IT Governance: A Framework for Performance and Compliance

ITGI Japan Opening Celebration Conference
November 18, 2006, Tokyo, Japan

Ron Saull
Senior Vice-President and CIO, Information Services Organisation
Great-West Life / IGM Financial
Presentation Outline
1. Introduction
2. IT Governance Framework
3. IT Governance Implementation
4. Control Framework for SOX
5. Using CobiT for C/SOX
6. Issues in Application Controls
7. Questions
Who am I?
• MBA, CSP
• Professional experience: Systems Analyst, Project Manager, Consultant, IT Director
• CIO since April 1996
• Member of ISACA / ITGI since 1996
• Current ITGI involvement: Trustee, ITGI International Board; Chair, ITGI Advisory Panel; Member, ITGI Committee
Corporate structure (figure). Entities shown:
• Power Financial Corporation
  – Great-West Lifeco Inc.: Great-West Life Canada, London Life, Canada Life, Great-West Life & Annuity (US)
  – IGM Financial: Investors Group Inc., Mackenzie Financial, IPC Financial Network Inc.
  – Parjointco N.V.: Pargesa Holding S.A., Groupe Bruxelles Lambert
• I.S. Organisation
Information Services "Scale"
Locations: Winnipeg, Regina, Toronto, Montreal, London, United Kingdom, Ireland, Isle of Man, Germany
Overall Headcount = 1,463
2006 Budget = $324M
I.S. goes international
I.S. Shared Services Operating Principles
• We are a cooperative enterprise vs. an outsourcing relationship.
• Our objective is to deliver optimal value to our clients.
• We share a commitment to a target state architecture.
• All companies share a commitment to maximise synergies.
I.S. Integration Principles
Over the course of six company integrations, we have developed a set of basic integration principles which have contributed to our success. That is, to the extent practical, we:
• Pursue single system solutions
• Centralise
• Standardise
• Adhere to strict financial disciplines
I.S. Integration Results Achieved

Annual Synergies ($M)                       GWL/LL/CL   IG/MFC/IPC   Total
GWL/LL/IG Integration (1998-2000)                78.8         19.7    98.5
IG/MFC Integration (2001-2003)                      -         17.6    17.6
Canada Life Integration (2003-2005)              90.0            -    90.0
IPC Integration (2005)                              -          0.8     0.8
Canada Life Europe Integration (2005-2006)        4.0            -     4.0
Total                                           172.8         38.1   210.9
I.S. Strategy Summary (strategy map, figure)

Corporate Contribution perspective: Ensuring Effective I.S. Governance
• Align I.S. with Business Objectives
• Deliver Value
• Manage Resources
• Manage Risks
• Achieve Inter-Company Synergies

Customer perspective: Measuring Up to Business Expectations (from Service Provider to Strategic Contributor)
• Demonstrate Competitive Costs
• Deliver Agreed Service
• Achieve Positive Impact on Business Processes
• Enable Achievement of Business Strategies

Internal I.S. Process perspective: Carrying out the Roles of the I.S. Organisation's Mission (Operational Excellence, Business Partnership, Technology Leadership)
• Build Standard, Reliable Technology Platforms
• Manage Operational Service Performance
• Mature I.S. Internal Processes
• Achieve Scale Economies
• Support Technology Users
• Plan & Manage I.S. Service Delivery
• Deliver Successful I.S. Projects
• Understand Business Unit Strategies
• Propose & Validate Enabling Solutions
• Develop the Enterprise Architecture
• Understand Emerging Technologies

Future Orientation perspective: Building the Foundation for Delivery & Continuous Learning & Growth
• Attract & Retain People with Key Competencies
• Focus on Professional Learning & Development
• Build a Climate of Empowerment & Responsibility
• Measure/Reward Individual & Team Performance
• Capture Knowledge to Improve Performance

Overall theme: Increasing Credibility and Impact
I.S. Structure (organisation chart, figure)
EVP Client & Information Services
SVP & CIO - Information Services
Business unit delivery teams, designed to meet the needs of the specific company and line of business strategies: Account Management, Application Delivery, Career Centres, Strategic Business Services
Enterprise-wide services, designed to create and leverage economies of scale and manage IT risk across the companies: Shared Infrastructure Services, I.S. Risk Management, Risk Management Office, I.S. Financial Management
2. IT Governance Framework
What Makes IT Governance so important?
In October 2005 McKinsey and the London School of Economics measured the increase in productivity from investments in IT versus investments in management practices in 100 enterprises.
Additional spending on Information Technology can raise productivity... but only in well managed companies!
What Makes IT Governance so important?
Drivers
• Strategic importance of IT
• Extended Enterprise
• Regulatory requirements
• Cost optimisation
• Return on investment

• Low return from high-cost IT investments, and transparency of IT's performance are two top issues
• More than 30% claim negative return from IT investments targeting efficiency gains
• 40% do not have good alignment between IT plans and business strategy
• Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)
• Gartner – more than 600 billion $ thrown away annually on ill conceived or ill executed IT projects
• Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful
• ITGI 2005 Survey early findings confirm concerns
What makes IT Governance so important?
Shareholders want protection for the Enterprise’s Share Price
“…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise’s ability as a going concern…”
“…financial reporting system is not up to speed…”
“…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…”
“…data entry problems…”
What is IT Governance?
"IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."
ITGI, Board Briefing on IT Governance

IT Governance Domains (figure): Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement

IT Governance Focus Areas
1. Strategic Alignment: Aligning with the business and providing collaborative solutions
2. Value Delivery: Executing the value proposition throughout the delivery cycle
3. Resource Management: Optimising the development and use of available resources
4. Risk Management: Safeguarding assets, disaster recovery and compliance
5. Performance Measurement: Monitoring results for corrective action
IT Governance – The Five Focus Areas: Strategic Alignment
• Linking business and IT plans
• Defining, maintaining and validating the IT value proposition
• Aligning IT operations with the enterprise operations
• Providing collaborative solutions that add value and competitive positioning to the enterprise's products and services, and that contain costs while improving administrative efficiency and managerial effectiveness

Best Practices
• Integrated approach to business/IT strategy
• Cascading strategy and objectives down into the organisation
• Co-responsibility of business and IT
• Clearer objectives for IT investments
• IT Strategy and IT Steering Committees

In 2003, 49% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 70%.
IT Governance – The Five Focus Areas: Value Delivery
• Executing the value proposition throughout the delivery cycle
• Ensuring that IT delivers the promised benefits against the strategy
• Concentrating on optimising expenses & proving IT's value
• Controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.)

Best Practices
• Formal tracking of business value of IT
• Enabling effective value measurement (ROI, TCO, NOV…)
• Disciplined approach to project management with a larger role for the business
• Commitment to formal methodologies/processes for development and service delivery
• Enterprise architecture planning

In 2003, 39% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 69%.
IT Governance – The Five Focus Areas: Risk Management
• Requires risk awareness of senior corporate officers, a clear understanding of the enterprise's appetite for risk and transparency about the significant risks to the enterprise
• Embeds risk management responsibilities in the operation of the enterprise
• Addresses the safeguarding of IT assets, disaster recovery and continuity of operations

Best Practices
• Awareness of IT risks based on continuous assessment
• Transparency to all stakeholders
• Establishing responsibility and embedding risk management into the organisation
• An integral part of compliance and assurance
• Use of formal IT risk and control frameworks
• Process management disciplines

In 2003, 34% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 78%.
IT Governance – The Five Focus Areas: Resource Management
• Optimal investment, use and allocation of IT resources and capabilities (people, applications, infrastructure, data)
• Maximising the efficiency of these assets and optimising their costs
• Optimising knowledge and the IT infrastructure
• Knowing where and how to outsource

Best Practices
• Supply/demand balancing
• Practices to train and sustain skilled staff, including Career Centres for project assigned staff
• Consumption-based chargeback
• Transparency in expense management and cost allocation
• Formalised vendor management disciplines

In 2003, 50% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 75%.
IT Governance – The Five Focus Areas: Performance Measurement
• Using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting
• Measuring relationships and assets necessary to compete: customer focus, process efficiency and the ability to learn and grow
• Tracking project delivery and monitoring IT services

Best Practices
• IT Balanced Scorecard as emerging reporting system
• A management reporting system that feeds back into the strategy
• Use of benchmarking for performance comparison
• IT Scorecard approval by the key stakeholders for alignment

In 2003, 34% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 67%.
What is IT Governance? Board Briefing on IT Governance, 2nd Edition
IT Governance: Definitions, facts, approach
• Framework
• Definitions
• Five Focus Areas: Emphasis on value and risk
Toolkit
• Questions to ask
• IT Governance Practices
• Metrics to consider
Supporting material
• IT Strategy committee charter
• IT Governance implementation advice
• Roles and responsibilities of key players
3. IT Governance Implementation
Organisational Systems
The focus areas of IT Governance must be embedded within the organisation's systems.
• Culture: habits and practices
• Metrics and Rewards
• Structure: responsibilities and workflows
• Internal Economy: resource governance processes
• Methods and Tools
Organisational systems are relatively stable, influence everyone's performance and can be consciously designed.
Source: N. Dean Meyer
Strategic Alignment
Structure
• Strategy: Inter-company I.S. Executive Committee (ISEC)
• Development: Line of Business Steering Committees, Account Managers
• Operations / Governance: Executive/Risk Management Committees, Functional Leadership; Business Process Owners, Account Managers, Service Delivery Managers
Internal Economy
• I.S. expenses are targeted and capped (zero tolerance)
• I.S. expenses are fully burdened and recovered by consumption-based chargeback (zero profit)
• Lines of business have clear ROE targets which include I.S. chargebacks
• Development: Business Case Disciplines > $500K
• Operations: Service Level Agreements, I.S. Product and Service Standards
Methods & Tools
• I.S. Strategy Map, Balanced Scorecard, CobiT
• Risk / Compliance / Maturity Assessments (CobiT)
Metrics & Rewards
• Financial Targets: Minimum 15% annual growth in shareholder earnings, 18% ROE (Company, Line of Business)
• Contributing Metrics: Sales, Expense Management, Customer Service, Project Delivery, Service Achievement
• Rewards: Ties to management incentives, stock option / purchase plans
Culture
• Empowered hierarchy, command and control management style
• Rigorous approaches to analysis, planning and risk management (fact-based)
• Strong preference for measurable, verifiable benefits

Alignment is achieved within the structure of the companies' annual planning and budgeting process through the transparency of the value/risk versus cost propositions.
Value Delivery
Structure
• Operations: Business process owners, Service Delivery Managers, Service Management Process
• Development: Business sponsors, I.S. Project Managers, I.S. leadership teams, A.C.T.
• Governance: Risk Management Committee (risk, compliance, audit, I.S.)
Internal Economy
• I.S. expense budgets are allocated to lines of business and specific activities; these allocations act as expense caps
• Allocations are exceeded only by formal change control, first considering scope reduction
• Expense over-runs at the activity level are offset within the lines of business (LOBs), or failing that, across the LOBs
Methods & Tools
• Operations: ITIL, CobiT, SAP
• Development: PMI-based methodology, formal SDLC methodologies, Bates Project Management, SEI-CMMI, Enterprise Architecture, TeamPlay, SAP
• Governance: CobiT, SAP, Terms of Engagement
Metrics & Rewards
• Development: Co-responsibility for results with business (quality, risk, time, cost)
• Operations: Co-responsibility for results with business (service, cost, problem management)
• Governance: Accountability to executive committees (incidents, maturity, audits, initiative completions)
• Rewards: Ties to incentives at next levels of management and practitioners
Culture
• Active, hands-on management of emerging results and adjusting actions
• Business partnership: business says "what", I.S. says "how"
• I.S. is a professional services organisation: we charge for our services, strive for repeatable performance

Value delivery is ensured on business projects and operations through co-responsibility with business leaders, and on governance through direct accountability to the executive committees.
Risk Management
Structure
• Risk Management: I.S. Risk Management Office with focus on risk assessment, security, privacy, DR, compliance and process / quality management
• Executive: Executive committee sponsorship, risk committee oversight
• Supplier Management: Vendor Relations Team focuses on leveraged purchasing and contractual risks
Internal Economy
• Governance improvements are structured as internal I.S. initiatives and compete for approval along with business projects
• Scrutiny is also focused on the total expenditures on risk management activities
Methods & Tools
• Security: CobiT, ISO 17799
• Risk Management: COSO/Methodware: Enterprise Risk Assessor
• Disaster Recovery: CobiT, IBM maturity framework
• Control: CobiT, COSO
Metrics & Rewards
• Progress: Measured through initiative completions, maturity assessments and audits
• Results: Avoidance of major incidents (non-occurrence, response)
• Rewards: Tied to incentive based on results, progress and quality of assessments
Culture
• Willingness to accept a reasonable level of risk
• Risks must be explained in detail and target maturity levels justified
• Risk management viewed as overhead; value proposition is challenging

Risk management is approached by selecting an acceptable risk level based upon the detailed assessments of exposure, probability of occurrence, compliance to legal or regulatory requirements and emerging industry good practice.
Resource Management
Structure
• Business process owners, Account Managers, Service Delivery Managers
• Development: Business steering committees, business sponsors, I.S. project managers
• Operations / Governance: Risk Management Committee, functional leadership, ISFM, Career Centres, ISHR Organisation
Internal Economy
• I.S. expense budgets are allocated to lines of business and specific activities; these allocations act as expense caps
• I.S. is accountable to manage within its budget (gatekeeper role)
• Business leaders cannot spend above their I.S. budget without approval of the president
• Assets: Managed seat costs, recovery for assets
Methods & Tools
• Human Resources: TimeControl, SEI-PCMMI, Career Centres for project assigned staff
• Financial: SAP, TeamPlay, MICS, Remedy
• Applications / Data: Inventory, Remedy
Metrics & Rewards
• Human Resources: Utilisation / "billable" ratios, blended labour rates, benchmark staffing ratios
• Financial: Expense management, unit cost targets
• Rewards: Tied to management incentives at all levels
Culture
• Strong belief in internal expense management capability
• Decided preference for internal sourcing and control
• Expectation of managers to know / be engaged at a detailed level and be fiscally responsible

Resource management is the most direct and controllable leverage point to ensure the delivery of our financial targets and is the focus of our detailed and active management approach.
Performance Measurement
Structure
• Strategy: I.S. Executive Committee, ISFM, Process Management function
• Operations: Account Managers, Service Delivery Managers, Service Management Process
• Governance: Risk Management Organisation, Internal Audit, Compliance Officers
• Development: I.S. Project Managers, I.S. Project Management Office
Internal Economy
• Measurement investments are reviewed along with other control costs
• Measurement systems must demonstrate that control information is actionable and costs do not exceed the value obtained
Methods & Tools
• Strategy: I.S. Balanced Scorecard, CobiT
• Operations: Operations Management Report by LOB, ITIL
• Governance: CobiT
• Development: Major Projects Review methodology
Metrics & Rewards
• Metrics: Measurable outcomes are required for all management objectives
• Rewards: Rewards and bonuses are only triggered when results are measured
Culture
• Belief: "If you cannot measure it, you cannot manage it"
• "Show me" culture, insistence on demonstrable results
• "We deliver on our commitments"

Performance measurement is an essential element of the management discipline to drive delivery, validate the effectiveness of business and I.S. strategy and trigger management rewards based on company performance and individual contributions to its achievement.
Key IT Governance Practices
• Executive and business level steering committees
• Clear roles and responsibilities – business sponsors say "what", IT says "how" (Terms of Engagement)
• Internal economy model – supply/demand balancing, consumption based chargeback
• Use of best practice frameworks for process and control
• Linkage of measured results to rewards
• Strong culture of rigorous analysis, fact-based decision making and active, hands-on management
Process Model Selection (figure; Source: Gartner Research, June 2003)
Axes: IS/IT Relevance (Low / Moderate / High) and Levels of Abstraction (Holistic / General / Specific)
Models plotted: CobiT, ITIL, CMMI, P-CMMI, TCO, Six Sigma, ISO 9000, National Awards (such as Malcolm Baldrige Award), Scorecards
CMMI = Capability Maturity Model Integration
CobiT = Control Objectives for Information and Related Technology
ITIL = IT Infrastructure Library
TCO = Total Cost of Ownership
IT Governance matures over time – Where is your roadmap? (figure: Governance Maturity over Time)
• CobiT – Sustaining Management Practices: planning & organisation, financial management, human resource management, performance measurement
• ITIL – Service Delivery Issues
• PMI, CMMI/P-CMMI – Development Project Issues
• Val IT – Value Enhancement
• COSO, ISO 17799, Risk IT, Other Risks? – Risk/Compliance
CobiT Implementation Guide: two complementary perspectives (figure)
• Create value: Good things to happen; Preserve value: Bad things not happening
• Resolve problems; Continuous improvement
• Focus areas: IT alignment focus, value delivery focus, risk management focus, performance management focus
• Define strategy; Measure results
• The two questions: What? and How?
General Approach to Governance Implementation
1. Identify priority issue(s) (governance or business drivers)
2. Map to IT goals, process and affected resources
3. Assign to Process Owner
4. Resolve issue and adjust process/resources
5. Use responsibility matrix to determine job impacts
6. Change job descriptions/expectations
7. Change measurement/monitoring systems
8. Incorporate into performance appraisals/reward processes
4. Control Framework for SOX
IT, SOX and CobiT (figure): Internal Control – COSO – CobiT
IT, SOX and CobiT
Financial Assertions – provide little input
• Completeness
• Accuracy
• Validity
• Authorisation
• Segregation
PCAOB – provides only high level guidance on IT
• Program development
• Program changes
• Computer operations
• Access to programs and data
COSO – needs more substance on IT
• Control environment
• Information and communication
• Risk assessment
• Control activities
• Monitoring
COBIT – accepted standard for control over IT
• Limited to effect on financial reporting, i.e. excluding operational and efficiency issues
• To be used as a reference, customised based on enterprise needs
• Split into control activities and control environment
Organisation Controls (figure): Executive Management; Business Processes (Logistics, Finance, Manufacturing, Etc.); IT Services (OS/Data/Telecom/Continuity/Networks)

Organisation Controls
Controls include: Strategies and plans; Policies and procedures; Risk assessment activities; Training and education; Quality assurance; Internal audit
Control objectives/assertions include: Completeness; Accuracy; Existence/authorisation; Presentation/disclosure

IT General Controls
Controls embedded within IT processes that provide a reliable operating environment and support the effective operation of application controls.
Controls include: Program development; Program changes; Access to programs and data; Computer operations

Entity-level Controls
Entity-level controls set the tone and culture of the organisation. IT entity-level controls are part of a company's overall environment.

Application Controls
Controls embedded within business process applications that directly support financial control objectives. Such controls can be found in most financial applications, including large systems such as SAP and Oracle as well as smaller off-the-shelf (OTS) systems such as ACCPAC.
C/SOX Roadmap: Sarbanes-Oxley Compliance
1. Plan and Scope IT Controls
• Review overall project documentation and identify application controls.
• Identify in-scope applications.
• Identify in-scope infrastructure and databases.
2. Assess IT Risk
• Assess the likelihood and impact of IT systems causing financial statement error or fraud.
3. Document Controls
• Document application controls (automated or configured controls and hybrid controls).
• Document IT general controls (access, program development and change, and computer operations).
4. Evaluate Control Design and Operating Effectiveness
• Determine that all key controls are documented.
• Test controls to confirm their operating effectiveness.
5. Prioritise and Remediate Deficiencies
• Evaluate deficiencies by assessing their impact and likelihood of causing financial statement error or fraud.
• Consider whether compensating controls exist and can be relied upon.
6. Build Sustainability
• Consider automating controls to improve their reliability and reduce testing effort.
• Rationalise to eliminate redundant and duplicate controls.
5. Using CobiT for C/SOX
C/SOX – An Enterprise Approach (figure)
Business processes in scope: Financial Reporting, Underwriting, Disbursements, Treasury, Other. Frameworks: COSO (entity and application control levels), CobiT (IT general control levels).

Level 0 – Entity Controls
• Tone from the Top
Level 1 – Automated Application Controls
• Data validation, edit checks & output reconciliations
• Interface Controls
• End User Security
Level 2 and Level 3 – IT General Controls
I.S. Project: General Application Controls
• System development
• Change control
• Data Recovery
• Database management
• Programmer security
Infrastructure: General Computer Controls
• Change & Configuration management
• Network Administration
• Security Administration
• Data center operations
• Database Administration
• O/S Administration
Corporate Projects (GWL & IGM): Level 0 – I.S. Entity Controls
• Support Tone from the Top
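The Level 1 automated application controls named on the slide (edit checks, interface controls, output reconciliations) are the controls an auditor will actually test. The following is an added worked example written for this page; it is not code from the presentation or from the companies it describes. It edit-checks a constructed disbursement batch, passes only the accepted records to a hypothetical ledger interface, and reconciles what the ledger reports as posted against what was sent using a record count, an amount control total and a hash total over the account field. The record layout, the approver IDs, the single-approval limit and every sample record are assumptions made for illustration.

```python
# Added worked example, not taken from the presentation or the companies it
# describes: two Level 1 automated application controls over a constructed
# disbursement batch. Field names, limits, approver IDs and records are assumed.
import csv
import io
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

VALID_APPROVERS = {"A100", "A200", "A300"}   # hypothetical approver IDs
SINGLE_APPROVAL_LIMIT = Decimal("50000.00")  # hypothetical limit


@dataclass(frozen=True)
class Disbursement:
    ref: str
    account: str     # assumed format: 8-digit account number
    amount: Decimal
    approver: str


def parse_batch(text: str) -> list:
    """Parse a CSV batch. A malformed amount becomes Decimal('NaN') so that
    the edit checks, not the parser, decide what is rejected and why."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            amount = Decimal(row["amount"])
        except InvalidOperation:
            amount = Decimal("NaN")
        records.append(Disbursement(row["ref"], row["account"], amount, row["approver"]))
    return records


def edit_checks(rec: Disbursement) -> list:
    """Input validation: return every rule violated (empty list = accepted)."""
    errors = []
    if not (rec.account.isdigit() and len(rec.account) == 8):
        errors.append("account must be 8 digits")
    if rec.amount.is_nan() or rec.amount <= 0:
        errors.append("amount must be a positive number")
    elif rec.amount != rec.amount.quantize(Decimal("0.01")):
        errors.append("amount must have at most two decimals")
    if rec.approver not in VALID_APPROVERS:
        errors.append("unknown approver")
    elif not rec.amount.is_nan() and rec.amount > SINGLE_APPROVAL_LIMIT:
        errors.append("amount exceeds single-approval limit")
    return errors


def control_totals(records: list) -> tuple:
    """Record count, monetary control total and a hash total of the account
    numbers. The hash total has no business meaning; it is there so that a
    changed or transposed account is caught even when count and amount agree."""
    count = len(records)
    amount_total = sum((r.amount for r in records), Decimal("0"))
    hash_total = sum(int(r.account) for r in records if r.account.isdigit())
    return count, amount_total, hash_total


def reconcile_interface(source: list, posted: list) -> dict:
    """Interface control: compare what was sent to the ledger with what the
    ledger reports as posted, on all three totals plus the set of references."""
    s_count, s_amount, s_hash = control_totals(source)
    p_count, p_amount, p_hash = control_totals(posted)
    return {
        "count_ok": s_count == p_count,
        "amount_ok": s_amount == p_amount,
        "hash_ok": s_hash == p_hash,
        "missing_refs": sorted({r.ref for r in source} - {r.ref for r in posted}),
    }


def run_controls(source_csv: str, posted_csv: str) -> dict:
    """Edit-check the batch, send only accepted records, reconcile the result."""
    source = parse_batch(source_csv)
    checked = {r.ref: edit_checks(r) for r in source}
    rejected = {ref: errs for ref, errs in checked.items() if errs}
    accepted = [r for r in source if not checked[r.ref]]
    return {"rejected": rejected,
            "reconciliation": reconcile_interface(accepted, parse_batch(posted_csv))}


# Constructed sample batch: D-0002 has a malformed account and D-0003 exceeds
# the single-approval limit, so only D-0001 and D-0004 are sent to the ledger.
SOURCE_CSV = """ref,account,amount,approver
D-0001,12345678,1250.00,A100
D-0002,1234567X,300.00,A200
D-0003,87654321,60000.00,A100
D-0004,11112222,75.50,A300
"""
# Constructed ledger feedback: same count and amount, but D-0001's account
# digits were transposed in transit; only the hash total reveals it.
POSTED_TRANSPOSED_CSV = """ref,account,amount,approver
D-0001,21345678,1250.00,A100
D-0004,11112222,75.50,A300
"""
# Constructed ledger feedback: D-0004 was dropped by the interface.
POSTED_DROPPED_CSV = """ref,account,amount,approver
D-0001,12345678,1250.00,A100
"""
```

Calling `run_controls(SOURCE_CSV, POSTED_TRANSPOSED_CSV)` rejects D-0002 and D-0003 at the edit checks and reports the transposed account through the hash total alone, while count and amount still agree; `run_controls(SOURCE_CSV, POSTED_DROPPED_CSV)` fails on count and amount and names D-0004 as the missing reference. The point for C/SOX testing is that each control produces a recorded, reproducible result (the rejection reasons and the reconciliation flags) rather than a silent pass, which is what makes the control's operating effectiveness testable.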
IT Entity Controls (Level 0): CobiT IT processes mapped to the COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring). Each process is marked with the number of COSO components it maps to.
PO1 Define IT Strategic Planning (3)
PO4 Define the IT processes, organisation and relationships (3)
PO6 Communicate management aims and directions (2)
PO7 Manage IT human resources (2)
PO8 Manage quality (4)
PO9 Assess and manage IT risks (1)
DS7 Educate and train users (2)
ME1 Monitor and evaluate IT performance (3)
ME2 Monitor and evaluate internal control (2)
ME3 Ensure regulatory compliance (3)
ME4 Provide IT governance (2)
IT General Controls (Levels 2 & 3): CobiT IT processes mapped to the PCAOB control headings (Control Environment, Program Development, Program Changes, Computer Operations, Access to Programs and Data). Each process is marked with the number of headings it maps to.
AI2 Acquire and maintain application software (4)
AI3 Acquire and maintain technology infrastructure (3)
AI4 Enable operation and use (4)
AI6 Manage changes (2)
AI7 Install and accredit solutions and changes (4)
DS1 Define and manage service levels (4)
DS2 Manage 3rd party services (4)
DS5 Ensure systems security (2)
DS8 Manage incidents (1)
DS9 Manage the configuration (2)
DS10 Manage problems (1)
DS11 Manage data (2)
DS13 Manage operations (2)
6. Issues in Application Controls
Issues in Application Controls
• The need for risk management is not appreciated
  – Demonstrate the value received for the investment in controls
  – Conduct regular communication and change management
• Business slow to recognise responsibility for Application Controls
  – Ensure Application Control and IT General Control teams coordinate
  – Acknowledge shared responsibility for sign-off
• Many older applications do not have the required controls
  – If risk is high, identify compensating controls
  – If risk is low, waive the requirement on a case-by-case basis
Issues in Application Controls
• Difficult to determine an 'appropriate and measured response'
  – Identify critical business processes based on risk and materiality
  – Limit work to high priority processes
• There is a general lack of internal control expertise
  – Define and implement standardised monitoring processes
  – Minimise the risk of re-work: do it right the first time!
• No definitive guidance from consultants or government
  – Use common sense based on experience
  – Be able to justify the decisions made
7. Questions
Ron Saull
Great-West Life / London Life / Investors Group
60 Osborne Street North, Winnipeg, Manitoba R3C 3A5 Canada
204-946-2930
ron.saull@gwl.ca