2. Presenter
James Yung, CISA, Associate Director, IS Audit, Harvard University Risk Management and Audit Services

3. Agenda

4. Questions

5. How do most research universities govern the large and rapidly evolving set of information technology initiatives that take place on their campuses?
ANSWER: Inefficiently, ineffectively and not as well as they should.
Source: Educause, IT Governance in Higher Education, 2006

6. What is IT Governance?

7. (Slide content not captured.)
2007 IT Governance Institute

8. Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
Diagram labels: Performance; Conformance

9. Survey results (chart residue): "Doing something about it" vs. "Not doing something about it", 2003 and 2005. Figures shown: 64%, 36%, 42%, 58%.
Source: Surveys by PwC for the IT Governance Institute, Sep-Oct 2003 and Sep-Oct 2005
IT governance focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement
www.itgi.org

10. IT governance focus areas
- Strategic alignment: Focuses on ensuring the linkage of business and IT plans and on aligning IT operations with enterprise operations.
- Value delivery: IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
- Resource management: Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people.
- Risk management: Senior management, appetite for risk, compliance requirements, transparency about the significant risks to the organisation.
- Performance measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery to achieve goals measurable beyond conventional accounting.

11. Roles in IT governance
- Board and executive: Set direction for IT, monitor results and insist on corrective measures.
- Business management: Defines business requirements for IT and ensures that value is delivered and risks are managed.
- IT management: Delivers and improves IT services as required by the business.
- IT audit: Provides independent assurance to demonstrate that IT delivers what is needed.
- Risk and compliance: Measures compliance with policies and focuses on alerts to new risks.

12. IT Governance at Harvard

13. Harvard University Facts

14. IT Governance Risks at Harvard

15. Why Audit IT Governance at Harvard

16. Diagram labels: Keeping IT Running; Security; Value/Cost; Managing Complexity; Aligning IT with Business; Regulatory Compliance

17. Stakeholders need to know that: (slide content not captured)

18. Risk Management and Audit Services Mission
To assist University management and governing boards in identifying, managing and mitigating risk and ensuring risk management processes are integrated into the University's business practices and academic and research activities.

19. RMAS Organization

20. Evolution of RMAS IS Audit (chart residue)
Stages: System Base Audit; Integrated Audit; IT Governance Audit
Timeline: Pre-2000; 2000; 2006
Axes: Level of Complexity (Low to High); Value Add (Tactical to Strategic)

21. CoBIT and IT Governance
Control Objectives for IT (CoBIT) is an international standard in directing and controlling an enterprise's information technology. CoBIT sets the standards for measuring IT governance process maturity.
Basic CoBIT Principle (diagram labels): Business Requirements; IT Processes; IT Resources; Domain; Process Maturity

22. Benefits of CoBIT

23. CoBIT Framework
CoBIT Framework Characteristics

24. Enterprise Governance / IT Governance (diagram)
Drivers: Performance (Business Goals); Conformance (Basel II, Sarbanes-Oxley Act, etc.)
Best Practice Standards: CoBIT; COSO; ISO 9001:2000; ISO 17799; ISO 20000; ITIL; Security Principles; Balanced Scorecard
Processes and Procedures: QA Procedures

25. CoBIT Approach in Assessing IT Governance at Harvard

26. Background

27. Assessing IT Governance
Detailed review of the school IT governance and internal controls within Information Technology Services.

28. Audit Approach
- Identify business goals, IT goals, key IT processes and key IT resources.
- Identify control objectives.
Phases: Planning; Scoping; Testing

29. IT Governance Audit Objectives
- Effectiveness: Information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
- Efficiency: Provision of information through the optimal (most productive and economical) use of resources.
- Confidentiality: The protection of sensitive information from unauthorised disclosure.
- Integrity: Relates to the accuracy and completeness of information.
- Availability: Information being available when required by the business process now and in the future; it also concerns the safeguarding of necessary resources and associated capabilities.
- Compliance: Complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
- Reliability: The provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.

30. Approach (diagram labels)
Scope of Work; Risk Analysis; Observations and Recommendations
IT Audit; IT Governance; Process; Strategy; Controls; Interviews; Documentation

31. CoBIT Four IT Process Domains
Diagram labels: Business Requirements; IT Resources

32. Plan and Organize (PO)
- PO1 Define a strategic IT plan.
- PO2 Define the information architecture.
- PO3 Determine technological direction.
- PO4 Define the IT processes, organization and relationships.
- PO5 Manage the IT investment.
- PO6 Communicate management aims and direction.
- PO7 Manage IT human resources.
- PO8 Manage quality.
- PO9 Assess and manage IT risks.
- PO10 Manage projects.

33. Acquire and Implement (AI)
- AI1 Identify automated solutions.
- AI2 Acquire and maintain application software.
- AI3 Acquire and maintain technology infrastructure.
- AI4 Enable operation and use.
- AI5 Procure IT resources.
- AI6 Manage changes.
- AI7 Install and accredit solutions and changes.

34. Deliver and Support (DS)
- DS1 Define and manage service levels.
- DS2 Manage third-party services.
- DS3 Manage performance and capacity.
- DS4 Ensure continuous service.
- DS5 Ensure systems security.
- DS6 Identify and allocate costs.
- DS7 Educate and train users.
- DS8 Manage service desk and incidents.
- DS9 Manage the configuration.
- DS10 Manage problems.
- DS11 Manage data.
- DS12 Manage the physical environment.
- DS13 Manage operations.

35. Monitor and Evaluate (ME)
- ME1 Monitor and evaluate IT performance.
- ME2 Monitor and evaluate internal control.
- ME3 Ensure compliance with external requirements.
- ME4 Provide IT governance.

36. Align Business Goals with Key IT Goals

37. IT Governance Maturity (chart residue)
Series: School; Harvard; Target; Benchmark. Value shown: 1.5

38. Key Recommendations
Listed in priority order: (slide content not captured)

39. Benefits to the Auditee

40. Lessons Learned
IT GOVERNANCE AUDIT IS NOT FOR THE FAINT-HEARTED

41. Questions

42. References
- IT Governance Institute - http://www.itgi.org/
- ISACA - http://www.isaca.org/
- IT Audit - http://www.theiia.org/itaudit/