BAA AIS IT Governance

  • 8/16/2019 BAA AIS IT Governance

BAA - Audit & Information Systems

Winston Phethi

Agenda

• What is IT Governance
• Why IT Governance
• Rationale for IT Governance
• Roles, Frameworks and Standards in IT Governance
• Benefits of IT Governance
• Effects of ineffective IT Governance
• Five Elements of IT Governance
• Role of Auditing in IT Governance

IIA Definition

Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology supports the organization’s strategies and objectives.

ISACA Standards Definition

The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.

Other definitions

A set of relationships and processes designed to ensure that the organization’s IT sustains and extends the organization’s strategies and objectives, delivering benefits and maintaining risks at an acceptable level.

Governance is not about what decisions get made – that is management – but about who makes the decisions and how they are made.

It specifies the decision rights and accountability framework to encourage desirable behaviours in the use of IT.

• Organizations have realized that IT is no longer a support process
• To set up a risk management program that addresses new risks arising from the usage of IT in business processes
• To direct IT endeavors, to ensure that IT’s performance meets the following objectives:
  ◦ Alignment of IT with the enterprise and realization of the promised benefits;
  ◦ Use of IT to enable the enterprise by exploiting opportunities and maximizing benefits;
  ◦ Responsible use of IT resources;
  ◦ Appropriate management of IT-related risks.

• The business and IT do not work in conjunction to define IT objectives
• IT and business objectives are not aligned
• IT does not effectively manage costs to meet business objectives
• IT risks are not identified, assessed, or mitigated to meet business objectives
• IT resources are not effectively aligned to meet business objectives
• Internal and external IT systems, processes, and personnel are not monitored to determine if business needs are being met
• The business does not recognize the value from its IT investments
• Applications are acquired and/or managed without the involvement of IT personnel

Roles, Frameworks and Standards in IT Governance

• Strengthens the relationship between the organization and IT
  ◦ Helps ensure limited IT resources are focused on the right strategic and tactical activities at the right time
• Synergies with Enterprise Risk Management (ERM) and other risk management activities
  ◦ Helps ensure the appropriate IT risk management processes and activities are in place and operating effectively

• Enhanced visibility into the IT Function’s ability to achieve both its tactical and strategic objectives
  ◦ Key Performance Indicators (KPIs) for day-to-day activities and longer-term/strategic initiatives
• Improved adaptability of the IT Function to organizational and IT environment changes
  ◦ Formality of governance structure, processes and activities enables a more efficient and effective response to change

Effective IT governance helps ensure that IT:

• supports business goals;
• optimizes business investment in IT;
• and appropriately manages IT-related risks and opportunities.

• Business losses, damaged reputations or weakened competitive positions;
• Deadlines not met, costs higher than expected and quality lower than anticipated;
• Enterprise efficiency and core processes negatively impacted by poor quality of IT deliverables;
• Failures of IT initiatives to bring innovation or deliver the promised benefits.

Five Elements of IT Governance (Source: IT Governance Institute)

Objective:

Determine if a relationship exists between IT and business objectives and if this relationship has been established through participation between both IT and business management.

Example Review Documents

• IT Strategic Plan
• Third party service provider agreements and RFP process

Typical Areas to Assess

• Is IT management aware of the overall business strategy?
• What is IT’s involvement in defining the business strategy?
• Do current IT initiatives relate to one or more of the organization’s strategic objectives?
• Is there a clear line of communication between IT and business management?
• How do 3rd party service providers support business objectives?
• What IT architecture is necessary to support the business objectives?

Objective:

Determine if activities are conducted relating to the identification and analysis of risks impacting the achievement of business objectives and the preparation of financial statements.

Example Review Documents

• Business Continuity and Disaster Recovery Plans and Test Results
• IT Risk Assessment
• 3rd Party Service Provider Agreements and Request For Proposal
• Policies and Procedures

Typical Areas to Assess

• Is a process in place to assess, address, and communicate IT risks to key stakeholders and executive management during the project, change, and release management processes?
• How does IT select and manage third party vendor relationships?
• Does a business continuity and disaster recovery plan exist and is it tested on a periodic basis?
• Does a risk management plan exist and are risk management activities incorporated into the project, change, and release management process?
• Do discussions between IT, Business, and Compliance leadership occur in order to identify ways in which the IT environment can assist in strengthening the organization’s control environment?

Objective:

Determine if the effectiveness of IT systems, processes, and personnel, internal and external, is being monitored for alignment with business needs.

Example Review Documents

• Performance metrics for services, projects, processes, and systems
• Reports of IT’s performance against defined metrics to key stakeholders and executive management
• 3rd Party Service Level Agreements
• Incident and Problem Management Policies and Procedures
• Cost Allocation Policies and Procedures

Typical Areas to Assess

• Does the IT organization report performance metrics to key stakeholders?
• Are processes in place to review key performance metrics and correct items falling below a reasonable level?
• Do performance management activities consider both internal and 3rd party IT activities?
• Is IT performance reported in IT or business terms? Are the metrics operational, strategic, or both?
• Is a process in place to establish performance metrics based on changing business needs?
• Do the Board of Directors and executive management have an awareness of IT performance based on quantifiable data?

Objective:

Determine if adequate activities are being performed to align the use of resources (applications, information, infrastructure, people) to meet the needs of the business.

Example Review Documents

• IT Organization Chart
• IT Job Descriptions
• Sourcing Strategy for IT projects
• IT Segregation of Duties Requirements
• IT Asset Management Policies and Procedures

Typical Areas to Assess

• Are processes in place to assess and implement IT segregation of duties?
• Has an IT sourcing strategy been established that aligns with business objectives?
• Do IT resources dedicate more time to operational or strategic objectives?
• Does the IT department have processes in place to facilitate knowledge sharing within the department and with the business?
• Have IT resources (employees, applications, hardware) been optimized to support business objectives?
• Have formal job descriptions and reporting relationships been created and communicated for all IT positions?
• Has an asset management program been established?

Objective:

Determine if IT is effectively managing costs as they relate to meeting business objectives and communicating this management to the appropriate individuals.

Example Review Documents

• IT Steering Committee Meeting Minutes
• Policies and Procedures for the Development and Management of IT projects
• IT Budget

Typical Areas to Assess

• Is there a clear relationship between IT project performance indicators and business objectives?
• Has the IT budget been communicated to business leadership? Does business leadership understand the investments that have been made in IT?
• Does IT actively communicate the expected and realized value of IT projects?
• Does the business rely on the integrity and accuracy of data captured and reported by IT systems?
• Do IT and business leaders meet on a periodic basis to review the current and upcoming IT initiatives to reassess alignment with business objectives?

Audit plays a significant role in the successful implementation of IT governance within an organization.

• Audit is well positioned to provide leading practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiatives implemented.
• Audit helps ensure compliance with IT governance initiatives implemented within an organization.

Standard 2110 A2: “The internal audit activity must assess whether the IT Governance of the organization supports the organization’s strategies and objectives”

By?

1. Providing assurance
2. Providing consulting
   ◦ Training
   ◦ Facilitated workshop on IT Governance best practices

- An auditor should review and assess whether the IS function aligns with the organization's mission, vision, values, objectives and strategies.
- The auditor should review whether the IS function has a clear statement about the performance expected by the business (effectiveness and efficiency) and assess its achievement.
- The auditor should review and assess the effectiveness of IS resource and performance management processes.
- The auditor should review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements.
- A risk-based approach should be used by the auditor to evaluate the IS function.
- The auditor should review and assess the control environment of the organization.
- The auditor should review and assess the risks that may adversely affect the IS environment.
