IT Governance: A Practical Guide

J. Mark Sanman, CIA, CISA, CISSP-ISSMP
November 2009 Greater Cincinnati ISACA Chapter Meeting
Procter & Gamble

Biography

Procter & Gamble: 32 years in various IT, IT Audit, and IT Governance roles. Current assignment is in IT Commercial Governance, with specific responsibilities involving supplier governance, risk management and governance audit coordination. Previous roles included IT infrastructure audit management, e-business and e-commerce infrastructure management, EDI (Electronic Data Interchange) for global customer business development, and implementation manager - global network. Work at one time or another has involved travel to 35 countries on 6 continents.

Education
• MSEE - University of Cincinnati
• BSEE - University of Idaho

Professional Certifications
• Certified Internal Auditor (CIA) - 2002
• Certified Information Systems Auditor (CISA) - 2004
• Certified Information Systems Security Professional (CISSP) - 2005
• Information Systems Security Management Professional (ISSMP) - 2009

Disclaimer

The opinions contained in this presentation are those of the presenter, and do not necessarily reflect the views of The Procter & Gamble Company.

Agenda

• Why is IT Governance a ‘Hot Topic’?
• IT Governance Definitions
• IT Governance Considerations in a Sourced Environment
• An Audit Checklist for IT Governance

Why is IT Governance a ‘Hot Topic’?

• Increased sensitivity to protecting stakeholder interests
  • Shareholders (see: Sarbanes-Oxley)
  • Consumers (see: HIPAA)
  • Suppliers (see: PCI)

Why is IT Governance a ‘Hot Topic’?

• Recognized need for tight business linkage
  • Strategic Alignment
  • Value Delivery
  • Resource Management
  • Risk Management
  • Performance Management

Why is IT Governance a ‘Hot Topic’?

• Effective Management of Outsourced IT Suppliers
  • Relationship Management
  • Financial Management
  • Performance Management
  • Contract Management

IT Governance Definitions

IIA International Professional Practices Framework:

[IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology sustains and extends the organization’s strategies and objectives.

[IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.

[Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

IT Governance Definitions

CobiT 4.1:

IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.

IT Governance Definitions

(ISC)2 Ethics Preamble:

Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

IT Governance: High Level Summary

• The business of running IT vs. running the technology
• Setting the rules and assuring they are followed
• An ethical responsibility to stakeholders
  • Principal - business
  • Commonwealth - people
  • Each other - reputation

IT Governance: CobiT Focus Areas

• Strategic Alignment
• Value Delivery
• Resource Management
• Risk Management
• Performance Measurement

IT Governance: Practical Guidelines

• Leadership and Clear Business Ownership
• Aligned Business-Relevant Measures
• Complete and Accurate Inventories
• Linking Technical and Business Risk

Clear Business Ownership and Direction

• Alignment of Business and IT Objectives (CobiT 4.1 ‘Framework’)
  • Enterprise Strategy
  • Business Goals for IT
  • IT Goals
  • Enterprise Architecture for IT
  • IT Scorecard

Alignment Example: Two Global Retailers

|                                | Retailer #1                   | Retailer #2                  |
|--------------------------------|-------------------------------|------------------------------|
| Enterprise Strategy            | Rapid global expansion        | Expansion of proven models   |
| Business Goals for IT          | Sacrifice standards for speed | Leverage IT standards        |
| IT Goals                       | Buy locally what works        | Convert non-standard systems |
| Enterprise Architecture for IT | Minimal                       | Central                      |
| IT Scorecard                   | Market startups supported     | % Standard                   |

Business-Relevant Measures

• Requires translation of traditional IT measures
• Performance against Financial goals, either Business or IT
• Operational efficiency
• Innovation

Measures Example: Replenishment

Enterprise Strategy: Leverage Scale
Business Goals for IT: Take a day out of inventory
IT Goals: Share inventory, orders, safety stock information with Suppliers
Enterprise Architecture for IT: Use existing EDI infrastructure; New EDI Message (INVRPT)
IT Scorecard: Cash flow; Warehouses not built

Complete and Accurate Inventories

• IT-dependent Business Processes
• Data Repositories and Information Flows
• IT Infrastructure
• IT Resources and Processes

Information Flow / Combination Example

Enterprise Strategy: Influence Trade Customer
Business Goals for IT: “Right information, right place, right time” for Sales Reps
IT Goals: Effectively combine product profitability, share, store data
Enterprise Architecture for IT: Laptops in Shopping Carts; Efficient (Cheap) communications
IT Scorecard: Solution cost efficiency; Sales Representative Satisfaction

Linking Technical and Business Risk

• Risk is the ‘lingua franca’ of business.
• Management needs to be able to compare IT Risks with other risks.
• IT Governance must do an effective job of translating technical risks to business risks.

Linking Technical and Business Risk

Technical Risk
• Incidents resulting from Changes
• Equipment Age
• Audit Scores
• Information Security Incidents
• Overdue Controls Issues

Business Exposures
• Disruptions to Critical Business Processes (e.g. Orders to Cash)
• Compromise Company Reputation
• Compromise Company Secrets
• Organizational Capacity / Health
• Financial Goals May not be Met

IT Governance Basics

Questions?

IT Governance in a Sourced Environment

[Diagram, layers as shown on the slide: Business Strategy and Processes; IT Governance; Suppliers’ IT Strategy and Processes; Commercial Relationship]

Considerations in a Sourced Environment

• Sourcing Strategy
• Contract Management
• Finance Management
• Relationship Management
• Performance Management

Sourcing Strategy

• Part of IT Strategic Plan
• Inventory of critical Supplier relationships
• Update based on changes to Business, IT or Supplier Strategies
• May contain intervention plans

Contract Management

• Initial negotiation and in-life change management
• Defines Services/Quality
• Defines ownership of Intellectual Property
• Compliance with Law and Policy
• Audit Rights

Contract Change Management

• Required either by changing business needs or to address ambiguity.
• Should be viewed as a negotiation.
• Each party will attempt to get concessions not previously obtained - value is at risk
• Depend on Relationship Management for smaller changes to avoid this risk

Intellectual Property

• Supplier IP may be used to deliver efficiencies ($)
• However, use of Supplier IP may limit sourcing flexibility.
• Who owns process ‘know-how’ and does this change over time?
• What risk does this represent?

Intellectual Property Mitigations

• Inventory, inventory, inventory
  • IT processes supporting the business
  • Materials (documents, rights, etc.)
• Risk Management discussion with business
• Seek legal help
• Follow up!

Audit Rights

• Business requirements drive specifics.
• Must be in the initial contract
• For supplier shared services, SAS70 Type II
• Audit rights should be unlimited and at no cost.

Finance Management

• Deal financials reporting
• Invoice Verification
• Service receipt
• Credits
• Incentives
• Internal cost recovery

Finance Management

• This is THE PLACE to receive an independent confirmation of IT value delivery.
• Budgets are a very unforgiving reality check!

Relationship Management

• Overall Supplier management
• Monitor business needs
• Communication Forums
• Issue Management
• Risk Management
• Project Management

Risk Management

• IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total.
• As before, there may be a translation here from technical risk to business risk.
• Can use Probability x Business Impact as the metric. The business should supply the Impact.
• This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.

Project Management

• Good Project Management helps assure value delivery
• Define ‘project’ vs. ‘daily work’ in the contract.
• Has linkages to Finance Management (paying Project costs), Service Delivery (assuring Project deliverables)

Performance Management

• Aligning Service Delivery Requirements
• Managing and Reporting against SLAs
• Management of individual projects
• Work prioritization

IT Governance in a Sourced Environment

Questions?

An Audit Checklist for IT Governance

IT Governance Audit Planning

• Audit Team Composition
• Audit Criteria
• Learnings from the Balanced Scorecard Approach

Audit Team Composition

• Leadership - Business or IT?
• Audit Supervision and Auditor in Charge Independence is a must
• Beware setting up an audit team that may reflect corporate IT Governance issues
• Consider sourcing knowledgeable auditors

IT Governance Audit Criteria / Standards

• IIA Governance Auditing Standards
• ISACA / ITGI IT Governance Auditing Guidelines
• ITGI Risk IT Framework
• ITGI Val IT Framework
• << Insert your Company business policies here >>

Learnings from the Balanced Scorecard

• Consider IT Governance from various business points of view (1)
  • Corporate
  • Customer
  • Operational Excellence
  • Future / Sustainability

1. “Measuring and Improving IT Governance Through the Balanced Scorecard”, Information Systems Control Journal, Volume 2, 2005

Balanced Scorecard: Corporate View

| Objective              | Example Metrics                            |
|------------------------|--------------------------------------------|
| Business/IT Alignment  | Operational budget approval                |
| Value Delivery         | Business Unit Performance                  |
| Cost Management        | Attainment of expense and recovery targets |
| Risk Management        | Results of Internal Audits                 |
| Intercompany Synergy   | Single System Solutions                    |

Balanced Scorecard: Customer View

| Objective               | Example Metrics                  |
|-------------------------|----------------------------------|
| Customer Satisfaction   | Business Unit Survey ratings     |
| Competitive Costs       | Attainment of unit cost targets  |
| Development Performance | Major Project Scores             |
| Operational Performance | Attainment of targeted levels    |

Balanced Scorecard: Operational View

| Objective               | Example Metrics                        |
|-------------------------|----------------------------------------|
| Development Process     | Function Point Measures                |
| Operational Process     | Change Management effectiveness        |
| Process Maturity        | Level of IT Processes                  |
| Enterprise Architecture | State of the infrastructure assessment |

Balanced Scorecard: Future View

| Objective                 | Example Metrics                   |
|---------------------------|-----------------------------------|
| Human Resource Management | Staff Turnover                    |
| Employee Satisfaction     | Satisfaction survey scores        |
| Knowledge Management      | Implementation of learned lessons |

Auditing IT Governance

Questions?

What We’ve Covered Tonight

• Why is IT Governance a ‘Hot Topic’?
• IT Governance Definitions
• IT Governance Considerations in a Sourced Environment
• An Audit Checklist for IT Governance

Thank You!