RC
Uploaded byRobert Koehler, MsPM, PgMP, PMP, CGEIT
PDF, PPTX242 views

Sharpening the Lens

This document provides an overview of a presentation on building an internal control framework for IT governance. It discusses key benefits to the audience, the current state of IT governance standards and challenges, areas not adequately covered by existing standards, and recommendations for the framework. The presentation will compare leading IT governance standards, highlight similarities and differences, and gaps not addressed. It will also recommend internal controls focusing on strategic alignment, financial performance, risk management, growth, and service delivery. An internal control framework is proposed that takes a holistic view encompassing governance, management, use of IT, and the relationship between corporate strategy, digital business models, and organization structures.

Download as PDF, PPTX
Steve Beaton, CIA, CISA, CFSA, MsMIT, USAA VP IA Robert Koehler, CGEIT, PgMP, PMP, MsPM, PwC Director
Slide 2 TOPIC We will explore the essential elements for preparing an assurance framework for IT Governance that integrates leading industry standards and practices ensuring the governing objectives for assessing strategy, financial performance, and effective delivery of technology.
Slide 3 KEY BENEFITS TO THE AUDIENCE • We will highlight the leading IT Governance standards, drawing comparison between their similarities and differences. • We will highlight the business areas not adequately addressed by IT Governance standards. • We will recommend internal controls that pertain to aligning the relationships between the business and IT, including organizational structures for the evaluation and direction of IT. • We will recommend internal controls that pertain to the effectiveness of deriving value from IT, including financial performance and the planning for benefits realization. • We will recommend internal controls that pertain to the effectiveness of IT risk and compliance management, including what can be done to ensure sufficient IT risk information is factored into investment decision making.
Slide 4 CURRENT STATE OF IT GOVERNANCE We will highlight the leading IT Governance standards, drawing comparison between their similarities and differences. • What are leaders saying about it? • Whose definition is best? • How is IA’s role perceived? • Where are the rabbit holes?
Slide 5 CURRENT STATE OF IT GOVERNANCE IN THE NEWS Oversight split between the Board, Audit Committee, IT/Risk Committees or no one at all. - PwC, Insights from the Boardroom 2012 Only 30% of directors find IT expertise a “very important” attribute in new directors, and 31% are not seeking this skill set at all. - PwC’s 2013 Annual Corporate Directors Survey 44-50% of Board members meet with the CIO only once a year or not at all. - PwC, Insights from the Boardroom 2012 Only 38% of business partners seen as “very engaged” in IT Governance. - Forrester, The State Of IT Governance Q4 2010 The findings of a number of research projects conducted by the Massachusetts Institute of Technology (MIT) Center for Information Systems Research (CISR) suggest that firms with focused strategies and above-average IT governance capabilities had more than 20 percent higher profits than other firms following the same strategies. - Peter Weill and Jeanne W. Ross, It governance, how top performers manage it decisions for superior results, Harvard Business School Press Effective IT governance is the single most important predictor of the value an organization generates from IT. - Peter Weill and Jeanne W. Ross, It governance, how top performers manage it decisions for superior results, Harvard Business School Press
Slide 6 COMPARING IT GOVERNANCE STANDARDS WHOSE DEFINITION IS BEST? • ISACA – The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives. • ISO – The system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization. • Gartner – The set of processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. • Forrester – A decision-making framework for IT investments that is designed to maximize the return of benefits while managing risk to acceptable levels. • MIT CISR – Specifying the decision rights and accountability framework to encourage desirable behavior in using IT.
Slide 7 ARE STAKEHOLDERS SATISFIED? AREAS OF LEAST SATISFACTION WITH IA
Slide 8 COMPARING IT GOVERNANCE STANDARDS STANDARDS OVERLAPPING, EVEN CONFLICTING The challenge is choosing right and filling in the gaps as many standards are overlapping, even conflicting – None complete IT GovernanceProject Management Process Centric Maturity Centric PMI/PMBOK ITIL IT Management Val IT 2.0 Risk IT COBIT 5SEI CMMI ISO 38500TOGAF ISO 17998 COBIT 4 ISO 27001/2/5 MoV ISO 31000 MIT CISR PRINCE2 Most relevant standards
Slide 9 COMPARING IT GOVERNANCE STANDARDS RIGHT SPECTRUM FOR COMPARISON Five dimensions of comparison used, each having a common focus on an organizations ability to drive greater value from IT Strategic Alignment •The successful alignment between business and IT •The comprehension of the impacts of IT on business processes and results •The clarity of priorities for both IT investments and business management focus Financial Performance •The effectiveness of deriving value from IT across the first and second lines of defense •The comprehension of performance as predictors of strategic decision-making •The comprehension of factors to measure and regulate the effectiveness of controls for risk and compliance Risk & Compliance •The establishment or risk, compliance, security and legal authority •The alignment of risk and compliance decisions with responsibilities for performance •The level of process integration across IT governance, risk, and compliance Grow & Transform •The level IT investments contribute to optimal business value •The level collaboration occurs between business and IT to realize benefits •The provision of investment management controls across the economic lives of investments Delivery Management •The determination of how types of IT-enabled capabilities are chosen as important for success •The decision driven actions to set objectives and expectations for the performance of IT •The position to handle the costs and risk of the service portfolios
Slide 10 COMPARING IT GOVERNANCE STANDARDS MAPPING TO LEADING PRACTICES Strategic Alignment Financial Performance Delivery Risk & Compliance Grow &Transform Delivery Mgmt. • COBIT APO08 Manage Relationships • COBIT EDM01 Ensure Governance Framework Setting and Maintenance • COBIT EDM04 Ensure Resource Optimization • ITIL Strategy – Strategy and Organization • ITIL Strategy – Demand Management • IIA GTAG 17 – Auditing IT Governance • ISO/IEC 38500: 2008–Corporate Governance of Information Technology • COBIT MEA01 Monitor, Evaluate and Assess Performance and Conformance • EDM05 Ensure Stakeholder Transparency • COBIT APO06 Manage Budget and Costs • ITIL Strategy – Financial Management • ITIL Strategy – Return on Investment • ISO/IEC 38500: 2008–Corporate Governance of Information Technology • COBIT EDM03 Ensure Risk Optimization • COBIT MEA03 Monitor, Evaluate and Assess Compliance with External Requirements • COBIT DSS05 Manage Security Services • ISO/IEC 31000– Risk Management • ISO/IEC 27000– Security Techniques • Multiple industry based requirements such as: HIPPA, AML, Dodd Frank, PCI, FISMA, Sarbanes Oxley and Safe Harbour • COBIT APO04 Manage Innovation • COBIT APO05 Manage Portfolio • COBIT EDM02 Ensure Benefits Delivery • ITIL Strategy – Service Portfolio Management • Project Management Book of Knowledge (PMBOK) • Projects in Controlled Environments (PRINCE 2) • Portfolio, Program, and Project Management Maturity Model (P3M3) • ITIL Strategy– Strategy, Tactics, and Operations • COBIT APO02 Manage Strategy • COBIT APO03 Manage Enterprise Architecture • The Open Group Architecture Framework (TOGAF) • ISO/IEC 20000–IT Service Management
Slide 11 AREAS NOT ADEQUATELY COVERED We will highlight the business areas not adequately addressed by IT Governance standards. • Is IT on the boards agenda? • Does corporate strategy influence IT? • Is the value gap being closed? • Does the three lines of defense help IT Governance? • Is IT Governance, Risk and Compliance combined? • Are business benefits being realized?
Slide 12 AREAS NOT ADEQUATELY COVERED IT ON THE BOARD’S AGENDA A structured approach for board’s IT oversight: • Assessment: Evaluate the company’s current IT situation, while considering various factors, and conclude how critical IT is to the company’s current and future success. • Approach: Agree on the board's IT oversight approach including who is responsible (the full board, the audit committee, a risk committee, etc.), how often to discuss IT, and when to talk with the CIO. • Prioritization: Identify the IT subjects most relevant to the company and focus oversight efforts on those areas. • Strategy: "Bake" IT initiatives into the board’s oversight of overall company strategy based on the importance of IT to the company. • Risk: Include IT risks as part of the board’s risk management oversight process. • Monitoring: Adopt a continuous IT oversight process, regularly revisit the efficacy of that process, and measure results.
Slide 13 AREAS NOT ADEQUATELY COVERED CASCADING CORPORATE STRATEGY Need to evaluate the IT strategy within the overall strategy for the business Business Strategy (3-5 yr plan) IT Strategy Digital Business Model • Frames how IT & technology enables business capabilities • Sets expectations for scalability & interoperability • Provides principles & standards that guide technology decisions • Prioritizes immediate IT challenges that need resolution • Identifies synergies across entities • Identifies digital business model capabilities • Measures effectiveness of digital content, experience, and platform • Identifies digital source of competitive advantage BusinessDrivenITStrategy • Develops a target state and future vision that synchronizes IT investments with business needs • Creates a blueprint for maximizing return on technology investments • Establish guiding principles that will drive the technology evolution Strategy & business alignment Organization & skills Technology & architecture Management & Governance Information Product Customer Experience Internal External The Digital Business Model describes how content, experience, and platform works together to create a compelling customer value proposition. The Business Strategy describes and interrelates mission, vision, goals, and strategies with core processes, constituents, and interactions.
Slide 14 AREAS NOT ADEQUATELY COVERED CLOSING THE VALUE GAP While many companies fail to deliver business value, top performers deliver the expected value (+15%), on time (+30%) at or below budget (+30%) ACTUAL ROI = -4% Value RealizedPlan Actual Execution Benefits Only 38% of programs delivered 100% of value Time Only 36% of programs are delivered on time Value (200) Cost (100) Year 1 Year 2 Year 3 3 Year Plan Value (125) Extra Year 4 Year Actual Value Gap Cost (130) Over Cost PLAN ROI=50% The Value Gap -$60M -$15M +$30M EXAMPLE: Time Increase: 30% Cost Increase: 30% Value Loss: 30% ($M) IMPACT ($M)
Slide 15 AREAS NOT ADEQUATELY COVERED THREE LINES OF DEFENSE Clear delineation between line controls, second-level monitoring controls and third-line independent assurance for the effective governance of information technology Board of Directors / Audit Committee Business and IT Senior Management Regulator 1st Line of Defense ExternalAudit 3rd Line of Defense2nd Line of Defense Internal Control Measures IT Governance Mechanisms Financial Controls Risk Management Compliance Portfolio Performance Program Governance Security Internal Audit Project Assurance
Slide 16 AREAS NOT ADEQUATELY COVERED IT GRC INTEGRATION IT Governance, risk management and compliance managed in an integrated manner IT Compliance Committee Audit Committees Evaluate Direct Report Monitor IT governance Risk Management Compliance IT Governance Committee IT Steering Committee PMO / Portfolio Management Objective Setting Risk Assessment Event Identification Risk Response Control Activities Information & Communication Monitoring Requirement Analysis Deviation Analysis Deficiency Management Reporting / Documentation Deviation Analysis Enterprise & IT Risk Committees
Slide 17 AREAS NOT ADEQUATELY COVERED BENEFITS REALIZATION The benefits expected from IT are unlikely to emerge automatically. Any benefits sought must be identified along with the changes in ways of working to bring about and sustain each of the benefits. Means to Achieve Changes Evaluate overall vision for the new digital solution Ways to Achieve Changes Evaluate the new ways of doing business and the benefits this will deliver Results of Changes Evaluate how fostering and realizing business benefits will come through structured change Benefits Identification Business Case Benefits Planning Project Delivery User Adoption Value Creation Benefits Extension Benefits Fulfillment
Slide 18 BUILDING INTERNAL CONTROL FRAMEWORK We will recommend internal controls. • Where should we focus our attention? • What IT-related domains should be controlled? • What controls should comprise each domain?
Slide 19 BUILDING INTERNAL CONTROL FRAMEWORK EXECUTIVE AGREEMENT ON ROLE OF IT Align with management’s active design of IT Governance around the business’ objectives and performance goals. •Strategic Aims •Stewardship •IT Reliance •Firm Performance •Economic Life & Reward •Strategic Aims •Stewardship •IT Reliance •Firm Performance •Economic Life & Reward Corporate GovernanceCorporate Governance •Strategic Aims •Stewardship •IT Reliance •Firm Performance •Economic Life & Reward Corporate Governance •Financial Objectives •Customer Needs •Process Improvements •Organizational Learns •Financial Objectives •Customer Needs •Process Improvements •Organizational Learns Performance MgmtPerformance Mgmt •Financial Objectives •Customer Needs •Process Improvements •Organizational Learns Performance Mgmt •Service Levels •Resource Profiles •Workforce Planning •Learning & Development •Service Levels •Resource Profiles •Workforce Planning •Learning & Development Resource ManagementResource Management •Service Levels •Resource Profiles •Workforce Planning •Learning & Development Resource Management •Risk Transparency •Risk Delegation •Risk Control •Operational Risk •Risk Transparency •Risk Delegation •Risk Control •Operational Risk Risk ManagementRisk Management •Risk Transparency •Risk Delegation •Risk Control •Operational Risk Risk Management •Strategic Importance •Environmental Context •Financial Planning •IT Capabilities •IT Resources •Strategic Importance •Environmental Context •Financial Planning •IT Capabilities •IT Resources Strategic AlignmentStrategic Alignment •Strategic Importance •Environmental Context •Financial Planning •IT Capabilities •IT Resources Strategic Alignment •Regulatory Compliance •Internal Controls •IT Security •Compliance Policies •Regulatory Compliance •Internal Controls •IT Security •Compliance Policies IT ComplianceIT Compliance •Regulatory Compliance •Internal Controls •IT Security •Compliance Policies IT Compliance IT Governance Executive Agreement on the Role of IT
Slide 20 BUILDING INTERNAL CONTROL FRAMEWORK TOP-DOWN BOTTOM-UP PROCESS Proper integration of management and support functions must be considered when creating the assessment framework Project Work and Resource Authorizations Change Requirements and Risk Mitigates Performance Measurements Corporate Risk Management Service Levels and Finished Products Professional and Operational Services Investment Management IT Strategy, Vision, and Action Plans Program Health Updates Benefits Realization Time-Sensitive Growth / Recovery Strategies IT Governance IT Services Project Portfolio Management Corporate Governance Top-Down Evaluation & Direction Bottom-Up Monitoring & Reporting
Slide 21 BUILDING INTERNAL CONTROL FRAMEWORK HOLISTIC VIEW Encompassing these arrangements to create a holistic view of the governance, management, and use of IT Business Strategy Organization Structures Digital Business Models IT Asset Portfolios Performance and Change Metrics IT Service Valuation IT Risk Management IT Compliance Security Governance IT Service Strategy IT Long-term Strategy Portfolio & Project Delivery Operations Benefits Realization Architecture Strategic Alignment Financial Performance Risk & Compliance Grow & Transform Service Management Delivery Management
Slide 22 BUILDING INTERNAL CONTROL FRAMEWORK STRATEGIC ALIGNMENT Business Strategy Digital Business Models Organization Structures • Clear alignment is visible between Corporate and IT Strategy. • Business strategy changes are understood, documented and approved with their impact on IT communicated. • Good relationships and communication channels exist between the business and IT. • Business stakeholders are aware of technology- enabled opportunities. • Business plans, operating models and requirements are understood, documented and approved with their impact on IT communicated. • Impacts of expected future demand are understood and built into IT planning. • Strategic decision-making model for IT is effective and aligned with the organization’s internal and external environment and stakeholder requirements. • The governance system & bodies for IT are implemented and operating effectively. • Organizational structures are aligned with strategic value drivers. • The resource needs of the organization are met with the right capabilities. • Resources are allocated to best meet the overall business priorities within budget constraints. • Optimal use of resources is achieved throughout their full economic life cycles.
Slide 23 BUILDING INTERNAL CONTROL FRAMEWORK FINANCIAL PERFORMANCE IT Service Valuation IT Asset Portfolio Performance & Change Metrics • Processes are measured against agreed-on goals and metrics. • Goals and metrics are approved by the stakeholders. • Owners are assigned and held accountable. • Investment decisions are linked to value that can be tracked. • An appropriate investment mix is defined and aligned with business strategy. • Program business cases are evaluated and prioritized before funds are allocated. • Sources of investment funding are identified and available. • Current accounting evaluation process for justifying an IT investment is sufficient for managing investment risk. • Returns are measured across the economic life of the investment. • Performance measures include profitability, productivity and effectiveness. • Goals and metrics are integrated within the organization’s monitoring systems. • Process reporting on performance and conformance is useful and timely.
Slide 24 BUILDING INTERNAL CONTROL FRAMEWORK RISK & COMPLIANCE IT Risk Management IT Compliance Security Governance • Risk appetite is defined at the organizational level and cascaded to IT. • Risk thresholds are defined and communicated while key IT-related risks are known. • The organization is managing critical IT-related risk to the business effectively and efficiently. • IT-related risk does not exceed risk appetite and the impact of IT risk to business value is identified and managed. • All compliance obligations are identified. • Compliance obligations are adequately addressed. • The organization seeks to proactively manage compliance obligations through the use of technology. • Network and communications security meet business needs. • Information processed on, stored on and transmitted by endpoint devices is protected. • All users are uniquely identifiable and have access rights in accordance with their business role. • Physical measures have been implemented to protect information from unauthorized access, damage and interference when being processed, stored or transmitted. • Electronic information is properly secured when stored, transmitted or destroyed.
Slide 25 BUILDING INTERNAL CONTROL FRAMEWORK GROW & TRANSFORM IT Long-term Strategy Portfolio & Project Delivery Benefits Realization • Business value is created through the qualification and staging of the most appropriate advances and innovations in technology, IT methods and solutions. • Business objectives are met with improved quality benefits and/or reduced cost as a result of the identification and implementation of innovative solutions. • Innovation is promoted and enabled and forms part of the business culture. • As solutions are developed the business case is updated to reflect any changes. • A comprehensive and accurate view of the investment portfolio(s) performance exists. • Investment program changes are reflected in the relevant IT service, asset and resource portfolios. • Robust project and program management practices. • Transparency into project and program progress. • The business is securing optimal value from its portfolio of approved IT- enabled initiatives, services and assets. • Optimal value is derived from IT investment through effective value management practices in the business. • Individual IT-enabled investments contribute optimal value. • Benefits have been realized due to benefits management.
Slide 26 BUILDING INTERNAL CONTROL FRAMEWORK SERVICE MANAGEMENT IT Service Strategy IT Operations IT Architecture • All aspects of the service strategy are aligned with the broader corporate strategy. • The IT strategy is cost- effective, appropriate, realistic, achievable, business-focused and balanced. • Clear and concrete short- term goals can be derived from, and traced back to, specific long-term initiatives, and can then be translated into operational plans. • IT is a value driver for the business. • There is awareness of the service strategy and a clear assignment of accountability for delivery. • Achieve effectiveness and efficiency in the delivery and support of services. • Strategic objectives are ultimately realized through service operations. • Stability in service operations is maintained, allowing for changes in design, scale, scope, and service levels. • The architecture and standards are effective in supporting the business. • A portfolio of business architecture services supports agile business change. • Appropriate and up-to-date domain and/or federated architectures exist that provide reliable architecture information. • A common business architecture framework and methodology as well as an integrated architecture repository are used to enable re-use efficiencies across the business.
Slide 27 EXECUTING THE AUDIT • Is your audit approach risk-based? • What is the workflow for the audit? • How should risks be classified? • Who should participate in the audit? • What information should be requested?
Slide 28 EXECUTING THE AUDIT AUDIT APPROACH Take a consultative approach to assuring IT Governance. Assess Assess your capability and maturity with a wide range of industry standards and best practice frameworks Evaluate Measure your performance in order to establish your current baseline Benchmark Compare your direction with that of your peers using extensive global benchmarking data • Alignment • Value • Risk • Resource • Performance • Evaluate execution management • Organizational structures • Governing processes • Relational mechanisms • Maturity models • IT strategies • Digital business designs • IT investment areas and levels Recommend Provide practical recommendations for your consideration and selection for making improvements • Decision rights & accountability • Process maturity • Performance ratios • Priorities
Slide 29 EXECUTING THE AUDIT AUDIT APPROACH, CONTINUED Step 1 – Assess Conduct an assessment through executive and senior management and business leader interviews, roundtables, and surveys and examine documentation to compare IT practices against the framework in the areas of alignment, value, risk, resource, and performance. Analyse critical IT practices and prioritize risk to communicate the risk exposure based on stated objectives. The key to assuring IT is to understand the culture and priorities in both the business and IT; this will ensure that IT is aligned with the overall business strategy, and that the IT strategy drives controls, policies, budgets, risk tolerance, and service levels. Step 2 – Evaluate/Compare Leverage the results of Step 1 to evaluate and define the current condition of IT practice indicators that will be used to assess achievement of the expectations expressed in the IT Governance framework. Continue this evaluation by comparing your direction with that of your peers using extensive global benchmarking data. [Optional] Step 3 – Recommend Through the analysis of strengths and weaknesses, the prior steps provide the information to prepare practical recommendations and actions to improve the outcomes and performance of enterprise IT. Throughout the assessment, provide improvement recommendations based on the evaluation documentation and discussions with executive and senior management. At any time you identify an item that requires immediate attention by management, communicate such item.
Slide 30 EXECUTING THE AUDIT AUDIT WORKFLOW Tasks / Milestones Duration Project Start-up / Finalize Statement of Work Week 1 – Week 2 1. Kick-off Meeting 2. Begin Scheduling Interviews 3. Publish Initial Information Request 4. Establish Goals, Objectives, and Drivers for Assessment 5. Determine Comparison Baselines from Past IT Audits / Changes 6. Propose Custom Framework for Assessment 7. Obtain Approval for Proposal, Timeline, and Initial Resources 8. Establish Assessment Infrastructure to Coordinate Activities 9. Publish Goals and Guiding Principles of Assessment 10. Update Interview Calendar 11. Launch Assessment
Slide 31 EXECUTING THE AUDIT AUDIT WORKFLOW, CONTINUED Tasks / Milestones Duration Perform Assessment Week 3 – Week 4 1. Finalize Categories / Process Areas for Custom Framework 2. Build Custom Framework 3. Publish Updated Information Request 4. Conduct Assessment and Characterize Current Practice 5. Develop Audit Themes and Begin Socializing with Senior Management 6. Develop Recommendations and Document Results 7. Identify Improvement Strategy and Priorities Prepare / Deliver Draft Report Week 5 – Week 5 Prepare / Deliver Final Report Week 6 – Week 6 Plan Improvement (Optional) Week 7 – Week 8 1. Understand Short-/Long-Term Planned Improvement Efforts 2. Identify Roles/Responsibilities of Improvement/Audit Programs 3. Reconcile Existing/Planned Improvements with the Assessment Baseline 4. Prepare Performance Measurement Plan 5. Create Strategic Improvement Program
Slide 32 EXECUTING THE AUDIT CLASSIFY IT RISK Factor IT Risk within the ERM process to help ensure IT decision- makers know how much IT Risk is acceptable. Significance Likelihood 10 98 7 6 5 4 3 2 1 11 12 13 14 15 1. Enterprise IT Strategy 2. Digital Business Designs 3. Organizational Structures 4. Enterprise Architecture 5. IT Service Valuation 6. IT Investment Portfolios 7. IT Performance 8. IT Risk Management 9. IT Compliance 10. Security Governance 11. Service Strategy 12. Project Delivery 13. Benefits Realization 14. IT Operations 15. Price Performance
Slide 33 EXECUTING THE AUDIT IDENTIFYING PARTICIPANTS Technology • Heads IT Operations • Heads IT Development • Chief Technology Officer • Chief Architect • Chief Information Officer • Chief Information Security Officer • Heads IT PMOs Business • Chief Risk Officer • Business Leaders • Chief Financial Officer • IT Spokesperson on the Board • Heads Enterprise PMO Survey • Frontline and Middle Management The audit involves executives, senior management, and business leader interviews and possibly surveying frontline and business management.
Slide 34 EXECUTING THE AUDIT INFORMATION REQUESTS • IT strategy documentation • IT scorecards • IT policies • IT financial management documentation, including: financing and budgeting, asset management, contract management, and resource plans • Service level agreements (SLAs) • Any utilized governance or maturity frameworks and models • IT compliance and training requirements • Governance processes documentation The following information should be requested to understand IT Governance practices:
Slide 35 QUESTIONS & ANSWERS
Slide 36 YOUR SPEAKERS Steve Beaton Vice President Bank Audit Services Robert Koehler Director Risk Assurance Services Steve is Vice President of Bank Audit Services at USAA, where he leads audit coverage of bank operations. Previously he led IT/Security Audit Services, supporting the full range of engagements specific to IT/Security. Prior to joining USAA, Steve was Vice President of IT Audit at Freddie Mac. Steve is a seasoned internal audit and risk management executive with diverse leadership experience within financial services including TD BankNorth, Fifth Third Bank, Sunlife Financial, and Bank of Ireland. Steve holds a bachelor of business administration from Merrimack College in Massachusetts and a master’s degree in management of information technology from the McIntire School of Commerce at the University of Virginia. He is a Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA) and Certified Financial Services Auditor (CFSA). Robert is a Director at PwC. Over the last 30 years, as a consulting executive and provider, he has purchased, sold, managed, and delivered extensive global IT consulting services involving Oracle, SAP, and Microsoft enterprise software suites. He has led numerous global business transformations, and the PMOs, IT asset portfolios, and project management practices of leading firms. His specialties are in assuming responsibility for and leading client services in need of performance gains, improved client relations, and growth across numerous industries and the Government. Robert has earned a M.S. in Management, Project Management Specialty from Boston University and a B.S. in Administration and Management from La Roche College. He holds the professional certifications of Program Management Professional (PgMP), Project Management Professional (PMP), and Certified in the Governance of Enterprise IT (CGEIT). steven.beaton@usaa.com (210) 249-1309 robert.j.koehler@us.pwc.com (505) 417-7689

More Related Content

PPTX
Corporate governance of INFORMATION TECHNOLOGY (IT)
byOsman Hasan
 
PPT
It governance 13 may20102
byJames Sutter
 
PPTX
IT Governance Made Easy
byJerry Bishop
 
PPTX
Comprehending Information Technology Governance
byGoutama Bachtiar
 
PPT
Governance Of Enterprise Information Technology V3
bypjmartinez
 
PPTX
What Is It Governance Introduction
bynicxenos
 
PDF
Governance matrix
byzeusi9iuto
 
PPTX
Mergers & Acquisitions - Addressing The Critical IT Issues
bycurtherge
 
Corporate governance of INFORMATION TECHNOLOGY (IT)
byOsman Hasan
 
It governance 13 may20102
byJames Sutter
 
IT Governance Made Easy
byJerry Bishop
 
Comprehending Information Technology Governance
byGoutama Bachtiar
 
Governance Of Enterprise Information Technology V3
bypjmartinez
 
What Is It Governance Introduction
bynicxenos
 
Governance matrix
byzeusi9iuto
 
Mergers & Acquisitions - Addressing The Critical IT Issues
bycurtherge
 

What's hot

PPTX
It governance
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
PDF
IT Governance
byCarlos Chalico
 
PPT
Understanding IT Governance and Risk Management
byjiricejka
 
PPT
IT Governance Introduction
byKeith Rackley
 
PPT
What Every Executive Needs To Know About IT Governance
byBill Lisse
 
PPT
IT Governances
byJerald Burget
 
PDF
[MU630] 002. IT Strategic Planning
byAriantoMuditomo
 
PPTX
IT Governance Presentation
byjmcarden
 
PPTX
IT Governance Vs IT Management Presentation V0.1
byRichard Willis
 
PPT
EFFECTIVE IT GOVERNANCE presentation
byS L
 
PPT
IT Governance Concept
byitgproduct
 
PPTX
IT Governance - OpenThinking Day
byIyad Mourtada, CMA, CIA, CFE, CCSA, CRMA, CPLP
 
PDF
Executive's Handbook on IT Strategy and Governance
byKuda Musundire CA (Z), RPA
 
PDF
2 -governanca_de_tic_-_uma_visao_do_mercado_gartner_-_claudio_chauke
byMayk Campelo
 
PPTX
IT Strategic Planning Guide
byMary Patry
 
PPT
Stateofthecio2008 1210987739793979 8
byBalaji Balasubramanian
 
PDF
What is IT Governance?
byMansoor Adenwala
 
PDF
IT Governance Overview
byJim Sutter
 
It governance
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
IT Governance
byCarlos Chalico
 
Understanding IT Governance and Risk Management
byjiricejka
 
IT Governance Introduction
byKeith Rackley
 
What Every Executive Needs To Know About IT Governance
byBill Lisse
 
IT Governances
byJerald Burget
 
[MU630] 002. IT Strategic Planning
byAriantoMuditomo
 
IT Governance Presentation
byjmcarden
 
IT Governance Vs IT Management Presentation V0.1
byRichard Willis
 
EFFECTIVE IT GOVERNANCE presentation
byS L
 
IT Governance Concept
byitgproduct
 
IT Governance - OpenThinking Day
byIyad Mourtada, CMA, CIA, CFE, CCSA, CRMA, CPLP
 
Executive's Handbook on IT Strategy and Governance
byKuda Musundire CA (Z), RPA
 
2 -governanca_de_tic_-_uma_visao_do_mercado_gartner_-_claudio_chauke
byMayk Campelo
 
IT Strategic Planning Guide
byMary Patry
 
Stateofthecio2008 1210987739793979 8
byBalaji Balasubramanian
 
What is IT Governance?
byMansoor Adenwala
 
IT Governance Overview
byJim Sutter
 

Similar to Sharpening the Lens

PPT
This one cobit_introduction cobit notes.ppt
bykong100
 
PPTX
2014-1-Intro-GRC-and-COBIT5 notes fin.pptx
bykong100
 
PPT
It governance
byMahetab Khan
 
PDF
IT GovernanceChallenges facing IT Governance.pdf
bySherifElGohary7
 
PPSX
IT Governance - COBIT Perspective
bySayyed Zakir Ali Rizwe
 
PPTX
Information Security Governance and Strategy
byDam Frank
 
PDF
IT Governance - Governing IT: Do or Die?
byEryk Budi Pratama
 
PPTX
IT Governance.pptx
byFaith Shimba
 
PDF
COBITlaminate_online_RD3 introduction overview
byssusercf2d3e
 
PPTX
future technology in ai and whats are the new technogies used by the government
bymanonit047
 
PPT
IT_Governance iia uganda_presentation_ruyooka_2011
byAmbrose Ruyooka,PMP,CGEIT, CRISC
 
PDF
It governance & cobit 5
byLaddawan Rattanaruang
 
PDF
What is Cobit
byBen Kalland
 
PPTX
IT Govenence.pptx
byPeterOwenje1
 
PPT
IT Governance Presentation by omaha 2008
byssusera19f45
 
PPTX
CIT 3122 IS Governance Lecture 3.pptx
byanthonywanjohi5
 
PPT
It governance in_higher_education_by_james_yung
bynorsaidatul_akmar
 
PPTX
rethinking marketing
byNavneet Singh
 
PDF
Understanding co bit 4.1
byn|u - The Open Security Community
 
PPT
It Governance Slides for MISA Ontario June 2009
byBen Perry
 
This one cobit_introduction cobit notes.ppt
bykong100
 
2014-1-Intro-GRC-and-COBIT5 notes fin.pptx
bykong100
 
It governance
byMahetab Khan
 
IT GovernanceChallenges facing IT Governance.pdf
bySherifElGohary7
 
IT Governance - COBIT Perspective
bySayyed Zakir Ali Rizwe
 
Information Security Governance and Strategy
byDam Frank
 
IT Governance - Governing IT: Do or Die?
byEryk Budi Pratama
 
IT Governance.pptx
byFaith Shimba
 
COBITlaminate_online_RD3 introduction overview
byssusercf2d3e
 
future technology in ai and whats are the new technogies used by the government
bymanonit047
 
IT_Governance iia uganda_presentation_ruyooka_2011
byAmbrose Ruyooka,PMP,CGEIT, CRISC
 
It governance & cobit 5
byLaddawan Rattanaruang
 
What is Cobit
byBen Kalland
 
IT Govenence.pptx
byPeterOwenje1
 
IT Governance Presentation by omaha 2008
byssusera19f45
 
CIT 3122 IS Governance Lecture 3.pptx
byanthonywanjohi5
 
It governance in_higher_education_by_james_yung
bynorsaidatul_akmar
 
rethinking marketing
byNavneet Singh
 
Understanding co bit 4.1
byn|u - The Open Security Community
 
It Governance Slides for MISA Ontario June 2009
byBen Perry
 

Sharpening the Lens

  • 1.
    Steve Beaton, CIA,CISA, CFSA, MsMIT, USAA VP IA Robert Koehler, CGEIT, PgMP, PMP, MsPM, PwC Director
  • 2.
    Slide 2 TOPIC We willexplore the essential elements for preparing an assurance framework for IT Governance that integrates leading industry standards and practices ensuring the governing objectives for assessing strategy, financial performance, and effective delivery of technology.
  • 3.
    Slide 3 KEY BENEFITSTO THE AUDIENCE • We will highlight the leading IT Governance standards, drawing comparison between their similarities and differences. • We will highlight the business areas not adequately addressed by IT Governance standards. • We will recommend internal controls that pertain to aligning the relationships between the business and IT, including organizational structures for the evaluation and direction of IT. • We will recommend internal controls that pertain to the effectiveness of deriving value from IT, including financial performance and the planning for benefits realization. • We will recommend internal controls that pertain to the effectiveness of IT risk and compliance management, including what can be done to ensure sufficient IT risk information is factored into investment decision making.
  • 4.
    Slide 4 CURRENT STATEOF IT GOVERNANCE We will highlight the leading IT Governance standards, drawing comparison between their similarities and differences. • What are leaders saying about it? • Whose definition is best? • How is IA’s role perceived? • Where are the rabbit holes?
  • 5.
    Slide 5 CURRENT STATEOF IT GOVERNANCE IN THE NEWS Oversight split between the Board, Audit Committee, IT/Risk Committees or no one at all. - PwC, Insights from the Boardroom 2012 Only 30% of directors find IT expertise a “very important” attribute in new directors, and 31% are not seeking this skill set at all. - PwC’s 2013 Annual Corporate Directors Survey 44-50% of Board members meet with the CIO only once a year or not at all. - PwC, Insights from the Boardroom 2012 Only 38% of business partners seen as “very engaged” in IT Governance. - Forrester, The State Of IT Governance Q4 2010 The findings of a number of research projects conducted by the Massachusetts Institute of Technology (MIT) Center for Information Systems Research (CISR) suggest that firms with focused strategies and above-average IT governance capabilities had more than 20 percent higher profits than other firms following the same strategies. - Peter Weill and Jeanne W. Ross, It governance, how top performers manage it decisions for superior results, Harvard Business School Press Effective IT governance is the single most important predictor of the value an organization generates from IT. - Peter Weill and Jeanne W. Ross, It governance, how top performers manage it decisions for superior results, Harvard Business School Press
  • 6.
    Slide 6 COMPARING ITGOVERNANCE STANDARDS WHOSE DEFINITION IS BEST? • ISACA – The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives. • ISO – The system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization. • Gartner – The set of processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. • Forrester – A decision-making framework for IT investments that is designed to maximize the return of benefits while managing risk to acceptable levels. • MIT CISR – Specifying the decision rights and accountability framework to encourage desirable behavior in using IT.
  • 7.
    Slide 7 ARE STAKEHOLDERSSATISFIED? AREAS OF LEAST SATISFACTION WITH IA
  • 8.
    Slide 8 COMPARING ITGOVERNANCE STANDARDS STANDARDS OVERLAPPING, EVEN CONFLICTING The challenge is choosing right and filling in the gaps as many standards are overlapping, even conflicting – None complete IT GovernanceProject Management Process Centric Maturity Centric PMI/PMBOK ITIL IT Management Val IT 2.0 Risk IT COBIT 5SEI CMMI ISO 38500TOGAF ISO 17998 COBIT 4 ISO 27001/2/5 MoV ISO 31000 MIT CISR PRINCE2 Most relevant standards
  • 9.
    Slide 9 COMPARING ITGOVERNANCE STANDARDS RIGHT SPECTRUM FOR COMPARISON Five dimensions of comparison used, each having a common focus on an organizations ability to drive greater value from IT Strategic Alignment •The successful alignment between business and IT •The comprehension of the impacts of IT on business processes and results •The clarity of priorities for both IT investments and business management focus Financial Performance •The effectiveness of deriving value from IT across the first and second lines of defense •The comprehension of performance as predictors of strategic decision-making •The comprehension of factors to measure and regulate the effectiveness of controls for risk and compliance Risk & Compliance •The establishment or risk, compliance, security and legal authority •The alignment of risk and compliance decisions with responsibilities for performance •The level of process integration across IT governance, risk, and compliance Grow & Transform •The level IT investments contribute to optimal business value •The level collaboration occurs between business and IT to realize benefits •The provision of investment management controls across the economic lives of investments Delivery Management •The determination of how types of IT-enabled capabilities are chosen as important for success •The decision driven actions to set objectives and expectations for the performance of IT •The position to handle the costs and risk of the service portfolios
  • 10.
    Slide 10 COMPARING ITGOVERNANCE STANDARDS MAPPING TO LEADING PRACTICES Strategic Alignment Financial Performance Delivery Risk & Compliance Grow &Transform Delivery Mgmt. • COBIT APO08 Manage Relationships • COBIT EDM01 Ensure Governance Framework Setting and Maintenance • COBIT EDM04 Ensure Resource Optimization • ITIL Strategy – Strategy and Organization • ITIL Strategy – Demand Management • IIA GTAG 17 – Auditing IT Governance • ISO/IEC 38500: 2008–Corporate Governance of Information Technology • COBIT MEA01 Monitor, Evaluate and Assess Performance and Conformance • EDM05 Ensure Stakeholder Transparency • COBIT APO06 Manage Budget and Costs • ITIL Strategy – Financial Management • ITIL Strategy – Return on Investment • ISO/IEC 38500: 2008–Corporate Governance of Information Technology • COBIT EDM03 Ensure Risk Optimization • COBIT MEA03 Monitor, Evaluate and Assess Compliance with External Requirements • COBIT DSS05 Manage Security Services • ISO/IEC 31000– Risk Management • ISO/IEC 27000– Security Techniques • Multiple industry based requirements such as: HIPPA, AML, Dodd Frank, PCI, FISMA, Sarbanes Oxley and Safe Harbour • COBIT APO04 Manage Innovation • COBIT APO05 Manage Portfolio • COBIT EDM02 Ensure Benefits Delivery • ITIL Strategy – Service Portfolio Management • Project Management Book of Knowledge (PMBOK) • Projects in Controlled Environments (PRINCE 2) • Portfolio, Program, and Project Management Maturity Model (P3M3) • ITIL Strategy– Strategy, Tactics, and Operations • COBIT APO02 Manage Strategy • COBIT APO03 Manage Enterprise Architecture • The Open Group Architecture Framework (TOGAF) • ISO/IEC 20000–IT Service Management
  • 11.
    Slide 11 AREAS NOTADEQUATELY COVERED We will highlight the business areas not adequately addressed by IT Governance standards. • Is IT on the boards agenda? • Does corporate strategy influence IT? • Is the value gap being closed? • Does the three lines of defense help IT Governance? • Is IT Governance, Risk and Compliance combined? • Are business benefits being realized?
  • 12.
    Slide 12 AREAS NOTADEQUATELY COVERED IT ON THE BOARD’S AGENDA A structured approach for board’s IT oversight: • Assessment: Evaluate the company’s current IT situation, while considering various factors, and conclude how critical IT is to the company’s current and future success. • Approach: Agree on the board's IT oversight approach including who is responsible (the full board, the audit committee, a risk committee, etc.), how often to discuss IT, and when to talk with the CIO. • Prioritization: Identify the IT subjects most relevant to the company and focus oversight efforts on those areas. • Strategy: "Bake" IT initiatives into the board’s oversight of overall company strategy based on the importance of IT to the company. • Risk: Include IT risks as part of the board’s risk management oversight process. • Monitoring: Adopt a continuous IT oversight process, regularly revisit the efficacy of that process, and measure results.
  • 13.
    Slide 13 AREAS NOTADEQUATELY COVERED CASCADING CORPORATE STRATEGY Need to evaluate the IT strategy within the overall strategy for the business Business Strategy (3-5 yr plan) IT Strategy Digital Business Model • Frames how IT & technology enables business capabilities • Sets expectations for scalability & interoperability • Provides principles & standards that guide technology decisions • Prioritizes immediate IT challenges that need resolution • Identifies synergies across entities • Identifies digital business model capabilities • Measures effectiveness of digital content, experience, and platform • Identifies digital source of competitive advantage BusinessDrivenITStrategy • Develops a target state and future vision that synchronizes IT investments with business needs • Creates a blueprint for maximizing return on technology investments • Establish guiding principles that will drive the technology evolution Strategy & business alignment Organization & skills Technology & architecture Management & Governance Information Product Customer Experience Internal External The Digital Business Model describes how content, experience, and platform works together to create a compelling customer value proposition. The Business Strategy describes and interrelates mission, vision, goals, and strategies with core processes, constituents, and interactions.
  • 14.
    Slide 14 AREAS NOTADEQUATELY COVERED CLOSING THE VALUE GAP While many companies fail to deliver business value, top performers deliver the expected value (+15%), on time (+30%) at or below budget (+30%) ACTUAL ROI = -4% Value RealizedPlan Actual Execution Benefits Only 38% of programs delivered 100% of value Time Only 36% of programs are delivered on time Value (200) Cost (100) Year 1 Year 2 Year 3 3 Year Plan Value (125) Extra Year 4 Year Actual Value Gap Cost (130) Over Cost PLAN ROI=50% The Value Gap -$60M -$15M +$30M EXAMPLE: Time Increase: 30% Cost Increase: 30% Value Loss: 30% ($M) IMPACT ($M)
  • 15.
    Slide 15 AREAS NOTADEQUATELY COVERED THREE LINES OF DEFENSE Clear delineation between line controls, second-level monitoring controls and third-line independent assurance for the effective governance of information technology Board of Directors / Audit Committee Business and IT Senior Management Regulator 1st Line of Defense ExternalAudit 3rd Line of Defense2nd Line of Defense Internal Control Measures IT Governance Mechanisms Financial Controls Risk Management Compliance Portfolio Performance Program Governance Security Internal Audit Project Assurance
  • 16.
    Slide 16 AREAS NOTADEQUATELY COVERED IT GRC INTEGRATION IT Governance, risk management and compliance managed in an integrated manner IT Compliance Committee Audit Committees Evaluate Direct Report Monitor IT governance Risk Management Compliance IT Governance Committee IT Steering Committee PMO / Portfolio Management Objective Setting Risk Assessment Event Identification Risk Response Control Activities Information & Communication Monitoring Requirement Analysis Deviation Analysis Deficiency Management Reporting / Documentation Deviation Analysis Enterprise & IT Risk Committees
  • 17.
    Slide 17 AREAS NOTADEQUATELY COVERED BENEFITS REALIZATION The benefits expected from IT are unlikely to emerge automatically. Any benefits sought must be identified along with the changes in ways of working to bring about and sustain each of the benefits. Means to Achieve Changes Evaluate overall vision for the new digital solution Ways to Achieve Changes Evaluate the new ways of doing business and the benefits this will deliver Results of Changes Evaluate how fostering and realizing business benefits will come through structured change Benefits Identification Business Case Benefits Planning Project Delivery User Adoption Value Creation Benefits Extension Benefits Fulfillment
  • 18.
    Slide 18 BUILDING INTERNALCONTROL FRAMEWORK We will recommend internal controls. • Where should we focus our attention? • What IT-related domains should be controlled? • What controls should comprise each domain?
  • 19.
    Slide 19 BUILDING INTERNALCONTROL FRAMEWORK EXECUTIVE AGREEMENT ON ROLE OF IT Align with management’s active design of IT Governance around the business’ objectives and performance goals. •Strategic Aims •Stewardship •IT Reliance •Firm Performance •Economic Life & Reward •Strategic Aims •Stewardship •IT Reliance •Firm Performance •Economic Life & Reward Corporate GovernanceCorporate Governance •Strategic Aims •Stewardship •IT Reliance •Firm Performance •Economic Life & Reward Corporate Governance •Financial Objectives •Customer Needs •Process Improvements •Organizational Learns •Financial Objectives •Customer Needs •Process Improvements •Organizational Learns Performance MgmtPerformance Mgmt •Financial Objectives •Customer Needs •Process Improvements •Organizational Learns Performance Mgmt •Service Levels •Resource Profiles •Workforce Planning •Learning & Development •Service Levels •Resource Profiles •Workforce Planning •Learning & Development Resource ManagementResource Management •Service Levels •Resource Profiles •Workforce Planning •Learning & Development Resource Management •Risk Transparency •Risk Delegation •Risk Control •Operational Risk •Risk Transparency •Risk Delegation •Risk Control •Operational Risk Risk ManagementRisk Management •Risk Transparency •Risk Delegation •Risk Control •Operational Risk Risk Management •Strategic Importance •Environmental Context •Financial Planning •IT Capabilities •IT Resources •Strategic Importance •Environmental Context •Financial Planning •IT Capabilities •IT Resources Strategic AlignmentStrategic Alignment •Strategic Importance •Environmental Context •Financial Planning •IT Capabilities •IT Resources Strategic Alignment •Regulatory Compliance •Internal Controls •IT Security •Compliance Policies •Regulatory Compliance •Internal Controls •IT Security •Compliance Policies IT ComplianceIT Compliance •Regulatory Compliance •Internal Controls •IT Security •Compliance Policies IT Compliance IT Governance Executive Agreement on the Role of IT
  • 20.
    Slide 20 BUILDING INTERNALCONTROL FRAMEWORK TOP-DOWN BOTTOM-UP PROCESS Proper integration of management and support functions must be considered when creating the assessment framework Project Work and Resource Authorizations Change Requirements and Risk Mitigates Performance Measurements Corporate Risk Management Service Levels and Finished Products Professional and Operational Services Investment Management IT Strategy, Vision, and Action Plans Program Health Updates Benefits Realization Time-Sensitive Growth / Recovery Strategies IT Governance IT Services Project Portfolio Management Corporate Governance Top-Down Evaluation & Direction Bottom-Up Monitoring & Reporting
  • 21.
    Slide 21 BUILDING INTERNALCONTROL FRAMEWORK HOLISTIC VIEW Encompassing these arrangements to create a holistic view of the governance, management, and use of IT Business Strategy Organization Structures Digital Business Models IT Asset Portfolios Performance and Change Metrics IT Service Valuation IT Risk Management IT Compliance Security Governance IT Service Strategy IT Long-term Strategy Portfolio & Project Delivery Operations Benefits Realization Architecture Strategic Alignment Financial Performance Risk & Compliance Grow & Transform Service Management Delivery Management
  • 22.
    Slide 22 BUILDING INTERNALCONTROL FRAMEWORK STRATEGIC ALIGNMENT Business Strategy Digital Business Models Organization Structures • Clear alignment is visible between Corporate and IT Strategy. • Business strategy changes are understood, documented and approved with their impact on IT communicated. • Good relationships and communication channels exist between the business and IT. • Business stakeholders are aware of technology- enabled opportunities. • Business plans, operating models and requirements are understood, documented and approved with their impact on IT communicated. • Impacts of expected future demand are understood and built into IT planning. • Strategic decision-making model for IT is effective and aligned with the organization’s internal and external environment and stakeholder requirements. • The governance system & bodies for IT are implemented and operating effectively. • Organizational structures are aligned with strategic value drivers. • The resource needs of the organization are met with the right capabilities. • Resources are allocated to best meet the overall business priorities within budget constraints. • Optimal use of resources is achieved throughout their full economic life cycles.
  • 23.
    Slide 23 BUILDING INTERNALCONTROL FRAMEWORK FINANCIAL PERFORMANCE IT Service Valuation IT Asset Portfolio Performance & Change Metrics • Processes are measured against agreed-on goals and metrics. • Goals and metrics are approved by the stakeholders. • Owners are assigned and held accountable. • Investment decisions are linked to value that can be tracked. • An appropriate investment mix is defined and aligned with business strategy. • Program business cases are evaluated and prioritized before funds are allocated. • Sources of investment funding are identified and available. • Current accounting evaluation process for justifying an IT investment is sufficient for managing investment risk. • Returns are measured across the economic life of the investment. • Performance measures include profitability, productivity and effectiveness. • Goals and metrics are integrated within the organization’s monitoring systems. • Process reporting on performance and conformance is useful and timely.
  • 24.
    Slide 24 BUILDING INTERNALCONTROL FRAMEWORK RISK & COMPLIANCE IT Risk Management IT Compliance Security Governance • Risk appetite is defined at the organizational level and cascaded to IT. • Risk thresholds are defined and communicated while key IT-related risks are known. • The organization is managing critical IT-related risk to the business effectively and efficiently. • IT-related risk does not exceed risk appetite and the impact of IT risk to business value is identified and managed. • All compliance obligations are identified. • Compliance obligations are adequately addressed. • The organization seeks to proactively manage compliance obligations through the use of technology. • Network and communications security meet business needs. • Information processed on, stored on and transmitted by endpoint devices is protected. • All users are uniquely identifiable and have access rights in accordance with their business role. • Physical measures have been implemented to protect information from unauthorized access, damage and interference when being processed, stored or transmitted. • Electronic information is properly secured when stored, transmitted or destroyed.
  • 25.
    Slide 25 BUILDING INTERNALCONTROL FRAMEWORK GROW & TRANSFORM IT Long-term Strategy Portfolio & Project Delivery Benefits Realization • Business value is created through the qualification and staging of the most appropriate advances and innovations in technology, IT methods and solutions. • Business objectives are met with improved quality benefits and/or reduced cost as a result of the identification and implementation of innovative solutions. • Innovation is promoted and enabled and forms part of the business culture. • As solutions are developed the business case is updated to reflect any changes. • A comprehensive and accurate view of the investment portfolio(s) performance exists. • Investment program changes are reflected in the relevant IT service, asset and resource portfolios. • Robust project and program management practices. • Transparency into project and program progress. • The business is securing optimal value from its portfolio of approved IT- enabled initiatives, services and assets. • Optimal value is derived from IT investment through effective value management practices in the business. • Individual IT-enabled investments contribute optimal value. • Benefits have been realized due to benefits management.
  • 26.
    Slide 26 BUILDING INTERNALCONTROL FRAMEWORK SERVICE MANAGEMENT IT Service Strategy IT Operations IT Architecture • All aspects of the service strategy are aligned with the broader corporate strategy. • The IT strategy is cost- effective, appropriate, realistic, achievable, business-focused and balanced. • Clear and concrete short- term goals can be derived from, and traced back to, specific long-term initiatives, and can then be translated into operational plans. • IT is a value driver for the business. • There is awareness of the service strategy and a clear assignment of accountability for delivery. • Achieve effectiveness and efficiency in the delivery and support of services. • Strategic objectives are ultimately realized through service operations. • Stability in service operations is maintained, allowing for changes in design, scale, scope, and service levels. • The architecture and standards are effective in supporting the business. • A portfolio of business architecture services supports agile business change. • Appropriate and up-to-date domain and/or federated architectures exist that provide reliable architecture information. • A common business architecture framework and methodology as well as an integrated architecture repository are used to enable re-use efficiencies across the business.
  • 27.
    Slide 27 EXECUTING THEAUDIT • Is your audit approach risk-based? • What is the workflow for the audit? • How should risks be classified? • Who should participate in the audit? • What information should be requested?
  • 28.
    Slide 28 EXECUTING THEAUDIT AUDIT APPROACH Take a consultative approach to assuring IT Governance. Assess Assess your capability and maturity with a wide range of industry standards and best practice frameworks Evaluate Measure your performance in order to establish your current baseline Benchmark Compare your direction with that of your peers using extensive global benchmarking data • Alignment • Value • Risk • Resource • Performance • Evaluate execution management • Organizational structures • Governing processes • Relational mechanisms • Maturity models • IT strategies • Digital business designs • IT investment areas and levels Recommend Provide practical recommendations for your consideration and selection for making improvements • Decision rights & accountability • Process maturity • Performance ratios • Priorities
  • 29.
    Slide 29 EXECUTING THEAUDIT AUDIT APPROACH, CONTINUED Step 1 – Assess Conduct an assessment through executive and senior management and business leader interviews, roundtables, and surveys and examine documentation to compare IT practices against the framework in the areas of alignment, value, risk, resource, and performance. Analyse critical IT practices and prioritize risk to communicate the risk exposure based on stated objectives. The key to assuring IT is to understand the culture and priorities in both the business and IT; this will ensure that IT is aligned with the overall business strategy, and that the IT strategy drives controls, policies, budgets, risk tolerance, and service levels. Step 2 – Evaluate/Compare Leverage the results of Step 1 to evaluate and define the current condition of IT practice indicators that will be used to assess achievement of the expectations expressed in the IT Governance framework. Continue this evaluation by comparing your direction with that of your peers using extensive global benchmarking data. [Optional] Step 3 – Recommend Through the analysis of strengths and weaknesses, the prior steps provide the information to prepare practical recommendations and actions to improve the outcomes and performance of enterprise IT. Throughout the assessment, provide improvement recommendations based on the evaluation documentation and discussions with executive and senior management. At any time you identify an item that requires immediate attention by management, communicate such item.
  • 30.
    Slide 30 EXECUTING THEAUDIT AUDIT WORKFLOW Tasks / Milestones Duration Project Start-up / Finalize Statement of Work Week 1 – Week 2 1. Kick-off Meeting 2. Begin Scheduling Interviews 3. Publish Initial Information Request 4. Establish Goals, Objectives, and Drivers for Assessment 5. Determine Comparison Baselines from Past IT Audits / Changes 6. Propose Custom Framework for Assessment 7. Obtain Approval for Proposal, Timeline, and Initial Resources 8. Establish Assessment Infrastructure to Coordinate Activities 9. Publish Goals and Guiding Principles of Assessment 10. Update Interview Calendar 11. Launch Assessment
  • 31.
    Slide 31 EXECUTING THEAUDIT AUDIT WORKFLOW, CONTINUED Tasks / Milestones Duration Perform Assessment Week 3 – Week 4 1. Finalize Categories / Process Areas for Custom Framework 2. Build Custom Framework 3. Publish Updated Information Request 4. Conduct Assessment and Characterize Current Practice 5. Develop Audit Themes and Begin Socializing with Senior Management 6. Develop Recommendations and Document Results 7. Identify Improvement Strategy and Priorities Prepare / Deliver Draft Report Week 5 – Week 5 Prepare / Deliver Final Report Week 6 – Week 6 Plan Improvement (Optional) Week 7 – Week 8 1. Understand Short-/Long-Term Planned Improvement Efforts 2. Identify Roles/Responsibilities of Improvement/Audit Programs 3. Reconcile Existing/Planned Improvements with the Assessment Baseline 4. Prepare Performance Measurement Plan 5. Create Strategic Improvement Program
  • 32.
    Slide 32 EXECUTING THEAUDIT CLASSIFY IT RISK Factor IT Risk within the ERM process to help ensure IT decision- makers know how much IT Risk is acceptable. Significance Likelihood 10 98 7 6 5 4 3 2 1 11 12 13 14 15 1. Enterprise IT Strategy 2. Digital Business Designs 3. Organizational Structures 4. Enterprise Architecture 5. IT Service Valuation 6. IT Investment Portfolios 7. IT Performance 8. IT Risk Management 9. IT Compliance 10. Security Governance 11. Service Strategy 12. Project Delivery 13. Benefits Realization 14. IT Operations 15. Price Performance
  • 33.
    Slide 33 EXECUTING THEAUDIT IDENTIFYING PARTICIPANTS Technology • Heads IT Operations • Heads IT Development • Chief Technology Officer • Chief Architect • Chief Information Officer • Chief Information Security Officer • Heads IT PMOs Business • Chief Risk Officer • Business Leaders • Chief Financial Officer • IT Spokesperson on the Board • Heads Enterprise PMO Survey • Frontline and Middle Management The audit involves executives, senior management, and business leader interviews and possibly surveying frontline and business management.
  • 34.
    Slide 34 EXECUTING THEAUDIT INFORMATION REQUESTS • IT strategy documentation • IT scorecards • IT policies • IT financial management documentation, including: financing and budgeting, asset management, contract management, and resource plans • Service level agreements (SLAs) • Any utilized governance or maturity frameworks and models • IT compliance and training requirements • Governance processes documentation The following information should be requested to understand IT Governance practices:
  • 35.
  • 36.
    Slide 36 YOUR SPEAKERS SteveBeaton Vice President Bank Audit Services Robert Koehler Director Risk Assurance Services Steve is Vice President of Bank Audit Services at USAA, where he leads audit coverage of bank operations. Previously he led IT/Security Audit Services, supporting the full range of engagements specific to IT/Security. Prior to joining USAA, Steve was Vice President of IT Audit at Freddie Mac. Steve is a seasoned internal audit and risk management executive with diverse leadership experience within financial services including TD BankNorth, Fifth Third Bank, Sunlife Financial, and Bank of Ireland. Steve holds a bachelor of business administration from Merrimack College in Massachusetts and a master’s degree in management of information technology from the McIntire School of Commerce at the University of Virginia. He is a Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA) and Certified Financial Services Auditor (CFSA). Robert is a Director at PwC. Over the last 30 years, as a consulting executive and provider, he has purchased, sold, managed, and delivered extensive global IT consulting services involving Oracle, SAP, and Microsoft enterprise software suites. He has led numerous global business transformations, and the PMOs, IT asset portfolios, and project management practices of leading firms. His specialties are in assuming responsibility for and leading client services in need of performance gains, improved client relations, and growth across numerous industries and the Government. Robert has earned a M.S. in Management, Project Management Specialty from Boston University and a B.S. in Administration and Management from La Roche College. He holds the professional certifications of Program Management Professional (PgMP), Project Management Professional (PMP), and Certified in the Governance of Enterprise IT (CGEIT). [email protected] (210) 249-1309 [email protected] (505) 417-7689