Date post: 30-Dec-2015
Presented By Tay Un Soo Senior VP, Bank of Commerce President of ISACA - Malaysia Chapter 1999 National Accountants Conference THRIVING IN THE DIGITAL ECONOMY OF A NEW CENTURY
Transcript
Page 1:

Presented By Tay Un Soo

Senior VP, Bank of Commerce

President of ISACA - Malaysia Chapter

1999 National Accountants Conference

THRIVING IN THE DIGITAL ECONOMY OF A NEW CENTURY

Page 2:

AGENDA

• Introduction - Directions and Challenges

• What is Corporate Governance & how it works

• What is IT Governance & how it works

• Relationship of Corporate and IT Governance

• How IT Governance impacts Enterprise effectiveness

• CobiT: The breakthrough IT Governance tool

• What is IT Audit Governance?

• How to audit IT Governance?

• Conclusion

Page 3:

Introduction: What is Digital Economy?

[Diagram labels: Information; Knowledge; Content; Computing; Communication; Interactive Multimedia; Technology; Humans; Organizations; Societies; Intelligence; Cyberspace; Digital; Electronic; Goods, services, capital, labour, information]

Page 4:

Changes In Information Technology

[Diagram labels: Time to react; Business process; Organization; Rightsizing; Control Redesign; TRENDS; Realignment; MISSION; CUSTOMERS; COMPETITION; NEW ENTERPRISE; Business risk; Risk Assessment Assurance; AUDITORS]

Page 5:

INFORMATION TECHNOLOGY

BUSINESS STRATEGIES, CULTURES, ETHICS

SUCCESSFUL ENTERPRISE

OPTIMISE INFORMATION VALUE

CAPITALISE ON TECHNOLOGY

ATTAIN BUSINESS OBJECTIVES

Page 6:

SECURITY & PRIVACY

TIMELY, ACCURATE INFORMATION

BUSINESS CONTINUITY

NEW AUDIT METHODOLOGIES

ACCOUNTING FOR VIRTUAL ASSETS

TECHNICAL PROFICIENCIES

CHANGING ROLES

Page 7:

AICPA 1999 TOP 10 TECHNOLOGY PRIORITIES

Rank (1999)  Priority                           Rank (1998)
1.           Year 2000                          2
2.           Internet, Intranets & Extranets    1
3.           Information Security & Control     3
4.           Training & Technology              4
5.           Technology Management              -
6.           Disaster Recovery                  -
7.           The Virtual Office                 -
8.           Privacy                            -
9.           Electronic Money                   -
10.          Electronic Evidence                -

Page 8:

Information-related Assurance Services

RISK ASSESSMENT ASSURANCE

ELECTRONIC COMMERCE ASSURANCE

SYSTEM RELIABILITY ASSURANCE

WEBTRUST ASSURANCE

Business Risks

Systems & Tools

Internal IS

Websites

Page 9:

DO THE ISSUES CONCERN ME?

• Do your enterprise’s systems create competitive advantage, or simply keep you in business?

• Does your IT investment make money for your organization or cause it concern?

• What is the economic and strategic value of your enterprise’s information?

• How is online and internet delivery of products and services changing global industries?

CIO

Page 10:

• Does your management view the internet as a threat or an opportunity?

• How can you help management and Board to effectively manage and govern IT strategy opportunities and threats in the rapidly changing technology?

Page 11:

TOP PRIORITIES OF CHIEF INFORMATION OFFICERS

In The Digital Economy

• Business/IT fusion

• Demonstrating the business value of IT

• IT Governance

Page 12:

THE TOP OF THE TOP PRIORITIES

IT and systems must work hand in hand with corporate goals and business practices

- To create competitive advantage

- To ensure the ultimate success of the enterprise.

Page 13:

What Is Corporate Governance?

The process and structure to direct and manage the business and affairs of the company

OBJECTIVES

• To enhance business prosperity and corporate accountability

• To realize long term stakeholders value

Page 14:

EFFECTIVE CORPORATE GOVERNANCE

Individual And Group Expertise And Experience

Monitors And Measures Performance

Provides assurance to critical issues

INFORMATION TECHNOLOGY & CORPORATE OBJECTIVES

IT Governance

Page 15:

CORPORATE GOVERNANCE FRAMEWORK

STAKEHOLDERS

REGULATORS

EXTERNAL AUDITORS

AUDIT COMMITTEE

BOARD OF DIRECTORS

Page 16:

COSO Framework of Internal Control

[Diagram labels: Monitoring; Control Activities; Risk Assessment; Control Environment; Information & Communication]

Page 17:

Guidance on Control - CoCo

• 20 criteria of control

PURPOSE

CAPABILITY

COMMITMENT

ACTION

MONITORING & LEARNING

Page 18:

[Diagram: COBIT cube. Information Criteria: Quality, Fiduciary, Security. IT Processes: Domains, Processes, Activities. IT Resources.]

Page 19:

How Corporate Governance Works

DIRECT

REPORT

USING

• Results measured

• Input for constant revision & maintenance of control

• Cycle begins again

Enterprise governed by:

Assurance provided by

Page 20:

What is IT Governance?

IT GOVERNANCE is an inclusive term, which encompasses:

• Information systems, technology & communication

• business, legal & other issues

• stakeholders, directors, senior management, process owners, IT suppliers, users, auditors, etc.

Linking business objectives and IT

Page 21:

HOW IT GOVERNANCE WORKS

• IT Aligned With Business

• IT Resources Used Responsibly

• IT Related Risks Managed Appropriately

• Plan/organize

• Acquire/implement

• Deliver/support

• Monitor

MANAGE RISKS: Security, Reliability & Compliance

REALISE BENEFITS:

• Increase automation

• Effectiveness

• Decrease costs

• Efficiency

GOOD/BEST PRACTICES

IT ACTIVITIES

Page 22:

RELATIONSHIP OF CORPORATE & IT GOVERNANCE

STRATEGIC PLAN

Page 23:

RELATIONSHIP OF CORPORATE & IT GOVERNANCE

REQUIRE INFORMATION FROM

BUSINESS OBJECTIVES

STRATEGIC PLANNING

• MAXIMISE BENEFITS

• CAPITALIZING ON OPPORTUNITIES

• GAINING COMPETITIVE ADVANTAGE

Page 24:

How does IT governance impact an enterprise’s effectiveness?

IT INVESTMENT Protection

INFORMATION ASSET - Management for success

BUSINESS ISSUES - Y2K, ERP, E-commerce

STRATEGIC INFORMATION

Security, Confidentiality, Integrity

Page 25:

COBIT is the breakthrough IT governance tool

Page 26:

COBIT:

GOVERNANCE, CONTROL and AUDIT for INFORMATION and RELATED TECHNOLOGY

IT governance tool to help management understand and manage IT risk

Page 27:

THE COBIT FRAMEWORK

Setting The Scene

THE NEED FOR CONTROL IN IT

• Dependencies

• Vulnerabilities

• Scale and cost of investment

• Change organizations and business practices, create opportunities and reduce costs

MANAGEMENT OF IT RISKS

• Management - What to invest for security & control

• Users - assurance

• Auditors - Opinion on internal control

Page 28:

THE COBIT FRAMEWORK

Setting The Scene

• COMPETITION

• CHANGE

• COST

THE BUSINESS ENVIRONMENT

MANAGEMENT EXPECTATIONS OF IT

• Re-engineered Processes

• Right-sizing

• Distributed Processing

• Flattened Organization

• Outsourcing

Page 29:

COBIT IS SPECIFICALLY DESIGNED FOR...

MANAGEMENT

• IT investment

• Risk & Control

• Benchmarking

USERS

Assurance on return on costs, security and control on products and services

AUDITORS

• Minimum controls

• To substantiate opinions to management

Page 30:

COBIT Framework’s Principles - Summary

BUSINESS REQUIREMENTS

IT PROCESSES

IT RESOURCES

Page 31:

The Framework’s Principles

BUSINESS PROCESSES

What you need

INFORMATION

Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability

Do they match?

What you get

IT RESOURCES: data, application systems, technology, facilities, people

Page 32:

The Framework’s Principles

PLANNING & ORGANISATION

ACQUISITION & IMPLEMENTATION

DELIVERY & SUPPORT

MONITORING

IT RESOURCES: data, application systems, technology, facilities, people

The principle applied is that the IT Resources are managed by a set of naturally grouped processes, which need to be controlled in order to ensure that the resources provide the information that the enterprise needs to achieve its objectives.

Match

Page 33:

IT Domains & Processes

Domains: Natural grouping of processes, often matching an organisational domain of responsibility.

Processes: A series of joined activities with natural (control) breaks.

Activities: Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.

Page 34:

The COBIT Cube

[Diagram: COBIT cube. IT Processes: Domains, Processes, Activities. Information Criteria: Quality, Fiduciary, Security. IT Resources: People, Application Systems, Technology, Facilities, Data.]

Page 35:

The Waterfall Navigation Aid - High Level Control Objectives for Each Process

The control of: IT Processes

Which satisfy: Business Requirements

Is enabled by: Control Statements

considering: Control Practices

34 CONTROL OBJECTIVES

AUDIT GUIDELINES

Page 36:

What Is IT Audit Governance?

It is an encompassing term which includes:

• IT Audit Charter

• IT Audit Plan

• IT Audit Manual

• IT Audit Program

Page 37:

How To Audit IT Governance?

• Audit Charter

• Independence

• Planning

• Performance of Audit Work

• Reporting

AUDITING GUIDELINE ISSUED BY ISACA

CORPORATE GOVERNANCE ON INFORMATION SYSTEMS

Page 38:

Audit Charter

• Scope of work to include corporate governance of information systems and technology

• Reporting line to be used where corporate governance issues are identified

Page 39:

Independence

• Consider organizational status appropriate for the nature of planned audit

• If not, use of independent third party should be considered

Page 40:

Planning

• Fact finding - corporate governance structure

• IS audit objectives - intended audience’s needs, level of dissemination intended and national and industry regulations; control framework adopted

• Scope of the audit - relevant processes; IT resources

• Staffing

Page 41:

Performance of Audit Work

• Review of Board activities

• Review of policies and compliance

• Business process owner responsibilities

• Consideration of external factors

Page 42:

Reporting

• To audit committee and Board members

• Contents include

- Statement on directors’ responsibility for system of internal control

- Statement on reasonable assurance of system of internal control

- Key procedures established by Board to provide effective internal control

- Non compliance, major uncontrolled risks

- Poor control structures or controls

- Overall conclusion
