Strategies for an IT Governance Audit
Rocky Mountain Information Security Conference – May 2012
Presented by: Chad Stowe, Experis SME Professional

Introduction: Chad Stowe, CISA
• Experis Finance, SME Professional.
• 17 years audit experience (15 as a CISA).
• Former VP of IT Audit at a large multi-billion dollar financial institution.
• MBA Honors Graduate from Regis University.
IT Governance Learning Objectives
• Understand a successful methodology, structure, and approach for IT Governance.
• Understand example successful methods for analyzing IT Governance.
• Understand critical success factors in performing an IT Governance review in your organization.
IT Governance Methodology
What is IT Governance?
• A subset of Corporate Governance that defines how IT resources are managed on behalf of stakeholders.
• Helps to assure stakeholders that investments in IT generate business value.
• Monitors and mitigates IT risks related to achieving a desired business value.
• Assigns accountability within the IT organization.
• Guided by the culture of the organization.
IT Governance (cont.):
• IT governance processes should align with the entire organization.
• Focused on the risks and values of governance processes.
IT Governance is NOT:
• Guided by regulatory compliance requirements.
• Defined by SOX controls.
• A checklist activity.
IT Governance Structure is focused on:
• Strategy
• Tactics
• Risk Mgmt
• Metrics/ SLAs
[Figure: the four structure elements (Strategy, Tactics, Risk Mgmt, Metrics/SLAs) drawn as a cycle and annotated with the six COBIT ME4 areas, numbered 1 to 6, listed below.]
Mapping back to COBIT
ME4 - Provide IT Governance
1. Establishment of an IT Governance Framework
2. Strategic Alignment
3. Value Delivery
4. Resource Management
5. Risk Management
6. Performance Measurement
SOURCE: Information Systems Audit and Control Association - COBIT v4.1, www.isaca.org
IT Governance Framework and Strategic Value Drivers
1 - Establishment of an IT Governance Framework. Value Drivers:
• IT decisions in line with the business's strategies and objectives.
• A consistent approach for a governance framework achieved and aligned with the business approach.
• Processes overseen effectively and transparently.
• Compliance with legal and regulatory requirements confirmed.
• Stakeholder requirements for governance likely to be met.
2 - Strategic Alignment. Value Drivers:
• IT more responsive to the business's objectives.
• IT resources helping to facilitate the business goals in an efficient and effective manner.
• IT capabilities enabling opportunities for the business strategy.
• Efficient allocation and management of IT investments.
SOURCE: Information Systems Audit and Control Association - COBIT v4.1
Value Delivery and Resource Management Value Drivers
3 - Value Delivery. Value Drivers:
• Cost-efficient delivery of solutions and services.
• Optimized use of IT resources.
• Business needs supported efficiently.
• Increasing support for use of IT by business stakeholders.
• Increased value contribution of IT to business objectives.
• Reliable and accurate picture of costs and likely benefits.
4 - Resource Management. Value Drivers:
• Efficient and effective prioritization and utilization of IT resources.
• IT costs optimized.
• Increased likelihood of benefit realization.
• IT planning supported and optimized.
• Readiness for future change.
SOURCE: Information Systems Audit and Control Association - COBIT v4.1
Risk Management and Monitoring Value Drivers
5 - Risk Management. Value Drivers:
• Risks identified before they materialize.
• Increased awareness of risk exposures.
• Clear accountability and responsibility for managing critical risks.
• Effective approach for managing IT risks.
• IT risk profile aligned with management's expectations.
• Minimized potential for compliance failures.
6 - Performance Measurement. Value Drivers:
• Increased process performance.
• Areas of improvement identified.
• IT objectives and strategies being and remaining in line with the business's strategy.
• Processes overseen effectively and transparently.
• Timely and effective management reporting enabled.
SOURCE: Information Systems Audit and Control Association - COBIT v4.1
Example IT Governance Alignment Matrix
Source: COBIT 5 Draft
IT Governance Assessment
• Obtain sponsorship and agreement with executive management prior to performing any assessment.
• Set clear expectations and scope for the assessment.
• Identify both Business and IT personnel at the executive and lower-level manager level to interview during the assessment.
• Set a defined interview schedule. Know your interviewees and their responsibilities within the organization. Consider pre-interview surveys.
• Develop standardized assessment questions for each objective.
Research and Benchmarking prior to Assessment
• Customize standard assessment questions to the interviewee while retaining the point of the question.
• Research potential answers to questions by interviewees prior to the interview.
• Understand the current business value drivers.
• Benchmark projects and systems to $ spent by IT in relation to their strategic relevance.
• Understand how IT and the business benchmark themselves internally and in relation to their industry.
• Research emerging trends and the ITGI Global Status Report (www.isaca.org/ITGI-Global-Survey-Results).
Strategic Alignment Objectives
Objective: IT utilizes a collaborative approach with the business to develop an IT strategic plan with a shared focus on IT investments.
Risks:
• The business strategic plan does not exist or is not clearly defined to enable the development of an IT strategic plan.
• The IT strategic plan does not exist or is not aligned with the business strategy.
Objective: CIO and key stakeholders, including Board of Directors, are fully informed of IT objectives and strategies.
Risk:
• The IT strategic plan is not clearly communicated to key stakeholders.
Tactical Alignment Objectives
Objectives:
• IT activities are optimized towards execution of the IT strategic plan.
• IT has been allocated the resources to execute the strategic plan.
Risks:
a) The IT strategic plan is not defined clearly enough to enable tactical plans.
b) The IT process framework does not support the execution of the IT strategic plan.
c) Vehicles are not in place to support IT governance activities.
d) The tactical plan does not identify which projects enable realizing the IT strategy and business goals.
e) Technology policies have not been established and implemented to support key governance activities.
f) The IT strategic and tactical plans do not include day-to-day activities (e.g. implementation and maintenance of the infrastructure and application portfolio to meet established business requirements and technological direction).
g) The IT strategic and tactical plans do not include mergers and acquisitions.
h) The IT strategic and tactical plans do not include emerging technologies and innovation.
Risk Management Objectives
Objective: The IT risk framework is in alignment with the company's overall risk management processes.
Risks:
a) Risk is not clearly identified and understood by the key stakeholders.
b) The IT risk framework does not align with the IT policies and the company's risk and control framework.
Objective: Significant IT project risks (obstacles to achieving objectives and strategies) are identified, addressed in a timely manner, and optimally managed.
Risks:
c) Risk management is not incorporated in strategic planning, performance management, project management and day-to-day decision making.
d) IT risks that require responses are not identified, managed or monitored in a timely manner.
e) Risks related to IT processes and activities are not assessed in relation to their ability to impact the achievement of business objectives.
Objective: CIO and key stakeholders, including Board of Directors, are fully informed on IT risks.
Risk:
f) Management and the board are not informed of significant risks in a timely manner.
Performance Metrics Objectives
Objective: Performance metrics focus on the most important measures relevant to the overall business strategy.
Risks:
a) The business does not evaluate ROIs on IT initiatives.
b) Lack of strategy-focused performance measures that assess the success of IT-delivered value (e.g. SLAs defined and agreed upon with the business).
Objective: The Board receives timely information and communication on IT to carry out its oversight duties.
Risk:
c) Performance measures are not monitored and reported to management.
Objective: Initiatives and assets that do not create value are identified and eliminated.
Objective: IT detects and corrects deviations from, or weaknesses in, execution of the IT strategic plan.
Risk:
d) Remedial actions are not initiated based on performance indicators.
Summarizing the Results
• Baseline interview results to a risk level immediately after the interview.
• Continually revisit the predefined baseline and rating criteria when summarizing and rating interview results.
• Track and review interview document requests when performing the final assessment.
Risk Level   Definition
High         Processes and controls are not documented, communicated, understood, or measured.
Medium       Processes and controls are identified or documented, but may not be communicated, well understood, or measured.
Low          Processes and controls are well documented, communicated, understood, and measured.
Summary Heat Map
Summarizing Results Example

Objective Area: 1. Strategic Alignment - Strategy

Objective: IT utilizes a collaborative approach with the business to develop an IT strategic plan with a shared focus on IT investments.
  Related Risk                                                                              Business Scope Area 1   Business Scope Area 2   Business Scope Area 3   Residual Risk Score
  The business strategic plan does not exist or is not clearly defined to enable            1-Low                   2-Medium                3-High                  2.0
  the development of an IT strategic plan.
  The IT strategic plan does not exist or is not aligned with the business strategy.        1-Low                   3-High                  2-Medium                2.0

Objective: CIO and key stakeholders, including Board of Directors, are fully informed of IT objectives and strategies.
  Related Risk                                                                              Business Scope Area 1   Business Scope Area 2   Business Scope Area 3   Residual Risk Score
  The IT strategic plan is not clearly communicated to key stakeholders.                    1-Low                   3-High                  2-Medium                2.0

  Residual Risk Score (by scope area)                                                       1.0                     2.7                     2.3                     2-Medium (overall)
Interview Documentation Worksheet
Columns: Risk ID | Question # | Scope Area | Question (Y/N, or open-ended rated H, M, L) | Interview Notes | Result (Y/N or H/M/L) | Audit Notes (ties to Interview Results tab) | Overall Auditor Summary (H, M, L and Overall Assessment) | Supporting Documentation Reference

Strategic Alignment: (High, Medium, Low)
Risk ID   Q#   Scope   Question
1B        1    S       Do you feel there is alignment between the business's strategic goals / objectives and IT's strategic goals / objectives?
1C        2    S       How well do you feel the linkage between the business's and IT's strategic goals / objectives is communicated?
                       High - The linkage is clearly, consistently and formally communicated to all key stakeholders.
                       Medium - The linkage is occasionally communicated informally to some, but not all, key stakeholders.
                       Low - The linkage is rarely communicated, to very few key stakeholders, if any.
          3    S       What is IT governance in your mind?
1B        4    S       What process do you use to define/work with the IT Strategy? (Ask if supporting info is available to show what vehicle is used to align with IT strategy.)
1B/1C     5    S       Do you know the IT strategic objectives?
1B/1C     5    S       If yes, please explain the strategic objectives.
1B        6    S       Are you a part of approving IT strategic objectives?
1B        6    S       If yes, please explain the approval process.
1A        7    S       Have you defined and communicated your business strategic objectives to IT?
1A        7    S       If yes, please explain the process. (Ask for supporting documentation.)
1B        8    S       Are your business strategic objectives aligned with the IT strategic objectives?
1B        8    S       If yes, please explain the process. (Ask if there is supporting documentation for alignment.)
1A/1B     9    S       How do you organize your department with IT to realize technical solutions that meet business objectives? (Ask if supporting info is available, and obtain examples like an org chart.)
Interview Analysis Worksheet
Business Scope Area 1
Columns: Area | Exec 1 | Director 1 | Director 2 | Summary of Results (Green = Preliminary Survey). Each question occupies four rows: Question Description, Question # Flag (with its scoring), Risk ID, and Notes.

Q1 (Risk ID 1B): Do you feel there is alignment between the business's strategic goals / objectives and IT's strategic goals / objectives?
  Q1 Flag (N=1; Y=0)
  Q1 Notes
Q2 (Risk ID 1C): How well do you feel the linkage between the business's and IT's strategic goals / objectives is communicated?
  High - The linkage is clearly, consistently and formally communicated to all key stakeholders.
  Medium - The linkage is occasionally communicated informally to some, but not all, key stakeholders.
  Low - The linkage is rarely communicated, to very few key stakeholders, if any.
  Q2 Flag (H=1; M=2; L=3)
  Q2 Notes
Q3 (Risk ID: Overall): What is IT governance in your mind?
  Q3 Flag (H=1; M=2; L=3)
  Q3 Notes
Q4 (Risk ID 1B): What process do you use to define/work with the IT Strategy? (Ask if supporting info is available to show what vehicle is used to align with IT strategy.)
  Q4 Flag (H=1; M=2; L=3)
  Q4 Notes
Q5 (Risk IDs 1B, 1C): Do you know the IT strategic objectives?
  Q5 Flag (N=1; Y=0)
  Q5 Notes
Highest Level Interview Summary
Business Scope Area 1
Area: Strategic Alignment (Green = Preliminary Survey)
Executive 1: Low   Director 1: Low   Director 2: Medium   Summary of Results: Low

Interview notes (Executive 1, Director 1, Director 2):
• Strong partnership between IT and business. Roles and responsibilities defined. IT is at the table when discussing business strategy.
• Business and IT sit on the Leadership Team as one. Business analysts sit in the business and focus only on the business area's related projects and on providing requirements to IT, thus enabling IT to execute against specific, clear business area requirements that are aligned with the business area's objectives.
• Using a managed service for transaction monitoring; however, Director 2 meets with the IT Director to validate that needs are being met.

Summary of Results: Good partnering between IT and the business in understanding projects, prioritization, and overall IT needs, as both the IT Directors and the Executive and Directors were rated high. Personnel with low rating results are Managers whose systems are provided through software obtained from a Managed Service provider and not directly supported by IT. Much of the communication is through a close partnership. It is helpful that IT sits in all leadership meetings.
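The worksheets above score each interview question with a flag (N=1, Y=0 for yes/no questions; H=1, M=2, L=3 for open-ended ones), band each interviewee and scope area to a risk level, and then average the 1-Low / 2-Medium / 3-High heat-map cells into residual risk scores. The following Python is an added example, not the presenter's own worksheet or tooling, that carries that rollup through in code. The heat-map cells are the page's own Strategic Alignment example; the per-interviewee answers are constructed, and the rescaling of Y/N flags onto the 1..3 scale and the banding thresholds (below 1.5 is Low, below 2.5 is Medium, otherwise High) are assumptions made for this example.

```python
"""Roll interview flags and heat-map cells up into residual-risk scores.

Added example for the IT governance assessment worksheets; it is not the
presentation's own tooling. Flag scales come from the worksheets on the page.
"""
from statistics import mean

LEVELS = {1: "Low", 2: "Medium", 3: "High"}   # heat-map scale: 1-Low, 2-Medium, 3-High
YN_FLAG = {"Y": 0, "N": 1}                     # worksheet: N=1; Y=0
HML_FLAG = {"H": 1, "M": 2, "L": 3}            # worksheet: H=1; M=2; L=3


def band(score):
    """Map a mean score onto the 1/2/3 heat-map level (thresholds are assumed)."""
    if score < 1.5:
        return 1
    if score < 2.5:
        return 2
    return 3


def label(score):
    """Render a score the way the heat map does, e.g. '2-Medium'."""
    lvl = band(score)
    return f"{lvl}-{LEVELS[lvl]}"


def flag_to_score(kind, answer):
    """Put one interview flag on the 1..3 scale.

    Y/N flags are 0/1 and cannot be averaged with 1..3 H/M/L flags as they
    stand (doing so silently biases the rollup toward Low). This assumed
    rescale maps Y -> 1 (Low risk) and N -> 3 (High risk).
    """
    if kind == "YN":
        return 1 + 2 * YN_FLAG[answer]
    if kind == "HML":
        return HML_FLAG[answer]
    raise ValueError(f"unknown flag kind {kind!r}")


def rate_interviewee(answers):
    """Band one interviewee's answers, a list of (kind, answer), to a 1/2/3 level."""
    return band(mean(flag_to_score(k, a) for k, a in answers))


def summarize_area(per_interviewee):
    """Roll the individual interviewee levels of one scope area up to one level."""
    return band(mean(per_interviewee.values()))


def heat_map(ratings):
    """ratings: {risk: {scope_area: level}} with level in 1..3.

    Returns (row score per risk, column score per scope area, overall score),
    each the mean of the 1..3 cells rounded to one decimal as on the page.
    """
    areas = sorted({a for cells in ratings.values() for a in cells})
    rows = {risk: round(float(mean(cells[a] for a in areas)), 1)
            for risk, cells in ratings.items()}
    cols = {a: round(float(mean(cells[a] for cells in ratings.values())), 1)
            for a in areas}
    overall = round(float(mean(lvl for cells in ratings.values()
                               for lvl in cells.values())), 1)
    return rows, cols, overall


# Constructed answers for Business Scope Area 1 (Q1 is Y/N; Q2 and Q4 are H/M/L).
SCOPE_AREA_1_INTERVIEWS = {
    "Executive 1": [("YN", "Y"), ("HML", "H"), ("HML", "H")],
    "Director 1": [("YN", "Y"), ("HML", "H"), ("HML", "M")],
    "Director 2": [("YN", "Y"), ("HML", "M"), ("HML", "M")],
}

# Heat-map cells copied from the page's Strategic Alignment example.
STRATEGIC_ALIGNMENT_RATINGS = {
    "business plan missing or unclear":   {"Area 1": 1, "Area 2": 2, "Area 3": 3},
    "IT plan missing or misaligned":      {"Area 1": 1, "Area 2": 3, "Area 3": 2},
    "IT plan not communicated":           {"Area 1": 1, "Area 2": 3, "Area 3": 2},
}

if __name__ == "__main__":
    levels = {who: rate_interviewee(ans) for who, ans in SCOPE_AREA_1_INTERVIEWS.items()}
    print("per interviewee:", {who: LEVELS[lvl] for who, lvl in levels.items()})
    print("scope area summary:", LEVELS[summarize_area(levels)])
    rows, cols, overall = heat_map(STRATEGIC_ALIGNMENT_RATINGS)
    print("risk rows:", rows)
    print("scope area columns:", cols, "overall:", label(overall))
```

With the constructed answers the three interviewees band to Low, Low and Medium and the scope area to Low, matching the summary slide, and the heat map reproduces the page's 2.0 row scores, the 1.0 / 2.7 / 2.3 column scores and the 2-Medium overall. The check worth carrying into a real spreadsheet is the one in `flag_to_score`: yes/no flags and H/M/L flags live on different scales, so a rollup that averages them raw understates risk.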
Deliverables
IT Governance assessment presentations to executives which provided:
◦ Value opportunities from both an IT and a business perspective.
◦ IT and business residual risks should the value opportunities not be addressed.
◦ Improvement recommendations which apply to both IT and the business.
◦ Value propositions for improvement recommendations.
◦ Supporting research articles for recommendations.
◦ Where possible, baselines against industry standards, metrics, best practices, and the ITGI Survey.
IT Governance Presenting Assessment Results
Four Primary Themes of Value Opportunities in IT Governance
A. Strategic and Tactical Communication
B. Project Management and Prioritization
C. Resource Management
D. Risk Management & Monitoring
[Figure: themes A to D placed on the Strategy / Tactics / Risk Mgmt / Metrics/SLAs cycle.]
Key Definitions:
• Related IT Governance Area: Related IT Governance Value Objective(s).
• Key Values Achieved: Benefits achieved by IT and the business from good IT Governance practices.
• Key Value Opportunities: Areas where IT Governance and business value could be improved.
• Potential Residual Risks: Potential risks to IT Governance if the Key Value Opportunities are not addressed.
Scope Area 1 Value Strengths & Opportunities for IT Governance
A. Strategic and Tactical Communication
Key Values Achieved:
• IT decisions in line with the business's strategies and objectives.
• A consistent approach for a governance framework achieved and aligned with the business approach.
• Processes overseen effectively and transparently.
• Stakeholder requirements for governance likely to be met.
• IT more responsive to the business's objectives.
• IT resources helping to facilitate the business goals in an efficient and effective manner.
• IT capabilities enabling opportunities for the business strategy.
Key Value Opportunities:
• Integrate IT objectives within a 3-5 year business strategic plan.
• Introduce tools and processes to formalize communication of a business and IT strategic plan.
Potential Residual Risks:
• The IT strategic plan may not be clearly communicated to all key stakeholders.
• The IT portfolio may fail to support the business's objectives and strategies.
• Remedial actions to maintain and improve IT process effectiveness and efficiency may not be identified or implemented.
Related IT Governance Area(s): 1 - Establishment of an IT Governance Framework; 2 - Strategic Alignment
Benchmarked using COBIT v4.1, Maturity Model for ME4: Provide IT Governance
Success Factors for an IT Governance Culture
• Tone at the Top!
• Enable thought leadership in people under the Executive level.
• Clearly define and communicate the value opportunities of IT Governance.
• Incorporate involvement by both IT and the business to ensure collaboration and a defined partnership.
• Ensure agreement and understanding of IT Governance processes by both IT and the business.
• Relate business and IT strategies and objectives back to their technology enablers.
Success Factors for an IT Governance Culture (cont.)
Implement an IT Governance culture as a continual self-assessment process that:
• Understands and aligns business strategies to tactics.
• Understands the risks associated with the business strategies and tactics.
• Monitors risks through metrics in order to identify risk levels the business finds unacceptable.
• Changes the business's strategies and tactics when risk exceeds management's 'risk appetite'.
IT Governance: Questions?