IT GOVERNANCE
Lusungu Mkandawire
March 11, 2015
IIAM IT Audit Essentials Workshop
AGENDA
What is IT Governance
Elements of IT Governance
Benefits of IT Governance
Frameworks for IT Governance
Auditing IT Governance
Role of Internal Audit
OBJECTIVES
Provide an overview of IT Governance and
describe its importance
Describe one approach to auditing IT Governance,
including key scope areas, involved
parties/stakeholders, key questions to answer
Describe current trends in IT Governance and how
they can be incorporated into IT Governance audits
WHAT IS IT GOVERNANCE
IIA Definition: Consists of the leadership,
organizational structures and processes that
ensure that the enterprise’s information technology
supports the organization’s strategies and
objectives.
Mechanisms and structures used to clarify
oversight, accountability, and decision making
frameworks for IT strategy, resources, and control
activities
Provides for effective management of IT operations
and IT projects to ensure alignment with the
institution’s strategic plan
ELEMENTS OF IT GOVERNANCE
According to ITGI, there are 5 areas of focus:
Strategic alignment
Value delivery
Resource management
Risk management
Performance measurement
IT Strategic Alignment: formalized business objectives, an up-to-date IT strategy, and a documented linkage between business objectives and IT initiatives;
Value Delivery: IT tactical plans and clear benefits defined for each level of the organization: infrastructure (systems uptime), applications (degree of automation), operational (productivity), financial (income);
Risk Management: defined responsibilities for risk management, a risk analysis methodology, defined strategies for addressing risks, and continuous monitoring of threats, their occurrence and their impact;
Resource Management: sourcing strategies, human resource management practices, user manuals, segregation of duties, time reporting, infrastructure life cycle management, acceptable use policies;
Performance Measurement: relevant and measurable metrics, continuous monitoring and reporting, follow-up policies, root cause analysis and problem management, and benchmarking against industry practices and proven standards or frameworks.
BENEFITS OF IT GOVERNANCE
Strengthens the relationship between the
organization and IT; Helps ensure limited IT
resources are focused on the right strategic and
tactical activities at the right time
Synergies with Enterprise Risk Management (ERM)
and other risk management activities; Helps ensure
the appropriate IT risk management processes and
activities are in place and operating effectively
Enhanced visibility into the IT Function’s ability to
achieve both its tactical and strategic objectives;
Key Performance Indicators (KPIs) for day-to-day
activities and longer-term/strategic initiatives
Improved adaptability of the IT Function to
organizational and IT environment changes;
Formality of Governance structure, processes and
activities enables more efficient and effective
response to change
FRAMEWORKS FOR IT GOVERNANCE
Capability Maturity Model Integration (CMMI) - for process improvement
Information Technology Infrastructure Library (ITIL) - for IT service management
Six Sigma - for process improvement (defect reduction), including security processes
Control Objectives for Information and Related Technology (COBIT) - for IT management and IT governance
The Balanced Scorecard (BSC) - a method to assess an organization’s performance in different areas
IIA STANDARDS
IIA Standard 2110: “The internal audit activity
must assess and make appropriate
recommendations for improving the
governance process”
IIA 2110.A2: “The internal audit activity must
assess whether the [IT] governance of the
organization supports the organization’s
strategies and objectives”
Impacts downstream IT and business
processes and controls by setting a
foundation
AUDITING IT GOVERNANCE
How do we get started?
Scoping
Stakeholder involvement
Areas of focus
Tactical steps
Our example will be higher education
institutions
AUDITING IT GOVERNANCE
What should my scope be?
Scoping is always a challenge in higher
education institutions, IT Governance is no
exception
Ideally, even in a decentralized
environment, the IT Governance framework
applies across campuses, schools, and
departments/units/divisions
Realistically, where can we get started
AUDITING IT GOVERNANCE
What should my scope be? From smaller and less complex to larger and more complex:
Department/unit/division level (smaller and less complex)
School level
Campus level
Institution-wide level (larger and more complex) - the ideal scope!
AUDITING IT GOVERNANCE
Who are the stakeholders involved? It depends on your scoping, but we will look at it from the
institution-wide view.
Potential Stakeholders:
Board
President/Chancellor
Provost
Deans
Chief Business/Financial Officer
Administrative department heads
Chief Information Officer
Information Security/Privacy Officer(s)
Chief Compliance/Risk Officer(s)
Research/Principal Investigators
Students
AUDITING IT GOVERNANCE
What are my areas of focus?
Institutional Governance Structures
Executive Leadership and Support
Strategic and Operational Planning
IT Organization(s) and Risk Management
Service Delivery and Management
AUDITING IT GOVERNANCE
IT Governance Trends
Cost Efficiencies (Outsourcing / The Cloud)
Information Privacy and Security
Virtualization
Centralization vs. Decentralization
ROLE OF INTERNAL AUDIT
Minimum assurance is provided by a compliance audit against Standard 2110.A2. Depending on the maturity of the IT Function, the governance program, the control environment and the results of the most recent risk assessment, IT Governance audits could be performed annually or as far apart as two to three years.
Consulting would likely result from findings of the compliance review related to Standard 2110.A2:
Remediation assistance
Post-audit follow-up review
Training
Facilitated workshop on IT Governance best practices
ROLE OF INTERNAL AUDIT
Compliance and Consulting; Audit team should
have extensive experience in IT and operational
audit
Important to understand there is no one-size-fits-all
IT Governance model
Moving from an ineffective IT Governance model to an
effective, optimal model takes time; there are generally
few or no quick fixes
Full support from the Board and Senior
Management is critical for an organization to have
an effective IT Governance model
SUMMARY
Mandatory nature of the Standards and in particular
2110.A2
IT Governance audits and their relationship to external
quality assurance reviews (QARs)
Regardless of the IIA Standards, performing IT
Governance reviews on a periodic basis is vitally
important because of the tremendous amount of money
spent by the IT Function and on technology
Thank You!
Lusungu Mkandawire
+265 999 989 153
www.linkedin.com/pub/lusungu-mkandawire/57/102/283
https://twitter.com/MLusungu