Data Recovery Service, Information Security and Information Forensic Articles.

IT Governance Course: Definition of IT Governance, Still Unclear?

Saturday, July 31st, 2010

The field of IT governance is defined differently in the numerous articles and books written on the topic. The lack of consensus is dm. Some of the prevalent definitions of IT governance are stated below:

  • IT governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business.
  • IT governance is specifying the decision rights and accountability frameworks to encourage desirable behavior in the use of IT.
  • IT governance is the selection and use of relationships such as strategic alliances or joint ventures to obtain key IT competencies. This is analogous to business governance, which involves make-vs.-buy choices in business strategy. Such choices cover a complex array of interfirm relationships, such as strategic alliances, joint ventures, marketing exchange and technology licensing.
  • IT governance is the strategic alignment of IT with the business such that maximum business value is achieved through development and maintenance of effective IT control and accountability, performance management and risk management.
  • According to the IT Governance Institute (ITGI), IT governance is the responsibility of the Board of Directors and Executive Management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives.
  • According to Weill and Ross from MIT CISR, IT governance is the decision rights and accountability framework for encouraging desirable behaviors in the use of IT. IT governance reflects broader corporate governance principles while focusing on the management and use of IT to achieve corporate performance goals. Because IT outcomes are often hard to measure, firms must assign responsibility for desired outcomes and assess how well they achieve them. IT governance shouldn’t be considered in isolation because IT is linked to other key enterprise assets (i.e. financial, human, intellectual property, physical and relationships). Thus, IT governance might share mechanisms (such as executive committees and budget processes) with other asset governance processes, thereby coordinating enterprise-wide decision-making processes.


Whereas corporate governance encompasses all organizational assets and processes, IT governance focuses especially on the IT organization. IT managers are answerable to the board for risks and audit findings associated with their organization. However, as an integrated component of corporate governance, IT management cannot ignore the bigger picture. It must consider not only IT goals and responsibilities, but technology’s integrated role in corporate processes.
With this big picture in mind, IT governance and strategy encompasses the core definitions, structures, and processes that shape all IT efforts and systems. Auditable functions of IT governance include:

  • Definition of what the IT organization is and does, including values and goals
  • IT risk definition and management
  • Definition of roles and responsibilities, including leadership structures
  • Strategic planning, monitoring, and continual improvement
  • Oversight of standards, policies, and procedures
  • Oversight of technical foundations, such as IT infrastructure, architectures, a semantic baseline or glossary, and data management
  • Asset management, including staff, systems, media, networks, and content
  • Resource planning
  • Investment management

Every IT practice, program, and procedure is guided by these functions. Information security, business continuity, records management, and all other strategic initiatives live and die by their effectiveness.
In general, governance principles, whether in IT or business, are somewhat canonical. However, corporate governance guidance issued by international organizations can provide a foundation for IT governance principles. Over the past five years, governance research groups and standards bodies have increasingly updated their guidance with deference to IT.

And IT-specific frameworks and guidance have been developed independently and as a complement to existing corporate governance documents.

“The Principles of Corporate Governance,” issued by the Organisation for Economic Co-operation and Development (OECD). Although designed for public-company oversight, the principles can be broadly applied to non-public companies and internal organizations. In December 2006, the OECD also issued an audit guide, “Methodology for Assessing the Implementation of the OECD Principles on Corporate Governance,” an assessment framework with governance principles.

The UK Financial Reporting Council’s “Internal Control: Revised Guidance for Directors on the Combined Code,” conventionally called the Turnbull Guidance, offers a more specific approach to maintaining and reviewing a system of internal control.

“Enterprise Risk Management—Integrated Framework,” commonly called “COSO,” after its publisher, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), is similar in outlook and focus to the Turnbull Guidance, but includes a more robust and explicit internal control framework. COSO is recognized by the US SEC and PCAOB as an approved control framework for SOX.

“Organizational Governance: Guidance for Internal Auditors,” a position paper from the Institute for Internal Auditors (IIA), ties corporate governance principles to audit goals and roles. Much of the content can be used as a model for IT governance and auditing.

CobiT, published by the Information Systems Audit and Control Association (ISACA), is widely considered the leading framework for IT controls. CobiT 4.0 covers 34 high-level objectives, comprising 215 control objectives in four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation. ISACA also publishes correlative audit guidelines, management guidelines, and an implementation toolset.

CobiT is perhaps the most widely used IT control framework, since it spans the gamut of IT; offers mappings to other governance standards; and is supported by many published materials, education, and a vast user community.

Adoption of CobiT as a primary best-practices standard is also facilitated by several mapping documents that can help IT managers align their processes, governance, and regulatory response. ISACA’s supporting document IT Control Objectives for Sarbanes-Oxley, 2nd Edition contains a general map of CobiT processes to PCAOB Auditing Standard No. 2. In May 2006, ISACA issued CobiT Mapping, Overview of International IT Guidance, 2nd Edition, which provides a general comparison of COSO and CobiT frameworks.

In January 2007 ISACA also published a map of CobiT and the IT Infrastructure Library (ITIL) from the UK Office of Government Commerce. By aligning the two UK documents, it is possible to map COSO to ITIL at a high level, and therewith compile a framework that aligns enterprise risk management principles with IT controls and, finally, fairly narrowly defined IT services. Links to each of these documents are included in the appendix of this paper.
Note:
Since the passage of SOX, Turnbull and COSO have emerged as the major pillars of compliance and risk management. From an IT perspective, COSO is more accessible than Turnbull, since it is more widely documented and has been approximately mapped to an IT control framework, Control Objectives for Information and related Technology (CobiT), published by the Information Systems Audit and Control Association (ISACA). Although COSO is officially endorsed for SOX compliance, CobiT has received no official endorsement. While most companies had IT governance processes and some controls in place long before they were required by SOX and other regulations, the adoption of frameworks to organize and round out governance and control efforts is a governance best practice. Frameworks such as CobiT provide a comprehensive overview of control objectives against which to standardize and align IT governance and auditing efforts.

IT GOVERNANCE COURSE 2: The Growing Need of IT Governance and IT audit

Saturday, July 31st, 2010

An annual survey of information security practices conducted by Deloitte & Touche of 169 financial institutions found that 98 percent of them are spending more on information security this year than last year, and putting a greater emphasis on IT governance. In a related trend, 81 percent of the financial institutions surveyed said they’ve adopted a formal Information Security Governance framework, up from about 70 percent last year. The vast majority of the remaining respondents said they are in the process of establishing their own to fill their need.

The Deloitte information security survey gathered information from CIOs: 22 percent from Japan and the larger Asia Pacific region, 12 percent from the United States, 23 percent from Latin America, 7 percent from Canada, 31 percent from Europe, the Middle East and Africa, and 5 percent from the former Soviet Republics. The survey also tells us that 38 percent of the organizations surveyed did not measure their security budget on a per capita basis; of those that did, 7 percent said they spend more than US$1,000 per person, 7 percent between $501 and $1,000 per person, 14 percent between $251 and $500, 23 percent between $100 and $250, and 11 percent under $100. This indicates that getting through internal and external audits can be tough wherever you are. The respondents report that the main audit obstacles are networks that still allow excessive access rights, lack of adequate audit logging, and failure to assure that access control complies with formal business procedures.

According to the 2007 Global Security Survey, security system spending is up as much as 15 percent over last year at 11 percent of the 169 corporations surveyed, which include banks and financial institutions from 32 countries. The largest expenditures were in IT audit and IT auditor certification costs, logical access control products, infrastructure protection devices, and compliance and risk management. The survey also asked the respondents questions about technology use, including whether their organizations prohibit, for security reasons, the use of wireless technologies such as wireless LANs, infrared networking or mobile devices. Forty-five percent of the respondents said their organizations prohibit use of wireless LANs, 75 percent prohibited infrared networking, and 13 percent prohibited mobile devices, including PDAs and BlackBerries.

Those not prohibiting use of wireless sought to offer employees guidelines on secure use, published policies on acceptable business use, or did implement wireless technologies.

IT GOVERNANCE COURSE 3: The Benefits of IT Governance for Your Corporation

Saturday, July 31st, 2010

IT governance addresses the growing complexity and threats that are the hallmarks of IT operations. Compared to just a few years ago, business processes are more complicated; technology is more powerful, functional, and ubiquitous; and attacks on corporate systems, from within and without, are more frequent and sophisticated. In general, IT governance ensures that the company’s technology assets and the information they contain are known, available, credible, and protected. Since legislation seeks the same goals, good IT governance must be aligned with regulatory compliance. Beyond that, however, the business benefits of IT governance and strategy include:

  • Better alignment between business and IT strategy

  • More informed, practical decisions about technology investments

  • Greater agility in meeting shifting business demands, and a stronger foundation for innovation

  • Better measurement and control of costs related to information systems and their protection

  • Lower risk of non-compliance with regulatory requirements

  • Lower risk of serious business disruption from events

  • Healthier organizational relationships and reputation with directors, business staff, customers, and partner organizations

Recognizing the ROI of IT governance is an important step in meeting governance goals. Many governance controls, such as network mapping, master data management, and asset inventories, have substantial costs. While good IT governance might be touted as its own reward, the ability to tie its concrete costs to equally concrete returns is itself a good IT governance practice.

IT GOVERNANCE COURSE 4: Why Does Corporate Governance Need IT Audit?

Saturday, July 31st, 2010

Audits are opportunities for companies to improve, based on auditor analysis and advice. To preserve the integrity and authority of audits, auditors maintain a delicate distinction between offering advice and making decisions. For each organization, the scope of auditor responsibility should be documented in the company’s internal audit charter and be approved by the audit committee. Because every organization has different goals and objectives, and certainly different issues and challenges, there is no one-size-fits-all audit process, nor one audit approach, that fits all situations. Historically, corporate governance has focused primarily on broad topics of leadership, management, ethics, and reporting. IT governance audits encompass many of the same issues and can include business plans, documentation and measurement of objectives, organizational reporting structures, contract management, and industrial and regulatory monitoring. It also has a significant technology component. For example:

  • Does the organization have an information architecture model?

  • Do hardware and software acquisition plans exist?

  • How are Web sites, blogs, ezines and other online content managed?

  • How are investments and development projects evaluated and do they meet business requirements?

  • How does the IT organization ensure system continuity in case of disruptive contingencies?

The size and complexity of various organizations’ audit efforts differ due to variations in operating environments, risk priorities and thresholds, and business and audit objectives. In addition, the scope of audits can vary from project to project, depending on the auditor’s focus, for example on various business processes, management controls, and technical controls. Ensuring appropriate audit focus is another reason management should communicate with auditors, and vice versa, early and often in every audit cycle.

Internal auditors should help management assess organizational risks. They must evaluate the audit universe and supporting audit plans at least annually and sometimes more frequently. At the micro level, an audit risk assessment of the various entities being audited is completed to support the audit project, sometimes also referred to as the audit “terms of reference”. Planning for each audit requires serious consideration of the organization’s many risks and opportunities. Finally, in many companies, continuous auditing (ongoing audit evaluations) is being implemented for key systems and key transactions.

IT GOVERNANCE COURSE 5: Who Is Responsible for IT Governance?

Saturday, July 31st, 2010

The board of directors, IT executives, business executives, and internal auditors all have significant roles in IT governance assurance and the auditing of IT governance and strategies. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive information is being done and that the company’s information assets are protected appropriately.

  • The board of directors must provide oversight at a level above IT executives. The directors’ role in IT governance is to ask executives the right questions and encourage the right results. Directors must set an appropriate tone at the top, making executive management aware of their oversight and ensuring they have adequate information to make intelligent decisions about IT strategy and direction. To this end, many boards establish IT committees, which include representatives from both IT and business organizations. The board also has a role in setting the IT governance culture, which includes organizational values and attitudes. According to ITGI, boards should guide IT management to deliver measurable value by: 1) delivering solutions and services with the appropriate quality, on time and on budget, 2) enhancing reputation, product leadership and cost-efficiency, and 3) providing customer trust and competitive time to market.

  • Business executives must have some insight into and influence on IT governance and programs, since business managers are ultimately accountable for the results of the business processes enabled by IT systems. Managers should review IT strategy to ensure it is appropriate, despite ever-changing risks and business requirements. This is, in fact, a form of auditing IT governance. And managers who own business unit information must also help define their IT requirements based on business objectives, the significance of the information involved, legal requirements, and the seriousness of risks associated with data integrity and security. Especially if the IT organization reports to the CEO or other business leader, that office is responsible for providing resources and organizational structure to support IT strategy.

  • IT executives work with the board to define IT identity characteristics. These can include the IT organization’s business plan and model, expectations and commitments, and vision. Chief information officers (CIOs) and chief security officers (CSOs) should understand the business organization well enough to bridge the gap between IT and senior business managers or the board. IT executives look both into and outward from their organization to assess the impact on IT of industry norms and trends, regulatory changes, contractual obligations, even environmental threats. Internally, executives ensure that objectives and strategies are supported and understood across the organization. Finally, by subjecting IT processes, resources, and leadership to audit and board review, IT executives advance the goal of corporate oversight and promote its continuous improvement and success.

  • IT managers marshal many of the requirements of IT governance, ensuring internal compliance with leadership mandates and drafting policies and procedures that support strategic goals. IT managers are also the eyes and ears of the IT organization. They are responsible for reporting up to executive management. And, when controls fail, IT managers are generally responsible for drafting remediation plans that meet governance requirements.

  • Internal auditors provide strategic, operational, and tactical value to IT leaders. For example, the internal auditing function:

  1. Informs the board and IT executives as to whether business and IT staff understand the importance of governance objectives and strategy. Auditors can tell IT leaders whether staff is adhering to IT policies, whether key information assets and systems are sufficiently secure, whether business continuity programs are sufficient, whether governance efforts continually strengthen IT performance, whether resources are sufficient, and whether policies are reasonable. In brief, internal audits assess the state of the IT governance environment and recommend improvements.

  2. Independently validates that the organization’s governance and strategy are proactive and effective against fraud, information security threats, and business disruption. To provide this level of assurance, internal auditors may compare current organizational practices with industry practices and regulatory guidelines.

  3. In addition, the auditing function should complement, but never replace, management’s responsibility to ensure IT security controls are operating effectively. To fulfill an audit’s potential, internal auditors need to: 1) know what they are doing (have the knowledge and skills to perform appropriate audits); 2) understand both the technical and the business environments; 3) know what to ask for from the board, executives, and managers; and 4) complete regular and ongoing training to stay on top of new guidance and standards of practice.

  4. Of course, auditing provides only a reasonable level of assurance. Auditors cannot provide an insurance policy against any fault or deficiency, particularly in regard to activities that cannot be totally controlled, such as collusion and management override.