BAA AIS IT Governance
TRANSCRIPT
-
8/16/2019 BAA AIS IT Governance
1/20
BAA - Audit & Information Systems
Winston Phethi
-
- What is IT Governance
- Why IT Governance
- Rationale for IT Governance
- Roles, Frameworks and Standards in IT Governance
- Benefits of IT Governance
- Effects of ineffective IT Governance
- Five Elements of IT Governance
- Role of Auditing in IT Governance
-
IIA Definition
Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology supports the organization’s strategies and objectives.
ISACA Standards Definition
The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
Others
IT governance is a set of relationships and processes designed to ensure that the organization’s IT sustains and extends the organization’s strategies and objectives, delivering benefits and maintaining risks at an acceptable level.
-
Governance is not about what decisions get made – that is management – but about who makes the decisions and how they are made.
It specifies the decision rights and accountability framework to encourage desirable behaviours in the use of IT.
-
Organizations have realized that IT is no longer a support process.
- To set up a risk management program that addresses new risks arising from the usage of IT in business processes
- To direct IT endeavours, to ensure that IT’s performance meets the following objectives:
  ◦ Alignment of IT with the enterprise and realization of the promised benefits;
  ◦ Use of IT to enable the enterprise by exploiting opportunities and maximizing benefits;
  ◦ Responsible use of IT resources;
  ◦ Appropriate management of IT-related risks.
-
- The business and IT do not work in conjunction to define IT objectives
- IT and business objectives are not aligned
- IT does not effectively manage costs to meet business objectives
- IT risks are not identified, assessed, or mitigated to meet business objectives
- IT resources are not effectively aligned to meet business objectives
- Internal and external IT systems, processes, and personnel are not monitored to determine if business needs are being met
- The business does not recognize the value from its IT investments
- Applications are acquired and/or managed without the involvement of IT personnel
-
Roles, Frameworks and Standards in IT Governance
-
- Strengthens the relationship between the organization and IT
  ◦ Helps ensure limited IT resources are focused on the right strategic and tactical activities at the right time
- Synergies with Enterprise Risk Management (ERM) and other risk management activities
  ◦ Helps ensure the appropriate IT risk management processes and activities are in place and operating effectively
-
- Enhanced visibility into the IT function’s ability to achieve both its tactical and strategic objectives
  ◦ Key Performance Indicators (KPIs) for day-to-day activities and longer-term/strategic initiatives
- Improved adaptability of the IT function to organizational and IT environment changes
  ◦ Formality of governance structure, processes and activities enables a more efficient and effective response to change
-
Effective IT governance helps ensure that IT:
- supports business goals
- optimizes business investment in IT
- and appropriately manages IT-related risks and opportunities.
-
- Business losses, damaged reputations or weakened competitive positions;
- Deadlines not met, costs higher than expected and quality lower than anticipated;
- Enterprise efficiency and core processes negatively impacted by poor quality of IT deliverables;
- Failures of IT initiatives to bring innovation or deliver the promised benefits.
-
Five Elements of IT Governance (diagram). Source: IT Governance Institute.
-
Objective:
Determine if a relationship exists between IT and business objectives and if this relationship has been established through participation between both IT and business management.
Example Review Documents
- IT Strategic Plan
- Third Party service provider agreements and RFP process
Typical Areas to Assess
- Is IT management aware of the overall business strategy?
- What is IT’s involvement in defining the business strategy?
- Do current IT initiatives relate to one or more of the organization’s strategic objectives?
- Is there a clear line of communication between IT and business management?
- How do 3rd party service providers support business objectives?
- What IT architecture is necessary to support the business objectives?
-
Objective:
Determine if activities are conducted relating to the identification and analysis of risks impacting the achievement of business objectives and the preparation of financial statements.
Example Review Documents
- Business Continuity and Disaster Recovery Plans and Test Results
- IT Risk Assessment
- 3rd Party Service Provider Agreements and Request For Proposal Policies and Procedures
Typical Areas to Assess
- Is a process in place to assess, address, and communicate IT risks to key stakeholders and executive management during the project, change, and release management processes?
- How does IT select and manage third party vendor relationships?
- Does a business continuity and disaster recovery plan exist and is it tested on a periodic basis?
- Does a risk management plan exist and are risk management activities incorporated into the project, change, and release management process?
- Do discussions between IT, Business, and Compliance leadership occur in order to identify ways in which the IT environment can assist in strengthening the organization’s control environment?
-
Objective:
Determine if the effectiveness of IT systems, processes, and personnel, internal and external, is being monitored for alignment with business needs.
Example Review Documents
- Performance metrics for services, projects, processes, and systems
- Reports of IT’s performance against defined metrics to key stakeholders and executive management
- 3rd Party Service Level Agreements
- Incident and Problem Management Policies and Procedures
- Cost Allocation Policies and Procedures
Typical Areas to Assess
- Does the IT organization report performance metrics to key stakeholders?
- Are processes in place to review key performance metrics and correct items falling below a reasonable level?
- Do performance management activities consider both internal and 3rd party IT activities?
- Is IT performance reported in IT or Business terms? Are the metrics operational, strategic, or both?
- Is a process in place to establish performance metrics based on changing business needs?
- Do the Board of Directors and Executive management have an awareness of IT performance based on quantifiable data?
-
Objective:
Determine if adequate activities are being performed to align the use of resources (applications, information, infrastructure, people) to meet the needs of the business.
Example Review Documents
- IT Organization Chart
- IT Job Descriptions
- Sourcing Strategy for IT projects
- IT Segregation of Duties Requirements
- IT Asset Management Policies and Procedures
Typical Areas to Assess
- Are processes in place to assess and implement IT segregation of duties?
- Has an IT sourcing strategy been established that aligns with business objectives?
- Do IT resources dedicate more time to operational or strategic objectives?
- Does the IT department have processes in place to facilitate knowledge sharing within the department and with the business?
- Have IT resources (employees, applications, hardware) been optimized to support business objectives?
- Have formal job descriptions and reporting relationships been created and communicated for all IT positions?
- Has an asset management program been established?
-
Objective:
Determine if IT is effectively managing costs as they relate to meeting business objectives and communicating this management to the appropriate individuals.
Example Review Documents
- IT Steering Committee Meeting Minutes
- Policies and Procedures for the Development and Management of IT projects
- IT Budget
Typical Areas to Assess
- Is there a clear relationship between IT project performance indicators and business objectives?
- Has the IT budget been communicated to business leadership? Does business leadership understand the investments that have been made in IT?
- Does IT actively communicate the expected and realized value of IT projects?
- Does the business rely on the integrity and accuracy of data captured and reported by IT systems?
- Do IT and business leaders meet on a periodic basis to review the current and upcoming IT initiatives to reassess alignment with business objectives?
-
Audit plays a significant role in the successful implementation of IT governance within an organization. Audit is well positioned to provide leading practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiatives implemented.
Audit helps ensure compliance with IT governance initiatives implemented within an organization.
Standard 2110.A2: “The internal audit activity must assess whether the IT Governance of the organization supports the organization’s strategies and objectives.”
By?
1. Providing assurance
2. Providing consulting
Training: facilitated workshop on IT Governance best practices
-
- An auditor should review and assess whether the IS function aligns with the organization’s mission, vision, values, objectives and strategies.
- The auditor should review whether the IS function has a clear statement about the performance expected by the business (effectiveness and efficiency) and assess its achievement.
- The auditor should review and assess the effectiveness of IS resource and performance management processes.
- The auditor should review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements.
- A risk-based approach should be used by the auditor to evaluate the IS function.
- The auditor should review and assess the control environment of the organization.
- The auditor should review and assess the risks that may adversely affect the IS environment.
-
- IT Governance: The IT and Internal Audit Perspectives. Pittsburgh ISACA Chapter, Monday, December 5, 2011.
- What is IT Governance and why is it important for the IS auditor? Richard Brisebois, Greg Boyd and Ziad Shadid, Office of the Auditor General of Canada.
- Auditing IT Governance. Steve Hunt, October 11, 2012, Crowe Horwath.