A governance view that consists of the business governance of IT – ensuring that IT supports and enables the business strategy – and the functional governance of IT – ensuring that the IT function itself runs efficiently and effectively (http://www.takinggovernanceforward.org).
Successful enterprises recognize the benefits of information technology and use it to drive their stakeholders’ value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on information technology (IT). The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance.
Value, risk and control constitute the core of IT governance. Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts. They are strongly focused more on control, less on execution. These practices will help optimize IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong. For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
* Making a link to the business requirements
* Organizing IT activities into a generally accepted process model
* Identifying the major IT resources to be leveraged
* Defining the management control objectives to be considered
An answer to these requirements of determining and monitoring the appropriate IT control and performance level is COBIT’s definition of:
* Benchmarking of IT process performance and capability, expressed as maturity models, derived from the Software Engineering Institute’s Capability Maturity Model (CMM)
* Goals and metrics of the IT processes to define and measure their outcome and performance based on the principles of Robert Kaplan and David Norton’s balanced business scorecard
* Activity goals for getting these processes under control, based on COBIT’s control objectives
The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation. After identifying critical IT processes and controls, maturity modeling enables gaps in capability to be identified and demonstrated to management. Action plans can then be developed to bring these processes up to the desired capability target level. Thus, COBIT supports IT governance by providing a framework to ensure that:
* IT is aligned with the business
* IT enables the business and maximizes benefits
* IT resources are used responsibly
* IT risks are managed appropriately
Figure 1 – Governance Focus Areas (adapted for this study)
* Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
* Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
* Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
* Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.
* Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
A control framework for IT governance defines the reasons IT governance is needed, the stakeholders and what it needs to accomplish. Why? Increasingly, top management is realizing the significant impact that information can have on the success of the enterprise. Management expects heightened understanding of the way IT is operated and the likelihood of its being leveraged successfully for competitive advantage. In particular, top management needs to know if information is being managed by the enterprise so that it is:
* Likely to achieve its objectives
* Resilient enough to learn and adapt
* Judiciously managing the risks it faces
* Appropriately recognizing opportunities and acting upon them
Successful enterprises understand the risks and exploit the benefits of IT and find ways to deal with:
* Aligning IT strategy with the business strategy
* Assuring investors and shareholders that a ‘standard of due care’ around mitigating IT risks is being met by the organization
* Cascading IT strategy and goals down into the enterprise
* Obtaining value from IT investments
* Providing organizational structures that facilitate the implementation of strategy and goals
* Creating constructive relationships and effective communication between the business and IT, and with external partners
* Measuring IT’s performance
Enterprises cannot deliver effectively against these business and governance requirements without adopting and implementing a governance and control framework for IT to:
* Make a link to the business requirements
* Make performance against these requirements transparent
* Organize its activities into a generally accepted process model
* Identify the major resources to be leveraged
* Define the management control objectives to be considered
Furthermore, governance and control frameworks are becoming a part of IT management good practice and are an enabler for establishing IT governance and complying with continually increasing regulatory requirements. IT good practices have become significant due to a number of factors:
* Business managers and boards demanding a better return from IT investments, i.e., that IT delivers what the business needs to enhance stakeholder value
* Concern over the generally increasing level of IT expenditure
* The need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting (e.g., the US Sarbanes-Oxley Act, Basel II) and in specific sectors such as finance, pharmaceutical and healthcare
* The selection of service providers and the management of service outsourcing and acquisition
* Increasingly complex IT-related risks, such as network security
* IT governance initiatives that include adoption of control frameworks and good practices to help monitor and improve critical IT activities to increase business value and reduce business risk
* The need to optimize costs by following, where possible, standardized, rather than specially developed, approaches
* The growing maturity and consequent acceptance of well-regarded frameworks, such as COBIT, IT Infrastructure Library (ITIL), ISO 27000 series on information security-related standards, ISO 9001:2000 Quality Management Systems—Requirements, Capability Maturity Model® Integration (CMMI), Projects in Controlled Environments 2 (PRINCE2) and A Guide to the Project Management Body of Knowledge (PMBOK)
* The need for enterprises to assess how they are performing against generally accepted standards and their peers (benchmarking)
A governance and control framework needs to serve a variety of internal and external stakeholders, each of whom has specific needs:
* Stakeholders within the enterprise who have an interest in generating value from IT investments:
  * Those who make investment decisions
  * Those who decide about requirements
  * Those who use IT services
* Internal and external stakeholders who provide IT services:
  * Those who manage the IT organization and processes
  * Those who develop capabilities
  * Those who operate the services
* Internal and external stakeholders who have a control/risk responsibility:
  * Those with security, privacy and/or risk responsibilities
  * Those performing compliance functions
  * Those requiring or providing assurance services
To meet the requirements listed in the previous section, a framework for IT governance and control should:
* Provide a business focus to enable alignment between business and IT objectives
* Establish a process orientation to define the scope and extent of coverage, with a defined structure enabling easy navigation of content
* Be generally acceptable by being consistent with accepted IT good practices and standards and independent of specific technologies
* Supply a common language with a set of terms and definitions that are generally understandable by all stakeholders
* Help meet regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and external auditors
The IT organization delivers against these goals by a clearly defined set of processes that use people skills and technology infrastructure to run automated business applications while leveraging business information. The IT resources identified in COBIT can be defined as follows:
* Applications are the automated user systems and manual procedures that process the information.
* Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business.
* Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
* People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.
To govern IT effectively, it is important to appreciate the activities and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan, build, run and monitor. The four interrelated domains of COBIT are:
* Plan and Organize (PO)—Provides direction to solution delivery (AI) and service delivery (DS)
* Acquire and Implement (AI)—Provides the solutions and passes them to be turned into services
* Deliver and Support (DS)—Receives the solutions and makes them usable for end users
* Monitor and Evaluate (ME)—Monitors all processes to ensure that the direction provided is followed
Plan and organize (PO)
This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organization as well as technological infrastructure should be put in place. This domain typically addresses the following management questions:
* Are IT and the business strategy aligned?
* Is the enterprise achieving optimum use of its resources?
* Does everyone in the organization understand the IT objectives?
* Are IT risks understood and being managed?
* Is the quality of IT systems appropriate for business needs?
Acquire and implement (AI)
To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain typically addresses the following management questions:
* Are new projects likely to deliver solutions that meet business needs?
* Are new projects likely to be delivered on time and within budget?
* Will the new systems work properly when implemented?
* Will changes be made without upsetting current business operations?
Deliver and support (DS)
This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
* Are IT services being delivered in line with business priorities?
* Are IT costs optimized?
* Is the workforce able to use the IT systems productively and safely?
* Are adequate confidentiality, integrity and availability in place for information security?
Monitor and evaluate (ME)
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions:
* Is IT’s performance measured to detect problems before it is too late?
* Does management ensure that internal controls are effective and efficient?
* Can IT performance be linked back to business goals?
* Are adequate confidentiality, integrity and availability controls in place for information security?
Processes need Controls
Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They:
* Are statements of managerial actions to increase value or reduce risk
* Consist of policies, procedures, practices and organizational structures
* Are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
Enterprise management needs to make choices relative to these control objectives by:
* Selecting those that are applicable
* Deciding upon those that will be implemented
* Choosing how to implement them (frequency, span, automation, etc.)
* Accepting the risk of not implementing those that may apply
The control objectives are identified by a two-character domain reference (PO, AI, DS and ME) plus a process number and a control objective number. In addition to the control objectives, each COBIT process has generic control requirements that are identified by PCn, for process control number. They should be considered together with the process control objectives to have a complete view of control requirements.
PC1 Process Goals and Objectives
Define and communicate specific, measurable, actionable, realistic, results-oriented and timely process goals and objectives for the effective execution of each IT process. Ensure that they are linked to the business goals and supported by suitable metrics.
PC2 Process Ownership
Assign an owner for each IT process, and clearly define the roles and responsibilities of the process owner. Include, for example, responsibility for process design, interaction with other processes, accountability for the end results, measurement of process performance and the identification of improvement opportunities.
PC3 Process Repeatability
Design and establish each key IT process such that it is repeatable and consistently produces the expected results. Provide for a logical but flexible and scalable sequence of activities that will lead to the desired results and is agile enough to deal with exceptions and emergencies. Use consistent processes, where possible, and tailor only when unavoidable.
PC4 Roles and Responsibilities
Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of the key activities and their documentation as well as accountability for the process end deliverables.
PC5 Policy, Plans and Procedures
Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.
PC6 Process Performance Improvement
Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect on the process goals and performance indicators that enable the achievement of process goals. Define how the data are to be obtained. Compare actual measurements to targets and take action upon deviations, where necessary. Align metrics, targets and methods with IT’s overall performance monitoring approach.
Effective controls reduce risk, increase the likelihood of value delivery and improve efficiency because there will be fewer errors and a more consistent management approach.
In addition, COBIT provides examples for each process that are illustrative, but not prescriptive or exhaustive, of:
* Generic inputs and outputs
* Activities and guidance on roles and responsibilities in a Responsible, Accountable, Consulted and Informed (RACI) chart
* Key activity goals (the most important things to do)
Business and IT controls
The enterprise’s system of internal controls impacts IT at three levels:
* At the executive management level, business objectives are set, policies are established and decisions are made on how to deploy and manage the resources of the enterprise to execute the enterprise strategy. The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by this top-level set of objectives and policies.
* At the business process level, controls are applied to specific business activities. Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated as well. These controls are known as application controls. However, some controls within the business process remain as manual procedures, such as authorization for transactions, separation of duties and manual reconciliations. Therefore, controls at the business process level are a combination of manual controls operated by the business and automated business and application controls. Both are the responsibility of the business to define and manage, although the application controls require the IT function to support their design and development.
* To support the business processes, IT provides IT services, usually in a shared service to many business processes, as many of the development and operational IT processes are provided to the whole enterprise, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The controls applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary for reliance to be placed on application controls. For example, poor change management could jeopardize (accidentally or deliberately) the reliability of automated integrity checks.
Establishing an effective governance framework includes defining organizational structures, processes, leadership, roles, and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives. Control over the process of providing IT governance that satisfies the business requirement for IT of integrating IT governance with corporate governance objectives and complying with laws, regulations and contracts, by focusing on preparing board reports on IT strategy, performance and risks, and responding to governance requirements in line with board directions, is achieved by:
* Establishing an IT governance framework integrated into corporate governance
* Obtaining independent assurance over the IT governance status
and is measured by:
* Frequency of board reporting on IT to stakeholders (including maturity)
* Frequency of reporting from IT to the board (including maturity)
* Frequency of independent reviews of IT compliance
References
* COBIT 4.1, http://www.itgi.org
* IT Governance, Harvard University, March 31, 2008
* Governance Objective and Governance Views of IT (Mapping), http://www.takinggovernanceforward.org