
IT Governance: A Practical Guide

IT Governance: A Practical Guide. - J. Mark Sanman, CIA, CISA, CISSP-ISSMP November 2009 Greater Cincinnati ISACA Chapter Meeting. Procter & Gamble


Presentation Transcript


  1. IT Governance: A Practical Guide
  • J. Mark Sanman, CIA, CISA, CISSP-ISSMP
  • November 2009 Greater Cincinnati ISACA Chapter Meeting

  2. Biography
  • Procter & Gamble: 32 years in various IT, IT Audit, and IT Governance roles.
  • Current assignment is in IT Commercial Governance, with specific responsibilities involving supplier governance, risk management and governance audit coordination.
  • Previous roles included IT infrastructure audit management, e-business and e-commerce infrastructure management, EDI (Electronic Data Interchange) for global customer business development, and implementation manager - global network.
  • Work at one time or another has involved travel to 35 countries on 6 continents.
  • Education: MSEE - University of Cincinnati; BSEE - University of Idaho
  • Professional Certifications: Certified Internal Auditor (CIA) - 2002; Certified Information Systems Auditor (CISA) - 2004; Certified Information Systems Security Professional (CISSP) - 2005; Information Systems Security Management Professional (ISSMP) - 2009

  3. Disclaimer
  • The opinions contained in this presentation are those of the presenter, and do not necessarily reflect the views of The Procter & Gamble Company.

  4. Agenda
  • Why is IT Governance a ‘Hot Topic’?
  • IT Governance Definitions
  • IT Governance Considerations in a Sourced Environment
  • An Audit Checklist for IT Governance

  5. Why is IT Governance a ‘Hot Topic’?

  6. Why is IT Governance a ‘Hot Topic’?
  • Increased sensitivity to protecting stakeholder interests
    • Shareholders (see: Sarbanes Oxley)
    • Consumers (see: HIPAA)
    • Suppliers (see: PCI)

  7. Why is IT Governance a ‘Hot Topic’?
  • Recognized need for tight business linkage
    • Strategic Alignment
    • Value Delivery
    • Resource Management
    • Risk Management
    • Performance Management

  8. Why is IT Governance a ‘Hot Topic’?
  • Effective Management of Outsourced IT Suppliers
    • Relationship Management
    • Financial Management
    • Performance Management
    • Contract Management

  9. IT Governance Definitions
  • IIA International Professional Practices Framework:
    • [IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology sustains and extends the organization’s strategies and objectives.
    • [IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.
    • [Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

  10. IT Governance Definitions
  • CobiT 4.1: IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.

  11. IT Governance Definitions
  • (ISC)2 Ethics Preamble: Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

  12. IT Governance High Level Summary
  • The business of running IT vs. running the technology
  • Setting the rules and assuring they are followed
  • An ethical responsibility to stakeholders
    • Principal - business
    • Commonwealth - people
    • Each other - reputation

  13. IT Governance CobiT Focus Areas
  • Strategic Alignment
  • Value Delivery
  • Resource Management
  • Risk Management
  • Performance Measurement

  14. IT Governance Practical Guidelines
  • Leadership and Clear Business Ownership
  • Aligned Business-Relevant Measures
  • Complete and Accurate Inventories
  • Linking Technical and Business Risk

  15. Clear Business Ownership and Direction
  • Alignment of Business and IT Objectives (CobiT 4.1 ‘Framework’)
    • Enterprise Strategy
    • Business Goals for IT
    • IT Goals
    • Enterprise Architecture for IT
    • IT Scorecard

  16. Alignment Example: Two Global Retailers

  17. Business-Relevant Measures
  • Requires translation of traditional IT measures
    • Performance against Financial goals, either Business or IT
    • Operational efficiency
    • Innovation

  18. Measures Example: Replenishment

  19. Complete and Accurate Inventories
  • IT-dependent Business Processes
  • Data Repositories and Information Flows
  • IT Infrastructure
  • IT Resources and Processes

  20. Information Flow / Combination Example

  21. Linking Technical and Business Risk
  • Risk is the ‘lingua franca’ of business.
  • Management needs to be able to compare IT Risks with other risks.
  • IT Governance must do an effective job of translating technical risks to business risks.

  22. Linking Technical and Business Risk

  23. IT Governance Basics: Questions?

  24. IT Governance in a Sourced Environment

  25. IT Governance in a Sourced Environment
  (Diagram: Business Strategy and Processes; IT Governance; Commercial Relationship; Commercial Relationship; Suppliers’ IT Strategy and Processes)

  26. Considerations in a Sourced Environment
  • Sourcing Strategy
  • Contract Management
  • Finance Management
  • Relationship Management
  • Performance Management

  27. Sourcing Strategy
  • Part of IT Strategic Plan
  • Inventory of critical Supplier relationships
  • Update based on changes to Business, IT or Supplier Strategies
  • May contain intervention plans

  28. Contract Management
  • Initial negotiation and in-life change management
  • Defines Services/Quality
  • Defines ownership of Intellectual Property
  • Compliance with Law and Policy
  • Audit Rights

  29. Contract Change Management
  • Required either by changing business needs or to address ambiguity.
  • Should be viewed as a negotiation.
  • Each party will attempt to get concessions not previously obtained - value is at risk.
  • Depend on Relationship Management for smaller changes to avoid this risk.

  30. Intellectual Property
  • Supplier IP may be used to deliver efficiencies ($)
  • However, use of Supplier IP may limit sourcing flexibility.
  • Who owns process ‘know-how’ and does this change over time?
  • What risk does this represent?

  31. Intellectual Property Mitigations
  • Inventory, inventory, inventory
    • IT processes supporting the business
    • Materials (documents, rights, etc.)
  • Risk Management discussion with business
  • Seek legal help
  • Follow up!

  32. Audit Rights
  • Business requirements drive specifics.
  • Must be in the initial contract
  • For supplier shared services, SAS70 Type II
  • Audit rights should be unlimited and at no cost.

  33. Finance Management
  • Deal financials reporting
  • Invoice Verification
    • Service receipt
    • Credits
    • Incentives
  • Internal cost recovery

  34. Finance Management
  • This is THE PLACE to receive an independent confirmation of IT value delivery.
  • Budgets are a very unforgiving reality check!

  35. Relationship Management
  • Overall Supplier management
  • Monitor business needs
  • Communication Forums
  • Issue Management
  • Risk Management
  • Project Management

  36. Risk Management
  • IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total.
  • As before, there may be a translation here from technical risk to business risk.
  • Can use Probability x Business Impact as the metric. The business should supply the Impact.
  • This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.

  37. Project Management
  • Good Project Management helps assure value delivery
  • Define ‘project’ vs. ‘daily work’ in the contract.
  • Has linkages to Finance Management (paying Project costs) and Service Delivery (assuring Project deliverables)

  38. Performance Management
  • Aligning Service Delivery Requirements
  • Managing and Reporting against SLAs
  • Management of individual projects
  • Work prioritization

  39. IT Governance in a Sourced Environment: Questions?

  40. An Audit Checklist for IT Governance

  41. IT Governance Audit Planning
  • Audit Team Composition
  • Audit Criteria
  • Learnings from the Balanced Scorecard Approach

  42. Audit Team Composition
  • Leadership - Business or IT?
  • Audit Supervision and Auditor in Charge
    • Independence is a must
  • Beware setting up an audit team that may reflect corporate IT Governance issues
  • Consider sourcing knowledgeable auditors

  43. IT Governance Audit Criteria / Standards
  • IIA Governance Auditing Standards
  • ISACA / ITGI IT Governance Auditing Guidelines
  • ITGI Risk IT Framework
  • ITGI Val IT Framework
  • << Insert your Company business policies here >>

  44. Learnings from the Balanced Scorecard
  • Consider IT Governance from various business points of view (1)
    • Corporate
    • Customer
    • Operational Excellence
    • Future / Sustainability
  (1) “Measuring and Improving IT Governance Through the Balanced Scorecard”, Information Systems Control Journal, Volume 2, 2005

  45. Balanced Scorecard: Corporate View

  46. Balanced Scorecard: Customer View

  47. Balanced Scorecard: Operational View

  48. Balanced Scorecard: Future View

  49. Auditing IT Governance: Questions?

  50. What We’ve Covered Tonight
  • Why is IT Governance a ‘Hot Topic’?
  • IT Governance Definitions
  • IT Governance Considerations in a Sourced Environment
  • An Audit Checklist for IT Governance
