1 / 17

AUDIT COMMITTEE FORUM TM

AUDIT COMMITTEE FORUM TM. ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010. The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG. Current State.

ratana
Download Presentation

AUDIT COMMITTEE FORUM TM

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUMTM is proudly sponsored by KPMG

  2. Current State There have been a number of high-profile instances where processes that govern the integrity of information technology operations (IT governance) are not sufficiently effective to guard companies against serious financial loss. Companies have damaged their operations and negatively impacted revenue recognition, profit, and reputation by compromising the integrity or availability of their information as a result of problems associated with IT system implementations. Good Corporate governance (and King III) outline the role that Audit Committees should play in improving IT Governance. In two recent surveys, 30% of respondents indicated that they were not satisfied with the amount of time that audit committees spend on oversight of IT risk while only 9-11% were “Very satisfied’’ • 2

  3. Current State (cont.) Many organisations are struggling with: Poor alignment of IT resources against business goals Lack of demonstrative value from IT investments Business and / or technology change Dissatisfaction with IT function and the level of service it provides The implementation of compliance legislation IT projects exceeding time and financial budgets IT risks and control responsibilities poorly defined • 3

  4. A definition of IT Governance IT governance is a set of business processes that impose management and control disciplines on IT activities to help ensure the integrity and protection of IT operations and the achievement of targeted business goals. It is primarily about achieving three things: Getting the most value from IT, including moving towards strategic goals. Ensuring that stakeholders and management understand key IT risks and manage them accordingly. Establishing the conditions that allow IT management to operate effectively. • 4

  5. The Key Elements of IT Governance Board Oversight and Responsibility IT Governance/ Performance Tracking and Reporting Business Needs and Expectations IT Strategy and Planning Outcomes IT Governance Framework Risk Assessment IT Investment Analysis Build IT control framework Governance Structures • 5

  6. THE KING III PERSPECTIVE Board Oversight and Responsibility IT Governance/ Performance Tracking and Reporting Business Needs and Expectations IT Strategy and Planning Outcomes IT Governance Framework Risk Assessment IT Investment Analysis Build IT control framework Governance Structures Principle 1: Board Responsibility Principle 2: Performance and Sustainability Principle 2: Performance and Sustainability 1 2 2 4 3 5 6 7 Principle 3: IT Governance Framework Principle 4: IT Investments Principle 6: Information Security Principle 5: Risk Management Principle 7: Governance Structures • 6

  7. QUESTIONS THE AUDIT COMMITTEE SHOULD ASK • 7

  8. IT Strategy and Planning IT Strategy and Planning Key Questions: • Who was involved in developing the IT strategy and what was the process followed? • Have you defined a sourcing strategy? What is it and why is it important? • The purpose of IT strategy – the business needs to understand its strategy and document its strategic intent • Strikes an optimum balance of information technology opportunities and IT business requirements • Accomplishes organisational goals and objectives • Critical to aligning business and IT objectives • Ensures investments are made optimally • Drives a “common language” • Sets expectations • Considers architecture, delivery and governance . • 8

  9. IT Governance Framework IT Governance Framework Key Questions: • Have roles and responsibilities been assigned across IT? • Is a policy framework and related policies in place? • Are we aligned to industry standards, and if so, which ones? What is it and why is it important? • IT governance at its most basic is the process of making decisions about IT • Good IT governance ensures that IT investments are optimised, aligned with business strategy and delivering value within acceptable risk boundaries — taking into account culture, organisational structure, maturity and strategy • Articulates the roles of the various management and governance bodies across the business and decision making • Assigns clearly defined delegation for effective and efficient decision making and performance monitoring, • Encompasses a broad focus on overall IT capability • Enhances strategic decision making capacity • 9

  10. IT Investments IT Investments Key Questions: • Do we have a formal project management methodology / processes? • Do we perform a business case prior to significant spend? • Do we identify the targeted benefits and track these through the life of the project? What is it and why is it important? • Organisations must be able to measure business value and also manage and communicate value delivery in order to answer the questions: 1) Are we doing the right things? and 2) are we getting the benefits? • Define the relationship between IT and the business • Manage portfolio of IT-enabled business investments • Maximise the quality of business cases for IT-enabled investments • Articulate IT investment decision rights to ensure that they deliver the maximum business value at an acceptable level of risk. • 10

  11. IT Risk Assessment Risk Assessment Key Questions: • How often do we perform IT risk assessments? • Are the necessary resources made available within the business and within the Internal Audit department to conduct IT Audits? • What are the key risks in our IT environment? What is it and why is it important? • These can range from accidental damage caused by employees with inadequate training to deliberate attempts from outsiders to illegally access data that your business holds • Helps identify and form basis for risk mitigation plans • Risk areas for consideration - Business Focus, Information Assets, Dependence on IT, Dependence on IT internal staff, Dependence on third parties, Reliability of IT systems, Changes to IT, Legislative and regulatory environment • Recognise the risks associated with using IT in a business environment • 11

  12. IT Control Framework IT Control Framework Key Questions: • Have we identified our key IT controls? • Do we monitor (and benchmark) these on an ongoing basis? What is it and why is it important? • IT controls are specific activities performed by people or systems designed to ensure that business objectives are met • A subset of an enterprise's internal control which relate to the confidentiality, integrity and availability of data and the overall management of the IT function • A set of fundamental controls that must be in place to prevent information loss in an organization • Control areas for consideration - Management of IT, Continuity of systems (Disaster recovery), Systems development, Change control, Security of information and systems, Physical and logical access controls, Control assurance IT controls are specific activities performed by people or systems designed to ensure that business objectives are met • 12

  13. Performance Tracking and Reporting Performance tracking and reporting Key Questions: • Have we defined KPI’s and CSF’s for IT? • Are these monitored, reported, and followed up on? What is it and why is it important? • It is critical to measure to outcomes of strategic initiatives • Keep the focus on ongoing control • Effectively manage the IT function • Provide transparent reporting to the business on IT performance • Performance reporting should focus not only on financial outcomes but also on the operational, marketing, risk and developmental inputs to the business • 13

  14. Summary of key questions IT Strategy and Planning: • Who was involved in developing the IT strategy and what was the process followed? • Have you defined a sourcing strategy? IT Governance Framework: • Have roles and responsibilities been assigned across IT? • Is a policy framework and related policies in place? • Are we aligned to industry standards, and if so, which ones? IT Investments: • Do we perform a business case prior to significant spend? • Do we identify the targeted benefits and track these through the life of the project? IT Risk Assessment • How often do we perform IT risk assessments? • What are the key risks in our IT environment? IT Control Framework • Have we identified our key IT controls? • Do we monitor (and benchmark) these on an ongoing basis? Performance Tracking and Reporting • Have we defined KPI’s and CSF’s for IT? • Are these monitored, reported, and followed up on? • 14

  15. King III specific responsibilities The audit committee should consider IT as it relates to financial reporting and the going concern of the company What are the key systems responsible for the generation and processing of financial reporting data? How reliant are we on our systems? (how long could we survive without them?) Do we have Disaster Recovery and Business Continuity Plans? Have we tested these? Is our information security sufficient for the business? The audit committee should consider the use of technology to improve audit coverage and efficiency Has our (internal or outsourced) Internal Audit function identified key application controls to test? Do we test the general controls related to those key applications? What internal auditing tools do we utilise (e.g. CAATs, Continuous Auditing)? • 15

  16. Presenter’s contact details: Johannesburg Frank Rizzo KPMG (011) 647 7388 frank.rizzo@kpmg.co.za www.kpmg.com Cape Town Patrick Ryan KPMG (021) 408 7374 patrick.ryan@kpmg.co.za www.kpmg.com Durban Eugene Pfister KPMG (011) 647 7918 eugene.pfister@kpmg.co.za www.kpmg.com • 16

  17. QUESTIONS?

More Related