IT Governance Methodology
Author: William Cox, MBA, QPM, PMP
Partners

PMO IT Governance
IT Governance consists of the leadership and organizational structures, processes and relational mechanisms that ensure that the organization's IT sustains and extends the organization's strategy and objectives.
COBIT®
Stands for 'Control Objectives for Information and related Technology'. Internationally accepted as good practice for control over information, IT and related risks. It is a governance and control framework with guidance for IT controls that focuses on what needs to be achieved rather than how to achieve it.

COBIT®
COBIT is closely linked to COSO, the most common internal-control framework used to address regulatory requirements. COBIT is widely accepted as the IT control framework that can be used to meet regulatory compliance requirements such as Sarbanes-Oxley, Basel II, etc.
Model for Enterprise-based Internal Control
Controls can be classified by:
- nature
- functional area
- action or objective

Model for Enterprise-based Internal Control
Controls are classified by nature as:
- management controls
- physical controls
- technical controls

Model for Enterprise-based Internal Control
Controls are classified by functional area as:
- application controls
- network controls
- development controls
- operations controls
- security controls
- integrity controls

Model for Enterprise-based Internal Control
Controls are classified by action or objective as:
- directive controls ... management actions, policies and guidelines that cause or encourage a desired event
- preventive controls ... standards, methods, practices, tools and technology to ensure quality and reliability
- detective controls ... give feedback regarding the effectiveness of directive and preventive controls
- corrective controls ... provide information, procedures and instructions for correcting errors, omissions, etc. that have been detected
- recovery controls ... facilitate backup, restoration and recovery of a system following an interruption of services
Model for Enterprise-based Internal Control
Internal control includes those mechanisms within an enterprise which have been designed to provide reasonable assurance regarding the achievement of objectives for:
- effective and efficient operations
- reliability of financial reporting
- compliance with applicable laws and regulations

Model for Enterprise-based Internal Control
Internal controls in and of themselves cannot:
- ensure the corporation's success or survival
- ensure the reliability of financial reporting
- ensure compliance with laws and regulations
(They provide reasonable, not absolute, assurance.)

Model for Enterprise-based Internal Control
Internal control systems have 5 components:
- Control Environment ... human resource controls, competence levels and cost, etc.
- Risk Assessment ... objective setting and risk assessment integrated throughout operations
- Control Activities ... policies and procedures which define business processes
- Information/Communication ... internal and external information and reporting: financial, customers, etc.
- Monitoring ... look for an emphasis on "building in" controls rather than "adding on" controls after the fact
Controls for Information Technology
Preventive Controls
- policies, procedures, standards
- mission/vision statements
- TQM programs
- short-range planning
- long-range planning
- portfolio management approach to computer investments
- establishment of benchmarks and best practice standards
- establishment of self-management teams
- establishment of electronic commerce guidelines

Controls for Information Technology
Detective Controls
- project management tools
- control parameter definitions
- review of operating and capital budgets
- establishment of tolerance limits
- establishment of sampling techniques

Controls for Information Technology
Corrective Controls
- exception reports
- progress reports
- control reports
- error reports
- statistical reports
- special reports
Controls for Operations Management
Preventive Controls
- establish and enforce computer center policies, procedures and standards
- establish a problem, change and configuration management structure
- install and empower help-desk staff to support system users
- require periodic audits of the computer center
- install an automated job scheduling system
- discourage printing of hardcopy reports and encourage on-line viewing
- install automated tape and disk management systems
- develop partnership relationships with customers and suppliers
- install program library management software

Controls for Operations Management
Detective Controls
- require system logging of transactions
- reduce computer operator intervention by installing an automated console management system
- review system activity logs, journals and exception reports
- rotate key employees in the computer center
- acquire or develop an automated job accounting information system

Controls for Operations Management
Detective Controls (continued)
- require employees to take vacations
- ensure the correct version of production programs is running
- implement run-to-run program controls
- compare production resource usage statistics
- install hardware and software monitors
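Two of the detective controls listed above, "ensure the correct version of production programs is running" and "implement run-to-run program controls", are concrete enough to show in code. The following is an added example written for this page, not code from the presentation or its author. The approved-build bytes, the release manifest, the program name payroll_calc and the batch records are all constructed for the illustration; the control-total fields (record count, amount total in integer cents, and a hash total over account IDs) are the classic trio used in batch processing and are an assumed design, not something the slides prescribe.

```python
import hashlib

# --- Control 1: run only the approved version of a production program ----
# Constructed stand-ins for a program binary. The release manifest records
# the SHA-256 that change management approved; anything else must not run.
APPROVED_BUILD = b"payroll_calc v1.4 (approved build, constructed for this example)"
TAMPERED_BUILD = APPROVED_BUILD + b" + unapproved patch"
APPROVED_MANIFEST = {"payroll_calc": hashlib.sha256(APPROVED_BUILD).hexdigest()}


def version_findings(program, deployed_bytes, manifest):
    """Return exception-report lines; an empty list means the deployed
    program matches the approved release and may be scheduled."""
    expected = manifest.get(program)
    actual = hashlib.sha256(deployed_bytes).hexdigest()
    if expected is None:
        return [f"{program}: not in release manifest, run blocked"]
    if actual != expected:
        return [f"{program}: deployed sha256 {actual[:12]}... "
                f"!= approved {expected[:12]}..., run blocked"]
    return []


# --- Control 2: run-to-run control totals between batch steps -----------
def control_totals(records):
    """Count, amount total (integer cents, never floats) and a hash total.
    The hash total over account IDs has no business meaning; it exists so a
    swapped record is noticed even when count and amount still balance."""
    return {
        "record_count": len(records),
        "amount_cents": sum(r["amount_cents"] for r in records),
        "hash_total": sum(r["account"] for r in records),
    }


def run_to_run_findings(prior_step_output, next_step_input):
    """Compare the totals the previous step wrote in its trailer with the
    totals recomputed over what the next step actually read."""
    expected = control_totals(prior_step_output)
    actual = control_totals(next_step_input)
    return [f"{name}: expected {expected[name]}, got {actual[name]}"
            for name in expected if expected[name] != actual[name]]


# Constructed batch data: what step 1 produced ...
STEP1_OUTPUT = [
    {"account": 1001, "amount_cents": 250000},
    {"account": 1002, "amount_cents": 310050},
    {"account": 1003, "amount_cents": 98000},
]
# ... a corrupted copy (one record lost, one amount altered) ...
STEP2_INPUT_CORRUPTED = [
    {"account": 1001, "amount_cents": 250000},
    {"account": 1002, "amount_cents": 301050},
]
# ... and a copy that balances on count and amount but has a swapped account.
STEP2_INPUT_SWAPPED = [
    {"account": 1001, "amount_cents": 250000},
    {"account": 1002, "amount_cents": 310050},
    {"account": 1004, "amount_cents": 98000},
]

if __name__ == "__main__":
    for label, build in (("approved", APPROVED_BUILD), ("tampered", TAMPERED_BUILD)):
        print(label, version_findings("payroll_calc", build, APPROVED_MANIFEST))
    for label, batch in (("clean", STEP1_OUTPUT), ("corrupted", STEP2_INPUT_CORRUPTED),
                         ("swapped", STEP2_INPUT_SWAPPED)):
        print(label, run_to_run_findings(STEP1_OUTPUT, batch))
```

Both functions return the lines an exception report would carry rather than raising, so the scheduler can block the job and the operations team still gets the evidence the slides call for under "review system activity logs, journals and exception reports". The hash total is what catches the swapped-account case; count and amount alone would pass it.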
IT Governance is a strategy
Market leaders typically spend more on strategic initiatives and on the infrastructure to support those initiatives, while market followers tend to spend more on transactional systems.

IT Governance is a strategy
In order to collect the information required for good governance, you need to have the right processes, tools and resources.

IT Governance is a strategy
As important as knowing how much to spend and where is having the systems to support the effective management of your IT portfolio. Decisions need to be made as business strategies change. The better the information your executives receive, the better the decisions they are able to make.
Aligning Corporate Strategy and IT Investments
The corporate IT project portfolio is similar to a portfolio of stocks and options: managing this portfolio requires an understanding of risk and return, and tools to make informed decisions given scarce resources.
Technology Portfolio Management

[Chart: Weighted portfolios for three different corporate IT strategies]

Aligning Corporate Strategy and IT Investments
Cost Focused
The 'Cost Focused' IT strategy is characteristic of industries with high volume and low margin. The technology investment focus is on transactional systems and related infrastructure.

Aligning Corporate Strategy and IT Investments
Balanced Cost & Agility
Typically for fast-follower organizations: technology investments are approved as needed to enable specific strategic objectives. The company has a balanced mix of IT investments.

Aligning Corporate Strategy and IT Investments
Agility Focused
Companies in this category have advanced technology infrastructures that can easily be leveraged to implement new strategies. These companies tend to be market leaders and are not necessarily technology-industry companies. The technology infrastructure of Agility Focused companies effectively enables their strategy. IT investments are weighted towards infrastructure and strategic initiatives.

Aligning Corporate Strategy and IT Investments

Aligning IT investment with business goals and strategies
An integral part of IT investment alignment and IT Governance is the deployment of a strong portfolio management solution. At the foundation of successful portfolio management solutions are methodologies and mature, robust PPM / IT Governance tools.

Why invest in portfolio management?
- Alignment of people and projects with strategic objectives
- Maximize resource utilization by allocating your best resources to the highest-priority initiatives
- Provide accurate reports to the Executive Committee
- Create faster and more accurate business value assessments that prioritize projects
- Balanced scorecards with key performance indicators and key goal indicators on which to base decisions
- Smooth collaboration and participation
- Strategic hiring
- ROI