This document provides an overview of a presentation on building an internal control framework for IT governance. It discusses key benefits to the audience, the current state of IT governance standards and challenges, areas not adequately covered by existing standards, and recommendations for the framework.
The presentation will compare leading IT governance standards, highlight similarities and differences, and gaps not addressed. It will also recommend internal controls focusing on strategic alignment, financial performance, risk management, growth, and service delivery. An internal control framework is proposed that takes a holistic view encompassing governance, management, use of IT, and the relationship between corporate strategy, digital business models, and organization structures.
IT Governance – The missing compass in a technology changing world, by PECB
Oladapo Ogundeji, CTO of Digital Jewels Ltd, gave a presentation on IT governance and its importance in today's technology changing world. He discussed that IT governance provides a formal process to define IT strategy and oversee its execution to achieve business goals. It also helps balance priorities like maximizing returns, increasing agility, and mitigating risks. Ogundeji covered frameworks like COBIT 5 and ISO 38500 that provide guidance on implementing IT governance and highlighted critical success factors like executive commitment, focus on execution, and competence in resources.
The document discusses IT governance, which involves processes that ensure effective and efficient use of IT to help an organization achieve its goals. IT governance addresses demand governance, which involves determining what IT should work on and where resources should be invested, and supply governance, which involves how IT should deliver what the business needs. Effective IT governance models must address what IT decisions need to be made, who should make them, and how they will be made and monitored.
The document provides information about an upcoming training on IT Governance to be delivered by Goutama Bachtiar. It includes details about the trainer's background and experience in IT advisory, consulting, auditing, and education. The training objectives are to address key knowledge areas related to IT Governance domains such as framework, strategy alignment, value delivery, risk management, and performance measurement. The targeted participants are corporate and IT management, IT auditors, and senior IT management. The training agenda covers various topics around governance vs management, frameworks, strategy, value, risk, performance and more. It also discusses the ISACA CGEIT certification domains that the training maps to.
Corporate governance of INFORMATION TECHNOLOGY (IT), by Osman Hasan
This document provides an overview of corporate governance of information technology (IT). It discusses key topics such as the difference between IT governance and IT management, principles of IT governance, and common frameworks used for IT governance including ISO, COBIT, and CMM. The primary goals of corporate governance of IT are to ensure IT generates business value, oversee management's performance, and mitigate risks associated with IT use. Frameworks help organizations implement effective IT governance through processes, structures, and communication approaches.
Mergers & Acquisitions - Addressing The Critical IT Issues, by curtherge
The document discusses critical IT issues to address in an M&A integration. It emphasizes the importance of IT due diligence before and after a deal is announced to identify risks, costs, and integration challenges. A multi-step approach is proposed: 1) develop an IT integration strategy, 2) conduct integration planning including defining success factors and KPIs, and 3) focus the first 100 days on stabilizing operations and launching integration teams to develop detailed plans. Early focus areas include communications, retention efforts, and identifying projects to pause or complete to facilitate integration.
This document summarizes a research paper about IT governance. It defines IT governance as the process of aligning IT decisions and actions with organizational performance goals and assigning accountability. The summary provides a one-page framework for designing and communicating effective IT governance. Companies with good IT governance have profits 20% higher than peers. However, most senior managers do not understand their company's IT governance processes. The summary recommends that companies carefully design, implement, and communicate IT governance to improve performance.
This presentation is intended to assist CIOs with setting up a formal IT Governance model for their college or university. Two companion files, an IT Governance Committee Charter and an IT Project Governance Guideline, are also on Slideshare and linked at the end.
Governance Of Enterprise Information Technology V3, by pjmartinez
The document discusses a governance model for enterprise information technology service innovation presented to the Department of the Interior's Office of the Chief Information Officer. The model aims to increase accountability, advance modernization and integration, and drive business principles through a federated service innovation model. Key components of the proposed governance framework include performance measurements, risk management, and strategic alignment. Next steps involve further analyzing and decomposing the model elements, highlighting areas for improvement, and providing communications for clearer direction of the federated service model.
The presentation will begin at 12PM EST and discuss IT governance. IT governance refers to the rules and regulations that govern an IT department and ensure compliance. Good IT governance provides several benefits, including standardized processes, maximized IT investment returns, and alignment between IT and business objectives. The presentation will cover IT governance definitions, frameworks like COBIT and ITIL, and take questions from the audience.
This document discusses IT governance and provides an introduction to the topic. It defines IT governance as specifying decision rights and accountability frameworks to encourage desirable behavior in using IT. It also discusses some of the challenges CIOs face, symptoms of ineffective governance, how to measure governance effectiveness, and key processes involved in designing an effective IT governance model. The document recommends establishing a business case for IT governance, assessing current maturity and performance, defining a desired future state, and developing a plan to improve governance.
Stewardship is extending to IT as Boards question the depth of their enterprise’s reliance on IT.
Some thoughts on how IT risk, control, audit and assurance are evolving toward the broader concept of IT governance.
Why IT governance should be on the Board of Directors’ agenda wherever IT is strategic to the business.
How it fits in the broader concepts of enterprise governance and how management and boards can address it.
Keller Graduate School of Management class - PM600 - this was the final presentation - created and presented by Scott Lang & Rajeshwer Subramanian
We were a two-man team working over the length of the course creating and developing this project.
Hoping to show presentation skills and the understanding of the principles of project management
This document provides an overview of IT strategy and governance for executives. It discusses the importance of aligning IT with business strategy and having proper governance structures in place. Key points include:
- IT strategy should define how technology will support business goals and priorities through investments, applications, and infrastructure.
- IT governance ensures IT goals are met, risks are mitigated, and value is delivered to the business. It focuses on strategic alignment, value delivery, risk management, resource management, and performance.
- Common pitfalls of IT strategy include lack of ownership, not tracking progress, failing to realize ROI, and not having proper governance structures.
- Strong IT governance with board oversight and an IT steering committee is needed to successfully
What Every Executive Needs To Know About IT Governance, by Bill Lisse
IT governance provides the structure for determining organizational IT objectives and monitoring performance to ensure objectives are met. It specifies decision rights and accountability to encourage desirable behavior in IT use. Effective IT governance involves business process owners, evaluates performance against business requirements, and considers components like competitive advantage, risk management, and performance measurement.
IT Governance aims to align IT initiatives with business objectives, prioritize projects based on benefits and ROI, organize related projects to avoid duplication, lower total cost of ownership, and provide visibility into decision-making processes. The proposed product enables informed IT investment decisions through a collaborative platform, sourcing required information from within the organization or from decision makers' experience. It ensures all relevant aspects and information are considered in the analysis and tracks key aspects with full visibility of decision making. The models provided are based on extensive research and can be enhanced over time as more decisions are made, growing with the organization.
Understanding IT Governance and Risk Management, by jiricejka
Describes a holistic IT Governance framework for establishing a transparent relationship between the business and the IT environment.
Describes governance services and risk management methods.
The document discusses IT governance and the challenges faced by SMB CIOs in managing IT. It summarizes that IT governance aims to ensure IT dollars are spent on the right projects at the right time. However, the tools and processes typically used by large enterprises are too expensive, complex, and specialized for SMBs. The document then introduces the concept of on-demand CIO services as a more cost-effective solution for SMBs to access expert guidance and management of their IT operations and projects.
The document discusses IT governance and provides an overview of key frameworks for IT governance, including ISO 38500 and COBIT. It begins by defining governance and describing how governance applies to IT. It then discusses why IT governance is important for organizations, noting benefits like ensuring strategic alignment between IT and business goals. The document also provides a detailed overview of the ISO 38500 standard for IT governance, describing its scope, framework and principles. It explains the standard's six principles of IT governance and provides examples. Overall, the document serves to introduce the topic of IT governance and some of the most relevant frameworks.
Copyright Notice:
This presentation is prepared by Author for Perbanas Institute as a part of Author Lecture Series. It is to be used for educational and non-commercial purposes only and is not to be changed, altered, or used for any commercial endeavor without the express written permission from Author and/or Perbanas Institute. Appropriate legal action may be taken against any person, organization, or entity attempting to misrepresent, charge, or profit from the educational materials contained here.
Authors are allowed to use their own articles without seeking permission from any person, organization, or entity.
IT Governance Vs IT Management Presentation V0.1, by Richard Willis
IT governance involves establishing responsibility and accountability for major IT decisions and ensuring IT strategy alignment with business strategy. Effective IT governance increases profitability and shareholder returns. Frameworks like COBIT, ITIL, and ISO/IEC 38500 provide best practices for IT governance and management. IT governance is concerned with strategic decision making while IT management focuses on operational excellence. Organizations can assess their IT governance maturity to continually improve practices over time.
IT governance provides strategic direction for IT and ensures objectives are met, risks managed, and resources used responsibly. It establishes organizational regulations and standards exercised by management. IT governance is needed for complex IT projects as it involves a team to deal with political, organizational, legal, technical, cultural, and personnel issues to help ensure successful project outcomes.
The document discusses three types of Chief Information Officers (CIOs): Functional Heads focused on IT operations; Transformational Leaders focused on business process transformation; and Business Strategists focused on competitive strategy. Most CIOs currently spend their time as Functional Heads, but the role is evolving towards Business Strategists. Business Strategists spend more time with business units, focus on external business processes, and have greater career rewards than the other two types.
Understanding COBIT 5.0 (IT Governance) by Mr. Avinash Totade
President of Information Systems Audit and Control Association (ISACA) UAE Chapter
OpenThinking Day 2012
This document summarizes key points from a presentation on IT governance and trends in government. It discusses how IT governance can support business objectives through principles, processes, relationships and decisions defined in a governance framework. It also examines how compliance requirements can be integrated into governance to balance predictability with agility. Emerging trends like socialization, the information continuum, and the convergence of IT, OT and CT are shaping new approaches to government IT strategies and operations.
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500, by PECB
This document discusses how COBIT 5 and ISO 38500 can be aligned for effective IT governance. It provides an overview of COBIT 5 including its product family, principles, processes, and implementation guidance. It also summarizes ISO 38500 and its six principles for corporate governance of IT. The document emphasizes that both frameworks take a holistic approach to IT governance covering the entire enterprise and can be used together to establish effective IT governance.
This document provides an overview of IT governance and describes how to audit IT governance. It defines IT governance as the leadership, structures, and processes that ensure an organization's IT supports its strategies and objectives. The document outlines key elements of IT governance including strategic alignment, value delivery, risk management, resource management, and performance measurement. It also discusses benefits of IT governance, common frameworks, the role of internal audit, and current trends in auditing IT governance with a focus on higher education institutions.
The document discusses IT governance, defining it as the processes that ensure effective and efficient use of IT to help an organization achieve its goals. IT governance is a responsibility of executives and the board of directors and consists of leadership, structures, and processes to ensure IT supports business strategies and objectives. Frameworks like COBIT provide structures to align IT strategy with business strategy through formal processes. The benefits of IT governance include transparency, accountability, improved ROI, risk management, and compliance. Governance focuses on strategic decisions while management handles tactical implementation.
One of the most daunting challenges organizations face is deciding what technology is needed to fully enable the business to achieve its strategy and objectives. The key is ALIGNMENT.
With the rapid evolution of Information Technology (IT) applications and practices across the organization, appropriate IT Governance (ITG) has become essential to an organization's success. The use of IT has become pervasive in every facet of the organization's endeavours, supporting and evolving each aspect of the business. Because IT carries both risk and value opportunities, each organization requires a comprehensive, high-level system to minimise the associated risks and optimize value. The IT value achieved through effective IT governance is related to efficient and cost-effective IT delivery, innovation and business impact. This presentation highlights the Critical Success Factors (CSFs) needed for the successful and effective implementation of ITG.
Understanding IT Strategy, Sourcing and Vendor Relationships, by Goutama Bachtiar
This document discusses IT strategy, sourcing, and vendor relationships. It covers key topics such as:
1. Aligning IT strategy with business strategy and exploring different IT governance models.
2. Examining IT operating plans and sourcing strategies, including discussions of outsourcing, offshoring, and the outsourcing lifecycle.
3. Important considerations for commencing relationships with IT vendors, including vendor selection, contracts, and financial stability.
Harley Davidson recognized the need to align IT with its business strategy for continued growth. It implemented an IT governance framework to unite management, IT, and audit functions while preserving company culture. The framework aligned IT decision making with business objectives, managed risks, and ensured IT resources supported business goals. This allowed Harley Davidson to sustain record growth for 20 consecutive years while effectively governing its increasing IT usage and investments.
This document summarizes an information technology governance seminar that covered key topics like what IT governance is, elements and benefits of IT governance, frameworks for IT governance like COBIT and ITIL, auditing IT governance which involves assessing institutional structures and risk management, and current trends in IT governance around cost efficiencies, security, and addressing cyber threats. The presentation provided overviews of IT governance and approaches to auditing it across different organizational areas.
This document discusses the IT Capability Maturity Framework (IT-CMF) which provides a standard framework for linking corporate strategy to IT strategy. The IT-CMF examines the full spectrum of IT management dimensions across four macro processes - managing IT like a business, managing the IT capability, managing IT for business value, and managing the IT budget. It assesses maturity across five levels and provides guidance on best practices to increase maturity levels and maximize business value delivered by IT.
High-performing organizations achieve results by utilizing portfolio management to select the right projects at the right time with the right resources based on a data-driven selection methodology. Portfolio management adds value to an organization’s bottom line by optimizing the organization’s capacity and capabilities to meet the demands of an ever-changing market and technology trends. It does this by providing insight and global visibility of the organization’s approved set of strategic criteria against a backdrop of organizational constraints. This presentation provides a few of the value creation processes that implementing a best-in-class portfolio management solution can provide to your organization.
To learn more: http://developingaculturethatworks.com/
The document introduces the Innovation Value Institute (IVI), a consortium developing an industry standard framework called the IT Capability Maturity Framework (IT-CMF) for managing IT to deliver business value. The IT-CMF assesses 33 critical IT processes across four key areas and provides maturity levels, tools, and best practices to help organizations increase the maturity of their IT management and realize more value from IT investments. The document outlines the development of the IT-CMF and benefits organizations can expect from implementing and improving their maturity levels based on the framework.
The document discusses several frameworks for IT governance - COBIT, ITIL, and Val IT. It describes the key components and benefits of each framework. COBIT focuses on controls and metrics for IT processes, while ITIL provides guidance on service delivery and support. Using the frameworks together can provide a comprehensive approach to IT governance that establishes what should be done as well as how.
COBIT is a framework that provides governance over IT to ensure it is aligned with business needs. It improves IT efficiency and effectiveness by helping IT understand business needs and putting practices in place to meet them. COBIT supports IT governance by providing a framework to ensure IT is aligned with the business, enables the business, uses resources responsibly, and manages risks appropriately. Implementing COBIT provides benefits like a common language, understanding how business and IT can work together, improved efficiency, reduced risk, and more effective audits.
This document provides an overview of COBIT 5, a framework for the governance and management of enterprise IT. COBIT 5 helps enterprises create optimal value from IT by balancing benefits realization with risk optimization and resource use. The framework is designed to be a single integrated governance framework that covers the entire enterprise from end to end. It separates governance, which evaluates options and sets direction, from management, which implements activities. COBIT 5 aims to help enterprises maintain high quality information, generate value from IT, achieve operational excellence, manage IT risks, optimize costs, and ensure compliance.
IT governance involves aligning IT strategy with business strategy through focus on strategic alignment, value delivery, resource management, risk management, and performance measures. It is important for compliance, competitive advantage, and enterprise goals. Effective IT governance involves team leaders, managers, executives, board of directors, and stakeholders. Harley Davidson implemented COBIT, an IT governance framework, to better align IT with their business goals and manage risks while maintaining their unique culture. This helped standardize processes and provide a common language for management, IT, and auditors.
The document discusses establishing key IT governance processes for small and medium businesses. It covers establishing a CIO view of IT governance and the need for governance. Frameworks for IT governance like COBIT, ITIL, COSO and CMMI are reviewed. The evolution of IT governance processes and how they can become more embedded is examined. Specific IT governance workflows, tools and benefits at different maturity levels are outlined. Case studies of implementing governance at large retailers are also provided.
1. Steve Beaton, CIA, CISA, CFSA, MsMIT, USAA VP IA
Robert Koehler, CGEIT, PgMP, PMP, MsPM, PwC Director
2. Slide 2
TOPIC
We will explore the essential elements for preparing an
assurance framework for IT Governance that integrates
leading industry standards and practices ensuring the
governing objectives for assessing strategy, financial
performance, and effective delivery of technology.
3. Slide 3
KEY BENEFITS TO THE AUDIENCE
• We will highlight the leading IT Governance standards, drawing
comparison between their similarities and differences.
• We will highlight the business areas not adequately addressed
by IT Governance standards.
• We will recommend internal controls that pertain to aligning the
relationships between the business and IT, including
organizational structures for the evaluation and direction of IT.
• We will recommend internal controls that pertain to the
effectiveness of deriving value from IT, including financial
performance and the planning for benefits realization.
• We will recommend internal controls that pertain to the
effectiveness of IT risk and compliance management, including
what can be done to ensure sufficient IT risk information is
factored into investment decision making.
4. Slide 4
CURRENT STATE OF IT GOVERNANCE
We will highlight the leading IT Governance standards, drawing
comparison between their similarities and differences.
• What are leaders saying about it?
• Whose definition is best?
• How is IA’s role perceived?
• Where are the rabbit holes?
5. Slide 5
CURRENT STATE OF IT GOVERNANCE
IN THE NEWS
Oversight split between the Board, Audit Committee, IT/Risk Committees or no one at all.
- PwC, Insights from the Boardroom 2012
Only 30% of directors find IT expertise a “very important” attribute in new directors, and 31% are not seeking this skill set at all.
- PwC’s 2013 Annual Corporate Directors Survey
44-50% of Board members meet with the CIO only once a year or not at all.
- PwC, Insights from the Boardroom 2012
Only 38% of business partners seen as “very engaged” in IT Governance.
- Forrester, The State Of IT Governance Q4 2010
The findings of a number of research projects conducted by the Massachusetts Institute of Technology (MIT) Center for Information Systems Research (CISR) suggest that firms with focused strategies and above-average IT governance capabilities had more than 20 percent higher profits than other firms following the same strategies.
- Peter Weill and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decisions for Superior Results, Harvard Business School Press
Effective IT governance is the single most important predictor of the value an organization generates from IT.
- Peter Weill and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decisions for Superior Results, Harvard Business School Press
6. Slide 6
COMPARING IT GOVERNANCE STANDARDS
WHOSE DEFINITION IS BEST?
• ISACA – The responsibility of executives and the board of directors; consists of
the leadership, organizational structures and processes that ensure that the
enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
• ISO – The system by which the current and future use of IT is directed and
controlled. Corporate governance of IT involves evaluating and directing the use of
IT to support the organization and monitoring this use to achieve plans. It includes
the strategy and policies for using IT within an organization.
• Gartner – The set of processes that ensure the effective and efficient use of IT in
enabling an organization to achieve its goals.
• Forrester – A decision-making framework for IT investments that is designed to
maximize the return of benefits while managing risk to acceptable levels.
• MIT CISR – Specifying the decision rights and accountability framework to
encourage desirable behavior in using IT.
8. Slide 8
COMPARING IT GOVERNANCE STANDARDS
STANDARDS OVERLAPPING, EVEN CONFLICTING
The challenge is choosing right and filling in the gaps as many
standards are overlapping, even conflicting – None complete
Diagram: standards plotted by scope (IT Governance, IT Management, Project Management) and orientation (Process Centric vs. Maturity Centric), with the most relevant standards highlighted.
Standards shown: PMI/PMBOK, ITIL, Val IT 2.0, Risk IT, COBIT 5, SEI CMMI, ISO 38500, TOGAF, ISO 17998, COBIT 4, ISO 27001/2/5, MoV, ISO 31000, MIT CISR, PRINCE2.
9. Slide 9
COMPARING IT GOVERNANCE STANDARDS
RIGHT SPECTRUM FOR COMPARISON
Five dimensions of comparison are used, each having a common focus
on an organization’s ability to drive greater value from IT
Strategic Alignment
• The successful alignment between business and IT
• The comprehension of the impacts of IT on business processes and results
• The clarity of priorities for both IT investments and business management focus
Financial Performance
• The effectiveness of deriving value from IT across the first and second lines of defense
• The comprehension of performance as predictors of strategic decision-making
• The comprehension of factors to measure and regulate the effectiveness of controls for risk and compliance
Risk & Compliance
• The establishment of risk, compliance, security and legal authority
• The alignment of risk and compliance decisions with responsibilities for performance
• The level of process integration across IT governance, risk, and compliance
Grow & Transform
• The level to which IT investments contribute to optimal business value
• The level of collaboration that occurs between business and IT to realize benefits
• The provision of investment management controls across the economic lives of investments
Delivery Management
• The determination of how types of IT-enabled capabilities are chosen as important for success
• The decision-driven actions to set objectives and expectations for the performance of IT
• The position to handle the costs and risk of the service portfolios
10. Slide 10
COMPARING IT GOVERNANCE STANDARDS
MAPPING TO LEADING PRACTICES
Strategic Alignment
• COBIT APO08 Manage Relationships
• COBIT EDM01 Ensure Governance Framework Setting and Maintenance
• COBIT EDM04 Ensure Resource Optimization
• ITIL Strategy – Strategy and Organization
• ITIL Strategy – Demand Management
• IIA GTAG 17 – Auditing IT Governance
• ISO/IEC 38500:2008 – Corporate Governance of Information Technology
Financial Performance
• COBIT MEA01 Monitor, Evaluate and Assess Performance and Conformance
• COBIT EDM05 Ensure Stakeholder Transparency
• COBIT APO06 Manage Budget and Costs
• ITIL Strategy – Financial Management
• ITIL Strategy – Return on Investment
• ISO/IEC 38500:2008 – Corporate Governance of Information Technology
Risk & Compliance
• COBIT EDM03 Ensure Risk Optimization
• COBIT MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
• COBIT DSS05 Manage Security Services
• ISO/IEC 31000 – Risk Management
• ISO/IEC 27000 – Security Techniques
• Multiple industry-based requirements such as: HIPAA, AML, Dodd-Frank, PCI, FISMA, Sarbanes-Oxley and Safe Harbour
Grow & Transform
• COBIT APO04 Manage Innovation
• COBIT APO05 Manage Portfolio
• COBIT EDM02 Ensure Benefits Delivery
• ITIL Strategy – Service Portfolio Management
• Project Management Body of Knowledge (PMBOK)
• Projects in Controlled Environments (PRINCE2)
• Portfolio, Program, and Project Management Maturity Model (P3M3)
Delivery Mgmt.
• ITIL Strategy – Strategy, Tactics, and Operations
• COBIT APO02 Manage Strategy
• COBIT APO03 Manage Enterprise Architecture
• The Open Group Architecture Framework (TOGAF)
• ISO/IEC 20000 – IT Service Management
11. Slide 11
AREAS NOT ADEQUATELY COVERED
We will highlight the business areas not adequately addressed
by IT Governance standards.
• Is IT on the board’s agenda?
• Does corporate strategy influence IT?
• Is the value gap being closed?
• Do the three lines of defense help IT Governance?
• Is IT Governance, Risk and Compliance combined?
• Are business benefits being realized?
12. Slide 12
AREAS NOT ADEQUATELY COVERED
IT ON THE BOARD’S AGENDA
A structured approach for the board’s IT oversight:
• Assessment: Evaluate the company’s current IT situation, while considering
various factors, and conclude how critical IT is to the company’s current and
future success.
• Approach: Agree on the board's IT oversight approach including who is
responsible (the full board, the audit committee, a risk committee, etc.), how
often to discuss IT, and when to talk with the CIO.
• Prioritization: Identify the IT subjects most relevant to the company and focus
oversight efforts on those areas.
• Strategy: "Bake" IT initiatives into the board’s oversight of overall company
strategy based on the importance of IT to the company.
• Risk: Include IT risks as part of the board’s risk management oversight process.
• Monitoring: Adopt a continuous IT oversight process, regularly revisit the
efficacy of that process, and measure results.
13. Slide 13
AREAS NOT ADEQUATELY COVERED
CASCADING CORPORATE STRATEGY
Need to evaluate the IT strategy within the overall strategy
for the business
Diagram: the Business Strategy (3-5 yr plan) and the Digital Business Model cascade into a Business-Driven IT Strategy.
IT Strategy
• Frames how IT & technology enables business capabilities
• Sets expectations for scalability & interoperability
• Provides principles & standards that guide technology decisions
• Prioritizes immediate IT challenges that need resolution
• Identifies synergies across entities
Digital Business Model
• Identifies digital business model capabilities
• Measures effectiveness of digital content, experience, and platform
• Identifies digital source of competitive advantage
Business-Driven IT Strategy
• Develops a target state and future vision that synchronizes IT investments with business needs
• Creates a blueprint for maximizing return on technology investments
• Establishes guiding principles that will drive the technology evolution
Other labels shown: Strategy & business alignment; Organization & skills; Technology & architecture; Management & Governance; Information; Product; Customer Experience; Internal; External
The Digital Business Model describes how content, experience, and platform work together to create a compelling customer value proposition.
The Business Strategy describes and interrelates mission, vision, goals, and strategies with core processes, constituents, and interactions.
14. Slide 14
AREAS NOT ADEQUATELY COVERED
CLOSING THE VALUE GAP
While many companies fail to deliver business value, top performers deliver
the expected value (+15%), on time (+30%) at or below budget (+30%)
Chart: Plan vs. Actual Execution vs. Value Realized ($M)
• 3 Year Plan (Year 1 – Year 3): Value 200, Cost 100, PLAN ROI = 50%
• 4 Year Actual (Extra Year): Value 125, Cost 130 (Over Cost), ACTUAL ROI = -4%
• The Value Gap, IMPACT ($M): -$60M, -$15M, +$30M
EXAMPLE: Time Increase: 30%, Cost Increase: 30%, Value Loss: 30%
Benefits: Only 38% of programs delivered 100% of value
Time: Only 36% of programs are delivered on time
15. Slide 15
AREAS NOT ADEQUATELY COVERED
THREE LINES OF DEFENSE
Clear delineation between line controls, second-level monitoring
controls and third-line independent assurance for the effective
governance of information technology
Diagram: Board of Directors / Audit Committee and Business and IT Senior Management above the three lines, with the Regulator and External Audit outside them.
1st Line of Defense: Internal Control Measures, IT Governance Mechanisms
2nd Line of Defense: Financial Controls, Risk Management, Compliance, Portfolio Performance, Program Governance, Security
3rd Line of Defense: Internal Audit, Project Assurance
16. Slide 16
AREAS NOT ADEQUATELY COVERED
IT GRC INTEGRATION
IT Governance, risk management and compliance managed in
an integrated manner
Diagram: governance bodies (Audit Committees, IT Governance Committee, IT Steering Committee, IT Compliance Committee, Enterprise & IT Risk Committees, PMO / Portfolio Management) linked through an Evaluate – Direct – Monitor – Report cycle across three columns:
IT governance: Evaluate, Direct, Monitor, Report
Risk Management: Objective Setting, Risk Assessment, Event Identification, Risk Response, Control Activities, Information & Communication, Monitoring
Compliance: Requirement Analysis, Deviation Analysis, Deficiency Management, Reporting / Documentation
17. Slide 17
AREAS NOT ADEQUATELY COVERED
BENEFITS REALIZATION
The benefits expected from IT are unlikely to emerge automatically.
Any benefits sought must be identified along with the changes in
ways of working to bring about and sustain each of the benefits.
Means to Achieve Changes – Evaluate overall vision for the new digital solution
Ways to Achieve Changes – Evaluate the new ways of doing business and the benefits this will deliver
Results of Changes – Evaluate how fostering and realizing business benefits will come through structured change
Benefits Identification → Business Case → Benefits Planning → Project Delivery → User Adoption → Value Creation → Benefits Extension → Benefits Fulfillment
18. Slide 18
BUILDING INTERNAL CONTROL FRAMEWORK
We will recommend internal controls.
• Where should we focus our attention?
• What IT-related domains should be controlled?
• What controls should comprise each domain?
19. Slide 19
BUILDING INTERNAL CONTROL FRAMEWORK
EXECUTIVE AGREEMENT ON ROLE OF IT
Align with management’s active design of IT Governance around
the business’ objectives and performance goals.
Diagram: IT Governance – Executive Agreement on the Role of IT, surrounded by six segments:
Corporate Governance: Strategic Aims, Stewardship, IT Reliance, Firm Performance, Economic Life & Reward
Performance Mgmt: Financial Objectives, Customer Needs, Process Improvements, Organizational Learning
Resource Management: Service Levels, Resource Profiles, Workforce Planning, Learning & Development
Risk Management: Risk Transparency, Risk Delegation, Risk Control, Operational Risk
Strategic Alignment: Strategic Importance, Environmental Context, Financial Planning, IT Capabilities, IT Resources
IT Compliance: Regulatory Compliance, Internal Controls, IT Security, Compliance Policies
20. Slide 20
BUILDING INTERNAL CONTROL FRAMEWORK
TOP-DOWN BOTTOM-UP PROCESS
Proper integration of management and support functions must be
considered when creating the assessment framework
Diagram: four layers – Corporate Governance, IT Governance, Project Portfolio Management, IT Services – linked by Top-Down (Evaluation & Direction) flows and Bottom-Up (Monitoring & Reporting) flows.
Flows shown between the layers: IT Strategy, Vision, and Action Plans; Project Work and Resource Authorizations; Change Requirements and Risk Mitigates; Investment Management; Service Levels and Finished Products; Professional and Operational Services; Performance Measurements; Corporate Risk Management; Program Health Updates; Benefits Realization; Time-Sensitive Growth / Recovery Strategies
21. Slide 21
BUILDING INTERNAL CONTROL FRAMEWORK
HOLISTIC VIEW
Encompassing these arrangements to create a holistic view of the
governance, management, and use of IT
Diagram: arrangements grouped by dimension
Strategic Alignment: Business Strategy, Organization Structures, Digital Business Models
Financial Performance: IT Asset Portfolios, Performance and Change Metrics, IT Service Valuation
Risk & Compliance: IT Risk Management, IT Compliance, Security Governance
Grow & Transform: IT Long-term Strategy, Portfolio & Project Delivery, Benefits Realization
Service Management: IT Service Strategy, Operations, Architecture
Delivery Management
22. Slide 22
BUILDING INTERNAL CONTROL FRAMEWORK
STRATEGIC ALIGNMENT
Business Strategy / Digital Business Models / Organization Structures
• Clear alignment is visible
between Corporate and IT
Strategy.
• Business strategy changes
are understood, documented
and approved with their
impact on IT communicated.
• Good relationships and
communication channels
exist between the business
and IT.
• Business stakeholders are
aware of technology-
enabled opportunities.
• Business plans, operating
models and requirements
are understood, documented
and approved with their
impact on IT communicated.
• Impacts of expected future
demand are understood and
built into IT planning.
• Strategic decision-making
model for IT is effective and
aligned with the
organization’s internal and
external environment and
stakeholder requirements.
• The governance system &
bodies for IT are
implemented and operating
effectively.
• Organizational structures
are aligned with strategic
value drivers.
• The resource needs of the
organization are met with
the right capabilities.
• Resources are allocated to
best meet the overall
business priorities within
budget constraints.
• Optimal use of resources is
achieved throughout their
full economic life cycles.
23. Slide 23
BUILDING INTERNAL CONTROL FRAMEWORK
FINANCIAL PERFORMANCE
IT Service Valuation / IT Asset Portfolio / Performance & Change Metrics
• Processes are measured
against agreed-on goals
and metrics.
• Goals and metrics are
approved by the
stakeholders.
• Owners are assigned and
held accountable.
• Investment decisions are
linked to value that can be
tracked.
• An appropriate investment
mix is defined and aligned
with business strategy.
• Program business cases
are evaluated and
prioritized before funds are
allocated.
• Sources of investment
funding are identified and
available.
• Current accounting
evaluation process for
justifying an IT investment is
sufficient for managing
investment risk.
• Returns are measured
across the economic life of
the investment.
• Performance measures
include profitability,
productivity and
effectiveness.
• Goals and metrics are
integrated within the
organization’s monitoring
systems.
• Process reporting on
performance and
conformance is useful and
timely.
24. Slide 24
BUILDING INTERNAL CONTROL FRAMEWORK
RISK & COMPLIANCE
IT Risk Management / IT Compliance / Security Governance
• Risk appetite is defined at
the organizational level and
cascaded to IT.
• Risk thresholds are defined
and communicated while
key IT-related risks are
known.
• The organization is
managing critical IT-related
risk to the business
effectively and efficiently.
• IT-related risk does not
exceed risk appetite and the
impact of IT risk to business
value is identified and
managed.
• All compliance obligations
are identified.
• Compliance obligations are
adequately addressed.
• The organization seeks to
proactively manage
compliance obligations
through the use of
technology.
• Network and
communications security
meet business needs.
• Information processed on,
stored on and transmitted by
endpoint devices is
protected.
• All users are uniquely
identifiable and have access
rights in accordance with
their business role.
• Physical measures have
been implemented to protect
information from
unauthorized access,
damage and interference
when being processed,
stored or transmitted.
• Electronic information is
properly secured when
stored, transmitted or
destroyed.
25. Slide 25
BUILDING INTERNAL CONTROL FRAMEWORK
GROW & TRANSFORM
IT Long-term Strategy / Portfolio & Project Delivery / Benefits Realization
• Business value is created
through the qualification and
staging of the most
appropriate advances and
innovations in technology, IT
methods and solutions.
• Business objectives are met
with improved quality
benefits and/or reduced cost
as a result of the
identification and
implementation of innovative
solutions.
• Innovation is promoted and
enabled and forms part of
the business culture.
• As solutions are developed
the business case is
updated to reflect any
changes.
• A comprehensive and
accurate view of the
investment portfolio(s)
performance exists.
• Investment program
changes are reflected in the
relevant IT service, asset
and resource portfolios.
• Robust project and program
management practices.
• Transparency into project
and program progress.
• The business is securing
optimal value from its
portfolio of approved IT-
enabled initiatives, services
and assets.
• Optimal value is derived
from IT investment through
effective value management
practices in the business.
• Individual IT-enabled
investments contribute
optimal value.
• Benefits have been realized
due to benefits
management.
26. Slide 26
BUILDING INTERNAL CONTROL FRAMEWORK
SERVICE MANAGEMENT
IT Service Strategy / IT Operations / IT Architecture
• All aspects of the service
strategy are aligned with the
broader corporate strategy.
• The IT strategy is cost-
effective, appropriate,
realistic, achievable,
business-focused and
balanced.
• Clear and concrete short-
term goals can be derived
from, and traced back to,
specific long-term initiatives,
and can then be translated
into operational plans.
• IT is a value driver for the
business.
• There is awareness of the
service strategy and a clear
assignment of accountability
for delivery.
• Achieve effectiveness and
efficiency in the delivery and
support of services.
• Strategic objectives are
ultimately realized through
service operations.
• Stability in service
operations is maintained,
allowing for changes in
design, scale, scope, and
service levels.
• The architecture and
standards are effective in
supporting the business.
• A portfolio of business
architecture services
supports agile business
change.
• Appropriate and up-to-date
domain and/or federated
architectures exist that
provide reliable architecture
information.
• A common business
architecture framework and
methodology as well as an
integrated architecture
repository are used to
enable re-use efficiencies
across the business.
27. Slide 27
EXECUTING THE AUDIT
• Is your audit approach risk-based?
• What is the workflow for the audit?
• How should risks be classified?
• Who should participate in the audit?
• What information should be requested?
28. Slide 28
EXECUTING THE AUDIT
AUDIT APPROACH
Take a consultative approach to assuring IT Governance.
Assess – Assess your capability and maturity with a wide range of industry standards and best practice frameworks
• Alignment
• Value
• Risk
• Resource
• Performance
Evaluate – Measure your performance in order to establish your current baseline
• Evaluate execution management
• Organizational structures
• Governing processes
• Relational mechanisms
• Maturity models
Benchmark – Compare your direction with that of your peers using extensive global benchmarking data
• IT strategies
• Digital business designs
• IT investment areas and levels
Recommend – Provide practical recommendations for your consideration and selection for making improvements
• Decision rights & accountability
• Process maturity
• Performance ratios
• Priorities
29. Slide 29
EXECUTING THE AUDIT
AUDIT APPROACH, CONTINUED
Step 1 – Assess
Conduct an assessment through
executive and senior
management and business leader
interviews, roundtables, and
surveys and examine
documentation to compare IT
practices against the framework
in the areas of alignment, value,
risk, resource, and performance.
Analyse critical IT practices and
prioritize risk to communicate the
risk exposure based on stated
objectives.
The key to assuring IT is to
understand the culture and
priorities in both the business and
IT; this will ensure that IT is
aligned with the overall business
strategy, and that the IT strategy
drives controls, policies, budgets,
risk tolerance, and service levels.
Step 2 – Evaluate/Compare
Leverage the results of Step 1 to
evaluate and define the current
condition of IT practice indicators
that will be used to assess
achievement of the expectations
expressed in the IT Governance
framework.
Continue this evaluation by comparing your direction with that of your peers using extensive global benchmarking data. [Optional]
Step 3 – Recommend
Through the analysis of strengths
and weaknesses, the prior steps
provide the information to prepare
practical recommendations and
actions to improve the outcomes
and performance of enterprise IT.
Throughout the assessment,
provide improvement
recommendations based on the
evaluation documentation and
discussions with executive and
senior management. At any time
you identify an item that requires
immediate attention by
management, communicate such
item.
30. Slide 30
EXECUTING THE AUDIT
AUDIT WORKFLOW
Tasks / Milestones Duration
Project Start-up / Finalize Statement of Work Week 1 – Week 2
1. Kick-off Meeting
2. Begin Scheduling Interviews
3. Publish Initial Information Request
4. Establish Goals, Objectives, and Drivers for Assessment
5. Determine Comparison Baselines from Past IT Audits / Changes
6. Propose Custom Framework for Assessment
7. Obtain Approval for Proposal, Timeline, and Initial Resources
8. Establish Assessment Infrastructure to Coordinate Activities
9. Publish Goals and Guiding Principles of Assessment
10. Update Interview Calendar
11. Launch Assessment
31. Slide 31
EXECUTING THE AUDIT
AUDIT WORKFLOW, CONTINUED
Tasks / Milestones Duration
Perform Assessment Week 3 – Week 4
1. Finalize Categories / Process Areas for Custom Framework
2. Build Custom Framework
3. Publish Updated Information Request
4. Conduct Assessment and Characterize Current Practice
5. Develop Audit Themes and Begin Socializing with Senior Management
6. Develop Recommendations and Document Results
7. Identify Improvement Strategy and Priorities
Prepare / Deliver Draft Report Week 5 – Week 5
Prepare / Deliver Final Report Week 6 – Week 6
Plan Improvement (Optional) Week 7 – Week 8
1. Understand Short-/Long-Term Planned Improvement Efforts
2. Identify Roles/Responsibilities of Improvement/Audit Programs
3. Reconcile Existing/Planned Improvements with the Assessment Baseline
4. Prepare Performance Measurement Plan
5. Create Strategic Improvement Program
32. Slide 32
EXECUTING THE AUDIT
CLASSIFY IT RISK
Factor IT Risk within the ERM process to help ensure IT decision-
makers know how much IT Risk is acceptable.
Chart: the fifteen IT risk areas below plotted by Significance (vertical axis) and Likelihood (horizontal axis).
1. Enterprise IT Strategy
2. Digital Business Designs
3. Organizational Structures
4. Enterprise Architecture
5. IT Service Valuation
6. IT Investment Portfolios
7. IT Performance
8. IT Risk Management
9. IT Compliance
10. Security Governance
11. Service Strategy
12. Project Delivery
13. Benefits Realization
14. IT Operations
15. Price Performance
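The slide plots the fifteen areas above on a Significance-by-Likelihood heat map so that decision-makers can see which ones sit beyond the level of IT risk the enterprise has accepted. The following Python is an added example, not code from the presentation or the speakers: it scores each area, bands the cells of the map, ranks the areas and flags those above a risk-appetite threshold. The 1 to 5 scales, the rating bands, the appetite value of 12 and every significance/likelihood score given to the fifteen areas are constructed assumptions for illustration only.

```python
"""Risk heat map for the fifteen IT governance areas on the slide.

Added example; scales, bands, appetite threshold and all area scores are
assumptions constructed for illustration, not values from the presentation.
"""
from collections import defaultdict
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 1..5 qualitative scale on both axes


def score_within_scale(value) -> bool:
    """True when a significance or likelihood value lies on the assumed scale."""
    return isinstance(value, int) and SCALE_MIN <= value <= SCALE_MAX


@dataclass(frozen=True)
class RiskArea:
    number: int            # the area's number on the slide
    name: str
    significance: int      # impact if the risk materialises: 1 negligible .. 5 severe
    likelihood: int        # chance it materialises in the planning horizon: 1 rare .. 5 almost certain

    def __post_init__(self):
        # Reject scores off the scale so a typo cannot silently drop an area off the map.
        for label, value in (("significance", self.significance), ("likelihood", self.likelihood)):
            if not score_within_scale(value):
                raise ValueError(
                    f"{label} for area {self.number} must be {SCALE_MIN}..{SCALE_MAX}, got {value!r}"
                )

    @property
    def score(self) -> int:
        return self.significance * self.likelihood


def risk_rating(significance: int, likelihood: int) -> str:
    """Band one cell of the heat map (bands are assumed, not taken from the slide)."""
    score = significance * likelihood
    if score <= 5:
        return "low"
    if score <= 12:
        return "moderate"
    return "high"


def rank_areas(areas):
    """Highest exposure first; ties broken by significance, then by slide number."""
    return sorted(areas, key=lambda a: (-a.score, -a.significance, a.number))


def exceeding_appetite(areas, appetite: int):
    """Areas whose score is above the level decision-makers have accepted, worst first."""
    return [a for a in rank_areas(areas) if a.score > appetite]


def build_heat_map(areas):
    """Map each (significance, likelihood) cell to the area numbers plotted in it."""
    cells = defaultdict(list)
    for a in sorted(areas, key=lambda a: a.number):
        cells[(a.significance, a.likelihood)].append(a.number)
    return dict(cells)


# Constructed scores for the fifteen areas named on the slide (illustrative only).
SAMPLE_AREAS = [
    RiskArea(1, "Enterprise IT Strategy", 5, 2),
    RiskArea(2, "Digital Business Designs", 4, 3),
    RiskArea(3, "Organizational Structures", 3, 2),
    RiskArea(4, "Enterprise Architecture", 4, 2),
    RiskArea(5, "IT Service Valuation", 2, 3),
    RiskArea(6, "IT Investment Portfolios", 4, 3),
    RiskArea(7, "IT Performance", 3, 3),
    RiskArea(8, "IT Risk Management", 5, 3),
    RiskArea(9, "IT Compliance", 4, 2),
    RiskArea(10, "Security Governance", 5, 4),
    RiskArea(11, "Service Strategy", 2, 2),
    RiskArea(12, "Project Delivery", 3, 4),
    RiskArea(13, "Benefits Realization", 3, 4),
    RiskArea(14, "IT Operations", 4, 4),
    RiskArea(15, "Price Performance", 2, 4),
]

RISK_APPETITE = 12  # assumed: any score above this needs an explicit treatment decision


def report(areas=SAMPLE_AREAS, appetite=RISK_APPETITE):
    """One line per area, ranked, with the appetite breach flagged for the ERM discussion."""
    lines = []
    for a in rank_areas(areas):
        flag = "EXCEEDS APPETITE" if a.score > appetite else ""
        rating = risk_rating(a.significance, a.likelihood)
        lines.append(
            f"{a.number:>2}. {a.name:<26} S={a.significance} L={a.likelihood} "
            f"score={a.score:>2} {rating:<8} {flag}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With the constructed scores, Security Governance, IT Operations and IT Risk Management exceed the assumed appetite and would be the areas the audit themes are socialized around first; the heat-map cells let the auditor reproduce the slide's plot from the register rather than maintain it by hand.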
33. Slide 33
EXECUTING THE AUDIT
IDENTIFYING PARTICIPANTS
Technology
• Heads of IT Operations
• Heads of IT Development
• Chief Technology Officer
• Chief Architect
• Chief Information Officer
• Chief Information Security Officer
• Heads of IT PMOs
Business
• Chief Risk Officer
• Business Leaders
• Chief Financial Officer
• IT Spokesperson on the Board
• Heads of Enterprise PMO
Survey
• Frontline and Middle Management
The audit involves executives, senior management, and business leader interviews and possibly surveying frontline and business management.
34. Slide 34
EXECUTING THE AUDIT
INFORMATION REQUESTS
The following information should be requested to understand IT Governance practices:
• IT strategy documentation
• IT scorecards
• IT policies
• IT financial management documentation, including: financing and budgeting, asset management, contract management, and resource plans
• Service level agreements (SLAs)
• Any utilized governance or maturity frameworks and models
• IT compliance and training requirements
• Governance processes documentation
36. Slide 36
YOUR SPEAKERS
Steve Beaton
Vice President
Bank Audit Services
Robert Koehler
Director
Risk Assurance Services
Steve is Vice President of Bank Audit Services at USAA, where he leads audit coverage of bank operations. Previously he led IT/Security Audit Services, supporting the full range of engagements specific to IT/Security. Prior to joining USAA, Steve was Vice President of IT Audit at Freddie Mac.
Steve is a seasoned internal audit and risk management executive with diverse leadership experience within financial services including TD BankNorth, Fifth Third Bank, Sunlife Financial, and Bank of Ireland.
Steve holds a bachelor of business administration from Merrimack College in Massachusetts and a master's degree in management of information technology from the McIntire School of Commerce at the University of Virginia. He is a Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA) and Certified Financial Services Auditor (CFSA).
Robert is a Director at PwC. Over the last 30 years, as a consulting executive and provider, he has purchased, sold, managed, and delivered extensive global IT consulting services involving Oracle, SAP, and Microsoft enterprise software suites. He has led numerous global business transformations, and the PMOs, IT asset portfolios, and project management practices of leading firms. His specialties are in assuming responsibility for and leading client services in need of performance gains, improved client relations, and growth across numerous industries and the Government.
Robert has earned an M.S. in Management, Project Management Specialty from Boston University and a B.S. in Administration and Management from La Roche College. He holds the professional certifications of Program Management Professional (PgMP), Project Management Professional (PMP), and Certified in the Governance of Enterprise IT (CGEIT).
steven.beaton@usaa.com
(210) 249-1309
robert.j.koehler@us.pwc.com
(505) 417-7689