IT Governance
IT Governance

All IT organizations need to implement some type of governance and oversight to manage risk in their environment. This isn't just a new fad or revolutionary idea. Oversight of risk has long been a best practice for any company that wants to remain competitive, regardless of size. A controlled environment gives an organization streamlined processes, reusable procedures, better functioning systems, and costs that typically come in under budget. This isn't just something to do in order to meet federal, state or industry regulations.

Governance Organization

One of the first steps in implementing a good governance model is to define your oversight organization. There is no set standard for this; there are many variations of enterprise-wide oversight. For instance, some organizations implement a top-layer organization under the CFO, while others appoint a new officer, the CISO (Chief Information Security Officer), and establish oversight there. Some organizations place oversight in Legal, others place it in the Corporate Controller's office, and still others establish enterprise oversight in Internal Audit.

After working with several large companies, I've come to my own conclusion that an enterprise oversight committee is essential. And to be frank, there are places it should not be. Adding oversight to the Audit department lends a certain air of impropriety: Audit finds the problems, so its sister team can fix the problems, or provide oversight of the fix. In order to provide true Audit independence, these two groups should be in separate organizations.

I love lawyers and have a fascination with the law, but risk management doesn't belong in Legal either. Decisions on approaches or initiatives become bogged down in the perception of litigation instead of the perspective of best practice. I've actually had a corporate attorney tell me, "We don't want procedures for this environment. Writing it down means we're liable to the written document." Yes, that's true, but every well-organized, compliant organization that has implemented best practices will tell you policies and procedures are essential.

Because SOx is focused on financial reporting, the accountability for compliance really sits on the shoulders of the Corporate Controller. The CFO should be seriously concerned with the risks in the organization and how those risks are being reported, tracked and monitored. And that's an excellent place for the corporate oversight organization.

It's important to remember that an enterprise-wide oversight team will need to be diverse and specialized. A Regulatory Analyst for your business side will not be able to effectively oversee compliance on your IT side. Many IT professionals have seen a need and an opportunity for technical knowledge in a compliance body, not only to help identify gaps and risks, but also to help solve them. Within your corporate oversight group, you should consider having two specialized teams: one that is intimately familiar with the business of your company, and one that is staffed with technical professionals who can work with your IT department.

So consider this structure:

Responsibilities Of The Regulatory Oversight Group

The Regulatory Oversight group should be helping to set standards, policies and procedures, providing guidance for strategic direction on both the business and IT sides of the fence, and working with teams to ensure projects are being developed with compliance in mind. Oversight should be helping the organization identify gaps, risks or deficiencies; in fact, they should be doing that before the auditing body arrives to perform its official audit of procedures and processes. They should be managing the remediation process for reported deficiencies. And finally, they should be working with Legal to implement a corporate-wide management attestation process.

Oversight should also provide ongoing oversight of the implemented controls: periodic testing of what has been implemented in these remediation efforts, and periodic testing of existing controls outlined in the Process Narratives. Both are essential to ensuring IT is maintaining a high level of compliance and, just as important, retaining evidence and documentation.

Tone From The Top

No matter how you structure your Oversight organization, it will never succeed if senior management does not back the process. "Tone from the Top" is an extremely important component of the successful implementation of any compliance organization. Without this reiteration of importance from the top through all levels of management down to the lowest-level manager, no organization can succeed in meeting compliance regulations and control governance.

Compliance and oversight are the responsibility of every manager in your organization. The CEO and CFO cannot reliably sign the yearly corporate attestation without the accountability of the organization's managers. If a procedure is put into place to remediate a deficiency, the first-line manager of that procedure is accountable for ensuring its implementation and continued use. The "Tone from the Top" doesn't stop with the email from the CFO. It must become the company motto for all managers, regardless of deadlines or budgets.

Governance Frameworks

IT organizations cannot deliver effective products without adopting a control framework. Frameworks are becoming a part of IT management best practices, and they also provide the foundation for governance and compliance. There are two accepted framework models in use today: COSO (The Committee of Sponsoring Organizations of the Treadway Commission) and COBIT (Control Objectives for Information and related Technology).

In general, COSO is a business framework that works well on the business side of any company. According to COSO, Internal Control is defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

It implements the following Key Concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

But COSO can fall short when providing a framework for IT governance. In 1996, ISACA (Information Systems Audit and Control Association) released a set of control objectives for business applications to address these shortcomings for IT organizations. This was the first edition of COBIT.

In 1998 the next version of the framework was released, which included the implementation tool set and detailed control objectives. COBIT 3.0 was released in 2000 and included management guidelines. 2002 brought the Sarbanes-Oxley law, and COBIT was quickly adopted by IT organizations throughout the United States.

COBIT 4.0, released in 2006, includes guidance for management at all levels, from the board to low-level managers. It consists of the executive overview, the framework, the core content (control objectives, management guidelines and maturity models) and appendices (mappings, cross-references and a glossary). It also maps COBIT to other standards such as ITIL, CMM, COSO, PMBOK, ISF and ISO 17799. And finally, it links business goals, IT goals and IT processes (detailed research in eight industries results in a clearer insight into how COBIT processes support the achievement of specific IT goals and, by extension, business goals).