International Standards Provide Guidance For IT Governance

by John W. Lainhart IV, Partner, PricewaterhouseCoopers

He is also chairman of the ISACA (Information Systems Audit and Control Association) IT Governance Task Force and past ISACA/F International President.

May 2001

Businesses today rely on information technology (IT) as an integral part of their overall enterprise strategy. As the logical next step, a new field of thought called IT governance has been under development for several years.

Just as business management is governed by generally accepted good practices, IT should be governed by practices that help ensure an enterprise's IT resources are used responsibly, its risks are managed appropriately and its information and related technology support business objectives.

No business, it seems, is immune to some form of IT attack, fraud or bad planning, whether from malicious external hackers, inexperienced managers or from dissatisfied employees. For example, the U.S. State Department recently confirmed that one of its confidential Web sites was hacked, causing the shutdown of several internal Internet servers. In other news stories, many leading-edge companies reported disastrous delays and cost overruns from uncontrolled IT projects with unspecified budgets and poorly defined objectives. Business managers must step in and provide high-level thought and guidance for IT projects.

IT Governance Supports Good Business

IT governance is the process by which an enterprise's IT is directed and controlled. Effective IT governance helps ensure that IT supports business goals, maximizes business investment in IT and appropriately manages IT-related risks. IT governance also helps ensure achievement of critical success factors by efficiently and effectively deploying secure, reliable information and applied technology.

Within the last decade, IT has changed how nearly every business executive does his or her job. Currently, IT governance includes such elements as:


  • Capital Resources (information systems, technology and communication)

  • Strategies and Regulations (business, legal and other issues)

  • Human Resources (all concerned stakeholders, including directors, senior management, process owners, IT suppliers, users and auditors).


To succeed in this fluid environment, organizations must integrate their IT with business strategies to attain their business objectives, get the most value out of their information and capitalize on the technologies available to them.

Historically, senior managers have not had a solid grasp on IT issues and have not been as deeply involved in IT issues as they were in financial, strategic and other business decisions. IT governance provides the tools to enable them to be more effective in the IT arena of the business. Simply put, good governance -- enterprise and IT -- is good business.

Relationship Between Enterprise and IT Governance
Enterprise governance, the system by which companies are directed and controlled, drives and sets IT governance. At the same time, IT should provide critical input to, and form an important component of, strategic planning for enterprise governance. In many cases, IT influences the strategic opportunities and benefits identified by the enterprise.

Whether for sales, operations, human resources, legal or manufacturing, enterprise activities require data and IT services to meet business objectives. IT must be aligned with and enable enterprises to take full advantage of reliable, accurate and usable information. By so doing, businesses maximize benefits, capitalize on opportunities and gain a competitive advantage.

IT governance functions in much the same way as enterprise governance, although in a more focused arena. Like the enterprise itself, IT is governed by good (or best) practices to ensure that IT resources are used responsibly, risks are managed appropriately and information and related technology support business objectives.

Opportunities and Threats
Opportunities continue to arise to support better stewardship for businesses. Enterprise stakeholders want assurance that executives running the enterprise on a day-to-day basis are taking all possible steps to protect the business and make the best use of its assets. Organizations demonstrating that assurance -- and an IT governance program is one way of doing so -- can reap the rewards of stakeholder support.

E-commerce, for example, is a growing business opportunity for many organizations. When exploring e-commerce options, though, enterprises must implement and clearly exhibit effective control of IT and information for trading partners and customers. Without the trust of partners and customers, companies do not have a chance of succeeding in the e-commerce arena. IT governance enables businesses to inspire that trust, through clearly demonstrated control over the IT function.

Business threats are just as numerous as business opportunities. Perhaps the most rampant are increased security threats and vulnerabilities, through information warfare and cyberthreats. Rarely a day goes by that evidence of hacking or illicit data manipulation isn't trumpeted in the press.

IT Governance Program
With opportunities knocking and threats looming, it is more crucial than ever for an enterprise to implement a sound IT governance program.

To help organizations worldwide, the IT Governance Institute, along with the Information Systems Audit and Control Foundation (ISACF), has released Control Objectives for Information and Related Technology (COBIT®) 3rd Edition©, an open IT governance standard that helps non-technical managers and executives understand and manage risks associated with information and related IT.

"Information and the technology that supports it are two of the most valuable assets for organizations around the world," said Erik Guldentops, chair of the COBIT steering committee. "Often the success of an organization, whether a venerable financial institution or dot-com start-up, is critically dependent on the effective management of information and IT systems. Organizations must satisfy quality, fiduciary and security requirements of their IT as they do for other assets."

COBIT is a comprehensive framework of control objectives based on 36 international source documents, ensuring a global view and a best practice point of view. Available as a complimentary download from www.isaca.org, COBIT is the result of years of research and cooperation among global IT and business experts and provides an authoritative, international set of generally accepted IT practices for business managers and auditors.

This edition contains a new publication with detailed management guidelines to provide guidance on business risks, control needs and technical issues. The management guidelines help monitor business processes by using critical success factors (CSFs), key goal indicators (KGIs), key performance indicators (KPIs) and maturity models (MMs).

By addressing COBIT's control objectives, business managers can ensure that an adequate control system is provided for their IT environment. They can then focus on high-risk areas and determine cost-effective ways to mitigate those risks.

"We believe by 2002-03, more than 30-40 percent of Global 2000 companies deploying new technologies and entering new markets with e-products and services will have adopted a COBIT-like risk assessment and balanced risk/reward reporting process," said Al Passori, vice president, META Group. "All CIOs should adopt a risk management process model and identify, train and support the needed implementation staff."

IT Governance Implementations
An appropriate IT governance program helps organizations confidently address critical business issues such as e-commerce as well as assure the security, reliability and integrity of their strategic information. Implementing an IT governance program also helps an enterprise protect its investment in IT and ensure appropriate management of information assets, many of which are vital to the survival and growth of the enterprise itself.

Royal Philips Electronics, a global electronics company established in 1891 and headquartered in Amsterdam, The Netherlands, implemented COBIT to help organize and support its IT governance process, improve its IT-related control framework and support internal auditing. With a multinational workforce of more than 225,000 and sales and service in 150 countries, Philips used the COBIT framework on a business management level for two company-wide initiatives. By complementing these two executive-level programs, COBIT achieved strong support from the Philips Supervisory Board.

Specifically, Philips is now using COBIT as part of the company-wide quality improvement program Business Excellence through Speed and Teamwork (BEST). In support of this initiative, the Philips IT Council developed a Process Survey Tool which facilitates the assessment of organizational capabilities and improvement of IT management processes. Using the COBIT maturity models, Philips developed a scoring process that reflects its specific organization and process needs. For IT, scoring results also are used to submit an annual Statement on Business Controls.

Another COBIT implementation took place at SAB Ltd. (South African Breweries Limited), which has more than 34,000 employees working for 70 breweries in 21 countries, as well as substantial hotel and gaming interests in Southern Africa.

After learning about COBIT from the Gartner Group, SAB Ltd. used COBIT to develop an IT and enterprise architecture strategy document. The SAB Ltd. approach fostered partnering opportunities between IS audit and the IT community. The IS audit team implemented value-added components to the reviews, which allowed a more rigorous interpretation of IT risk. Once the business benefits of COBIT were communicated, senior business executives realized the framework could help determine accountability for processes and improve IT governance. By using the framework as the basis for an accountability matrix, SAB Ltd. began achieving a role-based IT organization with defined process measures to ensure customer value.

In addition to Philips Electronics and SAB, the Central Bank of Argentina adopted COBIT as a guideline for minimum IT controls, to be applied in its information technology examinations. The United States Federal Financial Institutions Examination Council (FFIEC) adopted a revised Uniform Rating System for Information Technology (URSIT), which uses COBIT as a guideline for IT controls and is to be implemented in information technology examinations of all banks and data processing service providers. The United States General Accounting Office's Federal Information Systems Control Audit Manual includes COBIT references in every section.

The United States CIO Council, representing senior IT management in the US Federal government, has published the Federal Information Technology Security Assessment Framework. The document was prepared for the Security, Privacy and Critical Infrastructure Committee of the CIO Council by the US National Institute of Standards and Technology (NIST). The Framework provides a method for agency officials to:

  • Determine the current status of their security programs relative to existing policy

  • Where necessary, establish a target for improvement


The Framework does not establish new security requirements. It comprises five levels to guide agency assessment of its security programs and assist in prioritizing efforts for improvement. Coupled with the NIST-prepared self-assessment questionnaire, the Framework provides a vehicle for consistent and effective measurement of the security status for a given asset.

IT Governance Self-Assessment
COBIT provides an additional tool to help companies get started evaluating their own IT governance systems. The IT Governance Self-Assessment checklist (see below) leads management to determine for each of the COBIT processes:

  • How important the process is for their business objectives

  • Whether the process is well performed (the combination of importance and performance provides a strong indicator of risk)

  • Who performs the process and who is accountable for the process (and whether accountability is unequivocal and accepted)

  • Whether the process and its control are formalized, that is, is there a thorough contract for an outsourced activity or a clear set of documented procedures for an internal process

  • Whether the process is audited


Completion of this checklist heightens management's awareness of the combination of risk indicators, degree of formality and clarity of responsibility and accountability. High risk indicators combined with "Don't know" answers relay a strong message of concern.



When areas of high risk are identified, management can concentrate on these, using COBIT's high-level and detailed control objectives and working with their IS auditors, to determine cost-effective means for mitigating these risks. As a result, the enterprise's IT governance is enhanced and true value-added benefits accrue to the entire enterprise.

Future of IT Governance
Demand for effective IT governance will increase as IT continues to support nearly every aspect of business. The strong business reasons for implementing an IT governance program will only grow more important as:

  • Dependence on information and the systems that deliver the information increases

  • Vulnerabilities and a wide spectrum of threats grow

  • Scale and cost of current and future investments in information and information systems increase

  • Technology continues to dramatically change organizations and business practices, create new opportunities and reduce costs


As long as these factors remain in play, there will be a need for effective, efficient and economical governance of enterprise IT systems.

John W. Lainhart IV is a partner with the consulting practice of PricewaterhouseCoopers in Washington, DC, USA. Prior to joining PwC, Mr. Lainhart was Inspector General for the U.S. House of Representatives and was responsible for conducting periodic audits of the financial and administrative functions of the House and joint entities. Mr. Lainhart established the Office of the Inspector General (OIG) and carried out the first House audit, which helped to identify US $20 million in potential savings or cost avoidance. He also provided management advisory services related to various system development life cycle initiatives, including the financial management system, human resources/payroll system, and fixed asset/inventory system.
