1. “Issues in IT Governance for Internal Auditors”
By:
Ambrose Ruyooka, PMP®
Ag. Commissioner for Information Technology,
Ministry of Information and Communications Technology (ICT),
Uganda.
14th April 2011, Kampala
ambrose.ruyooka@gmail.com
IIA Uganda National Conference 2011
2. Introduction
[Governance]
The combination of processes and
structures implemented by the board to
inform, direct, manage, and monitor the
activities of the organization toward the
achievement of its objectives.
3. Introduction
Corporate Governance
“Corporate Governance is the system by which
business corporations are directed and
controlled. Specifies the distribution of rights
and responsibilities among different
participants (e.g. Board, management,
shareholders, stakeholders) and spells out the
rules and procedures for making decisions on
corporate affairs.” (OECD)
4. IT Governance introduction
IT Governance
Discipline of corporate Governance
Focus is on IT systems performance and risk
management
IT Governance
“System by which IT within enterprises is directed and
controlled. IT governance structure specifies the distribution of
rights and responsibilities among participants (e.g. Board,
business, IT managers) and spells out the rules and
procedures for making decisions on IT” (ITSMF)
5. IT Governance Defined
IIA International Professional Practices
Framework:
[IT Governance] Consists of the leadership,
organizational structures and processes that
ensure that the enterprise’s information
technology sustains and extends the
organization’s strategies and objectives.
6. IT Governance Defined…
IT Governance Institute (ITGI):
[IT Governance] is the responsibility of the
board of directors and executive management.
It is an integral part of enterprise governance
and consists of the leadership and
organisational structures and processes that
ensure that the organisation’s IT sustains and
extends the organisation’s strategies and
objectives.
7. Definitions ctd..
According to the COBIT 4.1 framework:
IT Governance is the responsibility of executives
and the board of directors, and consists of the
leadership, organizational structures and
processes that ensure that the enterprise’s IT
sustains and extends the organization’s
strategies and objectives.
8. More concepts…
[IT Controls] Controls that support
business management and governance
as well as provide general and technical
controls over information technology
infrastructures such as applications,
information, infrastructure, and people.
9. Motivation for IT Governance
The rising global interest in IT governance is
largely due to compliance initiatives.
The recent Legal, Regulatory advancements
by Government of Uganda:
Enactment of “Cyber Laws” (The Electronic
Transactions law, The Electronic Signatures law
and Computer Misuse law)
Enactment of the National Information Technology
Authority Act
E-Government Policy Framework
10. Motivation for IT Governance
Acknowledging:
Coupling of IT to business performance
Complexity presented by IT investments
Need for mitigation of IT-related risks
That IT projects can easily get out of
control and profoundly affect the
performance of an organization.
11. Development of IT Governance
(Chart: Contribution of IT to Delivery of Business Strategy; IT Informs the Business on New Technologies)
Source – ITGI Survey IT Governance 2009
12. IT Governance Development ctd…
(Chart: Accountable for IT Governance)
Source – ITGI Survey IT Governance 2009
13. IT Governance Dimensions
(Diagram: IT Governance at the centre, surrounded by its five dimensions: Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement)
14. IT Governance Dimensions
What do we do? => Strategic Alignment
Aligning with Business Goals
Providing collaborative solutions
Why do it? => Value Delivery
Optimising IT costs
Proof of value delivered
What could go wrong? => Risk Management
Safeguarding assets
Continuity and compliance
Who, What, How? => Resource Management
Assets, infrastructure, knowledge and partners
Was it done? => Performance Measurement
Metrics, Scorecards and dashboards
15. IT Governance - ISO38500
(Diagram: the Direct, Evaluate and Monitor cycle of Corporate Governance of ICT. Directors' activities take in Business Strategy and the Risk environment, evaluate Proposals, direct Plans and Policies, and monitor Performance of ICT Projects and ICT Operations within the Business process. Original image copyright ISO/IEC 2008)
6 principles of good IT governance
• Conformance
• Human behaviour
• Acquisition
• Performance
• Responsibility
• Strategy
16. Uncovering IT Issues
Failure of IT projects to deliver what they promised
Satisfaction of end users with the quality of the IT service
Availability of sufficient IT resources, infrastructure and
competencies to meet strategic objectives
Overrun of IT operational budgets
The number and frequency of IT projects going over
budget
The amount of IT effort going to firefighting rather than
enabling business improvements
17. Finding Out How Management Addresses the IT Issues
The alignment of enterprise and IT objectives
Measurement of the value delivered by IT
Appropriateness of strategic initiatives taken by executive
management to manage IT and the critical relationship to
maintenance and growth of the enterprise
Clarity of enterprise positioning relative to technology: pioneer,
early adopter, follower or laggard.
Clarity on risk: risk-avoidance or risk-taking
Up-to-date inventory of IT risks relevant to the enterprise
Actions taken to address these risks
18. To Self-assess IT Governance Practices
Regular briefing of the board on IT risks to which the enterprise is
exposed
Regular appearance of IT as an item on the agenda of the board
addressed in a structured manner
Ability of the board to articulate and communicate the business
objectives for IT alignment
Clear view of the board on the major IT investments from a risk
and return perspective
The board obtaining regular progress reports on major IT projects
by
The board getting independent assurance on the achievement of
IT objectives and the containment of IT risks
19. Key IT Governance Stakeholders
Boards: Set direction for IT, monitor results and insist on corrective measures
Executive Management: Defines business requirements for IT and ensures that value is delivered and risks are managed
IT management: Delivers and improves IT services as required by the business
IT audit: Provides independent assurance to demonstrate that IT delivers what is needed
Risk and compliance: Measures compliance with policies and focuses on alerts to new risks
20. Defined Responsibilities for Each Process
Original slide copyright ISACA
RACI Chart (Activities versus Functions). A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed. (The function column headings of the chart are not preserved in this extraction; the letters for each activity are given in the order they appear.)
Link business goals to IT goals: C I A/R I C
Identify critical dependencies and current performance: C C R A/R C C C C C C
Build an IT strategic plan: A C C R I C C C C I C
Build IT tactical plans: C I A C C C C C R I
Analyse programme portfolios and manage project and service portfolios: C I I A R R C R C C I
21. Conclusion
IT is an integral part of the business. IT
governance is an integral part of enterprise
governance.
Need to clearly define IT Governance Roles and
Responsibilities
Development of an IT Governance
Implementation Plan is significant
The Government of Uganda has over the last
decade steadily developed a Policy, Legal and
Regulatory environment to facilitate uptake of
Information Technology Governance.
COBIT also provides information on what processes should be delegated and to whom they should be delegated. This helps to ensure that IT processes are being managed at the appropriate level within an enterprise. The ‘RACI’ Chart is defined for each process and indicates who is responsible, accountable, consulted or should be informed about specific tasks within a given process. The roles in the RACI chart are categorised for all processes as:
• Chief executive officer (CEO)
• Chief financial officer (CFO)
• Business executives
• Chief information officer (CIO)
• Business process owner
• Head operations
• Chief architect
• Head development
• Head IT administration (for large enterprises, the head of functions such as human resources, budgeting and internal control)
• The project management officer (PMO) or function
• Compliance, audit, risk and security (groups with control responsibilities but not operational IT responsibilities)