KPMG On-Screen Enhanced US

Download Report

Transcript KPMG On-Screen Enhanced US 

AUDIT COMMITTEE FORUM
TM
ACF Roundtable
IT Governance – what does it mean to you as an
audit committee member
July 2010
The AUDIT COMMITTEE FORUMTM is proudly sponsored by KPMG
Current State
There have been a number of high-profile instances where
processes that govern the integrity of information technology
operations (IT governance) are not sufficiently effective to guard
companies against serious financial loss.
Companies have damaged their operations and negatively
impacted revenue recognition, profit, and reputation by
compromising the integrity or availability of their information as a
result of problems associated with IT system implementations.
Good Corporate governance (and King III) outline the role that
Audit Committees should play in improving IT Governance.
In two recent surveys, 30% of respondents indicated that they
were not satisfied with the amount of time that audit committees
spend on oversight of IT risk while only 9-11% were “Very
satisfied’’
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
2
Current State (cont.)
Many organisations are struggling with:
• Poor alignment of IT resources against business
goals
• Lack of demonstrative value from IT investments
• Business and / or technology change
• Dissatisfaction with IT function and the level of
service it provides
• The implementation of compliance legislation
• IT projects exceeding time and financial budgets
• IT risks and control responsibilities poorly defined
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
3
A definition of IT Governance
IT governance is a set of business processes that
impose management and control disciplines on IT
activities to help ensure the integrity and protection of
IT operations and the achievement of targeted business
goals.
It is primarily about achieving three things:
• Getting the most value from IT, including moving
towards strategic goals.
• Ensuring that stakeholders and management
understand key IT risks and manage them accordingly.
• Establishing the conditions that allow IT management to
operate effectively.
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
4
Board Oversight and Responsibility
IT Strategy
and Planning
IT Governance
Framework
Risk
Assessment
IT Investment
Analysis
Build IT control
framework
Outcomes
Business Needs and
Expectations
The Key Elements of IT Governance
IT Governance/
Performance
Tracking and
Reporting
Governance Structures
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
5
Principle 1:
Board Responsibility
1
Principle 2:
Performance and Sustainability
Board Oversight and Responsibility
2
2
IT Strategy
and Planning
IT Governance
Framework
3
Risk
Assessment
5
IT Investment
Analysis
4
Build IT control
framework
Outcomes
Business Needs and
Expectations
Principle 2:
Performance and Sustainability
IT Governance/
Performance
Tracking and
Reporting
6
Governance Structures
7
THE KING III PERSPECTIVE
Principle 3:
IT Governance Framework
Principle 5:
Risk Management
Principle 7:
Governance Structures
TM
The AUDIT COMMITTEE FORUM is proudly sponsored by KPMG
Principle 4:
IT Investments
Principle 6:
Information Security
6
QUESTIONS THE
AUDIT COMMITTEE
SHOULD ASK
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
7
IT Strategy and Planning
IT Strategy
and
Planning
What is it and why is it important?
.
•The purpose of IT strategy – the business needs to understand its strategy and document its strategic int
•Strikes an optimum balance of information technology opportunities and IT business requirements
•Accomplishes organisational goals and objectives
•Critical to aligning business and IT objectives
•Ensures investments are made optimally
•Drives a “common language”
•Sets expectations
•Considers architecture, delivery and governance
Key Questions:
•Who was involved in developing the IT strategy and what was the
process followed?
•Have you defined a sourcing strategy?
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
8
IT Governance Framework
IT
Governance
Framework
What is it and why is it important?
•IT governance at its most basic is the process of making decisions about IT
•Good IT governance ensures that IT investments are optimised, aligned with business strategy
and delivering value within acceptable risk boundaries — taking into account culture,
organisational structure, maturity and strategy
•Articulates the roles of the various management and governance bodies across the business
and decision making
•Assigns clearly defined delegation for effective and efficient decision making and performance
monitoring,
•Encompasses a broad focus on overall IT capability
•Enhances strategic decision making capacity
Key Questions:
•Have roles and responsibilities been assigned across IT?
•Is a policy framework and related policies in place?
•Are we aligned to industry standards, and if so, which ones?
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
9
IT Investments
IT
Investments
What is it and why is it important?
•Organisations must be able to measure business value and also manage and communicate
value delivery in order to answer the questions: 1) Are we doing the right things? and 2) are
we getting the benefits?
•Define the relationship between IT and the business
•Manage portfolio of IT-enabled business investments
•Maximise the quality of business cases for IT-enabled investments
•Articulate IT investment decision rights to ensure that they deliver the maximum business
value at an acceptable level of risk.
Key Questions:
•Do we have a formal project management methodology / processes?
•Do we perform a business case prior to significant spend?
•Do we identify the targeted benefits and track these through the life
of the project?
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
10
IT Risk Assessment
Risk
Assessment
What is it and why is it important?
•These can range from accidental damage caused by employees with inadequate training to
deliberate attempts from outsiders to illegally access data that your business holds
•Helps identify and form basis for risk mitigation plans
•Risk areas for consideration - Business Focus, Information Assets, Dependence on IT,
Dependence on IT internal staff, Dependence on third parties, Reliability of IT systems, Changes to
IT, Legislative and regulatory environment
•Recognise the risks associated with using IT in a business environment
Key Questions:
•How often do we perform IT risk assessments?
•Are the necessary resources made available within the business and
within the Internal Audit department to conduct IT Audits?
•What are the key risks in our IT environment?
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
11
IT Control Framework
IT Control
Framework
What is it and why is it important?
IT controls are specific activities performed by people or systems
designed to ensure that business objectives are met
objectives are met
•IT controls are specific activities performed by people or systems designed to ensure that business
•A subset of an enterprise's internal control which relate to the confidentiality, integrity and
availability of data and the overall management of the IT function
•A set of fundamental controls that must be in place to prevent information loss in an organization
•Control areas for consideration - Management of IT, Continuity of systems (Disaster recovery),
Systems development, Change control, Security of information and systems, Physical and logical
access controls, Control assurance
Key Questions:
• Have we identified our key IT controls?
• Do we monitor (and benchmark) these on an ongoing basis?
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
12
Performance Tracking and Reporting
Performance
tracking and
reporting
What is it and why is it important?
•It is critical to measure to outcomes of strategic initiatives
•Keep the focus on ongoing control
•Effectively manage the IT function
•Provide transparent reporting to the business on IT performance
•Performance reporting should focus not only on financial outcomes but also on the operational,
marketing, risk and developmental inputs to the business
Key Questions:
•Have we defined KPI’s and CSF’s for IT?
• Are these monitored, reported, and followed up on?
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
13
Summary of key questions
IT Strategy and Planning:
•Who was involved in developing the IT strategy and what was the process followed?
•Have you defined a sourcing strategy?
IT Governance Framework:
•Have roles and responsibilities been assigned across IT?
•Is a policy framework and related policies in place?
•Are we aligned to industry standards, and if so, which ones?
IT Investments:
•Do we perform a business case prior to significant spend?
•Do we identify the targeted benefits and track these through the life of the project?
IT Risk Assessment
•How often do we perform IT risk assessments?
•What are the key risks in our IT environment?
IT Control Framework
•Have we identified our key IT controls?
•Do we monitor (and benchmark) these on an ongoing basis?
Performance Tracking and Reporting
•Have we defined KPI’s and CSF’s for IT?
• Are these monitored, reported, and followed up on?
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
14
King III specific responsibilities
The audit committee should consider IT as it relates to financial reporting
and the going concern of the company
• What are the key systems responsible for the generation and processing of
financial reporting data?
• How reliant are we on our systems? (how long could we survive without
them?)
• Do we have Disaster Recovery and Business Continuity Plans?
• Have we tested these?
• Is our information security sufficient for the business?
The audit committee should consider the use of technology to improve
audit coverage and efficiency
• Has our (internal or outsourced) Internal Audit function identified key
application controls to test?
• Do we test the general controls related to those key applications?
• What internal auditing tools do we utilise (e.g. CAATs, Continuous Auditing)?
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
15
Presenter’s contact details:
Johannesburg Cape Town
Durban
Frank Rizzo
Patrick Ryan
Eugene Pfister
KPMG
KPMG
KPMG
(011) 647 7388
(021) 408 7374
(011) 647 7918
[email protected]
[email protected]
[email protected]
www.kpmg.com
www.kpmg.com
www.kpmg.com
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
16
QUESTIONS?
The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG
17