1999 National Accountants Conference
THRIVING IN THE DIGITAL ECONOMY OF A NEW CENTURY
Presented By Tay Un Soo
Senior VP, Bank of Commerce
President of ISACA - Malaysia Chapter
AGENDA
• Introduction - Directions and Challenges
• What is Corporate Governance & how it works
• What is IT Governance & how it works
• Relationship of Corporate and IT Governance
• How IT Governance impacts Enterprise effectiveness
• CobiT: The breakthrough IT Governance tool
• What is IT Audit Governance?
• How to audit IT Governance?
• Conclusion
Introduction: What is Digital Economy?
(Diagram: goods, services, capital, labour and information flowing through cyberspace)
• Digital, Electronic, Intelligence, Information, Knowledge, Technology
• Humans, Organizations, Societies
• Interactive Multimedia Content, Computing, Communication
Changes In Information Technology
NEW ENTERPRISE TRENDS
(Diagram: MISSION, CUSTOMERS, COMPETITION)
• Time to react
• Business process
• Rightsizing
• Control Redesign
• Organization Realignment
• Business risk - Risk Assessment - Assurance
AUDITORS CAPITALISE ON TECHNOLOGY
INFORMATION TECHNOLOGY - OPTIMISE INFORMATION VALUE
SUCCESSFUL ENTERPRISE - BUSINESS STRATEGIES, CULTURES, ETHICS - ATTAIN BUSINESS OBJECTIVES
• NEW AUDIT METHODOLOGIES
• ACCOUNTING FOR VIRTUAL ASSETS
• SECURITY & PRIVACY
• TIMELY, ACCURATE INFORMATION
• BUSINESS CONTINUITY
• TECHNICAL PROFICIENCIES
• CHANGING ROLES
AICPA 1999 TOP 10 TECHNOLOGY PRIORITIES
1. YEAR 2000
2. Internet, Intranets & Extranets
3. Information Security & Control
4. Training & Technology
5. Technology Management
6. Disaster Recovery
7. The Virtual Office
8. Privacy
9. Electronic Money
10. Electronic Evidence
Information-related Assurance Services
• IS RISK ASSESSMENT ASSURANCE - Business Risks, Internal
• ELECTRONIC COMMERCE ASSURANCE
• SYSTEM RELIABILITY ASSURANCE - Systems & Tools
• WEBTRUST ASSURANCE - Websites
DO THE ISSUES CONCERN ME? (CIO)
• Do your enterprise's systems create competitive advantage, or simply keep you in business?
• Does your IT investment make money for your organization or cause it concern?
• What is the economic and strategic value of your enterprise's information?
• How is online and internet delivery of products and services changing global industries?
• Does your management view the internet as a threat or an opportunity?
• How can you help management and Board to effectively manage and govern IT strategy opportunities and threats in the rapidly changing technology?
TOP PRIORITIES OF CHIEF INFORMATION OFFICERS In The Digital Economy
• Business/IT fusion
• Demonstrating the business value of IT
• IT Governance
THE TOP OF THE TOP PRIORITIES
IT and systems must work hand in hand with corporate goals and business practices
- To create competitive advantage
- To ensure the ultimate success of the enterprise.
What Is Corporate Governance?
The process and structure to direct and manage the business and affairs of the company.
OBJECTIVES
• To enhance business prosperity and corporate accountability
• To realize long term stakeholders' value
INFORMATION TECHNOLOGY & CORPORATE OBJECTIVES
(Diagram: EFFECTIVE CORPORATE GOVERNANCE draws on)
• Individual and group expertise and experience
• IT Governance - provides assurance on critical issues
• Monitors and measures performance
CORPORATE GOVERNANCE FRAMEWORK
(Diagram: STAKEHOLDERS, EXTERNAL AUDITORS, REGULATORS, BOARD OF DIRECTORS, AUDIT COMMITTEE)
• COSO Framework of Internal Control - Monitoring
• Guidance on Control - CoCo: 20 criteria of control (PURPOSE, COMMITMENT, CAPABILITY, ACTION, MONITORING & LEARNING)
• COBIT: Information Criteria, Domains, Processes, Activities
How Corporate Governance Works
(Diagram: the enterprise is governed by DIRECT - USING - REPORT, with assurance provided by REPORT)
• Results measured
• Input for constant revision & maintenance of control
• Cycle begins again
What is IT Governance?
IT GOVERNANCE is an inclusive term, which encompasses:
• Information systems, technology & communication
• Business, legal & other issues
• Stakeholders, directors, senior management, process owners, IT suppliers, users, auditors, etc.
Linking business objectives and IT
HOW IT GOVERNANCE WORKS
GOOD/BEST PRACTICES
• IT aligned with business
• IT resources used responsibly
• IT related risks managed appropriately
IT ACTIVITIES
• Plan/organize
• Acquire/implement
• Deliver/support
• Monitor
MANAGE RISKS: Security, Reliability & Compliance
REALISE BENEFITS:
• Increase automation
• Effectiveness
• Decrease costs
• Efficiency
RELATIONSHIP OF CORPORATE & IT GOVERNANCE
STRATEGIC PLAN / STRATEGIC PLANNING
• Maximise benefits
• Capitalizing on opportunities
• Gaining competitive advantage
Require information from business objectives
How does IT governance impact enterprise effectiveness?
• BUSINESS ISSUES - Y2K, ERP, E-commerce
• IT INVESTMENT - Protection
• STRATEGIC INFORMATION - Security, Confidentiality, Integrity
• INFORMATION ASSET - Management for success
COBIT is the breakthrough IT governance tool
COBIT: GOVERNANCE, CONTROL and AUDIT for INFORMATION and RELATED TECHNOLOGY
IT governance tool to help management understand and manage IT risk
THE COBIT FRAMEWORK - Setting The Scene
THE NEED FOR CONTROL IN IT / MANAGEMENT OF IT RISKS
• Dependencies
• Vulnerabilities
• Scale and cost of investment
• Change organizations and business practices, create opportunities and reduce costs
• Management - what to invest for security & control
• Users - assurance
• Auditors - opinion on internal control
THE COBIT FRAMEWORK - Setting The Scene
THE BUSINESS ENVIRONMENT
• COMPETITION
• CHANGE
• COST
MANAGEMENT EXPECTATIONS OF IT
• Re-engineered Processes
• Right-sizing
• Distributed Processing
• Flattened Organization
• Outsourcing
COBIT IS SPECIFICALLY DESIGNED FOR..
MANAGEMENT
• IT investment
• Risk & Control
• Benchmarking
USERS
• Assurance on return on costs, security and control on products and services
AUDITORS
• Minimum controls
• To substantiate opinions to management
COBIT Framework's Principles Summary
BUSINESS REQUIREMENTS - IT PROCESSES - IT RESOURCES
The Framework's Principles
What you get - INFORMATION from BUSINESS PROCESSES, judged by the criteria:
• effectiveness
• efficiency
• confidentiality
• integrity
• availability
• compliance
• reliability
What you need - IT RESOURCES:
• data
• application systems
• technology
• facilities
• people
Do they match?
The Framework's Principles - Match
IT RESOURCES (data, application systems, technology, facilities, people) are managed through the domains PLANNING & ORGANISATION, ACQUISITION & IMPLEMENTATION, DELIVERY & SUPPORT and MONITORING.
The principle applied is that the IT Resources are managed by a set of naturally grouped processes, which need to be controlled in order to ensure that the resources provide the information that the enterprise needs to achieve its objectives.
IT Domains & Processes
Domains: a natural grouping of processes, often matching an organisational domain of responsibility.
Processes: a series of joined activities with natural (control) breaks.
Activities: actions needed to achieve a measurable result. Activities have a life-cycle, whereas tasks are discrete.
The COBIT Cube: Domains, Processes, Activities
The Waterfall Navigation Aid - High Level Control Objectives for Each Process
The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements (34 CONTROL OBJECTIVES), considering Control Practices, supported by AUDIT GUIDELINES.
What Is IT Audit Governance?
It is an encompassing term which includes:
• IT Audit Charter
• IT Audit Plan
• IT Audit Manual
• IT Audit Program
How To Audit IT Governance?
AUDITING GUIDELINE ISSUED BY ISACA: CORPORATE GOVERNANCE ON INFORMATION SYSTEMS
• Audit Charter
• Independence
• Planning
• Performance of Audit Work
• Reporting
Audit Charter
• Scope of work to include corporate governance of information systems and technology
• Reporting line to be used where corporate governance issues are identified
Independence
• Consider organizational status appropriate for the nature of planned audit
• If not, use of independent third party should be considered
Planning
• Fact finding - corporate governance structure
• IS audit objectives - intended audience's needs, level of dissemination intended and national and industry regulations; control framework adopted
• Scope of the audit - relevant processes; IT resources
• Staffing
Performance of Audit Work
• Review of Board activities
• Review of policies and compliance
• Business process owner responsibilities
• Consideration of external factors
Reporting
• To audit committee and Board members
• Contents include
- Statement on directors' responsibility for system of internal control
- Statement on reasonable assurance of system of internal control
- Key procedures established by Board to provide effective internal control
- Non-compliance, major uncontrolled risks
- Poor control structures or controls
- Overall conclusion