Chapter 5
IT in the New World of Corporate Governance Reforms
© 2009 Pearson Education, Inc. Publishing as Prentice Hall
IT Compliance Impacts
Information Technology is impacted by:
SOX
Industry-specific regulations (pharmaceuticals, oil sands)
International regulations
Security and forensics
Privacy laws (Canada, EEC)
Why Do Regulatory Changes Dramatically Impact IT?
Recent regulations impact a greater number of systems.
Systems are more interconnected. (Interpol, Banks, CIA)
Organizations are more dependent on Information Systems. (Banks, IBM e-commerce, Facebook, Amazon & EBay)
Systems are more global and are affected by the laws of many countries. (EEC, US (SOX)) [GAPP]
Sarbanes-Oxley Section 404
Requires an annual evaluation of internal controls and procedures for financial reporting.
Requires that the CEO and CFO personally certify the controls.
Requires that independent auditors test control effectiveness.
Controls must be designed to achieve the stated control objectives using established criteria (an accepted control framework).
Controls and control objectives must be documented.
COBIT (Control Objectives for Information and Related Technology) is one such framework for IT controls.
Impact of Regulation on IT
1. Increasing cost and challenges
  $5.5 billion for SOX compliance, 2004
2. Benefits and opportunities
  SOX is good for IT
Costs and Challenges
Compliance with a regulation such as SOX requires a significant resource investment.
Compliance adds new project costs and lengthens development schedules. (Syncrude, IBM)
CIOs must personally attest to the effectiveness of IT’s internal controls and the quality of information.
Costs and Challenges Continued
Compliance requires that IT staff have adequate training and excellent written communication skills.
Compliance requires the organization adopt a document retention strategy.
Benefits and Opportunities
Compliance provides an opportunity to enhance business processes.
Compliance has enhanced IT's visibility with executives and the board of directors (and may give IT a voice in setting strategic direction).
Compliance has increased the importance of security, quality, data architecture, and change management.
Benefits of IT Internal Controls (Damianides, 2005)
Improved overall IT governance
Enhanced understanding of IT by senior executives
Better business decisions based on more accurate information
Improved IT-business alignment
Reduced risk of system security breaches
Benefits of IT Internal Controls Continued (Damianides, 2005)
Reduced difficulty complying with new regulations
More efficient and effective operations
An integrated approach to security
Enhanced risk management competencies
Overall effective ethical practices
Elements of Effective Compliance in IT
Figure 5.1: Elements of effective compliance in IT (Enabling IT Work; New Systems; Information; Daily Operations)
Elements of Effective Compliance in IT
1. Enabling IT Work
2. New Systems
3. Information
4. Daily Operations
5. Controlling IT Work
Enabling IT Work
Physical and logical access control across the organization (including the access privileges granted to new hires)
Security architecture and the security practices that implement it
Business continuity planning and disaster recovery (9/11, the 2003 blackout)
IT governance (awareness and training are required for compliance)
HR management and training
IT finance (involving IT managers)
New Systems
IT strategic planning, aligned with the business strategy
Risk assessment
Project management
Information
Dissemination of information (how, what, why, and when)
Information architecture
Who has access to data
Document retention
Data administration: how to create, collect, organize, analyze, maintain, and archive data
Daily Operations
Operations and Infrastructure Support
Help Desk
Change management: a Change Control Board (CCB) and a change management database
Controlling IT Work
Testing and Validation
Documentation Management
Quality Assurance
All are elements of quality management.
Everyone is responsible.
Good Practices in Enabling IT Compliance
Organize for compliance
  Reduce cost
  Ensure procedures are followed
  React to new regulation
Use standards and frameworks
Emphasize training and awareness for compliance
Ensure appropriate business resources
  Communicate the business strategy so that the IT strategy can support it
Recommended COBIT Controls (Control Objectives for Information and Related Technology; IT Governance Institute 2000)
Plan and organize (the IT environment)
  IT strategic planning
  Information architecture
  Determine technological direction
  IT organization and relationships
  Manage the IT investment
  Communication of management aims and direction
  Management of human resources
  Compliance with external requirements
  Assessment of risks
  Manage projects
  Manage quality
Acquire and implement (program development and program change)
  Identify automated solutions
  Acquire or develop application software
  Acquire technology infrastructure
  Manage changes
Deliver and support (computer operations and access to programs and data)
  Define and manage service levels
  Manage third-party services
  Manage performance and capacity
  Ensure continuous service
  Ensure systems security
  Identify and allocate costs
  Educate and train users
  Assist and advise customers
  Manage the configuration
  Manage problems and incidents
  Manage data
  Manage facilities
  Manage operations
Monitor and evaluate (the IT environment)
  Monitoring
  Adequacy of internal controls
  Independent assurance
  Internal audit