AUDIT COMMITTEE FORUM TM

ACF Roundtable: IT Governance – what does it mean to you as an audit committee member

July 2010

The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG


Current State

There have been a number of high-profile instances where processes that govern the integrity of information technology operations (IT governance) are not sufficiently effective to guard companies against serious financial loss.

Companies have damaged their operations and negatively impacted revenue recognition, profit, and reputation by compromising the integrity or availability of their information as a result of problems associated with IT system implementations.

Good corporate governance (and King III) outlines the role that audit committees should play in improving IT governance.

In two recent surveys, 30% of respondents indicated that they were not satisfied with the amount of time that audit committees spend on oversight of IT risk, while only 9-11% were “very satisfied”.


Current State (cont.)

Many organisations are struggling with:

• Poor alignment of IT resources against business goals

• Lack of demonstrable value from IT investments

• Business and / or technology change

• Dissatisfaction with the IT function and the level of service it provides

• The implementation of compliance legislation

• IT projects exceeding time and financial budgets

• IT risks and control responsibilities poorly defined


A definition of IT Governance

IT governance is a set of business processes that impose management and control disciplines on IT activities to help ensure the integrity and protection of IT operations and the achievement of targeted business goals.

It is primarily about achieving three things:

• Getting the most value from IT, including moving towards strategic goals.

• Ensuring that stakeholders and management understand key IT risks and manage them accordingly.

• Establishing the conditions that allow IT management to operate effectively.


The Key Elements of IT Governance

[Diagram: The Key Elements of IT Governance. Elements shown: Board Oversight and Responsibility; IT Strategy and Planning; IT Governance Framework; Governance Structures; IT Investment Analysis; Risk Assessment; Build IT control framework; IT Governance / Performance Tracking and Reporting. Side labels: Business Needs and Expectations; Outcomes.]


THE KING III PERSPECTIVE

[Diagram: the Key Elements of IT Governance diagram repeated, overlaid with the King III IT governance principles listed below.]

Principle 1: Board Responsibility

Principle 2: Performance and Sustainability

Principle 3: IT Governance Framework

Principle 4: IT Investments

Principle 5: Risk Management

Principle 6: Information Security

Principle 7: Governance Structures


QUESTIONS THE AUDIT COMMITTEE SHOULD ASK


IT Strategy and Planning

What is it and why is it important?

• The purpose of IT strategy – the business needs to understand its strategy and document its strategic intent

• Strikes an optimum balance of information technology opportunities and IT business requirements

• Accomplishes organisational goals and objectives

• Critical to aligning business and IT objectives

• Ensures investments are made optimally

• Drives a “common language”

• Sets expectations

• Considers architecture, delivery and governance

Key Questions:

• Who was involved in developing the IT strategy and what was the process followed?

• Have you defined a sourcing strategy?


IT Governance Framework

What is it and why is it important?

• IT governance at its most basic is the process of making decisions about IT

• Good IT governance ensures that IT investments are optimised, aligned with business strategy and delivering value within acceptable risk boundaries, taking into account culture, organisational structure, maturity and strategy

• Articulates the roles of the various management and governance bodies across the business and decision making

• Assigns clearly defined delegation for effective and efficient decision making and performance monitoring

• Encompasses a broad focus on overall IT capability

• Enhances strategic decision making capacity

Key Questions:

• Have roles and responsibilities been assigned across IT?

• Is a policy framework and related policies in place?

• Are we aligned to industry standards, and if so, which ones?


IT Investments

What is it and why is it important?

• Organisations must be able to measure business value and also manage and communicate value delivery in order to answer the questions: 1) Are we doing the right things? and 2) Are we getting the benefits?

• Define the relationship between IT and the business

• Manage the portfolio of IT-enabled business investments

• Maximise the quality of business cases for IT-enabled investments

• Articulate IT investment decision rights to ensure that they deliver the maximum business value at an acceptable level of risk.

Key Questions:

• Do we have a formal project management methodology / processes?

• Do we perform a business case prior to significant spend?

• Do we identify the targeted benefits and track these through the life of the project?


IT Risk Assessment

What is it and why is it important?

• IT risks can range from accidental damage caused by employees with inadequate training to deliberate attempts from outsiders to illegally access data that your business holds

• Helps identify and form the basis for risk mitigation plans

• Risk areas for consideration: Business Focus, Information Assets, Dependence on IT, Dependence on IT internal staff, Dependence on third parties, Reliability of IT systems, Changes to IT, Legislative and regulatory environment

• Recognise the risks associated with using IT in a business environment

Key Questions:

• How often do we perform IT risk assessments?

• Are the necessary resources made available within the business and within the Internal Audit department to conduct IT audits?

• What are the key risks in our IT environment?


IT Control Framework

What is it and why is it important?

• IT controls are specific activities performed by people or systems designed to ensure that business objectives are met

• A subset of an enterprise's internal control which relates to the confidentiality, integrity and availability of data and the overall management of the IT function

• A set of fundamental controls that must be in place to prevent information loss in an organisation

• Control areas for consideration: Management of IT, Continuity of systems (Disaster recovery), Systems development, Change control, Security of information and systems, Physical and logical access controls, Control assurance

Key Questions:

• Have we identified our key IT controls?

• Do we monitor (and benchmark) these on an ongoing basis?


Performance Tracking and Reporting

What is it and why is it important?

• It is critical to measure the outcomes of strategic initiatives

• Keep the focus on ongoing control

• Effectively manage the IT function

• Provide transparent reporting to the business on IT performance

• Performance reporting should focus not only on financial outcomes but also on the operational, marketing, risk and developmental inputs to the business

Key Questions:

• Have we defined KPIs and CSFs for IT?

• Are these monitored, reported, and followed up on?


Summary of key questions

IT Strategy and Planning:

• Who was involved in developing the IT strategy and what was the process followed?

• Have you defined a sourcing strategy?

IT Governance Framework:

• Have roles and responsibilities been assigned across IT?

• Is a policy framework and related policies in place?

• Are we aligned to industry standards, and if so, which ones?

IT Investments:

• Do we perform a business case prior to significant spend?

• Do we identify the targeted benefits and track these through the life of the project?

IT Risk Assessment:

• How often do we perform IT risk assessments?

• What are the key risks in our IT environment?

IT Control Framework:

• Have we identified our key IT controls?

• Do we monitor (and benchmark) these on an ongoing basis?

Performance Tracking and Reporting:

• Have we defined KPIs and CSFs for IT?

• Are these monitored, reported, and followed up on?


King III specific responsibilities

The audit committee should consider IT as it relates to financial reporting and the going concern of the company:

• What are the key systems responsible for the generation and processing of financial reporting data?

• How reliant are we on our systems? (How long could we survive without them?)

• Do we have Disaster Recovery and Business Continuity Plans?

• Have we tested these?

• Is our information security sufficient for the business?

The audit committee should consider the use of technology to improve audit coverage and efficiency:

• Has our (internal or outsourced) Internal Audit function identified key application controls to test?

• Do we test the general controls related to those key applications?

• What internal auditing tools do we utilise (e.g. CAATs, Continuous Auditing)?


Presenter’s contact details:

Cape Town: Patrick Ryan

KPMG

(021) 408 [email protected]

www.kpmg.com

Durban: Eugene Pfister

KPMG

(011) 647 [email protected]

www.kpmg.com

Johannesburg: Frank Rizzo

KPMG

(011) 647 7388

[email protected]

www.kpmg.com


QUESTIONS?