
IT in the New World of Corporate Governance Reforms

Chapter 5

© 2009 Pearson Education, Inc. Publishing as Prentice Hall

IT Compliance Impacts

Information Technology sits at the centre of several sources of compliance obligation:

SOX

Industry-specific regulations (pharmaceuticals, oil sands)

International regulations (security and forensics)

Privacy laws (Canada, EEC)

Why Do Regulatory Changes Dramatically Impact IT?

Recent regulations impact a greater number of systems.

Systems are more interconnected (e.g. Interpol, banks, CIA).

Organizations are more dependent on information systems (e.g. banks, IBM e-commerce, Facebook, Amazon and eBay).

Systems are more global and are therefore subject to the laws of many countries (EEC, US (SOX)) [GAPP].

Sarbanes-Oxley Section 404

Requires an annual evaluation of internal controls and procedures for financial reporting.

Requires the CEO and CFO to personally certify the controls.

Requires independent auditors to test and attest to control effectiveness.

Controls must be designed to achieve control objectives using established criteria.

Controls and control objectives must be documented.

COBIT (Control Objectives for Information and related Technology) is one such set of established criteria.

Impact of Regulation on IT

1. Increasing costs and challenges (an estimated $5.5 billion spent on SOX in 2004)

2. Benefits and opportunities (SOX is good for IT)

Costs and Challenges

Compliance with a regulation such as SOX requires a significant resource investment.

Compliance adds new project costs and lengthens development schedules (e.g. Syncrude, IBM).

CIOs are expected to personally attest to the effectiveness of IT's internal controls and to the quality of the information those systems produce, in support of the CEO and CFO certification.

Costs and Challenges Continued

Compliance requires that IT staff have adequate training and excellent written communication skills.

Compliance requires the organization adopt a document retention strategy.


Benefits and Opportunities

Compliance provides an opportunity to enhance business processes.

Compliance has raised IT's visibility with executives and the board of directors, which may give IT a voice in strategic direction.

Compliance has increased the importance of security, quality, data architecture, and change management.

Benefits of IT Internal Controls (Damianides, 2005)

Improved overall IT governance

Enhanced understanding of IT by senior executives

Better business decisions based on more accurate information

Improved IT-business alignment

Reduced risk of system security breaches

Benefits of IT Internal Controls Continued (Damianides, 2005)

Reduced difficulty complying with new regulations

More efficient and effective operations

An integrated approach to security

Enhanced risk management competencies

Overall effective ethical practices


Elements of Effective Compliance in IT

Figure 5.1 Elements of effective compliance in IT: New Systems, Information and Daily Operations, surrounded by Enabling IT Work and Controlling IT Work.

1. Enabling IT Work

2. New Systems

3. Information

4. Daily Operations

5. Controlling IT Work

Enabling IT Work

Physical and virtual access (including access across corporate boundaries and the access privileges granted to new hires)

Security architecture, and the practices needed to implement it

Business continuity planning and disaster recovery (e.g. 9/11, the 2003 blackout)

IT governance (awareness and training are required for compliance)

HR management and training

IT finance (involving IT managers)

New Systems

IT strategic planning, aligned with business strategy

Risk assessment

Project management

Information

Dissemination of information (how, what, why, when)

Information architecture

Who has access to data

Document retention

Data administration: how to create, collect, organize, analyze, maintain and archive data

Daily Operations

Operations and infrastructure support

Help desk

Change management: Change Control Board (CCB) and a change management database

Controlling IT Work

Testing and validation

Documentation management

Quality assurance

All are elements of quality management, and everyone is responsible.

Good Practices in Enabling IT Compliance

Organize for compliance: reduce cost, ensure procedures are followed, and react to new regulation.

Use standards and frameworks.

Emphasize training and awareness for compliance.

Ensure appropriate business resources: business strategy must be communicated so that IT strategy can support it.

Recommended COBIT Controls: Control Objectives for Information and related Technology (IT Governance Institute, 2000)

Plan and organize (IT environment):

IT strategic planning

Information architecture

Determine technological direction

IT organization and relationships

Manage the IT investment

Communication of management aims and direction

Management of human resources

Compliance with external requirements

Assessment of risks

Manage projects

Manage quality

Acquire and implement (program development and program change):

Identify automated solutions

Acquire or develop application software

Acquire technology infrastructure

Manage changes

Deliver and support (computer operations and access to programs and data):

Define and manage service levels

Manage third-party services

Manage performance and capacity

Ensure continuous service

Ensure systems security

Identify and allocate costs

Educate and train users

Assist and advise customers

Manage the configuration

Manage problems and incidents

Manage data

Manage facilities

Manage operations

Monitor and evaluate (IT environment):

Monitoring

Adequacy of internal controls

Independent assurance

Internal audit

Conclusion

New laws and regulations have had a significant impact on IT.

IT managers are struggling to implement new controls to support these regulations.

IT in the future will be controlled, standardized, and bureaucratized.
