Training in Portugal 1 - PowerPoint PPT Presentation
Provided by: Mante
Slides: 44

1
Training in Portugal (1)
2
Project: Design a self-assessment tool for
SAIs based on CobiT
3
What we want
  • Improve IT audit (methodology and practical
    approach with CobiT)
  • IT Governance (with self-assessment) by the SAIs

4
1. Genesis of a success story
the Hague, 1 October 2002
5
Our mandate
  • The objective of this project is to design and
    pilot a self-assessment tool for all SAIs. It is
    based on 'CobiT', which is a governance (and
    audit) framework for the domain of information
    technology. The self-assessment tool we are
    developing should enable us to measure the
    maturity of the IT control of our own offices.

6
2. Why...
  • ... a self-assessment ?
  • ... of Information Technologies ?
  • ... based on CobiT ?

7
Why a self-assessment?
  • It allows "proximity". The evaluation is
    carried out by the people
    • who know the subject
    • who are interested in solving the problems
  • It is confidential. The organization is in
    control of the results of the evaluation and
    their distribution. Self-assessment is not an
    audit.
  • External moderation encourages people to
    speak freely.

8
Why IT?
  • As in every organisation or company, it is in the
    interest of the SAI to maintain control of its IT
    system. The latter is of fundamental importance,
    whether this has to do with managing dossiers,
    planning auditor tasks, communication or
    knowledge management.
  • Issues concerning communication and defining the
    roles between the different partners represent
    one of the main challenges in IT governance. The
    SAIs, together with other enterprises, need
    better communication between the sponsors and the
    IT specialists.

9
like the other organisations...
  • we lose time because of system shutdowns...
  • we type the same information in different systems
    two or three times...
  • we develop projects which don't meet
    expectations...
  • we manage expensive service providers...
  • we use IT without enough training...

10
Why based on CobiT?
  • CobiT is a well accepted standard
  • CobiT can be downloaded free of charge from
    www.isaca.org
  • CobiT is also available in French
    (www.afai.asso.fr), German (www.isaca.ch) and
    Spanish (www.isaca.org)
  • but our group wanted to be sure that CobiT is the
    best choice ...

11
What have we done?
  • Studies of other tools
    • ISO 9001
    • European Foundation for Quality Management
      (EFQM) Excellence Model
    • ITIL / Process Maturity Self-Assessment Action
      Plan
    • CMM Capability Maturity Model
    • Common Assessment Framework (CAF), result of
      the cooperation among the EU Ministers
      responsible for Public Administration
  • Contact with specialists
    • Philips, The Netherlands
    • Swisslife, Switzerland
    • Prof. W. van Grembergen (University of Antwerp,
      Belgium)

.... our research confirmed the legitimacy of
choosing CobiT
12
3. Looking for the gaps and use CobiT as a bridge!
  • ...the problem is always at the interface
  • Management ↔ IT
  • IT ↔ Audit
  • IT audit ↔ Financial audit

13
COBIT includes 36 national and international
standards
  • Codes of conduct issued by Council of Europe,
    OECD, ISACA, etc.
  • Qualification criteria for IT systems and
    processes: ITSEC, TCSEC, ISO 9000, SPICE, TickIT,
    Common Criteria, etc.
  • Professional standards in internal control and
    auditing: COSO Report, IFAC, AICPA, IIA, ISACA,
    PCIE, GAO standards, etc.
  • Industry practices and requirements from industry
    forums (ESF, I4) and government-sponsored
    platforms (IBAG, NIST, DTI), etc.
  • Technical standards from ISO, EDIFACT, etc.
  • Emerging industry-specific requirements such as
    from banking, electronic commerce and IT
    manufacturing

14
the three most important sources
  • qualification standards (ISO, SPICE, ITIL, ...)
  • audit standards (IFAC, IIA, COSO, GAO, ...)
  • IT security standards (ITSEC, BS7799, etc.)
15
Control Objectives for Information and Related
Technology
with CobiT, they can communicate with each other!...
16
Service level, for example
  • Management Guideline
  • Key Performance Indicators
    • Time lag of resolution of a service level
      change request
    • Time lag to resolve a service level issue
    • Number of times that root cause analysis of
      service level procedure and subsequent
      resolution is completed within required period
    • Significance of amount of additional funding
      needed to deliver the defined service level
      (...)
  • Control Objectives
  • The service level agreement should cover at least
    the following aspects: availability, reliability,
    performance, capacity for growth, levels of
    support provided to users, continuity planning,
    security, minimum acceptable level of
    satisfactorily delivered system functionality,
    restrictions (limits on the amount of work),
    service charges, central print facilities
    (availability), central print distribution and
    change procedures. (...)
  • Audit Guideline
  • Considering whether a recourse process is
    identified for non-performance
  • Testing that historical performance against prior
    service improvement commitments is tracked (...)

17
or Information Architecture
  • Management Guideline
  • Key Goal Indicators
  • (...)
  • Reduction of data redundancy
  • Increased interoperability between systems and
    applications (...)
  • Control Objectives
  • Data Classification Scheme
  • A general classification framework should be
    established with regard to placement of data in
    information classes (i.e., security categories)
    as well as allocation of ownership. The access
    rules for the classes should be appropriately
    defined.(...)
  • Audit Guideline
  • Considering whether a medium is used to
    distribute the data dictionary to ensure that it
    is accessible to development areas and that
    changes are reflected immediately
  • Identifying data items where ownership is not
    clearly and/or appropriately defined. (...)

18
or manage the operations
  • Management Guideline
  • Critical Success Factors
  • Changes to job schedules are strictly controlled
  • There are strict acceptance procedures for new
    job schedules, including documentation delivered
  • Clear and concise detection, inspection and
    escalation procedures are established(...)
  • Control Objectives
  • Job Scheduling
  • IT management should ensure that the continuous
    scheduling of jobs, processes and tasks is
    organised into the most efficient sequence,
    (...). The initial schedules as well as changes
    to these schedules should be appropriately
    authorised.
  • Remote Operations
  • For remote operations, specific procedures should
    ensure that the connection and disconnection of
    the links to the remote site(s) are defined and
    implemented. (...)
  • Audit Guideline
  • Review of a sample of limited IT operations and
    determining whether they meet policy and
    procedures requirements.
  • Identifying a sample of abnormal ends (ABENDS)
    for jobs and determining resolution of problems
    which occurred. (...)

19
CobiT is special
.... this framework goes further than the other
ones!
20
Navigation in CobiT: how can you select the right
process? "Availability", for example
21
or "human resources"?
22
Warm up
  • Who doesn't know what the EUROSAI IT Working
    Group is?
  • Who doesn't know what CobiT is?
  • Who doesn't know what self-assessment is?
  • Is self-assessment a questionnaire or an
    interview method?
  • Are we looking for problems in efficiency or in
    security?

23
4. Our method
24
How do we proceed?
25
The problem has 2 dimensions
26
the first form: identify the business process
27
What do we understand by business process?
examples
  • Audit Risk Management
  • Organise the missions
  • Analyse the data
  • Test the IT by the IT-Audit
  • Report the results to the auditee
  • Track the implementation of the recommendations
  • Manage the knowledge
  • Manage finances and human resources
  • Administer and archive the dossiers
  • Publish the results of the audits
  • Communicate
  • Automated data inputs
  • Automated relations between different audits

28
29
then, we evaluate the importance and the quality
of the current IT systems
Importance of the IT systems?
Quality of the IT systems?
30
the second form
Importance of the IT systems?
Quality of the IT systems?
. . .
31
6 maturity levels
32
Maturity model? Example: DS04 Ensure continuous
service
  • 0 Non-existent.
  • There is no understanding of the risks,
    vulnerabilities and threats to IT operations or
    the impact of loss of IT services to the
    business. Service continuity is not considered as
    needing management attention.
  • 5 Optimised
  • Integrated continuous service processes are
    proactive, self-adjusting, automated and
    self-analytical and take into account
    benchmarking and best external practices.
    Continuous service plans and business continuity
    plans are integrated, aligned and routinely
    maintained. Buy-in for continuous service needs
    is secured from vendors and major suppliers.
    Global testing occurs and test results are fed
    back as part of the maintenance process.
    Continuous service cost effectiveness is
    optimized through innovation and integration.
    Gathering and analysis of data is used to
    identify opportunities for improvement.
    Redundancy practices and continuous service
    planning are fully aligned. Management does not
    allow single points of failure and provides
    support for their remedy. Escalation practices
    are understood and thoroughly enforced.

33
Example 2: PO10 Manage projects
  • 0 Non-existent.
  • Project management techniques are not used and
    the organization does not consider business
    impacts associated with project mismanagement and
    development project failures.
  • 5 Optimised
  • A proven, full life-cycle project methodology is
    implemented and enforced, and is integrated into
    the culture of the entire organization. An
    on-going program to identify and institutionalize
    best practices has been implemented. There is
    strong and active project support from senior
    management sponsors as well as stakeholders. IT
    management has implemented a project organization
    structure with documented roles, responsibilities
    and staff performance criteria. A long term IT
    resources strategy is defined to support
    development and operational outsourcing
    decisions. An integrated program management
    office is responsible for projects from inception
    to post implementation. The program management
    office is under the management of the business
    units and requisitions and directs IT resources
    to complete projects. Organization-wide planning
    of projects ensures that user and IT resources
    are best utilized to support strategic
    initiatives.

34
matching the results ...
Where are the reasons for the dissatisfaction?
What impacts do the IT problems have?
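The "matching" step above combines the two forms: for each business process, the importance given to the future IT systems is set against the quality of the current IT systems, and the largest gaps go to the action plan. The following is an added illustration of that computation in Python; it is not the workshop's own Excel sheet. It assumes constructed responses for four hypothetically named processes, scores on the 0-5 scale of the six maturity levels, and two hypothetical cut-offs: a disagreement threshold that flags processes where participants' answers spread widely (the ones that need the consensus discussion on day two) and a minimum gap for entering the action plan.

```python
"""Gap analysis for the two-form self-assessment.

Added illustration, not the workshop's own Excel sheet. Each participant
answers form 2 twice per business process: importance of the future IT
systems and quality of the current IT systems, both on the 0-5 scale of
the six maturity levels.
"""
from fractions import Fraction

MATURITY_MIN, MATURITY_MAX = 0, 5  # the six maturity levels 0..5

# Constructed sample responses: process -> list of (importance, quality)
# pairs, one pair per participant. Process names are hypothetical.
SAMPLE_RESPONSES = {
    "B1 Audit risk management": [(5, 2), (4, 1), (5, 2)],
    "B2 Organise the missions": [(3, 3), (3, 2), (4, 3)],
    "B3 Analyse the data":      [(5, 1), (5, 4), (4, 0)],  # quality answers disagree
    "B4 Manage the knowledge":  [(2, 2), (2, 2), (1, 3)],
}


def validate(score):
    """Reject anything that is not an integer maturity level 0..5."""
    if isinstance(score, bool) or not isinstance(score, int):
        raise TypeError(f"maturity score must be an int, got {score!r}")
    if not MATURITY_MIN <= score <= MATURITY_MAX:
        raise ValueError(f"score {score} outside {MATURITY_MIN}-{MATURITY_MAX}")
    return score


def exact_mean(values):
    """Exact rational mean, so equal gaps compare equal and sort stably."""
    return Fraction(sum(values), len(values))


def summarise(responses, disagreement_threshold=2):
    """One row per process: mean importance, mean quality, the gap
    (importance minus quality) and a flag for processes whose answers
    spread by at least disagreement_threshold levels. The threshold is a
    hypothetical choice. Rows are sorted by largest gap, then by
    importance; ties keep the input order because sort() is stable."""
    rows = []
    for process, answers in responses.items():
        if not answers:
            raise ValueError(f"no answers recorded for {process}")
        importance = [validate(i) for i, _ in answers]
        quality = [validate(q) for _, q in answers]
        imp, qual = exact_mean(importance), exact_mean(quality)
        spread = max(max(importance) - min(importance),
                     max(quality) - min(quality))
        rows.append({
            "process": process,
            "importance": round(float(imp), 2),
            "quality": round(float(qual), 2),
            "gap": round(float(imp - qual), 2),
            "needs_discussion": spread >= disagreement_threshold,
        })
    rows.sort(key=lambda r: (-r["gap"], -r["importance"]))
    return rows


def action_plan(rows, min_gap=1.0):
    """Processes whose gap reaches min_gap (a hypothetical cut-off),
    in priority order, as candidates for the action plan."""
    return [r["process"] for r in rows if r["gap"] >= min_gap]


def print_report(rows):
    """Plain-text version of the results slide shown to the group."""
    print(f"{'process':28} {'imp':>5} {'qual':>5} {'gap':>5}  discuss")
    for r in rows:
        flag = "yes" if r["needs_discussion"] else "no"
        print(f"{r['process']:28} {r['importance']:5.2f} {r['quality']:5.2f} "
              f"{r['gap']:5.2f}  {flag}")


if __name__ == "__main__":
    result = summarise(SAMPLE_RESPONSES)
    print_report(result)
    print("action plan priorities:", action_plan(result))
```

The exact rational means matter more than they look: with ordinary floats, two processes with the same answers can end up with gaps that differ in the last bit and sort in an order nobody can explain to the head of the SAI. The disagreement flag is what turns a number into the "good discussion" the method promises: a process with a large gap but widely spread answers is not yet a result, it is an open question for the validation session.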
35
5. what you get
  • gaps analysis
  • a good discussion !
  • action plan

36
For example: satisfaction with the IT support of
the business processes (the process names were
withheld as confidential in the original slide)
  Process   Score   Name
  B10       2.29    confidential...
  B12       2.00    confidential...
  B6        1.75    confidential...
  B5        1.38    confidential...
  B3        1.33    confidential...
  B4        1.29    confidential...
  B1        1.00    confidential...
  B9        1.00    confidential...
  B7        0.86    confidential...
  B2        0.83    confidential...
  B11       0.60    confidential...
  B8        0.00    confidential...
37
identification of the problems (business point
of view)
(Chart: for each business process B1 to B13, two
bars on a 0 to 6 scale: "What is the quality of the
current IT systems?" and "What is the importance of
the future IT systems?")
38
identifying the problems (IT point of view)
39
An action plan
40
and perhaps in the future, a benchmarking
Big SAIs
Middle SAIs
Small SAIs
41
A reasonable time management (first day)
  • 14.00 Start of the workshop
  • 15.00 Identify the business processes
  • 15.30 Coffee break
  • (moderator) Adapt form 1 and print it
  • 16.00 Fill form 1
  • 16.15 Presentation CobiT
  • 17.15 Select the most important IT processes
  • 18.00 Fill form 2
  • 18.30 End of the first day
  • Then, put the results in your EXCEL sheet,
    prepare the presentation of the results and the
    discussion of tomorrow

42
A reasonable time management (second day)
  • 09.00 Presentation of the results
  • 09.30 Discussion (validation of the results,
    looking for consensus)
  • 10.00 Listing the most important problems and
    strengths
  • 10.15 Coffee break
  • 10.45 Prepare an action plan
  • 11.30 Fill the evaluation forms
  • Finalization of the action plan
  • 12.30 Discussion and end of the workshop
  • Preparation of the final presentation
  • 15.00 Presentation and discussion with the head
    of the SAI
  • Write the evaluation report!

43
We will now focus on the following points
Get the right persons!
Identify the processes!
Get a good action plan!
Use the EXCEL sheet correctly!
Ask the right questions!