This book provides an overview of IT governance. IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.
This book has been updated to reflect the changes introduced in CobiT 4.1 and developments from other sources.
It is provided for two purposes. First, it is a quick-reference guide to IT governance for people who are not acquainted with this field of work. Second, it is a high-level introduction to ISACA’s freely available framework ‘CobiT’ that will encourage further study. Please note that this guide follows the process structure of CobiT, since we found that to be best practice, but it differs from CobiT in several ways, adding new information to the structure, especially from the perspective of IT service management.
The management guide is aimed at business and IT (service) managers, consultants, auditors and anyone interested in learning more about the possible application of IT governance standards in the IT management domain. In addition, it provides students in IT and Business Administration with a compact reference to CobiT.
After an introduction to IT governance and CobiT in general, you will find information about ISACA’s CobiT publications, since we encourage the use of CobiT. In the next section, you will find a description of the 34 processes that were identified from many international standards. This Management Guide adds new information to the various sources that were used to describe IT governance, including CobiT. Workflow diagrams and process models have been added as an extension to existing material. The last part of the book provides some guidance on CobiT implementation and the relationship with other methods and frameworks. The book can be used as an excellent companion guide to the CobiT Foundation training, or as a quick reference guide.
In a book about IT governance it is sensible to analyze the position of IT governance in relation to other governance frameworks. The most comprehensive framework encountered in literature is in a discussion paper by the Chartered Institute of Management Accountants (CIMA). In this paper enterprise governance is a term used to describe a framework that covers both the corporate governance and the business governance aspects of the organization.
CIMA uses the following definition of enterprise governance:
According to CIMA there are two dimensions of enterprise governance: conformance and performance. In general, the conformance dimension is approached from a retrospective view, while the performance dimension is approached from a prospective view.
The lines in figure 1.1 show that, although conformance feeds directly to accountability & assurance and performance to value creation & resource utilization, conformance can also feed to value creation & resource utilization while performance can feed to accountability & assurance.
Corporate governance, as the conformance dimension of enterprise governance, has had significant coverage following a number of well-known corporate scandals. In the wake of these scandals, which also included the demise of one of the Big Five accountancy firms, new regulations designed to strengthen corporate governance were introduced in the US, in Europe and in many other jurisdictions. In the US the Sarbanes-Oxley Act was introduced for this reason. In Europe the Winter Report issued recommendations to provide for a modern regulatory framework for company law to the European Commission.
Among its recommendations is that companies that are traded on open markets provide a coherent and descriptive statement covering the key elements of corporate governance rules and practices in their annual report and on their web site.
The Organisation for Economic Co-operation and Development (OECD) defines corporate governance in the following way:
‘Corporate governance is the system by which business corporations are directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs. By doing this, it also provides the structure through which the company objectives are set, and the means of attaining those objectives and monitoring performance.’
The importance of good corporate governance is recognized worldwide. It must lead to improved responsiveness to shareholder interests by attempting to balance the CEO’s power with the board’s ability to act as genuine custodians of the organization.
Business governance, as the performance dimension of enterprise governance, focuses on the board’s role in making strategic decisions, risk assessment and understanding the drivers for business performance.
The attention to corporate governance also raises the question of whether the IT used to support business processes is adequately controlled. This has led to increased attention to IT governance in many organizations. Because IT is an integral part of enterprise operations, IT governance is an integral ingredient of enterprise governance.
IT governance has been defined in many different ways. ISACA defines IT governance as follows: ‘IT governance is defined as a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.’
The authors of this book have defined IT governance in line with the OECD definition of corporate governance:
IT governance is the system by which IT within enterprises is directed and controlled. The IT governance structure specifies the distribution of rights and responsibilities among different participants, such as the board, business and IT managers, and spells out the rules and procedures for making decisions on IT. By doing this, it also provides the structure through which the IT objectives are set, and the means of attaining those objectives and monitoring performance.
IT governance ensures that IT is properly aligned with business processes and is correctly organized and controlled. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives.
IT governance integrates and institutionalizes best practices of planning, organizing, acquiring, implementing, delivering, supporting, and monitoring and evaluating IT performance, to ensure that the enterprise’s information and related technology support its business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximizing benefits and capitalizing on opportunities, and thus leveraging competitive advantage.
Table 1.1 compares the most important characteristics of corporate governance, business governance and IT governance within enterprise governance.
Corporate governance (separation of ownership and control):
• Responsibilities, accountability & duties of directors/leaders
• Legislative/fiduciary compliance & control framework
• Shareholder rights
• Ethics & integrity
• Business operations, risks & control
• Financial accounting & reporting
• Asset management
• Risk management

Business governance (direction and control of the business):
• Business goals & objectives
• Business strategic risk management
• Business strategy & planning
• Business processes & activities
• Innovation & research capabilities
• Knowledge & intellectual capital
• Information management
• Human resources management
• Customer relations management
• Internal and external communication
• Performance control

IT governance (direction and control of IT):
• IT objectives
• Alignment with enterprise objectives
• IT processes
• IT resources
• IT value delivery
• IT performance management
• Information knowledge management
• IT strategy & planning
• IT acquisition & implementation
• IT operations, risks & control
• IT asset management
• IT risk management

Table 1.1 Governance characteristics
1.3 Sources for IT Governance
There are several sources that provide basic knowledge of governance. In the following paragraphs some background on the major sources is presented.
In 199_, the Committee of Sponsoring Organizations of the Treadway Commission issued ‘Internal Control - Integrated Framework’. This publication established a framework for internal control and provided evaluation tools which business and other entities can use to evaluate their control systems (figure 1._).
The framework identifies and describes five interrelated components necessary for effective internal control.
In ‘Internal Control - Integrated Framework’, COSO defined internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
In _004 the COSO Enterprise Risk Management (ERM) framework was published. Enterprise Risk Management broadens internal control by elaborating a conceptualization that focuses more fully on risk.
The ERM framework expands on the internal control framework as follows:
• Four categories of objectives are specified: operations, reporting, compliance and strategic objectives. Reporting now includes reports used internally by management as well as those issued to external parties. Strategic objectives have been added as a new category.
• ERM considers risk from a ‘portfolio’ perspective.
• The framework takes into consideration the amount of risk a company is willing to accept in order to achieve its goals.
• Events that can influence the company are identified. Those that can have a negative impact represent risks.
• Risk assessment is extended.
• ERM identifies four categories of risk response: avoid, reduce, share and accept. Responses are considered both for their effect on individual risks and for their aggregate effect.
• ERM expands on the information and communication component, considering data derived from past, present and potential future events.
• ERM describes the role and responsibilities of risk officers and expands on the role of a company’s board of directors.