Contents
Cover
Series
Title Page
Copyright
Dedication
Preface
Part One: IT Governance Concepts
Chapter One: Importance of IT Governance for All Enterprises
Chapter Two: Fundamental Governance Concepts and Sarbanes-Oxley Rules
SARBANES-OXLEY ACT
OTHER SOx RULES—TITLE II: AUDITOR INDEPENDENCE
SOx TITLE III: CORPORATE RESPONSIBILITY
TITLE IV: ENHANCED FINANCIAL DISCLOSURES
WHAT IS IT GOVERNANCE?
NOTES
Chapter Three: Enterprise Governance and GRC Tools
THE ROAD TO EFFECTIVE GRC PRINCIPLES
IMPORTANCE OF GRC GOVERNANCE
RISK MANAGEMENT COMPONENT OF GRC
GRC AND ENTERPRISE COMPLIANCE
IMPORTANCE OF EFFECTIVE GRC PRACTICES AND PRINCIPLES
Part Two: Frameworks to Support Effective IT Governance
Chapter Four: IT Governance and COSO Internal Controls
IMPORTANCE OF EFFECTIVE INTERNAL CONTROLS AND COSO
COSO INTERNAL CONTROL SYSTEMS MONITORING GUIDANCE
WRAPPING IT UP: IMPORTANCE OF COSO INTERNAL CONTROLS
NOTES
Chapter Five: COBIT and the IT Governance Institute
AN EXECUTIVE’S INTRODUCTION TO COBIT
THE COBIT FRAMEWORK AND ITS DRIVERS
COBIT PRINCIPLE 1: ESTABLISH AN INTEGRATED IT ARCHITECTURE FRAMEWORK
COBIT PRINCIPLE 2: STAKEHOLDER VALUE DRIVERS
COBIT PRINCIPLE 3: FOCUS ON BUSINESS CONTEXT
COBIT PRINCIPLE 4: GOVERNANCE AND RISK MANAGEMENT ENABLERS
COBIT PRINCIPLE 5: GOVERNANCE AND MANAGEMENT PERFORMANCE MEASUREMENT STRUCTURES
PUTTING IT TOGETHER: MATCHING COBIT PROCESSES AND IT GOALS
USING COBIT IN A SOx ENVIRONMENT
COBIT IN PERSPECTIVE
NOTES
Chapter Six: ITIL and IT Service Management Guidance
ITIL FUNDAMENTALS
ITIL SERVICE STRATEGY COMPONENTS
ITIL SERVICE DESIGN
ITIL SERVICE TRANSITION MANAGEMENT PROCESSES
ITIL SERVICE OPERATION PROCESSES
IT GOVERNANCE AND ITIL SERVICE DELIVERY BEST PRACTICES
NOTE
Chapter Seven: IT Governance Standards: ISO 9001, 27002, and 38500
ISO STANDARDS BACKGROUND
ISO 9000 QUALITY MANAGEMENT STANDARDS
ISO IT SECURITY STANDARDS: ISO 27002 AND 27001
ISO 38500 IT GOVERNANCE STANDARD
NOTES
Chapter Eight: IT Governance Issues: Risk Management, COSO ERM, and OCEG Guidance
RISK MANAGEMENT FUNDAMENTALS
COSO ERM DEFINITIONS AND OBJECTIVES: A PORTFOLIO VIEW OF RISK
COSO ERM FRAMEWORK
OTHER DIMENSIONS OF THE COSO ERM FRAMEWORK
THE OCEG GRC “RED BOOK,” RISK MANAGEMENT, AND IT GOVERNANCE
NOTES
Part Three: Tools and Technologies to Manage the IT Governance Infrastructure
Chapter Nine: Cloud Computing, Virtualization, and Portable, Mobility Computing
UNDERSTANDING CLOUD COMPUTING
IT SYSTEMS AND STORAGE MANAGEMENT VIRTUALIZATION
SMARTPHONE AND HANDHELD IT DEVICE GOVERNANCE ISSUES
NOTE
Chapter Ten: Governance, IT Security, and Continuity Management
IMPORTANCE OF AN EFFECTIVE IT SECURITY ENVIRONMENT
ENTERPRISE IT SECURITY PRINCIPLES: GENERALLY ACCEPTED SECURITY STANDARDS
IMPORTANCE OF AN EFFECTIVE, ENTERPRISE-WIDE SECURITY STRATEGY
IT CONTINUITY PLANNING
THE BUSINESS CONTINUITY PLAN AND IT GOVERNANCE
NOTES
Chapter Eleven: PCI DSS Standards and Other IT Governance Rules
PCI DSS BACKGROUND AND STANDARDS
GRAMM-LEACH-BLILEY ACT IT GOVERNANCE RULES
HIPAA: HEALTH CARE AND MUCH MORE
NOTES
Chapter Twelve: IT Service Catalogs: Realizing Greater Value from IT Operations
IMPORTANCE OF IT SERVICE CATALOGS
ROLE OF A SERVICE CATALOG IN THE IT SERVICE PROVIDER ORGANIZATION
AN IT SERVICE CATALOG’S CONTENT AND FEATURES
IT SERVICE CATALOG MANAGEMENT
Part Four: Building and Monitoring Effective IT Governance Systems
Chapter Thirteen: Importance of IT Service-Oriented Architecture for IT Governance Systems
SOA APPLICATIONS AND SERVICE-DRIVEN IT APPLICATIONS
SOA GOVERNANCE, INTERNAL CONTROL ISSUES, AND RISKS
PLANNING AND BUILDING AN SOA IMPLEMENTATION BLUEPRINT
SOA AND IT GOVERNANCE
NOTES
Chapter Fourteen: IT Configuration and IT Portfolio Management
IT CONFIGURATION MANAGEMENT CONCEPTS
ITIL BEST PRACTICES FOR IT CONFIGURATION MANAGEMENT
THE CONFIGURATION MANAGEMENT DATABASE: AN OFTEN DIFFICULT CONCEPT
ESTABLISHING AN ENTERPRISE CMDB
IT PORTFOLIO MANAGEMENT
Chapter Fifteen: Application Systems Implementations and IT Governance
THE SYSTEMS DEVELOPMENT LIFE CYCLE: A BASIC APPLICATION DEVELOPMENT TECHNIQUE
IT RAPID DEVELOPMENT PROCESSES: PROTOTYPING
ENTERPRISE RESOURCE PLANNING AND IT GOVERNANCE PROCESSES
Chapter Sixteen: IT Governance Issues: Project and Program Management
THE PROJECT MANAGEMENT PROCESS
PMBOK STANDARDS
ANOTHER PROJECT MANAGEMENT STANDARD: PRINCE2
IT SYSTEMS PORTFOLIO AND PROGRAM MANAGEMENT
THE PROGRAM MANAGEMENT OFFICE (PMO), A STRONG GOVERNANCE RESOURCE
PROJECT MANAGEMENT, THE PMO, AND IT GOVERNANCE
NOTE
Chapter Seventeen: Service Level Agreements, itSMF, Val IT, and Maximizing IT Investments
ITIL SERVICE MANAGEMENT BEST PRACTICES AND THE ITSMF
OPEN COMPLIANCE AND ETHICS GROUP (OCEG) STANDARDS
VAL IT: ENHANCING THE VALUE OF IT INVESTMENTS
NOTES
Part Five: Monitoring and Measuring Enterprise Management and Board Governance
Chapter Eighteen: Enterprise Content Management
ECM CHARACTERISTICS AND KEY COMPONENTS IN THE ENTERPRISE TODAY
ECM PROCESSES AND IT GOVERNANCE
CREATING AN EFFECTIVE ECM ENVIRONMENT IN THE ENTERPRISE
Chapter Nineteen: Internal Audit’s Governance Role
INTERNAL AUDITING HISTORY AND BACKGROUND
INTERNAL AUDITING AND THE IT AUDITOR
INTERNAL AUDIT’S IT GOVERNANCE ACTIVITIES AND RESPONSIBILITIES
INTERNAL AUDIT IT GOVERNANCE STANDARDS
INTERNAL AUDIT IT GOVERNANCE PROCEDURES
NOTE
Part Six: IT Governance and Enterprise Objectives
Chapter Twenty: Creating and Sustaining an Ethical Workplace Culture
IMPORTANCE OF MISSION STATEMENTS
ENTERPRISE CODES OF CONDUCT
WHISTLEBLOWER AND HOTLINE FUNCTIONS
LAUNCHING AN ETHICS PROGRAM AND IMPROVING ENTERPRISE GOVERNANCE PRACTICES
NOTE
Chapter Twenty One: Impact of Social Media Computing
WHAT IS SOCIAL MEDIA COMPUTING?
SOCIAL MEDIA EXAMPLES
ENTERPRISE SOCIAL MEDIA COMPUTING RISKS AND VULNERABILITIES
SOCIAL MEDIA POLICIES
NOTES
Chapter Twenty Two: IT Governance and the Audit Committee’s IT Role
THE ENTERPRISE AUDIT COMMITTEE AND IT GOVERNANCE
AUDIT COMMITTEE IT GOVERNANCE RESPONSIBILITIES
AUDIT COMMITTEE BRIEFINGS AND IT GOVERNANCE ISSUES
About the Author
Index
Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.
The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.
Cover image: © Max Delson Martins Santos/iStockphoto
Cover design: © John Wiley & Sons, Inc.
Copyright © 2013 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Moeller, Robert R.
Executive’s guide to IT governance : improving systems processes with service management, COBIT, and ITIL / Robert R. Moeller.
1 online resource. — (Wiley corporate F&A series)
Includes bibliographical references and index.
Description based on print version record and CIP data provided by publisher; resource not viewed.
ISBN 978-1-118-22495-3 (pdf) — ISBN 978-1-118-23893-6 (epub) — ISBN 978-1-118-26354-9 (mobipocket) — ISBN 978-1-118-13861-8 (o-book) — ISBN 978-1-118-54017-6 (cloth)
1. Information technology—Management. 2. Information technology—Auditing. 3. Electronic data processing departments—Auditing. I. Title.
HD30.2
004.068’4—dc23
2012050404
Dedicated to my best friend and wife, Lois Moeller.
Lois has been my companion and partner for over 40 years,
whether we are on our Lake Michigan sailboat,
skiing in Utah or elsewhere,
visiting museums and traveling to interesting places in the world,
vegetable gardening in the backyard,
or jointly cooking its produce.
Preface
IN TODAY’S WORLD OF EVER-CHANGING ECONOMIC CONDITIONS and increased regulatory activity, governance is becoming an increasingly important issue for enterprises of all sizes, whether public corporations, not-for-profits, or private businesses. Enterprise governance consists of a series of broad areas of enterprise activity, starting with management’s accountability and fiduciary responsibilities to its customers, employees, regulators, and all other stakeholders. This requires guidelines and programs to ensure that management acts in good faith and that the overall enterprise is protected from wrongdoing or fraud. In addition, enterprise governance includes management processes and policies to promote strategic and economic efficiency: how the corporate governance system intends to optimize results and meet its objectives. The promotion of strategic efficiency also calls for an enterprise to establish public policy objectives that are not always directly measurable in economic terms but include such things as a strong ethics program, the promotion of quality, and employee welfare.
Effective enterprise governance, of course, requires strong management skills to make important decisions and provide leadership. There is also a very strong requirement for information technology (IT) systems and processes in particular. This important area, IT governance, is the overall topic of this executive guide.
In the earlier days of IT systems and processes, senior operations management often delegated many aspects of IT operations to specialists responsible for building, operating, and maintaining an enterprise’s IT resources. While there was frequent talk about engaging the management and users of IT systems with the specialists and developers of their IT resources, operations management often experienced disappointments. New IT initiatives often did not meet their planned objectives, were delivered late, had security and internal control vulnerabilities, or too soon became obsolete due to poor planning or assessments of management needs. To improve matters today, there is a need for better processes to manage and coordinate all aspects of an enterprise’s IT resources—the need for IT governance.
This book is an executive’s guide to this important concept of IT governance. Our focus is not on the IT specialist installing IT hardware, software, and network connections, nor on such important resources as internal auditors who test and review IT processes. Rather, this guide is directed to the enterprise executive who has some understanding of IT processes but is interested in learning more about the issues and processes that are important for efficiently managing and benefiting from these IT resources and systems in today’s Internet-connected environment.
A goal of this book is to provide high-level background information on a variety of IT governance issues that are important to today’s business enterprise and executive manager. We hope to provide that business executive with sufficient general information to allow him or her to have a greater understanding of important IT governance issues today and to be able to better ask questions that will achieve a greater understanding of these issues and better make effective decisions regarding these IT governance matters. For example, business literature today frequently makes reference to a concept called cloud computing. Chapter 9 will provide an overview of cloud computing and why it is important for effective IT governance. Similarly, we will introduce the concept of service level agreements (SLAs), often informal contracts between the users or owners of IT resources and IT management. Our objective here is to help the business executive better understand why SLAs are important, how to install and manage them in all sizes or types of enterprises, and how to use them to improve IT governance processes.
We have divided the chapters following into six basic topics or section areas. Each of these sections and their associated chapters is generally complete, summarizing IT governance issues in that area, and can hopefully serve the business executive with enough high-level information to understand each of these IT governance concepts and issues.
• Part I—IT Governance Concepts. The chapters in this section start by providing an overall introduction to the concept of IT governance and how it applies to business enterprises in general, and then to their IT resources. This section includes a chapter that describes the importance and impact of Sarbanes-Oxley Act (SOx) rules, an important set of legislation first initiated in the United States early in this century and now an almost-worldwide set of regulations mandating general rules for enterprise finance and other internal controls. This part concludes with a chapter explaining overall governance, risk, and compliance (GRC) issues, an important concept and term common in many enterprise-level management discussions today.
• Part II—Frameworks to Support Effective IT Governance. Beyond high-level IT governance concepts and standards, an enterprise executive needs to have an understanding of some of the high-level frameworks that are important for both IT and overall enterprise governance. A chapter here provides an overview of the Committee of Sponsoring Organizations (COSO) internal control framework and why it is important for effective IT governance. In addition, a chapter will provide an overview and introduction to the Control Objectives for Information and related Technology framework, known by the acronym COBIT, as well as supporting guidance from the IT Governance Institute. Both of these are important internal control concepts, and an enterprise business executive should have an understanding of both as well as why they are important for IT governance. A chapter in this part will also introduce another very important IT governance concept, known as the Information Technology Infrastructure Library (ITIL), a set of best practices guidance materials for managing all aspects of an enterprise’s IT resources. Related to ITIL, the chapter also will introduce the IT Service Management Forum, an important professional organization that provides IT governance guidance. A business executive with responsibilities for managing IT operations should have at least a good understanding of these guidance materials, their use in an IT function, and how they promote more effective IT governance. Other chapters in this part introduce two more frameworks important to IT governance. First, we will discuss several ISO, or International Organization for Standardization, sets of guidance materials important for IT governance. We also introduce the OCEG, or Open Compliance and Ethics Group, set of risk management guidance. An understanding of both ISO IT governance standards and OCEG is important for implementing effective IT governance practices. Together, these frameworks should help an enterprise manager understand some important IT governance issues.
• Part III—Tools and Technologies to Manage the Governance Infrastructure. The IT infrastructure includes all of the people and resources needed to run and manage the IT facility for an enterprise, including the IT server hardware, IT security specialists, and both the people and hardware to manage the IT telecommunications network. A chapter in this section discusses several important newer technologies that are changing IT today, such as the concepts of cloud computing and what is known as virtualization. We will introduce these and other related issues and discuss why they are important for IT governance. IT infrastructures face a variety of security and integrity threats, such as the risk of an unexpected attack from rogue software, the failure to restore operations because of a lack of backed-up key systems, or password violations that result in improper access to confidential data. One chapter here will introduce IT security and continuity planning issues that are important for effective IT governance. Another chapter will introduce some of the more important IT security rules and regulations that are important for establishing effective IT governance. We will then conclude this part with a chapter on techniques for realizing greater value from IT operations. IT governance should consist of both well-controlled and well-managed operations and efficient and cost-effective IT processes. Management at all levels should have a general understanding of how to implement and benefit from these issues, and this chapter will offer some guidance from an IT management perspective.
• Part IV—Building and Monitoring Effective IT Governance Systems. In addition to IT infrastructure processes and tools from the previous section, the chapters here discuss approaches for building effective IT governance processes in the systems and applications found in enterprises. In particular, one of these chapters introduces and discusses the importance of what is generally called service-oriented architecture, an increasingly common approach to building and implementing new applications but a set of processes rather different from the conventional techniques of earlier IT development approaches. Other chapters in this part will discuss IT governance issues for managing systems and process changes and revision controls as well as approaches to implement integrated systems for the better governance and management of IT operations. There is a chapter in this section on tools and techniques for project and program management. Management at all levels should understand the importance and value of good project management and control techniques to promote IT governance processes. This part then concludes with a chapter on service level agreements—formal performance standards and measures between an IT resource and its user community, and a very important IT governance tool.
• Part V—Monitoring and Measuring Enterprise Management and Board Governance. Many of the earlier chapters focus on helping the IT executive to understand and implement effective IT governance processes in an enterprise’s IT systems and operations. This section introduces the role of internal audit, and a chapter discusses the importance of internal audit for IT governance. Another chapter here discusses document management approaches from an IT executive perspective, including the importance of data content management and data archiving issues.
• Part VI—IT Governance and Enterprise Objectives. This final section concludes with some guidance on creating and sustaining an ethical workplace culture, an important element in IT governance. We also have a chapter here on the importance of social network computing—the growing use of such tools as Facebook and their overall impact on IT governance. The last chapter concludes the book with guidance on using IT governance to communicate the business value of IT.
These chapters are focused on the needs and interests of the senior enterprise business executive. In each of the chapters following, we will begin by explaining why the chapter topic is important from an IT governance perspective. We will then discuss tools and techniques to implement the particular governance processes as well as approaches for measuring their success. In addition to the specific chapters on these topics, many other chapters will draw on important elements from IT service management, COBIT, and ITIL processes. We will try to link all specific IT governance issues with general enterprise governance controls and concerns.
An overall objective of this book is to help senior enterprise managers to better understand important IT governance issues today and to help implement them in their enterprise. The result should be stronger systems and processes both for IT and for the overall enterprise.
PART ONE
IT Governance Concepts
CHAPTER ONE
Importance of IT Governance for All Enterprises
COMPUTERS AND INFORMATION TECHNOLOGY (IT) applications first burst into the business world primarily in the United States and Europe starting in the early 1960s. It was a new business technology then and many companies were offering competing computer hardware and software products to major corporations at that time. Companies at all levels wanted to get up to speed with this new technology, and massive investments were made in installing new systems and hiring and training the programmers and analysts to build and launch them. Despite some failures along the way, we are all using and benefiting today from these types of computer hardware and software products.
Today, IT systems supported by ever-changing and improving technologies are a major component of almost all business activities. However, our IT activities have not been supported by the same kinds of standards and procedures found in other business areas. For example, accounting systems and financial standards are supported by recognized accounting principles that are reviewed by independent auditors and follow governmental financial accounting rules, such as those of the Securities and Exchange Commission in the United States. Similar best practices rules and standards exist for other areas of business activity, such as in many aspects of marketing and quality control. This has not been the case for IT systems and processes. Because IT operations face increasing governmental and professional compliance requirements as well as a wide range of systems-related risks, there is an ongoing need for better IT governance practices today.
IT governance is a concept that was almost unknown not too many years ago. We thought about enterprise governance from the roles and activities of senior management and the board of directors, but IT functions in those earlier enterprises were just viewed as very important support functions and not as major business activities. Our overall thinking of enterprise governance really changed in the United States in the early years of this century after the failure of a major U.S. corporation called Enron. That failure was so sudden and almost unexpected that U.S. governmental regulators investigated and found that many corporate governance and financial practices were lacking. The result was the Sarbanes-Oxley Act (SOx) in the United States. These legislative rules have had a major impact on financial reporting and corporate governance practices, first in the United States and then worldwide. Sarbanes-Oxley has also had a major related impact on the need for effective IT governance.
Today, senior managers, IT managers, and practitioners think of IT governance in many different ways. Some see IT governance as “command-and-control” rules over IT initiatives imposed by internal auditors, non-IT executives, and outside consultants; others consider it a corporate mechanism that implements a Big Brother approach to apply top-down constraints to overall IT activities. From the perspective of the IT practitioner who is building and managing systems to improve business productivity, IT governance is sometimes seen as an unnecessary evil that hampers IT-related creativity and productivity in the enterprise. In fact, IT governance does not impose stringent regulations, standards, and policies on enterprise management and their IT functions. Rather, good IT governance is a set of policies and best practices that should serve as a strategic enabling force to improve enterprise business operations. It is embraced by all levels in the organization and reaches far beyond the four walls of IT enterprise operations.
Good IT governance aligns an enterprise strategically to support the evolution of an IT architecture that delivers consistent and scalable business value. IT governance helps measure a business’s growth and success, including its financial health. The chapters following present an emerging and comprehensive view of IT governance that addresses enterprise root business performance criteria along with the important factors of compliance adherence and risk management. As the chapters following discuss important aspects of each, we will refer to governance, risk, and compliance factors by their initials, GRC. This is an acronym that is frequently found in business publications today.
IT governance is about the way an enterprise accomplishes the delivery of mission-critical business capabilities using IT strategies, goals, and objectives. IT governance is concerned with the strategic alignment between the goals and objectives of the business and the utilization of its IT resources to effectively achieve the desired results. Exhibit 1.1 shows this IT governance concept and how it fits in with overall enterprise strategies.
EXHIBIT 1.1 IT Governance Concepts
Although Exhibit 1.1 is very general, it shows IT governance concepts—the purpose of this book—in the center but within overall enterprise strategies and operations. This is always a key concept to keep in mind. Too often, an aggressive IT director may tend to think that his or her ideas for improving and running IT systems and operations are almost more important than other enterprise activities. We should always keep in mind that although IT operations are usually critical to overall business operations, they must fit into overall business activities and strategies. Although the head of IT, the enterprise chief information officer (CIO), may feel that he or she has the best idea for some change or improvement in IT operations, that idea should be subservient to other corporate activities. For example, a CIO may recognize the importance of implementing service level agreements (SLAs), or informal contracts between users and IT, as discussed in Chapter 17, and as a good way to improve IT operations. If senior management does not like this idea, the CIO should accept senior management’s direction and go forward and make other improvements where possible.
Our point here is that overall enterprise strategy sets the big-picture rules for enterprise activities, including IT governance. The chapters following suggest many areas for improving IT systems and operations. With an objective of improving overall enterprise IT governance, however, all of these IT governance improvements must fit into the big picture of corporate operations.
The IT governance section in Exhibit 1.1 points to a series of other activities. Each of these roughly corresponds to the chapter topics outlined in the Preface to this book and described in the chapters going forward. In them, we have tried to outline many of the issues that are important for improving IT governance. They must be closely connected with links to overall business operations.
IT governance disseminates authority to the various layers in the organizational structures within the business, while ensuring appropriate and prudent use of that authority. This does not refer simply to hierarchical structures; we should always remember that network structures allow for specialization, teaming, and building infrastructure to support those teams. Specialization allows the organization as a whole to be greater than the sum of its parts. We should also remember that IT governance is not only for large organizations. Smaller enterprises have a need for good IT governance practices as well. However, there are obviously a smaller number of control points to be deployed in a smaller operation, and the focus of our chapters points to the larger enterprise.
As the chapters following define it, IT governance affects business performance, and it ideally helps an enterprise to outperform its competition. A key theme here is that IT governance defines business performance, specifically the performance of IT resources as they are applied to the business’s strategic objectives. Good IT governance leads directly to increased productivity, higher quality, and improved financial results. Poor IT governance, on the other hand, often leads to programmatic waste, bureaucracy, lower morale, and diminished overall financial performance.
To underscore the importance of good IT governance practices, consider the production of goods or services for typical enterprise business customers. These customers generally have visibility into a business only where they interface for the purpose of ordering or making requests, receiving value through the sale or production of products, or providing information through surveys or marketing analyses. It is the efficiency and coordination of internal business processes that comprise the end-to-end customer experience; this is an aspect of business performance and should be measured and improved. In order to positively impact business performance, IT governance processes must have focus and visibility on these overall end-to-end business processes with which customers interact. Poor IT governance loses sight of the customer in favor of satisfying regulations, standards, and policies in isolation. Local gains in process efficiency and productivity often do not provide favorable results in the context of the end-to-end business processes. Furthermore, the implementation of externally imposed regulations on internal business processes must be accounted for in ways that positively impact customer experiences, not simply as the apparent overhead of compliance; doing otherwise simply introduces risk into an enterprise. Good IT governance addresses whole end-to-end business processes and coordinates the activities of the enterprise over time and across organizational boundaries.
IT governance, as discussed in these chapters, should not be considered just in a new enterprise initiative. It is not a project that separately begins and ends but rather should be a key element in the fabric of an enterprise that transcends time, leadership, and other initiatives. Whether enterprise IT governance processes have grown unintentionally through evolving process improvements or grown intentionally through a deliberate project, the questions a senior manager should ask include: “How good are my IT governance processes at effectively delivering strategic business value year after year?” and “Are my processes repeatable, predictable, and scalable, and are they truly meeting the needs of my business (outside of IT) and my customers?”
It is no more likely that a single IT governance process will work for all IT business processes than it is for every one of an enterprise’s customers to be satisfied with the exact same product or service configuration for any given product or service that a company produces. Therefore, a number of IT governance-related processes must be considered. This integrated collection of available IT governance processes is what we describe in the chapters following as the IT governance landscape.
IT governance is a subset of enterprise governance, which at the highest level drives and sets what needs to be accomplished by improving overall management processes. IT governance itself encompasses systems, the overall IT infrastructure, and communications. Product development governance, like IT governance, is a subset of enterprise governance and overlaps with IT governance. Product development governance is targeted for enterprises that develop products (as opposed to IT service delivery discussed in Chapter 17, for example). IT development governance should be applied to development organizations and programs, and is a subset of IT and product development governance.
The chapters following introduce and describe many important frameworks and concepts—with names such as COBIT or ITIL—that are well understood by many IT professionals but may be less familiar to the senior enterprise executive. However, these are all important tools and processes to improve enterprise IT governance, as Chapter 2 will discuss. In our IT-centric world today, the senior enterprise executive should understand why IT governance and the related concepts of IT-related compliance activities and risk management are important. This is an overall goal of this book.
CHAPTER TWO
Fundamental Governance Concepts and Sarbanes-Oxley Rules
AS WE DISCUSSED IN CHAPTER 1, the term enterprise IT governance is not new, but it is a concept that has meant different things to different people. The concept of enterprise governance has been evolving over recent years, at least in the United States. As a response to ongoing cycles of business frauds and failures, particularly in the latter decades of the past century, there has been an increased emphasis on strengthening enterprise codes of conduct and establishing what are called corporate ethics departments. This author got involved in corporate governance issues when he directed the internal audit function for a large U.S. corporation and was asked to chair a task force and take leadership for the company to revise many internal rules, rewrite its code of conduct, and establish an ethics function for that company in response to a major threat of litigation involving consumer fraud. Strong enterprise governance practices were established for that company, although they emphasized general operations, with little emphasis on IT systems and operations.
Enterprise governance issues became increasingly important in the first years of this century when the United States experienced a series of major corporate failures that were generally caused by accounting misdeeds and financial fraud. The notorious poster boy for this period was the energy trading firm Enron. Its sudden and unexpected failure was based on financial fraud and caused several corporate executives to go to prison. Enron’s failure precipitated passage of the Sarbanes-Oxley Act (SOx) in the United States, as well as similar requirements worldwide. The sections following will provide an overview of SOx’s internal controls and governance legislation.
The general governance concepts that were discussed in Chapter 1 take a somewhat different direction when we introduce information technology (IT) concepts and systems into the mix. Many of our general management governance concepts were established and somewhat perfected during the last half of the twentieth century. Standards were established, as were work practices between management and external auditors and regulators.
In addition to our overview of SOx concepts, this chapter provides a high-level review of IT governance issues, including their IT-related enterprise risk, security, and legislative issues. The chapter will discuss some of the internal and external threats that impact enterprise IT governance processes as well as some of the characteristics of effective IT governance in the enterprise. This chapter surveys both general and specific IT governance concepts as they apply to today’s senior manager. Many of these concepts also will be referenced and discussed in greater detail in other specific topic chapters.
SARBANES-OXLEY ACT
The Sarbanes-Oxley Act is a U.S. law enacted in 2002 to improve public company financial reporting, audit, and enterprise governance processes. It first had a major impact on businesses in the United States and now is recognized worldwide. Although SOx’s auditing and internal control rules have directly changed many external auditor and IT financial practices, SOx has also had a major impact on IT governance. A general understanding of SOx, with an emphasis on its Section 404 internal accounting control rules, is a key knowledge requirement for all senior managers.
SOx became a U.S. law as a response to a series of accounting misdeeds and financial failures at such once-major corporations as Enron and WorldCom. SOx has caused major changes that have impacted corporate governance, accounting, and financial reporting audit processes—first in the United States and now worldwide. Although SOx is a comprehensive set of legislation with many components, most of its business and auditor attention has focused on the SOx Section 404 internal control attestation rules. These internal control audit procedures have caused a major amount of effort and concern as corporations began to establish compliance with SOx. This section provides a high-level overview of SOx today, with an emphasis on its Section 404 and the rules that are most important for IT governance issues. We will summarize SOx requirements for reviews of internal accounting controls and will summarize the relatively new external auditing standard called Auditing Standard No. 5 (AS5), a set of more risk-based auditing approaches that also emphasizes the importance of performing financial reporting internal control reviews. All senior enterprise managers should have a general knowledge and understanding of SOx internal control rules.1
Sarbanes-Oxley Act Key IT Governance Elements
The official name of SOx is the Public Company Accounting Reform and Investor Protection Act of 2002. It became law in July 2002, with most of the final detailed rules and regulations released by the end of the following year. Its title being a bit long, business professionals refer to it as the Sarbanes-Oxley Act from the names of its principal congressional sponsors. Most generally refer to it today as SOx, SOX, or Sarbox, among many other variations.
SOx introduced a series of totally changed processes for external auditing and gave new governance responsibilities to senior executives and board members. SOx also established the Public Company Accounting Oversight Board (PCAOB), a rule-setting authority under the Securities and Exchange Commission (SEC) that issues financial auditing standards and monitors external auditor governance. As happens with all financial and securities-related federal laws, an extensive set of specific regulations and administrative rules has been developed by the SEC based on the SOx legislation.
U.S. federal laws are organized and issued as separate sections of legislation called Titles, with numbered sections and subsections under each. Much of the SOx legislation contains rules that are not that significant for many business professionals. For example, Section 307 of Title III states that the SEC “shall issue rules” setting forth minimum standards of professional conduct for attorneys appearing and practicing before the SEC. While perhaps good to know, this does not have any enterprise management or IT governance impact. Exhibit 2.1 summarizes the major titles or sections of SOx, although our focus will only be on SOx’s Titles I and IV. Our intent is not to describe all sections of SOx or to reproduce the full text of this legislation—it can be found on the Web2—but to highlight portions of the law that are more significant to interested business professionals. We will start with a discussion of SOx’s Title I, the PCAOB, and the Section 404 rules.
EXHIBIT 2.1 Sarbanes-Oxley Act Key Provisions Summary
Section | Subject | Rule or Requirement
101 | Establishment of PCAOB | Overall rules for the establishment of the PCAOB, including its membership requirements.
104 | Accounting Firm Inspections | Schedule for PCAOB inspections of registered public accounting firms.
108 | Auditing Standards | The PCAOB will accept current standards but will issue its own new auditing standards.
201 | Out-of-Scope Practices | Outlines prohibited accounting firm practices such as internal audit outsourcing, bookkeeping, and financial systems design.
203 | Audit Partner Rotation | The audit partner and the reviewing partner must rotate off an assignment every 5 years.
301 | Audit Committee Independence | All audit committee members must be independent directors.
302 | Corporate Responsibility for Financial Reports | The CEO and CFO must personally certify their periodic financial reports.
305 | Officer and Director Bars | If compensation is received as part of fraudulent or illegal accounting, the benefiting officer or director is required to personally reimburse funds received.
404 | Internal Control Reports | Management is responsible for an annual assessment of internal controls.
407 | Financial Expert | One audit committee director must be a designated financial expert.
408 | Enhanced Review of Financial Disclosures | The SEC may schedule extended reviews of reported information based on certain specified factors.
409 | Real-Time Disclosure | Financial reports must be distributed in a rapid and current manner.
1105 | Officer or Director Prohibitions | The SEC may prohibit an officer or director from serving in another public company if guilty of a violation.
SOx Title I: Public Company Accounting Oversight Board
SOx introduced significant new rules for external auditors. Prior to SOx, the American Institute of Certified Public Accountants (AICPA) had guidance-setting responsibility for all external auditors and their public accounting firms through its overall responsibility for the Certified Public Accountant (CPA) certification. While state boards of accountancy actually licensed CPAs, the AICPA previously had overall responsibility for the profession. External audit standards also were set by the AICPA’s Auditing Standards Board (ASB). Although basic standards—called generally accepted auditing standards (GAAS)—have been in place over the years, newer auditing standards were released as numbered Statements on Auditing Standards (SASs). Much of GAAS was just good auditing practices, such as that accounting transactions must be backed by appropriate documentation, while the SASs covered specific areas requiring better definition. SAS No. 99, for example, covered the consideration of fraud in a financial statement audit. The AICPA’s code of professional conduct required CPAs to follow and comply with all applicable auditing standards.
The AICPA’s GAAS and its numbered SAS standards had been accepted by the SEC, and these auditing rules defined external auditing standards and the tests necessary for an audited financial statement. However, the accounting scandals that led to the passage of SOx signaled that the AICPA-led process of establishing auditing standards was “broken.” SOx took this audit standards-setting process away from the AICPA, which was dominated by the major public accounting firms, and created the PCAOB, a nonfederal, nonprofit corporation with the responsibility to oversee all audits of corporations subject to the SEC.
The PCAOB does not replace the AICPA but assumes responsibility for the external auditing practices for AICPA members. The AICPA continues to administer the CPA examination, with its certificates awarded on a state-by-state basis, and sets auditing standards for U.S. private, non-SEC organizations. While SOx Title I defines PCAOB auditing practices for external auditors, other audit process and corporate governance rules have changed how internal auditors coordinate their work with external auditors. Although SOx Title I contains many new rules, perhaps the three most important to many senior managers are that the PCAOB now has major responsibility for public accounting firms, now sets their external auditing standards, and sets audit standards rules such as workpaper retention. The following paragraphs briefly describe these SOx Title I external audit process rules:
PCAOB administration and public accounting firm registration. The PCAOB is administered through an SEC-appointed board with required membership that is not dominated by CPA and public accounting firm interests. The PCAOB is responsible for overseeing and regulating all public accounting firms that practice before the SEC and for establishing auditing standards.
Auditing, quality control, and independence standards. The PCAOB has the authority to establish auditing and related attestation standards and quality control and ethics standards for registered public accounting firms. SOx recognizes previously issued AICPA auditing standards and has issued a limited number of new standards to date, such as AS5 for the review and evaluation of internal controls. SOx rules further specify that an external auditor’s evaluation must contain a description of material weaknesses as well as any material noncompliance matters found. External auditors are required to update the effectiveness of internal controls, and an absence of this documentation should be considered a weakness of internal controls.
Audit workpapers retention. Workpapers are the documentation prepared by auditors during an audit. PCAOB standard AS3, Audit Documentation, mandates that audit workpapers and other supporting materials should be maintained for a period of not less than seven years. This requirement is certainly in response to an infamous event just prior to the fall of Enron and its then auditor, Arthur Andersen. Enron was still in operation but was under some financial pressures when the SEC announced that it was going to conduct an onsite investigation. Enron’s then external auditor, Arthur Andersen, used an internal firm policy to justify destruction of all but the most current of their Enron audit documentation. This was a motivating factor that led to this SOx rule.
Scope of internal control testing. PCAOB rules require external auditors to describe the scope of both their testing processes and test findings. Prior to SOx, external auditors had sometimes used internal firm policies to justify the most minimal of test sizes, and they frequently tested only a very small number of items despite being faced with very large test populations. If no problems were found, they expressed an opinion for the entire population based on the results of a very limited sample. They now must pay greater attention to the scope and reasonableness of their testing procedures, and the supporting documentation must clearly describe the scope and extent of testing activities.
Title IV: Enhanced Financial Disclosures and Section 404
SOx Title IV is designed to correct some financial reporting disclosure problems, to tighten up conflict-of-interest rules for corporate officers and directors, to mandate a management assessment of internal controls, to require senior officer codes of conduct, and other matters. There is a lot of material here, but the most significant nugget for most senior managers is Section 404 on Management’s Assessment of Internal Controls. SOx requires that all annual 10K reports must contain an internal controls report stating management’s responsibility for establishing and maintaining an adequate system of internal controls as well as management’s assessment, as of the fiscal year ending date, on the effectiveness of those installed internal control procedures. This is what has popularly been known as the Section 404 rules. Internal and IT auditors, outside consultants, or even the management team—but not the external auditors—have the responsibility to review and assess the effectiveness of their internal controls, and external auditors are then to attest to the sufficiency of these internal control reviews built and controlled by management.
Section 404 reviews are supported by the AS5 standards discussed later in this section and are particularly important to internal auditors because the rules specify that external auditors may elect to use the work of internal auditors in their internal control reviews.
SOx Section 404 rules state that an enterprise is responsible for reviewing, documenting, and testing its own internal accounting controls, with those review results then passed on to the enterprise’s external auditors, who are charged with reviewing and attesting to that work as part of their review of the reported financial statements. When SOx first became law, Section 404 reviews were a major point of concern for many enterprises because external auditors were following a very detailed set of financial accounting audit procedures defined in the earlier PCAOB Auditing Standard No. 2 (AS2) that required a very detailed review approach that did not give any allowances for small errors or omissions. Section 404 auditing rules subsequently have changed with the release of AS5 in 2007, a more risk-based audit approach that also allows external auditors to better use the work of internal auditors in their assessments.
Section 404 Internal Controls Assessments
Management always has had the overall responsibility for designing and implementing internal controls over their enterprise’s operations. Although the standards for what constituted good internal controls were not always very well defined in the past, they have remained a fundamental management concept. SOx Section 404 requires an annual internal controls report, with the following information elements, as part of an SEC-mandated Form 10K annual report:
• A formal management statement acknowledging the enterprise’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
• An assessment, as of the end of the most recent fiscal year, of the effectiveness of the enterprise’s internal control structure and procedures for financial reporting.
In addition, the external audit firm that issued the supporting audit report is required to review and report on management’s assessment of its internal financial controls. Simply put, management is required to report on the quality of their internal controls, and their public accounting firm must audit or attest that management developed an internal controls report in addition to their normal financial statement audit. Management has always been responsible for preparing their periodic financial reports, and the external auditors then audited those financial numbers and certified that they were fairly stated. With SOx Section 404, management is responsible for documenting and testing their internal financial controls as well as to report on their effectiveness. External auditors then review the supporting materials leading up to that internal financial controls report to assert that the report is an accurate description of the internal control environment.
To the non–financial statement auditor and certainly to many senior business executives, this might appear to be an obscure or almost trivial requirement. Even some internal auditors who primarily perform operational audits may wonder about the nuances in this process. However, audit reports on the status of internal controls have been an ongoing issue between external auditors, the SEC, and other interested parties going back to at least 1974. Much of the problem then was that there was no recognized definition for what is meant by internal controls. The COSO internal control framework discussed in Chapter 4 describes an accepted standard for understanding internal controls. Under SOx Section 404, management is required to report on the adequacy of their internal controls, with their external auditors attesting to the management-developed internal control reports.
This process follows a basic internal control such as the importance of maintaining a separation of duties where the person who develops transactions should not be the same person who approves them. Under Section 404 procedures, the enterprise builds and documents its own internal control processes, then an independent party such as internal audit reviews and tests those internal controls, and finally the external auditors review and attest to the adequacy of this process. Their financial audit procedures will be based on these internal controls. This Section 404 process improves things from pre-SOx days when external auditors frequently built, documented, and then audited their own internal controls—a separation-of-duties shortcoming.
Identifying Key Processes to Launch a Section 404 Compliance Review
Whether based on IT systems or primarily manual procedures performed on a regular basis, every enterprise has basic processes that are normally considered in terms of their basic accounting cycles, including:
• Revenue cycle. Processes dealing with sales or other enterprise revenue.
• Direct expenditures cycle. Expenditures for material or direct production costs.
• Indirect expenditures cycle. Operating costs that cannot be directly tied to production activities but are necessary for overall business operations.
• Payroll cycle. Covers all personnel compensation.
• Inventory cycle. Although inventory will eventually be applied as direct production expenditures, time-based processes are needed for holding inventory until applied to production.
• Fixed assets cycle. Property and equipment require separate accounting processes, such as periodic depreciation accounting over time.
• General controls IT cycle. This set of processes covers IT controls that are general or applicable to all IT operations.
The identification of these key enterprise processes is an initial Section 404 compliance step, and an enterprise should document, understand, and test all of these “key processes.” For many enterprises, these are prime systems and supporting IT processes that have been reviewed through annual external audit reviews.
Internal Audit’s Role
Even though SOx does not give specific responsibilities to internal audits, they are an important resource for the completion of Section 404 internal control assessments. Under SOx, a separate and independent function within the enterprise—often internal or IT audit—reviews and documents the internal controls covering key processes, identifies key control points, and then tests those identified controls. External audit would then review that work and attest to their adequacy. For many enterprises, IT audit can be a key resource for performing these internal controls reviews for technology-based processes.
Senior financial management and the audit committee should work with the enterprise’s external auditors to define responsibilities for their Section 404 internal control reviews. They are performed on an annual process, with documentation prepared and tested in the first year, then updated and retested in future periods. All parties should develop a cost-effective approach to achieve these SOx requirements and assess their IT applications and controls.
SOx Section 404 reviews should be planned and conducted similarly to many new IT projects, as discussed in Chapter 19 on internal audit’s IT governance role. Exhibit 2.2 outlines some planning considerations for a Section 404 internal control review to be performed by an enterprise’s internal auditors, who can play a major role in helping senior management establish Section 404 compliance. Our objective is not to provide internal audit guidance but to give a senior manager an idea of these IT internal audit processes.
EXHIBIT 2.2 Planning Considerations for a Section 404 Internal Control Review
1. Determine status of review—Is this the first round of Section 404 reviews for the entity or a subsequent-year follow-up?
2. If a new review, follow the work steps to understand, document, and test key processes. Otherwise, plan for a subsequent-period review.
3. Review the detailed documentation covering prior 404 reviews, including process flow charts, internal control gaps identified and remediated, as well as overall project planning documentation for prior review.
4. Review any recently published PCAOB rules covering Section 404 reviews and related auditing changes, and adjust review procedures to reflect those changes.
5. Meet with the external audit firm responsible for the current Section 404 attestations and determine if there are any changes in documentation and testing philosophy, with an emphasis on AS5 rules, from that prior review.
6. Consider any organization changes since the past review, including acquisitions or major reorganizations, and modify review coverage, if necessary.
7. Through meetings with senior and IT management, identify if new systems or processes have been installed over the past period and if those new changes have been reflected in updated documentation.
8. Review any internal control weaknesses identified in the past review and assess whether internal control corrections reported as installed appear to be working.
9. Assess the status of existing Section 404 documentation and determine the extent of new documentation preparation necessary.
10. Assuming the prior Section 404 review was done by internal audit, determine that appropriate knowledgeable trained resources are available to perform the upcoming review.
11. Interview all parties involved in the prior Section 404 review exercise to assess any lessons learned and develop plans for corrective actions in the upcoming review.
12. Based on discussions with external auditors and senior management, determine scope materiality parameters for the upcoming review.
13. Determine that the software, if any, used to document prior review is still current, and make any changes necessary to have adequate tools in place to perform the upcoming review.
14. Prepare a detailed project plan for the upcoming Section 404 review, with considerations given to coordination of review activities at business entity units and external auditors.
15. Submit plan for approval by senior management.
AS5 Rules and Internal Audit
Shortly after SOx became law in the United States, the PCAOB released its AS2 guidance that called for external auditors to take very conservative and detailed approaches on their audits of financial statements. AS2 mandated a “look-at-everything” detailed audit approach, and enterprise external audit bills became much more expensive in those first SOx years. However, there were frequent complaints by industry leaders and others, with a general consensus that AS2 needed some revisions. The SEC and the PCAOB agreed to revise AS2, and AS5 was issued in late May 2007.
AS5 is a set of standards for the external auditors who review and certify published financial statements, and these rules are also important for internal auditors as well. AS5 introduces risk-based rules with an emphasis on the effectiveness of internal controls that are more oriented to enterprise facts and circumstances. In addition, AS5 calls for external auditors to consider including reviews of appropriate internal audit reports in their financial statement audit reviews. It allows external auditors to place more emphasis on management’s ability to establish and document key internal controls.
AS5 rules are particularly important for internal auditors because external auditors can rely on the work of internal auditors in their Section 404 assessments. AS5 has three broad objectives:
1. Focus internal control audits on the most important matters. AS5 calls on external auditors to focus their reviews on areas that present the greatest risk that an internal control will fail to prevent or detect a material misstatement in financial statements. This approach calls for external auditors to focus on identifying material weaknesses in internal control in their audits, before they result in material misstatements of financial statements. AS5 also emphasizes the importance of auditing higher-risk areas, such as the financial statement period-end close process and controls designed to prevent fraud by management. At the same time, this standard provides external auditors a range of alternatives for addressing lower-risk areas, such as by more clearly demonstrating how to calibrate the nature, timing, and extent of testing based on risk, as well as how to incorporate knowledge accumulated in previous years’ audits into the auditors’ assessment of risk. Also and very important to internal auditors, AS5 allows external auditors to use the work performed by an enterprise’s internal auditors when appropriate.
2. Eliminate audit procedures that are unnecessary to achieve their intended benefits. AS5 does not include the previous AS2 standard’s detailed requirements to evaluate management’s own evaluation process and clarifies that an internal control audit does not require an opinion on the adequacy of management’s processes. For example, AS5 focuses on the multilocation dimensions of risk in an enterprise and reduces requirements that external auditors should test a “large portion” of an enterprise’s operations or financial positions. This should allow a reduction in financial audit work.
3. Make the financial audit clearly scalable to fit the size and the complexity of any enterprise. In order to provide guidance for audits of smaller, less complex companies, AS5 calls for tailoring internal control audits to fit the size and complexity of the enterprise being audited. The standard has guidance on how to apply AS5 to smaller, less complex enterprises as well as the units of larger enterprises.
Following AS5, external auditors may consider using the work of others to help perform their SOx financial statement internal control audits. While this was not very well defined under previous SOx AS2 rules, AS5 now explicitly allows it. AS5 states that an external auditor may use the work performed by, or receive direct assistance from, internal auditors, other company personnel, or third parties working under the direction of management or the audit committee, to provide evidence about the effectiveness of financial reporting internal controls. This was a major change for internal auditors.
Of course, the external auditors are signing off on or attesting to the audit results, and they must assess the competence and objectivity of the persons whose work they plan to use. The higher the degree of competence and objectivity of others, the greater use an auditor may make of their work. In particular, AS5 calls for an assessment of the competence and objectivity of the internal auditors at an enterprise. Competence means the attainment and maintenance of a level of understanding and knowledge that enables persons to perform the tasks assigned to them, and objectivity means the ability to perform those tasks impartially and with intellectual honesty. To assess competence, an external auditor should evaluate the qualifications and ability of the internal auditors or others to perform the work the external auditor plans to use. To assess objectivity, AS5 calls for an external auditor evaluation of whether factors are present that either inhibit or promote a person’s ability to perform with the necessary degree of objectivity the work the auditor plans to use.
AS5 goes on to state that external auditors should not use the work of persons who have “a low degree of objectivity, regardless of their level of competence,” and also should not use the work of persons who have a low level of competence regardless of their degree of objectivity. Personnel whose core function is to serve as a testing or compliance authority at an enterprise, such as internal and IT auditors, normally are expected to have greater competence and objectivity in performing the type of work that will be useful to the external auditor. This is an area where the audit committee and senior management may want to challenge their external auditors if they see no role for internal audit in this financial statement audit planning process.
OTHER SOx RULES—TITLE II: AUDITOR INDEPENDENCE
Internal and external auditors have historically been separate and independent resources. External auditors were responsible for assessing the fairness of an enterprise’s internal control systems and the resultant published financial reports, while internal auditors served management in a wide variety of other areas. In the early 1990s, this separation began to change, with external audit firms taking overall responsibility for some internal audit functions as well. This started when larger enterprises began to “outsource” some of their noncore functions such as the employee cafeteria or a plant janitorial function. The thinking was that employees who worked in these specialized areas were not really part of core enterprise operations, and an enterprise’s janitorial function or other noncore functions might be “outsourced” to another company that specialized in areas such as janitorial services for many other enterprises. The previous in-house janitors would then be transferred to the janitorial services company and, in theory, everyone would benefit. The enterprise that initiated the outsourcing would experience lower costs by giving a noncore function, janitorial services, to someone who better understood it. The outsourced janitor, in this example, also might have both better career possibilities and better supervision.
Internal audit outsourcing first got started in the late 1980s. External audit firms went to their client firm’s management and offered to “outsource” or take over existing internal audit functions. The idea appeared to make sense to senior management and audit committees on many levels. Senior management often did not really understand the distinctions between the two external and internal audit functions and were sometimes more comfortable with their external auditors. In addition, senior management and audit committee members were often enticed by the promised lower costs of internal audit outsourcing, and internal audit outsourcing continued to grow through the 1990s. Although a few independent firms made efforts to get into this market, internal auditor outsourcing continued to be the realm of the major public accounting firms.
Internal audit outsourcing became very much of an issue in the Enron scandal, its internal auditor function having been almost totally outsourced to its external audit firm, Arthur Andersen. The two audit groups, both officially Andersen employees with different reporting relationships, worked side by side in Enron’s offices. After Enron’s fall, many raised after-the-fact questions about how that outsourced internal audit department could have been independent of Andersen. It would have been very difficult in this environment for internal audit to raise concerns to the audit committee about their external auditors. This potential conflict became a reform issue for SOx.
Limitations on External Auditor Services
SOx has made it illegal for a registered public accounting firm to contemporaneously perform both audit and non-audit services at a client. The prohibitions include internal auditing, many areas of consulting, and senior officer financial planning. The most significant element here is that it is illegal for a registered public accounting firm to provide internal audit outsourcing services if it is also doing the audit work. This means that the major public accounting firms are now essentially out of the internal audit outsourcing business for their direct audit clients. Other firms, including independent spin-offs from public accounting firms or specialized internal audit consulting firms, can still provide internal audit outsourcing, but the era when an internal audit professional became a contractor or employee of his or her public accounting firm is over.
In addition to the ban on providing outsourced internal audit services, SOx prohibits public accounting firms from providing other services, including:
• Financial information systems design and implementations. Public accounting firms had been installing financial systems—often of their own design—at clients for many years. They were then coming back and reviewing the internal controls of the systems they had just installed—a significant conflict of interest. This is no longer allowed.
• Bookkeeping and financial statement services. Public accounting firms previously offered accounting services to their clients in addition to doing the audits. Even for major corporations, it was not unusual for the team responsible for the overall financial statement audit to also do much of the work necessary in building the final consolidated financial statements. Again a potential conflict of interest, this is not allowed.
• Management and human resources functions. Prior to SOx, external audit firms often identified professionals from their own firms and helped move them to client management positions. The result was an environment where virtually all of the accounting managers in an enterprise often were alumni of their external auditors. This was sometimes frustrating for internal auditors or others who were not from that same public accounting firm. Avenues for promotion above certain levels seemed limited because of “old-boy” network connections with the external audit firm.
• Other prohibited services. SOx specifically prohibits external audit firms from offering actuarial services, investment advisory services, and audit-related legal services, although tax services are allowed.
The overall SOx theme here is that external auditors are authorized to audit the financial statements of their client enterprises, and that is about all. SOx allows that beyond the prohibited activities listed, external auditors can engage in other non-audit services only if those services are approved in advance by the audit committee. With the increased scrutiny of audit committees under SOx, many are typically wary of approving anything that appears to be at all out of the ordinary.
Audit Committee Preapproval of Services
Section 202 of SOx’s Title I specifies that the audit committee must approve all audit and non-audit services in advance. While audit committees have or should have been doing this all along, that approval was often little more than a formality prior to SOx. Audit committees in the “old days” often received little more than a brief written and/or verbal report from a responsible audit department that was approved in the same perfunctory manner that business meeting minutes are often approved. SOx changed all of this, and audit committee members can now expose themselves to criminal liabilities or stockholder litigation for allowing a prohibited action to take place.
Of course, there are many minor matters regarding external auditor activities that should not have to go through this formal audit committee advance approval process. Using legal terminology, SOx sets de minimis (see Note 3) exception rules for these audit committee permission requirements. Per SOx, preapproval is not required for some non-audit services if:
• The aggregate dollar value of the service does not exceed 5 percent of the total external audit fees paid by the enterprise during the fiscal year when the services were provided.
• The services were not recognized as non-audit service by the enterprise at the time the overall audit engagement was initiated.
• These services are brought to the attention of the audit committee and approved by it prior to the completion of the audit.
These exceptions give the external auditors and the audit committee some flexibility. However, the nature and accumulated dollar value of these additional non-audit services must be carefully monitored throughout the course of a fiscal year to maintain a level of compliance. Internal audit should become involved in this process to help ascertain that all provided extra services continue in compliance with the SOx rules, including disclosure to investors through the annual proxy statement. SOx does allow that the audit committee may delegate this non-audit services preapproval authority to one or more of the outside directors on the audit committee. This would relieve the strain of lengthy audit committee business matters, but put even more responsibility on a few audit committee members over and above the many new legal responsibilities mandated by SOx.
External Audit Partner Rotation
Another section of Title II makes it unlawful for a public accounting firm lead partner to head a specific engagement for over five years. This is a matter that the major public accounting firms had corrected well before SOx. Lead partners from the major firms had been rotated on a regular basis, although there may have been exceptions with smaller firms and smaller engagements. While lead partner rotation had been common, SOx makes the failure of a firm to rotate a criminal act. However, SOx does not really address the common practice in audit partner rotation where a given person will play the lead on an audit and then continue to serve in an advisory role after his or her term. That advisory role partner can often maintain the same level of responsibility as the designated lead partner and could become a potential violation of SOx rules.
As this book goes to press, there are rumors or comments that the PCAOB is considering requiring full public accounting firm rotation. At present, partners may rotate but the firm remains unchanged. The thinking is that a new firm will provide enterprise management with a new perspective on the audit process.
External auditors have always communicated regularly with their audit committees in the course of the audit engagement, as well as for any other matters of concern. In the aftermath of Enron and the other corporate scandals at that time, it was discovered that this communication was sometimes very limited. A member of management might negotiate a “pass” from the public accounting partner on a suggested accounting treatment change, but the matter was only reported to the audit committee in the most general of terms, if at all.
SOx has changed this. External auditors are required to report on a timely basis all accounting policies and practices used, alternative treatments of financial information discussed with management, the possible alternative treatments, and the approach preferred by the external auditor. The whole idea here is that external auditors must report to their audit committee any alternative accounting treatments, the approach preferred by the external auditors, and management’s approach. This really says that if there are disputed accounting treatments, the audit committee should be made well aware of the actions taken. This requirement really points to the need for good audit committee documentation.
Conflicts of Interest and Mandatory Rotations of External Audit Firms
It had once been common for members of the external audit firm team to get job appointments for senior financial positions at their audit clients. SOx Title II, Section 206, prohibits external auditors from providing any audit services to a firm where the chief executive officer (CEO), chief financial officer (CFO), or chief accounting officer participated as a member of that external audit firm on the same audit within the last year. This really says that an audit partner cannot leave an audit engagement to begin working as a senior executive of the same firm that was just audited. While staff members and managers can still move from the public accounting firm team to various positions in the auditee enterprise, this prohibition is limited to public accounting partners. There were some outrageous examples of this switching of roles as part of all of the news about Enron.
SOx TITLE III: CORPORATE RESPONSIBILITY
SOx’s Title III regulations contain major regulatory rules for audit committees and prescribe audit committee performance standards and a large set of corporate governance rules. Under SOx, all registered enterprises must have an audit committee composed of only independent directors. The firm’s external audit firm is to report directly to the audit committee, which is responsible for their compensation, oversight of the audit work, and the resolution of any disagreements between external audit and management. While major U.S. corporations have had audit committees, these rules were tightened from the past traditional practices. For example, while internal audit departments have had an often weak reporting relationship to their audit committees in past years, SOx has made this reporting link much stronger and more active.
Each member of the board’s audit committee must be a totally independent director, and at least one member of the audit committee must be a “financial expert.” These rules were introduced because in the hearings that led up to the enactment of SOx, it was discovered that some of Enron’s audit committee members did not appear to understand many of the financial transactions they were being asked to review and approve. SEC regulations define a “financial expert” as a person who, through education and experience, has:
• An understanding of generally accepted accounting principles and financial statements;
• Experience applying such generally accepted accounting principles in connection with the accounting for estimates, accruals, and reserves that are generally comparable to the estimates, accruals, and reserves, if any, used in the registrant’s financial statements;
• Experience preparing or auditing financial statements that present accounting issues that are generally comparable to those raised by the registrant’s financial statements;
• Experience with internal controls and procedures for financial reporting; and
• An understanding of audit committee functions.
These rules do not require any stiff certifications, academic backgrounds, or other qualification. They just say that members of an audit committee must present themselves as having some level of knowledge on accounting, financial reporting, and internal control issues. In some respects, an audit committee member is being asked to put herself or himself in the potential line of fire if the enterprise is ever questioned regarding some financial or internal control decision.
The SOx legislation also calls for audit committees to establish procedures to receive, retain, and treat complaints and handle whistleblower information regarding questionable accounting and auditing matters. This really says that an audit committee must become, in effect, an almost separate ongoing entity rather than a subset of the traditional board that flies to some location and meets quarterly. While this is a nice-sounding idea, most audit committee functions do not have the supporting resources to handle an enterprise-level whistleblower function, something that is often the responsibility of an enterprise’s corporate-level ethics function. Despite the words in the SOx legislation, audit committee–level whistleblower functions today are run on essentially an ad hoc basis.
Prior to SOx, U.S. enterprises filed their financial statements with the SEC and published the results for investors, but the responsible corporate officers who “signed” or authored those reports were not personally responsible. The bar has now been raised. The CEO, the principal financial officer, or other persons performing similar functions must certify each annual and quarterly report filed. The signing officer, as part of what is referred to as Section 302, must certify that:
• The signing officer has reviewed the report.
• Based on that signing officer’s knowledge, the financial statements do not contain any materially untrue or misleading information.
• Again based on the signing officer’s knowledge, the financial statements fairly represent the financial conditions and results of operations of the enterprise.
• The signing officer is responsible for:
  • Establishing and maintaining internal controls.
  • Having designed these internal controls to ensure that material information about the enterprise and its subsidiaries was made known to the signing officer during the period when the reports were prepared.
  • Having evaluated the enterprise’s internal controls within 90 days prior to the release of the report.
  • Having presented in these financial reports the signing officer’s evaluation of the effectiveness of these internal controls as of that report date.
• The signing officer should disclose to the external auditors, the audit committee, and other directors any significant deficiencies in the design and operation of internal controls that could affect the reliability of the reported financial data, and confirm that these have been disclosed to the enterprise’s auditors.
• The signing officer should also indicate whether there were changes to internal controls, or other changes that could significantly impact those controls, including corrective actions, subsequent to the date of the internal control evaluation.
Given that SOx imposes potential criminal penalties of fines or jail time on individual violators of the act, this personal sign-off requirement places a heavy burden on responsible corporate officers. Corporate officers must take all reasonable steps to make certain that they are in compliance.
This personal sign-off requirement has raised major concerns from corporation CEOs and CFOs and causes a major amount of additional work for the accounting and finance staffs preparing these reports as well as signing officers. The enterprise needs to set up detailed paper-trail procedures such that the signing officers are comfortable that effective processes have been used and the calculations to build the reports are all well documented. An enterprise may want to consider using an extended sign-off process where staff members submitting the financial reports sign off on what they are submitting. Exhibit 2.3 is an example of an officer disclosure sign-off type of statement that officers will be requested to sign. While this exhibit is not an official PCAOB form, it is based on SEC documents, showing the types of things an officer will be asked to certify. We have highlighted a couple of phrases in Exhibit 2.3 in bold italics. Under SOx, the CEO or CFO is asked to personally attest to these types of representations and could be held criminally liable if incorrect. While the officer is at risk, the support staff—including internal audit—should take every step possible to make certain that the package presented to the senior officer is correct.
EXHIBIT 2.3 SOx Officer Disclosure Sign-off
CERTIFICATE OF EMPLOYEE REGARDING SARBANES-OXLEY COMPLIANCE
Certification: Understanding that we intend to rely upon these statements, the undersigned hereby certifies, represents, and warrants to each of them and to the Company as follows:
1. I have read those portions of the accompanying draft of the covered filing that relate directly to the scope of my responsibilities as an employee of the Company (the “certified information”).
2. Based on my knowledge, the certified information, as of the end of the period covered by such filing, did not contain an untrue statement of a material fact or omit to state a material fact necessary to make the statements therein, in light of the circumstances under which they were made, not misleading.
3. Based on my knowledge, to the extent of the scope of the certified information, the certified information fairly presents, in all material respects, the financial condition, results of operations, and cash flows of the Company as of the close of and for the period presented in the covered filing.
4. I am not aware of any deficiencies in the effectiveness of the Company’s disclosure controls and procedures that could adversely affect the Company’s ability to record, process, summarize, and report information required to be disclosed in the covered filing.
5. I am not aware of any significant deficiencies or material weaknesses in the design or operation of the Company’s internal controls that could adversely affect the Company’s ability to record, process, summarize, and report financial data.
6. I am not aware of any fraud, whether or not material, that involves the Company’s management or other employees who have a significant role in the Company’s internal controls.
Signature: ______________ Dated this _______ day of ___________, 20xx. Print Name: Title:
TITLE IV: ENHANCED FINANCIAL DISCLOSURES
This title of SOx is designed to correct some financial reporting disclosure problems, to tighten up conflict-of-interest rules for corporate officers and directors, to mandate a management assessment of internal controls, to require senior officer codes of conduct, and other matters. There is a lot of material here. Many unexpected bankruptcies and sudden earnings failures about the time of the Enron failure around 2002 were attributed to extremely aggressive, if not questionable, financial reporting. With the approval of their external auditors, companies pushed to the limits and often used such tactics as issuing questionable pro forma earnings to report their results or moved the corporate headquarters offshore to minimize taxes. While these tactics were previously allowed at that time through generally accepted accounting principles (GAAP), international financial reporting standards (IFRS), and some existing laws, SOx changed many rules here and made these financial disclosure tactics difficult to use or illegal.
In a common tactic at that time, what were called pro forma financial reports were frequently used to present an “as-if” picture of a firm’s financial status by leaving out nonrecurring earnings expenses such as restructuring charges or merger-related costs. However, because there is no standard definition and no consistent format for reporting pro forma earnings, depending on the assumptions used, it was possible for an operating loss to become a profit under pro forma earnings reporting. The problem with two sets of numbers is that investors and the press frequently ignore the GAAP numbers, focusing on the more favorable pro forma results. SOx-mandated rules require that pro forma published financial statements must not contain any materially untrue statements or omit any fact that makes the reports misleading. Further, the pro forma results also must reconcile to the financial conditions and results of operations under GAAP.
Perhaps the major issue that brought Enron down was a large number of off-balance-sheet transactions that, if consolidated with regular financial reports, would have shown major financial problems. Once they were identified and included with Enron’s other financial results, their disclosure pushed Enron toward bankruptcy. SOx now requires that quarterly and annual financial reports must disclose all such off-balance-sheet transactions that may have a material effect on the current or future financial reports. These transactions may include contingent obligations, financial relationships with unconsolidated entities, or other items that could have material effects on operations. The final rules here, after passage of SOx, require an enterprise to provide an explanation of its off-balance-sheet arrangements in a separately captioned subsection of the “Management’s Discussion and Analysis” (MD&A) section of the annual Form 10-K.
Expanded Conflict-of-Interest Provisions, Disclosures, and Codes of Ethics
The hearings that led to the passage of SOx often pictured corporate officers and directors as a rather greedy lot. In arrangements that frequently appeared to be conflicts of interest, large relocation allowances or corporate executive personal loans were granted and subsequently forgiven by corporate boards. A CEO, for example, who requests the board to grant his CFO a large personal “loan” with vague repayment terms and the right to either demand payment or forgive certainly creates a conflict-of-interest situation. Although a series of exceptions are allowed, SOx makes it unlawful for any corporation to directly or indirectly extend credit, in the form of a personal loan, to any officer or director.
As an important element of enterprise governance, SOx requires that corporations must adopt a code of ethics for their senior financial officers and disclose compliance with this code as part of their annual financial reporting. While SOx has made this a requirement for senior officers, employee codes of ethics or conduct have been in place in some enterprises for many years. They evolved to more formal ethics functions in larger corporations in the early 1990s, but were often established for employees and supervisors rather than for corporate officers. These codes defined a set of rules or policies that were designed to apply for all employees and covered such matters as policies on the protection of company records or on gifts and other benefit issues.
With a growing public concern about the need for strong ethical and governance practices, many enterprises have appointed an ethics officer to launch such an initiative, with a code of conduct as a first step. SOx does not address the content of these enterprise-wide codes of ethics, but focuses on the need for the same standards for senior officers as for all employees in the enterprise. SOx specifically requires that an enterprise’s code of ethics or conduct for its senior officers must reasonably promote:
• Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
• Full, fair, accurate, timely, and understandable disclosure in the enterprise financial reports; and
• Compliance with applicable governmental rules and regulations.
If an enterprise has a code of conduct, management should assure that this code applies to all members of the enterprise, is consistent with SOx, and that these ethical rules are communicated to all members of the enterprise, including the officers. The key governance issue here is making sure that the existing code of conduct covers the above SOx rules, that it has been communicated to senior management, and that these officers have agreed to comply with it. While SOx compliance processes must be established just for senior officers, this is the ideal time to launch an ethics function throughout the enterprise that applies to senior management and to all employees as well.
Not just a SOx legal requirement, a strong set of ethical standards can get an enterprise through a crisis situation and help it move in the right direction. A motivation for SOx and its strong provisions in these areas was the perception that certain corporate officers were operating on the basis of personal gain with no consideration for strong ethical values as evidenced by correct and accurate financial reporting. SOx’s ethical requirements can help any enterprise to better set itself up for improved governance and ethical business conduct practices.
Other SOx Rules and Requirements
SOx also includes a large and complex set of rules covering such areas as audit committee governance requirements, security analyst conflicts of interest, and other financial disclosure rules. It is not our objective to provide a detailed summary of the overall legislation and its provisions. From the perspective of enterprise and IT governance, an understanding of Section 404 and some of the other issues highlighted in this chapter are perhaps the most significant. A more detailed general description of SOx can be found in this author’s previously referenced book on SOx.
Passed as a U.S. law in the early 1990s, SOx is an important item of legislation that has since changed many aspects of financial reporting, internal control practices, and enterprise governance. Although some elements of SOx have changed since its original passage and its requirements did not really gather much additional compliance attention, most aspects of SOx are still active and applicable. The major area of change was the release of AS5, discussed previously, an auditing standard that prescribed a more risk-based approach to reviewing and assessing internal controls. SOx originally contained some whistleblower rules that allowed staff members to independently report potential financial fraud, with rewards for savings going to the person reporting. Though it was originally assumed that this would cause a storm of litigation, there has not been much if any SOx activity in this area since its passage.
Although many of its details will be handled by financial management as well as the external and internal auditors, today’s business executive should have a good general understanding of SOx rules and requirements. The general description of SOx included in this chapter should help today’s business executive to better understand SOx and its importance in IT governance.
WHAT IS IT GOVERNANCE?
As highlighted in the introduction to this chapter, the discipline of IT governance is a subset and very important element of overall enterprise governance issues. There is no single accepted definition of IT governance, and an Internet search shows that IT governance means different things to different people:
• IT governance is often used to describe the processes for deciding how money for IT resources should be spent. This IT governance process includes the prioritization and justification of IT investments. It includes controls on spending such as budgets and authorization levels.
• IT governance is often used to describe many different aspects of IT changes. At the low level, it is sometimes used to describe project management and control of a portfolio of IT-related projects, as described in Chapter 16.
• IT governance is used to make sure that IT change processes comply with regulatory requirements, both governmental laws and rules as well as professional standards.
• IT governance is the process of aligning IT change and expenditure to business requirements and expenditures. Sometimes it also covers the deployment of IT staff.
• IT governance is also used to describe the management and control of IT services. For example, service level agreements (SLAs), discussed in Chapter 17, are used to define levels of service that are acceptable to business, and then used as a basis for monitoring services.
• IT governance makes sure that day-to-day problem solving and support of all IT resources are aligned to business needs.
IT governance deals primarily with the connection between an enterprise’s business focus and the IT-related management and operation of the enterprise. The concept highlights the importance of IT-related matters and emphasizes that strategic IT decisions should be owned by the most senior levels of corporate management, including the board of directors, rather than just IT management such as the chief information officer (CIO). IT governance concepts have really evolved since the earlier days of IT when senior management often handed over the authority and funding of IT operations to specialists with such titles as chief information officer (CIO) but did not aggressively manage IT resources from an overall management perspective.
The results of this process were some really outstanding IT processes that transformed many leading enterprises worldwide and improved their efficiency and profitability. However, over those same years many other enterprises experienced some massive IT systems failures because of poor project planning, cost overruns, failures by the business and IT to understand IT issues, and other matters. For example, a 2002 Gartner survey found that 20 percent of all expenditures on IT are wasted, a finding that represents, on a global basis, an annual destruction of value totaling about $600 billion, and an IBM survey in 2004 of Fortune 1000 CIOs found that, on average, CIOs believe that 40 percent of all IT spending brought no return to their organization.4 In recent years, other surveys have consistently revealed that 20 to 70 percent of large-scale investments in IT-enabled change are wasted, challenged, or fail to bring a return to their enterprise. All of this points to the need for strong systems of enterprise IT governance. Rather than arguing which is the correct definition of IT governance, enterprise senior managers should look at the similarities. In virtually every case, governance involves a mix of the following:
• Control of all aspects of IT work.
• Coordination between different pieces of IT-related work, such as new systems development and IT infrastructure support.
• Measurement of the outcomes of IT systems and processes.
• Compliance with internal IT policies or regulations.
• Justification of the spending for all IT resources.
• IT and enterprise-wide accountability and transparency.
• Strong connections with the needs of IT customers, the broader enterprise, and other stakeholders.
Many of these IT governance issues concern the qualities of IT systems themselves, including newer technology issues, legacy systems using old technologies, security, documentation, and many other areas. Tackling these IT governance issues is not primarily a technical problem but a management issue.
A very general theme of the IT governance issues in this chapter and others going forward is that an enterprise’s IT resources and capabilities can no longer be something the business side of the enterprise doesn’t understand, and also that IT must understand the business and its needs. Major IT issues should be an issue for board-level executives, even though because of the technical nature of IT some key decisions may be left to IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers, and related areas such as finance have the necessary input into the decision-making process.
The chapters following discuss many aspects and considerations of IT governance. They will generally focus on enterprise risk issues, IT governance issues, legislative and regulatory issues, security issues, and internal as well as external threats impacting IT governance.
All of the IT governance objectives fit into an overall model, as shown in Exhibit 2.4. IT governance is bounded by performance management, strategic alignment, risk management, and value delivery concepts. In order to implement these, there is a need for strong policy and compliance practices, performance and risk management processes, and an overall understanding of appropriate value delivery. Exhibit 2.4 shows these concepts at a high level, but they will be referenced further in later chapters.
EXHIBIT 2.4 IT Governance Objectives
IT Governance Enterprise Risk Issues
Every enterprise faces a wide range of risks, including enterprise business operations, the business and related market factors, general economic conditions, and an endless list of other enterprise risk factors. Although the objective of this book is not to fully introduce and discuss all aspects of enterprise-wide risk management and what is known as the COSO enterprise risk management (ERM) framework,5 many aspects of overall enterprise risk management are particularly important for effective IT governance practices. Chapter 4 will provide more information on COSO.
In order to have effective IT governance practices, an enterprise needs to have an effective program for assessing and managing overall risks, significant risks within an enterprise, and specific risks facing IT operations. Exhibit 2.5 outlines some IT governance risk issues and summarizes some effective strategies for managing those risks.
EXHIBIT 2.5 IT Governance Risk Issues
Enterprise Risk Requirements, with Risk Activation Strategies:
• Understanding Enterprise Risk Appetite: When faced with alternative potential risks, an enterprise should understand how great a risk, and what level of risk, it is willing to assume. When management is willing to accept riskier ventures, the enterprise is viewed as having a high appetite for risk.
• Understanding Risk Acceptance: An enterprise will face many risks, but there should be a clear understanding of what enterprise unit will accept or take responsibility for each risk.
• Ensuring the Correct People Are Involved: Organizational unit responsibilities should be assigned for all identified risks. A unit should recognize that it is responsible for taking appropriate actions if a risk occurs.
• Accepting Residual Risks: In an accounting or audit perspective, residual risk is the possibility that an auditor will not catch a material misstatement in a client’s financial report and will mistakenly give an unqualified opinion. In a similar sense, management may not recognize the implications of a risk and accept the risk or give things a pass.
• Understanding Control Selection Processes: An enterprise needs to understand the costs and implications of various controls that it may establish as a response to various identified risks.
• Understanding the Costs of Risk Event Remediation: An enterprise will face many risks, but it should have a clear understanding of the costs to remediate various things if identified risks occur.
• Establishing a Clear Risk Mitigation Strategy: An enterprise should have a defined and well-reasoned strategy of what actions to take if an IT-related risk occurs.
• Understanding Control Selection Processes: There are many considerations if an IT risk occurs. The enterprise should develop appropriate controls that will correct these risks in an effective manner.
Senior managers are often faced with high or low extremes when accepting and managing many types of IT risks. A systems password to control access to IT resources is a good example here. On one end of things, the not-very-IT-literate manager may want a very simple and easy-to-remember password system, such as just three letters that often become one’s initials as well as one digit. A Mary Anne Jones could then just use MAJ1 as her systems password, with the single-digit number changing from time to time when passwords change. This is an easy-to-remember, and easily breached, password system.
IT security specialists usually advocate going the other direction in establishing password standards, often a combination of eight or more upper- and lowercase letters, plus numerals and special characters, that all require periodic revision. This can create a much more secure atmosphere, except that many may have trouble recalling these difficult-to-remember passwords and will post them with sticky notes on their computer consoles.
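The two extremes above can be put in numbers. The following is an added example, not code from the book: it estimates the search space of the “initials plus one digit” scheme against the eight-character mixed policy, checks a candidate password against that policy, and flags passwords built from a user’s initials (the user name and passwords are constructed sample values).

```python
import math
import re
import string

# Constructed sample values for illustration; not from the book.
SAMPLE_USER = "Mary Anne Jones"
WEAK_SAMPLE = "MAJ1"          # the easy-to-remember scheme described in the text
STRONG_SAMPLE = "Xk7$pQ2m!v"  # meets the eight-plus mixed-character standard


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a password chosen uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)


def initials_plus_digit_bits() -> float:
    """Search space of 'three initials plus one digit': 26^3 * 10 combinations."""
    return keyspace_bits(26, 3) + keyspace_bits(10, 1)


def mixed_policy_bits(length: int = 8) -> float:
    """Search space of a password of the given length drawn from upper- and
    lowercase letters, digits and punctuation (94 printable ASCII symbols)."""
    alphabet = len(string.ascii_letters) + len(string.digits) + len(string.punctuation)
    return keyspace_bits(alphabet, length)


def meets_mixed_policy(password: str, min_length: int = 8) -> bool:
    """The standard the text attributes to IT security specialists: at least
    min_length characters using all four character classes."""
    if len(password) < min_length:
        return False
    return (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def derived_from_initials(password: str, full_name: str) -> bool:
    """Flags the MAJ1 pattern: the user's initials followed only by digits,
    which stays guessable even when the digit is rotated at each change."""
    initials = "".join(part[0] for part in full_name.split())
    if not initials:
        return False
    pattern = re.escape(initials) + r"\d*"
    return re.fullmatch(pattern, password, re.IGNORECASE) is not None


def assess(password: str, full_name: str) -> dict:
    """Combine the checks into the findings a reviewer would want to see."""
    return {
        "meets_policy": meets_mixed_policy(password),
        "derived_from_initials": derived_from_initials(password, full_name),
        "policy_keyspace_bits": round(mixed_policy_bits(), 1),
        "initials_scheme_bits": round(initials_plus_digit_bits(), 1),
    }


if __name__ == "__main__":
    for pw in (WEAK_SAMPLE, STRONG_SAMPLE):
        print(pw, assess(pw, SAMPLE_USER))
```

The gap is roughly 17 bits (about 176,000 guesses exhaust the initials scheme) against about 52 bits for the mixed eight-character policy, which is the risk trade-off the sticky-note objection is weighed against.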
The theme of the risk requirements and strategies outlined in Exhibit 2.5 is that an enterprise needs to have an understanding of the various types of IT risks that it faces as well as the costs and alternative strategies for taking corrective actions if such risk events occur. An important term and concept here is what is called risk appetite. That is, how great of a risk is a senior manager and the overall enterprise willing to accept? The individual investor who places his money in AA-rated corporate bonds has a much lower appetite for risk than does the investor in speculative technology stocks.
An understanding of enterprise risk issues is a requirement for implementing effective IT governance processes. We always need to understand that virtually every area of IT and overall business operations involves the risk of unplanned activities or events occurring. We should always have strategies and processes in place to react appropriately if any of these risks occur.
IT Governance Enterprise Organization Issues
IT governance issues and concerns extend well beyond just the IT department and its resources, and must include many enterprise-wide issues and concerns. We should always consider the IT resource in an enterprise not as just one unique element but a specialized unit or component of the overall enterprise. Some of these governance issues are outlined in Exhibit 2.6.
EXHIBIT 2.6 IT Governance Enterprise Issues
Enterprise-Level Issue / IT Governance Considerations
Corporate Risk-Monitoring Processes
Beyond just identifying the various types and levels of IT and enterprise risks that can impact an enterprise, regular and continuous monitoring processes should be in place to determine the status of these identified risks as well as ongoing action plans to take appropriate actions if the risks occur.
Weak Decision-Making Mechanisms
Beyond just monitoring the status of IT governance risks, management processes should be in place to take appropriate actions in the event of a risk occurring. This is particularly difficult when the planned action involves such matters as shutting down an IT network operation that requires strong and decisive management decisions.
Risk of Personal and Business Records Privacy Exposures
Whether business or financial records or personal data, an enterprise maintains in its records or systems a large amount of data and information that must be protected.
Risks of Ineffective Enforcement and Conflict Resolution
IT governance issues often come down to a question of too much or too little corrective action when implementing appropriate responses. Strong and regularly tested management processes should be in place.
Lack of Financial Resources Risks
While it is sometimes easy for specialists to develop a risk remediation plan, the enterprise may not have the financial resources to really invoke such a plan.
Failure to Understand Overall Business Responsibilities and Stakeholder Needs Risks
IT operations are too often focused on their own IT infrastructure operations but fail to understand the needs and risks of the overall business operation as well as those of such stakeholders as key vendors or suppliers.
Fiduciary Responsibilities Risks
At all levels, an enterprise and its IT operations always need to remember that they have a duty to protect the assets and investments of their stockholders and lenders.
Boundary and Jurisdiction Identification Risks
All too often, risk monitoring and remediation activities extend beyond just the IT operations to the overall enterprise and to other key stakeholders. There is a need to recognize the jurisdictions and boundaries.
The message in this exhibit is that although IT management may develop governance processes and procedures affecting their own IT systems and operations, they should always think of them in the much larger context of the overall enterprise. For example, it is too easy to forget that many governance-related actions impact the fiduciary responsibility of the enterprise and its key managers in particular to preserve and enhance the investments of investors at all levels. Failure here could result in civil or even legal actions against enterprise officers. A related consideration here is that an enterprise and its IT operations do not possess an open or unlimited set of resources to take appropriate corrective actions. We must always balance the impact of taking corrective actions against overall enterprise resources.
Exhibit 2.6 also mentions jurisdiction and boundary issues as an IT governance component. Although not too many years ago an enterprise’s IT resources existed behind highly secured locked doors and often as a separate facility island from other enterprise operations, we must always think of IT operations as a key component in the continuous process of other enterprise operations. However, we should always remember that boundaries exist, and IT, finance, and other operations should recognize the boundaries between various areas of responsibility when establishing governance processes.
IT Governance Legislative and Regulatory Issues
We began this chapter by providing a summary of some of the key components of SOx, an important item of legislation impacting auditing, financial reporting, and their internal controls. Although a major set of legislative rules, SOx is just one of many major and even more minor legislative and regulatory laws and rules that impact IT governance operations. Some of these cover overall enterprise operations on a national or international level, while others are much more IT-security specific. In other cases, IT governance operations are not impacted by government legislative rules or laws but by professional standards that are voluntary but required to remain at least competitive.
The chapters following will introduce and discuss some of these IT governance legislative and regulatory issues in greater detail. For example, Chapter 10 provides an overview of some of the many IT security rules that impact an enterprise today, and Chapter 11 discusses important elements of the Payment Card Industry Data Security Standard (PCI DSS), an important set of rules impacting any enterprise using credit cards in its business operations. On a different level, Chapter 7 introduces some of the international standards, such as ISO 38500 on IT governance, that are not legislative rules but compliance standards that an astute enterprise should follow.
Legislative and regulatory rules and issues are important components of effective IT governance processes. Enterprise management should monitor these rules and take steps to assure their compliance.
IT Governance Security Issues
Because enterprise IT operations are connected both internally and to outsiders through the Internet and many other data connections, security matters are major IT governance issues. Many IT consumers and users recognize that their systems and data are vulnerable to a wide range of outside intruders whose interests range from just disrupting someone’s IT operations to sabotaging systems and data for profit or gain. Effective IT security controls are an important element of IT governance.
Today’s business executive should have a high-level general understanding of the more significant security issues that are important for effective IT governance. Although there are many and varied issues here, a business manager should understand IT security threats and risks but should seek specialized technical help within the enterprise to more effectively implement the types of IT governance security processes outlined in Exhibit 2.7.
EXHIBIT 2.7 IT Governance Security Issues
IT Security Issues / IT Governance Activities
Security Policy and Procedure Risks
An enterprise should have strong procedures in place to detect and prevent IT security breaches and intrusions. There also should be specialized and skilled staff on board to monitor IT security and to take corrective actions where appropriate.
Business Continuity Planning Issues
Processes should be in place to restore operations in the event of an unexpected disruption in systems and IT operations. These systems should be fully tested and kept current to reflect changes in enterprise operations.
Malware Risks
Management should recognize that all systems today are subject to an ever-evolving wide range of malicious threats that have the ability to avoid detection and mutate themselves once launched.
Requirements for Effective Intrusion Detection and Security Monitoring Tools
An enterprise should install the appropriate tools to monitor all aspects of IT security, both internally and externally, and to take effective remedial actions when required.
IT Asset Classification Risks
All IT hardware and software assets should be appropriately identified as to their relative security vulnerabilities with corrective action plans tested, implemented, and in place.
Security Monitoring Risks
Tools should be in place to monitor all aspects of IT security and to initiate appropriate actions when any security attacks or breaches are identified.
Encryption Policy and Management Risks
Effective encryption policies should be installed and used where appropriate to improve IT governance practices.
Stakeholder IT Security Risks
Policies and training tools should be in place to ensure that all involved enterprise stakeholders follow appropriate IT security procedures.
IT Governance Internal, External Threats
In addition to more specific IT governance issues, an enterprise faces a wide range of internal and external security threats. The external threats can range from such matters as terrorist attacks to foreign government espionage to cloud computing risks and more. While we will discuss some cloud computing IT threats in Chapter 9, an enterprise today faces a wide range of external threats to its IT resources and general business operations. Today’s business executive should make certain that appropriate monitoring tools have been established along with skilled people to monitor such threats and take appropriate corrective actions.
IT governance internal threat processes can often be better monitored and controlled. While we never know when some totally unexpected intruder will attack our IT systems, we can reduce the risks of internal threats by establishing strong internal policies and procedures covering many of those discussed in this chapter as well as building a strong team organization where all stakeholders are aware of their roles, responsibilities, and management expectations.
As outlined in this chapter, IT governance is a broad area that covers many areas of enterprise operations and goes well beyond just the IT department. It is much more than the current hot-topic buzzword. Today’s enterprise senior executives should work with the IT staff and their security specialists as well as internal auditors to develop strong IT governance practices. The chapters following will provide more background and discussion about implementing effective IT governance practices.
NOTES
1. While we are presenting only a high-level summary of SOx requirements, Robert Moeller, Sarbanes-Oxley Internal Controls: Effective Auditing with AS5, CobiT, and ITIL (Hoboken, NJ: John Wiley & Sons, 2008), provides much more information.
2. As a public document, the text of the law can be found in many Web locations. One source is http://fl1.findlaw.com/news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf.
3. A principle of law: Even if a technical violation of a law appears to exist according to the letter of the law, if the effect is too small to be of consequence, the violation of the law will not be considered as a sufficient cause of action, whether in civil or criminal proceedings.
4. Steve Crutchley, “IT Governance Helping Business Survival,” www.slideshare.net/khanyasmin/it-governance-consult2comply.
5. For more information on enterprise risk management and COSO ERM, see Robert Moeller’s COSO Enterprise Risk Management, 2nd ed. (Hoboken, NJ: John Wiley & Sons, 2011).
CHAPTER THREE
Enterprise Governance and GRC Tools
All businesses, and publicly traded corporations in particular, have faced governance needs and requirements issues going back to their earliest days. For many enterprises, senior management often initially took the lead in setting business compliance rules and policies for its employees and others to follow. While this worked with many smaller single proprietorships or in the tightly centralized corporations of eras past, many of today’s larger multiunit enterprises need broad-based facilities for setting rules and procedures—they need efficient and effective governance processes.
Life would be easier for those same enterprises if they just had to rely on strong central leadership, such as a dominant chief executive officer (CEO), to authorize and direct implementation of any required governance rules. However, enterprises today at any location or size are faced with ever-increasing sets of rules and procedures ranging from local police and public safety ordinances to state, national, and sometimes international government-issued rules and laws as well as some broad professional rules. An enterprise must comply with these laws and regulations on a whole series of levels, and its compliance failures can potentially result in a variety of penalties. Every enterprise needs processes to ensure that it is operating in compliance with the appropriate laws and regulations.
An enterprise always faces risks that it will misinterpret rules or be found in violation of one or another of these multiple laws and regulations. There are also risks that an enterprise’s own established governance rules will not achieve the desired results or that the enterprise may face some outside event beyond its control, such as a significant economic downturn, a terrorist attack or act of war that impacts its sphere of operations, or a fire in a major facility. There is a need to understand and manage all of these risks on an overall enterprise level.
While enterprises have always been concerned with various governance, risk, and compliance issues, the major theme of this book has brought all three of these concerns together in an IT context and into what are known as GRC principles. While other chapters following discuss such issues as the importance of enterprise governance practices, risk management fundamentals, and corporate governance practices, this chapter looks at the importance of establishing a strong set of enterprise governance, risk, and compliance, or GRC, principles, as an important element of IT governance.
THE ROAD TO EFFECTIVE GRC PRINCIPLES
Business professionals had not even heard about this now increasingly familiar GRC acronym until early in this century. The first letter stands for governance, not just for IT governance but for concerns over the entire enterprise. In short, governance means taking care of business, making sure things are done according to an enterprise’s standards, regulations, board of directors’ decisions, as well as governmental laws and rules. It also means setting forth clearly the stakeholder expectations of what should be done so that all stakeholders are on the same page with regard to how the enterprise is run.
The R from GRC is risk. Everything we do and all aspects of business operations involve some element of risk. When it comes to an individual running across a freeway or a child playing with matches, it’s pretty clear that certain risks should just not be taken. When it comes to business, however, risk factors become a way to both help protect existing asset values and create value by strategically expanding an enterprise or adding new products and services. The concept of risk is even more than just the IT governance risks that we will be exploring in greater detail in the chapters to follow.
Finally, the C in GRC is compliance with the many laws and directives affecting businesses and citizens today. Sometimes people will also extend that letter to include controls, meaning that it is important to put certain controls in place to ensure that compliance is happening. For example, this might mean monitoring a factory’s emissions or ensuring that its import and export papers are in order. Or it might just mean establishing good internal accounting controls, and effectively implementing legislative requirements such as the Sarbanes-Oxley (SOx) rules briefly discussed in Chapter 2. Putting it all together, GRC is not just what you have to do to take care of an enterprise but a paradigm to help grow that enterprise in the best possible way.