A CIO’s Perspective on Compliance & Risk Management: Keeping Stakeholders and Auditors Happy with ICT Value Contributions and Controls

1
A CIO's Perspective on Compliance & Risk Management:
Keeping Stakeholders and Auditors Happy with ICT
Value Contributions and Controls
  • Steve Sanazaro
  • For TACUA
  • April 8, 2010

2
Topline Summary
  • Objective: improve your understanding and your
    ability to team with IT leaders to implement and
    manage a robust and meaningful compliance regime
  • Briefly describe the general and
    college/university environment
  • Discuss IT Governance, where teamwork and
    cohesion begin
  • Describe the role, agenda and cross-pressures on
    CIOs and their organizations
  • Demonstrate some of the sources of dysfunctional
    friction between compliance and achieving the IT
    agenda
  • Provide a roadmap to IT-Compliance collaboration
    and integration for efficiency and productivity

3
My Background: welcome to my day job
  • Executive and technology roles in all three
    aspects of information and communications
    technology
  • Commercial technology product development:
    e-business, data communications, reservations
    technology, business applications
  • Corporate executive: business strategy and
    operations, technology planning and
    implementation and managing ICT (CIO/CTO/CEO/COO)
  • Professional services provider: advising
    corporations in a range of industries on
    business-technology opportunities and managing
    strategic initiatives (consultant)
  • Educator and mentor of the next generation of
    business-technology leaders (the 110 factor)
  • Diverse industry experience in the US and other
    countries
  • Software, telecom, e-commerce, distribution and
    supply chain management, hospitality,
    transportation, consumer products, manufacturing,
    health, broadcasting, business process
    outsourcing, consulting
  • Companies in all stages: mature Global 500,
    mid-size growth, early-stage and startup
    companies, not-for-profits
  • Responsible for international initiatives and
    technology management with multiple companies
  • Instrumental in 2 successful IPOs
  • Founder of multiple companies, including two
    profitable professional services businesses
  • Today I advise companies on business and ICT
    strategy, major program implementations,
    competency development, change management and
    other subjects companies explore to maximize the
    competitive standing and value of the enterprise.
  • Special focus: strategic readiness,
    organizational health and sustainment, total
    supply chain, performance management,
    turnarounds, rejuvenation efforts
  • All of my engagements today require a strong
    background in international business, Information
    Technology, business operations, compliance and
    risk management, strategic planning, performance
    management, cross-cultural business and social
    experience and travel.

4
A More Detailed Overview
  • 1 - The unique environment of colleges and
    universities and the environment we all share
  • 2 - The IT Value Proposition
  • Automation, Information, Communication,
    Collaboration
  • Routine performance and innovation
  • Performance and institutional sustainment
  • 3 - IT Governance
  • Integration, not alignment: a team sport
  • Expectations, priorities and targets
  • Performance and organizational sustainment
  • Financial stewardship
  • Risk management and controls
  • 4 - What do CIOs do anyway?
  • Agenda and cross pressures
  • 5 - Friction and Dysfunction in IT Compliance
    Implementation
  • Risks: the infinite spectrum
  • IT control regimes
  • Integrating compliance into IT
  • 6 - A Roadmap to IT-Compliance Harmonization
  • Compliance as connective tissue, not a separate
    organ

5
  • 1 - The Unique Environment of Colleges and
    Universities Today

6
The 21st Century Economy
  • Global: relentlessly competitive talent,
    products, customers, suppliers
  • Fast and unforgiving: time is the enemy
  • Continuous innovations and imitations: new
    products, new competitors, new technologies,
    imitators everywhere
  • Digital information is replacing physical
    goods
  • Customers are in command
  • Choice: access to global information, access to
    peer opinions
  • Fluid loyalties
  • Suppliers - Partners - Customers
  • Results-driven
  • Financial
  • Other
  • Emerging global culture: the new cosmopolitans

7
Management in the Global Reality
  • "Management's great task will be taking strategic
    control of companies and simultaneously
    decentralizing operational control: loosening
    controls without losing control."
  • Strategic Discontinuity, McKinsey, 2002

8
Enterprise Purpose: Convert Assets to Goals
[Diagram: the Enterprise Execution Model, built on
value-generating processes, with two outcomes shown:
Performance and Health & Sustainment]

9
Cash Results from Doing the Right Things Right
  • Businesses begin with assets and try to grow
    them over time
  • Assets become sales
  • Sales minus expenses become profits
  • Profits become cash flow
  • Cash flow becomes assets
  • There's no reason to grow the asset base except
    to generate higher revenue, more sales, etc.
  • ICT must adopt the same attitude
  • The purpose of IT assets is to grow revenue
    (effectiveness) and net income (efficiency)

10
Globalization Has Enlarged the Enterprise Focus and
Risk Management Agenda
  • Talent development: attract, recruit, retain,
    develop, place
  • Economics and Free Trade
  • Tradition, Sovereignty and Cultural Preservation
  • The Role of Information, Communications and
    Collaboration
  • Education, Opportunity and Participation
  • Population Shifts and Mass Migrations
  • Human Rights
  • Crime & Safety
  • Environmental Concerns and Pollution
  • Transborder Disease
  • Corporate Social Responsibility and the Digital
    Divide
  • Compliance
  • Corruption and Governance
  • Intellectual Property Rights
  • Representation and Participation

11
Colleges and Universities Face Additional
Challenges
  • Some are common to all institutions, some are
    unique to educational institutions
  • Further gradients of issues are by
    public/private, size, target curricula, etc.
  • Just a few of the many big questions:
  • What is the 21st century college and university
    value proposition?
  • Autonomy and centralization issues
  • What new programs or capabilities do we need?
  • Performance targets: what to measure, what to do
    with the results?
  • Customers and colleagues: students, academics,
    administrators, other stakeholder interests
  • How do we improve distance and continuing
    education?
  • How do IT technologies, applications and services
    change curricula, delivery methods, target
    audience, student and prospective student
    expectations?
  • The special function of university research
  • Endowments, special gifts, programs and other
    fundraising
  • Talent management: faculty, administration
  • Community support
  • Peer standing among other colleges and
    universities
  • Mastering legal and regulatory mandates

12
College and University ICT Challenges
  • Centralized core systems and supporting
    infrastructure
  • Fragmented departmental and functional systems by
    discipline
  • High variability in governance policies and
    effectiveness
  • Non-standardized user technology
  • PCs and laptops, smart phones, game consoles,
    sensors, video cameras
  • An open information culture with information
    integrity and protection
  • Inherent resistance to centralized authority
  • Diverse investor (contributor/user) base with
    different objectives
  • Facility or discipline-specific gifts
  • Endowment
  • Student/parent payments
  • Industry/corporate gifts
  • Gifts in-kind
  • Net net: mandates from on high will not achieve
    the objective of a controlled ICT environment in
    a fragmented, decentralized institution
  • Challenge: how to get critical mass on the
    compliance team

13
Institutions Balance Today with Tomorrow
  • Performance (today)
  • Organizational Health (tomorrow)
  • Reinforcing desired culture
  • Respect, curiosity, integrity, diversity,
    excellence
  • Strategic assessments
  • Where do we want to be in the future? When does
    the future begin?
  • Planning
  • New programs, facilities, relationships, etc.
  • Skills and competency improvements (people)
  • Job and organizational structure reviews
  • Building compliance and risk management
    competencies
  • Doing the work: working the plan
  • The academic year cycle
  • The financial cycle
  • Fund raising campaigns
  • Incremental improvements
  • Security, applications
  • Delivering on commitments
  • Meeting deadlines
  • Operations reliability and continuity
  • Meeting goals and objectives
  • Managing controls, conducting compliance audits

14
Where's your Line between Performance and
Institutional Sustainment Initiatives?
  • Performance
  • Execution
  • Operations
  • Continuous Improvement
  • Monitoring
  • Measuring
  • Adjusting
  • Controlling

What's your institution's optimal golden mean? Do
you have a way to get there? Time, talent &
treasure
  • Institutional Health & Sustainment
  • New Capabilities: dynamic compliance,
    resilient disaster recovery
  • New Methods and Processes: administration,
    customer interaction
  • New Subject Areas: performance management and
    reporting
  • New Relationships: complementary virtual
    institutions
  • Strategic Planning & Investment: programs,
    facilities, faculty, locations

15
Innovation: the New Is Hard to Control
[Diagram: a timeline running from Today into the
Continuous Future, with three bands of systems and the
state of their controls]
  • Legacy systems (financial, email, registration,
    Blackboard, payments, grading, Internet access,
    etc.): controls in place and audited
  • Emerging systems (social networks, smart phone
    apps, new academic apps): controls in development
  • Innovative apps and services: the Wild Wild West
  • Spanning all three: process and accountabilities
    to develop and oversee controls; new and enhanced
    regulatory regimes (privacy, intellectual property
    rights, security, disclosure, transparency,
    statistical mandates)
Therefore, to jump ahead: the competence to
develop, operate and improve controlled processes
in a timely manner is MORE, MUCH MORE,
important than developing a protocol for any one
regulatory regime. I know, easier said than
done.
16
University Compliance Missions Are Inconsistent
  • To support the University's fundamental
    commitment to the highest standards of ethics,
    education, integrity, lawful conduct, and
    responsible citizenship by complying with all
    laws, regulations, and internal policies. This
    makes sense to me.
  • Columbia University
  • To reinforce and support a culture at UNT which
    builds compliance consciousness into its daily
    activities and operations of the University and
    encourages each employee to conduct UNT business
    with the highest standards of honesty and
    integrity. This makes sense to me
  • University of North Texas
  • The mission of internal audit is to assess and
    monitor the university community in the discharge
    of their oversight, management, and operating
    responsibilities in relation to governance
    processes, the systems of internal controls, and
    compliance with laws, regulations and University
    policies including those related to ethical
    conduct by providing relevant, timely,
    independent, and objective assurance, advisory
    and investigative services using a systematic,
    disciplined approach to evaluate risk and improve
    the effectiveness of control and governance
    processes. Huh?
  • - University of California system

17
  • 2 - The ICT Value Proposition

18
Pervasive IT: Who's In Charge? In Control?
  • ICT today serves every aspect of institutional
    life, and numerous personal ones as well
  • Universities have an exceptional Venn overlay of
    these two domains
  • Transcends organizational boundaries tremendous
    interaction with external individuals and
    institutions
  • Continues to permeate organizations at every
    level and scale
  • Is encompassing more devices (smart phones,
    object sensors, what's next?)
  • Includes all types of data (text, numbers, video,
    audio, all digitally translatable analog data,
    real time, hyper-aggregated, images)
  • Includes both staged, asynchronous and real-time
    information events
  • The proportion of IT activity that happens
    outside of IT continues to grow
  • Consumer devices: iPhone, Blackberry, Xbox,
    Playstation
  • Social networking: Facebook, online games,
    Twitter, Foursquare
  • Embedded systems: device sensors and
    controllers, cars
  • Non-IT business functions: every enterprise
    function has some independent IT, whether they
    admit it or not (think Excel)
  • Consider everything your faculty and students are
    doing with Information, Communications and
    Collaboration tools today. What's coming
    tomorrow?
  • Content, devices, communications channels, users,
    collaborators, intelligent agents

19
The ICT Value-Building Cycle
[Diagram: a Plan, Execute, Assess, Move On cycle, with
Adjust & Adapt (flexibility & resilience) feeding back,
set in the institution's Environment. Components shown:
Vision & Mission; Business Strategy (differentiators);
Enabling Initiatives & Execution; IT Governance,
Portfolio Management & Alignment; Priorities, Projects &
Service Levels; Delivery; Operations; Capabilities &
Competencies; Performance Management (measures &
targets); Measurement; Assess]
Issue: What are the decision rights,
accountabilities, responsibilities and metrics
for each component and the overall cycle? Hint:
no answers, no controls, ineffective risk
management.
20
Four Sources of New IT Value
[Diagram; the text recovered from it: Improve Decision
Making, Improve Process]
Source: The Real Business of IT, Hunter &
Westerman, Harvard Business Press 2009
21
The IT Value Proposition
  • Information, communications and collaboration
  • Automation of existing work
  • Blackboard
  • Accounting: AP, AR, GL, Asset Management
  • Funds management
  • Grants administration
  • Research
  • Admissions
  • Financial aid
  • Payment
  • Improvement and optimization
  • Innovation (new, unknown, speculative,
    experimental)
  • External integration
  • Risk management (assets, security, data, services
    continuity, liability)

22
Getting a return on your ICT investments
  • 3 - ICT Governance

23
ICT Governance
  • Governance is the process of ensuring that an
    institution's financial investments yield the
    desired returns and are well managed
  • A subset of the overall institutional governance
    function
  • Strategy (direction), institutional integration
    and oversight
  • Priorities and investments
  • Focus on projects, performance (overall
    operations) and sustainment
  • Integration, not alignment: a team sport
  • Expectations, priorities and targets
  • Setting expectations, priorities and targets
  • Focused, at heart, on ensuring that the
    enterprise receives an appropriate return for the
    money and other resources invested in IT
  • Financial stewardship
  • Balancing performance with organizational
    sustainment
  • Integrating strategy, operations and IT

24
Governance: Analysis, Decision, Follow-through
  • Enablers:
  • Clear accountabilities
  • Shared purpose & goals
  • Smooth collaboration
  • Measures & targets
  • Org sustainment

25
Risk Management is Integral to IT Governance
  • Internal control is a process
  • Not a department, organization or function: a
    genuine team sport
  • There is no ultimate destination or rest for the
    weary
  • It focuses, in an ideal world, on ensuring that the
    institution is being managed and operated in
    reasonable accord (not a perfect world) with
    regard to:
  • Effectiveness (right things) and efficiency
    (right level of resources)
  • Integrity and reliability of reporting, not just
    financial
  • Compliance with a growing list of laws and
    regulations
  • Being able to deliver priority projects and
    services
  • Being able to keep services running (continuity)
    or to recover from a disaster
  • This makes well-managed risk management and
    compliance a key enabler of institutional
    processes, IT and other, that operate to move
    the enterprise towards its goals

26
ICT Governance Cross Currents
Goal: Achieving, maintaining and improving
strategic and operational integration among all
internal and external entities and stakeholders
to deliver value and improve enterprise health
and sustainability
27
IT Investment Profiles
Source: Rethinking IT Strategy, McKinsey, Aug 2006
28
ICT Portfolio Allocations
[Diagram of the ICT portfolio and its allocations:
Investment Allocations (Capex & Opex); Business-Technology
Architecture; ICT Structure; Talent & Career Management;
Core Competencies; Organizational Health Projects;
Business Technology Projects; Innovation; Competitive
Parity or Advantage; Risk Management; Measures & Targets;
Service Levels; Operations; Capacity Planning]
29
ICT's Role Is Changing
Source: Trends: Is There A Career Future In
Enterprise IT?, August 2006
30
  • 4 - What do CIOs Do Anyway?

31
CIO Career Growth Stages
Source: CIO Success Factors, TechExecs, Nov 2009
32
The CIO's Universe
[Diagram of nested environments: General Business
Environment, Enterprise Environment, ICT Environment,
with Stakeholders & Business Partners around the ICT
environment. Inside the ICT environment: Strategy,
Governance & Integration; Alignment, Portfolio Mgmt,
Compliance & Risk Mgmt, Architecture, Measures & Targets,
Financial Mgmt; ICT Competencies, Processes & Staff;
Projects; ICT Infrastructure & Operations; Emerging &
Future Technologies]
33
The CIO Meta-Agenda
  • Shaping and Meeting Enterprise Expectations: a
    translation layer between institutional needs and
    technology capabilities and talents
  • Providing reliable and effective IT services
  • Planning: Insight and Foresight
  • Doing the right things the right way
  • Operations: running what is already in place
  • Projects: delivering extended, enhanced or
    innovative improvements
  • Institution building / organizational health
  • Financial and compliance stewardship / risk
    management
  • Communicating value: the iceberg report
  • Building and reinforcing a High Performance
    culture
  • Net net: provide more value, continuously improve,
    and extend IT into new areas to increase the
    value/benefit provided for the investment made

34
Sample ICT Agenda Items Today
35
a brief aside on controls and controlled
environments
36
Compliance Regimes
  • SB 1386 (California privacy breach disclosure law)
  • Internal proprietary regimes
  • FERC/NRC (Energy)
  • FERPA: controls on student grade and other
    personal information
  • Jeanne Clery Act (1990): campus crime
    disclosure
  • FISMA: Federal Information Security Management Act
  • PCI: Payment Card Industry (DSS) control objectives
  • Access systems: access controls
  • Sarbanes-Oxley (SEC, PCAOB, COSO, CobiT, ITIL)
  • SAS 70: external service provider control regime
  • Gramm-Leach-Bliley: consumer information
    privacy safeguards
  • HIPAA: protection of personal health information
  • SysTrust / WebTrust: AICPA assurance reports on IT
    system reliability and e-commerce controls; useful
    evidence for, but not a substitute for, a SOX audit
  • Government Accountability Office
  • Securities and Exchange Commission
  • NIST: National Institute of Standards and
    Technology
  • ISO 27000 series: Security techniques (information
    security management)
  • Office of Thrift Supervision
  • ITIL: Information Technology Infrastructure
    Library
  • FIPS 140-1 / 140-2: Federal standards for
    cryptographic modules
  • CMMI: Capability Maturity Model Integration
  • GAAP/FASB: Generally Accepted Accounting
    Principles / Financial Accounting Standards
    Board
  • IFRS / IASB (International Accounting Standards
    Board): convergence projects with FASB underway

Source: Students enrolled in EMIS 7360 Executive
program, May 2008
37
The Purposes of Controls
  • Safeguarding assets: essentially the
    cash-to-result value chain
  • Checking the accuracy, integrity and reliability
    of operational and financial data
  • Promoting operational efficiency through rigorous
    process definition, measurement, assessment and
    continuous improvement
  • Encouraging and ensuring that official policies
    and procedures are followed
  • Demonstrating legal compliance by
    contemporaneous, current process, role and
    proof-of-adherence documentation

38
Look at the Regulatory Storm We All Face
39
Relationship of Control Regimes
[Diagram mapping the enterprise layers Strategy,
Finance, Applications and Operations against the
frameworks COCO, COSO, COBIT and ITIL]
University control regimes are derived from
frameworks originally developed for businesses
and need tweaking to fit comfortably.
40
COSO Enterprise Risk Management Model
41
The COSO ERM Framework
  • Entity objectives can be viewed in the context of
    four categories
  • Strategic
  • Operations
  • Reporting
  • Compliance
  • ERM considers activities at all levels of the
    organization
  • Enterprise-level
  • Division or subsidiary
  • Business unit processes

Source: COSO Enterprise Risk Management
Framework, Draft Version, July 2003
42
Internal Environment
  • Risk Management Philosophy
  • Risk Culture
  • Board of Directors
  • Integrity and Ethical Values
  • Commitment to Competence
  • Management's Philosophy and Operating Style
  • Risk Appetite
  • Organizational Structure
  • Assignment of Authority and Responsibility
  • Human Resource Policies and Practices

43
Internal Auditors' ERM Responsibilities per COSO
  • Do not have primary responsibility for
    establishing or maintaining ERM
  • Play an important role in monitoring ERM
  • Regarding the ERM process, assist management and
    the Board or Audit Committee by:
  • Monitoring and examining
  • Evaluating and reporting on
  • Recommending improvements

CIO comment: ICT needs assistance too.
44
ICT Vulnerabilities Are Increasing
  • Scale (Pervasive IT) creates complexity;
    complexity generates opportunities to breach
    security
  • Security is a moving target
  • Security is a people issue, not a technical
    issue
  • Complexity of software and the open development
    philosophy
  • Microsoft Windows: most major-league
    applications
  • Linux / open source
  • Macintosh (yes, Macintosh)
  • New processing
  • Wireless devices: open wireless connections
  • Unencrypted environments
  • Web-based processing: immature security
  • More send/receive devices (smart phones)
  • Decentralized infrastructures / physical and
    logical access control complexity

45
Follow the Frameworks: Minimize Roll-Your-Own
Controls
"The policies, procedures, practices, and
organizational structures that are designed to
provide reasonable assurance that business
objectives will be achieved and that undesired
events will be prevented, detected and corrected."

Source: the CobiT definition of control, ISACA
(formerly known as the Information Systems
Audit and Control Association and, prior to
that, the EDP Auditors Association)
46
Control Frameworks and ICT (the five COSO internal
control components)
  • Control Environment: as much the culture of
    integrity and ethics as the official policies and
    procedures. Roles and responsibilities.
  • Risk Assessment: internal and external;
    controllable (prevent) and uncontrollable
    (anticipate and recover, or observe and report only)
  • Control Activities: policies and procedures that
    transparently ensure that management directives
    are carried out
  • Information and Communication: includes all
    information being controlled. Includes ensuring
    that everyone knows their role and
    responsibility.
  • Monitoring: timely assessment of adherence and
    effectiveness of controls

47
CobiT Processes by Domain
[Diagram of the four CobiT domains: Planning &
Organization; Acquisition & Implementation; Delivery &
Support; Monitoring]
48
Integrated CobiT Schematic
49
The 34 Defined CobiT Processes
[Diagram of the 34 processes grouped into the four
domains]
50
The 7 CobiT Principles
51
Elements of a Controlled ICT Environment
  • Defined and effective governance
  • Defined and executed change management and
    systems implementation process
  • Software controls: configuration management
  • Hardware access and asset controls
  • Computer operations controls
  • Data security: access, CRUD (create/read/update/
    delete) rights, password management, storage,
    retention, recovery
  • Administrative controls (new and exiting
    employees, etc.)
  • Balancing high availability and widespread use
    with security and integrity
  • Policy-based, not technology-based control
    environment

52
  • 5 - Friction and Dysfunction in IT Compliance
    Implementation

53
Risks: the infinite spectrum
  • Every ICT manager lives somewhat in fear of
    outages and disruptions
  • Who defines risks and who assigns the cost of
    addressing risks?
  • Who pays? What doesn't happen because of risk
    management expenditures?
  • What gets taken off the ICT plate because of
    compliance? (Hint: not much, if anything)
  • Real risk management versus mandated risk
    management
  • Random versus controlled activity: process
    definition and discipline versus mandate-meeting
  • Expected versus actual outcomes: measures and
    targets defined in advance
  • Multi-perspective verification: evidence versus
    anecdotes

54
Sources of Auditor-ICT Conflict: a Sampler
  • These may apply more to commercial businesses
    than colleges and universities, but some
    all-too-common sore points include:
  • Surprise, surprise (Gomer Pyle), repeatedly
  • Showing up with a deliverable and a deadline with
    no prior relationship
  • Mandating a regime-specific set of controls to
    meet a deadline
  • Asking for a control to be documented multiple
    ways
  • Assuming CIOs have never thought of this stuff
    before (security, privacy, data integrity)
  • Criticizing the ICT program without offering
    specific suggestions on how to design, implement
    or improve a control
  • Priority stuffing (10 pounds of sugar in a 5
    pound bag)
  • Leveraging senior management or the external
    auditor against ICT without developing a clear
    understanding with ICT of any problems
  • Expecting ICT to allocate labor to the mandate
    with no support for who pays the bill
  • Blaming ICT for whatever goes wrong

55
  • 6 - A Roadmap to IT-Compliance Harmonization

56
Compliance as connective tissue, not a separate
organ
  • The Compliance Challenge: making performance and
    compliance complementary (let's skip the synergy
    thing)

57
IT and Auditing Share Mutual Compliance
Challenges Today
  • IT demand is shifting towards mobile and social
    services
  • Objective: obtain any information or communicate
    with anyone via any channel, anytime, anywhere
  • Technologies: iPhone, Blackberry, netbooks,
    pervasive wireless
  • Applications: Facebook, Twitter, LinkedIn, ...
  • Challenges:
  • Standards: security is often a matter of
    technology currency as well as programmatic
    actions. How to allocate budget for technology
    refreshes?
  • Privacy of personal information, e.g.,
    unencrypted public wireless, lost or stolen
    devices
  • Security and retention of confidential data:
    what IP is in that email attachment?
  • Inappropriate behavior or postings on social
    networking sites (things that impugn your
    institution's reputation or enable someone to
    cause harm to another, for instance)

58
Integration, not alignment
  • Compliance, like information and communications,
    has to be part of core institutional processes
    to be effective
  • Built-in quality versus post-incident inspection
  • Compliance and IT share the need for an
    enterprise and extra-enterprise perspective
  • Both require some formal oversight group to bring
    expertise and attention, not a pickup band of
    departmental assignees

59
The Compliance Challenge
  • Making performance and compliance complementary
  • Getting IT Work Done
  • Doing the right things the right way
  • Operations
  • Projects
  • Organizational health
  • Implementing Compliance Regimes
  • Compliance and Risk Management Roles
  • The lineup
  • Responsibilities and accountabilities
  • Team work, collaboration and productivity
  • Defining and refining processes and practices
  • Training and incentives
  • Performance management and feedback
  • Overhead, Co-existence or Leverage?
  • Synthesizing Compliance and ICT Goals

60
We need to overcome our professional vocabularies
[Three word clouds, one per profession]
ICT: PSTN, DNS, IP, EA, HTTPS, NTFS, FTP, GSM, CMMi,
Extreme Programming, CSS, Ocxx, ACL, SATA, SSL, LDAP,
DFD, API, Peering, SMTP, LAMP, PHP, OSPF
Audit and compliance: Risk Assessment, Attest,
Segregation of Duties, Control Risk, FERPA, Footnotes,
Materiality, Significant Controls, Confirmation,
Reperformance, Substantive Tests, HIPAA, PCI,
Monitoring, Year, Fraud, Reasonable Assurance,
Unqualified Report, Independence, PCAOB, AICPA
Academic administration: Enrollment, Applicants,
Transcript, Financial Aid, Registrar, Major, Academic
Advisor, Syllabus, Convocation, Endowment, Trusts and
Gifts, Transfer, Intern, Distance Learning,
Postgraduate, SAT, Credit Unit, Tuition, Withdrawal
Deadline, Incomplete, Plagiarism, Wait List, Year
61
CobiT Processes by Domain
[Diagram of the four CobiT domains: Planning &
Organization; Acquisition & Implementation; Delivery &
Support; Monitoring]
62
Process Categories
63
CMM Maturity Levels
  • 5. Optimizing: continuous process improvement.
  • 4. Managed: detailed measures of the software
    process and product quality are collected.
  • 3. Defined: management and engineering activities
    are documented, standardized, institutionalized.
  • 2. Repeatable: basic project management tracks
    cost, schedule, and functionality. Successes can
    be repeated for similar projects.
  • 1. Initial: ad hoc. Success depends on individual
    effort and heroics.
64
Compliance Regimes Overlap with ICT Processes
Friction Point: ICT needs to control an overall
process, not build a process to accommodate an
individual mandate
65
The Special Case of ICT Operations and ITIL
  • IT Infrastructure Library, Office of Government
    Commerce, UK
  • Focus
  • People
  • Process
  • Technology
  • Service Delivery
  • Service Level Management
  • Availability Management
  • Capacity Management
  • IT Service Continuity Management
  • Service Support
  • Incident Management
  • Problem Management
  • Change Management
  • Configuration Management
  • Release Management

Many compliance issues manifest themselves in
ITSM (IT Service Management) although the root
cause is often way upstream.
66
The V3 Lifecycle
67
Collaborate on the Basics of Effective Controls
  • Authority and responsibility: clear,
    communicated and documented
  • Authorization of transactions - documented
  • Adequate accounting records - a good audit trail
  • Segregation of duties
  • Independent verifications
  • Limited access and physical protection of assets
  • Physical
  • Electronic
  • Virtual
  • Cosign and co-deliver the defining documents

68
Complexity
  • Complexity is built in; don't add your own
  • Complexity is as much organizational as technical
  • Unnecessary technical complexity challenges
    timeliness, functionality and performance as long
    as it persists
  • Changes must be made within the changeability
    index of your institution:
  • Scale: optimization or a true re-engineering
  • Materiality of the changes: risk quotient
  • Readiness: management, process, education,
    communications
  • Openness and willingness of the culture to change
  • Skill and history: prior projects and risk
    management efforts
  • Persistence: the willingness to stay on task
    until it is right
  • Leadership, more than management
  • Plan B

69
Key Ingredients of the Success Recipe (1)
  • ICT is inseparable from the enterprise:
    integration, not alignment
  • Build ongoing relationships; don't make
    compliance the basis of creating relationships
  • Auditor-ICT co-responsibility
  • Clear responsibilities and accountabilities
  • Ongoing programs, not projects
  • Rely on control frameworks where possible to
    reduce the time necessary to define and implement
    regimes
  • Select and tailor the regime (CobiT, ITIL, etc.)
    to fit your circumstances
  • Simplify ICT: leverage compliance to make ICT
    more efficient
  • Lower unit costs, fewer labor specialties, less
    manual labor, etc.
  • Engineer and manage processes; don't organize
    around individual regimes
  • Build in, don't bolt on: measures through design
    and refinement

70
Key Ingredients of the Success Recipe (2)
  • Collaborate on defining and seeking funding for
    automated tools and any other resources necessary
    to leverage efficiency efforts and controls
  • Backup/recovery, patch management, intrusion
    detection, access management, employee
    hire/termination, logging
  • Spend each dollar once and track pay-offs
  • Standardize reporting and evidentiary
    documentation
  • Hold regular unofficial compliance meetings
  • Project reviews
  • Upcoming regulation
  • Network with other institutions, auditors and
    ICT together
  • Work together to improve ICT governance
    effectiveness

71
Triangulate to Succeed Mutually
[Diagram: a triangle of The Powers that Be, Auditor /
Compliance Authorities and CIO / IT Authorities]
72
A Final Word
  • We know that more and more compliance measures
    are heading towards all of us; let's get ready
  • Compliance implementations and controls are
    tremendous opportunities for institution
    building, teamwork, operational improvements
    (performance) and greater transparency
  • Compliance is a team sport and everyone on the
    team has to feel valued and know their role and
    responsibilities.
  • Make compliance-ICT relationships and integration
    a regular part of your work cycle
  • Synthesis can generate triple wins for your
    institutions, for Audit and for ICT.

73
Comments, Q & A
  • Thank You.