WebEx guide. > Everyone is muted to avoid background noise. Please use the chat box if you need to communicate with the host.

Transcription

1 WebEx guide > Everyone is muted to avoid background noise. Please use the chat box if you need to communicate with the host. > Asking questions: In the chat screen, ask questions by choosing All Panelists in lower right chat window. Type your message in the chat box and hit send. > If disconnected: Refer to your and reconnect. If audio is disconnected,click the Communicate tab in the upper left to find the dial in numbers and access code or refer back to your for the dial-in #. > Support #: If you have any technical problems, call WebEx Support at > We will be recording today. Chat Window Chat Box Refresh button Choose All Panelists 1

2 Auditing IT Governance January 16,

3 Webinar Moderator Phil Hurd ACUA President 3

4 Your Presenters Mike Cullen, Senior Manager CISA, CISSP, CIPP/US > Leads the firm s Technology Risk Services team in Washington, DC, focused on IT risk consulting and internal auditing. > Performs IT risk assessments and audits, developed information privacy and security programs, performed ethical hacking of IT systems, and conducted digital forensic investigations. > Presents to a variety of audiences, including ACUA, various IIA chapters and regional conferences, and at multiple universities. 4

5 Your Presenters Stephanie Marino, Manager CISA, CIA > Performs IT process improvement reviews, risk assessments, and IT audits for higher education and research institutions. > Utilizes industry best standards to assess internal control effectiveness around IT information privacy and security, governance, IT general controls, network and IT infrastructure management, and regulatory compliance. > Actively involved in training, seminars, and thought leadership initiatives with ACUA, IIA, and ISACA. 5

6 Contents/Agenda > What is IT Governance? > Approach to Auditing IT Governance > IT Governance Trends > References and Tools 6

7 Objectives > Provide an overview of IT Governance and describe its importance > Describe one approach to auditing IT Governance, including key scope areas, involved parties/stakeholders, key questions to answer > Describe current trends in IT Governance and how they can be incorporated into IT Governance audits 7

8 Polling Question #1 How would you rate your IT governance auditing experience? A. I ve audited IT governance multiple times at my institution B. I ve audited IT governance once at my institution C. I ve never audited IT governance at my institution 8

9 What is IT Governance? 9

10 What is IT Governance? > Mechanisms and structures used to clarify oversight, accountability, and decision making frameworks for IT strategy, resources, and control activities > Provides for effective management of IT operations and IT projects to ensure alignment with the institution s strategic plan Sources: The Institute for Internal Auditors, Global Technology Audit Guide: Auditing IT Governance, July 2012 Selig, Gad J. Implementing IT Governance, A Pocket Guide. June

11 What is IT Governance? The goal is to align IT investments with institutional priorities in order to enable fundamental improvements in teaching, learning, research, and administrative processes-and improvements in their costs-through technology-enabled transformation. John C. Hitt, President, University of Central Florida, Two Views of Alignment, EDUCAUSE Review March/April

12 What are the benefits of IT Governance? > Facilitates strategic alignment and understanding between the institution and IT organization(s) > Increases the ability of IT organization(s) to achieve their goals and objectives, as well as the overall institution s goals and objectives > Defines the value and cost of IT in terms of impact to the institution s goals and objectives > Helps IT organizations better manage their IT risk profile 12

13 What are the benefits of IT Governance? > Results in responsible utilization of IT resources and assets based on consistent, repeatable IT processes > Establishes and clarifies accountability and decision-making authority > Improves IT performance and compliance > Champions innovation within the IT function and throughout the institution > Emphasizes performance management and staff development 13

14 Why should institutions care about IT Governance? > Reduce costs, increase efficiency and effectiveness, especially in austere times > Frameworks make decision making easier and more consistent > Ranked as an EDUCAUSE 2012 Top 10 IT Issues 14

15 Why do auditors care about IT Governance? > IIA Standard 2110: The internal audit activity must assess and make appropriate recommendations for improving the governance process IIA 2110.A2: The internal audit activity must assess whether the [IT] governance of the organization supports the organization s strategies and objectives > Impacts downstream IT and business processes and controls by setting a foundation 15

16 Why do auditors care about IT Governance? We can evaluate the IT Governance structure and deliver results for the organization by making recommendations for improving the efficiency and effectiveness of the IT function 16

17 Polling Question #2 How would you describe your institution s approach to IT governance? A. Strong, defined, auditable, and centralized or decentralized B. Inconsistent, loosely defined, or not aligned to the institution s strategy and goals C. Non-existent or unknown 17

18 Approach to Auditing IT Governance 18

19 How do we get started? > Scoping > Stakeholder involvement > Areas of focus > Tactical steps 19

20 What should my scope be? > Scoping is always a challenge in higher education institutions, IT Governance is no exception > Ideally, even in a decentralized environment, the IT Governance framework applies across campuses, schools, and departments/units/divisions > Realistically, where can we get started 20

21 What should my scope be? > Department/unit/division level Smaller and less complex > School level > Campus level > Institution-wide level Ideal scope! Larger and more complex 21

22 Who are the stakeholders involved? Depends on your scoping, but we will look at it from the institution-wide view Potential Stakeholders: > Board > President/Chancellor > Provost Deans > Chief Business/Financial Officer Administrative department heads > Chief Information Officer > Information Security/Privacy Officer(s) > Chief Compliance/Risk Officer(s) > Research/Principal Investigators > Students 22

23 What are my areas of focus? > Institutional Governance Structures > Executive Leadership and Support > Strategic and Operational Planning > IT Organization(s) and Risk Management > Service Delivery and Management 23

24 Institutional Governance Structures Areas to Review Documents to Obtain Questions to Ask > Institution-wide Organizational structures > Communication mechanisms and frequency > Accountability protocols Governance Committee(s) > Institution s governance structure/organization chart with roles and responsibilities and reporting lines > Agendas and minutes from key governance meetings > Is IT governance centralized or decentralized? > What areas does IT support? > How is the CIO involved in institution-wide governance structures? 24

25 Executive Leadership and Support Areas to Review Documents to Obtain Questions to Ask > Strategic Plans > Budgets/Funding > CIO Roles and Responsibilities > Institution s strategic plan > IT strategic plan(s)/goals > IT budgets > CIO job description, performance plan > Is the IT strategic plan aligned specifically to elements of the institution s strategic plan? > How is IT funded? > Who does the CIO report to? > How frequently does the CIO interact with leadership/executive management? In what forums? 25

26 Strategic and Operational Planning Areas to Review Documents to Obtain Questions to Ask > Tactical Plans > Key Performance Indicators > Project Portfolio Management > IT Personnel Management > Tactical IT plans > Reports including KPIs/Metrics > Project Portfolio > Management Program documentation > IT Job Descriptions, Skill Requirements, Hiring Plans > How do IT tactical plans support IT strategic plan(s)? > How is IT measuring successful completion of tactical plans? > How are IT projects reviewed and approved to align with strategy? > Does IT have the personnel with the appropriate knowledge, skills, and abilities, to accomplish plans? 26

27 IT Organization(s) and Risk Management Areas to Review Documents to Obtain Questions to Ask > Risk Assessment > Compliance > Information Privacy > Information/Data Security > Employee Development > Asset Management and Procurement > Risk assessment process documents > Risk assessment results > Privacy program documents > Information Security program documents > Employee Development program documents > Asset Management and Procurement documents > How frequently and effectively is the IT risk assessment performed? Is it comprehensive? > How does IT ensure compliance, privacy, and security obligations are met? > How does IT provide employees development opportunities? > How does IT manage assets and procurement? 27

28 Service Delivery and Management Areas to Review Documents to Obtain Questions to Ask > Service Delivery and Costs > Helpdesk > System Operations > User Satisfaction > Project Management > Communication > Service Catalog or Inventory of Costs > Helpdesk process documentation > Helpdesk metrics > User Satisfaction metrics > Project Inventory > How are services funded? > Are costs competitive with other providers? > How effective is the IT helpdesk? > How much does it cost to maintain and implement systems? > How do IT projects get requested, reviewed, approved, and monitored? > How does IT effectively communicate services, interruptions to users? 28

29 Polling Question #3 Does your institution have an IT strategic plan? A. Yes B. No C. Unsure 29

30 IT Governance trends 30

31 IT Governance Trends > Cost Efficiencies (Outsourcing / The Cloud) > Information Privacy and Security > Scholarly Systems > Centralization vs. Decentralization 31

32 Cost Efficiencies What is it? > Outsourcing > The Cloud How does it impact/relate to IT Governance? > Compliance > Vendor Management Audit tips/real world examples 32

33 Information Privacy and Security What is it? > Privacy > Security How does it impact/relate to IT Governance? > Compliance > Reputation Audit tips/real world examples 33

34 Scholarly Systems What is it? > Learning management > MOOCs How does it impact/relate to IT Governance? > Teaching effectiveness > Student engagement Audit tips/real world examples 34

35 Centralization vs. decentralization What is it? How does it impact/relate to IT Governance? > Costs > Politics > Research Audit tips/real world examples 35

36 Polling Question #4 Which trend is likely to have the largest impact on your institution s IT governance strategy? A. Cost Efficiencies (Outsourcing / The Cloud) B. Information Privacy and Security C. Scholarly Systems D. Centralization vs. Decentralization 36

37 References and Tools 37

38 References > IIA Global Technology Audit Guide, Auditing IT Governance, July 2012 > Implementing IT Governance: A Pocket Guide, Gad Selig, 2008 > IT Governance, Peter Weill and Jeanne W. Ross, 2004 > Business Driven Information Technology, David R. Laube and Raymond F. Zammuto,

39 Tools > Process and Politics: IT Governance in Higher Education, EDUCAUSE Center for Applied Research, 2008 > A Framework for Information Systems Management and Governance, Information Resources Directorate of the University of Strathclyde, 2007 > An Executive Primer Based on the Val IT Framework 2.0, ITGI,

40 Next ACUA IT Webinar Ethical Leadership with ACUA Leads! February 2013 BYOD Party? Bring Your Own Device, Mobile Security, and Data Security Auditing March

41 ACUA MidYear ACUA MidYear Conference April 7-10, 2013 Renaissance Seattle Hotel Seattle, Washington Early registration closes Feb. 20 Register TODAY! acua.org 41

42 Resources ACUA > Promoting Internal Audit: > Listserv: > Forums: Baker Tilly > 42

43 Presenter Contact Info Thank you for participating today! Remember CPE certificates will be ed to you by ACUA Headquarters in about three weeks. Mike Cullen Stephanie Marino

44 Required disclosure and Circular 230 Prominent Disclosure The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan or arrangement to any other party. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International Baker Tilly Virchow Krause, LLP. 44