Moving Forward with IT Governance and COBIT




Moving Forward with IT Governance and COBIT
Los Angeles ISACA COBIT User Group, Tuesday, 27 March 2007

Slide 1. IT GRC Questions from the CIO
Today's discussion focuses on the typical challenges facing the CIO around IT Governance, Risk and Compliance Management and provides practical solutions to address them.
Questions:
- How can I reduce compliance costs?
- How do I move to a risk-based approach to compliance?
- How can I better manage the thousands of risks we are assessing and provide management a roll-up view?
- How can I take credit for progress made today yet still show management there is more to be done?
- How can I improve consistency while allowing freedom in the field?
- Are we making good decisions?

Slide 2. Our Perspective - Cost Reduction
Question: How can I reduce compliance costs?
Driver: Audit, SOX team, Compliance Dept., Information Security and Business Continuity are all asking similar questions of the same groups. Compliance costs continue to spiral upward.
Deloitte's Perspective: Assess Once, Test Once; Integrated Assessment Programs; COBIT Aligned Risk Catalog; Common Information Repository.
[Illustrative Testing Screen]
Case Study Solution Highlights:
- Take credit for all the testing you are already doing; centralized planning with a 365 Day Compliance Calendar
- Provides a single view of risk and compliance requirements
- Internal Audit, External Audit and Self Assessment use the same test procedures and understanding of risk and compliance requirements
- Optimized sampling reduces the overload of testing
- Risk-based auditor reliance on self assessments

Slide 3. Case Study Highlights
[Illustrative screen: Source and Source Text mapped to an Integrated Requirement that is COBIT aligned.]

Slide 4. Case Study Highlights
[Illustrative screen: Integrated Requirement; COBIT Aligned Control Objective; individual requirement sources used to develop the integrated requirement.]
Cost Reduction Strategy: because multiple requirements are mapped to a single integrated requirement, you can test once and satisfy many.

Slide 5. Our Perspective - Risk-Based Approach
Question: How do I move to a risk-based approach to compliance?
Driver: Regulatory and audit demands. Just ticking boxes, not understanding true business risk.
Deloitte's Perspective: Risk-Based Framework; risk-based approach to compliance; Control Baseline; Common Risk Language.
[Illustrative Risk Assessment Screen]
Case Study Solution Highlights:
- Standards-based risk methodology (ISO 13335, AS/NZ 4360)
- Tangible and measurable risk rating scale used by multiple parties (ERM, Audit, Self)
- Qualitative and quantitative measurements
- Compliance criteria determined after controls are selected based on risk assessment results
- Consider impact and likelihood across multiple dimensions (Financial, Reputation, Contracts, Regulatory, Operations, People)
- Information & Technology risks managed in functional risk areas (18 areas)

Slide 6. Our Perspective - Top Down and Bottoms Up
Question: How can I better manage the thousands of risks we are assessing and provide management a roll-up view?
Driver: The volume of important risks grows as you move down the organization (from board to line). Demand for alignment of business goals with the self assessment process.
Deloitte's Perspective: Need both Top Down and Bottoms Up. Key Risks and KRIs for Top Down (Board and Sr. Mgmt); self assessment using both workshops and questionnaires for Bottoms Up (Line Mgmt). The actual dashboard display will be driven by the choice of solution.
Case Study Solution Highlights:
- A business view of what is most important to monitor from a risk perspective
- Manages to expected losses, not unexpected losses
- Monthly reports with drill-down capabilities
- Ability to turn detailed, disparate data into actionable management information
- Custom reports on management hot spots
- Trending, analytics and data aggregation
- Insight into the effectiveness of control spend and where more or less spend may be needed
- Integration with golden source feeds for automation

Slide 7. Case Study Highlights
[Dashboard screen: Key Risks, showing Malicious Code & Virus.]

Slide 8. Case Study Highlights
[Chart: month over month trending; the reason for improvement (better process) is noted.]

Slide 9. Our Perspective - CoBIT-based Diagnostics
Question: How can I take credit for progress made today yet still show management there is more to be done?
Driver: The CEO and Board want to know where we stand from a GRC perspective. Management spend on GRC needs to be defended.
Deloitte's Perspective: CoBIT-based Diagnostics; CMMI Continuous Improvement Rating Scale; Risk and Compliance Operating Framework with sourced diagnostics.
Case Study Solution Highlights:
- Operating Framework Template for Information & Technology Governance, Risk and Compliance (GRC)
- GRC Organizational Model Template
- CoBIT-aligned RACI Model for GRC roles
- CoBIT-aligned CMMI diagnostics for each GRC area to show current and target state
[CMMI CoBIT-Based Diagnostic Template screen]

Slide 10. Case Study Highlights
We start with the COBIT 4.0 organizational model to establish roles, responsibilities and interactions for each core activity and process.
Example: Risk Management Domain with RACI Model
Roles (columns): CEO, CFO, Business Executive, CIO, Head Operations, Business Senior Management, Chief Architect, Head Development, Head IT Administration, PMO, Compliance/Audit/Risk/Security.
Risk management activities (rows):
- Determine risk management alignment (e.g., assess risk).
- Understand relevant strategic business objectives.
- Understand relevant business process objectives.
- Identify internal IT objectives and establish risk context.
- Identify events associated with objectives.
- Assess risk associated with events.
- Evaluate risk responses.
- Prioritize and plan control activities.
- Approve and ensure funding for risk action plans.
- Maintain and monitor a risk action plan.
[RACI grid: the A, R, C and I assignments per role and activity were a table on the slide and are not recoverable from this transcription.]
Legend:
(A)ccountable - the person who provides direction and authorizes an activity.
(R)esponsible - the person who gets the task done.
(C)onsulted - involved in the process.
(I)nformed - knowledgeable and supports the process.

Slide 11. Case Study Highlights - Risk Management maturity diagnostic
Maturity scale (columns): Non Existent (0), Initial/Ad Hoc (1), Repeatable (2), Defined Process (3), Managed (4), Optimized (5).
Activities rated (rows):
- Determine risk management alignment (e.g., assess risk).
- Understand relevant strategic business objectives.
- Understand relevant business process objectives.
- Identify internal IT objectives and establish risk context.
- Identify events associated with objectives.
- Assess risk associated with events.
- Evaluate risk responses.
- Prioritize and plan control activities.
- Approve and ensure funding for risk action plans.
- Maintain and monitor a risk action plan.
- Establish and execute a process to identify, quantify, and prioritize IT risks (i.e. a risk assessment process).
- Determine guidelines and procedures for mitigating and treating risks.
- Establish risk acceptance criteria.
- Develop appropriate controls to reduce and/or transfer risks.
Legend: 2007 Current State; 2008 Target State.
[The current-state and target-state markers were plotted graphically on the slide and are not recoverable from this transcription.]

Slide 12. Our Perspective - Common Framework
Question: How can I improve consistency while allowing freedom in the field?
Driver: Regulatory and audit demands. Conflicting results reported at Board level. Demand for risk and control decision-making autonomy in the field.
Deloitte's Perspective: Single Framework; prescriptive minimum baseline; Global, Regional and Local roles; Reference Architectures (i.e., Configuration Items in ITIL); Self Assessment Process Template.
Case Study Solution Highlights:
- End-to-end self assessment process
- Templates for roles and workflow
- Technology enabled
- Provides a common repository of risk requirements and risk responses
- Leverages Reference Architectures for baseline control decisions and allows for documented deviation
- Allows for independent and automated QA
- Tracks progress and automates escalation
- System-supported sign-off of results

Slide 13. Our Perspective - Decision Support
Question: Are we making good decisions?
Driver: Business demands a transparent method to reward risk mitigation. Backlash against best practice standards that aren't operationally sustainable.
Deloitte's Perspective: Analytic Decision Support; Business Unit discretion on control selection; risk analytics provide a cost-benefit business case for decisions.
Case Study Solution Highlights:
- Aggregate loss model that ties likelihood and impact of risk materializing together
- Business-unit level risk distributions can be developed
- Transparent cost-benefit of mitigation strategies
- Business decides the right risk-reward balance
- COBIT 4 aligned control objectives
[Illustrative Risk Response Screen]
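As an added illustration that is not part of the Deloitte deck, the following Python model shows the aggregate loss idea above in working form: each risk's expected annual loss is likelihood times impact summed over the dimensions from the risk-based approach slide, a proposed control is adopted only when the loss it avoids exceeds its cost (otherwise the business accepts the risk at inherent level), and the results roll up per business unit with a high/medium/low rating before and after the decisions. Business units, risk names, figures and rating thresholds are constructed sample values.

```python
from dataclasses import dataclass
# Impact dimensions listed on the risk-based approach slide; constructed H/M/L thresholds on annual expected loss.
DIMENSIONS = ("Financial", "Reputation", "Contracts", "Regulatory", "Operations", "People")
HIGH, MEDIUM = 500_000, 100_000


@dataclass
class Risk:
    name: str
    business_unit: str
    likelihood: float      # inherent expected occurrences per year
    impact: dict           # dimension -> loss per occurrence (currency units)
    control_cost: float    # annual cost of the proposed mitigation
    likelihood_cut: float  # fraction of likelihood the control removes (0..1)
    impact_cut: float      # fraction of impact the control removes (0..1)

    def impact_total(self) -> float:
        return sum(self.impact.get(d, 0.0) for d in DIMENSIONS)  # unknown dimensions are ignored

    def inherent_loss(self) -> float:
        return self.likelihood * self.impact_total()  # expected annual loss with no control

    def residual_loss(self) -> float:
        # Expected annual loss after the control trims likelihood and/or impact.
        return self.likelihood * (1 - self.likelihood_cut) * self.impact_total() * (1 - self.impact_cut)

    def net_benefit(self) -> float:
        # Loss avoided minus control cost; negative means the control does not pay for itself.
        return self.inherent_loss() - self.residual_loss() - self.control_cost


def rate(expected_loss: float) -> str:
    return "High" if expected_loss >= HIGH else "Medium" if expected_loss >= MEDIUM else "Low"


def roll_up(risks) -> dict:
    # Per business unit: inherent loss, loss after adopting only controls with positive net
    # benefit (others stay inherent, i.e. the business accepts them), adopted spend, ratings.
    units = {}
    for r in risks:
        u = units.setdefault(r.business_unit, {"inherent": 0.0, "decided": 0.0, "spend": 0.0})
        adopt = r.net_benefit() > 0
        u["inherent"] += r.inherent_loss()
        u["decided"] += r.residual_loss() if adopt else r.inherent_loss()
        u["spend"] += r.control_cost if adopt else 0.0
    for u in units.values():
        u["inherent_rating"], u["decided_rating"] = rate(u["inherent"]), rate(u["decided"])
    return units


SAMPLE_RISKS = [  # constructed sample register, not data from the presentation
    Risk("Malicious code & virus outbreak", "Retail", 2.0,
         {"Financial": 150_000, "Operations": 200_000, "Reputation": 50_000}, 120_000, 0.75, 0.0),
    Risk("Third-party contract breach", "Retail", 0.2,
         {"Contracts": 300_000, "Regulatory": 100_000}, 90_000, 0.5, 0.0),
    Risk("Privileged access misuse", "Treasury", 0.5,
         {"Financial": 500_000, "Regulatory": 400_000, "People": 100_000}, 150_000, 0.6, 0.5),
]
```

With the sample register, the contract-breach control costs more than the loss it avoids, so the roll-up keeps that risk at its inherent level while Retail still drops from a High to a Medium rating.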

Slide 14. Conclusion
COBIT is one of the major ingredients companies use to achieve these objectives:
- A single view of business requirements.
- A common risk language (e.g. inherent, target and residual risk) and definition of high, medium, low risk.
- A process for aligning multiple stakeholder agendas.
- An IT Risk and Compliance Program integrated with ERM.
- IT Risk and Compliance Office established with supporting roles and responsibilities defined.
- A consistent way to define, engineer and assess the environment through reference architectures.
- A repository of collaborative risk decisions.
- Ability to test and report consistently across a global enterprise.
- Ability to validate control design and effectiveness of outsourcers and third parties.
- Business-aligned control decisions.
- Risk-based approach to compliance.
- Issue and corrective plan tracking.
- Ad-hoc and audience-specific reporting.
- A 365 day risk and compliance calendar to keep stakeholders aware of activities.

Slide 15. 7:15-7:30 Q&A Session

Slide 16. About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of approximately 135,000 people worldwide, Deloitte delivers services in four professional areas (audit, tax, consulting and financial advisory services) and serves more than one-half of the world's largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein, and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas.
As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu, or other related names.
In the US, Deloitte & Touche USA LLP is the US member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the US member firm are among the nation's leading professional services firms, providing audit, tax, consulting and financial advisory services through nearly 30,000 people in more than 80 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel.
For more information, please visit the US member firm's web site at www.deloitte.com/us.