www.pwc.com/cy

Benchmark of controls over IT activities
2011 Report
ABC Ltd... 2012
Scope and approach

We wish to provide you with our IT Benchmarking report over IT activities at ABC Ltd (the Company), prepared with the use of our PwC Benchmarking tool. The benefit to you from this benchmarking report is to:

- Understand why IT systems are not delivering quality, value, effectiveness and efficiencies.
- Provide insight into how your IT controls compare against your peers and industry within Europe.
- Improve the understanding of IT at Board and/or Audit Committee level.
- Assist you in preparing a comprehensive road map for improvement.

The IT focus areas covered include:

- Systems Quality;
- Systems Support and Change;
- IT Operations;
- Information Security.

The areas of Strategic Decision Making, IT Governance and IT were not addressed, as those areas were outside of our scope.

We have identified the areas where our clients, as a whole, tend to encounter risk and control issues with IT. We have considered the controls ABC Ltd operates in each of the in-scope areas and rated them on the following 0-4 scale:

0 - No effective controls in the area;
1 - Some controls, with significant gaps or problems with their operation;
2 - Controls are broadly adequate, with still some gaps; the controls do not come up to good practice levels;
3 - Controls are at good practice level; and
4 - Controls that are better than generally accepted good practice.

The ratings are based on professional judgement and are subjective / qualitative ratings rather than ratings based on objective, quantifiable statistics. Good practice as defined by PwC is continually evolving, based on industry standards such as COBIT, ITIL and ISO27001, regulatory rules and PwC experience. More rigorous processes may therefore be needed in future to maintain this year's scores.

We have compared our ratings for ABC Ltd with those for Europe to give an idea of how we perceive the controls in place compared to others in the sector. Our benchmark database contains "audited" data, built up from equivalent reviews at other clients. ABC Ltd data is included in the database. All client data is anonymised and shown only on an aggregated basis, with no fewer than 10 clients in any comparison data set.

As with all benchmarks, the analysis should be treated as indicative rather than comprehensive. Different companies may exhibit different risk profiles and may require different levels of control over their IT activities. In addition, in any organisation there needs to be a balance between cost and control. Consequently, there is not a single correct level of control for companies.

PwC accepts no liability to any other party into whose hands it may come.

PwC Page 2 of 5
Overall Benchmark Results
Glossary for the Benchmarking report

Reference: Description

COBIT: The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996.

ITIL: The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for managing Information Technology (IT) services (ITSM), IT development and IT operations.

ISO27001: ISO/IEC 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements.

2011 Report Desired: Desired maturity level of controls for 2011.

2011 Report Current: Current maturity level of controls for 2011.

Top Quartile / Second Quartile / Third Quartile / Bottom Quartile: Indication of where each quartile starts and finishes, based on the benchmarking data and the criteria selected (i.e. industries, countries within the Europe zone, markets, legal structure, etc.).

Blank area: Area where no benchmarking data is available yet.

Question: Questions asked to identify the current level of controls over IT activities.

Potential Impact Rating: What level of business impact would arise if the controls were to fail (Medium, Low).

Desired Control: How strong the organisation would like the control to be.

Current Control: How strong the control implemented at present is.

Reasons for the current rating: A brief summary of our findings.

Possible Development Areas: Actions to be considered by management for implementation, according to the Desired Control rating.

Not applicable (N/A): No information was collected for this area, or it does not apply to your organisation.
Detail Road Map

Columns: Area | # | Section | Impact Rating | Current Control | Road Map Priority | Time For Completion | Cost Involved | Yes/No

Systems quality
| 4.1 | Systems Quality and Business Intelligence | Medium | 2.50 | Low | | | |
| 4.2 | Data Quality | | 1.75 | Medium | | | |
| 4.3 | End-user Computing | Medium | 2.00 | Medium | | | |
| 4.4 | Project and Benefits Realisation | | 1.00 | | | | |

Systems support and change
| 4.5 | Acquiring and developing new technologies | Medium | 1.50 | Medium | | | |
| 5.1 | Systems Support Capability | | 1.75 | Medium | | | |
| 5.2 | Change Process | | 1.50 | | | | |
| 5.3 | Promotion (and access) to live environment | | 1.75 | Medium | | | |

IT Operations
| 6.1 | Physical Data Centre Security | Medium | 2.50 | Low | | | |
| 6.2 | Service Delivery and Problem | Medium | 1.50 | Medium | | | |
| 6.3 | Disaster Recovery and Continuity Planning | | 1.50 | | | | |
| 6.4 | Data Retention | | 1.50 | | | | |

Security
| 7.1 | Security | | 1.00 | | | | |
| 7.2 | Security Awareness and Training | | 1.50 | | | | |
| 7.3 | Identity and Access | | 1.00 | | | | |
| 7.4 | Monitoring unusual and privileged access | | 1.00 | | | | |
| 7.5 | Threat and Vulnerability | | 0.75 | | | | |
| 7.6 | Data Loss Prevention | | 1.50 | | | | |

The Time For Completion, Cost Involved and Yes/No columns are blank in this report and are to be completed by management.