IT Governance Methodology in Practice
Marcel Hasan
BADM 458, Fall Semester, Section UG
Dr. Michael J. Shaw
December 15, 2008
Information Technology (IT) has developed into a vital business function for almost all companies. IT has moved from the simple idea of keeping up with advances in technology to providing critical value to a company. Nearly all companies have incorporated IT and have been using it to run their business more efficiently for quite some time.
Initially, the use of IT within an organization provided a distinct competitive advantage over its industry competitors. The importance of IT grew rapidly, and it soon became a standard practice that everyone participated in. That growth was important, yet IT is still in the early stages of demonstrating its organizational value. One main issue in IT today is the emergence of several compliance initiatives such as the Sarbanes-Oxley Act. Another is the struggle to clearly identify the business value that IT provides to an organization. Putting a value on IT and successfully complying with all control objectives are both very important concepts in the world of IT, and the idea of IT governance addresses both. IT governance is centered on compliance standards as well as on placing a value on IT processes for a given business. IT governance also specifies decision rights and helps achieve the desired behavior in the use of IT. These are only a few of the reasons IT governance has developed into an important practice in the IT world.
In this report I hope to establish the importance of IT governance and how it has transformed the IT environment for the better. I will begin by explaining what IT governance is, why it is important, what its goals are, and what types of processes are associated with it. My aim is to go into a fair amount of detail when describing some current IT governance methods and frameworks that are in practice. These frameworks are Control Objectives for Information and related Technology (COBIT) and the Information Technology Infrastructure Library (ITIL). I will discuss the main goals and objectives of each framework, provide a detailed description of each, and describe how each supports IT governance. Alongside those two frameworks I would also like to touch upon some IT compliance standards that are currently in place. The two I will refer to in my report are the Sarbanes-Oxley Act (SOX) and the Committee of Sponsoring Organizations (COSO). Both SOX and COSO have greatly affected IT and its use in organizations and have a strong connection with the notion of IT governance. For SOX and COSO I do not plan to go into as much detail as for the IT governance frameworks, but I will explain what each is and what its goals and objectives are with respect to IT. To begin, however, I will take a close look at IT governance and its importance.
IT governance is defined as “the process by which decisions are made around IT investments” (Shaw). The following excerpt provides a more detailed description of IT governance and its relation to organizational strategy:
“IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives” (Shaw). Both definitions make the point that IT governance is an important part of an organization. The main idea behind IT governance is to ensure that IT is aligned with the company’s overall strategy and goals. If IT governance is not firmly embedded in the business strategy and objectives of a company, then it will be difficult to measure the value of IT and, consequently, to use IT as part of the business process. The definition of IT governance provided above also helps explain why it is important: IT governance can be engraved within the company’s objectives and goals, and once this is done the company is able to use IT in a way that ties it to its other functions. As a result, the company is able to derive a great amount of value from its IT roles. But to reach IT governance a company must first assess which processes will get it there and how they are connected to IT governance, as shown in Figure 1.
Figure 1: IT Governance and IT functions
Figure 1 illustrates the importance of IT governance by depicting it as the centerpiece among IT functions such as security management, risk management, and audit. All three of these functions make up IT governance and are tied to each other. Security management, risk management, and audit are some of the ways that companies apply their capabilities to reach IT governance. From this point an organization can align its overall strategy and objectives with IT governance and further apply its resources toward generating greater business value.
IT governance has four main objectives: accountability, risk management, performance measurement, and IT value and alignment. IT governance attempts to establish accountability as a way to assign responsibility to IT management. By doing this a company is able to determine who is accountable for the return on investment of particular IT projects. Accountability helps define boundaries of responsibility within IT and delivers credibility for its IT information and controls. Risk management is the objective of IT governance that keeps track of security risks, risks associated with particular projects, and the recovery and resiliency of systems. By managing risk under IT governance, an organization can more easily determine which future IT projects are riskier to undertake and which will provide the most value for the company. The performance measurement objective implements an IT Balanced Scorecard as a way to measure IT value, operational effectiveness, and future orientation. IT governance establishes performance measurement as an objective so it can address one of the main issues within IT: the struggle to accurately measure the business value of IT systems. The final objective of IT governance is IT value and alignment, which restates the definition of IT governance given earlier. This objective is used by a business to actively adopt IT projects that are strongly aligned with its strategy and goals. IT governance pursues these four objectives as a way to provide accountability for IT together with risk, performance, and value assessments.
There are several different processes associated with IT governance, all of equal importance. These processes include IT portfolio management, service-level agreements, chargeback mechanisms, and IT demand management. All four are approaches a company can pursue to achieve IT governance at an organizational level. IT portfolio management “consists of IT asset management, project portfolio management, and application portfolio management” (Shaw). It is used to manage a large collection of projects, applications, and systems within a company. Service-level agreements “articulate what service(s) IT is providing to the user, at what service level, and at what cost” (Shaw). They allow a business to define precisely what IT services it provides to its users and customers and what cost is associated with those services. Chargeback mechanisms “chargeback the costs of shared services to the business units that consume them” (Shaw). They are processes that help a company identify the costs associated with the use of IT services by the business units it supports. IT demand management is a process that “handles demands for IT resources through a single point” (Shaw). It channels the demands for IT services through a single point, which makes it easier to respond quickly to varying levels of demand. Now that the importance, goals, and processes of IT governance have been established, I will evaluate the different frameworks associated with IT governance, beginning with COBIT.
The Control Objectives for Information and related Technology (COBIT) has many objectives that apply to IT governance. The following excerpt helps define the main objectives that are linked to COBIT:
“COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company” (Shaw). This definition emphasizes that COBIT affects many people and is a type of control that helps to underline the actual benefit of practicing selected IT processes in a company. The COBIT framework explains how IT delivers the information and data a company needs in order to achieve its goals. The goal of COBIT is to help maintain IT control as a way to gain further profitability in a dynamic environment. COBIT sets out a system of control objectives, discussed later, as a way to develop insight toward clearly defining policies and practices for IT controls. One of the priorities of COBIT is to align its controls with a company’s strategy, as the following excerpt explains:
“Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system” (Shaw). This highlights the importance of COBIT with regard to management. COBIT provides managers with vital information that allows them to use IT resources more effectively and ensure that the performance of their IT systems consistently meets expectations. As a control, COBIT aims to optimize IT-enabled investments, ensure the delivery of IT services, and provide a measure for judging the importance and value of IT within an organization. COBIT is used by businesses to create a link between IT and business processes, define management objectives, identify IT resources and services, and organize IT capabilities into a common process model.
COBIT is a set of best practices for IT management created by the Information Systems Audit and Control Association (ISACA), which first published it in 1996, and later maintained together with the IT Governance Institute (ITGI). COBIT is used to join IT and business processes through the exchange of vital information and is organized around thirty-four high-level control objectives, one for each IT process, grouped into four domains. The four domains of COBIT that contain its control objectives are Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The Plan and Organize (PO) domain involves defining a strategic IT plan and direction, managing IT investments, defining IT processes, and managing projects. The Acquire and Implement (AI) domain involves identifying automated solutions, acquiring and maintaining technology infrastructure, procuring IT resources, and installing solutions and changes. The Deliver and Support (DS) domain involves defining and managing service levels, managing performance, training users, managing data, and managing operations. The Monitor and Evaluate (ME) domain involves monitoring IT processes and internal controls, ensuring regulatory compliance, and providing IT governance. Through these four domains COBIT uses its control objectives to assess strategic planning and goals, realize the value of the IT strategy, deliver and manage services effectively, and assess IT processes over time.
With its four-domain structure, COBIT is able to provide benefits at many different levels of an organization. Managers, for example, benefit from COBIT because it provides them with a solid basis for making IT-related decisions and investments. Managers can use COBIT to make important IT-related decisions more quickly and more effectively, and they can also evaluate IT investments in greater detail. The following passage outlines how COBIT benefits IT users:
“IT users benefit from COBIT because of the assurance provided to them if the applications that aid in the gathering, processing, and reporting of information comply with COBIT, since it implies controls and security are in place to govern the processes” (Shaw). Thus, IT users benefit from COBIT because it helps govern the many different processes they employ in gathering and processing information. The governance COBIT provides reassures IT users that their methods of reporting information comply with IT controls and standards. COBIT also benefits auditors because it allows them to identify IT control problems within a business easily and to confirm their findings more thoroughly and more quickly.
COBIT uses its benefits and structure to support IT governance. COBIT has gained a great deal of acceptance and recognition for compliance with various IT regulations and legislation. Its framework is very comprehensive and provides a company with a strong auditing and controls perspective.
Figure 2: COBIT supporting IT governance
Figure 2 illustrates that COBIT supports IT governance on a number of levels. The following quotation helps to describe exactly how COBIT supports IT governance:
“COBIT supports IT governance by ensuring: IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risks are managed appropriately” (Fransen and Harjani). COBIT is therefore an important control for IT governance because it ensures that a company’s business and IT processes coincide with one another and provide value to the business. COBIT also helps a company maximize the benefits of its IT services and ensures that any IT risks management encounters are managed correctly. Through the COBIT framework, IT governance can address the pressing issues of the IT world, such as measuring the business value of IT functions and consistently complying with legislated standards and regulations. In this respect, COBIT has developed into a framework that uses a strong control perspective to align IT processes with business needs and provide benefits at varying levels of an organization. Through these aspects COBIT is able to support the role IT governance plays within industries.
The second control framework I have chosen to evaluate is the Information Technology Infrastructure Library (ITIL), in particular version three, which deals with information technology service management (ITSM). ITIL is used to assess the value of IT and use it to solve the complex business problems a company encounters. There are many challenges to IT in an organization, including providing services instead of delivering IT products, establishing a business relationship, enabling a stable service, solving business challenges, and putting less emphasis on technology. ITIL “was created to address the challenges of managing IT” (Goebel and Kula). ITIL is process driven and primarily focused on defining best practices for managing IT service levels. ITIL version two was focused on IT-to-business alignment, whereas the current ITIL version three is focused on IT-to-business integration. Version three has moved to a service lifecycle approach whose objectives include devising an IT service strategy, designing the services that realize that strategy, building and deploying the service, maintaining day-to-day IT service operations, and pursuing continual service improvement. ITIL has a “strategic emphasis and requires strong IT governance” (Johnson). This shift from version two’s linking of IT with business strategy to version three’s stronger emphasis on service management allows better management of IT and the wide variety of challenges related to it. ITIL is closely associated with IT governance and is used to build stronger service level management within companies as a way to better understand the value of IT services as a business process.
ITIL is described as the “world wide de facto standard for IT Service Management” (Goebel and Kula) and was developed in the United Kingdom by the Office of Government Commerce (OGC). ITIL offers certification to consultants and practitioners who wish to obtain it and has its own international user group, the IT Service Management Forum (itSMF). ITIL offers organizations a way to manage their IT services. ITIL is also “complementary to, rather than competing with COBIT” (Shaw). This complementary relationship between COBIT and ITIL is essential because, rather than competing with one another over IT governance, the two control frameworks can work together to help companies achieve greater IT compliance and value. ITIL version two is composed of eight books, as illustrated in Figure 3 below; version three reorganizes this material into five lifecycle volumes (Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement).
Figure 3: The eight ITIL books
ITIL uses its eight books to bind the business and technology aspects of an organization within a service management perspective. The eight books include the initial plan to implement service management within an organization, a business perspective from the business side, and an infrastructure management view from the technology side. Service management itself sits between business and technology because it applies to both sides and encompasses service delivery and service support. Security management is an important concept and is placed closer to the technology side, since it addresses the more technical matters of security and risk assessment. Finally, applications management connects the business and technology sides, much like the initial plan to implement service management.
The reasoning is that applications matter to both sides, since they are used and applied on the business side and supported and maintained on the technology side. With these eight books, ITIL is able to depict an ideal service management arrangement for an organization, one that provides business value through its IT services.
ITIL complements COBIT and helps companies achieve IT governance, which further allows them to use their IT capabilities to provide business value. In version two ITIL was focused on aligning business values with IT functions, similar to COBIT. This business alignment addresses the main issue I brought up earlier: how to determine the value of IT processes. ITIL version three transitioned toward providing a better way to manage IT services within a business. Essentially this new approach of ITIL consists of “repeatable, documented processes that are essential to improving IT service delivery and management” (Goebel and Kula). This perspective coincided with the idea that IT services, such as support centers, were essential parts of a company and had to be organized into a fluid, value-driven process. To do this ITIL approaches service management with a set of processes that stress repetition and documentation as the way to achieve improved service management. ITIL “provides an effective foundation for quality IT service management” (Goebel and Kula). In this sense, ITIL is able simultaneously to complement COBIT and to improve an organization’s IT service management, adding value to its IT functions and supporting IT governance as a whole. After examining the control frameworks of COBIT and ITIL I will now briefly elaborate on some of the IT regulations and standards currently in place. In particular, I will focus on SOX and COSO, since both pursue similar goals and have greatly affected IT governance.
The Sarbanes-Oxley Act (SOX) was enacted in 2002 and was named after Senator Paul Sarbanes and Representative Michael Oxley. SOX was created to address the fraud revealed in cases like Enron, Adelphia, and MCI (formerly WorldCom). Other reasons include quarter-to-quarter growth figures that were misleading and portrayed strong investment opportunities when there were none, and the incentive-based contracts enjoyed by executives, which led some of them to devise strategies that made the company’s stock price appear safe when it was not. SOX was thus enacted to address these issues by specifying that “internal controls over financial data must be maintained, audited, and reported” (Fransen and Harjani). SOX was passed to combat corruption in the reporting of financial data and to protect investors. SOX is composed of eleven titles that are further broken down into sections. Two sections within SOX that are worth noting are Section 302 and Section 404. Section 302 “requires a suitable framework for internal controls to be established and maintained” (Shaw). By ‘suitable’, SOX is referring to a framework that is free from bias, consistent, complete, and relevant. One way that companies achieve this is through COSO, which will be discussed later. Section 404 states that all annual reports must contain an internal control report as well as a statement of the internal control framework chosen in the design of the internal controls. Section 404 stresses the importance of assessing the effectiveness of internal controls and the responsibility of management to maintain them.
Implementing a top-down, risk-based approach is critical to addressing Section 404 of SOX effectively. This type of implementation requires performing a risk assessment, scoping work based on risk, developing sound testing strategies, and identifying the company’s internal controls. The diagram in Figure 4 illustrates a basic set of functions that an organization must address when deploying SOX solutions.
Figure 4: SOX Compliance
Organizations that pursue SOX compliance have an opportunity to strengthen their internal control environment and create more consistent, effective, and cost-efficient IT processes. Altogether, SOX compliance enables a company to strengthen its financial reporting process and internal control structure. IT governance is relevant to Sarbanes-Oxley because it establishes a framework of internal controls within an organization that are free from bias, contain consistent qualitative and quantitative measurements, and are relevant to the controls over financial reporting, which is a practice that many leading companies follow in today’s markets. Since SOX compliance deals with the accurate reporting of financial results, I will now introduce the control framework associated with controls over financial processes, COSO.
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission publishes a control framework that is similar to COBIT, but while COBIT focuses on IT, COSO focuses on financial reporting. Several organizations make up COSO, including the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the American Accounting Association (AAA). COSO is a private-sector organization that focuses on improving the quality of financial reporting through business ethics, internal controls, and corporate governance. COSO provides vital guidance on fraud, internal controls, and enterprise risk management. IT governance plays an important role in COSO because almost all financial reporting done by companies is carried out through IT. Since COSO involves establishing a set of internal controls to prevent fraudulent financial reporting, it is crucial that IT governance is established within the company at the same time so that the company can achieve full compliance.
In conclusion, IT governance has developed into a concept that is changing many industries. IT governance addresses the issues of putting a business value on IT and of complying with established standards and regulations like SOX. COBIT is a control framework that is IT focused, while COSO is a control framework focused on financial reporting, but the two complement each other and both involve IT governance. ITIL is a control framework, now in its third version, that attempts to address the issues organizations face with regard to information technology service management. While each of these control frameworks has its specific functions, they still manage to coincide with one another and together are able to deliver IT governance. Through managing IT governance an organization is able to fully understand the business value that IT provides and also gain the knowledge behind important IT-related legislation and regulations.
Works Cited
Figure 1. NoticeBored. n.d. IsecT Ltd. Accessed 13 November 2008. http://www.noticebored.com
Figure 2. Phoenix Business and Systems Process. n.d. Phoenix Business and Systems Process, Inc. Accessed 13 November 2008. http://www.pbandsp.com/
Figure 3. ITIL-ITSM. n.d. Six Apart, Ltd. Accessed 13 November 2008. http://itil-itsm.groups.vox.com/
Figure 4. WolffTech. n.d. WolffTech LLC. Accessed 13 November 2008. http://www.wolfftechllc.com/
Fransen, Clint, and Anil Harjani. “IT Governance and Controls.” Wohlers Hall, U of Illinois at Urbana-Champaign. 3 September 2008.
Goebel, Alex, and Michael Kula. “Introduction to ITIL V3.” Wohlers Hall, U of Illinois at Urbana-Champaign. 8 October 2008.
Johnson, Brian. “ITIL V3: What’s in it for me?” Course notes, IT Governance, Department of Business Administration, U of Illinois at Urbana-Champaign. 17 September 2008.
Shaw, Michael J. “Lecture Summary: IT Governance and Control.” Course notes, IT Governance, Department of Business Administration, U of Illinois at Urbana-Champaign. 10 September 2008.