COBIT Case Study: IT Governance - Financial Audit Department
Government of Dubai Implements a Full Life Cycle for Continuous Improvement
The Financial Audit Department (FAD) is the supreme audit institution of Dubai. This
office is headed by a Director General and reports to the Ruler of Dubai.
The FAD was established by Law No. (1) of 1995, issued by His Highness the Ruler of
Dubai on 29 January 1995, and subsequently amended by Law No. (5) of 2000. A further
amendment, Law No. (3) of 2007, made the FAD more independent by establishing a
direct reporting channel to His Highness the Ruler of Dubai.
The audit jurisdiction of FAD covers all government departments, public corporations,
companies in which the Government shareholding is above 25 percent, organizations for
which the Government provides a financial subsidy, and/or any other body where an
audit is commissioned by His Highness the Ruler of Dubai.
The FAD conducts regular financial audits, information systems audits and performance
audits to ascertain the legality, adequacy of financial prudence and management of
financial operations. The objectives include reviewing the efficiency, effectiveness and
economy of the planning, directing, execution, controlling and monitoring of operations.
Dubai
Dubai is one of the seven emirates in the UAE, which is on the eastern coast of the
Arabian Peninsula in the southwestern corner of the Arabian Gulf. The total area of the
UAE is approximately 77,700 square kilometers.
Dubai’s economic growth from 2000-2005 has been remarkable, with double-digit gross
domestic product (GDP) growth and relatively high per capita income, despite negligible
dependence on oil. The driving force behind Dubai’s economic performance has been the
Government, through investments and other initiatives, supported by the private sector
and guided by the Dubai Strategic Plan 2015. Since the year 2000, Dubai’s real GDP has
been growing at a compounded annual growth rate of 13 percent.
The FAD recognized the need to promote, formalize and improve IT governance
practices within Dubai as the extensive usage of information technology is widely
accepted as an essential component in providing services to citizens, residents and
business entities.
The Government of Dubai has a strong commitment to the use of technology as a
business enabler in achieving its strategic positioning as the business hub of the region.
The direct benefits of this have been realized through greater interaction among
government departments and the ease of doing business in Dubai. The Government has
reinforced its commitment to good corporate and IT governance in order to provide
services, secure information, protect privacy and nurture best practices to meet the
growing challenges of adapting to economic advancement and social change.
Information Systems Audits
To provide assurance on IT governance and encourage the adoption of leading practices
for IT governance within government entities, an information system/technology audit
function has been commissioned since 2000. The following mission statement was
adopted for the Information System Audit section of the FAD.
Mission
To assess whether the governance, control and risk management of information systems:
Safeguard assets
Maintain integrity, confidentiality and availability
Achieve organizational goals effectively
Consume resources efficiently
Comply with the leading practices and applicable regulations
Align with the vision of the Government of Dubai
Benefits of using COBIT as a framework
Most team members of the information systems audit section of the FAD are members and
certified professionals of ISACA, holding the Certified Information Systems Auditor
(CISA), Certified Information Security Manager (CISM) or Certified in the Governance of
Enterprise IT (CGEIT) designation. The team acts as the internal champion for adopting
ISACA/ITGI resources as required.
The Control Objectives for Information and related Technology (COBIT), the IT
governance framework developed by ISACA’s affiliate, the IT Governance Institute
(ITGI), had already been adopted in 2000 as the overall framework for the FAD’s
information systems audit methodology.
The information systems audit section of the FAD recognized the need to be proactive.
Hence, rather than merely using COBIT resources for assurance, the team decided to
promote the best practices of COBIT among its audit community. COBIT provides
control objectives, control practice statements and other resources supporting assurance
processes, serving as a global reference framework and benchmark.
As a significant step, the section pioneered and implemented an IT governance
maturity model assessment as an integral part of all major IS audits from 2001. This is
based on the COBIT maturity model and was a unique audit methodology in the
government sector within the UAE/GCC countries.
The following is the high-level approach diagram of information system audits.
Improving process maturity using COBIT
COBIT-based maturity model assessments and ratings are mandatory components of all
major audit assignments. This requires auditees to adopt the best practices suggested by
COBIT and to demonstrate improved maturity of their IT-related processes. In turn, this
drives internal programs to identify and improve process maturity in prioritized areas
that are supported by the business. The IT governance assessment is supported by an
internally designed tool for arriving at the scores.
An indicative presentation of the overall score and domain scores would be as follows:
[Figure: Overall Score; Domain Scores]
The FAD has undertaken IT governance assessments using COBIT and has introduced the
advantages of COBIT in many Government entities. In many entities, multiple
assessments have been undertaken since 2000. So far, the FAD has carried out more than
40 IT governance assessments using COBIT. The following is a sample list of entities
that have been subject to IT governance assessments, where the best practices of COBIT
have been introduced successfully.
Dubai Customs World
Dubai Health Authority
Dubai Airport Free-zone
Royal Air Wing
Dubai Electricity & Water Authority
Dubai Police
Dubai Municipality
Dubai Duty Free
Dubai World Trade Center
Dubai Chamber of Commerce and Industries
Dubai E-Government
Dubai Civil Aviation (Dubai Airports)
Dubai Financial Market
Roads and Transport Authority
Dubai Land Department
Government Information Resources Planning
Department of Naturalisation & Residency
Department of Economic Development
Dry Dock World
Dubai Gas Company
Emaar Properties
Mercator – Emirates Airlines
Dubai Islamic Bank
Dubai Aluminium (DUBAL)
Emirates National Oil Company (ENOC)
Obtaining senior management support
IT governance assessments promoted the benefits of raising the level of process maturity
as a way of building and sustaining an IT governance culture. To achieve the mission and
objectives most effectively, apart from conducting IS/IT audits, the FAD mooted an
initiative named the Information Technology Governance Assurance Forum (ITGAF).
ITGAF (www.ITGAF.ae) was founded in 2006 as a not-for-profit professional
organization dedicated exclusively to promoting IT governance in Dubai. It was formed
to propagate IT governance and, more specifically, to build, sustain and improve IT
governance practices within the Government of Dubai and its establishments.
Commitment from the Director General (DG) of the Financial Audit Department (FAD)
to the concept of setting up ITGAF followed as a natural outcome of thought
leadership. The DG of the FAD assumed the role of founding chairman of ITGAF and
key sponsor of the initiative. This gave ITGAF the impetus to design, and the authority
to deliver, various programs, making significant progress in pursuing and accomplishing
its stated mission and objectives.
The following have been formally adopted as the mission and high-level objectives of
ITGAF.
ITGAF Mission
To provide support to the boards and executive management of the Government community
on the direction, successful usage and governance of information technology towards
achieving organizational goals
ITGAF Objectives
Promote IT governance practices as an integral part of corporate governance
among the Dubai Government community.
Brainstorm on the leading practices/frameworks for effective IT governance.
Establish a forum of IT decision makers to network and facilitate continuous
improvement on the stated objectives.
Facilitate continuous educational support to the Government Community.
Empower the audit departments of the Government Community by building IS
control/audit strengths.
ITGAF Activities
The following are the highlights of key activities that were undertaken by ITGAF.
1. Conferences: The conferences of 2006, 2007 and 2008 focused on adopting,
implementing and sustaining leading practices in IT governance, respectively.
Presenters at the conferences included IT governance and corporate governance leaders
such as Mr. Erik Guldentops, advisor to the ITGI board, and Dr. Nasser Al Saidi,
Executive Director of Hawkamah, the Institute of Corporate Governance.
2. Workshops: ITGAF propagates COBIT as a model framework by conducting workshops
on a regular basis. It conducted several workshops in 2007 and 2008 on related
topics, including Implementing IT Governance Practices. A workshop titled Using
COBIT for Effective IT Management and Implementing IT Governance was held in
November 2008 and repeated in February 2009.
3. Awards: From 2006 through 2008, ITGAF presented an award to the IT department
within the Government of Dubai that demonstrated the highest level of process maturity
in IT governance. The award is named the “ITGAF Process Maturity Award”. The
criteria for evaluating process maturity are based on the COBIT maturity model
framework. The maturity model scores are collated and evaluated using an
in-house-developed tool for standardized evaluation.
4. In 2008, the FAD developed and rolled out a pilot project to conduct IT governance
maturity model assessments as a Control Self Assessment (CSA) initiative. Once this
project is fully implemented, all Dubai Government departments will assess and report
the outcome of the CSA to the FAD. To support this activity, “Champions” were
identified within all Dubai Government departments, and a workshop was organized to
equip the Champions, who will in turn lead the CSA projects. While this was a pilot
project, it is expected to become a formal activity in 2009. Upon gathering the
feedback, it is expected to be extended to all other entities owned by the Government.
5. The scope, applicability and reach of ITGAF extend beyond one organization. In
effect, the above activities have made a significant contribution towards the adoption
and implementation of good governance practices in government departments and in
more than 40 other major to medium establishments in which the Government of Dubai
has a stake.
6. ITGAF/FAD has an existing Memorandum of Understanding (MOU) with the local
chapter of ISACA for collaborative efforts in the area of IT governance. This has been
in place since 2007. ITGAF, as an initiative, advocates the cause of IT governance and
that of ISACA/ITGI. The following are the stated objectives in the MOU between ITGAF
and the ISACA UAE Chapter.
The Objectives
The ITGAF and ISACA-UAE Chapter share a common goal, namely to promote best
practices in IS and improve upon IS practices related to assurance, control, security and
governance in the region. This goal is supported by the following objectives:
(A) To improve the IT governance practices among government departments and
companies owned by the government of Dubai, thus improving the overall IS
infrastructure and the security of IS assets.
(B) To help develop modern IT-related governance frameworks for entities within
Dubai, UAE, in accordance with international best practices
(C) To disseminate IS knowledge with focus on assurance, control, security and
governance among the entities
The activities
(A) Coordinating and conducting conferences, seminars, roundtables, workshops and
tutorials for dissemination of knowledge
(B) Publishing material related to IS/ IT governance for spreading the knowledge and
to assist in implementation of controls
(C) The cooperation in all activities will be subject to the constitution, relevant bylaws
and policies of ITGAF and ISACA UAE Chapter
7. Since 2001, ITGAF/FAD has designed, developed and delivered customized training
sessions on IT governance, information security, IS audits and preparation for the CISA
examination.
8. ITGAF has announced, and is in the process of gathering and distributing, case
studies on successfully implemented IT governance initiatives within all Dubai
Government establishments.
Roles of the Board of Directors
ITGAF has the following structure. Presently, the chairman, president and vice presidents
constitute the board of directors.
Goals Achieved in enhancing IT Governance Practices
The risk of having no framework governing the use of technology has been addressed.
The next endeavor is to expand the adoption and sustainment of these practices.
The information systems audit/IT governance assessments drive enthusiasm for learning
COBIT. This creates the need for all auditees to develop and acquire skills and
knowledge of COBIT resources. The training initiatives of ITGAF are positioned to fill
the resulting skills gaps through training, workshops and conferences. The ITGAF
Process Maturity Award provides the incentive to demonstrate a high level of process
improvement. Thus, a full life-cycle process for continuous improvement has been put in
place.
According to Mr. Yassir Amiri, Director General of the Financial Audit Department and
Chairman of ITGAF:
“ITGAF is the next step to reiterate our commitment to assure information technology
governance and encourage adopting leading practices for IT governance within
government departments/organizations/companies. I hope these initiatives gain further
momentum in the coming years, and we expand research and educational activities to
lead the thinking and ultimately be in service to the community and region.”
According to Mr. Tariq Al Ghaith, Director of Information Systems Audit and President
of ITGAF:
“Today, for most organizations, success in the achievement of business goals depends
directly on the extent and capability of technology enablement. In such an environment,
governance over technology usage is as critical as any other corporate governance
function. Effective information technology governance helps ensure that it supports
business goals, maximizes business investment in technology, and appropriately manages
information technology-related opportunities and risks.”
Future Landscape
The goals set for implementing the best practices suggested in COBIT within the
Government of Dubai are:
Establish COBIT as the preferred framework of leading practices for the IT
professionals within the Government Departments/Establishments.
Develop CGEIT as the most preferred certification for eligible IT professionals
within the Government Departments/Establishments.
Further propagate the benefits of CISA certification within the Government Audit
Community.
The adoption of COBIT by the Financial Audit Department, the government audit
department of Dubai, has created a need for auditee management to know, understand
and use COBIT resources within the IT and business community. In turn, this has led to
the wide acceptance and practical adoption of COBIT best practices among auditee
entities within the Government of Dubai. Many of these organizations have adopted the
COBIT framework, in principle, as a de facto standard.
Future plans focus on positioning ITGAF as a leading provider of educational programs
on IT governance within the Government community across the MENA (Middle East
and Northern Africa) region and on propagating the benefits of COBIT as an ideal IT
governance framework.
In addition, ITGAF will make best efforts to contribute to and work with ISACA’s local
chapter on the next steps for sharing the benefits of ITGI/ISACA publications in the
promotion and propagation of IT governance best practices. A COBIT User Convention
among the Dubai Government departments/entities is under consideration, slated for
2010.
Case Study Disclaimer
This case study is intended for informational purposes only. The advice, opinion,
statements, materials and other information expressed and contained in this case study are
solely those of the authors and do not necessarily reflect the views, policies or opinions of
ISACA or the IT Governance Institute (ITGI). ISACA/ITGI is not responsible for the
accuracy, currency, completeness, reliability or usefulness of any advice, opinions,
statements or content contained in the case study and makes no claim that use of the case
study will assure a successful outcome.
Questions:
• Please summarize the case
• What’s generating all of the extra project requests?
• What problems arise from over-commitment?
• What’s your assessment of the company’s IT Governance?
Source:
http://www.itgi.org/Template_ITGI.cfm?Section=Case_Studies1&CONTENTID=50152&TEMPLATE=/ContentManagement/ContentDisplay.cfm