AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUMTM is proudly sponsored by KPMG Current State There have been a number of high-profile instances where processes that govern the integrity of information technology operations (IT governance) are not sufficiently effective to guard companies against serious financial loss. Companies have damaged their operations and negatively impacted revenue recognition, profit, and reputation by compromising the integrity or availability of their information as a result of problems associated with IT system implementations. Good Corporate governance (and King III) outline the role that Audit Committees should play in improving IT Governance. In two recent surveys, 30% of respondents indicated that they were not satisfied with the amount of time that audit committees spend on oversight of IT risk while only 9-11% were “Very satisfied’’ The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 2 Current State (cont.) Many organisations are struggling with: • Poor alignment of IT resources against business goals • Lack of demonstrative value from IT investments • Business and / or technology change • Dissatisfaction with IT function and the level of service it provides • The implementation of compliance legislation • IT projects exceeding time and financial budgets • IT risks and control responsibilities poorly defined The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 3 A definition of IT Governance IT governance is a set of business processes that impose management and control disciplines on IT activities to help ensure the integrity and protection of IT operations and the achievement of targeted business goals. It is primarily about achieving three things: • Getting the most value from IT, including moving towards strategic goals. • Ensuring that stakeholders and management understand key IT risks and manage them accordingly. • Establishing the conditions that allow IT management to operate effectively. The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 4 Board Oversight and Responsibility IT Strategy and Planning IT Governance Framework Risk Assessment IT Investment Analysis Build IT control framework Outcomes Business Needs and Expectations The Key Elements of IT Governance IT Governance/ Performance Tracking and Reporting Governance Structures The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 5 Principle 1: Board Responsibility 1 Principle 2: Performance and Sustainability Board Oversight and Responsibility 2 2 IT Strategy and Planning IT Governance Framework 3 Risk Assessment 5 IT Investment Analysis 4 Build IT control framework Outcomes Business Needs and Expectations Principle 2: Performance and Sustainability IT Governance/ Performance Tracking and Reporting 6 Governance Structures 7 THE KING III PERSPECTIVE Principle 3: IT Governance Framework Principle 5: Risk Management Principle 7: Governance Structures TM The AUDIT COMMITTEE FORUM is proudly sponsored by KPMG Principle 4: IT Investments Principle 6: Information Security 6 QUESTIONS THE AUDIT COMMITTEE SHOULD ASK The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 7 IT Strategy and Planning IT Strategy and Planning What is it and why is it important? . •The purpose of IT strategy – the business needs to understand its strategy and document its strategic int •Strikes an optimum balance of information technology opportunities and IT business requirements •Accomplishes organisational goals and objectives •Critical to aligning business and IT objectives •Ensures investments are made optimally •Drives a “common language” •Sets expectations •Considers architecture, delivery and governance Key Questions: •Who was involved in developing the IT strategy and what was the process followed? •Have you defined a sourcing strategy? The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 8 IT Governance Framework IT Governance Framework What is it and why is it important? •IT governance at its most basic is the process of making decisions about IT •Good IT governance ensures that IT investments are optimised, aligned with business strategy and delivering value within acceptable risk boundaries — taking into account culture, organisational structure, maturity and strategy •Articulates the roles of the various management and governance bodies across the business and decision making •Assigns clearly defined delegation for effective and efficient decision making and performance monitoring, •Encompasses a broad focus on overall IT capability •Enhances strategic decision making capacity Key Questions: •Have roles and responsibilities been assigned across IT? •Is a policy framework and related policies in place? •Are we aligned to industry standards, and if so, which ones? The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 9 IT Investments IT Investments What is it and why is it important? •Organisations must be able to measure business value and also manage and communicate value delivery in order to answer the questions: 1) Are we doing the right things? and 2) are we getting the benefits? •Define the relationship between IT and the business •Manage portfolio of IT-enabled business investments •Maximise the quality of business cases for IT-enabled investments •Articulate IT investment decision rights to ensure that they deliver the maximum business value at an acceptable level of risk. Key Questions: •Do we have a formal project management methodology / processes? •Do we perform a business case prior to significant spend? •Do we identify the targeted benefits and track these through the life of the project? The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 10 IT Risk Assessment Risk Assessment What is it and why is it important? •These can range from accidental damage caused by employees with inadequate training to deliberate attempts from outsiders to illegally access data that your business holds •Helps identify and form basis for risk mitigation plans •Risk areas for consideration - Business Focus, Information Assets, Dependence on IT, Dependence on IT internal staff, Dependence on third parties, Reliability of IT systems, Changes to IT, Legislative and regulatory environment •Recognise the risks associated with using IT in a business environment Key Questions: •How often do we perform IT risk assessments? •Are the necessary resources made available within the business and within the Internal Audit department to conduct IT Audits? •What are the key risks in our IT environment? The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 11 IT Control Framework IT Control Framework What is it and why is it important? IT controls are specific activities performed by people or systems designed to ensure that business objectives are met objectives are met •IT controls are specific activities performed by people or systems designed to ensure that business •A subset of an enterprise's internal control which relate to the confidentiality, integrity and availability of data and the overall management of the IT function •A set of fundamental controls that must be in place to prevent information loss in an organization •Control areas for consideration - Management of IT, Continuity of systems (Disaster recovery), Systems development, Change control, Security of information and systems, Physical and logical access controls, Control assurance Key Questions: • Have we identified our key IT controls? • Do we monitor (and benchmark) these on an ongoing basis? The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 12 Performance Tracking and Reporting Performance tracking and reporting What is it and why is it important? •It is critical to measure to outcomes of strategic initiatives •Keep the focus on ongoing control •Effectively manage the IT function •Provide transparent reporting to the business on IT performance •Performance reporting should focus not only on financial outcomes but also on the operational, marketing, risk and developmental inputs to the business Key Questions: •Have we defined KPI’s and CSF’s for IT? • Are these monitored, reported, and followed up on? The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 13 Summary of key questions IT Strategy and Planning: •Who was involved in developing the IT strategy and what was the process followed? •Have you defined a sourcing strategy? IT Governance Framework: •Have roles and responsibilities been assigned across IT? •Is a policy framework and related policies in place? •Are we aligned to industry standards, and if so, which ones? IT Investments: •Do we perform a business case prior to significant spend? •Do we identify the targeted benefits and track these through the life of the project? IT Risk Assessment •How often do we perform IT risk assessments? •What are the key risks in our IT environment? IT Control Framework •Have we identified our key IT controls? •Do we monitor (and benchmark) these on an ongoing basis? Performance Tracking and Reporting •Have we defined KPI’s and CSF’s for IT? • Are these monitored, reported, and followed up on? The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 14 King III specific responsibilities The audit committee should consider IT as it relates to financial reporting and the going concern of the company • What are the key systems responsible for the generation and processing of financial reporting data? • How reliant are we on our systems? (how long could we survive without them?) • Do we have Disaster Recovery and Business Continuity Plans? • Have we tested these? • Is our information security sufficient for the business? The audit committee should consider the use of technology to improve audit coverage and efficiency • Has our (internal or outsourced) Internal Audit function identified key application controls to test? • Do we test the general controls related to those key applications? • What internal auditing tools do we utilise (e.g. CAATs, Continuous Auditing)? The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 15 Presenter’s contact details: Johannesburg Cape Town Durban Frank Rizzo Patrick Ryan Eugene Pfister KPMG KPMG KPMG (011) 647 7388 (021) 408 7374 (011) 647 7918 frank.rizzo@kpmg.co.za patrick.ryan@kpmg.co.za eugene.pfister@kpmg.co.za www.kpmg.com www.kpmg.com www.kpmg.com The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 16 QUESTIONS? The AUDIT COMMITTEE FORUM TM is proudly sponsored by KPMG 17