Slide 1: Training in Portugal (1)
EUROSAI IT Working Group - Michel Huissoud

Slide 2: Project: « Design a self-assessment tool for SAIs based on ... »

Slide 3: What we want
• Improve IT audit (methodology and practical approach with CobiT)
• Improve IT governance (with self-assessment) by the SAIs

Slide 4: 1. Genesis of a success story
The Hague, 1 October 2002

Slide 5: Our mandate
The objective of this project is to design and pilot a self-assessment tool for all SAIs. It is based on CobiT, which is a governance (and audit) framework for the domain of information technology. The self-assessment tool we are developing should enable us to measure the maturity of the IT control of our own offices.

Slide 6: 2. Why ...
... a self-assessment?
... of information technologies?
... based on CobiT?

Slide 7: Why a self-assessment?
• It allows « proximity ». The evaluation is carried out by the people who know the subject and who are interested in solving the problems.
• It is confidential. The organisation is in control of the results of the evaluation and of their distribution.
• Self-assessment is not an audit. External moderation encourages people to speak freely.

Slide 8: Why IT?
As in every organisation or company, it is in the interest of the SAI to keep control of its IT system. That system is of fundamental importance, whether for managing dossiers, planning auditors' tasks, communication or knowledge management. Communication, and the definition of roles between the different partners, is one of the main challenges in IT governance: SAIs, like other enterprises, need better communication between the sponsors and the IT specialists.

Slide 9: Like the other organisations...
• we lose time because of system shutdowns...
• we type the same information into different systems two or three times...
• we develop projects which don't meet expectations...
• we manage expensive service providers...
• we use IT without enough training...

Slide 10: Why « based on CobiT »?
• CobiT is a well-accepted standard.
• CobiT can be downloaded free from www.isaca.org.
• CobiT is also available in French (www.afai.asso.fr), German (www.isaca.ch) and Spanish (www.isaca.org).
• But our group wanted to be sure that CobiT is the best choice...

Slide 11: What have we done?
Studies of other tools:
• ISO 9001
• European Foundation for Quality Management (EFQM) Excellence Model
• ITIL / Process Maturity Self-Assessment & Action Plan
• CMM (Capability Maturity Model)
• Common Assessment Framework (CAF), the result of cooperation among the EU ministers responsible for public administration
Contact with specialists:
• Philips, The Netherlands
• Swisslife, Switzerland
• Prof. W. van Grembergen (University of Antwerp, Belgium)
... our research confirmed the legitimacy of choosing CobiT.

Slide 12: 3. Looking for the gaps, and using CobiT as a bridge!
... the problem is always at the interface (diagram: Management, IT, IT audit, financial audit).

Slide 13: COBIT includes 36 national and international standards
• Codes of conduct issued by the Council of Europe, OECD, ISACA, etc.
• Qualification criteria for IT systems and processes: ITSEC, TCSEC, ISO 9000, SPICE, TickIT, Common Criteria, etc.
• Professional standards in internal control and auditing: COSO Report, IFAC, AICPA, IIA, ISACA, PCIE, GAO standards, etc.
• Industry practices and requirements from industry forums (ESF, I4) and government-sponsored platforms (IBAG, NIST, DTI), etc.
• Technical standards from ISO, EDIFACT, etc.
• Emerging industry-specific requirements, such as from banking, electronic commerce and IT manufacturing.

Slide 14: The three most important sources
• qualification standards (ISO, SPICE, ITIL, ...)
• IT security standards (ITSEC, BS7799, etc.)
• audit standards (IFAC, IIA, COSO, GAO, ...)

Slide 15: With CobiT, they can communicate together!
CobiT = Control OBjectives for Information and related Technology

Slide 16: Service level, for example
Control Objectives
• The service level agreement should cover at least the following aspects: availability, reliability, performance, capacity for growth, levels of support provided to users, continuity planning, security, minimum acceptable level of satisfactorily delivered system functionality, restrictions (limits on the amount of work), service charges, central print facilities (availability), central print distribution and change procedures. (...)
Management Guideline: Key Performance Indicators
• Time lag of resolution of a service level change request
• Time lag to resolve a service level issue
• Number of times that root cause analysis of a service level procedure and its subsequent resolution is completed within the required period
• Significance of the amount of additional funding needed to deliver the defined service level (...)
Audit Guideline
• Considering whether a recourse process is identified for non-performance
• Testing that historical performance against prior service improvement commitments is tracked (...)

Slide 17: or Information Architecture
Management Guideline: Key Goal Indicators
• (...)
• Reduction of data redundancy
• Increased interoperability between systems and applications (...)
Control Objectives
• Data Classification Scheme: a general classification framework should be established with regard to the placement of data in information classes (i.e., security categories) as well as the allocation of ownership. The access rules for the classes should be appropriately defined. (...)
Audit Guideline
• Considering whether a medium is used to distribute the data dictionary, to ensure that it is accessible to development areas and that changes are reflected immediately
• Identifying data items where ownership is not clearly and/or appropriately defined (...)

Slide 18: or Manage the operations
Control Objectives
• Job Scheduling: IT management should ensure that the continuous scheduling of jobs, processes and tasks is organised into the most efficient sequence (...). The initial schedules as well as changes to these schedules should be appropriately authorised.
• Remote Operations: for remote operations, specific procedures should ensure that the connection and disconnection of the links to the remote site(s) are defined and implemented. (...)
Management Guideline: Critical Success Factors
• Changes to job schedules are strictly controlled
• There are strict acceptance procedures for new job schedules, including the documentation delivered
• Clear and concise detection, inspection and escalation procedures are established (...)
Audit Guideline
• Reviewing a sample of limited IT operations and determining whether they meet policy and procedure requirements
• Identifying a sample of abnormal ends (ABENDs) for jobs and determining the resolution of the problems which occurred (...)

Slide 19: CobiT is special
The framework covers all the information criteria: quality requirements (quality, cost, delivery), security requirements (confidentiality, integrity, availability) and fiduciary requirements (effectiveness and efficiency of operations or projects, reliability of information, compliance with laws and regulations).
... this framework goes further than the other ones!

Slide 20: Navigation in CobiT: how can you select the right process?
« availability », for example

Slide 21: ... or « human resources »?
Slide 22: Warm up...
• Who doesn't know what the EUROSAI IT Working Group is?
• Who doesn't know what CobiT is?
• Who doesn't know what self-assessment is?
• Is self-assessment a questionnaire or an interview method?
• Are we looking for problems in efficiency or in security?

Slide 23: 4. Our method

Slide 24: How do we proceed?
Two weeks before the workshop:
• Documentation to study will be provided (on CobiT, self-assessment, etc.).
• The instructor will provide more information, the structure of your business will be discussed, and then the forms will be filled in.
Workshop:
• The instructor consolidates the results, and a discussion of the results follows.
• An action plan for the future is prepared together, and the exercise is then evaluated.
After the workshop:
• The results of the workshop are presented to the top management of the SAI.

Slide 25: The problem has two dimensions
(matrix diagram) First dimension = business: business process 1, business process 2, ... Second dimension = IT: the CobiT processes (PO1, PO2, ... under Planning and Organisation; AI1, AI2, ... under Acquisition and Implementation; etc.). Each cell is where a business process meets an IT process.

Slide 26: The first form: identify the business processes
Form 1, Business added-value chain (BVC): Does the IT help to achieve the SAI's strategic goals?
Rows (business processes):
B1 Audit risk management
B2 Organise the missions
B3 Analyse the data
B4 Test the IT by the IT audit
B5 Report the results to the auditee
B6 Track the implementation of the recommendations
B7 Manage the knowledge
B8 Manage finances and human resources
B9 Administer and archive the dossiers
B10 Publish the results of the audits
B11 Communicate
B12 other ...
B13 other ...
Columns (answered for each business process):
• What is the quality of the current IT systems? very low (0), quality level (1), (2), (3), (4), very high (5)
• What is the importance of the current IT systems for this business process? high (5), importance level (4), (3), (2), low (1), no application software (0)
• What is the importance of the future IT systems for this business process? same scale as above
• In which IT process (see Form 2) is the problem (especially if quality level = 0 or 1)?

Slide 27: What do we understand by « business process »?
Examples: the processes B1 to B11 listed on Form 1 (audit risk management, organise the missions, analyse the data, test the IT by the IT audit, report the results to the auditee, track the implementation of the recommendations, manage the knowledge, manage finances and human resources, administer and archive the dossiers, publish the results of the audits, communicate), plus automated data inputs and automated relations between different audits.

Slide 28: (no text)

Slide 29: Then we evaluate the importance and the quality of the current IT systems
Form 1 again, this time highlighting the two columns "Importance of the IT systems?" and "Quality of the IT systems?".

Slide 30: The second form
CobiT Form 2: What is the maturity level of the IT processes?
Rows: COBIT's domains and processes, for example Planning and Organisation: PO1 Define a strategic IT plan, PO2 Define the information architecture, PO3 Determine the technological direction, PO4 Define the IT organisation and relationships, PO5 Manage the IT investment, ... (the full list is on slide 34).
Columns (answered for each IT process):
• Importance of the process: very important (2), important (1), not important (0), not sure (0)
• Maturity level of the process: non-existent (0), initial / ad hoc (1), repeatable but intuitive (2), defined process (3), managed and measurable (4), optimised (5)
• Which business processes (see Form 1) are affected by this problem (especially if level = 0 or 1)?

Slide 31: 6 maturity levels

Slide 32: Maturity model? Example: « DS04 Ensure continuous service »
0 Non-existent. There is no understanding of the risks, vulnerabilities and threats to IT operations or of the impact of the loss of IT services to the business. Service continuity is not considered as needing management attention.
5 Optimised. Integrated continuous service processes are proactive, self-adjusting, automated and self-analytical, and take into account benchmarking and best external practices. Continuous service plans and business continuity plans are integrated, aligned and routinely maintained. Buy-in for continuous service needs is secured from vendors and major suppliers. Global testing occurs and test results are fed back as part of the maintenance process. Continuous service cost effectiveness is optimised through innovation and integration. Gathering and analysis of data is used to identify opportunities for improvement. Redundancy practices and continuous service planning are fully aligned. Management does not allow single points of failure and provides support for their remedy. Escalation practices are understood and thoroughly enforced.

Slide 33: Example 2: « PO10 Manage projects »
0 Non-existent. Project management techniques are not used, and the organisation does not consider the business impacts associated with project mismanagement and development project failures.
5 Optimised. A proven, full life-cycle project methodology is implemented and enforced, and is integrated into the culture of the entire organisation. An on-going programme to identify and institutionalise best practices has been implemented. There is strong and active project support from senior management sponsors as well as stakeholders. IT management has implemented a project organisation structure with documented roles, responsibilities and staff performance criteria. A long-term IT resources strategy is defined to support development and operational outsourcing decisions. An integrated programme management office is responsible for projects from inception to post-implementation. The programme management office is under the management of the business units, and requisitions and directs IT resources to complete projects. Organisation-wide planning of projects ensures that user and IT resources are best utilised to support strategic initiatives.

Slide 34: Matching the results ...
Form 1 (business added-value chain) and Form 2 (CobiT domains and processes) are placed side by side. Two questions link them:
• Where are the reasons for the dissatisfaction? (Form 1 column: in which IT process is the problem, especially if quality level = 0 or 1?)
• What impacts do the IT problems have? (Form 2 column: which business processes are affected, especially if the maturity level = 0 or 1?)
COBIT's domains and processes (rows of Form 2):
Planning and Organisation: PO1 Define a strategic IT plan; PO2 Define the information architecture; PO3 Determine the technological direction; PO4 Define the IT organisation and relationships; PO5 Manage the IT investment; PO6 Communicate management aims and direction; PO7 Manage human resources; PO8 Ensure compliance with external requirements; PO9 Assess risks; PO10 Manage projects; PO11 Manage quality
Acquisition and Implementation: AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI4 Develop and maintain procedures; AI5 Install and accredit systems; AI6 Manage changes
Delivery and Support: DS1 Define and manage service levels; DS2 Manage third-party services; DS3 Manage performance and capacity; DS4 Ensure continuous service; DS5 Ensure system security; DS6 Identify and allocate costs; DS7 Educate and train users; DS8 Assist and advise customers; DS9 Manage the configuration; DS10 Manage problems and incidents; DS11 Manage data; DS12 Manage facilities; DS13 Manage operations
Monitoring: M1 Monitor the processes; M2 Assess internal control adequacy; M3 Obtain independent assurance; M4 Provide for independent audit

Slide 35: 5. What you get
• gap analysis
• a good discussion!
• action plan

Slide 36: For example: satisfaction with the IT support of the business processes
(bar chart; the process descriptions are confidential) Processes in the order shown: B10, B12, B6, B5, B3, B4, B1, B9, B7, B2, B11, B8; scores in the order shown: 2.29, 2.00, 1.75, 1.38, 1.33, 1.29, 1.00, 1.00, 0.86, 0.83, 0.60, 0.00.

Slide 37: Identification of the problems (business point of view)
(chart) For each business process B1 to B13: "What is the quality of the current IT systems?" plotted against "What is the importance of the future IT systems?", on a 0 to 6 scale.

Slide 38: Identifying the problems (IT point of view)
(chart) For each CobiT process PO1 to M4: "Importance of the process?" plotted against "Maturity level of the process?", on a 0 to 6 scale.

Slide 39: An action plan
Findings and Actions form, with the columns: Finding / description; Gap description; Risk / implication; Recommendation / action; Person in charge; Deadline for finishing the activity; Priority 1-10.

Slide 40: And perhaps in the future: a benchmarking
Big SAIs / Middle SAIs / Small SAIs

Slide 41: A reasonable time management (first day)
14.00 Start of the workshop
15.00 Identify the business processes
15.30 Coffee break (moderator: adapt form 1 and print it)
16.00 Fill in form 1
16.15 Presentation of CobiT
17.15 Select the most important IT processes
18.00 Fill in form 2
18.30 End of the first day
Then put the results into your EXCEL sheet and prepare the presentation of the results and the discussion for tomorrow...

Slide 42: A reasonable time management (second day)
Times as printed on the slide: 09.00, 09.30, 10.00, 10.15, 10.45, 11.30, 12.30, 15.00. Agenda items in order:
• Presentation of the results
• Discussion (validation of the results, looking for consensus)
• Listing the most important problems and strengths
• Coffee break
• Prepare an action plan
• Fill in the evaluation forms
• Finalisation of the action plan
• Discussion and end of the workshop
• Preparation of the final presentation
• Presentation and discussion with the head of the SAI
• Write the evaluation report!
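The consolidation step between the two days (collect everybody's Form 1 and Form 2, average the scores, match "which IT process is the problem" against "which business processes are affected", and rank what goes into the action plan) is what the EXCEL sheet does. The following is an added example, not the working group's sheet and not part of the original slides: it uses constructed answers from three participants on the scales printed on the forms. The gap formulas (future importance minus current quality for a business process; importance times distance from "optimised" for an IT process) and the way the two forms are weighted against each other are assumptions of this example, as is the check that a quality of 0 or 1 names at least one IT process, which the form only asks for.

```python
"""Consolidate Form 1 / Form 2 answers and rank the gaps for the action plan.

Added example (not the working group's EXCEL sheet). Scales are the ones
printed on the forms; the gap formulas and the cross-form weights are
assumptions of this example.
"""
from collections import defaultdict
from statistics import mean

# Form 2 importance scale as printed: "not sure" counts like "not important".
IMPORTANCE_IT = {"very important": 2, "important": 1, "not important": 0, "not sure": 0}
MAX_LEVEL = 5  # top of the quality (very high) and maturity (optimised) scales

# Constructed Form 1 answers: (participant, business process, quality of current
# IT 0..5, importance of current IT 0..5, importance of future IT 0..5,
# IT processes named as the cause of the problem).
FORM1 = [
    ("p1", "B3", 1, 4, 5, ["DS11", "AI2"]),
    ("p2", "B3", 2, 5, 5, ["DS11"]),
    ("p3", "B3", 1, 4, 5, []),            # quality 1 but no IT process named
    ("p1", "B9", 4, 3, 3, []),
    ("p2", "B9", 3, 3, 4, []),
    ("p3", "B9", 4, 3, 3, []),
    ("p1", "B5", 2, 4, 4, ["DS1"]),
    ("p2", "B5", 1, 4, 4, ["DS1", "DS11"]),
    ("p3", "B5", 2, 5, 5, ["DS1"]),
]

# Constructed Form 2 answers: (participant, CobiT process, importance label,
# maturity level 0..5, business processes affected).
FORM2 = [
    ("p1", "DS11", "very important", 1, ["B3", "B5"]),
    ("p2", "DS11", "very important", 2, ["B3"]),
    ("p3", "DS11", "important", 1, ["B3"]),
    ("p1", "DS1", "important", 2, ["B5"]),
    ("p2", "DS1", "important", 1, ["B5"]),
    ("p3", "DS1", "not sure", 2, []),
    ("p1", "AI2", "very important", 3, ["B3"]),
    ("p2", "AI2", "important", 3, []),
    ("p3", "AI2", "important", 2, []),
]


def missing_cross_reference(form1):
    """Rows to send back to the participant: quality 0 or 1 with no Form 2 process named."""
    return [(p, b) for p, b, quality, _, _, blamed in form1 if quality <= 1 and not blamed]


def consolidate_form1(form1):
    """Per business process: mean scores, business gap, share of participants blaming each IT process."""
    by_process = defaultdict(list)
    for row in form1:
        by_process[row[1]].append(row)
    result = {}
    for b, rows in by_process.items():
        quality = mean(r[2] for r in rows)
        future = mean(r[4] for r in rows)
        blamed = defaultdict(int)
        for r in rows:
            for it_process in r[5]:
                blamed[it_process] += 1
        result[b] = {
            "quality": quality,
            "importance_current": mean(r[3] for r in rows),
            "importance_future": future,
            "gap": max(0.0, future - quality),  # assumed: expected importance minus delivered quality
            "blamed": {p: count / len(rows) for p, count in blamed.items()},
        }
    return result


def consolidate_form2(form2):
    """Per CobiT process: mean importance (0..2), mean maturity (0..5), IT gap."""
    by_process = defaultdict(list)
    for row in form2:
        by_process[row[1]].append(row)
    result = {}
    for p, rows in by_process.items():
        importance = mean(IMPORTANCE_IT[r[2]] for r in rows)
        maturity = mean(r[3] for r in rows)
        result[p] = {
            "importance": importance,
            "maturity": maturity,
            "gap": importance * (MAX_LEVEL - maturity),  # assumed weighting
        }
    return result


def rank_it_processes(form1, form2):
    """Match both forms: an IT process's own gap plus the business gaps that point at it."""
    business = consolidate_form1(form1)
    it = consolidate_form2(form2)
    priority = {}
    for p, scores in it.items():
        linked = sum(b["gap"] * b["blamed"].get(p, 0.0) for b in business.values())
        priority[p] = scores["gap"] + linked
    return sorted(priority.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for p, b in missing_cross_reference(FORM1):
        print(f"{p}: {b} rated 0/1 but names no IT process (ask again before consolidating)")
    for p, score in rank_it_processes(FORM1, FORM2):
        print(f"{p}: priority {score:.2f}")
```

With the constructed answers, DS11 (Manage data) comes out on top: it is rated important and immature on Form 2 and is also the process most often named on Form 1 as the cause of the weak support for B3 and B5, which is exactly the kind of cross-confirmed gap that belongs on the Findings and Actions form. The check for missing cross-references runs before consolidation so that a low quality score without a named IT process is queried on the spot rather than silently dropped from the matching.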
Slide 43: We will now focus on the following points
(overlaid on the "How do we proceed?" diagram of slide 24: two weeks before, workshop, after the workshop)
• Get the right persons!
• Identify the processes!
• Use the EXCEL sheet correctly!
• Ask the right questions!
• Get a good action plan!