
COBIT Part 1: IT Governance
March 2009
SITC: Service & Security

Slide 2: Opening
Please briefly introduce yourself:
- Name
- Company / industry
- Nature of your work
- How far your company has implemented IT governance
- What you would like to learn in this class
- Anything you are willing to share with the group?

Slide 3: Frontier stop

Slide 4: IT management to IT Governance
[Diagram: map of standards and frameworks, from IT management up to IT governance. Labels recovered from the slide: ISO31000, ISO38500, BS25999, Prince2, PMBOK, COBIT, ITIL V3, ISO27001, ISPL, SCAMPI, TOGAF, Security & Availability Mgt, ISO17799, ISO13335, ISO9001, SW-CMMI, Quality Management System, IT Governance & Service Mgt, Governance & Risk Mgt, ISO15408, Project Mgt (new service), ITIL v2, IT Management, ITSCM, Change & Release Mgt, Ticket, IT, NIST800, SLM / BR / Configuration Mgt, ITSM, Supplier Mgt, Mgt system & Org, Finance & Capacity Mgt, ISO15504, Appraisal & audit Mgt, MOF & MSF, ISO20000.]

Slide 5: COBIT foundation exam
The exam consists of 40 multiple-choice questions. To pass the exam, an individual must correctly answer 28 or more questions, i.e. attain a score of 70% or higher.
Prerequisites: none.
Learning outcomes:
- How IT management issues are affecting organizations
- The need for a control framework driven by the need for IT governance
- How COBIT meets the requirement for an IT governance framework
- How COBIT is used with other standards and best practices
- The COBIT framework and all the components of COBIT
- How to apply COBIT in a practical situation
- How the use of COBIT is supported by ITGI
COBIT is a registered trademark of ISACA.

Slide 6: Certifications overview
[Diagram: certifications placed on a business-to-individual axis: ISO38500, ISO20000, ISO27001, COBIT foundation exam, ITIL Foundation exam, Service Manager, Expert, CISA/CISM, CISSP.]

Slide 7: Learning objective
Understand what IT governance is and why IT governance is needed.

Slide 8: Agenda
- Governance: why we need IT governance
- What is IT governance
- IT governance framework
- IT alignment
- Value delivery
- Risk management
- Resource management
- Performance management
- ISO38500:2008 vs CGEIT
- Conclusions

Slide 9: World-class IT?
- Aligned with the business and providing transparent value
- Top management attention through appropriate IT governance mechanisms
- Engaged in performance measurement
- Committed to continuous improvement

Slide 10: Enterprise governance
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
- Providing strategic direction
- Ensuring that objectives are achieved
- Ascertaining that risks are managed appropriately
- Verifying that the enterprise's resources are used responsibly
[Diagram: Enterprise Governance with five areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement.]

Slide 11: Enterprise governance drives IT governance
Enterprise governance is about:
- Conformance: adhering to legislation, internal policies, audit requirements, etc.
- Performance: improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals, directed by the board.
[Diagram: Performance vs Conformance.]

Slide 12: Scenario: IT governance
IT is an intensively discussed topic in organisations and enterprises; the discussion ranges from "cost factor" to "business enabler". A close link between the enterprise strategy and the IT strategy is key, but the distance between enterprise management and IT seems to be growing. Top managers very often come from the "classical" disciplines, and CIOs are not often members of the board. For many enterprises, "consolidation", "concentration on core business" and "operational excellence" are additional priorities today.

Slide 13: The need for IT governance
Organizations require a structured approach for managing these and other challenges. This will ensure that there are agreed objectives for IT, good management controls in place, and effective monitoring of performance to keep on track and avoid unexpected outcomes.
Drivers:
- Keeping IT running
- Security
- Value / cost
- Managing complexity
- Aligning IT with business
- Regulatory compliance

Slide 14: Forces driving IT governance (© 2007 IT Governance Institute. All rights reserved.)
- Compliance
- Security
- Business/IT alignment
- ROI
- Project execution

Slide 15: Role of IT (copyright The Boston Consulting Group)
[Diagram: IT evolution over time. Vertical axis, IT role: support back office; support core business processes; source of differentiation and advantage. Horizontal axis: 1960s, 1970s, 1980s, 1990s, 2000s, 2010s. Industries shown: Airlines, Retailing, Automotive, Health Care, Financial Services. Caption: "Development exhausted, or new future push to be expected?"]
IT needs to be linked with business strategy to generate value for the business. (1) IT is evolving from a support tool into a source of competitive advantage.

Slide 16: Why get into IT governance?
- "Due diligence"
- IT is critical to the business
- Expectations and reality don't match
- IT hasn't gotten the attention it deserves
- IT involves huge investments and large risks

Slide 17: Sarbanes-Oxley (cont.)

Slide 18: Sarbanes-Oxley (cont.)
Effects of Sarbanes-Oxley:
- Created the Public Company Accounting Oversight Board (PCAOB)
- Reinforces auditor independence
- Strengthens the internal control structure within organizations
- Upgrades financial disclosures
- Created accountability at the executive level
- Protects investors

Slide 19: "China's Sarbanes-Oxley"
The Basic Standard for Enterprise Internal Control was jointly issued on 2008/6/28 by the Ministry of Finance, the China Securities Regulatory Commission, the National Audit Office, the China Banking Regulatory Commission and the China Insurance Regulatory Commission. From 2009/7/1 it applies first to listed companies. It was drafted with reference to the US Sarbanes-Oxley Act of 2002, published on 2002/7/30.
The Sarbanes-Oxley Act imposed many new, strict requirements on corporate governance, supervision of the accounting profession and securities-market regulation, and established an accountability mechanism for internal control and risk management with corresponding penalties. Since then, a global wave of strengthening enterprise internal control and risk management has followed: the internal-control era has arrived.

Slide 20: Requirements of the Standard and its breakthroughs
Requirements: in response to the development of the domestic financial and accounting supervision system, and to the needs arising from principal-agent relationships within enterprises, listed companies are required to self-assess the effectiveness of their internal control, disclose an annual self-assessment report, define the internal control elements within the enterprise, and establish an internal control mechanism.
Breakthrough: the Standard defines the meaning of internal control, emphasising that internal control is a process carried out by the board of directors, the supervisory board, management and all employees in pursuit of the control objectives. This helps establish the concept of comprehensive, all-staff, whole-process control.

Slide 21: Internal control framework: five objectives, five elements
Five objectives (reasonable assurance):
- Enterprise strategy
- Legality and compliance of business operations and management
- Truthfulness and completeness of financial reports and related information
- Improved operating efficiency and effectiveness, promoting achievement of the enterprise's development strategy
- Safety of assets
Five elements (interrelated and mutually reinforcing): an internal control implementation mechanism built with the internal environment as its foundation, risk assessment as its key link, control activities as its main means, information and communication as its essential condition, and internal supervision as its guarantee; with the enterprise as the principal actor, government supervision as the driver, and audit by intermediary agencies as an important component.

Slide 22: Basel II: risk classification
[Diagram: Total Risk split into Credit Risk, Market Risk and Other Risks, marked as considered or not considered.]

Slide 23: Sample question
Which one of the following is currently driving the interest in IT best practices?
- Convergence in many technologies
- Industry standardisation
- Increasingly complex IT-related risks
- Lower cost of technology

Slide 24: Sample question
Governance and control frameworks provide IT management with best practice for which one of the following?
- Performing computer operations
- Resolving disputes with IT vendors
- Remunerating IT staff
- Complying with regulatory requirements

Slide 25: Sample question
Which of the following is a common reason why IT projects exceed budget expectations or deadlines?
- Cost of IT specialists
- Unavailability of the latest technology
- Underestimation of the effort required
- Lack of automation of development tools

Slide 26: Sample question
Which of the following is the most likely reason why IT projects exceed budget expectations or deadlines?
- Technical problems
- Shortage of skilled resources
- Poor development methodologies
- High cost of IT experts

Slide 27: Agenda (as on slide 8; next section: What is IT governance)

Slide 28: Governance
Inherent Risk - Control = Residual Risk
Local management is concerned with inherent risk and control; senior management is concerned with residual risk.
Who makes decisions, why, and how?

Slide 29: The COSO Internal Control Framework
- The Committee of Sponsoring Organizations (COSO): Internal Control - Integrated Framework
- Published in 1992, reissued in 1994
- For Sarbanes-Oxley Section 404, management must select a framework as the basis for its control review
- COSO is the most widely recognized internal control framework
- Sponsored by AICPA, AAA, IIA, IMA, FEI

Slide 30: New framework
From Internal Control to Enterprise Risk Management: objectives, components, entity structure.

Slide 31: The COSO ERM framework
- Enterprise Risk Management Framework
- Framework for evaluating controls and risk
- Increased focus on risk management
- Framework to effectively identify, assess, and manage risk
- Published in 2004
- Expands on the Integrated Framework

Slide 32: I.T. Governance
"IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives."
ITGI, Board Briefing on IT Governance

Slide 33: What is IT governance
Expectation:
- IT provides value
- IT does not provide surprises
- IT pushes the envelope
Need: a decision rights and accountability framework to encourage desirable behavior in the use of IT.
Definition: "IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives."

Slide 34: IT governance focus areas
- Strategic alignment
- Value delivery
- Resource management
- Risk management
- Performance measurement
[Diagram: the five focus areas arranged around the governance cycle.]

Slide 35: COSO / COBIT cube
[Diagram, courtesy of the IT Governance Institute's document "IT Control Objectives for Sarbanes-Oxley".]

Slide 36: IT governance principles
Direct and control; responsibility; accountability; activity.
[Diagram: the Board sets directions, sets objectives and measures, and compares results; IT organizations perform activities, produce measures and report back. The Board directs, IT is responsible, accountability flows back through measures and reports, and the Board controls.]

Slide 37: IT governance stakeholders (© 2007 IT Governance Institute)
- Board and executive: set direction for IT, monitor results and insist on corrective measures
- Business management: defines business requirements for IT and ensures that value is delivered and risks are managed
- IT management: delivers and improves IT services as required by the business
- IT audit: provides independent assurance to demonstrate that IT delivers what is needed
- Risk and compliance: measures compliance with policies and focuses on alerts to new risks

Slide 38: IT governance in context
IT governance and associated governance mechanisms provide the linkage between responsible corporate governance and effective IT management.
- Corporate governance: overall decision-making and accountability structure; establishes goals, measures, policies; ensures shareholders' interests are respected
- IT governance: overall IT decision-making and accountability; ensures value is delivered to shareholders through IT investments and actions
- IT management: creates business value through IT; manages IT budgets, resources, projects, operations, vendors; runs IT as a business

Slide 39: IT governance model
[Diagram: IT governance model mapping management areas to frameworks. Areas: Quality System, IT Planning, Project Mgmt, IT Security, Ap. Dev. (SDLC), Service Mgmt., IT Operations. Frameworks: COSO, COBIT, SOX, ISO, Six Sigma, CMMI, ISO17799, PMI, TSO, IS Strategy, ISO20000, Quality Systems & Mgmt. Frameworks, ISO38500.]

Slide 40: Compliance framework
There are four compatible frameworks, operating at different levels of detail and scope, that provide a set of controls and governance for IT:
- Level 1: COSO: organization-wide controls
- Level 2: COBIT: can satisfy and extend COSO controls relating to IT
- Level 3: ITIL: can satisfy and extend COBIT controls relating to IT
- Level 4: ISO27002/17799: IT security controls to meet and extend COBIT security

Slide 41: Key findings of the survey (IT Governance Global Status Report 2008)
- Although championship for IT governance within the enterprise comes from the C-level, in daily practice IT governance is still very much a CIO/IT director issue. The few non-IT people in the sample have a much more positive view of IT than do the IT professionals themselves.
- The importance of IT continues to increase.
- Self-assessment regarding IT governance has increased and is quite positive.
- Communication between IT and users is improving, but slowly.
- There is still substantial room for improvement in alignment between IT governance and corporate governance, as well as between IT strategy and business strategy.
- IT-related problems persist. While security/compliance is an issue, people are the most critical problem.
- Good IT governance practices are known and applied, but not universally.
- Organisations know who can help them implement IT governance, but appreciation for the available expertise and delivery capability is only average.
- Action is being taken or plans are underway to implement IT governance activities. A large increase is evident when compared to the 2006 report.
- Organisations use the well-known frameworks and solutions.
- COBIT awareness has exceeded 50 percent, and adoption and use remain around 30 percent.
  a. Twenty-five to 35 percent of respondents apply COBIT to the letter or are very strict.
  b. Fifty percent of respondents indicate that COBIT is one of the reference sources.
  c. In general, there is high appreciation of COBIT, as has been seen in prior reports.
- More than half of the respondents apply or plan to apply Val IT principles, but are not familiar with the Val IT brand itself.
- Major obstacles to adoption and use of Val IT principles include uncertainty regarding the return on investment (ROI) and lack of knowledge/expertise.

Slide 42: Selected IT governance frameworks

Slide 43: Benefits of IT governance
- Confidence of top management
- Responsiveness of IT to the business
- Higher return on investment (ROI)
- More reliable services
- More transparency

Slide 44: IT governance
- What? IT governance is an integral part of corporate governance and analogously combines leadership, organizational structures, and processes that ensure that IT sustains and extends the organization's strategies and objectives.
- How? IT governance provides guidelines and establishes criteria and standards for decision making, monitoring, measuring, and improving the performance of IT.
- Who? IT governance is the responsibility of the executive board and the executive management (incl. IT) and supports the interaction of all the organization's parties involved with IT.
- What not? Though guided by it, daily operations or operative project management are not a core part of IT governance, nor can IT governance substitute for a sound business strategy.
Our definition of IT governance emphasizes the close link of IT to the organization as a whole.

Slide 45: What is IT governance?
It's about organization leadership:
- Decision making that leads to better alignment of IT and the business
- IT delivering more business value
- IT resources being used responsibly
- IT risks being managed appropriately

Slide 46: Sample question
Which of the following is a key benefit of IT governance?
- Improved business processes
- Greater awareness of available technical solutions
- Responsiveness of IT
- Greater use of technology
- Increased budget for IT projects

Slide 47: Sample question
The COSO framework is a framework to help organizations establish and determine:
- Accounting standards
- Auditing standards
- Investment decisions
- The effectiveness of their internal controls

Slide 48: Sample question
Which statement below best describes the Committee of Sponsoring Organisations of the Treadway Commission (COSO)'s Internal Control - Integrated Framework?
- A framework for internal auditing
- A framework for systems management
- A framework for risk management
- A framework for information systems

Slide 49: Sample question
Which of the following is an IT governance concern of a trading partner?
- Confidential company information is not given to competitors
- The IT systems are based on the latest technology
- System changes are not made without the partner's approval
- The IT operation is cost effective and efficient

Slide 50: Sample question
Which of the following is a principle of IT governance?
- Accountability
- Reliability
- Availability
- Probability

Slide 51: Agenda (as on slide 8; next section: IT governance framework)

Slide 52: IT governance framework
Set objectives:
- IT is aligned with the business
- IT enables the business and maximizes benefits
- IT resources are used responsibly
- IT-related risks are managed appropriately
[Diagram: governance cycle: set objectives, provide direction, IT activities, measure performance, compare.]
IT activities:
- Increase automation (make the business effective)
- Decrease cost (make the enterprise efficient)
- Manage risks (security, reliability and compliance)

Slide 53: What should boards do about it?
- Be driven by stakeholder value
- Ask the right questions
- Focus on IT's alignment with the business, value delivery and risk management
- Measure results
- Adopt an IT governance framework
[Diagram: Stakeholder Value Drivers at the centre; IT Strategic Alignment, IT Value Delivery, Risk Management, Performance Measurement around it.]

Slide 54: I.T. governance focus: what does it cover?
[Diagram: same focus-area diagram as slide 53.]

Slide 55: What should management do about it?
- Align IT strategy with business goals
- Cascade strategy and goals down into the organization
- Set up organizational structures that facilitate strategy implementation
- Adopt an IT control and governance framework
- Provide IT infrastructures that facilitate creation and sharing of business information
- Embed responsibilities for risk management in the organization
- Focus on important IT processes and core IT competencies
- Measure performance (Balanced Business Scorecard)

Slide 56: What should auditors do about it?
- Obtain an understanding of IT governance
- Get the board and management to focus on the issues in the previous two slides
- Recommend the adoption of an IT control and governance framework, such as COBIT
- Set up organizational structures in your areas that facilitate a strategic implementation of such a framework
- Measure your own performance (Balanced Business Scorecard)

Slide 57: IT governance focus areas
Value delivery: focuses on ensuring