Digital Ecosystem and Controls Study Material

CA. (Dr.) Rashmi Goel, 2024
SET D – PAPER-4
SELF-PACED DIGITAL ECOSYSTEM AND CONTROLS
STUDY MATERIAL

© The Institute of Chartered Accountants of India

This Study Material has been prepared by the faculty of the Board of Studies. The objective of the Study Material is to provide teaching material to the students to enable them to obtain knowledge in the subject. In case students need any clarification or have any suggestion for further improvement of the material contained herein, they may write to the Joint Director, Board of Studies.

All care has been taken to provide interpretations and discussions in a manner useful for the students. However, the Study Material has not been specifically discussed by the Council of the Institute or any of its committees and the views expressed herein may not be taken to necessarily represent the views of the Council or any of its Committees.

Permission of the Institute is essential for reproduction of any portion of this material.

© THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior permission, in writing, from the publisher.

Basic draft of this publication was prepared by CA. (Dr.) Rashmi Goel
Edition : March, 2024
Committee/Department : Board of Studies
E-mail : [email protected]
Website : www.icai.org
Price : ` /-
ISBN No. : 978-81-19472-60-4
Published by : The Publication & CDS Directorate on behalf of The Institute of Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha Marg, New Delhi 110 002 (India)
Printed by :

BEFORE WE BEGIN…
The traditional role of a chartered accountant, once restricted to accounting and auditing, has now changed substantially, and there has been a marked shift towards strategic decision making and entrepreneurial roles that add value beyond traditional financial reporting. The primary factors responsible for the change are the increasing business complexities on account of a plethora of laws, borderless economies consequent to the giant leap in e-commerce, the emergence of new financial instruments, the emphasis on corporate social responsibility and significant developments in information technology, to name a few. These factors necessitate an increase in the competence of chartered accountants to take up the role of not merely an accountant, auditor or, more specifically, an IS Auditor, but a global solution provider. Towards this end, the scheme of education and training is being continuously reviewed so that it is in sync with the requisites of the dynamic global business environment; the competence requirements are being continuously reviewed to enable aspiring chartered accountants to acquire the requisite professional competence to take on new roles.

Under the New Scheme of Education and Training, the content of the study material of the “Paper: Digital Ecosystem and Controls” under Self-paced Online Module Set D is intended to provide an understanding of Governance and Management of the Digital Ecosystem, Information Systems Life Cycle, Information Systems’ Control, Digital Data and Analysis and Digital Economy. The overall learning objective of this paper, “To develop competencies and skillsets in evaluation of controls and relevant evidence gathering in an IT environment using IT tools and techniques for effective and efficient performance of accounting, assurance, financial technologies and compliance services”, has been kept in mind while developing the material.
The process of learning should help you inculcate the requisite IT skill-sets necessary for achieving the desired professional competence.

Requirement of Professional Knowledge and Skills

Students are required to learn and qualify Self-paced Online Modules after passing the Intermediate Examination but before appearing in the Final Examination. Accordingly, they are expected not only to acquire professional knowledge but also the ability to apply such knowledge in addressing issues and problem solving. The integrated process of learning through academic education and practical training will help inculcate in them the requisite technical competence and professional skills.

Framework of Chapters: Uniform Structure comprising specific components

Efforts have been made to present the content of Digital Ecosystem and Controls in a lucid manner. Care has been taken to present the chapters in a logical sequence to facilitate easy understanding by the students. Each chapter of the Study Material has been structured uniformly and comprises the following components:

1. Learning Outcomes: This lists the understanding and skill set to be acquired by you after a thorough reading of the chapter.
2. Chapter Overview: As the name suggests, this chart/table gives you an overall outline of the contents covered in the chapter.
3. Illustration: An illustration is provided at the beginning of each chapter to give an overview of the topics discussed in that chapter.
4. Introduction: A brief introduction is given at the beginning of each chapter to help you get acclimatized with the broad coverage of the topics.
5. Content: The concepts are explained in a student-friendly manner and illustrated with the aid of examples, illustrations, diagrams and tables. These value additions help you develop conceptual clarity and get a good grasp of the topic.
6. Summary: A summary of the chapter provides a quick recapitulation of the topics covered in the chapter.
7. Test Your Knowledge: This comprises Multiple-Choice Questions which test the breadth and depth of your understanding of the entire chapter.

Chapter-wise coverage of the various topics in the study material is as follows:

UNIT I: GOVERNANCE AND MANAGEMENT OF DIGITAL ECOSYSTEM

♦ Chapter 1 - Concepts of Governance and IT Strategy introduces the concept of Governance, its framework, and the impact of its automation with the help of Technology. The chapter focuses on the role of Information Technology and the alignment of Information Systems strategy with business strategy. Further, it provides an insight into IT Governance, Enterprise Governance and Corporate Governance. This chapter also discusses the COBIT framework and the Information Technology Infrastructure Library (ITIL).

♦ Chapter 2 - Governance, Risk, and Compliance (GRC) Framework familiarizes you with the concept of Governance, Risk, and Compliance. It further discusses the concept of risk, its related terms and the risk classification system. The chapter focuses on various types of risks and their mitigation strategies. Various types of malicious attacks and malicious software are also covered, with the applicable countermeasures to prevent or reduce threats.

♦ Chapter 3 – Enterprise Risk Management Framework disseminates the basic concept of Enterprise Risk Management and its related benefits. The chapter deals with the implementation of Enterprise Risk Management in an organization by the Plan, Implement, Measure and Learn (PIML) method.

♦ Chapter 4 – Information System Security Policy provides the meaning and components of an information system and the working of its various components. It deals with the need for protection of information systems. This chapter provides an insight into information security policies, procedures, related standards and guidelines, along with the need for information security and the prospects of frauds relating to technology.

♦ Chapter 5 – Business Continuity Planning and Disaster Recovery Planning brings to light the core concepts of Business Continuity Planning (BCP) and the key phases in the development of a BCP. It also includes the Business Continuity Management Process and various types of back-up plans and their working. Furthermore, the chapter highlights the key aspects included in the implementation of an Incident Management Plan and the various areas involved in a Disaster Recovery Procedural Plan.

UNIT II: INFORMATION SYSTEMS LIFE CYCLE

♦ Chapter 6 – System Development Life Cycle focuses on the need for the development of an information system. It deals with the system development process for an information system. The various stages of the system development life cycle are also discussed. Various tools and techniques of system analysis, design and programming are also briefly covered in this chapter.

♦ Chapter 7 – System Acquisition and Development Methodologies is devoted to system acquisition and its phase-wise activities, methods, tools, controls, etc. It provides insight into software procurement, acquisition from external sources and evaluation of IT proposals. It provides details of various SDLC models with their pros and cons and an understanding of the most appropriate model for a particular project.

UNIT III: INFORMATION SYSTEMS’ CONTROL

♦ Chapter 8 – Information Systems’ Control and its Classification provides a detailed discussion on IS controls, their objectives and functions with reference to information systems. Understanding these controls is essential for Chartered Accountants to strengthen their ability to conduct an IS audit in any organization.

♦ Chapter 9 – Information Technology Tools is devoted to the auditing of information systems. It highlights the working of various Information Technology tools. Furthermore, this chapter discusses various illustrations to provide insight into the risks and controls associated with different business processes such as P2P, O2C, CASA, etc.

UNIT IV: DIGITAL DATA AND ANALYSIS

♦ Chapter 10 – Digital Data and Privacy is devoted to various concepts of data protection and its principles. Data Analysis and the tools devoted to data protection are discussed in the chapter. This chapter also provides highlights of the Digital Personal Data Protection Act, 2023.

♦ Chapter 11 – Business Intelligence deals with the concept of Business Intelligence and its life cycle and functionality. It also discusses the various Business Intelligence tools used in organizations.

UNIT V: DIGITAL ECONOMY

♦ Chapter 12 – ABCD of Fintech is devoted to the ABCD technologies, i.e. Artificial Intelligence, Blockchain, Cloud Computing and Big Data, used in Fintech. It provides insight into the usage of these technologies in financial institutions. It highlights the various components, working, advantages and disadvantages of these technologies.

♦ Chapter 13 – Emerging Technologies is devoted to emerging technologies and concepts such as the Internet of Things (IoT), Quantum Computing, RegTech and mobile computing. This chapter also deals with the various modes of digital payment used in today’s world, along with their advantages and disadvantages. The applications of these technologies are covered in this chapter.

This study material covers both concepts and practical aspects; hence, students are advised to read the study material not only from the examination point of view but also from the practical perspective of how it is relevant and can be applied in any work environment.

Happy Reading and Best Wishes!
SYLLABUS – SELF PACED SET – D
PAPER-4 : DIGITAL ECOSYSTEM AND CONTROLS (100 MARKS)

Objective

“To develop competencies and skillsets in evaluation of controls and relevant evidence gathering in an IT environment using IT tools and techniques for effective and efficient performance of accounting, assurance, financial technologies and compliance services”.

Contents

Unit – I : Governance and Management of Digital Ecosystem
♦ Key concepts of Governance and IT strategy.
♦ Governance, Risk, and Compliance (GRC) Framework.
♦ Risk fundamentals and related terms, Sources, and types of risks.
♦ Enterprise Risk Management Framework.
♦ Information Systems Security Policy.
♦ Business Continuity Planning and Disaster Recovery Planning.

Unit – II : Information Systems Life Cycle
♦ Information System Acquisition.
♦ Information System Development Methodologies.
♦ Information Systems Implementation and Maintenance.

Unit – III : Information Systems’ Control
♦ Information Systems’ Control and its Classification.
♦ Overview of Information Technology Tools.
♦ Illustrations on Risks and Controls of Specific Business Processes.

Unit – IV : Digital Data and Analysis
♦ Data Privacy.
♦ Data Assurance.
♦ Introduction to Digital Personal Data Protection Act, 2023.
♦ Regulatory Compliance in terms of relevant sections of Information Technology Act, 2000.
♦ Introduction to Data Analytical Tools and Techniques.
♦ Introduction to Business Intelligence (BI) Tools and Techniques.

Unit – V : Digital Economy
♦ ABCD of Fintech.
♦ Digital Payments, Digital Currency, and Cryptocurrency.
♦ e-business and their associated risks and controls.
♦ Emerging Technologies and Concepts.

DETAILED CONTENTS

UNIT-I : GOVERNANCE AND MANAGEMENT OF DIGITAL ECOSYSTEM (Page No. follows each entry)
CHAPTER-1: CONCEPTS OF GOVERNANCE AND IT STRATEGY
Chapter Overview
1.1 Introduction ...... 1.3
1.2 Enterprise Governance ...... 1.5
1.3 Overview of IT Governance ...... 1.7
1.4 Governance of Enterprise IT (GEIT) ...... 1.9
1.5 Business and IT Strategy ...... 1.12
1.6 Framework to Support Effective IT Governance ...... 1.18
Summary ...... 1.34
Test Your Knowledge ...... 1.35

CHAPTER-2: GOVERNANCE, RISK, AND COMPLIANCE FRAMEWORK
Chapter Overview ...... 2.2
2.1 Introduction ...... 2.4
2.2 Risk Fundamentals ...... 2.6
2.3 Risk ...... 2.10
2.4 Malicious Attacks ...... 2.22
2.5 Malicious Software ...... 2.27
2.6 Counter Measures ...... 2.29
2.7 Internal Controls ...... 2.30
2.8 Compliance ...... 2.35
Summary ...... 2.36
Test Your Knowledge ...... 2.36

CHAPTER-3: ENTERPRISE RISK MANAGEMENT FRAMEWORK
Chapter Overview ...... 3.2
3.1 Introduction ...... 3.3
3.2 Enterprise Risk Management (ERM) ...... 3.3
3.3 ERM Framework (For IT Governance Issues) ...... 3.7
Summary ...... 3.17
Test Your Knowledge ...... 3.17

CHAPTER-4: INFORMATION SYSTEM SECURITY POLICY
Chapter Overview ...... 4.4
4.1 Introduction ...... 4.2
4.2 Information Systems ...... 4.5
4.3 Need for Protection of Information Systems ...... 4.6
4.4 Information System Security ...... 4.8
4.5 Principles of Information Security ...... 4.14
4.6 Information Security Policy ...... 4.15
Summary ...... 4.23
Test Your Knowledge ...... 4.25

CHAPTER-5: BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING
Chapter Overview ...... 5.5
5.1 Introduction ...... 5.2
5.2 Need of Business Continuity Management ...... 5.5
5.3 BCM Policy ...... 5.7
5.4 Business Continuity Planning ...... 5.8
5.5 Business Continuity Management (BCM) Process ...... 5.14
5.6 Business Continuity Management (BCM) Cycle ...... 5.16
5.7 Types of Plan ...... 5.24
5.8 Types of Back-ups ...... 5.26
5.9 Alternate Processing Facility Arrangements ...... 5.32
5.10 Disaster Recovery Procedural Plan ...... 5.33
Summary ...... 5.34
Test Your Knowledge ...... 5.35

UNIT-II : INFORMATION SYSTEMS LIFE CYCLE

CHAPTER-6: SYSTEM DEVELOPMENT LIFE CYCLE
Chapter Overview ...... 6.2
6.1 Introduction ...... 6.3
6.2 Need for SDLC ...... 6.4
6.3 System Development Life Cycle (SDLC) ...... 6.5
6.4 Operation Manuals ...... 6.21
Summary ...... 6.21
Test Your Knowledge ...... 6.22

CHAPTER-7: SYSTEM ACQUISITION AND DEVELOPMENT METHODOLOGIES
Chapter Overview ...... 7.2
7.1 Introduction ...... 7.4
7.2 Information System Acquisition ...... 7.5
7.3 Information System Development Methodologies ...... 7.16
Summary ...... 7.30
Test Your Knowledge ...... 7.30

UNIT-III : INFORMATION SYSTEMS’ CONTROL

CHAPTER 8: INFORMATION SYSTEMS’ CONTROL AND ITS CLASSIFICATION
Chapter Overview ...... 8.2
8.1 Introduction ...... 8.5
8.2 Controls ...... 8.6
8.3 Classification of Controls ...... 8.6
8.4 Role of Auditors While Inspecting the Controls ...... 8.30
Summary ...... 8.39
Test Your Knowledge ...... 8.39

CHAPTER 9: INFORMATION TECHNOLOGY TOOLS
Chapter Overview ...... 9.2
9.1 Introduction ...... 9.3
9.2 Control and Inspection of Information System ...... 9.4
9.3 Information Systems Auditing ...... 9.6
9.4 Auditing around the Computer Versus Auditing Through the Computer ...... 9.8
9.5 Information Technology Tools ...... 9.10
9.6 Business Processes ...... 9.19
Summary ...... 9.36
Test Your Knowledge ...... 9.37

UNIT-IV : DIGITAL DATA AND ANALYSIS

CHAPTER 10 : DIGITAL DATA AND PRIVACY
Chapter Overview ...... 10.2
10.1 Introduction ...... 10.4
10.2 Data Protection ...... 10.5
10.3 What are Fair Information Practices? ...... 10.8
10.4 Data Security Tools ...... 10.9
10.5 Data Analysis ...... 10.11
10.6 Data Analysis Tools ...... 10.15
10.7 Data Analytics ...... 10.17
10.8 Data Assurance ...... 10.20
10.9 Information Technology Act, 2000 Based Regulatory Compliance ...... 10.22
10.10 Digital Personal Data Protection Act, 2023 ...... 10.31
Summary ...... 10.36
Test Your Knowledge ...... 10.38

CHAPTER 11 : BUSINESS INTELLIGENCE
Chapter Overview ...... 11.2
11.1 Introduction ...... 11.3
11.2 Business Intelligence Life Cycle ...... 11.5
11.3 Business Intelligence Tools ...... 11.7
11.4 Chart Types in Power BI ...... 11.11
11.5 Business Intelligence vs Data Analytics ...... 11.12
Summary ...... 11.14
Test Your Knowledge ...... 11.15

UNIT-V : DIGITAL ECONOMY

CHAPTER 12 : ABCD OF FINTECH
Chapter Overview ...... 12.2
12.1 Introduction ...... 12.3
12.2 Artificial Intelligence ...... 12.15
12.3 Blockchain ...... 12.20
12.4 Cloud Computing ...... 12.27
12.5 Big Data ...... 12.45
Summary ...... 12.49
Test Your Knowledge ...... 12.50

CHAPTER 13 : EMERGING TECHNOLOGIES
Chapter Overview ...... 13.2
13.1 Introduction ...... 13.2
13.2 Digital Payments ...... 13.3
13.3 E-Business Associated Risks and their Controls ...... 13.14
13.4 Emerging Technologies ...... 13.19
Summary ...... 13.34
Test Your Knowledge ...... 13.34

UNIT – 1
GOVERNANCE AND MANAGEMENT OF DIGITAL ECOSYSTEM

CHAPTER 1
CONCEPTS OF GOVERNANCE AND IT STRATEGY

LEARNING OUTCOMES

After studying this chapter, you will be able to –
♦ build an understanding of the concepts of governance, its framework, and related terms.
♦ understand the role of Information Technology (IT) in real life, how to align Information Systems (IS) strategy with business strategy and how to ensure business value from its use.
♦ distinguish among key concepts of governance such as IT governance, enterprise governance, and corporate governance.
♦ comprehend the COBIT framework and the Information Technology Infrastructure Library (ITIL).
♦ get acquainted with the ISO 27001 standard.

CHAPTER OVERVIEW

[Chart: Governance, covering Corporate Governance, Enterprise Governance, Business Governance, IT Governance, Governance of Enterprise IT, Business and IT Strategy, and Frameworks to support IT Governance (COBIT, ITIL, ISO 27001).]

Illustration: Governance in an Organisation

Mr. Sunil had been working in the manufacturing unit of an organization for the past 18 years. On an unfortunate day, he met with an accident on duty and died on the spot. His family demanded compensation. However, the organization denied compensation because it was revealed in the investigation that he was drunk at the time of the accident. The workers of the company went on strike demanding compensation for the family of the deceased. The Chairman of the management board has asked for your recommendation. What recommendation would you provide to the management? Discuss the merits and demerits of each of the recommendations.

Option 1: Let the law take its own course.
As the worker was drunk during duty, the company cannot be held responsible for his death. This may sound right, as the worker was bound to follow the rules at the place of work. However, the strike by the remaining workers could affect the image and productivity of the company. No matter the outcome, the trust between the workers and the management would be lost.

Option 2: Recommend that the company offer compensation.

This would set a bad precedent among the management as well as the workers. To offer compensation would mean letting down the safety regulations of the company. The management may also not appreciate the payment, as they were not liable for compensation owing to the worker’s negligence of the rules.

Option 3: Recommend that the management offer alternative employment to the kin of the deceased and push the management to adopt stricter prevention and safety measures.

The third option is suitable, as it would be better to bring the situation under control. The workers could be placated if the kin of the deceased were offered a job, and the company may prefer not to lose its image and man-days due to the strike.

1.1 INTRODUCTION

It is needless to emphasize that enterprises, whether they are commercial or non-commercial, exist to deliver value to their stakeholders. Delivering value is achieved by operating within value and risk parameters that are acceptable and advantageous, and by using resources, including IT, responsibly. In the rapidly changing environment that most enterprises operate in, swift direction setting and agility to change are essential. Senior management is responsible for ensuring that the right structure of decision-making accountabilities is shared among many people in the enterprise, and when accountability is shared, governance comes into play.
The term "Governance" is derived from the Greek verb meaning "to steer" and is a very general concept that can refer to all manner of organizations and can be used in different ways.
• Governance refers to "all processes of governing, whether undertaken by a government, market or network, whether over a family, tribe, formal or informal organization or territory and whether through laws, norms, power or language."
• It relates to "the processes of interaction and decision-making among the actors involved in a collective problem that led to the creation, reinforcement, or reproduction of social norms and institutions."
• A governance system typically refers to all the means and mechanisms that enable multiple stakeholders in an enterprise to have an organized mechanism for evaluating options, setting direction, and monitoring compliance and performance, in order to satisfy specific enterprise objectives.

Three Principles for a Governance Framework

The three principles for a governance framework are shown in Fig. 1.1:
1. Based on Conceptual Model: A governance framework should be based on a conceptual model, identifying the key components and the relationships among them, to maximize consistency and allow automation.
2. Open and Flexible: A governance framework should be open and flexible. It should allow the addition of new content and the ability to address new issues in the most flexible way, while maintaining integrity and consistency.
3. Aligned to major standards: A governance framework should align with relevant major related standards, frameworks, and regulations.

[Fig. 1.1: Governance Framework Principles – (1) Based on Conceptual Model, (2) Open and Flexible, (3) Aligned to major standards]

Many people believe that governance and management are synonymous, but they are not. Governance is about decision making, while management is about making sure that the enterprise's governance process is executed. From the IT governance perspective, the distinction lies in the definition of new processes and the creation of the processes that the business uses to produce goods and services.

A governance process defines the chains of responsibility, authority, and communication to empower people, as well as the measurement and control mechanisms that enable people to carry out their roles and responsibilities. Thus, a governance activity is intentionally designed to define organizational structures, decision rights, workflow, and authorization points, creating a target workflow that optimally uses a business entity's resources in alignment with the goals and objectives of the business.

A management process is the output of the governance process. Unlike a governance process, a management process implements the specific chain of responsibility, authority, and communication that empowers people to do their day-to-day jobs. The management process also implements appropriate measurement and control mechanisms that give practitioners the freedom to carry out their roles and responsibilities without undue interruption by the executive team. Essentially, the management process is the implementation of the policies and processes defined in the governance process.

Benefits of Governance

Governance is a general concept that can refer to all manner of organizations and can be used in different ways. Some of the major benefits of governance are summarized as follows:
♦ Achieving enterprise objectives by ensuring that each element of the mission and strategy is assigned and managed under a clearly understood and transparent decision rights and accountability framework.
♦ Defining and encouraging desirable behavior in the use of IT and in the execution of IT outsourcing arrangements.
♦ Implementing and integrating the desired business processes into the enterprise.
♦ Providing stability and overcoming the limitations of organizational structure.
♦ Improving customer, business and internal relationships and satisfaction, and reducing internal territorial strife by formally integrating the customers, business units, and external IT providers into a holistic IT governance framework.
♦ Enabling effective and strategically aligned decision making for the IT Principles that define the role of IT, IT Architecture, IT Infrastructure, Application Portfolio and Frameworks, Service Portfolio, Information and Competency Portfolios, and IT Investment & Prioritization.

1.2 ENTERPRISE GOVERNANCE

We shall here understand what is meant by the term Enterprise Governance.
♦ It can be defined as: "The set of responsibilities and practices exercised by the Board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organization's resources are used responsibly."
♦ Enterprise governance is an overarching framework into which many tools, techniques and codes of best practice can fit. Examples include codes on corporate governance and financial reporting standards.

[Fig. 1.2: Relation between Enterprise Governance, Corporate Governance, and IT Governance – labels: Enterprise Governance; Corporate Governance (Conformance Processes), Risk Mitigation; Business Governance (Performance Processes), Value Creation; IT Governance, COBIT 5]

Enterprise governance constitutes the entire accountability framework of an organization, as it involves establishing accountability for decision-making. As shown in Fig. 1.2, Enterprise Governance has two dimensions: Corporate Governance, or Conformance, and Business Governance, or Performance. The key message of enterprise governance is that an enterprise must balance the two dimensions of conformance and performance to meet stakeholder requirements and ensure long-term success. To ensure the success of the business, conformance and performance must go hand in hand. Corporate governance may create administrative hurdles for the performance of the business if a practicable approach is not followed.

Corporate Governance
♦ Corporate Governance provides a holistic view and focuses on regulatory requirements. It is defined as the system by which a company or enterprise is directed and controlled to achieve the objective of increasing shareholder value by enhancing economic performance.
♦ Corporate Governance refers to the structures and processes for the direction and control of companies. It concerns the relationships among the management, the Board of Directors, the controlling shareholders, and other stakeholders. This covers corporate governance issues such as the roles of the Chairman and CEO, the role and composition of the Board of Directors, Board committees, controls assurance, and risk management for compliance. The conformance dimension is monitored by the audit committee.
♦ Regulatory requirements and standards generally address the conformance dimension by establishing oversight mechanisms for the Board, to ensure that good corporate governance processes are effective. These might include committees composed mainly or wholly of independent non-executive directors, particularly the audit committee or its equivalent in countries where the two-tier board system is the norm. Other committees are usually the nominations committee and the remuneration committee. The Sarbanes-Oxley Act of the US and the Clause 49 listing requirements of SEBI are examples of such compliance requirements from the conformance perspective.
♦ Good corporate governance exhibits the following characteristics:
• It contributes to sustainable economic development by enhancing the performance of companies and increasing their access to outside capital. It is about doing good business to protect shareholders' interests. Corporate Governance drives the corporate information needs to meet business objectives.
• Good corporate governance requires sound internal control practices such as segregation of incompatible functions, elimination of conflicts of interest, establishment of an Audit Committee, risk management, and compliance with the relevant laws and standards, including corporate disclosure requirements. These are intended to guide companies to achieve their business objectives in a manner such that those entrusted with the resources or power to run the companies meet stakeholder needs without compromising the shareholders' interest. Legally, the directors of a company are accountable to the shareholders for their actions in directing and controlling the business, and for the actions of the company's employees, who are in a position of trust to discharge their responsibilities in the best interest of the company. Corporate governance is thus necessary for the purpose of monitoring and measuring their performance.
• Good corporate governance is important, and it is critical that any weakness in this area is addressed properly. However, good corporate governance by itself cannot make an organization successful. There is always a risk that inadequate attention is paid to the need for enterprises to create wealth or stakeholder value. Hence, it is important to remember that strategy and performance are also very important.

Business Governance
♦ Business Governance is proactive in its approach. It is business oriented and takes a forward-looking view. This dimension focuses on strategy and value creation, with the objective of helping the board to make strategic decisions and to understand its risk appetite and its key performance drivers. This dimension does not lend itself easily to a regime of standards and assurance, as it is specific to enterprise goals and varies with the mechanism used to achieve them. It is advisable to develop appropriate best practices, tools, and techniques, such as balanced scorecards and strategic enterprise systems, that can be applied intelligently to different types of enterprises as required.
♦ The performance dimension, in terms of the overall strategy, is the responsibility of the full board, but there is no dedicated oversight mechanism comparable to the audit committee. Remuneration and financial reporting are scrutinized by a specialist board committee of independent non-executive directors and referred to the full board. In contrast, the critical area of strategy does not get the same dedicated attention. There is thus an oversight gap in respect of strategy. One way of dealing with this lacuna is to establish a strategy committee, of similar status to the other board committees, which reports to the board.

1.3 OVERVIEW OF IT GOVERNANCE

There is no doubt that IT is a key enabler of corporate business strategy. Chief Executive Officers (CEO), Chief Financial Officers (CFO) and Chief Information Officers (CIO) agree that strategic alignment between IT and business objectives is a critical success factor for the achievement of business objectives. IT must provide critical inputs to meet the information needs of all the required stakeholders; in other words, enterprise activities require information from IT activities in order to meet enterprise objectives. Hence, corporate governance drives and sets IT governance. There are multiple definitions of IT Governance.
However, one of the well-known definitions is: "IT Governance is the system by which IT activities in a company or enterprise are directed and controlled to achieve business objectives with the ultimate objective of meeting stakeholder needs." Hence, the overall objective of IT governance is very similar to that of corporate governance, but with the focus on IT. It can therefore be said that there is an inseparable relationship between Corporate Governance and IT Governance, or that IT Governance is a sub-set of Corporate or Enterprise Governance.

IT Governance refers to the system in which the directors of the enterprise Evaluate, Direct and Monitor IT management to ensure the effectiveness, accountability, and compliance of IT. The objective of IT Governance is to determine and cause the desired behavior and results to achieve the strategic impact of IT. The active distribution of decision-making rights and accountabilities among different stakeholders in an organization, and the rules and procedures for making and monitoring those decisions, must be well structured and defined to determine and achieve the desired behaviors and results. It may be noticed that governance and IT governance are similar in their definition and approach, except that in the case of IT governance the focus is on IT and related areas. Adequate care is to be taken to ensure that IT governance delivers measurable benefits, so that its importance can be demonstrated to Boards.

1.3.1 Benefits of IT Governance

The benefits achieved by implementing or improving the governance or management of enterprise IT depend on the specific and unique environment of every enterprise. At the highest level, these could include the following, depicted in Fig. 1.3:

Fig. 1.3: Benefits of IT Governance
• Increased value delivered through enterprise IT.
• Increased user satisfaction with IT services.
• Improved agility in supporting business needs.
• Improved compliance with relevant laws, regulations and policies.
• Improved management and mitigation of IT-related business risk.
• IT becoming an enabler for change rather than an inhibitor.
• Improved transparency and understanding of IT's contribution to the business.
• Better cost performance of IT.
• More optimal utilization of IT resources.

For every defined benefit, it is critical to ensure that:
♦ ownership is defined and agreed.
♦ it is relevant and links to business strategy.
♦ the timing of the realization of the benefit is realistic and documented.
♦ the risks, assumptions and dependencies associated with the realization of the benefit are understood, correct and current.
♦ an unambiguous measure has been identified.
♦ timely and accurate data for the measure is available or is easy to obtain.

1.3.2 Key practices to determine status of IT Governance

Some of the key practices which determine the status of IT Governance in the enterprise are as follows:
♦ Who makes directing, controlling, and executing decisions?
♦ How are the decisions made?
♦ What information is required to make the decisions?
♦ What decision-making mechanisms are required?
♦ How are exceptions handled?
♦ How are the governance results monitored and improved?

As per regulatory requirements and best practice frameworks for Governance of Enterprise IT, it is important for the Board of Directors and senior management to play critical roles in Evaluating, Directing and Monitoring IT effectiveness in an enterprise. IT governance structure and processes are directly dependent upon the level of involvement of the Board and senior management.
Different levels of the framework require different tools, techniques, and standards addressing the specific needs of an effective IT governance structure, which consists of the organizational structure, leadership, and processes that ensure IT supports the organization's strategies and objectives.

1.4 GOVERNANCE OF ENTERPRISE IT (GEIT)

Governance of Enterprise IT is a subset of Corporate Governance and facilitates the implementation of a framework of IS controls within an enterprise, as relevant and encompassing all key areas. The primary objectives of GEIT are to analyze and articulate the requirements for the governance of enterprise IT, and to put in place and maintain effective enabling structures, principles, processes, and practices, with clarity of responsibilities and authority, to achieve the enterprise's mission, goals, and objectives. Refer to Fig. 1.4 for the benefits of GEIT.

Fig. 1.4: Benefits of GEIT
• Provides a consistent approach integrated and aligned with the enterprise governance approach.
• Ensures that IT-related decisions are made in line with the enterprise's strategies and objectives.
• Ensures that IT-related processes are overseen effectively and transparently.
• Confirms compliance with legal and regulatory requirements.
• Ensures that the governance requirements for Board members are met.

1.4.1 Key Governance Practices of GEIT

The key governance practices required to implement GEIT in enterprises are highlighted here:
♦ Evaluate the Governance System: Continually identify and engage with the enterprise's stakeholders, document an understanding of the requirements, and make a judgment on the current and future design of the governance of enterprise IT.
♦ Direct the Governance System: Inform leadership and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed governance design principles, decision-making models and authority levels. Define the information required for informed decision making.
♦ Monitor the Governance System: Monitor the effectiveness and performance of the enterprise's governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles, and processes) are operating effectively and provide appropriate oversight of IT.

1.4.2 Role of IT in Enterprises

In an increasingly digitized world, enterprises are using IT not merely for data processing but more for strategic and competitive advantage. IT deployment has progressed from data processing to MIS, to decision support systems, to online transactions and services. IT has not only automated business processes but also transformed the way business processes are performed. The way in which business processes are performed and services rendered, and how an organization is structured, could be transformed through the right deployment of IT. It is needless to emphasize that IT is used to perform business processes, activities and tasks, and it is important to ensure that IT deployment is oriented towards the achievement of business objectives.

The extent of technology deployment also impacts the way internal controls are implemented in an enterprise. With the advancement of technology, control processes can be checked in real time for all transactions instead of merely testing samples. Further, extensive organizational restructuring or business process re-engineering may be facilitated through IT deployments. Implementing IT must consider not only the implementation of IT controls from the conformance perspective, but also that IT could be a key enabler for providing strategic and competitive advantage.
This requires that senior management considers IT not only as an information processing tool but also from a strategic perspective, to provide better and innovative services. This makes it imperative to develop an IT strategy which is aligned with the business strategy, ensures value creation, and facilitates benefit realization from IT investments.

1.4.3 EGIT (Enterprise Governance of Information and Technology)

In the light of digital transformation, Information and Technology has become crucial in the support, sustainability, and growth of enterprises. Previously, governing Boards (Boards of directors) and senior management could delegate, ignore, or avoid IT-related decisions; this is no longer the case. Enterprise governance of IT is a relatively new concept that is gaining traction in both the academic and practitioner worlds. Given the centrality of I&T for enterprise risk management and value generation, a specific focus on Enterprise Governance of Information and Technology (EGIT) has arisen over the last three decades. Going well beyond the implementation of a superior IT infrastructure, enterprise governance of IT is about defining and embedding processes and structures throughout the organization that enable both business and IT people to execute their responsibilities, while maximizing the value created from their IT-enabled investments.

EGIT is an integral part of overall enterprise governance and is focused on IT performance and the management of risk attributable to the enterprise's dependencies on IT. It is exercised by the Board, which oversees the definition and implementation of processes, structures and relational mechanisms in the organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from I&T-enabled business investments.

1.5 BUSINESS AND IT STRATEGY

Management strategy determines, at the macro level, the path and methodology by which the enterprise renders its services. Strategy outlines the approach of the enterprise and is formulated by senior management. Based on the strategy adopted, relevant policies and procedures are formulated. From a business strategy perspective, IT is affecting the way in which enterprises are structured, managed and operated. One of the most dramatic developments affecting enterprises is the fusion of IT with business strategy. Enterprises can no longer develop business strategies separate from IT strategy, and vice versa. Accordingly, there is a need for the integration of sound IT planning with the business plan, and for the incorporation of effective financial and management controls within new systems.

Management is primarily focused on harnessing the enterprise's resources towards the achievement of business objectives. This involves the managerial processes of planning, organizing, staffing, directing, coordinating, reporting, and budgeting. The IT function aids each of these roles in making the business strategy effective. Every enterprise, regardless of its size, needs to have an internal control system built into its enterprise structure. Control is defined as "Policies, procedures, practices and enterprise structure that are designed to provide reasonable assurance that business objectives will be achieved and undesired events are prevented or detected and corrected."

We are aware that auditors could be involved in providing assurance that requires a review of Information Systems as implemented, from a control perspective. However, auditors may also be required to provide consultation before, during or after the implementation of an information systems strategy. It therefore becomes imperative for the auditor to understand the relevant concepts of the enterprise strategy. Hence, auditors must have a good understanding of the management aspects relevant to the deployment of IT and IT strategy. This includes an understanding of the IS strategy, policies, procedures, practices and enterprise structure, segregation of duties, etc. The policies and procedures, along with the controls, have to be embedded in the IT system for effective management.

IT organizations should define their strategies and tactics to support the organization by ensuring that day-to-day IT operations are delivered efficiently and without compromise. Metrics and goals are established to help the IT organization perform on a tactical basis and to guide the efforts of personnel in improving the maturity of practices. The results enable the IT function to execute its strategy and achieve the objectives established with the approval of enterprise leaders. Internal audit can determine whether the linkage of IT metrics and objectives aligns with the organization's goals, adequately measures the progress being made on approved initiatives, and express an opinion on whether the metrics are relevant and useful. Additionally, auditors can validate that metrics are being measured correctly and represent realistic views of IT operations and governance on a tactical and strategic basis. Auditors are also called upon to check the operation and effectiveness of the controls, both as part of the confirmatory function in IS assurance and for risk mitigation.

1.5.1 Objective of IT Strategy

The primary objective of IT strategy is to provide a holistic view of the current IT environment, the future direction, and the initiatives required to migrate to the desired future environment. This is achieved by leveraging enterprise architecture building blocks and components to enable a nimble, reliable, and efficient response to strategic objectives.
Alignment of the strategic IT plans with the business objectives is achieved by clearly communicating the objectives and associated accountabilities so that they are understood by all, and by ensuring that all IT strategic options are identified, structured, and integrated with the business plans as required.

1.5.2 IT Steering Committee

Planning is essential for determining and monitoring the direction and achievement of the enterprise's goals and objectives. As enterprises are dependent on the information generated by information systems, it is important that planning relating to information systems is undertaken by senior management or by the steering committee. Depending on the size and needs of the enterprise, senior management may appoint a high-level committee to provide appropriate direction to IT deployment and information systems, and to ensure that the information technology deployment is in tune with the enterprise's business goals and objectives. This committee, called the IT Steering Committee, is ideally led by a member of the Board of Directors and comprises functional heads from all key departments of the enterprise, including the audit and IT departments. The role and responsibility of the IT Steering Committee and its members must be documented and approved by senior management. As the members are functional heads of departments, they are responsible for taking decisions relating to their departments as required. The IT Steering Committee provides overall direction to the deployment of IT and information systems in the enterprise. The key functions of the IT Steering Committee include the following:
♦ To ensure that the long- and short-range plans of the IT department are in tune with enterprise goals and objectives.
♦ To establish the size and scope of the IT function and set priorities within that scope.
♦ To review and approve major IT deployment projects in all their stages.
♦ To approve and monitor key projects by measuring the results of IT projects in terms of return on investment, etc.
♦ To review the status of IS plans and budgets and overall IT performance.
♦ To review and approve standards, policies and procedures.
♦ To make decisions on all key aspects of IT deployment and implementation.
♦ To facilitate the implementation of IT security within the enterprise.
♦ To facilitate and resolve conflicts in the deployment of IT and ensure that a viable communication system exists between IT and its users.
♦ To report to the Board of Directors on IT activities on a regular basis.

1.5.3 IT Strategic Planning

Strategic planning has to be dynamic in nature, and IT management and business process owners should ensure that a process is in place to modify the IT long-range plan in a timely and accurate manner to accommodate changes to the enterprise's long-range plan and changes in IT conditions. Management should establish a policy requiring that IT long- and short-range plans are developed and maintained. IT management and business process owners should ensure that the IT long-range plan is regularly translated into IT short-range plans. Such short-range plans should ensure that appropriate IT function resources are allocated on a basis consistent with the IT long-range plan. The short-range plans should be reassessed periodically and amended as necessary in response to changing business and IT conditions. Timely feasibility studies should ensure that the execution of the short-range plans is adequately initiated.

1.5.4 Classification of Strategic Planning

In the context of Information Systems, Strategic Planning refers to the planning undertaken by top management towards meeting the long-term objectives of the enterprise.
IT strategy planning in an enterprise can be broadly classified into the following categories:

(i) Enterprise Strategic Plan: Business planning determines the overall plan of the enterprise. The enterprise strategic plan provides the overall charter under which all units in the enterprise, including the information systems function, must operate. It is the primary plan prepared by the top management of the enterprise that guides the long-run development of the enterprise. It includes a statement of mission, a specification of strategic objectives, an assessment of the environmental and organizational factors that affect the attainment of these objectives, a statement of strategies for achieving the objectives, a specification of the constraints that apply, and a listing of priorities. For an organization to thrive, it is important to ensure that the IT plan is aligned with the enterprise plan.

(ii) Information Systems Strategic Plan: The IS strategic plan in an enterprise must focus on striking an optimum balance between IT opportunities and IT business requirements, as well as ensuring its accomplishment. This requires the enterprise to have a strategic planning process undertaken at regular intervals, giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals. Some of the enablers of the IS strategic plan are as follows:
• Robust enterprise business strategy,
• Definition of how IT supports the business objectives,
• Inventory of technological solutions and current infrastructure,
• Monitoring the technology markets,
• Timely feasibility studies and reality checks,
• Existing systems assessments,
• Enterprise position on risk, time-to-market, quality, and
• Need for senior management buy-in, support and critical review.

(iii) Information Systems Requirements Plan: Every enterprise needs to have a clearly defined information architecture, with the objective of optimizing the organization of the information systems. This requires the creation and continuous maintenance of a business information model, and ensuring that appropriate systems are defined to optimize the use of this information. Based on the information architecture requirements of an enterprise, the Information Systems Requirements Plan has to be drawn up. Some of the key enablers of the information architecture are as follows:
• Automated data repository and dictionary.
• Data syntax rules.
• Data ownership and criticality/security classification.
• An information model representing the business.
• Enterprise information architectural standards.

The information systems requirements plan defines the information system architecture for the information systems department. The architecture specifies the major organizational functions needed to support planning, control and operations activities, and the data classes associated with each function. Business planning determines the information needs of an enterprise. The information architecture determines the information needs and flows in the enterprise. Based on the information architecture, the organization structure is determined. This in turn leads to specific information systems, which include the relevant IT and related processes. For example, depending on the business, information architecture and organization structure, the enterprise will decide whether to acquire or develop the solution and the relevant controls required to meet the business requirements.
(iv) Information Systems Applications and Facilities Plan: Based on the information systems architecture and its associated priorities, the information systems management can develop an information systems applications and facilities plan that includes:

- specific application systems to be developed and an associated time schedule.
- hardware and software acquisition/development schedule.
- facilities required.
- organization changes required.

Senior management is responsible for developing and implementing long and short-range plans that enable the achievement of the enterprise mission and goals. Senior management should ensure that IT issues as well as opportunities are adequately assessed and reflected in the enterprise's long- and short-range plans. IT long and short-range plans should be developed to help ensure that the use of IT is aligned with the mission and business strategies of the enterprise. The strategic plan period could vary from 1 year to 3 years. It is important to ensure that the IT strategic plans are aligned with the business strategic plans as IT is ultimately used for achieving business objectives. Strategic planning could be done by the top management or by the steering committee. Strategic planning facilitates putting organization objectives into time-bound plans and action. Comprehensive planning helps to ensure an effective and efficient enterprise. Strategic planning is time and project oriented but must also address and help determine priorities to meet business needs.

1.5.5 Key Management Practices for aligning IT Strategy with Enterprise Strategy

The key management practices which are required for aligning IT strategy with enterprise strategy are highlighted here:

♦ Understand enterprise direction: Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives.
Also consider the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).

♦ Assess the current environment, capabilities, and performance: Assess the performance of current internal business and IT capabilities and external IT services and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. It is advisable to consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services.

♦ Define the target IT capabilities: Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals.

♦ Conduct a gap analysis: Identify the gaps between the current and target environments and consider the alignment of assets (the capabilities that support services) with business outcomes to optimize investment in and utilization of the internal and external asset base. Consider the critical success factors to support strategy execution.

♦ Define the strategic plan and road map: Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets.
IT should define the initiatives that will be required to close the gaps, the sourcing strategy, and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.

♦ Communicate the IT strategy and direction: Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.

The success of alignment of IT and business strategy can be measured by reviewing the percentage of enterprise strategic goals and requirements supported by IT strategic goals, the extent of stakeholder satisfaction with the scope of the planned portfolio of programs and services, and the percentage of IT value drivers which are mapped to business value drivers.

1.5.6 Business Value from Use of IT

Business value from use of IT is achieved by ensuring optimization of the value contribution to the business from the business processes, IT services and IT assets resulting from IT-enabled investments at an acceptable cost. The benefit of implementing this process will ensure that the enterprise is able to secure optimal value from IT-enabled initiatives, services and assets, cost-efficient delivery of solutions and services, and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently.

The key management practices which need to be implemented for evaluating 'Whether business value is derived from IT' are highlighted as under:

♦ Evaluate Value Optimization: Continually evaluate the portfolio of IT-enabled investments, services, and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost.
Identify and make judgment on any changes in direction that need to be given to management to optimize value creation.

♦ Direct Value Optimization: Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle.

♦ Monitor Value Optimization: Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions.

The success of the process of ensuring business value from use of IT can be measured by evaluating the benefits realized from the portfolio of IT-enabled investments and services, and how the management of IT costs, benefits and risk is implemented. Some of the key metrics which can be used for such evaluation are as follows:

♦ Percentage of IT-enabled investments where benefit realization is monitored through the full economic life cycle.
♦ Percentage of IT services where expected benefits are realized.
♦ Percentage of IT-enabled investments where claimed benefits are met or exceeded.
♦ Percentage of investment business cases with clearly defined and approved expected IT-related costs and benefits.
♦ Percentage of IT services with clearly defined and approved operational costs and expected benefits.
♦ Satisfaction survey of key stakeholders regarding the transparency, understanding and accuracy of IT financial information.
♦ Benchmarking the benefits realized against industry practice and evaluation of industry metrics vis-a-vis the company.

1.6 FRAMEWORKS TO SUPPORT EFFECTIVE IT GOVERNANCE

There are several formal frameworks that are identified in any survey of IT governance frameworks. An organization that adopts and pursues an IT governance framework must ensure that it satisfies four separate audiences: Customers, Stakeholders, Regulators, and the Board Members themselves.
♦ Customers need some certainty that their supplier will be around for the long term, that their personal or business details won't be exposed, and that they will get what they are paying for—whether it's quality, services, or goods.

♦ Stakeholders (including shareholders, employees, and suppliers) also want to be sure that the organization will be around for the long term, and that their investment (of shareholder cash, uncompensated labor, or as-yet unpaid invoices) is not only safe but likely to turn into something better—through effective leveraging of IT and intellectual assets combined with clear-sighted, transparent management and control of the ICT (Information and Communications Technology) infrastructure within the context of the business model and business strategy.

♦ Regulators want to be convinced that their regulations are and will continue to be adhered to.

♦ The Board members want to be sure that their reputations will survive their time at the organization and that a personal contribution to the settlement of a class action suit never becomes an issue for them.

1.6.1 COBIT as an IT (Information and Technology) Governance Framework

Over the years, best-practice frameworks have been developed and promoted to assist in the process of understanding, designing and implementing Enterprise Governance of IT (EGIT). COBIT® 2019 builds on and integrates more than 25 years of development in this field, not only incorporating new insights from science, but also operationalizing these insights as practice. From its foundation in the IT audit community, COBIT® has developed into a broader and more comprehensive Information and Technology (I&T) governance and management framework and continues to establish itself as a generally accepted framework for I&T governance. COBIT is a framework for the governance and management of information and technology, aimed at the whole enterprise.
Enterprise I&T means all the technology and information processing the enterprise puts in place to achieve its goals, regardless of where this happens in the enterprise. In other words, enterprise I&T is not limited to the IT department of an organization but encompasses a broader concept.

The COBIT framework makes a clear distinction between governance and management. These two disciplines encompass different activities, require different organizational structures and serve different purposes.

♦ Governance ensures that:
- stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.
- direction is set through prioritization and decision making.
- performance and compliance are monitored against agreed-on direction and objectives.

In most enterprises, governance is the responsibility of the Board of directors, under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organizational structures at an appropriate level, particularly in larger, complex enterprises.

♦ Management plans, builds, runs, and monitors activities, in alignment with the direction set by the governance body, to achieve enterprise objectives. In most enterprises, management is the responsibility of the executive management under the leadership of the Chief Executive Officer (CEO).

COBIT defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure.

Misconceptions about COBIT

♦ It is not a full description of the whole IT environment of an enterprise.
♦ It is not a framework to organize business processes.
♦ It is not an (IT) technical framework to manage all technology.
♦ It does not make or prescribe any IT-related decisions.
COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system. COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels. It will not decide what the best IT strategy is, what the best architecture is, or how much IT can or should cost. Rather, COBIT defines all the components that describe which decisions should be taken and how and by whom they should be taken.

COBIT Principles

COBIT® 2019 was developed based on two sets of principles:

(i) Principles that describe the core requirements of a governance system for enterprise information and technology.

(ii) Principles for a governance framework that can be used to build a governance system for the enterprise.

Six Principles for a Governance System

The six principles for a Governance System are depicted in Fig. 1.5:

(i) Provide Stakeholder value: Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of I&T. Value reflects a balance among benefits, risk and resources, and enterprises need an actionable strategy and governance system to realize this value.

(ii) Holistic approach: A governance system for enterprise I&T is built from several components that can be of different types and that work together in a holistic way.

(iii) Dynamic Governance System: A governance system should be dynamic. This means that each time one or more of the design factors are changed (e.g., a change in strategy or technology), the impact of these changes on the EGIT system must be considered. A dynamic view of EGIT will lead toward a viable and future-proof EGIT system.

(iv) Distinct Governance from Management: A governance system should clearly distinguish between governance and management activities and structures.
(v) Tailored to enterprise needs: A governance system should be tailored to the enterprise's needs, using a set of design factors as parameters to customize and prioritize the governance system components.

(vi) End-to-end Governance System: A governance system should cover the enterprise end to end, focusing not only on the IT function but on all technology and information processing the enterprise puts in place to achieve its goals, regardless of where the processing is located in the enterprise.

Fig. 1.5: Principles of Governance System (1. Provide Stakeholder Value; 2. Holistic Approach; 3. Dynamic Governance System; 4. Governance Distinct from Management; 5. Tailored to Enterprise Needs; 6. End-to-End Governance System)

Governance and Management Objectives

For information and technology to contribute to enterprise goals, several governance and management objectives should be achieved. Basic concepts relating to governance and management objectives are as follows:

1. A governance or management objective always relates to one process (with an identical or similar name) and a series of related components of other types to help achieve the objective.

2. A governance objective relates to a governance process, while a management objective relates to a management process. Board and executive management are typically accountable for governance processes, while management processes are the domain of senior and middle management.

COBIT® 2019 includes 40 governance and management objectives organized into five domains – EDM, APO, BAI, DSS and MEA. The domains have names with verbs that express the key purpose and areas of activity of the objectives contained in them. Refer Fig. 1.6:

Fig. 1.6: COBIT Core Model (the 40 governance and management objectives, grouped by domain)

Evaluate, Direct and Monitor (EDM):
- EDM01 Ensured Governance Framework Setting
- EDM02 Ensured Benefits Delivery
- EDM03 Ensured Risk Optimization
- EDM04 Ensured Resource Optimization
- EDM05 Ensured Stakeholder Engagement

Align, Plan and Organize (APO):
- APO01 Managed I&T Management Framework
- APO02 Managed Strategy
- APO03 Managed Enterprise Architecture
- APO04 Managed Innovation
- APO05 Managed Portfolio
- APO06 Managed Budget and Costs
- APO07 Managed Human Resources
- APO08 Managed Relationships
- APO09 Managed Service Agreements
- APO10 Managed Vendors
- APO11 Managed Quality
- APO12 Managed Risk
- APO13 Managed Security
- APO14 Managed Data

Build, Acquire and Implement (BAI):
- BAI01 Managed Programs
- BAI02 Managed Requirements Definition
- BAI03 Managed Solutions Identification and Build
- BAI04 Managed Availability and Capacity
- BAI05 Managed Organizational Change
- BAI06 Managed IT Changes
- BAI07 Managed IT Change Acceptance and Transitioning
- BAI08 Managed Knowledge
- BAI09 Managed Assets
- BAI10 Managed Configuration
- BAI11 Managed Projects

Deliver, Service and Support (DSS):
- DSS01 Managed Operations
- DSS02 Managed Service Requests and Incidents
- DSS03 Managed Problems
- DSS04 Managed Continuity
- DSS05 Managed Security Services
- DSS06 Managed Business Process Controls

Monitor, Evaluate and Assess (MEA):
- MEA01 Managed Performance and Conformance Monitoring
- MEA02 Managed System of Internal Control
- MEA03 Managed Compliance With External Requirements
- MEA04 Managed Assurance

(i) Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) domain (EDM01 to EDM05). In this domain, the governing body evaluates strategic options, directs senior management on the chosen strategic options and monitors the achievement of the strategy.

(ii) Management objectives are grouped in four domains:

- Align, Plan and Organize (APO01 to APO14) addresses the overall organization, strategy and supporting activities for I&T.
- Build, Acquire and Implement (BAI01 to BAI11) treats the definition, acquisition and implementation of I&T solutions and their integration in business processes.
- Deliver, Service and Support (DSS01 to DSS06) addresses the operational delivery and support of I&T services, including security.
- Monitor, Evaluate and Assess (MEA01 to MEA04) addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements.

Components of the Governance System (Refer Fig. 1.7)

Fig. 1.7: COBIT Components of a Governance System (Processes; Organizational Structures; Principles, Policies, Procedures; Information; Culture, Ethics and Behaviour; People, Skills and Competencies; Services, Infrastructure and Application, all arranged around the Governance System)

To satisfy governance and management objectives, each enterprise needs to establish, customise and sustain a governance system built from a number of components.

♦ Components are factors that, individually and collectively, contribute to the good operations of the enterprise's governance system over Information & Technology.

♦ Components interact with each other, resulting in a holistic governance system for Information & Technology.

♦ Components can be of different types. The most familiar are processes. However, components of a governance system also include organizational structures; policies and procedures; information items; culture and behavior; skills and competencies; and services, infrastructure, and applications.

- Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs that support achievement of overall IT-related goals.
- Organizational structures are the key decision-making entities in an enterprise.
- Principles, Policies and Frameworks translate desired behavior into practical guidance for day-to-day management.
- Information is pervasive throughout any organization and includes all information produced and used by the enterprise. COBIT focuses on information required for the effective functioning of
