Governance (Mnemonic: BCCI = Governance)
The term “Governance” is derived from the Greek verb meaning “to steer”.
(Mnemonic: In cricket, the multiple stakeholders of the IPL have an organized mechanism for evaluating options (Yuvraj Singh is an option), setting direction (Dhoni's direction-setting) and monitoring performance (Mohit Sharma's overall performance). Dhoni is satisfied because he has achieved his specific objective.)
A governance system typically
- refers to all the means and mechanisms
- that will enable multiple stakeholders in an enterprise to have an organized mechanism for evaluating options, setting direction and monitoring compliance and performance,
- in order to satisfy specific enterprise objectives.
IT Governance (Mnemonic: CISA = CA (Governance) + IT)
(Mnemonic: The CISA department's board and executive management have made a set of responsibilities and practices available to the CISA student, with the goal of providing strategic direction in study, ensuring that the passing-percentage objectives are achieved and that the risk of failure is managed.)
The set of responsibilities and practices
- exercised by the board and executive management
- with the goal of providing strategic direction,
- ensuring that objectives are achieved,
- ascertaining that risks are managed appropriately
- and verifying that the organization’s resources are used responsibly.
Governance of Enterprise IT (GEIT) (Mnemonic: IPL = GEIT)
(Mnemonic: IPL = BCCI (Enterprise / Governance) + I (International) T (Teams). The IPL is a subset of the BCCI and facilitates the implementation of international standard controls within India as relevant.)
Governance of Enterprise IT is a sub-set of corporate governance and facilitates implementation of a framework of IS controls within an enterprise as relevant and encompassing all key areas.
Benefits of Governance (Mnemonic: BCCI = Governance)
(Mnemonic: The BCCI achieved its objective (won the World Cup) by ensuring that each element of its mission and strategy was assigned and managed within a transparent decision framework. In the press conference they revealed their secrets: they defined and encouraged desirable behaviour in the use of international team coaches and in the execution of the international teams' outsourcing arrangements, and they implemented and integrated the desired batting practices into the team.)
1. Achieving enterprise objectives by ensuring that each element of the mission and strategy is assigned and managed with a clearly understood and transparent decision rights and accountability framework;
2. Defining and encouraging desirable behavior in the use of IT and in the execution of IT outsourcing arrangements;
3. Implementing and integrating the desired business processes into the enterprise;
4. Providing stability and overcoming the limitations of organizational structure;
5. Enabling effective and strategically aligned decision making for the IT principles that define the role, architecture and infrastructure of IT.
Benefits of IT Governance (Mnemonic: CISA = CA + IT)
(Mnemonic: A CA auditor's value increases through the CISA qualification; client (user) satisfaction with a CISA auditor also increases because the client pays lower fees and gets better cost performance. The auditor brings improved agility in supporting business needs such as accounting and taxation, so the company achieves compliance with relevant laws and optimal utilization of its IT resources.)
• Increased value delivered through enterprise IT;
• Increased user satisfaction with IT services;
• Improved agility in supporting business needs;
• Better cost performance of IT;
• Improved management and mitigation of IT-related business risk;
• IT becoming an enabler for change rather than an inhibitor;
• More optimal utilization of IT resources;
• Improved compliance with relevant laws, regulations and policies.
Benefits of GEIT (Mnemonic: IPL = GEIT; BCCI = Enterprise / Governance)
(Mnemonic: The IPL ensures that international-team-related decisions are made in line with the BCCI's strategies and objectives. It ensures that international-team-related processes are overseen effectively and transparently. It confirms compliance with the legal and regulatory requirements of Indian law. It ensures that the BCCI's requirements for board members are met.)
• It provides a consistent approach integrated and aligned with the enterprise governance approach.
• It ensures that IT-related decisions are made in line with the enterprise's strategies and objectives.
• It ensures that IT-related processes are overseen effectively and transparently.
• It confirms compliance with legal and regulatory requirements.
• It ensures that the governance requirements for board members are met.
Good corporate governance requires
(Mnemonic: The Audit Committee had a conflict of interest with the internal department controls of Philips (Sound) Co.; hence they failed to comply with relevant laws and regulations and with corporate disclosure requirements.)
- segregation of incompatible functions and elimination of conflicts of interest,
- establishment of an Audit Committee,
- risk management and compliance with the relevant laws and standards, including corporate disclosure requirements.
Criteria to ensure a well-defined benefit of IT Governance (Mnemonic: CISA = IT Governance)
(Mnemonic: Ownership of the CISA exam is defined and agreed. It is relevant and linked to ICAI's strategy. The risks, assumptions and benefits of passing (realization) are understood, correct and current. Timely and accurate CISA exam result data are easy to obtain or available on the website.)
• Ownership is defined and agreed;
• It is relevant and links to the business strategy;
• The timing of its benefit realization is realistic and documented;
• The risks, assumptions and dependencies associated with the realization of the benefits are understood, correct and current;
• An unambiguous measure has been identified; and
• Timely and accurate data for the measure is available or is easy to obtain.
Best practices of corporate governance
(Mnemonic: After the “SATYAM” fraud case, many companies introduced corporate governance systems which include clear assignment of responsibilities and decision-making authorities, establishment of a mechanism for interaction and cooperation among the board of directors, senior management and the auditors, implementation of strong internal control systems, and special monitoring of risk exposures where conflicts of interest are likely.)
• Clear assignment of responsibilities and decision-making authorities, incorporating a hierarchy of required approvals from individuals to the board of directors;
• Establishment of a mechanism for the interaction and cooperation among the board of directors, senior management and the auditors;
• Implementing strong internal control systems, including internal and external audit functions, risk management functions independent of business lines, and other checks and balances;
• Special monitoring of risk exposures where conflicts of interest are likely to be particularly great, including business relationships with borrowers affiliated with the bank, large shareholders, senior management, or key decision-makers within the firm (e.g. traders);
• Financial and managerial incentives to act in an appropriate manner offered to senior management, business line management and employees in the form of compensation, promotion and other recognition.
Key Governance Practices of Risk Management
(Key: Evaluate = identify/analyse effects; the WHO, HOW and WHAT questions relating to a decision. Direct = establish/assure/guide. Monitor = monitor goals, results, metrics and performance.)
Evaluate Risk Management: Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise.
Direct Risk Management: Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.
Monitor Risk Management: Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported on for remediation.
Key practices to determine the status of IT Governance
• Who makes the directing, controlling and executing decisions? (Evaluate)
• How are the decisions made? (Evaluate)
• What information is required to make the decisions? (Evaluate)
• What decision-making mechanisms are required? (Evaluate)
• How are exceptions handled? (Direct)
• How are the governance results monitored and improved? (Monitor)
Key Governance Practices of GEIT
Evaluate the Governance System:
- Continually identify and engage with the enterprise's stakeholders, and document an understanding of their requirements;
- Make judgment on the current and future design of governance of enterprise IT.
Direct the Governance System:
- Inform leadership and obtain their support, buy-in and commitment.
- Guide the structures, processes and practices for the governance of IT in line with agreed governance design principles, decision-making models and authority levels.
- Define the information required for informed decision making.
Monitor the Governance System:
- Monitor the effectiveness and performance of the enterprise’s governance of IT.
- Assess whether the governance system and implemented mechanisms are operating effectively and provide appropriate oversight of IT.
Key management practices which need to be implemented for evaluating ‘whether business value is derived from IT’
(Key: Business value = IT-enabled investments, and the claimed benefits, expected benefits and realized benefits of those investments.)
Evaluate Value Optimization: Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost.
Direct Value Optimization: Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle.
Monitor Value Optimization: Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits for the enterprise from IT-enabled investments and services.
Key Management Practices for Aligning IT Strategy with Enterprise Strategy
(Mnemonic: CU CU AD, relating to IT services, strategy and the enterprise environment)
Understand enterprise direction: Develop an understanding of the enterprise environment and requirements; consider the current enterprise environment and also the external environment of the enterprise.
Assess the current environment, capabilities and performance: Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT.
Define the target IT capabilities: Define the target business and IT capabilities and the required IT services.
Conduct a gap analysis between the current and target environments.
Communicate the IT strategy and direction: Create awareness and understanding of the business and IT objectives and direction.
Key Management Practices of Risk Management
(Mnemonic: MAD CAR, relating to IT risk)
• Collect Data: Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
• Analyze Risk: Develop useful information to support risk decisions that take into account the business relevance of risk factors.
• Maintain a Risk Profile: Maintain an inventory of known risks and risk attributes, including expected frequency, potential impact and responses, and of related resources, capabilities and current control activities.
• Articulate Risk: Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.
• Define a Risk Management Action Portfolio: Manage opportunities and reduce risk to an acceptable level as a portfolio.
• Respond to Risk: Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.
Key Management Practices of IT Compliance
(Mnemonic: IOCO, relating to compliance requirements)
(Key: Compliance = internal and external laws, regulations, agreements, reports, working practices, review updates, fines and penalties.)
COBIT 5 provides key management practices for ensuring compliance with external requirements as relevant to the enterprise.
Identify External Compliance Requirements: On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.
Optimize Response to External Requirements: Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated.
Confirm External Compliance: Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.
Obtain Assurance of External Compliance: Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.
Key management practices for assessing and evaluating the system of internal controls in an enterprise
(Mnemonic: MRP, Independent & Qualified, IPS)
• Monitor Internal Controls: Continuously monitor, benchmark and improve the control environment and control framework to meet organizational objectives.
• Review Business Process Controls Effectiveness: Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within business processes operate effectively.
• Perform Control Self-assessments: Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management’s control over processes, policies and contracts.
• Identify and Report Control Deficiencies: Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.
• Ensure that assurance providers are independent and qualified: Ensure that the entities performing assurance are independent from the function, groups or organizations in scope.
• Plan Assurance Initiatives: Plan assurance initiatives based on enterprise objectives and conformance objectives, assurance objectives and strategic priorities, inherent risk, resource constraints, and sufficient knowledge of the enterprise.
• Scope Assurance Initiatives: Define and agree with management on the scope of the assurance initiative, based on the assurance objectives.
Key functions of the IT Steering Committee
(Mnemonic: Set, Ensure, Facilitate, Review, Make, Report)
• To set priorities according to the size and scope of the IT function within its scope;
• To ensure that plans of the IT department are aligned with enterprise goals and objectives;
• To facilitate implementation of IT security within the enterprise;
• To facilitate and resolve conflicts in the deployment of IT and ensure that a viable communication system exists between IT and its users;
• To approve and monitor key projects by measuring the results of IT projects in terms of ROI, etc.;
• To review and approve major IT deployment projects in all their stages;
• To review and approve standards, policies and procedures;
• To review the status of IS plans and budgets and overall IT performance;
• To make decisions on all key aspects of IT deployment and implementation;
• To report to the Board of Directors on IT activities on a regular basis.
Key Metrics for Assessing the Compliance Process
(Key: Metrics = cost, percentage, number, frequency.)
• Compliance with External Laws and Regulations:
- Cost of IT non-compliance, including settlements and fines;
- Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment;
- Number of non-compliance issues relating to contractual agreements with IT service providers; and
- Coverage of compliance assessments.
• IT Compliance with Internal Policies:
- Number of incidents related to non-compliance with policy;
- Percentage of stakeholders who understand policies;
- Percentage of policies supported by effective standards and working practices; and
- Frequency of policy review and updates.
Key metrics for evaluation of business value from use of IT
• Percentage of IT-enabled investments where benefit realization is monitored through the full economic life cycle;
• Percentage of IT services where expected benefits are realized;
• Percentage of IT-enabled investments where claimed benefits are met or exceeded;
• Percentage of investment business cases with clearly defined and approved expected IT-related costs and benefits;
• Percentage of IT services with clearly defined and approved operational costs and expected benefits; and
• Satisfaction survey of key stakeholders regarding the transparency, understanding and accuracy of IT financial information.
Metrics of Risk Management
(Key: Risk management = critical business processes, IT services, significant IT-related incidents, IT-related risk, risk profile, assessment.)
• Percentage of critical business processes, IT services and IT-enabled business programs covered by risk assessment;
• Number of significant IT-related incidents that were not identified in risk assessment;
• Percentage of enterprise risk assessments including IT-related risks; and
• Frequency of updating the risk profile based on the status of assessment of risks.
COBIT 5 Business Framework – Governance and Management of Enterprise IT
(Mnemonic: Manage IT Risk, Policy Development, Increase User Satisfaction, For All Business)
COBIT 5 helps enterprises to manage IT-related risk and ensure compliance, security and privacy. COBIT 5 enables clear policy development and good practice for IT management, including increased business user satisfaction. The key advantage in using a generic framework such as COBIT 5 is that it is useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
Integrating COBIT 5 with Other Frameworks
COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including
- GEIT
- ISO 27001
- ITIL
- Risk IT
- Val IT
- TOGAF (The Open Group Architecture Framework)
- ISO 38500
The framework and resulting enablers should be aligned with and in harmony with (amongst others) the:
• Enterprise policies, strategies, governance and business plans, and audit approaches;
• Enterprise risk management framework; and
• Existing enterprise governance organization, structures and processes.
Customizing COBIT 5 as per Requirement
(Mnemonic: Women Director (GIRL) Assure the Activities of CSR Reporting)
COBIT 5 can be tailored to meet an enterprise’s specific business model, technology environment, industry, location and corporate culture. Because of its open design, it can be applied to meet needs related to:
• Information security,
• Risk management,
• Governance and management of enterprise IT,
• Assurance activities,
• Legislative and regulatory compliance, and
• Financial processing or CSR reporting.
Need for Enterprises to Use COBIT 5
(Mnemonic: Increased value creation using the UID card; in future, support for compliance with the relevant laws and regulations on UID will increase.)
• Increased value creation from use of IT;
• User satisfaction with IT engagement and services;
• Support for compliance with relevant laws, regulations and contractual requirements;
• Development of more business-focused IT solutions and services; and
• Increased enterprise-wide involvement in IT-related activities.
Components in COBIT 5
(Mnemonic: PM CM on FC Road)
• Framework: Organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements.
• Process Descriptions: A reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run and monitor.
• Control Objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
• Management Guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes.
• Maturity Models: Assess maturity and capability per process and help to address gaps.
Benefits of COBIT 5
(Mnemonic: Combine the answers for Benefits of IT Governance and the COBIT 5 GEIT framework.)
• A comprehensive framework such as COBIT 5 enables enterprises to achieve their objectives for the governance and management of enterprise IT.
• The best practices of COBIT 5 help enterprises to create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.
• Further, COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.
• COBIT 5 helps enterprises to manage IT-related risk and ensures compliance, continuity, security and privacy.
• COBIT 5 enables clear policy development and good practice for IT management, including increased business user satisfaction.
• The key advantage in using a generic framework such as COBIT 5 is that it is useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
• COBIT 5 supports compliance with relevant laws, regulations, contractual agreements and policies.
Five Principles of COBIT 5
(Mnemonic: The company called a meeting of its stakeholders (Meeting Stakeholder Needs); in the meeting every chair was covered end to end (Covering the Enterprise End to End); everyone together made a single plan (Single Integrated Framework) to go to Mathura for Holi (Holistic Approach), but management and governance would travel separately (Separating Governance from Management).)
Principle 1: Meeting Stakeholder Needs
COBIT 5 provides all of the required processes and other enablers to support business value creation through the use of IT. An enterprise can customize COBIT 5 to suit its own context and create value for its stakeholders through the use of IT.
Principle 2: Covering the Enterprise End to End
COBIT 5 does not focus on the IT function alone; it considers all IT-related governance and management enablers to be enterprise-wide and end to end, including each and everything.
Principle 3: Applying a Single Integrated Framework
There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. The COBIT 5 framework aligns with them at a high level and serves as an overarching framework to simplify complexity.
Principle 4: Enabling a Holistic Approach
COBIT 5 defines a set of 7 enablers to support the implementation of a comprehensive governance and management system for enterprise IT.
Principle 5: Separating Governance from Management
COBIT 5 makes a clear distinction between governance and management. COBIT 5 recognizes that these two disciplines (governance and management) are involved in different types of activities, serve different purposes and require different organizational structures to fulfil their individual needs.
Seven Enablers of COBIT 5
(Mnemonic: An organization decided to make principles and policies (Principles, Policies and Frameworks) for day-to-day management: if any staff member follows the company's processes (Processes) with the wrong culture, ethics and behaviour (Culture, Ethics and Behaviour), they will be shifted to the service desk (Services, Infrastructure and Applications) from next month and given training to improve their skills and competence (People, Skills and Competencies) as a corrective action; and whoever gives information (Information) about such staff will be rewarded.)
Principles, policies and frameworks are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.
Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
Organizational structures are the key decision-making entities in an enterprise.
Culture, ethics and behaviour of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.
Information is required for keeping the organization running and well governed. At the operational level, information is very often the key product of the enterprise itself.
COBIT 5 Reference Model
It defines and describes in detail a number of governance and management processes. It represents all of the processes normally found in an enterprise relating to IT activities, providing a common reference model understandable to operational IT and business managers.
Governance Processes:
- Evaluate, Direct and Monitor (EDM) – 5 processes
Management Processes:
- Align, Plan and Organise (APO) – 13 processes
- Build, Acquire and Implement (BAI) – 10 processes
- Deliver, Service and Support (DSS) – 6 processes
- Monitor, Evaluate and Assess (MEA) – 3 processes