Does Assurance Add Value? (We Don't Know What We Don't Know Until We Know It) John Mitchell, PhD, MBA, CEng, CITP, FBCS, CFIIA, CISA, CGEIT, QiCA, CFE


Slide 1: Does Assurance Add Value? (We Don't Know What We Don't Know Until We Know It)
John Mitchell, PhD, MBA, CEng, CITP, FBCS, CFIIA, CISA, CGEIT, QiCA, CFE
LHS Business Control, Grangewood, Potters Bar, Herts EN6 1SL, England
Tel: +44 (0)
john@lhscontrol.com

Slide 2: How Your IT Service Is (hopefully) Seen By Others

Slide 3: The Reality

Slide 4: Stakeholder Needs and Expectations
Stakeholders: Audit Committee, Local management, Head of Assurance Services, Chief Executive, External Assessors, Business Directors
Expectations: Assurance, Practical solutions, Value-driven, Meeting all requirements, Quality processes, Real Benefits

Slide 5: What Management Want
- Assurance
- Conformance
- Performance

Slide 6: Impact of Control on Income (Normal Operation)
Chart of income against time with series Cost, Revenue and Profit; the cost line is made up of the Cost of the Control System (Cost of Control) plus the Cost of Normal Business Activities.

Slide 7: Impact of Control Failure on Income (With Recovery)
Chart of income against time with series Cost, Revenue and Profit (Cost of the Control System plus Cost of Normal Business Activities). Marked on the chart: Control Failure, Lost Profit, Exposure Window, Recovery Time.
Key: DT = Detection Time, FT = Fix Time, MT = Max Time.

Slide 8: Impact of Control Failure on Income (Without Recovery)
Chart of income against time with series Cost, Revenue and Profit (Cost of the Control System plus Cost of Normal Business Activities). Marked on the chart: Control Failure, Lost Profit, Exposure Window.
Key: DT = Detection Time, FT = Fix Time, MT = Max Time.
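Slides 6 to 8 are drawn as curves, so the arithmetic behind them is easy to miss: the exposure window is DT + FT, the business recovers only if that window closes before MT, and lost profit is the gap between the uninterrupted profit line and what is actually earned. The following is an added example, not the presenter's code or material. The shape of the profit curve (zero profit during the window, a linear ramp back during the recovery time, no recovery at all once MT is reached), the figures, and the function names are all my assumptions.

```python
"""Toy income model for the 'Impact of Control Failure on Income' slides.

Time is measured in whole days since the control failure.  Modelling
assumptions (mine, not the slides'):
  * under normal operation profit accrues at a constant daily rate;
  * during the exposure window (DT + FT) no profit is earned;
  * if the window is shorter than MT the business recovers, ramping
    linearly back to full profit over the recovery time;
  * if the window reaches MT there is no recovery: profit stays at zero
    for the rest of the planning horizon.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureScenario:
    profit_per_day: float   # daily profit under normal operation
    detection_time: int     # DT: days from control failure to detection
    fix_time: int           # FT: days from detection to fix
    max_time: int           # MT: longest outage the business can survive
    recovery_time: int      # days to ramp from zero back to full profit
    horizon: int            # planning horizon in days after the failure


def exposure_window(s: FailureScenario) -> int:
    """Days during which the failed control leaves the business exposed."""
    return s.detection_time + s.fix_time


def recovers(s: FailureScenario) -> bool:
    """The 'with recovery' case: the fix lands before MT is reached."""
    return exposure_window(s) < s.max_time


def daily_profit(s: FailureScenario, day: int) -> float:
    """Profit earned on a given day (day 0 is the day of the failure)."""
    if not recovers(s):
        return 0.0                                   # slide 8: no recovery
    since_fix = day - exposure_window(s)
    if since_fix < 0:
        return 0.0                                   # inside the exposure window
    if s.recovery_time > 0 and since_fix < s.recovery_time:
        return s.profit_per_day * since_fix / s.recovery_time   # linear ramp
    return s.profit_per_day                          # back to normal operation


def lost_profit(s: FailureScenario) -> float:
    """Profit foregone over the horizon compared with uninterrupted operation."""
    normal = s.profit_per_day * s.horizon
    actual = sum(daily_profit(s, d) for d in range(s.horizon))
    return normal - actual


def profit_preserved_by_faster_detection(s: FailureScenario, new_detection_time: int) -> float:
    """Value of shrinking DT (everything else unchanged), e.g. through continuous monitoring.

    A shorter window can turn the 'without recovery' case into the 'with recovery' case.
    """
    faster = FailureScenario(s.profit_per_day, new_detection_time, s.fix_time,
                             s.max_time, s.recovery_time, s.horizon)
    return lost_profit(s) - lost_profit(faster)


if __name__ == "__main__":
    # Constructed illustrative figures, not taken from the slides.
    base = FailureScenario(profit_per_day=1000, detection_time=20, fix_time=15,
                           max_time=30, recovery_time=10, horizon=365)
    print(f"window={exposure_window(base)}d recovers={recovers(base)} "
          f"lost={lost_profit(base):,.0f}")
    print(f"detect in 5 days instead: preserves "
          f"{profit_preserved_by_faster_detection(base, 5):,.0f}")
```

With the constructed figures, a 20-day detection time plus a 15-day fix overruns the 30-day MT and the whole year's profit is lost; cutting detection to 5 days brings the window under MT and preserves most of it. That difference, set against the ongoing cost of the control system from slide 6, is the quantity the "does assurance add value" question turns on.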

Slide 9: Financial Impact On Brand
- Maria Sharapova loses 100 million in sponsorship
- Npower fined 26m because of customer service failures
- Cost of emission cheating likely to top 45 billion
- Scottish Power fined 18m because of customer service failures

Slide 10: The Main IT Areas
- Planning & organisation of IT/IS
- Acquisition & implementation of business solutions
- Service delivery
- Performance monitoring

Slide 11: Simple IT Infrastructure
Diagram elements: Finance; EUC - End User Computing ("Bandit Country"); Policies; People; Facilities; Data; Application Software; Base Software (Operating System & DBMS); Standards; Procedures; Hardware

Slide 12: Extended Infrastructure
Diagram elements: Customer; Internet; Router; Outer Firewall; Web server; Middleware; Inner Firewall; SQL database; Back-end legacy system; Social Networking; Cloud Computing; Credit Check & Banking; BYOD; Wearability

Slide 13: IT Governance & Relationships
IT GOVERNANCE (Evaluate, Direct & Monitor): Governance framework, Benefits delivery, Risk optimisation, Resource optimisation, Stakeholder transparency
Align, Plan & Organise:
- Manage the IT management framework
- Manage strategy
- Manage enterprise architecture
- Manage innovation
- Manage portfolio
- Manage budget & costs
- Manage human resources
- Manage relationships
- Manage service agreements
- Manage suppliers
- Manage quality
- Manage risk
- Manage security
Acquire & Implement:
- Manage programmes & projects
- Manage requirements definition
- Manage solutions identification & build
- Manage availability & capacity
- Manage organisational change
- Manage changes
- Manage change acceptance & transitioning
- Manage knowledge
- Manage assets
- Manage configuration
Delivery & Support:
- Manage operations
- Manage service requests & incidents
- Manage problems
- Manage continuity
- Manage security services
- Manage business process controls
Monitor & Evaluate:
- Monitor & evaluate performance
- Monitor & evaluate internal control
- Monitor external compliance

Slide 14: Assurance Frameworks
Chart positioning assurance frameworks by scope of coverage on WHAT and HOW axes: COSO, CMM & ISO, ISO 8000, ISO 9000, ITIL and several further ISO standards.

Slide 15: CMM & ISO Levels

Level   CMM                      ISO
5       Optimised                Optimised
4       Managed and Measurable   Predictable
3       Defined                  Established
2       Repeatable               Managed
1       Ad Hoc                   Performed
0       Non existent             Incomplete

Slide 16: IT Assurance Roadmap
PREPARE STRATEGIC PLAN:
- Process maturity assessment
- Risk identification
- Gap analysis between CobiT processes & inherent risks
- Gap analysis between process maturity & residual risks
- Prepare strategic plan
- Select processes for assurance
PREPARE TACTICAL PLAN:
- Understand process operation
- Identify value drivers
- Identify risk drivers
- Select control objectives
- Select control practices
- Identify process owners
PREPARE ASSURANCE PLAN:
- Interview process owners
- Select control tests
- Prepare assurance documentation
TEST FOR ASSURANCE:
- Test control design
- Test control effectiveness
- Document impact of control weakness
REPORT OPINION:
- Prepare draft report
- Obtain agreement & commitment
- Issue final report

Slide 17: Performance v Conformance
Business requirements drive the information that IT Processes deliver. IT Processes are:
- Controlled by: Control Objectives
- Made effective and efficient with: Control Practices
- Audited by: Assurance Guidelines (for conformance)
- Measured by: Activity Goals and Key Performance Indicators (for performance), Key Goal Indicators (for outcome), Maturity Models (for maturity)

Slide 18: Technology Developments (1970s to Present)
- Single batch program
- Batch multi-tasking
- On-line retrieval
- Real-time update
- Stand alone PCs
- Networking
- File servers & distributed processing
- Internet, Intranet & Extranet
- Palm devices
- Phone devices
- BYOD
- RFID
- Cloud computing
- 3D printing
- AI
- Robotics
Impact on the Assurance paradigm

Slide 19: Some Closing Thoughts
"The test of police efficiency is the absence of crime and disorder, not the visible evidence of police action in dealing with it." - Sir Robert Peel
"The test of assurance effectiveness is the absence of adverse regulatory or public comment on the enterprise's operations, not the visible evidence of auditor action in dealing with it." - Dr John Mitchell

Slide 20: Questions?
John Mitchell, PhD, MBA, CEng, CITP, FBCS, CFIIA, CISA, CGEIT, QiCA, CFE
LHS Business Control, 47 Grangewood, Potters Bar, Hertfordshire EN6 1SL, England
Tel: +44 (0)