SHIFTING TO THE CLOUD: UNDERSTANDING IT INVESTMENT MANAGEMENT BEYOND YOUR DATA CENTER WALLS


Slide 1: SHIFTING TO THE CLOUD: UNDERSTANDING IT INVESTMENT MANAGEMENT BEYOND YOUR DATA CENTER WALLS
Katherine Fore, Jennifer McGill, Carolinas Healthcare System
AHIA 35th Annual Conference, September 11-14,

Slide 2: 75 Years of Caring


Slide 4: Agenda
- Learning Objectives
- Background on IT Governance and IT Investment Management
- Investment Management Lifecycle
- Emerging IT Investment Shift to Cloud
- Changing Roles and Responsibilities in the Cloud Era
- Risks and Control Objectives
- Audit and Assessment Techniques
- Questions

Slide 5: Learning Objectives
- Discuss the principles of IT investment management (ITIM)
- Share an audit strategy for evaluating the planning, funding, maintenance, and replacement of IT investments over their full economic lifecycle
- Compare in-house and cloud-hosted information services solutions, and discuss emerging investment considerations
- Describe emerging risks related to changing roles and responsibilities for in-house IT personnel

Slide 6: IT Governance
- IIA Standard 2110: Governance states that "the internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives."
- Many internal audit departments report that they have not yet performed an IT governance assessment

Slide 7: Why is it important?
- According to Protiviti's 2015 IT Priorities Survey, 60% of organizations are undergoing a major IT transformation
- For 54% of organizations, the duration of IT transformation is expected to be one year or longer
- Auditors need to understand how these changes influence the ongoing effectiveness of overall IT entity-level controls and IT process-level controls
Source: A Global Look at IT Audit Best Practices, ISACA and Protiviti,

Slide 8: The Bottom Line
Organizations with superior IT governance have 25% higher profits than those with poor IT governance, given the same strategic objectives.
Source: IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Peter Weill and Jeanne Ross,

Slide 9: IT Governance Overview
Source: ISACA Knowledge Center, COBIT Overview,

Slide 10: Connection Points

Slide 11: Typical Challenges in Creating Value Delivery
- Problems delivering technical capabilities
- Limited or no understanding of IT expenditures
- Business abdication of decision making to the IT function
- Communication gaps between the IT function and the business
- Questioning of the value of IT
- Major investment failure
Source: Enterprise Value: Governance of IT Investments, Getting Started With Value Management, IT Governance Institute, 2008.

Slide 12: Value Delivery = IT Investment Management
IT Investment Management helps to make sure that:
- IT is aligned with the business
- IT enables the business and maximizes benefits
- IT resources are used responsibly
- IT risks are managed appropriately

Slide 13: IT Investment Management Overview
IT-enabled investments will:
- Be managed as a portfolio of investments
- Include the full scope of activities required to achieve business value
- Be managed through their full economic life cycle
Value delivery practices will:
- Recognize there are different categories of investments that will be evaluated and managed differently
- Define and monitor key metrics and respond quickly to any changes or deviations
- Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits
- Be continually monitored, evaluated and improved
Source: ISACA, Val IT Overview,

Slide 14: IT Value Chain
- A number of operational processes work together to enable IT value delivery
- Understanding your organization's capabilities in these areas helps to pinpoint where to begin with your audit
Source: COBIT 5 Processes From a Systems Management Perspective, Myles Suer, Chane Cullens and Don Brancato, 2014.

Slide 15: Which of these risks apply in your organization?
- Inexperienced or unqualified IT staff
- Limited physical space for IT equipment
- Inadequate understanding of the process or function requiring an IT solution
- Limited capital for IT investment
- Undocumented IT portfolio
- Acquisition of solutions incompatible with the technical environment
- IT investments not aligned with organizational goals and objectives

Slide 16: Vendor Management Lifecycle
Source: ISACA, Vendor Management Using COBIT 5, Management-Using-COBIT5.aspx

Slide 17: Vendor Management Definitions

Vendor Management: The strategic process that is dedicated to management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized.
Source: ISACA, Vendor Management Using COBIT 5, Management-Using-COBIT5.aspx

Vendor Management Due Diligence: Third-party vendor due diligence is a process used to make an informed business decision concerning the selection of the appropriate vendor. Due diligence is the gathering and analysis of detailed information about possible vendors. As with all business decisions, there are some risks that cannot be eliminated but can be managed. The purpose of due diligence is to help choose the best third-party vendor relationship given the risks and abilities or services available, and then to negotiate, contract, implement, and monitor to mitigate any residual risks.
Source: Credit Union National Association, Third Party Vendor Management Guide, Due-Diligence-Task-Force/

Slide 18: Vendor Management Ownership
Establishing and managing vendor relations is not solely the responsibility of IT or the business process owners. The vendor management process involves many stakeholder functions within the enterprise, for example:
- The legal function validates contracts
- The compliance, legal and audit functions are consulted during the review of service agreements
- The enterprise risk function analyzes vendor-related risk
- The board approves budgets
- The procurement function ensures that vendor management activities are integrated into the overall selection and management process
Source: ISACA, Vendor Management Using COBIT 5, page 9, Management-Using-COBIT5.aspx

Slide 19: Emerging IT Investment Shift to Cloud
The term "moving to the cloud" refers to an organization moving away from a traditional capital expenditure model (buy dedicated hardware and depreciate it over a period of time) to an operating expense model (use a shared cloud infrastructure and pay as we use it). Cloud computing means that the computer hardware and software we use is provided for us as a service by another company and is accessed over the Internet, rather than sitting on our desktops or somewhere inside our network. Strong vendor due diligence practices are critical to protecting the organization's interests in this type of arrangement.

Slide 20: What is The Cloud?
Source:

Slide 21: Most Common Types of Cloud Solutions
Source:

Slide 22: Current Cloud Trend

Slide 23: Changing Roles and Responsibilities in the Cloud Era: It's Not You, It's Me
Source:

Slide 24: Translation to Cloud Responsibilities
Source:

Slide 25: Cloud Security: The Handshake
Shared Responsibility, by layer:
- Facilities
- Physical Infrastructure
- Network Infrastructure
- Virtualization Layer
- Operating System
- Application
- Data

Slide 26: Seven Best Practices for Cloud Security
Keep in mind, you are responsible for your data no matter where the lines of responsibility are drawn.
- Secure your code
- Develop strong access management policies & processes
- Strengthen your patch management process
- Adopt a consistent monitoring process
- Incorporate your security toolkit (anti-malware, IPS/IDS, encryption, etc.)
- Stay informed / be ready to react to new vulnerabilities
- Have a full understanding of your cloud provider's security model

Slide 27: The big picture at CHS
The lay of the land as we started our work:
- An IT Steering Committee was the governance group with responsibility for oversight of IT investments
- Large budget projects (greater than $1 million) required approval by the Board
- Significant oversight existed for large budget projects
- IS was able to account for 90%+ of systems and solutions in the portfolio
- The CIO announced a strategy to get out of the data center business and move most solutions to the Cloud
- Accounting for IT projects happened in IT, not Finance
- CHS had three capital project approval bodies for different types of activities
- IT capital spending was second only to new construction projects

Slide 28: Risks and Control Objectives

ITIM Step: Business Case Development
Risk: Business cases may not consider all significant information, resulting in budget overruns or approval of projects that do not meet the needs of the business
Control Objectives:
- Requirements for business case established (Needs Assessment)
- Alignment of investment with corporate strategy is defined
- Relevant financial analysis including hard & soft costs
- Request for proposals conducted
- Responsible personnel identified (owner, ongoing support, etc.)
- Review & approval by appropriate leadership obtained
Participants: Business Unit, Information Services, IT Committees

ITIM Step: Measurement of IT Investments
Risk: Issues impacting the successful delivery of IT solutions may go unrecognized or may not be addressed in a timely manner
Control Objectives:
- IT investment measurement criteria defined
- Leadership is monitoring & documenting: realization of business case; budget vs. actual costs (hard & soft costs); project timeline; overall operating costs
Participants: Business Unit, Information Services

ITIM Step: Portfolio Management
Risk: IS may not be able to present an accurate picture of the IT portfolio, potentially impacting leadership decision making about staffing, budget, etc.
Control Objectives:
- Requirements for portfolio management defined
- Comprehensive inventory of IT investments is maintained
- Investments are categorized according to strategic alignment
- Strategic planning for ongoing support & future investments exists
- Method for prioritization of investments exists
- Corporate leadership / Board oversight of IT value delivery is evident
Participants: Information Services, CHS Leadership

Slide 29: Testing Approach: Business Case Development
Risk: Business cases may not consider all significant information, resulting in budget overruns or approval of projects that do not meet the needs of the business
ITIM Step: Business Case Development
Control Objectives:
- Requirements for business case established (Needs Assessment)
- Alignment of investment with corporate strategy is defined
- Relevant financial analysis including hard & soft costs
- Request for proposals conducted
- Responsible personnel identified (owner, ongoing support, etc.)
- Review & approval by appropriate leadership obtained
Participants: Business Unit, Information Services, IT Committees
Testing Approach:
- Obtain access to the minutes from the prior 12 months of IT Steering Committee meetings
- Select a sample of Business Line Leaders who have presented projects for review
- Interview the Leaders to understand the process that they followed
- Review project documentation to determine if a needs assessment was conducted
- Interview IT personnel assigned to the project to understand the process that they followed
- Determine if regulatory and information security requirements were defined and addressed
- Interview the Business Line Leaders to understand the process that they followed to make the final selection
- Review project documentation to determine if the selection was reviewed and approved by authorized leaders or committees

Slide 30: What is a Needs Assessment?
- Method for defining the gap between the current situation and the desired future state
- Involves communication between the people who use an existing system that will be replaced (or a new system that will automate a manual process) and the people who will help find the system that best meets their needs
- Establishes a basis for evaluating competing products and vendors
- Provides a foundation for estimating the resources needed to achieve the desired future state

Slide 31: What is a Request for Proposal?
A request for proposal (RFP) is a document that an organization posts to elicit bids from potential vendors for a desired IT solution. The RFP specifies what the customer is looking for and establishes evaluation criteria for assessing proposals.
Generally includes:
- Background on the issuing organization and its lines of business
- A set of specifications that describe the sought-after solution (including regulatory constraints and information security requirements)
- Evaluation criteria that disclose how proposals will be graded
May also include a statement of work, which describes the tasks to be performed by the winning bidder and a timeline for providing deliverables.
Source: Posted by Margaret Rouse on WhatIs.com, Re-posted to

Slide 32: How is Vendor Analysis performed?
- Start with the decision makers: How do they digest the information provided by the vendors?
- See what was documented: What information did they use to make their decisions?
- Identify the focus of the exercise: Is the emphasis on who they are doing business with, or what they are planning to buy?
- Find out if they are leveraging in-house expertise: Is IT Security reviewing responses to security questions? Will the solution meet IT standards and architectural requirements? Has Compliance screened for conflict of interest?
- Determine what type of risk/control-related information has been provided: SSAE 16, SOC 2, or similar third-party audit report

Slide 33: Testing Approach: Measurement of IT Investments
Risk: Issues impacting the successful delivery of IT solutions may go unrecognized or may not be addressed in a timely manner
ITIM Step: Measurement of IT Investments
Control Objectives:
- IT investment measurement criteria defined
- Leadership is monitoring & documenting: realization of business case; budget vs. actual costs (hard & soft costs); project timeline; overall operating costs
Participants: Business Unit, Information Services
Testing Approach:
- Obtain documentation that provides guidance to project owners regarding expectations to measure IT investments through the lifecycle of the investment. The guidance should define the measurement criteria and tracking expectations.
- Review a sample of implemented projects to determine if IT investment measurements are being monitored and tracked throughout the lifecycle of an investment. Expected measurements include: realization of business case; budget vs. actual costs (hard & soft costs); project timeline; overall operating costs.

Slide 34: Testing Approach: Portfolio Management
Risk: IS may not be able to present an accurate picture of the IT portfolio, potentially impacting leadership decision making about staffing, budget, etc.
ITIM Step: Portfolio Management
Control Objectives:
- Requirements for portfolio management defined
- Comprehensive inventory of IT investments is maintained
- Investments are categorized according to strategic alignment
- Strategic planning for ongoing support & future investments exists
- Method for prioritization of investments exists
- Corporate leadership / Board oversight of IT value delivery is evident
Participants: Information Services, CHS Leadership
Testing Approach:
- Obtain documentation that provides guidance regarding expectations to measure IT investments as a portfolio of investments
- Obtain the list of IT investments to determine if a comprehensive inventory is being maintained
- Review a sample of implemented projects to determine if IT investments (future, present, and retired) are being measured by management. Expected measurements include:
  - Investments are meeting corporate strategic goals and target investment mix
  - Strategic planning includes ongoing support for current and future investments (resource planning)
  - Investments are prioritized based on corporate strategic goals and business readiness needs
  - Corporate leadership/board involvement is evident

Slide 35: Our Results
- Identified need for a comprehensive, documented process
  - All parties involved followed a process, but it differed from one project team to the next
  - None of the Business Line Leaders were familiar with the process
  - Documentation was inconsistent, project names shifted from start to finish, and IT personnel handed projects off from phase to phase
  - IT personnel did not assert subject matter leadership to guide Business Line Leaders to make selections inclusive of IT strategy as well as business strategy
- Found a loophole in a fundamental organizational policy
  - If responsibility for all IT vendor relationships and IT solution management resides with IT, make sure the policy states it explicitly

Slide 36: Common Results
- RFP process not consistently followed
- No due diligence for new solutions being sought from an existing vendor relationship
- One-time-only approach to due diligence, so that once the vendor is in the door they are never evaluated again
- IT personnel receive information from the vendor and check it off but don't actually review it
- Business leaders go outside the process to procure systems and services without input from IT
- IT projects are not aligned with company goals, so they fail to support the highest priority activities

Slide 37: How to Get Started
- Do decisions about IT investments happen outside of IT?
- Find out if your organization has an IT Steering Committee or similar governance function for project approval and funding

Slide 38: Is there a shift to the Cloud?
Talk with your IT organization to find out about the computing environment and what services/solutions are in use.
Note: Many organizations have a hard time accounting for all of their solutions.

Slide 39: Which situations are relevant?
- Preparing for a major system implementation or replacement?
- Experienced a lot of IT leadership turnover?
- Has the Board asked for information about how IT is performing?
- Is there aging equipment and limited funds to address the problem?
- Is responsibility for IT systems selection managed outside of IT?
- Have there been any failed implementations?

Slide 40: Choose an approach that can move the needle
- Incremental progress will help the organization improve its governance posture
- If the risk justifies a more expedited approach, consider bringing in outside help to get the work done

Slide 41: Questions?

Slide 42: Save the Date
August 27-30, th AHIA Annual Conference