Does Assurance Add Value? (We Don't Know What We Don't Know Until We Know It) John Mitchell PhD, MBA, CEng, CITP, FBCS, CFIIA, CISA, CGEIT, QiCA, CFE


Slide 1: Does Assurance Add Value? (We Don't Know What We Don't Know Until We Know It)
John Mitchell PhD, MBA, CEng, CITP, FBCS, CFIIA, CISA, CGEIT, QiCA, CFE
LHS Business Control, 47 Grangewood, Potters Bar, Herts EN6 1SL, England
Tel: +44 (0)7774 145638, john@lhscontrol.com, www.lhscontrol.com

Slide 2: How Your IT Service Is (hopefully) Seen By Others

Slide 3: The Reality

Slide 4: Stakeholder Needs and Expectations
Diagram with the Head of Assurance Services at the centre, surrounded by the stakeholders and what each expects.
Stakeholders: Audit Committee, Local management, Chief Executive, External Assessors, Business Directors.
Expectations: Assurance, Practical solutions, Value-driven, Meeting all requirements, Quality processes, Real Benefits.

Slide 5: What Management Want
- Assurance
- Conformance
- Performance

Slide 6: Impact of Control on Income (Normal Operation)
Chart (not transcribed): Cost and Revenue plotted against Time, with Profit as the band between them. The cost line is made up of the Cost of Normal Business Activities plus the Cost of the Control System (Cost of Control).

Slide 7: Impact of Control Failure on Income (With Recovery)
Chart (not transcribed): the same Cost, Revenue and Profit lines against Time. A Control Failure opens an Exposure Window made up of DT (Detection Time) followed by FT (Fix Time); MT is the Max Time the business can tolerate. Profit is lost during the exposure window, then returns to its previous level once the fix is in place (Recovery Time). Lost Profit is the area between the normal and actual profit lines over the window.

Slide 8: Impact of Control Failure on Income (Without Recovery)
Chart (not transcribed): as slide 7, with DT (Detection Time), FT (Fix Time) and MT (Max Time) marked on the Time axis. Here the Exposure Window (DT + FT) runs past MT, so profit never returns to its previous level and the Lost Profit keeps accumulating.
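The three charts on slides 6 to 8 can be reduced to a small model, which is easier to reason about than the pictures. The following is an added illustration, not part of the deck: the money amounts, times and failure probability are assumed values, and the model's rule that revenue stops while costs keep running during the exposure window is an assumption chosen to reproduce the charts' "Lost Profit" area. It also goes one step further than the slides by comparing the cost of a control against the expected loss it prevents, which is the question the title of the deck asks.

```python
"""Exposure-window model for the 'Impact of Control Failure on Income' charts.

Constructed illustration with assumed figures; not taken from the slides.
Model assumption: during the exposure window (DT + FT) revenue is zero while
the normal business costs and the control costs continue. If DT + FT exceeds
MT (the maximum survivable outage) the business never recovers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Business:
    revenue_per_day: float        # the 'Revenue' line on the chart
    business_cost_per_day: float  # 'Cost of Normal Business Activities'
    control_cost_per_day: float   # 'Cost of the Control System'

    @property
    def profit_per_day(self) -> float:
        return (self.revenue_per_day
                - self.business_cost_per_day
                - self.control_cost_per_day)


def daily_profit(biz: Business, horizon_days: int, failure_day=None,
                 dt: int = 0, ft: int = 0, mt: int = 0) -> list:
    """Per-day profit series over the horizon.

    With no failure this is the flat 'Normal Operation' chart (slide 6).
    A failure at `failure_day` opens an exposure window of dt + ft days;
    the series recovers afterwards only if the window is within mt
    (slide 7), otherwise the loss continues to the end (slide 8).
    """
    window = dt + ft
    recovers = window <= mt
    costs = biz.business_cost_per_day + biz.control_cost_per_day
    series = []
    for day in range(horizon_days):
        if failure_day is None or day < failure_day:
            series.append(biz.profit_per_day)
        elif day < failure_day + window or not recovers:
            series.append(-costs)  # no revenue, costs keep running
        else:
            series.append(biz.profit_per_day)  # fixed and recovered
    return series


def lost_profit(biz: Business, horizon_days: int, failure_day: int,
                dt: int, ft: int, mt: int) -> float:
    """The 'Lost Profit' area: baseline profit minus profit with the failure."""
    baseline = sum(daily_profit(biz, horizon_days))
    actual = sum(daily_profit(biz, horizon_days, failure_day, dt, ft, mt))
    return baseline - actual


def expected_cost(biz: Business, horizon_days: int, failure_day: int,
                  dt: int, ft: int, mt: int, failure_probability: float) -> float:
    """What the control scenario costs over the horizon.

    Cost of running the control system plus the probability-weighted lost
    profit. A control 'adds value' when its expected cost is lower than
    that of operating without it.
    """
    running_cost = biz.control_cost_per_day * horizon_days
    return running_cost + failure_probability * lost_profit(
        biz, horizon_days, failure_day, dt, ft, mt)


# Assumed scenario: one business with and without a control that shortens
# detection time. 30-day horizon, failure on day 10, max tolerable outage 10 days.
HORIZON, FAILURE_DAY, MT = 30, 10, 10
WITH_CONTROL = Business(revenue_per_day=1000, business_cost_per_day=600,
                        control_cost_per_day=100)
WITHOUT_CONTROL = Business(revenue_per_day=1000, business_cost_per_day=600,
                           control_cost_per_day=0)


def compare(failure_probability: float = 0.3) -> dict:
    """Expected cost of each scenario; the control detects in 2 days and the
    fix takes 3, without it detection takes 15 days and the window passes MT."""
    return {
        "with_control": expected_cost(WITH_CONTROL, HORIZON, FAILURE_DAY,
                                      dt=2, ft=3, mt=MT,
                                      failure_probability=failure_probability),
        "without_control": expected_cost(WITHOUT_CONTROL, HORIZON, FAILURE_DAY,
                                         dt=15, ft=3, mt=MT,
                                         failure_probability=failure_probability),
    }


if __name__ == "__main__":
    print("lost profit, recovered  :", lost_profit(WITH_CONTROL, HORIZON, FAILURE_DAY, 2, 3, MT))
    print("lost profit, no recovery:", lost_profit(WITHOUT_CONTROL, HORIZON, FAILURE_DAY, 15, 3, MT))
    print(compare())
```

In this constructed scenario the control costs 3000 to run over the horizon but cuts the expected loss from 6000 to 1500, so the controlled scenario is cheaper overall; change the failure probability or the detection time and the answer flips, which is the point of the charts: the value of assurance depends on how far it shortens the exposure window relative to MT, not on the visible cost of the control alone.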

Slide 9: Financial Impact On Brand
- Maria Sharapova loses 100 million in sponsorship
- Npower fined £26m because of customer service failures
- Cost of emission cheating likely to top 45 billion
- Scottish Power fined £18m because of customer service failures

Slide 10: The Main IT Areas
- Planning & organisation of IT/IS
- Acquisition & implementation of business solutions
- Service delivery
- Performance monitoring

Slide 11: Simple IT Infrastructure
Layered diagram: Policies, Standards and Procedures governing People, Facilities, Hardware, Base Software (Operating System & DBMS), Application Software and Data, with Finance alongside. EUC (End User Computing) sits outside the managed stack and is labelled "Bandit Country".

Slide 12: Extended Infrastructure
Diagram of the path from the Customer through the Internet, Router, Outer Firewall, Web server, Middleware, Inner Firewall and SQL database to the Back-end legacy system, with Social Networking, Cloud Computing, Credit Check & Banking, BYOD and Wearability connected from outside.

Slide 13: IT Governance & Relationships
IT GOVERNANCE (Evaluate, Direct & Monitor): Governance framework, Benefits delivery, Risk optimisation, Resource optimisation, Stakeholder transparency.
Align, Plan & Organise: Manage the IT management framework; Manage strategy; Manage enterprise architecture; Manage innovation; Manage portfolio; Manage budget & costs; Manage human resources; Manage relationships; Manage service agreements; Manage suppliers; Manage quality; Manage risk; Manage security.
Acquire & Implement: Manage programmes & projects; Manage requirements definition; Manage solutions identification & build; Manage availability & capacity; Manage organisational change; Manage changes; Manage change acceptance & transitioning; Manage knowledge; Manage assets; Manage configuration.
Delivery & Support: Manage operations; Manage service requests & incidents; Manage problems; Manage continuity; Manage security services; Manage business process controls.
Monitor & Evaluate: Monitor & evaluate performance; Monitor & evaluate internal control; Monitor external compliance.

Slide 14: Assurance Frameworks
Diagram placing frameworks by SCOPE OF COVERAGE, from the WHAT (governance and risk) to the HOW (operational practice): COSO, ISO 22301, ISO 38500, CMM & ISO 15504, ISO 31000, ISO 27001, ISO 25010, ISO/IEC 20000, ISO 8000, ITIL, ISO 9000.

Slide 15: CMM & ISO 15504 Levels

Level  CMM                     ISO 15504
5      Optimised               Optimised
4      Managed and Measurable  Predictable
3      Defined                 Established
2      Repeatable              Managed
1      Ad Hoc                  Performed
0      Non existent            Incomplete

Slide 16: IT Assurance Roadmap
PREPARE STRATEGIC PLAN: Process maturity assessment; Risk identification; Gap analysis between CobiT processes & inherent risks; Gap analysis between process maturity & residual risks; Prepare strategic plan; Select processes for assurance.
PREPARE TACTICAL PLAN: Understand process operation; Identify value drivers; Identify risk drivers; Select control objectives; Select control practices; Identify process owners.
PREPARE ASSURANCE PLAN: Interview process owners; Select control tests; Prepare assurance documentation.
TEST FOR ASSURANCE: Test control design; Test control effectiveness; Document impact of control weakness.
REPORT OPINION: Prepare draft report; Obtain agreement & commitment; Issue final report.

Slide 17: Performance v Conformance
Diagram: Business requirements drive the information delivered by IT Processes, which are
- controlled by Control Objectives
- measured by Key Performance Indicators against Activity Goals (for performance), Key Goal Indicators (for outcome) and Maturity Models (for maturity)
- made effective and efficient with Control Practices
- audited by Assurance Guidelines (for conformance)

Slide 18: Technology Developments (1970s to Present)
Single batch program; Batch multi-tasking; On-line retrieval; Real-time update; Stand alone PCs; Networking; File servers & distributed processing; Internet, Intranet & Extranet; Palm devices; Phone devices; BYOD; RFID; Cloud computing; 3D printing; AI; Robotics.
Impact on the Assurance paradigm

Slide 19: Some Closing Thoughts
"The test of police efficiency is the absence of crime and disorder, not the visible evidence of police action in dealing with it." Sir Robert Peel, 1829
"The test of assurance effectiveness is the absence of adverse regulatory or public comment on the enterprise's operations, not the visible evidence of auditor action in dealing with it." Dr John Mitchell, 2016

Slide 20: Questions?
John Mitchell PhD, MBA, CEng, CITP, FBCS, CFIIA, CISA, CGEIT, QiCA, CFE
LHS Business Control, 47 Grangewood, Potters Bar, Hertfordshire EN6 1SL, England
Tel: +44 (0)7774 145638, john@lhscontrol.com, www.lhscontrol.com