AUDIT COMMITTEE FORUM TM




                      ACF Roundtable
                      IT Governance – what does it mean to you as an
                      audit committee member
                      July 2010




The AUDIT COMMITTEE FORUMTM is proudly sponsored by KPMG
Current State

There have been a number of high-profile instances where the
processes that govern the integrity of information technology
operations (IT governance) were not effective enough to guard
companies against serious financial loss.
Companies have damaged their operations and negatively
impacted revenue recognition, profit and reputation by
compromising the integrity or availability of their information as a
result of problems with IT system implementations.
Good corporate governance practice (and King III) outlines the role
that audit committees should play in improving IT governance.
In two recent surveys, 30% of respondents indicated that they
were not satisfied with the amount of time that audit committees
spend on oversight of IT risk, while only 9-11% were “very
satisfied”.

Current State (cont.)

Many organisations are struggling with:
• Poor alignment of IT resources against business goals
• Lack of demonstrable value from IT investments
• Business and / or technology change
• Dissatisfaction with the IT function and the level of service it provides
• The implementation of compliance legislation
• IT projects exceeding time and financial budgets
• IT risks and control responsibilities poorly defined

A definition of IT Governance

IT governance is a set of business processes that
impose management and control disciplines on IT
activities to help ensure the integrity and protection of
IT operations and the achievement of targeted business
goals.
It is primarily about achieving three things:
 • Getting the most value from IT, including moving
    towards strategic goals.
 • Ensuring that stakeholders and management
    understand key IT risks and manage them accordingly.
 • Establishing the conditions that allow IT management to
    operate effectively.
The Key Elements of IT Governance

[Diagram: Board Oversight and Responsibility sits across the top and
Governance Structures across the bottom. Business Needs and Expectations
feed in from the left and Outcomes come out on the right, via six
elements in sequence:]
• IT Strategy and Planning
• IT Governance Framework
• Risk Assessment
• IT Investment Analysis
• Build IT control framework
• IT Governance/Performance Tracking and Reporting
THE KING III PERSPECTIVE

[Diagram: the same key-elements model, annotated with the King III
principle that each element maps to:]
• Principle 1: Board Responsibility – Board Oversight and Responsibility
• Principle 2: Performance and Sustainability – Business Needs and Expectations, and Outcomes
• Principle 3: IT Governance Framework – IT Governance Framework
• Principle 4: IT Investments – IT Investment Analysis
• Principle 5: Risk Management – Risk Assessment
• Principle 6: Information Security – Build IT control framework
• Principle 7: Governance Structures – Governance Structures
QUESTIONS THE AUDIT COMMITTEE SHOULD ASK


IT Strategy and Planning




What is it and why is it important?
• The purpose of IT strategy – the business needs to understand its strategy and document its strategic int
• Strikes an optimum balance of information technology opportunities and IT business requirements
• Accomplishes organisational goals and objectives
• Critical to aligning business and IT objectives
• Ensures investments are made optimally
• Drives a “common language”
• Sets expectations
• Considers architecture, delivery and governance



Key Questions:
• Who was involved in developing the IT strategy and what was the process followed?
• Have you defined a sourcing strategy?




IT Governance Framework




What is it and why is it important?
• IT governance at its most basic is the process of making decisions about IT
• Good IT governance ensures that IT investments are optimised, aligned with business strategy and delivering value within acceptable risk boundaries, taking into account culture, organisational structure, maturity and strategy
• Articulates the roles of the various management and governance bodies across the business and in decision making
• Assigns clearly defined delegation for effective and efficient decision making and performance monitoring
• Encompasses a broad focus on overall IT capability
• Enhances strategic decision making capacity


Key Questions:
• Have roles and responsibilities been assigned across IT?
• Is a policy framework and related policies in place?
• Are we aligned to industry standards, and if so, which ones?



IT Investments




What is it and why is it important?
• Organisations must be able to measure business value, and also manage and communicate value delivery, in order to answer two questions: 1) Are we doing the right things? and 2) Are we getting the benefits?
• Define the relationship between IT and the business
• Manage the portfolio of IT-enabled business investments
• Maximise the quality of business cases for IT-enabled investments
• Articulate IT investment decision rights to ensure that investments deliver the maximum business value at an acceptable level of risk


Key Questions:
• Do we have a formal project management methodology / processes?
• Do we perform a business case prior to significant spend?
• Do we identify the targeted benefits and track these through the life of the project?



IT Risk Assessment




What is it and why is it important?
• IT risks can range from accidental damage caused by employees with inadequate training to deliberate attempts by outsiders to illegally access data that your business holds
• A risk assessment helps identify those risks and forms the basis for risk mitigation plans
• Risk areas for consideration – Business Focus, Information Assets, Dependence on IT, Dependence on IT internal staff, Dependence on third parties, Reliability of IT systems, Changes to IT, Legislative and regulatory environment
• Recognise the risks associated with using IT in a business environment




Key Questions:
• How often do we perform IT risk assessments?
• Are the necessary resources made available within the business and within the Internal Audit department to conduct IT audits?
• What are the key risks in our IT environment?




IT Control Framework




What is it and why is it important?
• IT controls are specific activities performed by people or systems designed to ensure that business objectives are met
• A subset of an enterprise's internal control which relates to the confidentiality, integrity and availability of data and the overall management of the IT function
• A set of fundamental controls that must be in place to prevent information loss in an organisation
• Control areas for consideration – Management of IT, Continuity of systems (Disaster recovery), Systems development, Change control, Security of information and systems, Physical and logical access controls, Control assurance




Key Questions:
• Have we identified our key IT controls?
• Do we monitor (and benchmark) these on an ongoing basis?




Performance Tracking and Reporting




What is it and why is it important?
• It is critical to measure the outcomes of strategic initiatives
• Keep the focus on ongoing control
• Effectively manage the IT function
• Provide transparent reporting to the business on IT performance
• Performance reporting should focus not only on financial outcomes but also on the operational, marketing, risk and developmental inputs to the business




Key Questions:
• Have we defined KPIs and CSFs for IT?
• Are these monitored, reported, and followed up on?




Summary of key questions

IT Strategy and Planning:
• Who was involved in developing the IT strategy and what was the process followed?
• Have you defined a sourcing strategy?

IT Governance Framework:
• Have roles and responsibilities been assigned across IT?
• Is a policy framework and related policies in place?
• Are we aligned to industry standards, and if so, which ones?

IT Investments:
• Do we perform a business case prior to significant spend?
• Do we identify the targeted benefits and track these through the life of the project?

IT Risk Assessment:
• How often do we perform IT risk assessments?
• What are the key risks in our IT environment?

IT Control Framework:
• Have we identified our key IT controls?
• Do we monitor (and benchmark) these on an ongoing basis?

Performance Tracking and Reporting:
• Have we defined KPIs and CSFs for IT?
• Are these monitored, reported, and followed up on?


King III specific responsibilities

The audit committee should consider IT as it relates to financial reporting
and the going concern of the company
 • What are the key systems responsible for the generation and processing of
   financial reporting data?
 • How reliant are we on our systems? (how long could we survive without
   them?)
 • Do we have Disaster Recovery and Business Continuity Plans?
 • Have we tested these?
 • Is our information security sufficient for the business?
The audit committee should consider the use of technology to improve
audit coverage and efficiency
 • Has our (internal or outsourced) Internal Audit function identified key
   application controls to test?
 • Do we test the general controls related to those key applications?
 • What internal auditing tools do we utilise (e.g. CAATs, Continuous Auditing)?
Presenter’s contact details:

Johannesburg
Frank Rizzo, KPMG
(011) 647 7388
frank.rizzo@kpmg.co.za
www.kpmg.com

Cape Town
Patrick Ryan, KPMG
(021) 408 7374
patrick.ryan@kpmg.co.za
www.kpmg.com

Durban
Eugene Pfister, KPMG
(011) 647 7918
eugene.pfister@kpmg.co.za
www.kpmg.com




             QUESTIONS?


