Building Acceptance and Adoption of COBIT at Sun Microsystems 

Does This Sound Familiar?

An IT organization is under increasing pressure from the board’s audit committee to demonstrate, in a quantifiable way, that it is working on the right things in the right way, the work is being done well and it is adding value to the company.

The IT organization is evaluating its internal control framework because of the US Sarbanes-Oxley Act of 2002 and an increasing awareness of the value of a broad internal control framework.

The IT organization is asked to identify core vs. noncore activities as outsourcing is more seriously explored as an option to focus on core competencies and reduce costs.

The IT organization’s internal structure needs to be reevaluated for alignment to ensure that all areas are covered without unwanted redundancy.

These were the issues facing Sun’s information technology (Sun IT) as 2004 began. Some people saw the value of using a common framework to view and measure Sun IT’s alignment and contribution to Sun’s overall business strategy. In fact, a few months earlier, the chief information officer (CIO) had said that the organization would use Control Objectives for Information and related Technology (COBIT) as the framework. But Sun’s culture is built on innovation, and great value is perceived in contrarian thinking that stretches the limits of the imagination.

This would mean that, while the CIO had approved the use of COBIT, actual implementation of the change would require an approach that builds acceptance and adoption of the various elements of COBIT while taking into account the great process improvement work already being done in a significantly resource-constrained environment. While doing this, the organization also expected to begin its Sarbanes-Oxley reporting in June 2004, the end of its fiscal year. Sun’s finance department was driving the Sarbanes-Oxley compliance effort, and IT became actively involved in October 2003. As with most organizations, significant resources were being spent on the Sarbanes-Oxley compliance effort and that effort continued even after learning that the first official reporting requirement had been pushed out to fiscal year 2005.

The following questions needed to be answered:

  • How could we leverage the new awareness of the need for adequate internal controls among IT people gained through the Sarbanes-Oxley compliance effort?
  • How could it be demonstrated that a common framework, such as COBIT, complements rather than displaces existing process improvement methods?
  • How could we identify and evaluate core vs. noncore IT activities?
  • How could we ensure alignment of the organization’s internal IT organizational charters?

Background

Since its inception in 1982, a singular vision—“The Network Is the Computer”—has propelled Sun Microsystems to its position as a leading provider of industrial-strength hardware, software and services that make the Internet work. Sun’s 30,000-plus employees can be found in 100 countries around the world.

Sun IT’s global scope and scale include supporting the Sun community with 600 applications, six data centers, 1,700 data center servers, 600 terabytes of data, 4 million internal web pages and 5 million e-mails per day. Figure 1 shows the current organizational structure of Sun IT. Reading from left to right, it follows the flow one would expect to see. It starts with the strategy, architecture and technological direction. From there, system development, integration and deployment are organized closely around the type of business systems being dealt with, such as demand creation systems or engineering and fulfillment systems. The IT service management group is focused on defining processes, standards and tools that bridge the development and the service delivery worlds. Application support and operations focus on service support and delivery. The governance organization focuses on budget and monitoring activities.

Initially, IT executive support for using COBIT was limited. The CIO and the vice president for IT governance were championing the idea, but there was resistance from most of the other executives and for good reasons.

First, the organization had not done a good job at helping them understand what COBIT is and, more specifically, how it could add value.

Second, only 18 to 24 months earlier, the Sun IT organization was significantly transformed, moving from a distributed approach with an IT group for each business unit to one unified Sun IT for one Sun. This facilitated the creation and institutionalization of common standardized processes. Sun embraced Sigma, the IT Infrastructure Library (ITIL) and other process improvement methods. Some questions asked were, “If the organization already knows what it needs to work on, and it follows industry best practices as it makes improvements, what does COBIT give it that it does not already have? Does COBIT replace ITIL?” Finally, even those who were open-minded about using COBIT expressed concerns about the potential resource impact. Resources were already stretched thin, and the organization knew additional resources would not be available. Would the organization have the necessary resources to implement COBIT in addition to everything else it was doing?

At the same time the executives were weighing their personal support for COBIT, the organization had begun intensive preparation for Sarbanes-Oxley compliance with the finance group driving the effort. As mentioned, at that time the expected requirement for the initial Sarbanes-Oxley section 404 compliance was June 2004.

The IT internal control framework was developed before the organization had a good understanding of COBIT in general and how COBIT applies to Sun IT specifically. At present, there are only controls related to financial reporting in the formal IT internal control framework, but the organization sees it expanding beyond that, as acceptance and adoption of COBIT continue to grow. The organization’s general controls cover 22 processes with 194 controls. When those 194 controls are localized, the number grows to 1,114. The application controls cover approximately 125 applications with seven general categories of controls. Those categories are:

  • Data security classification
  • System-granted access control
  • Role-based segregation of duties
  • Event-driven authorizations
  • Data validation
  • Interfaces
  • Batch processing

Sun’s Sarbanes-Oxley compliance effort put this initial compliance framework in place and has been instrumental in introducing the concept of internal controls to a broad IT audience.

Adoption and Acceptance Influencers

At the same time this was going on, the decision was made to look at IT activities that might be candidates for potential outsourcing. This was a great opportunity to reintroduce COBIT to the IT executives. Very quickly they saw the value of having a common framework that generically described what IT-related work is done in an organization. They decided to take an end-to-end look at the Sun IT processes and activities using the COBIT management guidelines and control objectives to ensure coverage of all processes. The most senior IT executives did this themselves, and the result was called the Sun IT/COBIT Activities Listing, which maps Sun IT processes and activities to COBIT. Figure 2 is an example from this mapping, showing the Monitor and Evaluate domain of COBIT.

This mapping proved invaluable when a cross-organizational team was asked to review the alignment of the internal IT organizations. Here again the organization took the opportunity to introduce COBIT to this team and help the team members understand COBIT’s value. With that understanding in place, the decision to use the mapping prepared by the senior IT executives was, as they say, a “no brainer.” The Sun IT/COBIT activities were mapped to existing organizational activities, and redundancies, gaps and joint activities were called out. Finally, organizational owners were added to the Sun IT/COBIT activities listing, and their work was validated with the IT executives. Figure 3 provides a high-level view of the revised listing for the Plan and Organize domain with the organization owners identified. The abbreviated organization names relate to the organizations shown in Figure 1.

Figure 2—Extract from Activities Listing
Domain: Monitor and Evaluate (M)

#     Sun IT Process/Activity Name: Activity Description

M1    Monitor the process
  1.1   Operational dashboard (executive Sun IT dashboard): The definition of the executive-level Sun IT dashboards, used to measure and manage the complete set of services that are delivered by Sun IT to the company.
  1.2   Customer metrics/survey: Defining the complete set of customer metrics required by Sun IT to assess performance and customer satisfaction. This includes definition of surveys, analyzing the data and working with the customers of Sun IT to identify areas for improvement. See COBIT Control Objectives, page 127, for details. This maps to SBS PLC’s sustain phase.
  1.3   Collect monitoring data: Actual collection of data for overall Sun IT metrics, including internal and external benchmarks, at regular intervals. See COBIT Control Objectives, page 127, for details. Maps to SBS PLC’s sustain phase.

M2    Assess internal control adequacy: Ensure the internal controls in place, including those for SOX, meet the needs of the business. Includes timely operation of internal controls and error correction, and regular reporting to function or BU management. See COBIT Control Objectives, page 129, for details. Maps to SBS PLC’s sustain phase.

M3    Obtain independent assurance: Obtain independent assurance of security and internal control, evaluation of effectiveness, and assurance of compliance with laws and regulatory requirements and contractual commitments. It applies to internally provided IT services and third-party service providers, both prior to implementing/using critical new IT services and recertification/reaccreditation on a routine cycle after implementation. See COBIT Control Objectives, page 131, for details. It maps to SBS PLC’s plan customer acceptance and sustain phases.

M4    Provide for independent audit: Ensure regular and independent audit of the effectiveness, efficiency and economy of security and internal control procedures, and management’s ability to control IT function activities. It includes the establishment of the audit charter, ensuring independence and adherence to professional ethics and auditing standards, and assuring technical competence and appropriate supervision of auditors. See COBIT Control Objectives, page 133, for details. It maps to SBS PLC’s sustain phase.

Note: SBS PLC stands for Sun Business Systems Product Life Cycle, Sun’s implementation of a system development life cycle (SDLC).


Figure 3—High-level Mapping With Organizational Owners
COBIT Domain: Plan and Organize (PO)
The Plan and Organize domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organization, as well as technology infrastructure, must be put in place.

#    Sun IT Process Name: Owner(s)/Breakdown

1    Define a strategic IT plan: ITSTAR

2    Define the business systems and information architecture: ITSTAR

3    Determine technological architecture and direction:
       CTO—Determine technological direction
       ITSTAR—Determine technological architecture

4    Define the IT organization and relationships:
       ITGOV—Overall and customer briefings
       IMB/EMG—IT business account managers (CEM)
       ITSTAR—Sun on Sun program management and reference architecture creation management

5    Manage the IT investment: ITGOV

6    Communicate management aims and direction: ITGOV—Communication and policy creation and policy management

7    Manage human resources:
       All Org Mgrs—Manage Sun-badged human resources
       ITSM—Resource management (framework)
       ITGOV—Strategic planning of human resources

8    Ensure compliance with external requirements: ITGOV

9    Assess risks:
       ITGOV—Overall and integrated process risk framework and assess portfolio risks
       ITSTAR—Assess architectural risks and assess security risks
       ITSM—Assess process risks and assess program risks
       CTO—Assess risks in technical direction

10   Manage projects: ITSM—Project management framework and acquisition integration

11   Manage quality:
       ITSM—Develop/maintain standards and SunSigma process consulting (blackbelts, etc.) and develop/maintain plans
       ITGOV—SunSigma program ownership for IT and develop/maintain metrics


Having this mapping done by the organization’s IT executives and senior management has proven very helpful in building acceptance and adoption of COBIT, but this did not eliminate concerns about resource constraints and the impact on ongoing process improvement efforts. The organization decided to first look at how the initial Sarbanes-Oxley-spawned internal controls framework could be expanded to include controls not related to financial reporting. This had to be done in a way that took into account the resource constraints and the experience gained through the Sarbanes-Oxley compliance effort. The Sigma methodology was used to ensure that the views of the control assessment process participants and, in particular, the key stakeholders were taken into account. The result is an IT compliance framework that has two components: a formal internal control framework for Sarbanes-Oxley and selected other controls, and a less formal component based in part on COBIT process maturity model assessments. Figure 4 shows the end-to-end elements of the process.

The element titled “establish scope of IT compliance framework” is the part of the process where the organization moved beyond simply meeting Sarbanes-Oxley objectives to embracing COBIT more fully. The steps identified in this subprocess are:

  1. Map Sun IT processes to the COBIT framework.
  2. Map Sarbanes-Oxley controls to Sun IT processes and identify gaps.
  3. Assess Sun IT process maturity using COBIT.
  4. Assess risks associated with gaps.
  5. Assess costs and ease to implement controls that bridge gaps.
  6. Assess business benefit of enforcing the controls.
  7. Prioritize work (based on previous steps).
  8. Obtain management decision on inclusion in formal internal control framework.

The assessments (steps 3 through 6) automatically become part of the IT compliance framework. Steps 7 and 8 are there to determine if any of the processes warrant a promotion to the formal component of the framework. If a process is made part of the formal controls framework, it is subject to all the formal documentation and testing requirements the same as any controls related to financial reporting. Figure 5 is an example of the organization’s compliance framework process assessment worksheet. It is meant to be used in a 90-minute facilitated session with process experts and the IT executive who owns the process to give them a high-level, subjective (but expert) assessment of the process.

Figure 5—Example Assessment Worksheet
Compliance Framework Process Assessment Workshop

Process Name: PO1 Define a strategic IT plan
Process/Activity Description: Defining a strategic IT plan satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements as well as ensure its further accomplishment. This activity is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans, which are periodically translated into operational plans setting clear and concrete short-term goals. Components of the IT strategy include the IT operational model, the applications development model, the enterprise architecture and all of its components, the sourcing strategy, the governance model and the service delivery model. See COBIT Control Objectives, page 32, for details.

1. Maturity assessment (see page 25 of the COBIT Management Guidelines).
   Record “as is” and “must be” states (between 0.00 and 5.00).
   Scale: 0 Nonexistent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
   AS IS = 2.5
   MUST BE = 2.75

2. Assess key risks associated with not closing the gap. (Take no more than 15 minutes to complete this section.)
   Number  Key Risk Description  Severity (1-5)  Probability (1-5)  Detectability (1-5)  Total (SxPxD)
   1       First Risk            2               1                  3                    6
   2       Second Risk           2               2                  2                    8
   Etc.    Third Risk            1               1                  2                    2
   Totals converted to score between 0 and 10: 1.28

3. Estimate the cost to mitigate the key risks in #2 above on a scale of 0 to 10.
   Consider such things as head count, system hardware and software for process and improvements.
   $ Equivalent: $0 (rating 0), $125K (rating 5), >$250K (rating 10)
   Rating = 1

4. Estimate the ease to implement the mitigation of the key risks in #2 above on a scale of 0 to 10.
   Consider such things as availability of resources, scope and duration of work.
   Scale: Easily Doable (rating 0), Moderately Difficult (rating 5), Very Difficult (rating 10)
   Rating = 1

5. Estimate the business benefit of improving the key controls associated with the key risks in #2 above on a scale of 0 to 10.
   Consider the likely impact on one or more of our five company priorities.
   Impact: None (rating 0), Moderate (rating 5), High (rating 10)
   Rating = 9

6. Estimate the completeness and quality of current process documentation on a scale of 0 to 10.
   Are all components of the process documented? Could those unfamiliar with the process understand the flow?
   Quality: Poor (rating 0), Moderate (rating 5), High (rating 10)
   Rating = 2
   Process documentation location (i.e., URL):

7. Describe the measures used to determine process performance and goal achievement.
   Performance Indicators:
   Goal Indicators:

Estimated annual overhead* for adding a single process to the formal internal controls framework: 2 work months
(*Overhead includes such things as the cost of documenting the IT process to the standard required by the internal control assessment process, periodically testing and retesting the control for effectiveness, annual sign-off and the program management overhead.)

The elements in the assessment worksheet are based on feedback from senior IT managers and reflect the key data they felt were needed to make an informed decision on inclusion of a process in the formal controls framework. Additionally, a summary is needed to present multiple process assessment results. Figure 6 is an example of the compliance framework process assessment summary. It includes maturity model assessment results in a radar-style chart. The cost element on the four-quadrant chart is a composite of the “cost” and “ease to implement” components of the assessment worksheet.
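The worksheet above can be encoded so that the same scoring is applied consistently across every process assessed in the 90-minute sessions. The following Python is an added example, not part of the original article or of Sun IT’s tooling. It assumes that the “totals converted to score between 0 and 10” line divides the summed S×P×D totals by the single-risk ceiling of 125 (5×5×5) and multiplies by 10, which reproduces the worksheet’s 1.28 from 6 + 8 + 2 = 16; that assumption, and the capping of the result at 10 when several high risks would push it past the ceiling, are the example’s own choices, not stated on the page.

```python
from dataclasses import dataclass, field
from math import floor
from typing import Dict, List

# COBIT maturity scale as printed in section 1 of the worksheet.
MATURITY_LEVELS = {
    0: "Nonexistent", 1: "Initial", 2: "Repeatable",
    3: "Defined", 4: "Managed", 5: "Optimized",
}

# Assumption: the 0-10 conversion uses the single-risk ceiling 5 x 5 x 5.
SINGLE_RISK_CEILING = 125


@dataclass
class Risk:
    """One row of the section 2 risk table (all three ratings are 1-5)."""
    description: str
    severity: int
    probability: int
    detectability: int

    def total(self) -> int:
        for name, value in (("severity", self.severity),
                            ("probability", self.probability),
                            ("detectability", self.detectability)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")
        return self.severity * self.probability * self.detectability


def risk_score(risks: List[Risk]) -> float:
    """Sum the S x P x D totals and convert to a 0-10 score.

    Assumption (not stated on the page): score = total / 125 * 10,
    capped at 10. With totals 6, 8 and 2 this yields the worksheet's 1.28.
    """
    total = sum(r.total() for r in risks)
    return round(min(total / SINGLE_RISK_CEILING * 10, 10.0), 2)


def maturity_label(value: float) -> str:
    """Map an 'as is' or 'must be' value (0.00-5.00) to its COBIT level name."""
    if not 0 <= value <= 5:
        raise ValueError("maturity must be between 0.00 and 5.00")
    return MATURITY_LEVELS[min(floor(value), 5)]


def maturity_gap(as_is: float, must_be: float) -> float:
    """Distance between the recorded 'as is' and 'must be' states."""
    maturity_label(as_is)   # validates range
    maturity_label(must_be)
    return round(must_be - as_is, 2)


def _rating(value: int, name: str) -> int:
    """Sections 3-6 are all recorded on a 0-10 scale."""
    if not 0 <= value <= 10:
        raise ValueError(f"{name} rating must be between 0 and 10, got {value}")
    return value


@dataclass
class ProcessAssessment:
    """One completed worksheet for a single COBIT-mapped process."""
    process: str
    as_is: float
    must_be: float
    risks: List[Risk] = field(default_factory=list)
    cost_rating: int = 0            # section 3
    ease_rating: int = 0            # section 4
    benefit_rating: int = 0         # section 5
    documentation_rating: int = 0   # section 6

    def summary(self) -> Dict[str, object]:
        """The figures a manager needs for the step 8 inclusion decision."""
        return {
            "process": self.process,
            "as_is": maturity_label(self.as_is),
            "must_be": maturity_label(self.must_be),
            "maturity_gap": maturity_gap(self.as_is, self.must_be),
            "risk_score": risk_score(self.risks),
            "cost": _rating(self.cost_rating, "cost"),
            "ease": _rating(self.ease_rating, "ease"),
            "benefit": _rating(self.benefit_rating, "benefit"),
            "documentation": _rating(self.documentation_rating, "documentation"),
        }


# Constructed from the Figure 5 example values (PO1 Define a strategic IT plan).
PO1_EXAMPLE = ProcessAssessment(
    process="PO1 Define a strategic IT plan",
    as_is=2.5, must_be=2.75,
    risks=[Risk("First Risk", 2, 1, 3),
           Risk("Second Risk", 2, 2, 2),
           Risk("Third Risk", 1, 1, 2)],
    cost_rating=1, ease_rating=1, benefit_rating=9, documentation_rating=2,
)

if __name__ == "__main__":
    for key, value in PO1_EXAMPLE.summary().items():
        print(f"{key:>14}: {value}")
```

The ratings validation matters more than it looks: the worksheet’s 15-minute time box for the risk section invites rushed entries, and a severity of 0 or a detectability of 7 silently distorts the product and the 0-10 conversion that feeds the four-quadrant summary.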

Building Momentum

With acceptance growing, the organization set out to build on that momentum with a three-pronged approach:

  • Getting the word out in a meaningful way. The organization is linking COBIT presentations to specific events, whenever possible, to increase the relevance of the information and participate in presentations to targeted audiences with material customized to their specific interests.
  • Demonstrating linkage between COBIT and process refinement methodologies that the organization has adopted:
    • For example, the organization has an internal product called Helios that is part service catalog and part configuration management database. Its development was influenced by the ITIL service level management and configuration management processes. It shows graphically that the COBIT Deliver and Support domain provides the generic “what is to be done” with suggested measures, ITIL provides the generic “how it should be done,” and the Helios product provides the specific implementation.
    • Another way the organization shows the linkage is overlaying its major process/activity names on a one-page representation of the COBIT framework. This has proven to be a powerful way to help people quickly see how COBIT is more inclusive and serves a different purpose than process improvement methods. Figure 7 is an example of this representation.
  • Finally, the organization is consulting with process owners to map their efforts to COBIT so that a common language is used across processes. For example, the organization helps those working on enterprise architecture, portfolio management and strategic planning fit their work into the common framework and language.

What Is Next?

Moving forward, Sun will continue with these momentum-building activities. The organization expects that conducting the compliance framework process assessments will extend the acceptance and adoption of COBIT by exposing all process owners to COBIT in a meaningful setting. The assessment will allow them to see the value of adopting elements of COBIT whether or not their process is added to the formal controls framework.

Building acceptance and adoption of COBIT at Sun Microsystems has been possible because senior IT management was open-minded about using it in specific situations where the value was absolutely clear. After a slow start, senior management’s embrace of COBIT is filtering down and encouraging others to look at how COBIT’s components can add value to their IT work.

Bob Frelinger has been with Sun Microsystems since 1999 and is the IT policy administrator and process compliance architect in Sun IT’s governance organization. He has been active in the Sun IT Sarbanes-Oxley compliance effort from its beginning in October 2003. He is a Prince2 Registered Practitioner and a certified SunSigma greenbelt.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2005