Marty King, CISA, CGEIT, CPA
In 2004, external audit firms raised the bar on the level of IT controls because of the U.S. Sarbanes-Oxley Act of 2002. In response, Blue Cross and Blue Shield of North Carolina, USA, (BCBSNC), created a remediation program that addressed each Sarbanes-Oxley-related issue individually.
In 2005, a team at BCBSNC realized that they needed a control framework to allow them to “own” their IT controls. They researched the field, reviewed several options and selected COBIT because it is the only IT management and control framework that covers the end-to-end IT life cycle. COBIT was developed by ISACA, is continually updated and is available as a free download from www.isaca.org/cobit.
In 2006 BCBSNC began preparing for the National Association of Insurance Commissioners’ (NAIC) Sarbanes-Oxley-like compliance requirements, called the Model Audit Rule. It stayed with its selection of COBIT as the designated framework because the team knew they could use it to meet Sarbanes-Oxley compliance requirements. Since COBIT also maps 100 percent to COSO, the framework being used at the enterprise level, they gained approval from senior management to use COBIT for their IT controls compliance initiative.
Blue Cross and Blue Shield of North Carolina (BCBSNC) is a leading health services company that delivers quality products, information and services to help its customers improve their health and well-being.
For 76 years, the company has served its members by offering health insurance at a competitive price and has served the people of North Carolina through support of community organizations, programs and events that promote good health. BCBSNC is headquartered in Durham, NC, USA, and employs nearly 4,800 people. It is a not-for-profit company and has more than 3.7 million members, including approximately 900,000 served on behalf of other Blue Plans.
In 2006, BCBSNC began preparing for the National Association of Insurance Commissioners’ (NAIC) Sarbanes-Oxley-like compliance requirements, called the Model Audit Rule. Because of the team’s research into and selection of the COBIT IT governance framework, BCBSNC was aware that COBIT could also be leveraged to meet Sarbanes-Oxley compliance requirements.
Through the compliance planning process with its internal audit group and external consultants/coaches, BCBSNC decided to modify its approach from a risk-based to a compliance-based focus. The change in approach caused the starting point to move from the process level to the control objective level. Specifically, instead of implementing eight complete processes, it implemented 14 partial processes and focused on implementing the key IT controls appropriate for the environment.
BCBSNC used a couple of unique requirements to help provide focus and set priorities. First, the financially significant applications had to be addressed. The second requirement was called “COBIT Lite.” The team used the financially significant applications to narrow the scope of what they looked at and self tested. For example, when the team looked at backup and recovery, they only looked at the platforms that housed the financially significant applications. “COBIT Lite” referred to the pragmatic approach the team adopted. The work was performed by employees in addition to their day jobs so they focused on reasonable and prudent controls for the environment.
The Project Team
The framework implementation was handled as a program (a number of related projects). The project team included the IS team responsible for the framework, delegates of the process owners (process leads), coaches and representatives from the internal audit group—Audit and Risk Management (ARM).
The team members wanted a coach who could teach them how to implement the framework, rather than do the work for them. They interviewed several firms and selected IBM Global Business Services for two reasons. First, because it is Sarbanes-Oxley-compliant on a global basis, the firm knows first hand what it is like to deal with stringent, externally imposed standards that require compliance. Second, IBM has a practice in place to help customers institute IT governance procedures leveraging the COBIT framework.
ARM headed up the company’s compliance effort and the team followed ARM’s lead by aligning the control framework implementation efforts with the enterprise-wide compliance effort. This alignment proved to be mutually beneficial. Among other things, ARM helped to “sell” COBIT as the framework of choice to senior management. In turn, the IT controls framework implementation by IS, helped the enterprise wide compliance effort by ensuring that the required IT general controls were in place. The project team members from ARM were part of all meetings and work groups and that closeness helped the compliance efforts stay aligned throughout the implementation project.
To implement the framework, the team used the following approach:
- Identify the key processes to address.
- Identify process owners at senior IT leadership levels with clear roles and responsibilities.
- Evaluate the current state of the processes for control gaps:
a) Evaluate the risk of the gaps.
b) Evaluate the maturity of the process—current state vs. desired state and what it would take to move from current to desired state.
- Set priorities—for the IS department and for each process area. The top priorities were addressed in the implementation plan.
- Set up an ongoing governance and monitoring process to support control sustainment and to mature the processes.
Framework and Governance Design
The framework consists of 14 partial processes, policies, procedures, controls, a self-testing program, the evidence, a document repository, and defined roles and responsibilities. BCBSNC used COBIT as the basis for designing the framework. Specifically, they used the COBIT domains to assign process owners. The COBIT control objectives became the basis of their policies, and the COBIT control practices were used to write procedures. They also documented the roles and responsibilities in the procedures. The COBIT control practices were used to select key controls, and the key controls were the subjects of self tests. They used ISACA’s IT Assurance Guide to help them design the tests of the key controls.
Below is a visual representation of using COBI
T for the design:
||Policies (objectives encompassed by policy)|
||Procedures and Standards|
COBIT processes in the Monitor and Evaluate domain were used to design the framework governance model. The governance model consists of the processes put in place to sustain the framework, the 14 partial processes, the roles and responsibilities, and the approving bodies (the IT Steering Committee and the CIO).
Sustaining the Framework
Self testing helps sustain the controls that were implemented. If there are exceptions in self testing, they are tracked by an existing IT governance and monitoring process. It was very easy to connect the framework to existing processes.
On a quarterly basis, they sit down with the process owners and their delegates to discuss the results of self testing and review their controls. They also require an annual review of policies, procedures, controls and self tests to make sure the information stays current.
BCBSNC received numerous benefits from implementing the COBIT framework. Notable benefits include formalizing and documenting controls, policies and procedures. For the most part, the required controls were in place when they set off on this odyssey; however, little was documented and procedures were informal.
Many areas achieved benefits from the self-testing program, including noticing minor exceptions right away and being able to correct them before they became any larger. The team also found that it could use COBIT as a common language, which worked internally among various process areas as well as with internal auditors.
Any undertaking of this size has some great lessons. The lessons started when the team started talking about a framework and they continue today. Every enterprise needs expertise to implement a framework. The expertise can come from in house or an external coach, but trying to do it without experience wastes a lot of time.
If obtaining outside help is the decision, hire a coach to provide guidance rather than someone to actually do the work for staff. Enterprises will need in-house knowledge to sustain and mature the framework. Advantages to bringing in someone from the outside include obtaining a broader view based on their work in many companies and their ability to help establish benchmark data.
The audit/compliance perspective is different from the perspective of implementing a framework with a focus on governance, risk management and IT controls. Enterprises that choose to begin at the control objective level for compliance purposes should try to implement at the process level. BCBSNC found instances where the rest of the process was required to put the control objective in place. For example, the control objective selected for Incident Management was Incident Escalation. The team had to put Incident Identification in place before they could escalate.
Another problem with implementing at the control objective level is that it is best to build the controls into the process. It makes the controls easier to sustain and it makes self testing more efficient and effective. If the controls are not built into the process, the area performing the self test may have to pull and review a quarter’s worth of documentation. This can take numerous hours. If the control point is built into the process as a quality assurance step, self testing is always done; they just have to submit the documentation/evidence.
Some controls are pervasive (e.g., segregation of duties, access controls). Enterprises should look at them as part of each process or they may end up with a partial view of the control.
Enterprises should also limit the number of processes they attempt to implement at one time. BCBSNC took on 14 partial processes and it took two and a half years to get everything in place and operating.
Use the many publications and research materials from ISACA (www.isaca.org/cobit and www.isaca.org/downloads) because there is a lot of useful information in them. Among the documents BCBSNC uses are the control practices, IT Assurance Guide and IT Control Objectives for Sarbanes Oxley.
Senior-level support is critical. Since BCBSNC put the framework in place for compliance purposes, the project team had immediate support. It did, however, have to convince senior management that COBIT was the framework most beneficial for them.
Don’t underestimate the enterprise-wide change that must occur with implementing governance. Senior level support and communication is essential. Communicate, communicate, communicate. The most difficult part of the program was the resistance to change. Resistance to change comes in many forms; however, the team found that consistent, repetitive information—especially when it was accompanied by good visual images—helped erode the resistance.
Create links with the business to manage the IT risk of the business processes. This helps ensure that the IT control layer of the business process is in place.
Now that the base controls are in place, BCBSNC’s focus is on maturing the framework, integrating it with the business and further maturing IT governance.