COBIT Case Study: Implementing COBIT for IT Governance, Risk and Compliance at Ecopetrol S.A. 

 

Abstract

Ecopetrol S.A. is a vertically integrated crude oil and natural gas company engaged in the exploration, development and production of crude oil and natural gas. In 2007, Ecopetrol updated its corporate strategy with clearly defined growth goals for the next years that required important changes and improvements in the organizational structure and processes that support the strategic objectives.

Consequently, there were important milestones, such as the transformation of the legal nature of the company, the initiation of international operations and the adoption of the COSO framework to strengthen the internal control system. The company listed its shares on the New York Stock Exchange in September 2008.

Aligned with the strategic deployment and to provide timely and effective response to the requirements generated by the company's situation, the Information Technology Division decided in 2008 to integrate an IT management system, based on a proper framework. COBIT was selected as the appropriate IT governance framework to implement its IT management system.

Background

Ecopetrol S.A. is Colombia´s largest integrated oil company with about 7,000 direct employees. It is among the top 40 oil companies in the world and the four largest oil companies in Latin America. In addition to Colombia, which accounts for 60 percent of Ecopetrol’s total production, the company is involved in exploration and production activities in Brazil, Peru and the United States (Gulf of Mexico). Ecopetrol is also considerably increasing its participation in bio-fuels.

The Forbes magazine annual list of the 2,000 largest companies in the world (April 2010) indicates that Ecopetrol is located at position 222, with the following information: Sales $14.26 billion, Profits $2.40 billion, Assets $27.20 billion and Market Value $54.14 billion.

The Corporate Governance Code of Ecopetrol comprises the best corporate practices needed to preserve the business ethics and the correct administration and control of the company. This enables the company to compete through recognition and respect for the rights of shareholders, investors and other stakeholders based on clear policies for transparency in the management and disclosure of information about the business, which will in turn generate greater confidence among stakeholders and the market in general. The internal control system of Ecopetrol is framed within international standards (COSO).

Ecopetrol’s Information Technology Division depends on the Vice president of Services and Technology and is in charge of information management process for the company on two main fronts: development and implementation of IT solutions and provisioning of information technology and infrastructure services to support business processes.

The Information Technology Division, which has about 150 direct employees, is responsible for ensuring IT governance. It has a very strong internal structure, distributed in a manner that meets the needs of business development projects, implementation, operation and support of solutions, and provides the required services. In addition, it contains a Management and Architecture Unit and an Information Security area responding at the highest level of the IT Division to guide the processes related to IT Governance, Risk and Compliance.

Process

In 2008, The Information Technology Division chose COBIT as the proper IT governance framework to integrate an IT management system, based on the following characteristics of COBIT:

  • It enables mapping of IT goals to business goals.
  • It results in better alignment, based on a business focus.
  • It provides a view of what IT does that is understandable to management.
  • It indicates clear ownership and responsibilities based on process orientation.
  • It is generally accepted by third parties and regulators.
  • It provides a shared understanding amongst all stakeholders, based on a common language.
  • It fulfills the COSO and Sarbanes-Oxley requirements for the IT control environment.

In the last quarter of 2008, Ecopetrol’s Information Technology Division defined the guidelines, processes and control objectives to implement. Similarly, the division identified the internal resources that would support the implementation of the system and allocated resources to hire the required external consultants.

The team established a project, giving special consideration to the following issues:

  • Resource allocation and an interdisciplinary team with representatives from the involved areas within IT
  • Defining the points of relationship with Business Units and other Support Units and interacting with key areas—Finance, Risk, Strategy, Quality, and Internal and External Audit—on an ongoing basis
  • Integration and convergence with the IT support team in Transport Operations who were anticipating a COBIT implementation effort.
  • Alignment with business projects: Strengthening of the internal control system (COSO) and Compliance (Sarbanes-Oxley Act). We considered the various business initiatives and ongoing projects to ensure the coordination and integration of efforts.
  • A line of reporting at the highest level of management, with weekly follow-up meetings on the project
  • Identification of prior applications (Sarbanes-Oxley, high component in SAP) and others critical for business process. Equally, understanding the people, resources and infrastructure associated with these applications.

Ecopetrol chose to implement 28 COBIT processes, giving priority to the control objectives that support Sarbanes-Oxley compliance. The Information Technology Division developed an internal exercise to determine the maturity level of these processes. After concluding that they were at an average maturity level of 2, the team identified the gaps and set up action plans to reach level 3 for the most critical processes.

The project team then developed the design and documentation of the processes and, subsequently, the implementation and monitoring of the operation for the completion of the required adjustments. As a result, by June 2009, the Division had implemented and secured 14 high-priority COBIT processes. By December 2009, all 28 had been implemented.

During the second half of 2009 and the first quarter of 2010, internal and external audits were developed for Sarbanes-Oxley compliance. Several measures were implemented for remediation and improvement of key IT processes and controls. As a result, the external auditor reported that there were no significant deficiencies or material weaknesses in IT controls that need to be reported by the CIO, the CFO, the CEO or the auditor.

In December 2009, the COBIT project received a company award for excellence to recognize the project team’s performance, initiative and teamwork.

Conclusion

During the last quarter of 2009, the Information Technology Division contracted an external consultant to conduct the COBIT maturity level assessment for the fourteen critical processes. The assessment confirmed the achievement of level 3 in twelve processes and level 4 in two processes.

In 2010, the IT Division structured a sustainability and optimization plan for its IT management system, based on the premise of having a comprehensive vision, organizational and operating model, and leveraging information technology to achieve automation in the IT processes and controls.

The company also restructured the IT Compliance area, taking as reference the good practices of the COBIT framework.

Key issues that led to the excellent results of the first year of COBIT implementation in Ecopetrol’s IT management system include:

  • The implementation of COBIT was structured as a project, with a detailed work plan, clearly defined milestones, allocation of team work with dedication and reliance on project management, risk management, and control of timing and deliverables of the project.
  • The team had the full support of management, provided weekly progress reports, and brought up any deviations and actions that required assurance.
  • The company hired well-known specialized consulting firms that integrated teams with extensive knowledge and experience.
  • A change management front, including training activities and professional accreditation, was established.
  • The project planning, development and results was communicated effectively within the company.
  • Search for the appropriation of practices by the process owners and control responsible.
  • The project was well integrated with all areas involved, and synergies were leveraged, especially with the IT support team in Transport Operations who provided the results of previous efforts and guaranteed the perspective of business users
  • A community of practice and management on lessons learned were established.
  • Sustainability strategies and further optimization of processes were defined.
  • The IT Division interacted effectively with the audit teams.
  • Particular focus was given to segregation of duties, access control, continuity planning, software development and information security issues.
  • Maturity level assessments were conducted by a competent and independent third party.
  • More than 20 employees passed the COBIT Foundation exam and earned a COBIT certificate.
  • Several employees were or became members of ISACA, which gave them easier access to more detailed guidance.
  • Ecopetrol conducted benchmarking of national and international oil and gas companies.

Ecopetrol plans to finish 2010 with 31 COBIT processes built into the IT management system, operating at level 3, with a view to achieve level 4 in 2011. The Information Technology Division is studying the draft documents of COBIT 5 and plan to implement it as soon as it’s available. Ecopetrol is also extending the practices of its IT management system and COBIT to the companies in its business group in Colombia, Peru and Brazil.The IT management system will be embedded in the Corporate Management System to ensure integration and alignment of practices.

With the integration of the IT Management System supported by the implementation of COBIT and the structuring of sustainability and process-based optimization model, Ecopetrol has laid a strong foundation for the consolidation of IT governance, risk and compliance.

Consultants

A number of consulting companies were instrumental to the success of Ecopetrol’s COBIT implementation.

Ecopetrol S.A. contracted Deloitte in 2009 and 2010 as consultants for the projects: Strengthening of the internal control system (COSO) and Sarbanes-Oxley Compliance (SOX). Deloitte participated significantly in the definition of IT control objectives to ensure the Sarbanes-Oxley and COSO scope and to determine the methodology to select the assets to be covered. Deloitte also supported the control documentation and assessment. Deloitte consultants played an important role in guiding the assurance on the segregation of duties with the perspective of risk.

KPMG supported the Internal Audit Department in the evaluation of the design and operation of Sarbanes-Oxley controls in 2009. The KPMG consults generated significant contributions and improvements in the adjustments to the controls’ design.

PricewaterhouseCoopers was selected at Ecopetrol’s General Shareholders' Meeting as the external auditor for 2009 and 2010. PwC has conducted audits for Sarbanes-Oxley compliance and assessments of the internal control system for the key suppliers of IT, under the SAS 70 approach.

In 2009, Ernst & Young was contracted by Ecopetrol to perform the independent and competent assessment of the maturity level for the processes of the IT management system, based on the COBIT methodology. E&Y issued its report and a letter of recommendation to the sustainability and optimization of the level achieved.

The firms EVERIS and GTP were contracted by Ecopetrol in 2008 and 2009 to be consultants on the technical and change management fronts to support the design and implementation of the COBIT processes.

In 2009, Ecopetrol acquired Modulo Risk Manager as a tool to optimize the monitoring of IT Risk and Compliance.

In 2009, Ecopetrol also contracted the ISACA Bogota Chapter to lead a COBIT Foundation training.