Pension-Fennia is part of the Finnish Fennia Group, which provides pension, life and nonlife insurance services for enterprises, their personnel, entrepreneurs and private households, as well as flexible financing solutions. Fennia Group was established in 1998, but the Fennia name and insurance activities date back to the 19th century.
Pension-Fennia was using the COSO ERM model for internal control self-assessments of its business entities and began using the Control Objectives for Information and related Technology (COBIT) maturity model to gain more insight into its controls over information and IT. The company combined these approaches and used COSO ERM and COBIT to maximize its effectiveness and optimize the maturity of its controls.
By using this combined approach, the organization was able to clarify the mutual goals and responsibilities of its business units and IT. The COBIT self-assessment has been credited with deepening the IT managers’ managerial skills and their insight into control issues.
A few years ago, Pension-Fennia began organizing internal control self-assessments of its business entities by using the COSO ERM model. The internal audit function facilitated these evaluations, which were discussed with the responsible managers and executives following COSO ERM’s layers: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
The discussions and the resulting improvement actions were documented and integrated into the organization’s continuous planning process.
Soon after, Pension-Fennia’s chief information officer (CIO) and chief audit executive (CAE) had a conversation about the IT function’s aim to understand the needs of the business better in order to deliver enhanced IT services. The CIO and CAE realized the need to obtain insight into the controls used in IT and decided to start an evaluation process using COBIT’s maturity models.
COBIT’s maturity model proved to be a very useful tool for the IT professionals. The model enabled IT to define the actual level of controls over IT processes and set the desired level of maturity to deliver the required information to the business. This was a critical outcome, as the key objective of IT is to ensure reliable, effective and efficient services that are aligned with the business’s objectives.
Pension-Fennia’s IT staff started the self-assessment process by attending a two-day training session to gain a better knowledge of IT governance and the COBIT framework. Subsequently, IT management evaluated 24 processes over the course of a few months. During the training and self-assessment process, IT collaborated closely with an external expert. The IT managers evaluated the present maturity level of the controls over each process and the maturity level they aspired to reach.
To bridge the gap between the present and future levels, they prioritized improvement actions and grouped them into projects. These projects were integrated into an IT governance improvement program that included the actions to be performed internally in the IT organization, as well as the improvements to be made by outside service providers and by internal business and support entities.
The COSO ERM framework does not cover maturity aspects, but Pension-Fennia’s CAE wondered if it would be possible to use COBIT’s maturity approach and extend it into COSO ERM—and, further, if it would be possible to combine the two frameworks. Ultimately, she found it was not only possible, but also beneficial.
Pension-Fennia’s CAE and the external expert combined the two frameworks by building the evaluation model on COSO ERM and attaching to it several areas related to the improvement projects that resulted from the organization’s COBIT self-assessment. Additionally, they merged the two risk management layers inside COSO ERM into one layer. In COSO ERM, “internal environment” is the first layer, but in Pension-Fennia’s model, “internal environment” is the result of the evaluation of the first six layers—meaning the internal control culture changed from the starting point to the outcome of the project.
To facilitate the discussion among the company’s managers and executives, a questionnaire was created containing the following six layers:
- Planning of activities
- Risk management process (evaluation, assessment, response and monitoring)
- Daily operations (including segregation of duties)
- Information, applications, security and continuity
Each layer was divided into three sections. The first section consists of questions related to that layer; for example, inside layer four are questions related to sensitivity and criticality of information, segregation of duties, management of data, business continuity planning, resource management, etc.
The second section consists of a list of requested supporting documents, such as the entity’s strategy, process descriptions, control instructions and documents, productivity objectives, job descriptions, and meeting minutes.
In the third section, the maturity of controls is evaluated with the help of different criteria, such as regularity, level of documentation, conformity to enterprise risk management and business planning, and the quantity and validity of reports. To rate this maturity, Pension-Fennia used the generic maturity model for internal controls published in Appendix III of COBIT 4.1.
When carrying out discussions with managers and executives and when evaluating the results of the discussions, Pension-Fennia came to the conclusion that all parties—business units, IT and internal audit—benefited greatly from the project of combining COBIT and COSO.
The business managers and executives received a useful and down-to-earth framework that allowed them to evaluate the pertinence of their internal control activities and determine the need for further control development activities. The tool also deepened the synergy and mutual understanding between business units and IT, and between IT and its service providers.
By using this combined approach, together with the results of the COBIT project, the enterprise was able to clarify the mutual goals and responsibilities of its business units. The COBIT self-assessment has been credited with deepening the IT managers’ managerial skills and their insight into control issues.
The methodology described in this case study for defining the status of the maturity of overall controls at Pension-Fennia is now used regularly in the organization. The first round created the basis for a common understanding of controls, and the aim for subsequent rounds is to continue to strengthen collaboration between the business and IT.
Note: This case study was adapted from an article in volume 4, 2008, of the Information Systems Control Journal.