IT Governance, Risk, and Compliance


April 15, 2011  8:01 PM

Right-sizing IT Controls – Part III



Posted by: Robert Davis
Control Environment, Control Evaluation, Control Processes, Governance Tree, Internal Control Systems, IT Controls, IT Governance, IT Management, Roles and Responsibilities

During IT governance framework construction, personnel, structures, processes, and risk management integration are foundational. Nevertheless, professionals generally agree that defining IT roles and responsibilities should be the first step when developing IT governance. Towards this ‘end,’ roles represent the persons who are accountable based on the organizational structure, while responsibilities indicate the activities, with their associated methodologies or processes, for achieving organizational objectives and goals.

At the IT departmental level, precise organizational unit responsibilities should be documented. Correspondingly, utilizing a bottom-up approach can assist in clearly defining roles and responsibilities for each IT unit as well as for the IT department, and can assure understanding of the IT structure. Through this definitional understanding, gaps and overextensions in the control perimeter can be determined, as well as the potential risks, to ensure deployment of suitable IT controls.

View Part I of the Right-sizing IT Controls series here

April 12, 2011  3:11 PM

Right-sizing IT Controls – Part II



Posted by: Robert Davis
Control Environment, Control Evaluation, Control Processes, Governance Tree, Internal Control Systems, IT Controls, IT Governance, IT Management, Tone at the Top

As illustrated by the ‘Governance Tree’ model, an entity’s ‘Tone at the Top’ impacts IT governance effectiveness. IT governance effectiveness and efficiency are directly related to management’s responsibility, accountability, authority, and communication structure. Contextually, responsibility without authority can prevent objective achievement. Furthermore, authority without accountability can lead to unethical, corrupt, and/or reprehensible behavior. Regarding an entity’s direction and purpose, when responsibility, accountability, and authority are properly tailored, communication efficiency is improved through reductions in entropy and misunderstanding.

View Part I of the Right-sizing IT Controls series here


April 8, 2011  8:39 PM

Right-sizing IT Controls – Part I



Posted by: Robert Davis
Control Environment, Control Evaluation, Control Processes, Internal Control Systems, IT Controls, IT Governance, IT Management

IT has enhanced control processes. It has enabled opportunities for utilizing closed-loop control systems and provided the means for more timely corrective actions. Unfortunately, IT has also introduced the potential for a detrimental proliferation of controls. Therefore, developing an organizationally adjusted IT governance structure to ensure the appropriate allocation of controls is a mandate requiring in-depth understanding of the entity’s internal and external environment. Specifically, consideration of the entity’s mission and operating environment is imperative when attempting to implement “good IT governance.”


April 5, 2011  5:45 PM

Managing the Dynamic Uncertainties of IT – Part VIII



Posted by: Robert Davis
Adaptive Process, Adaptive Systems, COBIT, Control Environment, Dynamic Equilibrium, Illegal Acts, Risk Assessment, Risk Management

Technology is an enabler, not a solution, for deploying and executing a sound operational strategy. To ensure effectiveness, responsibility for executing an adopted strategy should be shared across the entity, making all employees accountable as part of a well-defined and articulated risk management program. Where this premise is institutionalized, a primary IT risk management practice should be vetting recommendations that minimize uncertainty, while considering the effect on IT functionality and usability. Consequently, comprehensive high-level IT risk assessments should be the starting point for developing or modifying an entity’s business and IT plans as well as the associated policies, procedures, and standards.

View Part I of the Managing the Dynamic Uncertainties of IT series here


April 1, 2011  6:32 PM

Managing the Dynamic Uncertainties of IT – Part VII



Posted by: Robert Davis
Adaptive Process, Adaptive Systems, COBIT, Control Environment, Dynamic Equilibrium, Illegal Acts, Risk Assessment, Risk Management

An IT risk assessment can classify information assets by criticality, sensitivity, and impact on operations. For most entities, comprehensive IT risk evaluations should be iterative and adaptive processes. Therefore, adequate IT risk management normally requires quarterly risk assessments to ensure established risk tolerance levels are maintained. Simultaneously, risk assessments should be considered whenever there is a change in the entity’s operations or use of technology, or when outside influences affect operations. However, unless mandated by law or regulation, risk assessment costs should not outweigh the benefits derived from managerial due diligence.

View Part I of the Managing the Dynamic Uncertainties of IT series here


March 29, 2011  8:28 PM

Managing the Dynamic Uncertainties of IT – Part VI



Posted by: Robert Davis
Adaptive Process, Adaptive Systems, COBIT, Control Environment, Dynamic Equilibrium, Illegal Acts, Risk Assessment, Risk Management

An adequate IT plan describes predetermined objectives and goals, as well as ambit, with sufficient supporting detail to guide risk assessment development. Correspondingly, IT risk assessment plans should reflect applicable IT standards and practice statements issued by governing bodies. Provisioning an IT program’s risk assessment nature, timing, and extent is a primary motive for determining IT ambit. Thus delineated, and considering generally accepted IT domains, potential IT risk assessment ambits include:

- deployed IT applications
- IT change management
- IT development projects
- IT network infrastructure
- information security

View Part I of the Managing the Dynamic Uncertainties of IT series here


March 25, 2011  3:32 PM

Managing the Dynamic Uncertainties of IT – Part V



Posted by: Robert Davis
Adaptive Process, Adaptive Systems, COBIT, Control Environment, Dynamic Equilibrium, Illegal Acts, Risk Assessment, Risk Management

The IT program’s ambit generally dictates the risk assessment approach. Regarding techniques, the IT program’s ambit determines ‘what’ will be assessed, ‘how’ it will be assessed, and the assessment limits. Reflective of the IT planning premise, evaluating cost versus data collection level will aid in defining the risk assessment team’s effort. Simultaneously, documenting the overall and detailed control perimeters assists in assessing risk analysis process decisions and data. From this point, detailed IT control perimeters can be delineated by functional areas, IT environments, and/or physical locations. In addition, based on the IT risk assessment ambit, risk assessment tools and techniques can be selected to ensure data collection standardization.

View Part I of the Managing the Dynamic Uncertainties of IT series here


March 22, 2011  5:36 PM

Managing the Dynamic Uncertainties of IT – Part IV



Posted by: Robert Davis
Adaptive Process, Adaptive Systems, COBIT, Control Environment, Dynamic Equilibrium, Illegal Acts, Risk Assessment, Risk Management

Selecting a discretionary IT risk management framework requires defining spending limits, work assignments, and information decisions for creating and managing a viable, strategically aligned IT management plan. IT risk management frameworks considered for adoption should allow development of risk management processes. These IT processes should identify, assess, manage, and control potential events or situations to provide reasonable assurance that objectives will be achieved. Specifically, an effective IT risk assessment will define the IT risk appetite, enhance IT risk response, reduce IT operational aberrations, identify and manage IT irregular and illegal act schemes, and improve IT capital deployment.

View Part I of the Managing the Dynamic Uncertainties of IT series here


March 18, 2011  8:30 PM

Managing the Dynamic Uncertainties of IT – Part III



Posted by: Robert Davis
Adaptive Process, Adaptive Systems, COBIT, Control Environment, Dynamic Equilibrium, Illegal Acts, Risk Assessment, Risk Management

Managerial monitoring of deployed controls, focusing on redressing external and internal environment quality, assists in ensuring the established fiduciary relationship with stakeholders is fulfilled. An entity’s control environment quality is a major factor impacting irregular and illegal act risks. However, there is also a relationship between the frequency of irregular and illegal act risk assessments and control environment maturity. Conversely, then, IT management should perform irregular and illegal act risk assessments frequently to enhance the control environment. This risk assessment type is the foundation for a proactive approach to discouraging unacceptable organizational behavior within the IT department’s domains.

View Part I of the Managing the Dynamic Uncertainties of IT series here


March 15, 2011  7:16 PM

Managing the Dynamic Uncertainties of IT – Part II



Posted by: Robert Davis
Adaptive Process, Adaptive Systems, COBIT, Control Environment, Dynamic Equilibrium, Risk Assessment, Risk Management

Risk management should be a continuous, adaptive effort addressing threats, opportunities, and vulnerabilities. In pursuit of achieving dynamic homeostasis for IT, effective “risk management incorporates a systematic approach for identifying risk and defining the impact on an entity’s ability to provide goods and/or services.” Aligning with the Control Objectives for Information and related Technology (COBIT) IT governance framework, IT risk management should be considered a primary focus area for ensuring appropriate responses to varying conditions. Hierarchically, an entity’s control environment is a major factor affecting deployed IT risk management processes.

View Part I of the Managing the Dynamic Uncertainties of IT series here

