IT Governance, Risk, and Compliance » ISACA

What Every IT Manager Should Know About Service Delivery and Support – Part XII

Robert Davis — Tue, 12 Jun 2012 21:46:21 +0000

Audit professionals have a significant role in supporting an adequate control environment when providing contributions to strategic, tactical, and operational value through governance improvement recommendations. Consistent with entity oversight responsibilities, board of directors should insist on utilizing perceptive IT auditors to permit control environment enrichment. In particular, an entity’s audit committee should proactively ensure IT service delivery and support are subject to periodic audits, reviews, as well as agreed-upon procedures by highly qualified auditors so individuals responsible for governance can advance entity oversight goals with IT enhancement triggers. Furthermore, a robust IT audit function can usually render superior performance when requested to assist management with operational control issues that may arise.

Lastly, external factors often influence an entity’s environment. Specific external influencers affecting an entity’s ability to achieve objectives include: economics, communities, governments, technologies, competitors, suppliers, and customers. Therefore, it is crucial that the external environment be accurately assessed prior to proceeding with a course of action impacting the entity’s system of controls.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part XI

Robert Davis — Fri, 08 Jun 2012 22:32:17 +0000

Foundationally, the IT control environment should assist in enabling the governing body, management and all other staff in providing reasonable assurance regarding achievement of the following general objectives:

 Operational Efficiency
 Operational Effectiveness
 Operational Economy
 Management Reliability
 Laws and Regulations Compliance
 Internal Policies Compliance

General entity objectives increase in significance when they are collectively considered in relation to operations, management and compliance fiduciary responsibilities. Categorically, these distinct general objectives can be achieved through various criteria establishment that frame aligned focus on meeting entity-centric needs. For instance, IT related information criteria (i.e. effectiveness, efficency, confidentiality, integrity, availability, compliance and availability) can be utilized to satisfy entity-level objectives that have specific fiduciary responsibilities.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part X

Robert Davis — Tue, 05 Jun 2012 21:55:12 +0000

Management’s control methods over compliance with laws and regulations should ensure appropriate measures are deployed to ascertain whether entity personnel understand implemented governance practices, and governance processes are being followed as intended. Legal compliance procedures for ethical control standards should be set by top management and promoted through exemplary behavior.

The importance of responsibilities of those charged with governance is recognized in codes of practice and other regulations or guidance produced for the benefit of oversight committee members. Documented primary responsibilities of those charged with governance include oversight of the design and effective operation of procedures and the process for reviewing the effectiveness of the entity’s control system. Consequently, the entity’s oversight committee should direct IT management to achieve measurable service and support value.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part IX

Robert Davis — Fri, 01 Jun 2012 21:54:00 +0000

Human resources policies are definite courses or methods of action selected by management from alternatives, considering the environment, that guide as well as determine present and future employment decisions. For example, training policies that communicate prospective roles and responsibilities with prerequisite educational attainment illustrate expected performance and behavior levels.

Human resources practices relate to recruiting, orientating, training, evaluating, counseling, promoting, compensating, and remediating entity personnel. For example, a standard for recruiting the most qualified individual reflecting morally acceptable traits from a candidate pool conveys an entity’s commitment to competent and trustworthy personnel. Furthermore, promotions driven by objective periodic performance appraisals support the entity’s dedication to advancing qualified individuals to higher responsibility levels.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part VIII

Robert Davis — Tue, 29 May 2012 22:55:22 +0000

Knowledge management activities and initiatives enable competence. Commitment to competence is required to ensure adequate leadership and workmanship when engaged in entity endeavors. Therefore, well qualified, capable and fit individuals should be employed to ensure sufficient means to meet an entity’s needs. Conversely, compromising commitment to employee competence for financial burden relief can lead to the demise of an entity. Minimally, within the entity, commitment to employee competence requires fostering strategic, tactical and operational recruiting, hiring, knowledge reviews, skills reviews, training, team development, document management, collaborative communication systems as well as ‘knowledge-base’ development systems.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part VII

Robert Davis — Fri, 25 May 2012 21:20:04 +0000

Authority is the power or right to give commands, enforce obedience, take action, or make final decisions. How operating activities are assigned as well as how reporting relationships and authorization hierarchies are established reflect authority status. Managerial authority invokes leadership responsibilities for activities within the assigned authority domain. An entity’s policies and/or procedures for assigning authority for activities affect the understanding of established reporting relationships and designated authorization authority.

Responsibility is an obligation to account or answer for something or someone and is generally considered a delegated authority corollary. A sufficient responsibility assignment milieu includes policies and communications directed at ensuring that all employees understand the entity’s objectives, knowledge regarding how their individual actions interrelate and contribute to adopted objectives, and recognition of how and for what they will be held accountable. In addition, policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties are key components of assigning responsibility.

Considering the preceding discussions, accountability is the obligation to answer for a responsibility conferred or implied. Accountability is required to ensure authority is administered appropriately within the context of assigned responsibilities. Employee accountability affects responsibility for meeting standards. Standards become ineffective measurement tools when accountability is lacking. Lastly, authority without accountability can promote corrupt practices.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part VI

Robert Davis — Tue, 22 May 2012 21:46:38 +0000

An entity’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and reviewed. An entity should develop an organizational structure suited to perceived needs. Entity-centric organizational structure appropriateness is dependent, in part, on size and the nature of activities. Furthermore, effective organizational structure establishment includes deploying suitable authority and responsibility with adequate accountability for activities. As regulators, internal control systems are designed and operated in order to achieve the goals set in adopted governance rules or to comply with adopted governance rules.

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

What Every IT Manager Should Know About Service Delivery and Support – Part V

Robert Davis — Fri, 18 May 2012 23:06:10 +0000

Management’s operating style is usually derived from devotion to tasks, symbolic behavior, and engrained cultural norms. Operating style will typically be reflected, directly or indirectly, in entity-centric imperatives presented in items such as the mission statement, management principles, management plans, ethic codes, and conduct codes. Within this context, the manner of communicating management’s operating style also affects employee behavior. Regarding IT, as stated in ISACA COBIT 4.1, the “control environment should be based on a culture that supports value delivery whilst managing significant risks, encourages cross-divisional co-operation and teamwork, promotes compliance and continuous process improvement, and handles process deviations (including failure) well.”

“View Part I of the What Every IT Manager Should Know About Service Delivery and Support series here“

Achieving Not-for-profit Organizational Objectives through IT Governance Deployment – Part VI

Robert Davis — Mon, 26 Apr 2010 17:51:28 +0000

Governing an entity mandates management accurately conceptualize information criticality and communication paths. Reflective of the Australian/New Zealand Standard on Risk Management (AS/NZS ISO 31000:2009), risk management is an iterative process consisting of steps, which when taken in sequence, enable continual improvement in decision-making. It is also the logical and systematic method of identifying, analyzing, evaluating, treating, monitoring and conveying risks associated with any system, process, activity, or task in a way that will enable an entity to minimize losses and maximize opportunities. Consequently, management of risk represents the means by which an entity elects to administrate cataloged possibilities. As alternative responses, risks may be addressed by reducing, avoiding, transferring, or accepting potential threats. Specific to not-for-profit entities, these risks typically encompass: objective achievement, organizational credibility, equitable provision of services, and appropriate behavior of officials.

“View Part I of the Achieving Not-for-profit Organizational Objectives through IT Governance Deployment series here“

Achieving Not-for-profit Organizational Objectives through IT Governance Deployment – Part V

Robert Davis — Thu, 22 Apr 2010 18:34:47 +0000

Regarding supplemental value delivery design and development assistance, the Davis’ ‘Governance Tree’ offers a conceptual frame of reference for defining IT governance practices from an information and communication perspective; therefore enabling comprehensive process integration for value realization. Through the Davis’ Governance Tree, details demonstrating governance sub-domain influences can be documented utilizing specific processes and applicable controls. In addition, governance development discussions are enabled to convey evolutionary baselines necessary for measuring managerial progress. Once abstraction elements are understood, management’s role in providing strategic alignment impacting not-for-profit service delivery can be defined and enabled to address control objective deployment subscribing to IT governance mandates. Lastly, the Governance Tree can provide a comparative assessment of best practices for monitoring and evaluating IT governance strategic alignment.

“View Part I of the Achieving Not-for-profit Organizational Objectives through IT Governance Deployment series here“