IT Governance, Risk, and Compliance » Reliability

Governing IT: Setting Control Objectives – Part VIII

Robert Davis — Tue, 08 Feb 2011 21:21:09 +0000

IT goals election as well as information systems design, implementation, and maintenance are bound by IT objectives. Performing an IT maturity assessment can assist in determining where improvements are most needed. Subsequently, IT control objectives selection conveys what is considered important to the entity’s IT governance program. Whereas, monitoring and evaluating IT objectives drives assurances provided or obtained through due care and due diligence as well as enables managerial fiduciary oversight expectations fulfillment. The absence of setting and periodically assessing IT control objectives is commonly interpreted as a major deficiency in the entity’s control structure that can result in a material financial loss.

“View Part I of the Governing IT: Setting Control Objectives series here“

Governing IT: Setting Control Objectives – Part VII

Robert Davis — Fri, 04 Feb 2011 23:07:14 +0000

“An [entity's] Management Information System (MIS) represents the aggregation of personnel, computer hardware and software, as well as procedures that process data to generate utilizable information for decision-making. Management enables a MIS through control objectives implemented to comply with external and internal business requirements.” To ensure achievement of the IT control objectives supported by the MIS, among other techniques, Key Performance Indicators (KPIs), Critical Success Factors (CSFs), and Benchmarks are utilized for performance measurements, issues identification and gap analysis.

“View Part I of the Governing IT: Setting Control Objectives series here“

Governing IT: Setting Control Objectives – Part VI

Robert Davis — Tue, 01 Feb 2011 21:04:45 +0000

Reflective of ensuring effective IT control objectives, undertaking IT risk management provides the framework that enables future activity to take place in a consistent and controlled manner. As a particular, prioritization enables appropriate resource allocation to prevent, avoid, detect, and/or correct potential risks to the entity’s IT architecture. Once management understands the degree of total risk to information assets, decisions can be made regarding accepting specific risks or conducting tests to verify the sufficiency of detail risk treatment measures. Thereafter, in descending sequential order, the IT risk points exceeding the IT risk tolerance level can be addressed through adoption or revision of the entity’s IT control objectives.

“View Part I of the Governing IT: Setting Control Objectives series here“

Governing IT: Setting Control Objectives – Part V

Robert Davis — Fri, 28 Jan 2011 22:07:58 +0000

Using SWOT, each IT objectives analysis team member should have conversations with at least four other individuals from the entity to solicit their situational assessment of the current state of IT controls. At a minimum, the four individuals — queried independently by each team member involved in the SWOT exercise — should include: someone two levels senior from themselves, someone from a different functional area, someone known for creative thinking, and someone with a reputation for levelheaded decisions. Subsequently, in a group setting, IT team members should discuss and compare their individual perspectives to arbitrate and document IT control consensus.

“View Part I of the Governing IT: Setting Control Objectives series here“

Governing IT: Setting Control Objectives – Part IV

Robert Davis — Tue, 25 Jan 2011 21:53:41 +0000

COBIT enables an entity to set clear control objectives for IT through the combining of previously discussed individual IT design and operational areas. Specifically, the eight IT managerial areas are grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Management can use these generally accepted domains with associated control objectives for deriving achievable IT goals.

When setting control objectives, Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis can be employed to organize IT control objectives and illuminate general agreement on the entity’s strategic situation. If the control environment dictates setting control objectives based on the COBIT framework, management can approve the presented control objectives as documented or, where it is appropriate, modify then approve the presented control objectives.

“View Part I of the Governing IT: Setting Control Objectives series here“

Governing IT: Setting Control Objectives – Part III

Robert Davis — Fri, 21 Jan 2011 22:08:44 +0000

IT planning, organization, acquisition, implementation, delivery, support, monitoring, and evaluation are baseline IT subjects that embrace core managerial responsibilities as conceived by Henri Fayol. Categorically, IT related planning, organization, acquisition, and implementation can be considered design areas for defining compatibility and functionality of IT configurations; whereas, IT related delivery, support, monitoring, and evaluation can be considered operational areas for enabling consistency and accuracy of IT processing. Nevertheless, adopted control objectives should reflect the entity’s control environment.

“View Part I of the Governing IT: Setting Control Objectives series here“

Governing IT: Setting Control Objectives – Part II

Robert Davis — Tue, 18 Jan 2011 17:52:51 +0000

General managerial objectives, such as maintaining satisfactory performance levels, can be translated into detail IT objectives defining acceptable IT configuration characteristics. The primary purpose of these detailed IT configuration objectives is to guide IT owners and designers in the selection of appropriate IT controls. Therefore, reflecting the COBIT framework, IT statements of objectives should address the following areas affecting the availability, compliance, confidentiality, effectiveness, efficiency, integrity and/or reliability of information:

· Planning

· Organization

· Acquisition

· Implementation

· Delivery

· Support

· Monitoring

· Evaluation

“View Part I of the Governing IT: Setting Control Objectives series here“

Governing IT: Setting Control Objectives – Part I

Robert Davis — Fri, 14 Jan 2011 19:06:51 +0000

Reducing IT related errors, mistakes, omissions, irregularities, and illegal acts should be an explicit policy of every passive or active entity. Institutionalizing such a policy requires documenting and conveying “statements of objectives” for reducing these common IT risks to an acceptable level. Wherefore, considering the impact on an entity’s internal control system, “Setting objectives and establishing processes to accomplish designed objectives is a managerial responsibility. Tactically, the manager responsible for a plan’s implementation should set objectives with advice obtained from the entity’s planning committee, top-level executives and line subordinates.”