27
ISCA Amendment Notes 2015 BY R M Jha
Chapter IT Governance
Ø Separate topic on governance dimension is deleted
Governance Dimension topic is included in Enterprise Governance
Enterprise governance has two dimensions
1. Corporate governance or conformance
2. Business governance or performance
Ø Separate topic on Information Technology and Governance (New Topic)
· The usage of IT is rapidly increasing for all the types and sizes of business enterprises and treated as core of most of the key business operations. There is increasing pressure on corporate governance by regulators to encompass governance, risks management and controls. The use of IT in all key aspects of business processes impact three aspects related to IS such as how information is processed, how computerized information systems are used for strategic and competitive success, and how internal controls are integrated with IS.
· Benefits of governance (transferred from CG and ITG in this topic)
· On the basis of benefits it can be said that IT is integral part of the governance. The successful design and deployment of information system using IT, determine success of an enterprise. Hence it is crucial to ensure that required controls are implemented not only from IT Perspective but also from management and regulatory perspective.
Ø Corporate governance and IT governance
· Removes corporate governance word
· No separate definition of ITG
· Topic merged as single
There is no doubt to say that IT is a key enabler of corporate business strategy. Chief Executive Officers (CEO), Chief Financial Officers (CFO) and Chief Information Officers (CIO) agree that strategic alignment between IT and business objectives are a critical success factor for the achievement of business objectives.
IT governance is the system by which IT activities in a company or enterprise are directed and controlled to achieve business objectives with the ultimate objective of meeting stakeholder needs. Hence, the overall objective of IT governance is very much similar to corporate governance but with the focus on IT. Hence, it can be said that there is an inseparable relationship between corporate governance and IT governance or IT Governance is a sub-set of Corporate or Enterprise Governance.
Ø IT Governance and Governance of Enterprise IT (GEIT) (No Change)
Ø Corporate Governance, ERM and Internal Controls (no change)
Ø Role of IT in enterprise (no change)
Ø IT Strategic Planning (no Change)
Ø IS Risks and Risk Management
· Sources of risks (new topic): The most important steps in Risk Management process is to identify the risks, the areas from where risks can occur. This will give the information about the possible threats, vulnerabilities and accordingly appropriate risk mitigation strategy can be adapted. Some of the common sources of risks are as follows-
ü Commercial and legal relationship
ü Economic circumstances
ü Human behaviour
ü Natural events
ü Political circumstances
ü Technology and Technical Issues
ü Management Activities Controls and
ü Individual Activities.
Some of the broad characteristics of risks are as follows:-
ü Loss potential that exists as results of threats/vulnerabilities processes
ü Uncertainty of loss expected in terms of probability of such loss
ü The probability/likelihood that a threat agent mounting a specific attack against a particular system.
· Key Governance Practices of Risk Management: The Key governance practices of Risk Management are as follows:
ü Evaluate Risk Management: (new) Continually examine and make judgement on the effect of risk on the current and future use of IT in the enterprise. Consider whether enterprise’s risk appetite appropriate and that risks to enterprise value related to the use of IT are identified and managed.
ü Direct Risk Management: (old) Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite; and
ü Monitor Risk Management: (old) Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported on for remediation.
· No other change in this topic
Ø COBIT 5 Business Framework – Governance and management of Enterprise IT
· Need of COBIT (no change)
· Integrating COBIT 5 with other Frameworks (no change)
· Components in COBIT 5: (new topic)
Framework: organize IT governance objectives and good practices by IT domains and processes, and links them to business requirements.
Process description: a reference process model and common language for everyone in an organization. The process map to responsibility areas of plan, build, run and monitor.
Control Objectives: provide a complete set of high level requirements to be considered by management for effective control of each IT process.
Management Guidelines: help assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes.
Maturity models: assess maturity and capability per process and helps to address gaps.
· Benefits of COBIT 5 (New Topic)
ü It is a comprehensive framework which enables enterprises in achieving their objectives for the governance and management of enterprise IT
ü It’s best practices help enterprises to create optimal value from IT by maintaining a balance between realizing benefits and optimizing risks levels and resource use.
ü Further, COBIT 5 enables IT to be governed and managed in a holistic manner for entire enterprise, taking in the full end-to-end business and IT functional areas of responsibilities, considering the IT related interests of internal and external stakeholders.
ü COBIT 5 helps enterprises to manage IT related risks and ensures compliance, continuity, security and privacy.
ü It enables clear policy development and good practice for IT management including increased business users satisfaction.
ü It is useful for enterprises of all sizes and all types.
ü It supports compliance with relevant laws, regulations, contractual agreements and policies.
· Customizing COBIT 5 as per requirements (no change)
· Five principle of COBIT 5
Definition of governance and management has been removed from the fifth principle and shifted to COBIT 5 reference model.
· COBIT 5 Process Reference Model: COBIT 5 includes a process reference model which defines and describes number of processes for governance and management of enterprise IT. It consists of two main process domains such as Governance and Management. It provides a common reference model of processes understandable by both the operational IT and business management. However, COBIT describe that each enterprise should define its own process set by considering its own requirements and common language for IT and business is key step to achieve good governance. This process reference model also provides framework for measuring and monitoring IT performance, providing IT assurance, communicating with service providers and integrating with the best management practices.
ü Governance –In most enterprise, governance is the responsibilities of the board of directors under the leadership of the chairperson. It ensures that stakeholders needs conditions and options are evaluated to determine balanced, agreed-on enterprise objectives are to be achieved. It also ensure that setting direction through prioritization and decision making as well as monitoring of performance and compliance against agreed-on direction and objectives.
ü Management- In most enterprises, management is the responsibilities of the executive management under the leadership of the CEO. It consists of four domains as responsibility of management such as Paln, Build, Run and Monitor (PBRM) providing end-to-end coverage of IT in alignment with the direction set by the governance body to achieve the enterprise objectives.
(New Topic) The COBIT 5 process reference model is the successor of the COBIT 4.1 process model, incorporating the both the Risk IT and Val IT Framework. The complete COBIT 5 enabler model includes a total of 37 governance and management processes as mentioned below:
ü Governance processes:
o Evaluate, Direct and Monitor Practices (EDM) consists 5 processes (EDM 01 to EDM 5).
ü Management processes:
· Align, Plan and Organize (APO) consists 13 processes (APO 01 to APO 13).
· Build, Acquire and Implement(BAI) consists 10 processes (BAI 01 to BAI 10).
· Deliver, Service and Support (DSS) consists 6 processes (DSS 01 to DSS 06).
· Monitor, Evaluate and Assess (MEA) consists 03 processes (DSS 01 to DSS 03).
· Seven enablers of COBIT 5 (no change)
· Risk Management in COBIT 5 (it is shifted from Risk Management topic with no change)
· Using COBIT 5 best Practices for GRC (no change)
Ø IT Compliance Review
· No Change
Ø IS Assurance
· Evaluating IT Governance Structure and practices by Internal Auditors:
One more point is added as first point before organization structutre
Leadership: The following aspects need to be verified by auditor:
ü Evaluate the relationship between IT objectives and current /strategic needs of the organization and the ability of IT leadership to effectively communicate this relationship to IT and organizational personnel.
ü Assess the involvement of IT leadership in the development and on-going execution of the organization’s strategic goals.
ü Determine how IT will be measured in helping the organization achieve these goals.
ü Review how roles and responsibilities are assigned within the IT organization and how they are executed.
ü Review the role of senior management and the board in helping established and maintain strong IT governance.
No other change in this topic
Chapter IS Concept
Ø Knowledge Management System (KMS): (new topic)
ü Knowledge Management System (KMS) refers to any kind of IT system that stores and retrieves knowledge, improve collaboration, locates knowledge sources, mines repositories for hidden knowledge, capture and uses knowledge component of any organization’s activities as an explicit concern reflected in strategy , policy , and practice at all levels of the organization.
ü There is a paradigm shift from an economy principally concerned by the management of tangible resources (equipment, machinery, buildings, ….) to an economy in which renovation and growth are determined by intangible resources and investment (knowledge , technology, competencies, abilities to innovate….).
ü Information and knowledge are the key element of this economy. A firm’s competitive gain depends on its knowledge processing i.e., what it knows; how it uses & how it uses & how fast it can know something new.
Knowledge management (KM): It is the process of capturing developing, sharing, and effectively using organization knowledge. It refers to a multi-disciplined approach to achieving organizational objectives by making the best use of knowledge.
There are two types of knowledge.
a. Explicit knowledge: Explicit knowledge is that which is that which can be formalized easily and as a consequence is easily available across the organization. Explicit knowledge is articulated, and represented as spoken words, written material and compiled data. This type of knowledge is codified, easy to document, transfer and reproduce. For example – online tutorials, policy and procedural manuals.
b. Tacit knowledge: Tacit knowledge, on the other hand, resides in a few often –in just one person and hasn’t been captured by the organization or made available to others. Tacit knowledge is unarticulated and represented as intuition, perspective, beliefs, and value that individuals based on their experiences. It is personal, experimental and context-specific. It is difficult to document and communicate the tacit knowledge. For example-hand-on skills, special know-how, employee experiences.
Ø Cross Function Information Systems – It is also known as integrated information system that combines most of information systems and designed to produce information and support decision making for different levels of management and business function. Example – Enterprise Resource Planning (ERP).
Enterprise Resource Planning (ERP):
ü Enterprise resources planning (ERP) is process management software that allows an organization to use a system of integrated applications to manage the business and automate many back office functions related to technology, service and human resources.
ü ERP software integrates all facts of an operation, including product planning, development, and manufacturing, sales and marketing.
ü ERP software is considered an enterprise application as it is designed to be used by larger businesses and often requires dedicated teams to customize and analyze the data to handle upgrades and deployment.
Components of ERP: ERP model is consists of four components which are implemented through a methodology. All four components are as follows:
(i) Software Component: The software component is the component that is most visible part and consists of several modules such as Finance Human Resource, supply Chain Management, Supplier Relationship Management, Customer Relationship, and Business Intelligent.
(ii) Process Flow: It is the model that illustrates the way how information flows among the different modules within an ERP system. By creating this model makes it easier to understand how ERP work.
(iii) Customer Management: In ERP implementation, change needs to be managed at server levels – User attitude; resistance. For example, some users may say that they have spent many years doing an excellence job without help from ERP system, In order to lead ERP implementation to succeed, the company needs to eliminate negative value or belief that users may carry toward utilizing new system.
(iv) Change Management: In ERP implementation change needs to be managed at several levels – User attitude; resistance to change; and Business process changes.
Benefits of ERP :
ü Streamlining processes and workflows with a single integrated system.
ü Reduce redundant data entry and processes and in other hand it shares information across the department.
ü Establish uniform processes that are based on recognized best business practices.
ü Improve workflow and efficiency.
ü Improve customer satisfaction based on improve on-time delivery, increased quality, shortened delivery times.
ü Reduced inventory costs resulting from better planning, tracking and forecasting of requirements.
ü Turn collections faster based on better visibility into accounts and fewer billing and/or delivery errors.
ü Decrease in vendor pricing by taking better advantages of quantity breaks and tracking vendor performance.
ü Track actual costs of activities and performance activity based costing.
ü Provide a consolidated picture of sales, inventory and receivables.
Core Banking System (CBS):