Readings
- In your own words, how would you define a control environment?
- Define the three kinds of common controls and give two examples of each from your everyday life.
- What is the role of the board of directors in IT governance?
- Which of the EDM processes do you think is most important and why?
- If you’re working, have you seen examples of active IT governance in your organization?
The DentDel Case
Think about the following questions before class next week.
- What processes were ineffective and allowed this situation to occur?
- Where could stronger IT governance have helped DentDel avoid this situation?
Rich
Richard Flanagan says
Here’s a sample comment. I left it by clicking on “N comments (Edit)” under the title of my original post. Remember your first comment or post won’t appear until I approve it.
Heiang Cheung says
I would define a controlled environment as having systems / standards in place for certain situations. For example, in the DentDel case, the project was rushed, was discussed for only about 10 minutes and wasn’t even presented to the CEO, COO and the general counsel. If it was in a controlled environment there should have been an approval process for projects, especially if it’s a large project that could affect all stakeholders.
Richard Flanagan says
Heiang – Congrats for being the first to comment. I have a small revision to make to your comment. It’s more than just “systems/standards”; it’s having a complete set of expectations about how senior management expects the company to behave and then the policies, standards, and processes that implement those expectations.
Duy Nguyen says
A control environment to me means the attitude of management towards company-related issues, whether senior-level or mid-level. How management reacts to things can certainly shape the values/tone of a company. These values/tone can trickle down and determine if the control environment is aligned with the company’s set controls. I completely agree that it’s expectations set by management.
Richard Flanagan says
Yes, but trickle down sounds like a problem. How does senior management ensure that the company is following the desired behaviors?
Duy Nguyen says
Trickle down is more of sharing of a vision, values or an ethical standard for the company. Management would ensure desired behaviors by controls.
Richard Flanagan says
To me, trickle down means things happen without intervention, a natural consequence. Establishing and maintaining a control environment is very proactive in nature and consumes a lot of organizational energy.
Jonathan Duani says
Rich,
I agree with you about the term trickle down. When I hear trickle down I think of trickle down in the sense of economics, where it’s a more hands-off approach in which everything slowly falls down or trickles to the lowest person, whether policies, money or anything else. In this sense of establishing a control environment I feel like there needs to be a lot more hands-on involvement, where the people on your team all understand and are working together to complete the common goal. It can’t just happen, at least not at first.
Heiang Cheung says
The board of directors plays a role in IT governance because they monitor policy and make sure everything is happening the way it is supposed to. Also, they are the bridge between the shareholders and the company. They have to make sure that whatever IT people are working on provides value for the company and its shareholders.
Richard Flanagan says
Heiang,
Remember that boards are not management. Their key role is to ensure the future of the company for its owners. They are normally reviewing senior management’s plans and actions but not managing directly. They do not normally dive into the details of something like IT. While it’s improving, many boards never discuss IT or security. If they do so once a year they are probably leading the pack.
Heiang says
Stronger IT governance for DentDel would’ve definitely helped their situation; if it didn’t stop it from the beginning, it would’ve at least stopped it before everything went over budget. Better IT governance would’ve provided a better process for decision making instead of things being rushed. It would’ve also provided a better process for how decisions are implemented. They didn’t consult the CEO or the board; I believe that if the project was going to have a material effect on the company and shareholders, it should’ve at least had approval from the board because they are the voice of the shareholders in a way.
Richard Flanagan says
Please be sure to log into the site before posting so that you get credit for your post.
Heiang cheung says
Sorry about that, this was my post.
Richard Flanagan says
Board approval of IT projects is very rare. In my case the only project that ever got a board-level approval was a $260MM SAP implementation. It’s not just about approvals; it’s about having ways of doing things that you follow. Clearly management here was very willing to ignore anything in its playbook and just do it. All too often, that turns out to be a bad idea.
Michael Gibbons says
This is where having strong corporate governance and established processes and procedures comes into play. To prevent this type of issue, a purchasing policy that requires Board sign-off for anything over $1 million would bring high-cost projects to their attention. This would help keep the conversation going, as the Board would be asking for status updates and expect to see significant progress made for the investment. This oversight keeps Senior Management moving towards a common goal because they now know they are accountable and they could be on the hook if the project fails. Another policy or procedure that would help here is a strong project management process where the CEO and Senior Management are driving and aware of all existing projects and have a voice in prioritizing these high-dollar-value projects so that all business unit resources needed are available. I feel having these items in place would have helped DentDel avoid running into major issues.
Paul Needle says
A control environment is having a layered approach which combines multiple controls in a designed framework. One such example would be the COBIT framework, which provides guidance for an organization through a methodical review of compliance effectiveness, efficiency, and economy. It is crucial that the framework is a living process and constantly reviewed. It is strengthened through culture and proper risk management hygiene. Implementation originates with the board, executive leadership and a strong HR presence.
Vince Kelly says
Interesting point. I guess this would apply to many other frameworks in this context as well – like TOGAF and ITIL, right? Also agree with your point that frameworks are initially defined as static guidelines but they must be streamlined and tailored to fit each organization’s particular needs (perhaps an enterprise needs to use multiple enterprise architectures like TOGAF and Zachman, for example).
Richard Flanagan says
Yes, both TOGAF and ITIL can play an important part in IT governance depending on the firm. There are a lot of standards (i.e. ISO 27000) and frameworks (i.e. CMMI) that also might come up, again, depending on what’s most important to the company.
Michael Gibbons says
I feel having open dialog between the various assurance functions of an organization can help drive stronger IT governance as well. COSO provides a high-level internal control integrated framework which can help all organizational areas “speak” the same risk language. Translating risk from the IT side to the business side is where I have seen the majority of miscommunication. Many of the audit assurance programs available through ISACA do a nice job of mapping out controls and the framework that those controls tie back to (COBIT, NIST, CIS, etc.). Having that mapping and a clear understanding of the objectives of the organization can play a key role in helping the non-technical understand or translate those risk items.
Vince Kelly says
1. In your own words, how would you define a control environment?
I attempted to be as inclusive as possible with the definition. I’d think the definition should be broken down into two elements:
1. An opinion/interpretation of what a control is.
2. What ‘my’ interpretation of a control environment is.
In my opinion:
1. A control is a mechanism or process that prevents, detects, or corrects any activity or condition that has the potential to adversely *OR* beneficially impact an organization’s values, mission, vision, priorities, requirements, capabilities, solutions, strategies, objectives or goals. An example of an adverse impact might include disruption or misalignment of an organization’s capabilities – (people, process and/or technologies). An example of a beneficial impact might include streamlining, improving or enhancing those capabilities.
2. A control environment is, (again only my opinion here) any situation or scenario where one or more controls are currently implemented or potentially planned to be applied in the future.
Richard Flanagan says
I think you are missing the environmental nature of the “control environment”. It’s much more cultural and behavioral than specifically about controls. Will folk follow the controls or ignore them? Is your being a good corporate citizen part of your annual review or not? To beat on Wells Fargo again, would you get fired for increasing sales fraudulently or promoted? WF had the controls in place, they just chose to ignore them.
Anthony Quitugua says
Correct. You can create the most comprehensive control environment that covers every possible contingency, but it is useless if the people don’t follow it. Therefore you must also establish a detailed governance structure and oversight responsibility along with those controls. Those elements combined will result in a viable control environment.
Michael Gibbons says
Agreed and I would add having formal policies in place where you can hold people accountable is a factor that I believe gets overlooked. As much as everyone hates reviewing policies on a periodic basis, they serve a purpose and in a strong control environment, policies are the high level direction for how things are to be done throughout the organization. Those policies drive business unit standards and procedures and allow an assurance activity to review and map back through and find areas for improvement or errors/irregularities.
Vince Kelly says
“I think you are missing the environmental nature of the ”control environment”. Its much more cultural and behavioral than specifically about controls. Will folk follow the controls or ignore them? Is your being a good corporate citizen part of you annual review or not?”
…not to quibble, professor, but isn’t that what’s included when we use the term ‘capabilities’? As I understand it, ‘capabilities’ refers to people, process, technology and tools – essentially all of those things that go into creating an organizational environment.
I disagree that it’s ‘much more cultural and behavioral than specifically about controls’. I think you’re absolutely correct in that one aspect of a control environment is cultural/behavioral – these things make up (what amount to) the internal influences on capabilities – organizational culture, organizational readiness/adaptability/acceptance of change, as well as the organizational maturity (where the company is in its lifecycle – i.e., a startup has a different culture and behavior than a mature corporation).
But isn’t that just one aspect of an ‘environment’? If not, then I think it completely ignores other aspects like external influences on a company – things like trends, market forces, macroeconomic forces, industry forces, for example. These are all ‘environments’ that have a direct effect on a company.
Where I think that we may have different opinions is with the application of the term ‘environment’ in the context of the question.
The definition of an environment is:
“the surroundings or conditions in which a person, animal, or plant lives or operates.”
To me, an environment – i.e. the ‘surroundings/conditions’ – does not ONLY include culture and behaviors; it also includes many dimensions of/within an organization.
In other words, ‘the environmental nature of the control environment’ of an oil and gas company is *significantly* different from ‘the environmental nature of the control environment’ of a law firm in every aspect – from the people (culture), to process (managing capital versus non-capital intensive businesses), to technology (oil drilling platforms versus yellow legal pads :):)
If we apply the word ‘environment’ with the word ‘control’ then, (in my opinion) we are defining a GENERIC set of restrictions or guidance upon particular groups of physical, non-physical and/or behavioral conditions.
Vince Kelly says
…session crashed when I tried to post question #2 comment, so I’ll repost here – I apologize for potential duplicate messages…
Define the three kinds of common controls and give two examples of each from your everyday life.
According to Gartner, “Understanding IT Controls and COBIT”, page 2, three types of controls include:
1) Preventive Controls: Controls intended to proactively mitigate the occurrence and/or impacts of risks.
An example of a preventive control in my everyday life is the seat belt in my car, which is designed to prevent the driver or passenger from becoming a projectile if a collision happens to occur. Another example of a preventive control is the Acceptable Use Policy (AUP) that I’m forced to agree to whenever I log into my company’s computing environment.
2) Detective Controls: Controls that operate after the fact to identify whether a predefined event occurred. One example of this in my everyday life is the badge reader that scans my employee identification card in order for me to gain entry into a company lab or facility. One interesting aspect of this definition is the last sentence: “It should be noted that data from detective controls can feed predictive analytics tools and processes to enable preventive controls.” This is interesting to me because it is exactly what happens every time I scan into a facility. Whenever I scan my badge, an event notification is sent to an asset management system which, over time, reports how much a particular lab or facility is being used. This in turn prevents my company from excess spending on real estate, power, floor space, etc. Another detective control from my everyday life is the latest eye exam that I went through in order to determine/detect if my eyesight had deteriorated.
3) Corrective Controls: Controls that are tasked with restoring the current state to an improved state. An example of a corrective control in everyday life would be my daughter’s (very expensive) braces ;) Other everyday examples that I’m using right now as I write this comment are error-checking and correcting algorithms like BIOS POST and the ECC memory algorithm that is maintaining memory stability on my PC as I use it.
Vince Kelly says
3. What is the role of the board of directors in IT governance?
The board’s responsibilities include taking responsibility for the risks associated with cybersecurity, effective oversight of company resources and personnel, developing effective security partnerships with senior leadership as well as establishing open and independent communication channels between itself, the IT organization and any IT oversight functions that may exist within the company (audit, compliance and/or an independent CISO function, for example).
The IBIT Report “Implementing Board Oversight of Cybersecurity”, page 7, quotes SEC Commissioner Luis Aguilar as follows:
“….boards need to provide meaningful oversight of the company’s proactive actions to mitigate risks”
Page 5 of the IBIT report also states that, (among other things),
“To effectively protect the corporation from the consequences of a loss of information assets, management and directors must build a constructive relationship.”
Part 2 of the video “Maintaining a Strong Control Environment” points out that the most important aspect of the Board’s responsibility is setting the ‘Tone from the Top’ for the internal control environment. Basically this refers to the notion that the Board must not just ‘Talk the Talk’; they must also ‘Walk the Walk’. The Board must take compliance and security seriously, as opposed to treating it as just a ‘check the box’ duty. This means that the Board shouldn’t just adhere to the mechanics of security; the Board needs to lead by example. The Board needs to allocate appropriate levels of time and resources to security and must embrace a culture of vigilance, prevention and accountability throughout the organization.
Richard Flanagan says
You say that the board is responsible for the risks associated with cybersecurity. Don’t limit your thinking to just cybersecurity. The board must think about all kinds of business risk. Cyber risk is something that most boards have not paid attention to, but that is changing.
Jan Yeomans, my co-author, is on three boards and is being asked to speak (at board-members-only sessions) on how boards should evaluate their company’s cyber risk. The problem is that boards are very busy. Jan says a typical meeting for her is two days of non-stop meetings with dozens of topics and a thousand pages of pre-reading. So even if cyber gets on the agenda, it may be only for 15 minutes out of 1,000 and 4-5 pages also out of 1,000.
Michael Gibbons says
Do you think this is where Boards are being stretched too thin and expected to know too much about everything? I hear from examiners on a regular basis and they want more and more information passed to the Board, but there does not seem to be a perfect answer on what level of detail needs to go to the Board as far as cyber security risk is concerned (metrics vs. full detail). Is this where a dedicated sub-committee of the Board would be beneficial (i.e. Audit Committee, Enterprise Risk Committee, InfoSec Committee)? I know it could add more layers to an already complex organization, but these Committees could potentially be the independent subject matter experts for the top-level Board.
Patrick DeStefano (tuc50677) says
Michael, you bring up a good point. With all the increases in data, metrics, approvals, and escalations often found in larger firms, I can very easily see information overload becoming more and more of a problem these days. Senior management and board members can easily be tasked with an overload of things, which becomes a problem very quickly because then truly important things might not be given the thought and attention they deserve and may create their own risk in that state. In my opinion, this is why it is so important to have executive assistants who are actively engaged in the type of business and to build a team of educated and experienced professionals to assist with all of the more trivial and/or technical issues which may come up. The board would and should remain involved with business, financial and reputation risks, as well as the general direction and very high-level policy of the firm overall.
Michelangelo C. Collura says
To answer #1, I’d define a control environment as an organizational worldview enacted by the majority of employees. This means that if perhaps 70% of a corporation’s employees, from c-suite to entry-level, adhere to a particular perspective, then that is the control environment. This would seem to invalidate regulatory or internal policy, or at least have the potential to do so. Some may consider this a bug in the system, but that depends on the company. In the example of Wells Fargo posted by the professor yesterday, shirking corporate ethics and evidently pursuing short-term profits to the detriment of long-term growth and inviting government scrutiny seems to be precisely what the control environment intends, regardless of how sensible this may seem.
Richard Flanagan says
Michelangelo – Do you really think it’s as low as 70% in most companies? I suspect it’s much higher. But understand, the control environment is about the behavior you expect and how you intend to institutionalize that behavior. To the extent that company leadership ignores its own rules (think Uber, Wells Fargo, etc.) they do wind up getting the behavior they want, but not what they say they want. Walking the talk is absolutely important here. A trivial example from my old company was showing our ID badges to get in. Lots of tailgating went on, but the one person who always stopped, showed his ID and talked to the guard was the CEO, Raj Gupta. He was sending the message that the company’s policies and rules were to be followed every time he entered the building.
Michelangelo C. Collura says
Thanks for the reply, Professor. I was giving a hypothetical with the 70% estimate. I agree that the percentage is likely higher in most cases. I believe an indication of this is the need for whistleblower protections in law. Such protections imply that those who are trying to report on ethical violations are likely a very small and indeed vulnerable percentage of any organization.
I entirely agree that ‘walking the talk’ is crucial, but I feel that the short-term gains emphasized by many corporations mean that talking about ethics is only valuable insofar as it keeps regulators at bay and doesn’t harm the short-term share values. To enact cultural and systemic changes is much harder and doesn’t provide immediately obvious ROI, so there is less interest in such action. Whether this shortsighted approach is wise is certainly a debate worth having however.
Vince Kelly says
“I entirely agree that ‘walking the talk’ is crucial, but I feel that the short-term gains emphasized by many corporations mean that talking about ethics is only valuable insofar as it keeps regulators at bay and doesn’t harm the short-term share values. ”
Totally agree with your point, Michelangelo; many companies appear to talk one way but often act in another way. One suggestion might be to put some ‘concreteness’ behind ‘walking the talk’, i.e., incentivize employees to actively embrace and follow the ‘tone from the top’ by structuring company compensation to align with its values, mission and its overall ‘tone from the top’, and disincentivize employees for failing to do so – this should be an integral part of the control environment.
Another benefit to this is that, from an external stakeholder’s point of view, it would clearly distinguish companies who only pay lip service to ethical behavior from those who take it seriously.
Patrick DeStefano (tuc50677) says
I see where you are coming from here, Michael and ‘tuj17357’. Sometimes implementing a successful and appropriate control environment may call for a difficult culture shift of a large part of the organization. This may be easier to do in certain industries than others. I’ve been working in IT within the financial services industry for several years now, and the real cultural positivity which drives a lot of people in the industry really surrounds doing what’s right by our customers. Yes, profits are very important for any for-profit company to survive; however, if you can shift the mindset of the employees and management to where the true profits come from (our customers), then it’s much easier to make decisions and adhere to a strong control environment. Without our customers, we are nothing; let’s do our best by them so they trust us, which, in the end, will also help our bottom line.
Vince Kelly says
4. Which of the EDM processes do you think is most important and why?
The four governance processes in the COBIT Governance Reference Model address all of the pertinent, important areas of governance. For example, EDM02 emphasizes getting optimal value from IT initiatives and the importance of cost-efficient delivery of services and solutions. EDM03 specifies the need for continual risk assessments and for risk not to exceed management risk tolerance. EDM04 emphasizes IT cost optimization as well as “benefit realisation and readiness for future change”.
But the most important EDM process in my opinion is EDM01 – Ensure Governance Framework Setting and Maintenance. The reason for this is that, (among other things) EDM01 specifies that “IT related decisions are made in line with the enterprise’s strategies and objectives.”
I think that one definition of strategy is that it’s a long-term plan which enables a business to work toward achieving its vision, and that business strategy should be aligned not only with the organization’s vision but with the values and mission of the organization as well. Business strategy should be based on business goals and objectives, and these in turn must support the organization’s business priorities.
So, without clearly stipulating that IT decisions and strategies must be in line with the overall business strategy of the enterprise (called out in EDM01), a precedent is set whereby the two strategies could, and probably would, start to diverge at some point (something that was demonstrated in the STAR Information Systems case study). If this divergence occurs – i.e., everyone is not “on the same page” in terms of a common direction – then it becomes extremely difficult to leverage/synchronize critical success factors like accountability and a common, shared vision for the entire enterprise.
Richard Flanagan says
Clearly all are important, but I tend to agree with you. If no one has the responsibility for ensuring that IT provides value, manages risk and runs efficiently, no one will.
Vince Kelly says
5. If you’re working, have you seen examples of active IT governance in your organization?
I don’t work in an IT organization per se, but I have seen many customers struggle with IT governance. In many of these cases, (in my opinion) a generalized ‘dislocation’ occurs between these IT organizations and the businesses that they are supposed to support. These IT organizations often isolate themselves from the business and concern themselves only with ‘tech-centric’, ‘strategic’ issues like selecting the most appropriate SDLC methodology, technology architectures, systems integration strategies, etc. In these environments, ‘innovation’ is thought of solely in the context of technology rather than as a way to create business value and market differentiation. The process of IT support for other lines of the business becomes a set of disjointed, unrelated BU initiatives rather than a cohesive approach to enabling the company’s longer-term corporate strategy.
As a result, the focus of these IT organizations often becomes directed at simply optimizing costs. They don’t have, or can’t articulate, what the strategic direction of the company is, how its corporate strategy drives other (non-IT) business unit strategies and objectives, or how their own strategy aligns with the overall corporation in general.
Richard Flanagan says
Vince does describe many IT organizations, but the problem is a two-way street in my experience. We will spend a lot of time on this issue over the month of September. I have seen many business leaders who don’t want to be bothered with IT. They have a “Just do what I want” attitude without putting much thought into what they want. In a company with multiple lines of business this can get very confusing. The corporation has one strategic view, each business one of its own, and all are competing with each other for IT’s attention. If a clear governance process is not in place, then it may be very chaotic.
Patrick DeStefano (tuc50677) says
Rich, I completely agree. In my experience in a large firm, I can fully understand how it can get very confusing and even chaotic with multiple different, and sometimes clashing, directives coming down from the top. A clear governance process must be put in place, which may include a prioritization process for which project gets slotted first based on ROI, risk evaluation, or even gaining competitive advantage. There must be some sort of prioritization process in place if multiple different business units are all fighting over getting their project in first with IT.
Brent says
In terms of the DentDel case, to me the problems they experienced would have been averted if they had met with all of the key people in charge, such as the CEO, etc. It sounded like they had rushed the project from the get-go without thoroughly thinking it out. As they said, at one point they were 8 million over budget when they had predicted they would be only at 3 million at that point. This seemed due to ineffective coordination among all people involved, SMEs, etc.
As far as examples of IT governance in my workplace, recently they are taking more of a hard-line stance as far as a “front door” process to help program managers and others plan which projects are more essential for the company’s success. Another aspect is that anytime someone wants a new IT-related tool to use they have to justify it in front of a “board” so they can get all of the necessary approvals done. Before, people were buying tools right and left, so things were all over the place. They are trying to get a good handle on this corporate-wide in terms of controlling all of the spending going on.
Richard Flanagan says
Brent – All your suggestions are good; they describe how projects should be started. The point I think you may be missing is that DentDel management doesn’t care how projects start – they do what they think best without submitting their thinking to any controls at all. This is really a dangerous way to run a business. Think of the infamous Hershey SAP implementation. What business person in their right mind would schedule an SAP go-live in a candy company 4 weeks before Halloween? Not only weren’t they ready from the technical point of view, but clearly they ignored the business risk.
Patrick DeStefano (tuc50677) says
Rich, that brings up a very good point related to implementation timing. It’s not always about how the projects are started. In an ideal world, there should be preventative controls, detective controls, and corrective controls in place to reduce the risk of issues during implementation. The project should be thoroughly analyzed and tested prior to implementation; however, something that people can miss in today’s world, where ‘time to market’ is becoming more and more of a driving force for production IT implementations, is the risk related to the timing of these types of releases. Retailers and banks should be very wary of production implementation during the holiday shopping season, just as accounting firms should be very cautious about them during tax season, January-April. This type of risk should be part of the preventative controls previously mentioned.
Bilaal Williams says
A control environment is a business system that defines actions taken by management, the board, and staff to manage risk and increase the probability that established objectives and goals will be achieved. Controls are put in place to mitigate unforeseen risk and produce predictable outcomes from business processes.
The three types of controls are preventative, such as locking your door at home to prevent intruders; detective, such as a credit monitoring system used to monitor personal finances; and corrective, like replacing a broken water heater with a newer and more efficient model with a longer warranty.
The role of the board of directors is to clearly define roles and responsibilities within the corporation. It must define who owns the risk involved with cybersecurity, and where the skills and responsibility to handle these risks reside in the corporate structure. Ultimately, each board member must be satisfied that any incident involving cybersecurity will be handled effectively.
I feel that the most important EDM process is to Evaluate the governance system. This step ensures that the governance system is effective and in alignment with the business objectives. It also ensures that the governance system is properly documented and is understood by all parties involved throughout the organization. It also allows the opportunity for revision of the policy and judgement on the current and future design of governance of the IT infrastructure.
I see the need for improvements in the IT governance at my current employer, which is a life insurance agency. There are multiple instances of employees using Windows XP, including those in upper management. This shows that certain departments’ systems are not being properly audited, as numerous vulnerabilities exist for XP workstations. In contrast, the migration of our company bank accounts to a different bank was handled fairly well. The direction of the migration was handled by top executives, and the roles in the migration were clearly defined from upper management to the staff in both finance and IT. The migration was successful with minimal issues.
Michelangelo C. Collura says
Hi Bilaal, I just wanted to add to your description of the role of the board the role they play in setting the mood of the organization – the culture of compliance and concern for IT security. This would apply to all upper management as well; indeed, the c-suite is likely crafting effective IT governance policy and implementing it, and the board is approving it and adhering to it themselves. If, for example, management devises a solid set of controls and the board rubber-stamps it without enacting it themselves (e.g. not using 2-factor), then management may find things not working out. Everyone needs to be pulling in the same direction, or even the best policies may end up failing.
Bilaal Williams says
Thanks for your response, Michelangelo, and that’s a good point. Setting the mood and tone at the top sets an organization’s guiding values and ethical climate. This will ultimately become the foundation upon which the culture of an enterprise is built.
Richard Flanagan says
Michelangelo – I agree with you about setting the tone, but please remember that the board members are not employees of the company and therefore operate as a sort of outsider. Thus they are subject to a special set of controls and must set the tone by following them, but that is largely outside the day-to-day managing of the company.
Pascal Allison says
1. In my opinion, a control environment is the consciousness and activities of management regarding situations within an organization or entity. There should be assurance, consciousness, and activities of management regarding situations; their importance or effect on an organization or entity.
2. The three kinds of controls are:
• Preventive Controls – are controls that are geared towards stopping or avoiding a situation from occurring.
Examples:
a. At work, all transactions above $1,000.00 must be verified and approved by a supervisor for completion.
b. All visitors must be badged in to enter the building. If an employee is badging a visitor in, it must be recorded at the security desk.
• Detective Controls – seek to reveal or identify lapses in preventive controls.
Examples:
a. All documents with personal and confidential information are required to be locked in our cabinet when we are away from our desk. Audit does a routine check to ensure no document with personal or confidential information is left unattended.
b. Supervisors review staff performance periodically to ensure goals and objectives are achieved.
• Corrective Controls – provide resolution to preventive control errors or situations revealed by detective controls. Corrective controls answer “What should be done?” or “What should have been done?”
Examples:
a. Before the badge access process started at my work, anybody could walk into the building before talking to security. A document went missing, and it was discovered that a former employee took the document after he was fired. Thus, before entering the building an employee badge is now needed.
b. Approval of over-limit payments was set for employees, but a verification structure was not put in place. A colleague approved a transaction above his limit; it was the beneficiary who called our attention and said, “That is not the amount I requested.” Today, every transaction over one’s limit requires verification and approval.
3. The role of the board of directors in IT governance is to set the path or standard (policy) and monitor its implementation to ensure that the IT structure supports the organization in achieving its goals or objectives. Some of the focus points are: risks, communication, independence (segregation of duties), etc.
4. According to COBIT, EDM01 is “Ensure Governance Framework Setting and Maintenance Audit/Assurance Program.” Based on the definition, I believe EDM01 is the most important. It is the most important because it is the foundation upon which all other EDMs are built and will function. All the EDMs are ensuring the execution of the framework set in EDM01.
5. Yes, I have seen IT governance where I work. It was a policy that all computers not in use or not manned must be locked or turned off. It was discovered that some computers were left unlocked after work. A decision was reached and became policy that IT does a routine check for computers left unattended for four (4) hours and locks (encrypts) them. To restart those computers you will have to contact IT.
Richard Flanagan says
Pascal – be careful about your examples. Locking confidential materials is a preventative control. Auditing the numbered copies of a confidential document to ensure they are all safe would be detective. Remotely wiping a PC with confidential materials on it would be corrective.
Heiang Cheung says
The three types of controls are as follows:
Preventive controls are controls intended to proactively mitigate the occurrence and impacts of risk.
Example #1: Brushing my teeth twice to mitigate the risk of having cavities.
Example #2: Eating healthy / working out will mitigate the risk of me having bad health.
Detective controls are controls that operate after the fact to identify if a predefined event occurred.
Example #1: Going to the dentist after having a toothache.
Example #2: Taking my car to the mechanic for a check-up.
Corrective controls are tasked with restoring the current state to an approved state.
Example #1: I’m an accountant who has to correct the expense account when it’s coded under the wrong account by the AP department.
Example #2: Paying a driving ticket to get it off my record.
Richard Flanagan says
Heiang – Going to the dentist for a check-up is a detective control. Going with a toothache is more of a corrective control.
Michael Gibbons says
A control environment is the basis for how every organization sets the tone for how business is to be conducted and how things are expected to be done (i.e. mission statement, code of ethics). It should be a consistent top-down approach, with everyone understanding their roles and responsibilities in regards to the organization’s mission so that everyone is working towards the same overall goal regardless of the function that person works in.
Donald Hoxhaj says
Michael – You bring up a good point that the control environment should be a consistent top-down approach. If the tone at the top is not focused, an organization can surely expect everything else to be a little chaotic. In a good control environment, policies and procedures should be clearly defined as well as roles and responsibilities of those supporting the organization.
Michael Gibbons says
i. Preventive – controls designed to stop something from happening.
a. Two examples of preventive controls from my everyday life include the building access system at my employer. This control allows me to badge into the building but does not give me access to the electrical rooms or the data center.
b. Another example of a preventive control would be ATM cards. The cards, after verification of your PIN, go through a network to check your available balance. That check prevents you from withdrawing more than your available balance (or up to a certain amount to reduce fraud).
ii. Detective – controls designed to find out something bad happened.
a. An example of a detective control would be a smoke detector and/or a carbon monoxide detector. These devices do not prevent a fire or the cause of CO2 in your living space, but they let you know that something needs to be looked at.
b. Vehicle dashboard lights are also examples of detective controls. The check engine light flashes or stays on to let you know something has happened that has thrown an error code. The owner’s manual recommends you have it looked at by a professional to diagnose the issue and prevent more damage.
iii. Corrective – controls designed to fix something that happened.
a. I was recently on a project involving over 500 Excel spreadsheets that were being used to recalculate interest paid over a 5 year period. Those spreadsheets then aggregated to a master spreadsheet so all 500 accounts over the 5 year period could be viewed at a higher level. One of the spreadsheets was accidentally altered and another deleted. We requested a restore of that file from our file server from the previous day to get the data back.
b. I recently moved and discovered a dead tree in my back yard. I couldn’t do anything to prevent it; I moved too late to remediate the issue, so now my only option is to cut it down.
Michelangelo C. Collura says
Speaking as someone also moving soon, I like your example of the tree. To try for some creativity, a preventive policy for dead trees would be to check the age of the growth in a given location prior to purchasing the house. This is usually known by local government and can be publicly analyzed. A person would reduce the chance of dead trees by finding newer growth. Another preventive control is to avoid homes in flood plain areas, as this increases the odds of trees having their root systems drowned or torn up in floods.
Thank you for giving me a chance to get outside the box on this one!
Michael Gibbons says
The role the board of directors plays in IT Governance varies depending on the organization. The board of directors should have a voice when it comes to IT Governance. I have not come across any specific frameworks that define the Board’s role as it relates to IT, but in general terms, at a minimum, the Board should be in tune with how IT is supporting the organization to achieve its objectives. This could include status reports on technology spending, human resources needed to achieve those results, and involvement with critical areas of the organization such as disaster recovery, incident response, and innovation. I am seeing more and more regulation with an IT focus, and it should be a priority for a board to know how IT is responding to the changing regulatory landscape.
Jonathan Duani says
Michael,
I like how you mentioned that the board of directors should have a voice when it comes to IT Governance. I feel like this statement is very true. I think that most of the policies and decisions are made by the lower people in the organization, like directors and managers, and then once everything has been finalized the CIO, CTO, CISO, or CEO will explain these findings to the board for their “blessing”. Most people on a board of directors are at the top of their specific field; however, when it comes to things like IT they may not be as well versed. Even though their input should be taken into consideration because of possible outcomes of the implementation that they may have thought of that your team hasn’t, I think it’s more of a formality than anything else. I have noticed a lot while working in IT that we are invisible to most departments and people. The only time we are noticed is if something goes wrong, and a lot of the time things do not really change until something catastrophic happens.
Michael Gibbons says
Monitoring is the most important EDM process. I feel that any process or project can be completed but if there is no monitoring in place to substantiate those results and periodically checking to ensure those processes are still functioning as intended, then the entire process or project could fail without anyone realizing the extent of the failure.
Jonathan Duani says
Michael,
I agree that monitoring is very important; however, I feel like the other 2 do hold a rather important role as well. EDM, or Evaluate, Direct and Monitor, is part of the COBIT 5 domain. Even though monitoring might be really important, I feel that you can’t properly monitor a situation unless a proper evaluation has been completed. Once the evaluation has been completed and you are sure you know what has to be done, you can move forward and dictate to your team what needs to be put into place. Once all these controls are put into place you can start to monitor. I feel like they are all equally important because they seem to all work together.
Bilaal Williams says
I felt that the first step, Evaluation, was the most important in the EDM process; however, you make a valid argument for monitoring. Although monitoring is important, and there is no way to ensure the process is effective without proper monitoring, if the proper procedures are not established in the Evaluation phase there is no way to ensure that the monitoring is being done effectively.
Anthony Quitugua says
This is like the “Chicken or the Egg” argument: which came first and which is more important. In my opinion you are both right. Each step in the process is just as important as the next or the preceding. No single step can be effective unless the other ones around it are functioning properly. The process as a whole is important in its effectiveness. Pulling individual units out, or emphasizing specific phases, will negatively affect the entire process.
Michael Gibbons says
Thank you Anthony! I agree with the “Chicken or the Egg” argument. I think your description drives it home that these are all continuous processes and can’t be looked at like Project Management where a project starts, hits some milestones, and is marked as success. I believe it’s more of an information security continuous monitoring approach (define, establish, implement, analyze/report, respond, review/update/monitor, and repeat).
Michael Gibbons says
Examples I have seen related to IT governance in my organization include reporting of observations from internal audit and/or external examiners to the Audit Committee. This reporting allows the Audit Committee to ask questions and provide direction if they feel the organization is taking on a level of risk that is outside of their risk tolerance. The Board is also involved in Strategic Planning and a subset of the overall Strategic Plan includes an IT Strategic Plan that is aligned with the top level plan. The Board approves this plan on a periodic cycle as well as the budget that reflects items covered in both plans.
Mohammed Syed says
Control Environment –
The control environment is a tenure of the financial audit, internal audit, and enterprise risk management.
The information policy and control environment set expectations and requirements regarding delivery of value from information technology investments, appetite for risk, integrity, ethical values and responsibility. The control environment should be based on culture support. The control environment is the set of standards, development and structure that provides the basis for carrying out internal control across the organization.
Bilaal Williams says
Hi –
I agree, financial audit, internal audit, and enterprise risk management are the key players in the control environment in an enterprise. Their responsibilities are to achieve its strategic objectives, provide reliable financial reporting to internal and external shareholders, operate its business efficiently and effectively, comply with all applicable laws and regulations, and safeguard its assets. Also, the board of directors has the responsibility for developing the structure and ensuring the control environment is based upon an agreed-upon vision based on the culture of the organization.
Jonathan Duani says
Control Environment, as I see it, is defined as the base system that all the internal controls are created and enforced under. It is the groundwork that everything must adhere to in order to stay in compliance. However, with that being said, there are 3 different controls that are the most common. These controls are preventive, detective, and corrective.
Preventative controls are controls that are set up to try and avoid risks from happening in an organization before they happen. A couple of examples of this that I can think of in an organization are locking down the peripheral ports on devices. This way users cannot use a USB drive in order to bring infected material into the environment or bring classified or sensitive information out of the environment. Another example is having anti-virus software installed on all the devices in the environment. This is important because if there is a specific piece of software that is installed to block and stop the infections from getting in, even if someone would try something it should block them.
Detective controls are controls that are set up to try and sense a risk as it is about to happen and stop it before it starts. An example of this kind of control could be a firewall where it blocks all traffic to a specific server or system unless you are on a specific subnet or VLAN. This way if someone tries to get in, the traffic would get blocked before it even goes anywhere. Another example that could be used is again an anti-virus. This is important here too because the system can detect a threat from anywhere and do the proper steps to avoid it.
Finally, corrective controls are controls that are set up to fix problems after they have shown up. A good example of this would be software like Deepfreeze. No matter what would happen to the system you are on, if you would restart it, the device would essentially be reimaged. This would erase any of the threats and revert everything back to a proper working state. Another example of a corrective control is having backups of all systems. This will help because if something happens you can always restore from backup and have the system return to normal operation after a couple of hours of downtime, and not have to rebuild from scratch.
Richard Flanagan says
Jonathan – be careful with the word “system” in this topic. I think you are using it correctly but many readers may assume that you are speaking of a computer system. Automatic listening can lead to many confusions.
Jonathan Duani says
Thanks for the Clarification!
I was using the word system in this case as a broader word that encompassed all of information services throughout an organization, not only limited to a computer system. There are many other different types of “systems” in an organization that can be controlled by and fall under the IT governance umbrella that we are talking about.
Michelangelo C. Collura says
I would opine that having consistent back-ups qualifies as a preventive and a corrective control. They are preventive in that they allow you to avoid chaos from losing valuable data, and they are corrective in the way you described. From a cybersecurity standpoint, they may even be detective, as an investigator can cross-reference the data from a back-up to a current save with some compromised data, thus providing a useful comparison and a way to locate issues that may otherwise be harder to detect.
Jonathan Duani says
Hey Michelangelo,
I tend to agree with you. After thinking more on this subject, I feel like having a backup of any kind can be placed into all 3 categories. It can be preventative because it could prevent a disaster from happening. For example, I work in a hospital; since we have backups of all the critical systems it will prevent a lapse in patient care and prevent outages from happening. It can also fall under detective because if something is detected to be out of place or wrong, there could be a script in place to replace it with a correct backup to avoid downtime on a specific system. Finally, corrective will be important because if all hell breaks loose and nothing is going right, a user or admin can do a total restore of something from backup and be able to restore everything in a couple of hours instead of days.
Michael Gibbons says
Agreed. I would also throw in a forensic investigation as a detective control that could use backups. Those backups could hold information that leads to the discovery of an issue which could then be used to correct that issue in the production environment.
Duy Nguyen says
2. Define the three kinds of common controls and give two examples of each from your everyday life.
• Preventative controls are defined policies or procedures to control risks. Some examples would be requiring a supervisor sign-off on a request for access form, or getting ID checked at the POS when using a credit card.
• Detective controls are the process of identifying a problem after its occurrence. Reading logs to see why a process failed on an application. Checking the process monitor for process status.
• Corrective controls restore a system to a known state after a defined disaster. An example would be getting a database image restored after user error altered data incorrectly. Another would be running a SQL update to correct an errored process.
3. What is the role of the board of directors in IT governance?
• The Board of directors’ role is to ensure the future of the company by aligning the executive team with the company’s goals. One of the most important responsibilities of the board is to evaluate the overall strategy and direction of the company.
4. Which of the EDM processes do you think is most important and why?
• In my opinion EDM01 would be the most important; if IT governance is in line with enterprise governance it would make the other processes much easier to implement. If strategically both IT and enterprise goals are aligned, efforts for buy-in of executives and non-executive stakeholders would be eased.
5. If you’re working, have you seen examples of active IT governance in your organization?
• Working for the Philadelphia Housing Authority, our mission is to provide affordable housing for low income families. One way to provide that to as many families as possible is to control costs. In addition to controlling costs we also have many guidelines that we must follow since a portion of our budget does come from HUD. Based on these factors we are very IT centric. Almost all aspects of the company revolve around our ERP and a few minor applications. Our IT governance is support these applications/processes and make it as effective and efficient as possible.
The DentDel Case
Think about the following questions before class next week.
1. What processes were ineffective and allowed this situation to occur.
• The initial requirements gathering process failed. If the CIO had talked to super users or subject matter experts, he would have learned that the process was moving toward online ordering instead of office visits.
2. Where could stronger IT governance have helped DentDel avoid this situation?
• In my opinion, stronger IT governance would have helped DentDel avoid this project. Stronger IT governance would have had more reviews of this project by the right stakeholders and the right resources. A more defined PM team and a project committee could have saved the company from finding out too late that they wasted $8 million.
Richard Flanagan says
Duy – You say “Our IT governance is support these applications/processes and make it as effective and efficient as possible.” I would say that those are the outcomes of your IT governance, not the governance itself. Who decided on getting an ERP? What parts of the operation are underserved/over-served by IT? To whom does the CIO go when he/she has a problem? If you can’t answer those questions quickly, then the IT governance is likely ad hoc and your strategies may have just evolved.
Duy Nguyen says
Yes, you are correct. I mixed IT governance with goals/outcome. Our CITO has a board/committee that he reports to aside from the board of directors. The board is made up of executives from across departments.
Monique Bonds says
In your own words, how would you define a control environment?
A control environment is a set of rules, policies, and procedures in place to attempt to protect the integrity and value of a company. It is an organizational culture where the actions of members/employees of an organization should reflect the expectations of that culture. The strongest influences in a controlled environment are the leaders of the organization, and their actions set the tone for the controlled environment.
Define the three kinds of common controls and give two examples of each from your everyday life.
The three types of common controls are preventive, detective, and corrective controls. Preventive controls are actions taken to avoid undesirable losses to an organization. Two examples of preventive controls I use daily are locks on my doors and a password for my computer. Detective controls are controls that alert an organization that something or someone is not doing what is expected, or simply monitor an environment. Two examples of detective controls I use daily are a fire alarm and fraud detection on my bank account. Corrective controls are actions taken to minimize loss or avoid a loss from happening or occurring again. Two examples of corrective controls I use daily are blocking my credit card from being used outside my residential state and an alarm clock to wake up.
What is the role of the board of directors in IT governance?
The role of the board of directors in IT governance is as the leaders of an organization. They ensure the future of an organization by monitoring the performance and actions of senior management.
Which of the EDM processes do you think is most important and why?
The EDM process I think is most important is monitoring. Monitoring is most important because it is the results of evaluating and directing. Reports from monitoring can provide information on what processes should be improved, what new processes should be introduced and what processes lack value.
If you’re working, have you seen examples of active IT governance in your organization?
I have seen examples of IT governance in my organization. One example is limited system access. Your role at my organization determines the amount of access you are granted in specific applications or software. You could be in a position that provides limited access to an application or no access at all.
Richard Flanagan says
Monique – I think blocking your credit card out of state is really a preventative control. Still using credit cards as an example, I think the bank cancelling your card, limiting your losses to $50 and issuing a new card are corrective controls.
Anthony Quitugua says
Following up on the credit card example… my current role is with Fraud/Risk Oversight at JPMC, and one of the groups I provide oversight for is Credit Card Fraud. In order to prevent fraud we establish numerous preventative controls called “rules” that can prevent certain transactions based on certain criteria. One of those could be limiting out-of-state transactions. One of our primary detective controls is an army of fraud analysts that are constantly scouring data looking for evidence of fraud and possible trends.
We have the rules in place to prevent fraud, but fraudsters are clever and always seem to find a way around them.
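The preventive/detective/corrective split that Pascal, Jonathan, Duy and Anthony describe above can be made concrete in code. The following is an added example, not code from this course page, from JPMC, or from any of the commenters: a toy payment-approval flow in Python with a preventive layer that refuses a transaction before it completes (out-of-state use, amount above a supervisor threshold, approver over their authority), a detective layer that reviews an already-posted ledger for the lapses Pascal described (an approver acting above their limit, an amount that does not match what the beneficiary requested), and a corrective layer that maps each finding to the step that restores the approved state. The dollar thresholds, approver names, home state and ledger entries are all constructed sample values.

```python
"""Preventive, detective and corrective controls over a payment flow.

Added example for the discussion of control types; not code from the
course page or any commenter. All policy values and ledger rows below
are constructed sample data, not real thresholds or transactions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy values (assumptions for this example).
SUPERVISOR_APPROVAL_THRESHOLD = 1000.00            # above this, a supervisor must sign
APPROVER_LIMITS = {"alice": 5000.00, "bob": 2000.00}  # each approver's own authority
HOME_STATE = "PA"                                   # card use outside this state is refused


@dataclass
class Transaction:
    txn_id: str
    amount: float               # what was (or would be) paid
    state: str                  # where the card was presented
    requested_amount: float     # what the beneficiary actually asked for
    approver: Optional[str] = None
    supervisor: Optional[str] = None


@dataclass
class Finding:
    txn_id: str
    kind: str       # "over_authority" or "amount_mismatch"
    detail: str


def preventive_check(txn: Transaction) -> List[str]:
    """Preventive control: evaluated BEFORE the payment completes.

    Returns the list of reasons the payment must be refused; an empty
    list means it may proceed. Each rule is a 'stop it from happening'
    rule, like Anthony's out-of-state rule or Pascal's $1,000 sign-off.
    """
    reasons: List[str] = []
    if txn.state != HOME_STATE:
        reasons.append(f"card presented outside {HOME_STATE}")
    if txn.amount > SUPERVISOR_APPROVAL_THRESHOLD and txn.supervisor is None:
        reasons.append("amount above threshold without supervisor approval")
    limit = APPROVER_LIMITS.get(txn.approver or "", 0.0)
    if txn.amount > limit:
        reasons.append(f"approver {txn.approver!r} exceeds authority of {limit:.2f}")
    return reasons


def detective_review(ledger: List[Transaction]) -> List[Finding]:
    """Detective control: evaluated AFTER the fact over posted payments.

    Catches what the preventive layer missed or pre-dated: an approver
    who acted above their limit, and a paid amount that does not match
    the beneficiary's request (the complaint in Pascal's example).
    """
    findings: List[Finding] = []
    for txn in ledger:
        limit = APPROVER_LIMITS.get(txn.approver or "", 0.0)
        if txn.amount > limit:
            findings.append(Finding(txn.txn_id, "over_authority",
                                    f"approved by {txn.approver!r} above {limit:.2f}"))
        if abs(txn.amount - txn.requested_amount) > 0.005:
            findings.append(Finding(txn.txn_id, "amount_mismatch",
                                    f"paid {txn.amount:.2f}, requested {txn.requested_amount:.2f}"))
    return findings


def corrective_actions(ledger: List[Transaction],
                       findings: List[Finding]) -> Dict[str, List[str]]:
    """Corrective control: for each finding, the step that restores the
    approved state. Returns {txn_id: [action, ...]}."""
    by_id = {t.txn_id: t for t in ledger}
    actions: Dict[str, List[str]] = {}
    for f in findings:
        txn = by_id[f.txn_id]
        steps = actions.setdefault(f.txn_id, [])
        if f.kind == "over_authority":
            steps.append("reverse payment and resubmit for supervisor approval")
        elif f.kind == "amount_mismatch":
            steps.append(f"reissue at requested amount {txn.requested_amount:.2f} "
                         "and notify the beneficiary")
    return actions


# Constructed sample ledger of payments posted before the checks existed.
SAMPLE_LEDGER = [
    Transaction("h1", 2500.00, "PA", 2500.00, approver="bob"),     # bob's limit is 2000
    Transaction("h2", 900.00, "PA", 750.00, approver="alice"),     # paid more than requested
    Transaction("h3", 400.00, "PA", 400.00, approver="alice"),     # clean
]


if __name__ == "__main__":
    print(preventive_check(Transaction("t1", 1500.00, "PA", 1500.00, approver="bob")))
    found = detective_review(SAMPLE_LEDGER)
    for f in found:
        print(f)
    print(corrective_actions(SAMPLE_LEDGER, found))
```

The point the code makes is the one Rich keeps correcting in the thread: the same rule (an approver limit) is preventive when it is checked before the payment goes out and detective when it is checked over the ledger afterwards, and the corrective step is whatever returns the ledger to the approved state, not the check itself.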
Michelangelo C. Collura says
Here are several more answers to the week’s questions.
Define the three kinds of common controls and give two examples of each from your everyday life.
The three kinds are preventive, detective, and corrective controls. Preventive are used to prevent errors in security oversight, detective are to identify errors not found or prevented by preventive controls, and corrective are to address problems not prevented or identified. In other words, they are to correct errors that have already occurred and avoided identification at first. A valuable preventive control would be two-factor authentication on your inbox to prevent intrusion, and another would be the use of biometric scanning on smartphones. Two detective controls would be a malware program like Avast on one’s PC, or a root-scanning tool to detect changes to the root directory on a daily basis. Two corrective controls could be basic command lines to auto-correct grammatical mistakes in a database, or perhaps a password suite able to automatically create new passwords across multiple sites. One such tool is LastPass.
What is the role of the board of directors in IT governance?
The board is absolutely fundamental to IT governance because they are overseeing the appropriate application of IS tools, processes and policies. Their duty to shareholders and employees is to use their unique big-picture view of the organization to understand and respond to patterns and problems either as they arise or preempting them through appropriate governance. At no point should the board be oblivious to the role of IT governance in the organization, nor should they be ignorant of current issues facing them in that arena. By keeping on top of things and understanding the current issues, the board also perpetuates a culture of responsibility and concern – a philosophy that would trickle down to the rest of the organization.
Bilaal Williams says
Hi Michelangelo,
I agree that the board has a unique big picture view of the organization that is used to respond to patterns and problems in the business. This view is used to establish an agreed-on direction for governance. The board must articulate this vision and it must be communicated to everyone in the enterprise and continually reinforced to foster a culture that will implement the practices required to move toward this vision.
Anthony Quitugua says
Yes, the board must keep the big picture view of the organization, but they must also be able to answer the “hard questions” in the event that a major event happens. This is only possible if they maintain an active role within the governance process, either by directly interacting or by keeping open communication channels with whomever is delegated to run the governance.
Anthony Quitugua says
The role of the Board in IT Governance
As stated in the IBIT reading, the Board of Directors basically has two choices when it comes to IT Governance/Cyber Security Risk. They can either own the responsibility as a whole, or delegate it to a standing committee of the board. If they choose the second route, the board must ensure that the committee keeps the board as a whole apprised of its activities. In either case, each member of the board must feel comfortable being able to answer any questions that would arise from an IT/Cyber incident.
The IBIT reading goes on to explain that the board must further decide who, within the board (or committee) owns the actual oversight responsibility. Whoever this person is, they must be able to “speak the language of the business” as well as understand the intricacies of the IT structure. Communication is key in order to keep management “in the loop” with the governance structure.
Brandan Mackowsky says
A control environment is an area in which policies and procedures exist to ensure that a business is able to properly run its daily operations with an ability to mitigate its risk. A control environment is used as an area for the business to review its practices to ensure risk cannot overtake its model and cause it to ultimately fail. By adhering to a proper control environment, all laws and rules should be followed and the business would be run ethically and stand out in its competitive market. Within this, everyone in the business should have a clear understanding of their roles and responsibilities to ensure that the business is continuously run efficiently and effectively to ensure success in the market.
Brandan Mackowsky says
There are three different types of controls available for an organization. Preventive controls ensure that policies and procedures are written and followed because management sees a potential risk and has developed methods to prevent it. Examples of these controls would be having a supervisor approve an order made by an associate to ensure it is warranted or having a credit card authorized by the card service to ensure the purchase from a store is legitimate. Detective controls are in place in an organization in order to identify problems that already exist within the business. Examples of these would be auditors reviewing logs from a computer to see access errors when users log in and make changes, or reconciliation of bank accounts to ensure cash flow is tracked and legitimate. Corrective controls are in place in order to repair the current state of an objective to the ideal, approved state. Examples of this are fixing a system with a virus by restoring it to a version without the virus installed or removing changes to a business in order to appease customers wanting the old business model back. Ultimately, controls are the administrative practices within a business that are used to achieve objectives within the business and to mitigate all negative occurrences.
Brandan Mackowsky says
The role of the board in IT Governance is to ensure that management is effectively managing the business from a top-down perspective, making sure to appease shareholders and provide a positive return on their investment. In the specific reading focused on IBIT, a primary role of the board is to determine a clear owner and communication person for cyber security risk who works closely with the CEO. Another crucial decision that the board needs to take is deciding where its primary oversight will lie. This ensures that the board will have a key focus as to what it wants in the organization. For example, the board does not write policy but will review policies that are proposed to be set in place and decide whether to accept or reject the proposals. Another essential piece of the board in governance is ensuring that the cyber security owner is able to effectively communicate with directors using the business risk language. It is also crucial for the board to have recurring meetings to ensure that they are informed on current information and able to enact decisions to benefit the future of the organization.
Heiang Cheung says
#4 Which of the EDM processes is most important and why? Out of the 5 I would think the first one is the most important: Ensure governance framework setting and maintenance, because it sets the foundation for all the processes that follow. Like we talked about last class, it’s about the “right things, done right” mantra. EDM01 is to analyse and articulate the requirements for the governance of enterprise IT and put in place and maintain effective enabling structures, principles, processes and practices with clarity of responsibilities and authority to achieve the enterprise’s mission, goals and objectives. Without this all the other processes are just the right thing and not done right.
Heiang Cheung says
There are definitely examples of IT governance where I currently work. Even though I don’t work in the IT department, you notice there is a certain procedure to get certain things done. There are multiple approval processes to be able to get things done. For example, I’m an accountant and I can’t get ISM to remove a post unless my manager approves it. You could tell the chain of command and know what each person in the IT department.
Brandan Mackowsky says
While I think that each EDM process is crucial to ensuring the smooth operation of an organization, I think the most key one is the first one: Ensure governance framework setting and maintenance. By focusing on the governance aspect, a system is established that the organization can abide by and grow with. The goal of the process alone is stated as it “put in place and maintain(s) effective enabling structures, principles, processes, and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission, goals, and objectives.” EDM two through five focus on benefits, risk optimization, resource optimization, and stakeholder transparency. While all are crucial to have an organization properly function, governance is that key foundation as to how the business will conduct itself. With IT governance establishing a key base, the organization is better able to realize the true benefit the IT brings to the overall business value. With governance as a key foundation, the other EDMs can operate effectively as risk is mitigated through the use of governance. Governance ultimately provides an organization with a basis and a set of standards to operate effectively.
Brandan Mackowsky says
In any organization, IT Governance will be evident throughout daily activities. Given that I work in IT Audit, our organization is rather familiar with IT Governance, as we must abide by specific standards and policies; however, we also go through and audit specific policies to ensure that they are compliant with governance objectives. One thing I’ve learned in my organization is that while there is an overall governance objective, in a large organization governance will exist at many different levels. Similar teams may follow different governance structures in order to suit their specific needs, running accordingly in order to provide value to the organization as a whole. One thing I notice in IT Audit is how some of these specific governance objectives are not very effective and may require a restructure in order to remain compliant with the overall organizational governance goals. The crucial thing in identifying a form of governance is understanding what it does, how it provides a framework, and why it provides value to each business unit and the organization as a whole.
Jonathan Duani says
In the DentDel case there are a couple of places where ineffectiveness caused this situation to occur. The biggest problem that I saw was the lack of leadership, especially at the executive level. The project is costing the company millions of dollars. Since this project was priority number 1 and had to get done right away, the company did not include the board in the decision-making process; the board was told what was happening and that is it. Also, there was an ad hoc team put together with Sarah, Cedrick, and Chuck. These 3 made all decisions on the project; however, there was no point person or chair. So there was no overall voice that made a final decision when things came up. Since everyone was doing their own thing, there was no control over the project and no set-out duties, which caused the project to fall apart and money to be lost as a result.
If DentDel were able to implement strong IT Governance to the point where there was a clear leader, and fully included the board in decision making, it could have saved the company a lot of money by stopping overspending. Finally, it would have cut back on a lot of confusion due to the lack of a chairperson and final decision maker.
Michelangelo C. Collura says
This seems like the best place to check in on this, since there is heavy comment traffic. Does anyone know where or if class meets tonight? I was under the impression that we’re meeting in a classroom and not on WebEx.
Paul Needle says
Three kinds of controls would be preventative, detective and corrective. We have all kinds of preventative controls in my work, including passwords, encryption, and segregation of duties. We also utilize several corrective controls that typically occur during off-peak hours. These are patch updates, Windows updates, and other software updates. These can be both preventative and corrective.
Paul Needle says
The board’s role in IT is threefold. First is to appoint a position such as a chief security officer or chief information security officer. The board must then determine how they want to see the reporting structure within the organization. Finally, there needs to be structured communication implemented between the board and the person responsible for IT.
Paul Needle says
The DentDel, Inc. case was clearly a situation that had no structure with project implementation. The budget was never formally approved. The value of the product was not clearly identified. There should be some kind of net present value or IRR calculation performed to prove the investment is worth the cost. There should be budget reviews throughout the project with board oversight and approval to confirm that everyone is aware of the progress. Overall there was a severe lack of structure and communication, which is likely a sign of the culture.
Pascal Allison says
DentDel, Inc had a serious control environment issue. Who created or appointed the ad hoc committee? Who approved the budget? How was the fund availed to the project team for spending? Who are the stakeholders (sponsors)? Who is monitoring the project?
The DentDel, Inc case called a “project” was ineffective and inefficient. There was no bearing of a project – no project plan (goal, schedule, definition, etc.). Because of the lack of efficient planning and structuring of the project (communication, risk management, financial, deliverable, etc.), the action to resolve the original issue seems a charade.
A serious audit is required to ensure there was a need for the project and how the project was instituted and performed.
The control environment needs revitalization (preventive, detective, and corrective controls).
Tamekia P. says
1. In your own words, how would you define a control environment?
I would define the control environment as the governance of the controls. What is the tone at the top of the organization relating to controls? How are the controls documented? Are there policies and procedures in place? These are a reflection of how seriously the organization is committed to a strong internal control environment.
2. Define the three kinds of common controls and give two examples of each from your everyday life.
Preventive controls: These are the controls implemented to avoid the error occurring or limit the significance of the error.
a. Passcode required at ATM – reduces risk of unauthorized withdrawals
b. Withdrawal limits – limits amount of money that can be withdrawn daily. So if someone does have your ATM card, they can’t take out your entire life savings in a day.
Detective controls: These controls help you to identify that an error has occurred.
a. Balancing Checkbook – By writing out transactions on checkbook, we can verify against bank statement to identify misuse or errors
b. Banking Alerts – Can opt in to alerts from Bank to alert you to the fact that your card has been used, below a certain limit, etc. This prevents potential overdraft fees as well as alert you to card transactions that you didn’t authorize.
Corrective controls: These controls help get back to the original starting point.
a. Password Reset – After several incorrect passwords have been entered on your account, your account is locked until the owner unlocks the account.
b. Overdraft Protection – Enroll in overdraft protection, so that in the event your account is overdrawn, you will have funds transferred from another account to cover the balance.
3. What is the role of the board of directors in IT governance?
The role of the board of directors in IT governance is to ensure that IT decisions make sense given the overall direction of the company. In instances where there are issues, the board should ensure there is necessary corrective action to protect the interest of stakeholders.
4. Which of the EDM processes do you think is most important and why?
The most important EDM process is to ensure governance framework setting and maintenance. This process is the foundation for the remaining processes. By setting up the necessary structures there will be a plan to execute on. When things deviate from expectations, the structures and practices in place will allow the organization to course correct because goals and procedures have been clearly articulated.
5. If you’re working, have you seen examples of active IT governance in your organization?
Steering committees related to new applications or modifications to existing applications. Before a project is completed, all of the stakeholders (IT, Finance, Internal Audit/SOX, external auditors, etc.) are allowed to participate. In this forum, concerns can be shared with the larger audience to avoid creating a situation where a modification creates an unforeseen impact to the organization.
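The banking examples in the list above (daily withdrawal limit, balancing the checkbook against the statement, banking alerts, lockout after repeated bad PINs, overdraft protection) can be written out as code so the three control types can be compared side by side: a preventive control refuses the action, a detective control only records and reports it, a corrective control restores a safe state afterwards. This is an added Python example, not code from the course, the readings or any commenter; the account, PINs, limits and statement entries are all constructed sample values.

```python
"""Preventive, detective and corrective controls modelled on a constructed bank account.

Added illustration for the control examples in this thread; not code from the course
or any commenter. Balances, PINs, limits and statement entries are constructed values.
"""
from collections import Counter
from dataclasses import dataclass, field

DAILY_WITHDRAWAL_LIMIT = 500   # preventive: daily cap on withdrawals (assumed value)
LARGE_WITHDRAWAL_ALERT = 200   # detective: alert at or above this amount (assumed value)
MAX_FAILED_PINS = 3            # corrective: lock the card after this many bad PINs (assumed)


@dataclass
class Account:
    balance: int
    pin: str
    backup_balance: int = 0                      # linked account used for overdraft protection
    withdrawn_today: int = 0
    failed_pins: int = 0
    locked: bool = False
    alerts: list = field(default_factory=list)   # what the "banking alerts" would send
    ledger: list = field(default_factory=list)   # our own checkbook record of transactions


def withdraw(acct: Account, amount: int, pin: str) -> str:
    """Apply the three control types in order and return a short outcome code."""
    if acct.locked:
        return "locked"

    # PIN check on each attempt; after repeated failures the corrective lockout
    # freezes the card until the owner unlocks it (the "Password Reset" item above).
    if pin != acct.pin:
        acct.failed_pins += 1
        if acct.failed_pins >= MAX_FAILED_PINS:
            acct.locked = True
            acct.alerts.append("card locked after repeated failed PIN attempts")
            return "locked"
        return "bad_pin"
    acct.failed_pins = 0

    # Preventive: the daily limit bounds the loss if someone else has the card.
    if acct.withdrawn_today + amount > DAILY_WITHDRAWAL_LIMIT:
        return "limit_exceeded"

    # Corrective: overdraft protection tops up the balance from the linked account.
    if amount > acct.balance:
        shortfall = amount - acct.balance
        if shortfall > acct.backup_balance:
            return "insufficient_funds"
        acct.backup_balance -= shortfall
        acct.balance += shortfall
        acct.alerts.append(f"overdraft protection transferred {shortfall}")

    acct.balance -= amount
    acct.withdrawn_today += amount
    acct.ledger.append(-amount)

    # Detective: the withdrawal has already happened; the alert only makes it visible.
    if amount >= LARGE_WITHDRAWAL_ALERT:
        acct.alerts.append(f"large withdrawal of {amount}")
    return "ok"


def reconcile(ledger: list, statement: list) -> tuple:
    """Detective control: balance the checkbook against the bank statement.

    Returns (entries only in our ledger, entries only on the statement); anything
    in either list is a discrepancy to investigate.
    """
    mine, bank = Counter(ledger), Counter(statement)
    return sorted((mine - bank).elements()), sorted((bank - mine).elements())


if __name__ == "__main__":
    acct = Account(balance=600, pin="1234", backup_balance=300)
    for amount, pin in [(250, "1234"), (300, "1234"), (200, "1234"), (50, "0000")]:
        print(amount, withdraw(acct, amount, pin))
    # constructed statement carrying one debit we never recorded ourselves
    print(reconcile(acct.ledger, [-250, -200, -40]))
    print(acct.alerts)
```

Note the ordering: the preventive checks run before any money moves, the corrective overdraft transfer changes state to keep the account valid, and the detective alert and reconciliation never block anything; they exist to surface what already happened.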
Tamekia P. says
Case Questions
1. What processes were ineffective and allowed this situation to occur.
This project was lacking all of the EDM processes. The business strategy was never aligned to the IT strategy. Employees looked for a quick fix that was not clearly researched. There was no indication that a cost benefit analysis was performed to ensure that the initiative would be worth the cost. The risks of failure / write-off were not considered in the initial business case or the executive committee would have been involved. There was no attempt to make sure that the resources would be available at the right times during implementation of the project. The executive committee was not involved in the decision making therefore eliminating shareholder transparency.
2. Where could stronger IT governance have helped DentDel avoid this situation?
Procedures in place that required consultation/approval of executive committee for expenditures over a certain threshold.
No accountability. The same people that were responsible for the idea were also consulted. There was no mechanism to get feedback.
Additional information should have been required for the business case. There are things that were discovered during the course of the project that could have been fleshed out with additional research.
Patrick DeStefano (tuc50677) says
In your own words, how would you define a control environment?
To me, a control environment encompasses several things such as processes/procedures, attitudes, expectations, as well as contingency planning.
Processes & procedures are put in place to assist with protecting the firm in many ways. For instance, in the DentDel case, if they had a procedure whereby every project estimated to cost over ‘x’ dollars must be presented to and approved by all of the executive committee, their situation may have been avoided.
Overall employee attitude must also be refocused on adhering to and improving controls and security. This can be achieved many ways, but should be consistently brought up by management and employees at all levels in forums such as town-halls, and panel discussions to reinforce the importance and reasoning behind it.
Everyone must be held to certain expectations surrounding the control environment. There should be recognition for strides in the right direction and improvements in control adherence, and there must also be consequences for failure to follow and negligence.
As much as we would all like to say that the control environment is fool-proof and perfect, there will always be risk and most likely people here and there who do not place the same importance on it as senior management does. That being said, part of the control environment should also encompass contingency planning for cases where something goes wrong. Understanding that you can’t plan for every possible scenario, the general framework should be in place for general issues related to failures of the controls and control environment.
Patrick DeStefano (tuc50677) says
Define the three kinds of common controls and give two examples of each from your everyday life.
The three kinds of common controls are Preventative Controls, Detective Controls, and Corrective Controls.
Preventative controls, like the name implies, are controls put in place to prevent a risk occurrence. They include things such as policies and procedures, whether they be access related procedures or a policy for getting projects approved. These can be as simple as a speed limit on a street being used as a preventative control to lower the risk of you getting in a speed-related accident. A more technical example could be a company having in place a policy that only a select few people on a production management team are given access to a production environment and in order for them to make any updates, they would need to first have an official request created and approved by management. This type of policy could be in place to prevent just anyone from going and updating something in the production environment that could affect hundreds, thousands, or even millions of the firm’s customers.
Detective Controls don’t include policies or procedures and don’t prevent anything from happening. Detective controls keep a lookout for things that have already happened. They look for suspicious or out-of-the-ordinary activities which may be indicative of something going wrong which may need to be acted upon. Going along with my earlier example of a speed limit, the detective control here would be a state trooper sitting there with his radar capturing the speed of traffic. Thirty cars may go by at or close to the posted speed limit; however, his radar acts as the detective control and lets him know when one of those vehicles is going beyond the legal limit.
Corrective Controls are tasked with bringing everything back to the expected results. Whenever a detective control finds something out of the ordinary, the corrective control would be responsible for bringing the outlier back within the allowable range. Continuing with the speed limit theme, an example of this could be something as benign as one of those radar speed signs which tells drivers how fast they are going, to something as active as the state trooper pulling you over for speeding and giving you a fine. The speed sign is attempting to advise drivers that they may want to check their speed, and getting pulled over has more impact on your mindset of correcting your speed so as not to be inconvenienced or financially affected by getting a ticket.
Mohammed Syed says
The role of directors in information technology and governance focuses on risk management, intentional alignment, assessment generation, information security, IT process performance, and IT human capital management. Their clear responsibilities include judgment rights, reporting, mechanisms, content, place and the frequency of reporting and discussions.
Information security: Data must be classified then appropriate protection can be applied based on the classification of data. Systems can be designed to protect the information but the best security system will not be effective if the staff is not informed and does not abide by the information policy.
Risk management: Information technology risk is defined as the risk of non – performance of people, process and technology.
Human Capital Management: Capital management should cover the IT executive management, principles and operate within a comprehensive plan of corporate governance for the purpose of defining responsibilities, setting high standards of professional and personal conduct, and assuring compliance; corporate governance is essential to running a business.
Process Management and performance: The development and monitoring of key metrics within a performance dashboard are a critical element of IT process management.
Donald Hoxhaj says
1. In your own words, how would you define a control environment?
A control environment is the environment that a company operates in everyday regarding action, policies, and values that are set by management to lower risks to the overall organization. Management sets the tone at the top, so it is important that the tone is one that promotes behaviors and values that support the control environment. An organization may have all the proper actions, policies and procedures in place to mitigate risks, but the control environment plays an important role in how effective they will be.
Donald Hoxhaj says
2. Define the three kinds of common controls and give two examples of each from your everyday life.
Three common controls are: detective, preventive and corrective. A preventive control is the anti-virus software I have installed on my laptop. A corrective control is the monthly backup of my computer to a hard drive.
Donald Hoxhaj says
3. What is the role of the board of directors in IT governance?
The role of the board of directors in IT governance is to ensure IT management is following the IT strategy put in place, and align with business objectives to reduce the risks of the organization. Additionally, the board of directors oversees IT to ensure it adds value to stakeholders and owners.
Donald Hoxhaj says
4. Which of the EDM processes do you think is most important and why?
I believe EDM01 (Ensure Governance Framework Setting and Maintenance) is the most important to an organization. EDM01 focuses on IT and business strategy alignment and without a strong foundation in place and clear responsibilities, an IT organization will not have the proper business management support and be successful.
Donald Hoxhaj says
5. If you’re working, have you seen examples of active IT governance in your organization?
My organization relies heavily on IT since much of our work is done remotely, whether from home or at client sites, so I have seen examples of active IT governance. There are various IT initiatives that I have seen which have been developed to support new business initiatives relating to efficient communications or effective sharing of resources. Our IT strategies definitely seem to be aligned with business strategy, and that is due in part to strong governance.