COBIT Part 1: IT Governance (IT Governance Framework)
COBIT Part 1: IT Governance
March 2009

Opening
Please briefly introduce yourself:
- Name and company
- Industry and nature of your work
- How far your company has progressed with IT governance
- What you want to learn in this class
- Anything you would like to share with everyone

Frontier Corner

IT management to IT Governance
[Diagram: landscape of frameworks and standards: ISO 31000, ISO 38500, BS 25999, PRINCE2, PMBOK, COBIT, ITIL V3, ISO 27001, ISPL, SCAMPI, TOGAF, Security, Availability Mgt, ISO 17799, ISO 13335, ISO 9001, SW CMMI, Quality Management System, IT Governance, Service Mgt, Governance, Risk Mgt, ISO 15408, Project Mgt, New service, ITIL v2, IT Management, ITSCM, Change, Release Mgt, TicketIT, NIST 800, SLM, BR, Configuration Mgt, ITSM, Supplier Mgt, Mgt system, Org, Finance, Capacity Mgt, ISO 15504, Appraisal, audit Mgt, MOF, MSF, ISO 20000]

COBIT foundation exam
The exam consists of 40 multiple-choice questions. To pass the exam, an individual must correctly answer 28 or more questions or attain a score of 70% or higher.
Prerequisites: None
Learning Outcomes:
- How IT management issues are affecting organizations
- The need for a control framework driven by the need for IT governance
- How COBIT meets the requirement for an IT governance framework
- How COBIT is used with other standards and best practices
- The COBIT framework and all the components of COBIT
- How to apply COBIT in a practical situation
- How the use of COBIT is supported by ITGI
COBIT is a registered trademark of ISACA.

Certifications overview
[Diagram: ISO 38500, ISO 20000, ISO 27001, COBIT foundation exam, ITIL Foundation exam, Service Manager, Expert, CISA, CISM, CISSP; labels: BUSINESS, INDIVIDUAL]

Learning objectives
Understand what IT governance is and why IT governance is needed.

Agenda
- Governance to why we need IT Governance
- What is IT Governance
- IT Governance Framework
- IT Alignment
- Value Delivery
- Risk Management
- Resource Management
- Performance Management
- ISO 38500:2008 vs. CGEIT
- Conclusions

World-class IT
- Aligned with the business and providing transparent value
- Top management attention through appropriate IT Governance mechanisms
- Engaged in performance measurement
- Committed to continuous improvement

Enterprise Governance
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
- Providing strategic direction
- Ensuring that objectives are achieved
- Ascertaining that risks are managed appropriately
- Verifying that the enterprise's resources are used responsibly

Enterprise governance is about:
- Conformance: adhering to legislation, internal policies, audit requirements, etc.
- Performance: improving profitability, efficiency, effectiveness, growth, etc.

Enterprise Governance Drives IT Governance
Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
[Diagram labels: Performance, Conformance]

Scenario: IT Governance
- IT is an intensively discussed topic in organisations and enterprises. Discussion ranges from "cost factor" to "business enabler".
- A close link between the enterprise strategy and the IT strategy is key, but it seems the distance between enterprise management and IT is growing.
- Top managers very often come from the "classical" disciplines. CIOs are not very often members of the Board.
- For many enterprises, "Consolidation", "Concentration on core business" and "Operational Excellence" are additional priorities of today.

Organizations require a structured approach for managing these and other challenges. This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.

The Need for IT Governance
- Keeping IT Running
- Security
- Value
- Cost
- Managing Complexity
- Aligning IT with Business
- Regulatory Compliance
2007 IT Governance Institute. All rights reserved. www.itgi.org

Forces Driving IT Governance
- Compliance
- Security
- Business/IT Alignment
- ROI
- Project Execution

Role of IT
[Chart: IT evolution over time, 1960s to 2010s, for Airlines, Retailing, Automotive, Health Care and Financial Services. IT role: Support back office; Support core business processes; Source of differentiation and advantage. Copyright The Boston Consulting Group]
IT needs to be linked with business strategy to generate value for the business.
Development exhausted, or new future push to be expected?
IT evolving from Support Tool into Source of Competitive Advantage

Why get into IT Governance
- Due diligence
- IT is critical to the business
- Expectations and reality don't match
- IT hasn't gotten the attention it deserves
- IT involves huge investments and large risks

Sarbanes-Oxley (cont.)
Effects of Sarbanes-Oxley:
- Created the Public Company Accounting Oversight Board (PCAOB)
- Reinforces auditor independence
- Strengthens internal control structure within organizations
- Upgrades financial disclosures
- Created accountability at the executive level
- Protects investors

China's Sarbanes-Oxley: the Basic Standard for Enterprise Internal Control
- Jointly issued on 2008-06-28 by the Ministry of Finance, the China Securities Regulatory Commission, the National Audit Office, the China Banking Regulatory Commission and the China Insurance Regulatory Commission
- In force from 2009-07-01, first for listed companies
- Drafted with reference to the Sarbanes-Oxley Act of 2002, enacted in the United States on 2002-07-30
- The Sarbanes-Oxley Act imposed many new, strict requirements on corporate governance, oversight of the accounting profession and securities market regulation, and set up accountability mechanisms and corresponding penalties for internal control and risk management. Since then, a worldwide storm of strengthening enterprise internal control and risk management has set in.
Welcoming the arrival of the internal control era

Requirements and breakthroughs of the Standard
Requirements, responding to the development trend of the domestic financial and accounting supervision system and to needs such as the principal-agent relationships within enterprises:
- Listed companies shall self-assess the effectiveness of their internal control and disclose an annual self-assessment report
- Identify the elements of internal control within the enterprise and establish internal control mechanisms
Breakthroughs:
- Defines the meaning of internal control, stressing that internal control is a process carried out by the enterprise's board of directors, board of supervisors, management and all employees to achieve the control objectives
- Helps establish the concept of comprehensive, all-staff, whole-process control

Internal control framework: five objectives, five elements
Five objectives (reasonable assurance):
- Enterprise strategy
- Legal and regulatory compliance of the enterprise's operations and management
- Truthful and complete financial reports and related information
- Improved operating efficiency and effectiveness
- Helping the enterprise achieve its development strategy
- Safety of assets
Five elements (interrelated and mutually reinforcing):
- Internal environment as an important foundation
- Risk assessment as an important link
- Control activities as an important means
- Information and communication as an important condition
- Internal supervision as an important guarantee
Build an internal control implementation mechanism with the enterprise as the main body, government supervision as the driver, and audit by intermediary institutions as an important component.

Basel II: Risk Classification
[Diagram: Total Risk: Credit Risk, Market Risk, Other Risks; labels: Considered, Not considered]

Sample Questions
Which one of the following is currently driving the interest in IT best practices?
- Convergence in many technologies
- Industry standardisation
- Increasingly complex IT-related risks
- Lower cost of technology

Sample Questions
Governance and control frameworks provide IT management with best practice for which one of the following?
- performing computer operations
- resolving disputes with IT vendors
- remunerating IT staff
- complying with regulatory requirements

Sample Questions
Which of the following is a common reason why IT projects exceed budget expectations or deadlines?
- Cost of IT specialist
- Unavailability of the latest technology
- Underestimation of the effort required
- Lack of automation of development tools

Sample Questions
Which of the following is the most likely reason why IT projects exceed budget expectations or deadlines?
- Technical problems
- Shortage of skilled resources
- Poor development methodologies
- High cost of IT experts

Governance
[Diagram: Inherent Risk, Control, Residual Risk. Local Management are concerned with these; Senior Management are concerned with this.]
Who makes decisions, why, and how

The COSO Internal Control Framework
The Committee of Sponsoring Organizations (COSO): Internal Control - Integrated Framework
- Published in 1992
- Reissued in 1994
- For Sarbanes-Oxley Section 404, management must select a framework as their basis for control review
- COSO is the most widely recognized internal control framework
- Sponsored by AICPA, AAA, IIA, IMA, FEI

New framework: Internal Control to Enterprise Risk Management
[Diagram labels: Objectives, components, Entity Structure]

The COSO ERM framework
Enterprise Risk Management Framework
- Framework for evaluating controls and risk
- Increased focus on risk management
- Framework to effectively identify, assess, and manage risk
- Published in 2004
- Expands on the Integrated Framework

IT Governance
IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
(ITGI, Board Briefing on IT Governance)

What is IT Governance
Expectation:
- IT provides value
- IT does not provide surprises
- IT pushes the envelope
Need: A decision rights and accountability framework to encourage desirable behavior in the use of IT.
Definition: IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.

IT Governance Focus Areas
- Strategic alignment
- Value delivery
- Resource management
- Risk management
- Performance measurement

COSO / COBIT Cube
[Figure: courtesy of the IT Governance Institute's document "IT Control Objectives for Sarbanes-Oxley"]

IT Governance Principles
- Direct and control
- Responsibility
- Accountability
- Activity
[Diagram: Board and IT Organizations; Direct, Control, Responsibility, Accountability, Activities; Set directions, Set objectives and Measures, Compare, Reports, Measures, Perform Activities]

IT Governance Stakeholders
- Board and executive: Set direction for IT, monitor results and insist on corrective measures.
- Business management: Defines business requirements for IT and ensures that value is delivered and risks are managed.
- IT management: Delivers and improves IT services as required by the business.
- IT audit: Provides independent assurance to demonstrate that IT delivers what is needed.
- Risk and compliance: Measures compliance with policies and focuses on alerts to new risks.

IT Governance in Context
IT governance and associated governance mechanisms provide the linkage between responsible corporate governance and effective IT management.
[Diagram: Corporate Governance, IT Governance, IT management, with the following items]
- Overall decision making and accountability structure
- Establish goals, measures, policies
- Ensures shareholders' interests are respected
- Overall IT decision making and accountability
- Ensures value is delivered to shareholders through IT investments and actions
- Creates business value through IT
- Manages IT budgets, resources, projects, operations, vendors
- Runs IT as a business

IT Governance Model
[Diagram: Quality System, IT Planning, Project Mgmt, IT Security, AP Dev, SDLC, Service Mgmt, IT Operations; COSO, COBIT, SOX, ISO, Six Sigma, CMMI, ISO 17799, PMI, TSO, IS Strategy, ISO 20000, Quality Systems, Mgmt Frameworks, ISO 38500, Compliance framework]

There are four compatible frameworks, operating at different levels of detail and scope, that provide a set of controls and governance for IT:
- Level 1: COSO. Organization-wide controls.
- Level 2: COBIT. Can satisfy and extend COSO controls relating to IT.
- Level 3: ITIL. Can satisfy and extend COBIT controls relating to IT.
- Level 4: ISO 27002/17799. IT security controls to meet and extend COBIT security.

Key Findings of the Survey: IT Governance Global Status Report 2008
- Although championship for IT governance within the enterprise comes from the C-level, in daily practice IT governance is still very much a CIO/IT director issue. The few non-IT people in the sample have a much more positive view of IT than do the IT professionals themselves.
- The importance of IT continues to increase.
- Self-assessment regarding IT governance has increased and is quite positive.
- Communication between IT and users is improving, but slowly.
- There is still substantial room for improvement in alignment between IT governance and corporate governance, as well as for IT strategy and business strategy.
- IT-related problems persist. While security/compliance is an issue, people are the most critical problem.
- Good IT governance practices are known and applied, but not universally.
- Organisations know who can help them implement IT governance, but appreciation for the available expertise and delivery capability is only average.
- Action is being taken or plans are underway to implement IT governance activities. A large increase is evident when compared to the 2006 report.
- Organisations use the well-known frameworks and solutions.
- COBIT awareness has exceeded 50 percent, and adoption and use remain around 30 percent.
  a. Twenty-five to 35 percent of respondents apply COBIT to the letter or are very strict.
  b. Fifty percent of respondents indicate that COBIT is "one of the reference sources".
  c. In general, there is high appreciation of COBIT, as has been seen in prior reports.
- More than half of the respondents apply or plan to apply Val IT principles, but are not familiar with the Val IT brand itself. Major obstacles to adoption and use of Val IT principles include uncertainty regarding the return on investment (ROI) and lack of knowledge/expertise.

Selected IT Governance Frameworks

Benefits of IT Governance
- Confidence of top management
- Responsiveness of IT to business
- Higher return on investment (ROI)
- More reliable services
- More transparency

IT Governance
Our definition of IT governance emphasizes the close link of IT to the organization as a whole.
- What: IT governance is an integral part of corporate governance and analogously combines leadership, organizational structures, and processes that ensure that IT sustains and extends the organization's strategies and objectives.
- How: IT governance provides guidelines, establishes criteria and standards for decision making, monitoring, measuring, and improving the performance of IT.
- Who: IT governance is the responsibility of the executive board and the executive management (incl. IT) and supports the interaction of all the organization's parties involved with IT.
- What not: Though guided by it, daily operations or operative project management are not a core part of IT governance, nor can IT governance substitute for a sound business strategy.

What is IT Governance
It's about:
- Organization leadership
- Decision making that leads to better alignment of IT and the business
- IT delivering more business value
- IT resources are used responsibly
- IT risks are managed appropriately

Sample Questions
Which of the following is a key benefit of IT governance?
- Improved business processes
- Greater awareness of available technical solutions
- Responsiveness of IT
- Greater use of technology
- Increased budget for IT projects

Sample Questions
The COSO framework is a framework to help organizations establish and determine:
- Accounting standards
- Auditing standards
- Investment decisions
- The effectiveness of their internal controls

Sample Questions
Which statement below best describes the Committee of Sponsoring Organisations of the Treadway Commission (COSO)'s Internal Control - Integrated Framework?
- A framework for internal auditing
- A framework for systems management
- A framework for risk management
- A framework for information systems

Sample Questions
Which of the following is an IT Governance concern of a trading partner?
- Confidential company information is not given to competitors
- The IT systems are based on the latest technology
- System changes are not made without the partner's approval
- The IT operation is cost effective and efficient

Sample Questions
Which of the following is a principle of IT governance?
- Accountability
- Reliability
- Availability
- Probability

IT Governance Framework
[Diagram: Provide Direction, Compare, Measure Performance]
Set Objectives:
- IT is aligned with the business
- IT enables the business and maximizes benefits
- IT resources are used responsibly
- IT-related risks are managed appropriately
IT Activities:
- Increase automation (make the business effective)
- Decrease cost (make the enterprise efficient)
- Manage risks (security, reliability and compliance)

What should Boards do about it
- Be driven by stakeholder value
- Ask the right questions
- Focus on IT's alignment with the business, value delivery and risk management
- Measure results
- Adopt an IT governance framework

IT Governance Focus: what does it cover

What should Management do about it
- Align IT strategy with business goals
- Cascade strategy and goals down into the organization
- Set up organizational structures that facilitate strategy implementation
- Adopt an IT control and governance framework
- Provide IT infrastructures that facilitate creation and sharing of business information
- Embed responsibilities for risk management in the organization
- Focus on important IT processes and core IT competencies
- Measure performance (Balanced Business Scorecard)

What should Auditors do about it
- Obtain an understanding about IT Governance
- Get the Board and Management to focus on the issues in the previous two slides
- Recommend the adoption of an IT control and governance framework, such as COBIT
- Set up organizational structures in your areas that facilitate a strategic implementation of such a framework
- Measure your own performance (Balanced Business Scorecard)

IT Governance Focus Areas
- Strategic alignment: Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.
- Value delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
- Resource management: Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
- Risk management: Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation.
- Performance measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

Focus Areas
[Diagram: Define strategy, Preserve value, Create value, Good things happened, Bad things happened, Resolve problems, Exploit opportunities, Continuous Improvement, Measure Results, What, How; IT Alignment Focus, Risk Management Focus, IT Resource Management, Performance Measure Focus, Value Deliver Focus]

IT Governance Focus Areas
Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and on establishing collaborative solutions to:
- Add value and competitive positioning to the enterprise's products and services
- Contain costs while improving administrative efficiency and managerial effectiveness

IT alignment
[Diagram: Business Strategy, IT Strategy, Business Operations, IT Operations, Alignment Activities]
IT alignment is a journey, not a destination.

What is Strategic Alignment
IT Supporting Strategic Objectives
[Diagram: Enterprise Strategy, Business Functions, Application Architecture, Technical Infrastructure, Sourcing, Staffing, Funding]

Sample Questions
Which of the following is a potential benefit of strategic alignment?
- Optimal use of resources
- Use of the latest technology
- Being first to market
- Delivery on time and within budget

Sample Questions
Which of the following is a common problem encountered when trying to align IT and the business?
- Use of an external IT consultant for project management
- Communication gaps between the business and IT
- Inadequacy of problem management practices
- Rushing to develop too quickly

Sample Questions
Which of the following is a benefit of strategic alignment?
- Producing high-quality software
- Maintaining skilled resources
- Meeting project deadlines
- Increasing the value of business products and services

Sample Questions
Which of the following is the most likely problem encountered when trying to align IT with the business?
- Developed too quickly
- Inadequate problem management practices
- Use of an external IT consultant for project management
- Lack of committed business sponsors for IT projects
- Complexity of projects
- Inability to set priorities

Value delivery is about exe
