File Content -
Governance: (BCCI =
Governance)
The term “Governance” is derived
from the Greek verb meaning “to
steer”.
(Now in a cricket, multiple stakeholder
of IPL enable to say that Evraj singh is
option due to dhoni’s directional setting
and mohit sharma’s complete
performance. Whatever, Dhoni is
Satisfied because of he has achieved his
Specific Objective)
A governance system typically
- refers to all the means and
mechanisms
- that will enable multiple
stakeholders in an enterprise - to
have an organized mechanism for
evaluating options, setting direction
and monitoring compliance and
performance,
- in order to satisfy specific enterprise
objectives..
IT Governance (CISA=
CA(Govrnance)+IT)
(CISA Department’s BOD and
executive Mgmt has made available set
of responsibilities and practices to CISA
student , with goal of providing starategic
direction in study and ensuring that passing
% objectives are achieved as well as failure
risk are managed)
‘The set of responsibilities and
practices
- exercised by the board and executive
management
- with the goal of providing strategic
direction,
- ensuring that objectives are achieved,
- ascertaining that risks are managed
appropriately
- and verifying that the organization’s
resources are used responsibly.
Governance of Enterprise IT
(GEIT) (IPL = GEIT)
IPL = BCCI
(Enterprise/Governance) +
I(international)T(teams)
IPL is Subset of BCCI and facilitating
implementation of
International Standered control
within India as relevant.)
Governance of Enterprise IT is a
sub-set of corporate governance and
facilitates implementation of a
framework of IS controls within an
enterprise as relevant and
encompassing all key areas.
Benefits of Governance (BCCI =
Governance)
(BCCI achieved objective (Won
Worldcup) by ensuring msission,
strategy are assigned and transport
decion framework. In press conference
they told that their secrets , they
defined and desirable behaviors in use of
International Teams coach and
execution of Iternational Teams
Outsourcing Arrnagement.
Implementing & Integrating desired
Batting Practice into the team,)
1 . Achieving enterprise objectives by
ensuring that each element of the
mission and strategy are assigned and
managed with a clearly understood and
transparent decisions rights and
accountability framework.
Benefits of IT Governance (CISA=
CA+IT)
(CA auditors value increased through CISA
degree also their user(client) satisfaction
increased with CISA auditor because they
have to pay low fees and they can do better
cost performance. Auditors can bring
improvement in supporting business needs
like accounting, taxation hence company
can do compliance with relevant laws and
optimum utilization of IT Resources.)
Increased value delivered through
enterprise IT;
Increased user satisfaction with IT services
Improved agility in supporting business
needs
Benefits of GEIT (IPL=GEIT))
(BCCI=Enterprise /
Governance)
IPL ensure that International Team-
related decisions are made in line
with the BCCI’s strategies and
objectives.
IT Ensure that that International
Team-related processes are overseen
effectively and transparently.
IPL confirms compliance with legal
and regulatory requirements of
Indian Lwas
It ensures. that the BCCI
requirements for board members are
met
It provides a consistent approach
integrated and aligned with the
enterprise governance approach.
It ensures that IT-related decisions are
made in line with the enterprise's
strategies and objectives.
2. Defining and encouraging desirable
behavior in the use of IT and in the
execution of IToutsourcing
arrangements;
3. Implementing and integrating the
desired business processes into the
enterprise
4. Providing stability and overcoming
the limitations of organizational
structure
5. Enabling effective and strategically
aligned decision aking for the IT
Principles that define the role,
architecture, Infrastructure of IT
Better cost performance of IT
Improved management and mitigation of
IT-related business risk
IT becoming an enabler for change rather
than an inhibitor
More optimal utilization of IT resources
Improved compliance with relevant laws,
regulations and policies
It ensures that IT-related processes
are overseen effectively and
transparently
It confirms compliance with legal and
regulatory requirements.
It ensures that the governance
requirements for board members are
met
Good corporate governance
requires
(Audit Committee has conflict of
Interest in Philips (Sound) Co.
Internal Departments Control;
Hence they failed to comply with
relevant laws and regulations &
Corporate disclosure
requirements.)
- segregation of incompatible functions,
elimination of conflict of interest,
- establishment of Audit Committee,
- risk management and compliance
with the relevant laws and
-standards including corporate
disclosure requirements.
Critical Ensure of Defined Benefit of
IT Goverence (CISA =IT Govn)
(CISA Exam’s ownership is defined
and agreed. It is relevant and link to
ICAI’s Strategy.
Risk, Assumption and passing
(relisation) benefits are understood,
correct and current.
Timely and accurate result data of
CISA Exam are easy to obtain or
available on website.)
• Ownership is defined and agreed;
• It is relevant and links to the business
strategy;
• The timing of its realization of benefit is
realistic and documented;
• The risks, assumptions and dependencies
associated with the realization of the
benefits
are understood, correct and current;
• An unambiguous measure has been
identified; and
• Timely and accurate data for the measure
is available or is easy to obtain.
Best practices of corporate
governance
(After “SATYAM” Fraud case,
many co. introduce corporate
governance system which
include assignment of
responsibilities and decision-
making authorities,
Establishment of a mechanism
for the interaction and
cooperation among the board of
directors,
Implementing strong internal
control systems Special
monitoring of risk exposures
where conflicts of interest)
• Clear assignment of responsibilities
and decision-making authorities,
incorporating an hierarchy of
required approvals from individuals
to the board of directors;
• Establishment of a mechanism for
the interaction and cooperation
among the board of directors, senior
management and the auditors;
• Implementing strong internal
control systems, including internal
and external audit functions, risk
management functions independent
of business lines, and other checks
and balances;
• Special monitoring of riskexposures
where conflicts of interest are likely
to be particularly great, including
business relationships with borrowers
affiliated with the bank, large
shareholders, senior management, or
key decision-makers within the firm
(e.g.traders);
• Financial and managerial incentives
to act in an appropriate manner
offered to senior management,
business line management and
employees in the form of
compensation, promotion and other
recognition.
Key Governance Practices of Risk
Management
Evaluate = Identify/Analyse
Effects / WHO,HOW, WHAT
question relating to decision
Direct = Estalbilish/Assure
/Guide
Monitor = Monitor Goals/result/
matrics/performance
Evaluate Risk Management:
Continually examine and make
judgment on the effect of risk on the
current and future use of IT in the
enterprise.
Direct Risk Management: Direct
the establishment of risk management
practices to provide reasonable
assurance that IT risk management
practices are appropriate to ensure that
the actual IT risk does not exceed the
board’s risk appetite;
Monitor Risk Management:
Monitor the key goals and metrics of the
risk management processes and establish
how deviations or problems will be
identified, tracked and reported on for
remediation.
Key practices to determine status of
IT Governance
Evaluate = Identify/Analyse Effects
/ WHO,HOW, WHAT question
relating to decision
Direct = Estalbilish/Assure /Guide
Monitor = Monitor Goals/result/
matrics/performance
• Who makes directing, controlling and
executing decisions? (Evaluate)
• How the decisions are made? (Evaluate)
• What information is required to make the
decisions? (Evaluate)
• What decision-making mechanisms are
required? (Evaluate)
• How exceptions are handled? (Direct)
• How the governance results are
monitored and improved? (Monitor)
Key Governance Practices of
GEIT
Evaluate = Identify/Analyse
Effects / WHO,HOW, WHAT
question relating to decision
Direct = Estalbilish/Assure
/Guide
Monitor = Monitor
Goals/result/
matrics/performance
Evaluate the Governance
System:
- Continually identify & engage with
the enterprise's stakeholders,
document an understanding of
requirements
- make judgment on the current and
future design of governance of
enterprise IT;
Direct the Governance System:
- Inform leadership and obtain their
support, buy‐in and commitment.
- Guide the structures, processes and
practices for the governance of IT in
line with agreed governance design
principles, decision‐making models
and authority levels.
- Define the information required for
informed decision making.
Monitor the Governance
System:
- Monitor the effectiveness and
performance of the enterprise’s
governance of IT.
- Assess whether the governance
system and implemented mechanisms
are operating effectively and provide
appropriate oversight of IT.
key management practices, which
need to be implemented for
evaluating ‘Whether business
value is derived from IT’,
Evaluate = Identify/Analyse
Effects / WHO,HOW, WHAT
question relating to decision
Direct = Estalbilish/Assure
/Guide
Monitor = Monitor Goals/result/
matrics/performance
Business Value = IT Enabled
investment, Investment Claimed
Benefits, Expected Benefits,
Realized Benefits
-Evaluate Value Optimization
Continually evaluate the portfolio of IT
enabled investments, services and assets
to determine the likelihood of achieving
enterprise objectives and delivering
value at a reasonable cost.
-Direct Value Optimization
Direct value management principles and
practices to enable optimal value
realization from IT enabled investments
throughout their full economic life
cycle.
-Monitor Value Optimization.
Monitor the key goals and metrics to
determine the extent to which the
business is generating the expected
value and benefits to the enterprise
from IT-enabled investments and
services.
Key Management Practices for
Aligning IT Strategy with Enterprise
Strategy
(CU CU AD relating to IT service,
strategy, enterprise environment)
Understand enterprise direction:
understanding of the enterprise
environment and requirements.
Define the target IT capabilities:
Define the target business and IT
capabilities and required IT services.
Assess the current environment,
capabilities and performance Assess
the performance of current internal
business and IT capabilities and external IT
services and
develop an understanding of the enterprise
architecture in relation to IT.
Conduct a gap analysis between the
current and target environments
Understand enterprise direction
Consider the current enterprise
environment and also consider the
external environment of the enterprise.
Communicate the IT strategy and
direction (Create awareness and
understanding of the business and
IT objectives and direction)
Key Management Practices of
Risk Management
(MAD CAR related to IT Risk)
Collect Data: Identify and collect
relevant data to enable effective IT
related risk identification,
analysis and reporting.
• Analyze Risk: Develop useful
information to support risk decisions
that take into account the business
relevance of risk factors.
• Maintain a Risk Profile:
Maintain an inventory of known risks
and risk attributes, including
expected frequency, potential impact,
and responses, and of related
resources, capabilities, and current
control
activities.
• Articulate Risk: Provide
information on the current state of
IT- related exposures and
opportunities in a timely manner to
all required stakeholders for
appropriate response.
• Define a Risk Management
Action Portfolio: Manage
opportunities and reduce risk to an
acceptable level as a portfolio.
• Respond to Risk: Respond in a
timely manner with effective
measures to limit the magnitude of
loss from IT related events.
Key Management Practices of IT
Compliance
(IOCO related to Compliance
Requirement)
Compliance = Internal & External
Laws, Regulation, Agreement,
Reports, Working Practice,
Review Updates, Fine Penalties
COBIT 5 provides key management
practices for ensuring compliance with
external compliances as relevant to the
enterprise.
Identify External Compliance
Requirements - On a continuous
basis, identify and monitor for changes
in local and international laws,
regulations, and other external
requirements that must be complied
with from an IT perspective
Optimize Response to External
Requirements
Review and adjust policies, principles,
standards, procedures and
methodologies to ensure that legal,
regulatory and contractual requirements
are addressed and communicated.
Conform External Compliance
and
Confirm compliance of policies,
principles, standards, procedures and
methodologies with legal, regulatory
and contractual requirements
Obtain Assurance of External
Compliance - Obtain and report
assurance of compliance and adherence
with policies, principles, standards,
procedures and methodologies.
Confirm that corrective actions to
address compliance gaps are closed in a
timely manner.
key management practices for
assessing and evaluating the system
of internal controls in
an enterprise are
(MRP Independent & Qualified IPS)
• Monitor Internal Controls:
Continuously monitor, benchmark and
improve the control environment and
control framework to meet organizational
objectives.
• Review Business Process Controls
Effectiveness: Review the operation of
controls, including a review of monitoring
and test evidence to ensure that controls
within business processes operate
ffectively.
• Perform Control Self-assessments:
Encourage management and process
owners to take positive ownership
of control improvement through a
continuing program of selfassessment to
evaluate the completeness and
effectiveness of management’s control over
processes, policies and contracts
• Identify and Report Control
Deficiencies: Identify control
deficiencies and analyze and identify their
underlying root causes. Escalate control
deficiencies and report to stakeholders.
• Ensure that assurance providers are
independent and qualified: Ensure
that the entities performing
assurance are independent from the
function, groups or organizations in scope.
• Plan Assurance Initiatives: Plan assurance
initiatives based on enterprise objectives
and conformance
objectives, assurance objectives and
strategic priorities, inherent risk resource
constraints, and sufficient
knowledge of the enterprise.
• Scope assurance initiatives: Define
and agree with management on the scope
of the assurance initiative,
based on the assurance objectives.
key functions of the IT Steering
committee
(Set, Ensure, facilitate, Review
Make ,Report)
• To sets priorities according to size
and scope of IT function within its
scope;
• To ensure plans of the IT
department are aligned with
enterprise goals and objectives;
• To facilitate implementation of IT
security within enterprise;
• To facilitate and resolve conflicts in
deployment of IT and
ensure availability of a viable
communication system exists
between IT and its users; and
• To approve and monitor key
projects by measuring result of IT
projects in terms of ROI, etc.
• To review and approve major IT
deployment projects in all their
stages;
• To review and approve standards,
policies and procedures;
• To review the status of IS plans and
budgets and overall IT performance;
• To make decisions on all key aspects
of IT deployment and
implementation;
• To report to the Board of Directors
on IT activities on regularly
Key Metrics for Assessing
Compliance Process
Metrics = Cost, Percentage,
Number, Frequency
Compliance = Internal & External
Laws, Regulation, Agreement,
Reports, Working Practice,
Review Updates, Fine Penalties
• Compliance with External Laws
and Regulations: These metrics are
given as follows:
- Cost of IT non-compliance, including
settlements and fines;
- Number of IT related non-ompliance
issues reported to the board or causing
public comment or embarrassment;
- Number of non-compliance issues
relating to contractual agreements with
IT service providers; and
- Coverage of compliance assessments.
• IT Compliance with Internal
Policies: These metrics are given as
follows:
- Number of incidents related to non
compliance to policy;
- Percentage of stakeholders who
understand policies;
- Percentage of policies supported by
effective standards and working
practices; and
- Frequency of policies review and
updates.
key metrics For Evaluation of
Business value from use of IT
Metrics = Cost, Percentage, Number,
Frequency
Business Value = IT Enabled
investment, Investment Claimed
Benefits, Expected Benefits,
Realized Benefits
• Percentage of IT enabled investments
where benefit realization monitored
through full economic life cycle;
• Percentage of IT services where expected
benefits realized;
• Percentage of IT enabled investments
where claimed benefits met or exceeded;
• Percentage of investment business cases
with clearly defined and approved
expected IT related costs and benefits;
• Percentage of IT services with clearly
defined and approved operational costs and
expected benefits; and
• Satisfaction survey of key stakeholders
regarding the transparency, understanding
and accuracy of IT financial information.
Metrics of Risk Management
Metrics = Cost, Percentage,
Number, Frequency
Risk Management = Critical
Business Process, IT Services,
Significant IT Related Incidents,
IT Related Risk, Risk Profile
Assessment
• Percentage of critical business
processes, IT services and IT-enabled
business programs
covered by risk assessment;
• Number of significant IT related
incidents that were not identified in
risk Assessment;
• Percentage of enterprise risk
assessments including IT related risks;
and
• Frequency of updating the risk
profile based on status of assessment
of risks.
COBIT 5 Business Framework –
Governance and Management
of Enterprise IT
(Manage IT Risk, Policy
Development, Increase User
Satisfaction, For All Business)
COBIT 5 helps enterprises to manage IT
related risk and ensure compliance,
security and privacy. Cobit % enables
clear policy development and good
practice for IT management including
Integrating COBIT 5 with Other
Frameworks
COBIT 5 builds and expands on COBIT
4.1 by integrating other major
frameworks, standards and resources,
including
-GEIT
Customizing COBIT 5 as per
Requirement
(Women Director (GIRL)Assure
the Activities of CSR
Reporting)
COBIT 5 can be tailored to meet an
enterprise’s specific business model,
technology environment, industry,
location and corporate culture.
Because of its open design, it can be
increased business user satisfaction. The
key advantage in using a generic
framework such as COBIT 5 is that it is
useful for enterprises of all sizes,
whether commercial, not for profit or
in the public sector.
-ISO 27001
-ITIL
-Risk IT
-Val IT
-TOGAF (The Open Group
Architechture)
-ISO 38500
The framework and resulting
enablers should be aligned with and in
harmony with (amongst others) the:
• Enterprise policies, strategies,
governance and business plans, and
audit approaches;
• Enterprise risk management
framework; and
• Existing enterprise governance
organization, structures and
processes. applied to meet needs related to:
• Information security,
• Risk management,
• Governance and management of
enterprise IT,
• Assurance activities,
• Legislative and regulatory
compliance, and
• Financial processing or CSR
reporting.
Need for Enterprises to Use COBIT
5
(Increase Value Creation using
UID card. In future support
compliance with relevant laws &
regulation of UID will be
increased )
• Increased value creation from use of IT
• User satisfaction with IT engagement
and services;
• Support compliance with relevant
laws, regulations and contractual
requirements;
• Development of more business-
focused IT solutions and services; and
• Increased enterprise wide involvement
in IT-related activities
Components in COBIT5
(PM CM on FC Road)
• Framework - Organize IT governance
objectives and good practices by IT
domains and processes, and links them to
business requirements
• Process Descriptions - A reference
process model and common language for
everyone in an organization. The processes
map to responsibility areas of plan, build,
run and monitor.
• Control Objectives - Provide a
complete set of high-level requirements to
be considered by management for effective
control of each IT process.
• Management Guidelines - Help
assign responsibility, agree on objectives,
measure performance, and illustrate
interrelationship with other processes
• Maturity Models - Assess maturity and
capability per process and helps to address
gaps.
Benefits of COBIT 5
(Combine answer of Benefit of IT
Governance and Cobit GEIT
Framework)
• A comprehensive framework such as
COBIT 5 enables enterprises in
achieving their objectives for the
governance and management of
enterprise IT.
• The best practices of COBIT 5 help
enterprises to create optimal value
from IT by maintaining a balance
between realizing benefits and
optimizing risk levels and
resource use.
• Further, COBIT 5 enables IT to be
governed and managed in a holistic
manner for the entire enterprise,
taking in the full end-to-end business
and IT functional areas of
responsibility, considering the IT
related interests of internal and
external stakeholders.
• COBIT 5 helps enterprises to
manage IT related risk and ensures
compliance, continuity, security and
privacy.
• COBIT 5 enables clear policy
development and good practice for IT
management including increased
business user satisfaction.
• The key advantage in using a generic
framework such as COBIT 5 is that it
is useful for enterprises of all sizes,
whether commercial, not-for-profit -
or in the public sector.
• COBIT 5 supports compliance with
relevant laws, regulations,
contractual agreements
and policies.
Five Principles of COBIT 5
Co. ne stakeholder ki meeting
bulai, meeting mein sare chair end
to end full (cover ) ho gaye, Sabne
milk ek single plan banaya ki hum
Holi ko Mathura Jayenge but
management and governance
separate jayenge
Principle 1:
Meeting Stakeholder Needs
Provides all of the required processes
and other enablers to support business
value creation through the use of IT. An
enterprise can customize COBIT 5 to
suit its own context & creates value for
its stakeholders through the use of IT
Principle 2: Covering the Enterprise
End to End
It does not focus on IT function, it
considers all IT related governance and
management enablers to be enterprise-
wide & end to end including each &
everything
Principle 3: Applying a Single Integrated
Framework
There are many IT related standards and
best practices, each providing guidance
on a subset of IT activities. COBIT 5
framework aligns with them at a high
Seven Enablers of Cobit 5
Ek origination ne aisa decision liya
ki hum principles and policies for
day to day management ke liye
banayenge ki agar koi staff co. ki
process ko wrong cultural , ethical
and behavior se follow karta hai to
use next month se service desk pe
shift karenge aur uskee skill and
competence sudharne ke liye
training denge (correct Action).
Aur aise staff ki information dene
wale ko inam denge.
Principles, policies and Frameworks
are the vehicle to translate the desired
behaviour into practical guidance for
day-to-day management.
Processes
describe organized set of practices and
activities to achieve certain objectives &
produce a set of outputs in support of
achieving overall IT-related goals.
Oraganisation structure
are the key decision-making entities in an
enterprise
Culture, ethics and behaviour
Culture, ethics and behaviour of
individuals and of the enterprise are very
often underestimated as a success factor in
governance and management activities.
Service, Infrastructure and
application
Cobit 5 Reference Model
It defines and describes in detail a
number of governance and
management processes.
It represents all of the processes
normally found in an enterprise
relating to IT activities providing a
common reference mode
understandable to operational IT and
business managers
Govenance Process -
-Evaluate direct monitor
practices (EDM ) – 5 Processes
Management Process -
-Audit , Plan , Organise – 13
Process
- Build, Acquire and implement
– 10 processes
level & serve as an overarching
framework to simplify complexity.
Principle 4: Enabling a Holistic
Approach
COBIT 5 defines a set of 7 enablers to
support the implementation
of a comprehensive governance and
management system for enterprise IT.
Principle 5: Separating Governance
from Management
Cobit 5 Make Clear Dstinction between
Governance and management. The
COBIT 5 recognizes that these two
disciplines (governance and
management)are involved in different
types of activities, serve different
purposes and requires different
organizational structures to fulfil their
individual needs.
include the infrastructure, technology and
applications that provide the
enterprise with information technology
processing and services.
People, Skill and Competence
Are linked to people and are required for
successful completion of all activities and
for making correct decision and correct
action.
Information
Information is required for keeping the
oraganisation ruuning and well goverened .
Perational level information is key product
of the enterprise itself. -Deliver, Service Support – 6
Process
-Monitor, Evaluate, Accesses -3
Processes
4
CAclubindia
