The extremes of centralization versus decentralization are manifested through decision making, management models (central versus autonomous), information imperatives (access versus sharing), and planning focus (entire enterprise versus line of business). On each end of the spectrum resides anarchy versus dictatorship (see Exhibit 3.4).
The challenge is how to develop an appropriate element of control. The real issue is one of trust. Governance helps bridge these issues by maximizing information use and strategically integrating technology with business units.
EXHIBIT 3.4 CENTRALIZATION VERSUS DECENTRALIZATION
[Figure: a spectrum running from Centralization (internalization, absolute control) to Decentralization (externalization, information access), with the sweet spot of the company (centers or teams) lying between the two ends.]
For many exemplar companies, IT governance is both a top-down and a bottom-up approach. This balance is called the federalism of IT—creating the ideal balance between centralized and decentralized IT.13 There must be a balance between being responsive to local customer needs and prioritizing company-wide integration. However, a focus on alignment to the strategic intent, reuse, and balance provides opportunities to gain important economies of scale and scope, define and redefine value propositions across the company, and assure that the company is focused on moving in the same direction.
COBIT: MANAGING THE RISK AND CONTROL OF IT
Developed by the Information Systems Audit and Control Association (ISACA) in 1996, the control objectives for information and related technology (CobiT) were originally intended for IT auditing. Subsequent versions, however, have expanded the applicability and scope of CobiT. CobiT manages the risk and control of IT, bridging the gap between business risks, IT technical issues, and control needs. It consists of 34 IT processes and 318 detailed control objectives grouped across four critical domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. Many companies are using the checklists contained in CobiT as a framework for Sarbanes-Oxley compliance. The CobiT model views risks and controls from three distinct vantage points:
1. Line of business issues: business managers focus on quality, fiduciary, and security issues. Questions that can be addressed using CobiT include:
a. Does the system do what it is intended or designed to do, and does it meet or exceed the line of business expectations?
b. Does it optimize the most economical and productive use of resources?
c. Is the system compliant with laws and regulations?
d. Does the system prevent the unauthorized disclosure, modification, or destruction of data? Are the data reliable and up-to-date?
2. IT resources: IT managers might focus IT resources in areas such as data repositories (internal/external, graphics, video, sound), application systems (manual and programmed procedures), technology (hardware, OS, DBMS, networking, multimedia), facilities (warehousing and supporting IT), and people (skills, awareness, and productivity). Questions that can be addressed using CobiT include:
a. Is there an adaptable, scalable infrastructure in place to meet the line of business needs?
b. Are the requirements better met through a selective sourcing agreement?
c. Are adequate and trained resources available to code and support the business application?
3. IT processes: process owners, IT specialists, and staff members have a specific interest in a particular process or activity/task. Auditors and companies that must comply with Sarbanes-Oxley pay close attention to this area. Questions that can be addressed using CobiT include:
a. Does the process employ control procedures in alignment with information policy and generally accepted IT best practices?
b. Do the processes support control objectives?
Exhibit 3.5 shows a graphical representation of the 34 essential IT processes as identified by CobiT.
It is not surprising that a chapter on any type of governance (which is a term derived from government) would be filled with excessive theory and rhetoric.
EXHIBIT 3.5 COBIT—MANAGING THE RISK AND CONTROL OF IT