
INTERNAL AUDIT, RISK & COMPLIANCE

IS GOVERNANCE: COBIT Gap Analysis

ADVISORY

Jan, 20XX

Index

Executive Summary (page 2)
Plan and Organize Gap Analysis (page 3)
Acquire and Implement Gap Analysis (page 20)
Deliver and Support Gap Analysis (page 42)
Monitor and Evaluate Gap Analysis (page 57)

2010 Caipo y Asociados S. Civil de R. L., a Peruvian limited-liability civil partnership and member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved. Printed in Peru.

Executive Summary
This document presents the analysis resulting from the validation of the controls of the COBIT Quick Start framework against the current practices of the IT Department.

Its purpose is to present the analysis of the current situation / current work practices, issues identified and recommendations in order to improve the IT control environment under the COBIT Quick Start framework.

This report should be used to generate an IT High-Level Work Plan that will close the gaps identified, and take corrective action in a cost-benefit manner, in the context of implementing an internal control system.

This report presents the controls for each of the four domains that comprise the COBIT Quick Start framework.


Plan & Organize Gap Analysis




COBIT domain: Plan and Organize
Process Description: PO1 Define a Strategic IT Plan

Sub process: IT Value Management
Current Practice: IT investments related to IT projects are estimated based on referrals from past acquisitions or on the provider's market position. Investments are prepared independently by IT or by business areas. Afterwards, the IT Department centralizes the estimates and evaluates them.
Gap: IT investments do not contain programmes that include business cases.
Recommended Actions: Ensure that the management activities of IT-enabled investments use a formal process that requires business cases that include: cost-benefit analysis, risk assessments, SLAs for IT services and the impact on the current portfolio. Ensure that accountability for value delivery is clearly assigned at an appropriate level.

Sub process: Business-IT Alignment
Current Practice: The IT Manager was involved in the strategic planning process and established the initiatives, which are aligned and integrated with the business strategies.
Gap: User areas prepare their own initiatives and sometimes do not communicate them to the IT Department. The IT Department learns about them only when user areas request a quick answer to implement the initiatives and expect action as soon as possible.
Recommended Actions: Ensure that IT management contributes to business strategy planning and identifies capabilities available to support enterprise goals and other opportunities to contribute to business value. Make the scope of the IT strategic and planning initiatives enterprise-wide, so that they address, document and consider all business and support activities. Ensure that enterprise management and key stakeholders discuss future business directions and enterprise goals with IT management, in order to collaborate and develop a common understanding of the potential for IT to enable business goals.

Sub process: Assessment of Current Capability and Performance
Current Practice: The IT Department evaluates the current capability and performance of its services only when the budget is being prepared.
Gap: System tools are not used on a regular basis to evaluate current capability and performance.
Recommended Actions: For actual requirements, compare the actual IT capabilities (systems, resources, people) with future requirements, in order to deliver the required solutions and services in a timely manner.



COBIT domain: Plan and Organize
Process Description: PO1 Define a Strategic IT Plan

Sub process: IT Strategic Plan
Current Practice: There is an IT Strategic Plan that is defined and formally approved.
Gap: Some business requirements are not incorporated into the IT Plan and must be treated separately, because they are reported to the IT Manager too late.
Recommended Actions: Ensure that IT has established a process to identify, document and adequately address organizational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, in- and outsourcing opportunities, etc., in the planning process. Formally approve and communicate the IT strategic plan and ensure that it is clearly understood by those who need to translate it into budgets, tactical plans, sourcing and acquisition strategies, processes, and organizational structures.

Sub process: IT Tactical Plans
Current Practice: IT initiatives are defined at a high level.
Gap: Lack of IT tactical plans that are sufficiently detailed to allow the definition of project plans.
Recommended Actions: Translate the approved IT strategic plan into tactical plans. Ensure that the content of the tactical plans includes clearly stated project definitions for all programmes, project time frames and deliverables, required resources, and business benefits to be monitored.

Sub process: IT Portfolio Management
Current Practice: IT initiatives have been defined and planned for deployment during the period 2010-2012. Each IT initiative has a specific beginning and end date.
Gap: Even though each IT initiative has a specific beginning and end date, execution may not be performed on time due to a lack of sufficient personnel.
Recommended Actions: Develop and promulgate prioritization schemes relating prioritization criteria to business goals and technical requirements. Project prioritization may be modified due to the availability of scarce resources, implementation alternatives, funding methods, risks, and the timing of competing or complementary projects. Communicate projects that will be delayed, postponed or not continued, so that business and IT management can use resources in an efficient and effective manner.



COBIT domain: Plan and Organize
Process Description: PO2 Define the Information Architecture

Sub process: Enterprise Data Dictionary and Data Syntax Rules
Current Practice: A data dictionary is in place for some systems, such as Balance, SIAF and Accounting.
Gap: Syntax rules are not documented.
Recommended Actions: Establish and maintain data syntax guidelines that are valid throughout the organization. Implement data dictionary management software to manage and maintain the organization's data dictionary and data syntax rules.

Sub process: Data Classification Scheme
Current Practice: A data classification scheme is not defined and implemented. Data ownership is assigned at C-level, but it is not formally established.
Gap: Lack of a data classification policy and procedure.
Recommended Actions: Define data classification levels for each of the defined attributes. Identify business owners accountable for information (data owners). Ensure that the data owner classifies all information using the defined scheme and levels. Classification covers the whole life cycle of information, from creation to disposal. Where an asset has been assessed as having a certain classification, any component inherits the same classification.

Sub process: Integrity Management
Current Practice: Some procedures to ensure the integrity and consistency of all data are documented. However, these procedures have not been formalized and communicated to the Exploration Department, which manages its own systems.
Gap: Lack of procedures to manage and maintain the integrity and consistency of all data in the Exploration Department.
Recommended Actions: Implement procedures to manage and maintain data integrity and consistency throughout the complete data process and life cycle.



COBIT domain: Plan and Organize
Process Description: PO3 Determine Technological Direction

Sub process: Technological Direction Planning
Current Practice: Existing and emerging technologies are known to the IT Department and documented as initiatives in the IT Strategic Plan.
Gap: There are some deviations because the IT Department does not learn about the initiatives of user areas on a timely basis.
Recommended Actions: Perform a SWOT (strengths, weaknesses, opportunities, threats) analysis of all current critical and significant IT assets on a regular basis. Identify what is needed in terms of technological direction for the business systems architecture, migration strategies and contingency aspects of infrastructure components.

Sub process: Monitor Future Trends and Regulations
Current Practice: Legal and regulatory conditions are managed by the Legal Department. Future trends in the acquisition of technical software and hardware are reviewed by both the IT Department and the Exploration Department.
Gap: C-level management has not established a process to monitor future trends and regulatory conditions.
Recommended Actions: Ensure that adequately skilled staff members within the IT Department routinely monitor technological developments, competitor activities, infrastructure issues, legal requirements and regulatory environment changes, and provide relevant information to senior management. Ensure that the organization's legal counsel monitors legal and regulatory conditions in all relevant locations and informs the IT steering committee of any changes that may impact the technology infrastructure plan.

Sub process: Technology Standards
Current Practice: The IT Manager has established standards for the acquisition of notebooks, PCs/servers and office software.
Gap: Technology standards are not documented and formally approved.
Recommended Actions: Ensure that management establishes and maintains an approved list of vendors and system components that conform to the technological infrastructure plan and technology standards. Establish a process to prevent the acquisition of nonconforming systems or applications.



COBIT domain: Plan and Organize
Process Description: PO4 Define the IT Processes, Organization and Relationships

Sub process: IT Steering Committee
Current Practice: The IT Manager does not play a key role in the Management Committee meetings and participates only when an explanation of current projects is required.
Gap: There is no IT Steering Committee. The IT Manager participates in the Management Committee once a week or on demand.
Recommended Actions: Establish an IT Steering Committee (or equivalent) composed of executive, business and IT management. Determine that the responsibilities of the committee include at least:
o Determination of the prioritization of IT-enabled investment programmes in line with the enterprise's business strategy and priorities.
o Tracking of the status of projects and resolution of resource conflicts.
o Monitoring of service levels and service improvements.

Sub process: Establishment of Roles and Responsibilities
Current Practice: Tasks and responsibilities were documented in November 20XX for all IT staff, except for the new position of Information Security Officer. Job descriptions and responsibilities for key positions are still under review by the Human Resources Department.
Gap: Information Security Officer responsibilities are not clearly defined.
Recommended Actions: Formalize the skills, experience, authority, responsibility and accountability for each IT task, and obtain approval from high-level management. Ensure that management initiates regular training and awareness campaigns to reinforce staff knowledge of their roles. This may be supplemented with occasional assessments of understanding and compliance.


Acquire and Implement Gap Analysis



COBIT domain: Acquire and Implement
Process Description: AI1 Identify Automated Solutions

Sub process: Definition and maintenance of business functional and technical requirements
Current Practice: Based on the development and maintenance methodology known as RAD (Rapid Application Development), business requirements are presented in an "Information Collection" format. As a reference: Local Balance (development prepared 3 years ago). The IT Department uses a format to manage change requests from applications. Feasibility studies are not prepared. There is an initial definition of the system information context, where requirements are defined in a top-level overview in order to begin the development.
Gap: Documentation was developed for an information systems project 3 years ago and may not include the elements necessary to control the functional and technical aspects.
Recommended Actions: Define and implement a requirements definition and maintenance procedure and a requirements repository that are appropriate for the size, complexity, objectives and risks of the business initiative that the organization is considering undertaking. This procedure should take into account the nature of the enterprise's business, strategic direction, strategic and tactical IT plans, in-house and outsourced business and IT processes, emerging regulatory requirements, people skills and competencies, structure, business case, and enabling technology. Confirm that all user, functional and technical requirements, including relevant acceptance criteria, are considered, captured, prioritized and recorded in a way that is understandable to business sponsors and technical implementation personnel.

Sub process: Feasibility study and formulation of alternative courses of action
Gap: Lack of working procedures and documentation supporting the feasibility study and the establishment of alternative solutions in a technical manner.
Recommended Actions: Define and implement a procedure that documents and formalizes a feasibility study that clearly and concisely describes the key alternative courses of action that will satisfy the business and functional requirements, with an evaluation of their technological and economic feasibility. Identify the required actions for the acquisition or development, taking into account scope, time and/or budget limitations. Review the alternative courses of action with all stakeholders, and select the most appropriate one based on feasibility criteria, including risks and cost. Translate the preferred course of action into a high-level acquisition/development plan identifying the resources to be used and the stages requiring a go or no-go decision.


Deliver and Support Gap Analysis



COBIT domain: Deliver and Support
Process Description: DS01 Define and Manage Service Levels

Sub process: Service Level Management Framework
Current Practice: Service Level Agreements (SLAs) have not yet been defined and documented, but some Key Performance Indicators (KPIs) have been established by the Planning Department.
Gap: There is no framework for IT service management.
Recommended Actions: Define and document an SLA framework to manage the IT service life cycle. The process should involve senior management representing both the business and IT functions. The framework should include processes for creating service requirements, service definitions, SLAs, OLAs and funding sources.

Sub process: Review of Service Level Agreements and Contracts
Current Practice: No control activities have been identified.
Gap: SLAs are not defined and documented, including for the Exploration Department.
Recommended Actions: Conduct reviews of SLAs and Underpinning Contracts (UCs) on a regular basis with all impacted parties to ensure that they remain effective and in alignment with business objectives.


Monitor and Evaluate Gap Analysis



COBIT domain: Monitor and Evaluate
Process Description: ME1 Monitor and Evaluate IT Performance

Sub process: Definition and Collection of Monitoring Data
Current Practice: There is an informal process for gathering information on a limited basis, particularly in support activities, and it does not cover all IT services. It also does not cover the IT service areas of the Exploration Department, which manages its own data center.
Gap: Lack of procedures for collecting, analyzing and reporting information.
Recommended Actions: Define targets for the IT metrics in line with the coverage and characteristics of the metrics defined in the monitoring framework. Obtain IT and business management approval for the targets. Collect the performance data needed by the monitoring approach in an automated fashion wherever feasible. Compare the measured performance to the targets at agreed-to intervals. Ensure consistency, completeness and integrity of performance monitoring source data. Ensure control over all changes to performance monitoring data sources. Define performance targets and focus on those that provide the largest insight-to-effort ratio. Assess the integrity of the data collected by carrying out reconciliation and control checks at agreed-upon intervals.



COBIT domain: Monitor and Evaluate
Process Description: ME1 Monitor and Evaluate IT Performance

Sub process: Performance Assessment
Current Practice: The IT Department has established maintenance activities for the inventory of applications, patching and the help desk. There are some reports on the Novell network servers and on actions to improve the technology platform. There is a schedule for implementing these activities. However, there are no common practices.
Gap: Lack of procedures to execute performance assessment.
Recommended Actions: Compare the performance values to internal targets and benchmarks and, where possible, to external benchmarks (industry and key competitors). Consider implementing, in parallel with the performance management system, a less formal feedback mechanism to obtain alternative measures of perceived performance. Use the data to improve the performance measurement system and, where necessary, solution and service delivery. Assess performance against targets and analyze the results. Compare measured performance to targets at agreed-to intervals. Ensure that performance targets and results are communicated to IT, senior and business management via the established performance monitoring framework. Analyze the cause of deviations against targets, initiate remedial actions, assign responsibilities for remediation, and follow up. At appropriate times, review all deviations and search for root causes where necessary. Document the issues for further guidance if the problem recurs. Collect and retain the appropriate evidence and documentation to support the analysis. Where feasible, link the achievement of performance targets to the organizational reward and compensation system.



COBIT domain: Monitor and Evaluate
Process Description: ME1 Monitor and Evaluate IT Performance

Sub process: Board and Executive Reporting
Current Practice: There is a level of reporting through e-mail, and formal reporting on a quarterly basis for both the Lima and Miraflores offices. This includes project activities with IT suppliers related to important issues.
Gap: Lack of procedures to report activities in a formal manner.
Recommended Actions: Establish a board and executive reporting process, based on the performance monitoring framework, for regular, accurate and timely reporting on IT's contribution to the business, by measuring the achievement of IT goals, the mitigation of IT risks and the usage of resources. Design senior management reports to highlight key issues (positive and negative), generally relating to IT's contribution to the business and specifically to IT solution and service delivery capability and performance. Consolidate the results of IT performance measurement. Translate them into business performance impacts (positive or negative) and incorporate the results into the standard periodic reports to the board. Clearly link IT performance measurement to business outcomes and identify how IT supports the business strategy.
