IT Governance Effectiveness

September 2015
 Your Presenter
Gordon Braun
Managing Director within Protiviti's Kansas City Office
Member of Protiviti's global IT Effectiveness and Control Team
16+ years in information technology, internal audit, and risk consulting
spanning a variety of industries, including healthcare, financial
services, and consumer products, among other industries
Experienced in a broad range of projects, from short-term audits and
assessments to full-scale process re-engineering and system
implementation programs
~ At least dozen projects specifically categorized as IT governance-
ish in the last 5 years
Gordon.braun@Protiviti.com
913.661.7406 - office

1 2015 Protiviti Inc. An Equal Opportunity Employer.

 About Protiviti

Protiviti is a global business consulting and internal audit

firm composed of experts specializing in risk, advisory and
transaction services.
Protiviti is a wholly owned subsidiary of Robert Half
International Inc. (NYSE: RHI). Founded in 1948, Robert
Half International is a member of the S&P 500 index.
Protiviti's client base includes over 35% of the Fortune
1000, 35% of the Fortune 500, 40% of the Fortune 100
companies.
Protiviti is in 20+ countries and has over 70 locations
around the world.
2 2015 Protiviti Inc. An Equal Opportunity Employer.
 Today's Agenda:
Critical Questions

Is IT governance important? Is it a top risk?

If it is why do so few companies audit it?

What are the key elements of IT governance?

What is Internal Audit's role / responsibility?

What is involved in a "typical" IT governance

audit?

Can we see some examples and cases?

3 2015 Protiviti Inc. An Equal Opportunity Employer.

 How important is IT governance?
Is it a top risk?

4 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance: IT objectives are
aligned with business objectives

(well come back to IT

governance definitions)

5 2015 Protiviti Inc. An Equal Opportunity Employer.

 Transformation Within IT
Organizations
Protivitis 2015 IT Priorities Survey confirms that for the second year in a row, IT transformation has
become the new normal for companies: Nearly two-thirds of respondents report that some form of
major IT transformation is underway in their organizations. Even more important: Not only is IT
altering its structure, the function is also transforming its fundamental mission. ITs objective is
shifting from leveraging technology in support of the business to the higher-reaching goal of
protecting and enhancing business value.
The most notable 2015 priorities for survey participants included:

IT Changes with
Collaboration is Key
Increased Demand

Search for Balance-

Security Enhance and Protect
Value

Strengthening IT Asset
and Data management

6 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT spend is increasing

7 2015 Protiviti Inc. An Equal Opportunity Employer.

 Should you be nervous if your
organization is in the 33% of
companies that are not going
through an IT transformation?

8 2015 Protiviti Inc. An Equal Opportunity Employer.

 Deploying IT resources to the
wrong IT enabled initiatives
could result in devastating
impacts agree?

9 2015 Protiviti Inc. An Equal Opportunity Employer.

 Having a bad process to ensure
the alignment of business and IT
objectives could be devastating

10 2015 Protiviti Inc. An Equal Opportunity Employer.

 Are we auditing the effectiveness
of IT governance?

11 2015 Protiviti Inc. An Equal Opportunity Employer.

 IIA Standard Says Thou Must!

Standard 2110-A2:
The internal audit activity must
assess whether information
technology governance of the
organization sustains and
supports the organizations
strategies and objectives.

12 2015 Protiviti Inc. An Equal Opportunity Employer.

 Protiviti IT Audit Benchmarking Survey

13 2015 Protiviti Inc. An Equal Opportunity Employer.

 Protiviti IT Audit Benchmarking Survey

14 2015 Protiviti Inc. An Equal Opportunity Employer.

 Protiviti IT Audit Benchmarking Survey

15 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance Audit?
Ensure the IT organization has adopted and applied sound
project management techniques for each project undertaken
which includes project ownership, user involvement, task
breakdown and milestones, allocation of responsibilities, cost,
quality plan, and security plan for sensitive systems.

Verify a change management system exists which provides for

analysis, implementation and follow-up of all changes requested
and made to the existing IT infrastructure. Process should take
into consideration the identification of changes, categorization,
prioritization and emergency procedures, impact assessment,
change authorization, release management, and software
distribution.

Verify that appropriate information security policies have been

established and communicated to user community and ensure a
process is in place to monitor compliance to security policies.

16 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance & Business Value
According to Sloan (MIT), entities effective governance can
achieve 40% greater returns from IT investment through:
Clarified business strategies and the role of IT
Measurement of IT spend and value
Assignment of accountability
Learning from each implementation to become more
adept at sharing and reusing IT assets
According to the IT Governance Institute, fewer than 40% of
enterprises feel they have effective IT governance.

Implies that over 60% of enterprises fail to realize

opportunities for enhanced business success & value.
17 2015 Protiviti Inc. An Equal Opportunity Employer.
 Why arent we auditing IT
governance processes, really?

18 2015 Protiviti Inc. An Equal Opportunity Employer.

 What is IT governance?

19 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance an example ISACA graphic

20 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance ValIT

21 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance Gartner definition

IT governance (ITG) is defined as the processes that ensure the effective and efficient use
of IT in enabling an organization to achieve its goals.

IT demand governance (ITDGwhat IT should work on) is the process by which

organizations ensure the effective evaluation, selection, prioritization, and funding of
competing IT investments; oversee their implementation; and extract (measurable)
business benefits. ITDG is a business investment decision-making and oversight process,
and it is a business management responsibility.

IT supply-side governance (ITSGhow IT should do what it does) is concerned with

ensuring that the IT organization operates in an effective, efficient and compliant fashion,
and it is primarily a CIO responsibility.

22 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance Institute

The terms "governance", "enterprise governance" and

"GEIT" may have different meanings to different
individuals and enterprises depending on (amongst
others) the organizational context, e.g., maturity,
industry and regulatory environment, or the individual
context, e.g., job role, education and experience.

23 2015 Protiviti Inc. An Equal Opportunity Employer.

 CobIT 5.0 Implementing
Governance & Controls
CobIT 5.0 will provide a renewed
and authoritative governance and
management framework for
enterprise information and related
technology
Builds on the current widely
recognized and accepted CobIT
framework
Links and reinforces other major
ISACA frameworks and guidance
such as Val IT and Risk IT.
CobIT 5.0 connects to other major
frameworks and standards in the
marketplace (ITIL, ISO standards,
etc.)

Source: ISACA CobIT Framework for IT and Control, www.isaca.org

24 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance CobIT 5

COBIT 5: A BUSINESS FRAMEWORK FOR THE GOVERNANCE AND

MANAGEMENT OF ENTERPRISE IT

25 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance CobIT 5

26 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance CobIT 5

27 2015 Protiviti Inc. An Equal Opportunity Employer.

 What are the key elements of IT
governance?

28 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance: Responsibility

IT Governance is the responsibility of the board of

directors and executive management. It is an integral
part of enterprise governance and consists of the
leadership and organizational structures and
processes that ensure that the organization's IT
sustains and extends the organization's strategies
and objectives.

- IT Governance Institute

29 2015 Protiviti Inc. An Equal Opportunity Employer.

 Five Elements of IT Governance
IT Governance Practices and Goals
Strategic Alignment
Strategic Alignment
Linkage between business and IT plans
Performance Resource
Define IT value proposition / archetype Risk Management Management Management

Develop IT architecture that enables business Value Delivery

objectives

Risk Management Resource Management

IT risk awareness and understanding risk Optimize investment in resources
appetite
Discipline management of resources
Transparency
Align capabilities
Accountability and risk management processes

Performance Management Value Delivery

Measure strategy implementation Deliver benefits against strategy
Measure value delivery Execute the IT Value Proposition
Drive behaviors and improve Improve intrinsic value of IT

30 2015 Protiviti Inc. An Equal Opportunity Employer.

 Strategic Alignment

31 2015 Protiviti Inc. An Equal Opportunity Employer.

 Strategic Alignment
Objective: IT Governance Practices and Goals
Strategic Alignment
Focus the linkage of business and IT plans; processes to define,
maintain and validate the IT value proposition; and on aligning IT Risk Performance Resource
Management Management Management
operations with enterprise operations.
Value Delivery
Example Governance Artifacts:
IT Strategic Plan
IT Steering Committee materials
IT presentations / communications to the Board of Directors
IT policies and governance processes
Third Party service provider agreements and RFP process

Typical Control Areas:

Roles and responsibilities in strategy development (BOD, executive management, IT leadership)
IT Steering Committee activities
IT management awareness and participation in the overall business strategy
Processes to link IT initiatives to one or more of the organizations strategic objectives
Communication between IT management and business management and IT management and the Board
Processes to manage 3rd party service providers
Impact IT has on the organization understand the archetype (utility vs. process enabler vs. revenue enabler)

32 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Strategic Alignment Archetypes

The IT Process Institute (ITPI) identified

three common IT alignment archetypes:
1 Utility Providers: Are not proactively engaged with the
business; primarily focused on "keep the lights on"
services
2 Process Optimizers: Are more responsive to business
needs; focus on business applications and processes as
well as "keep the lights on" services
3 Revenue Enablers: Are well integrated into the business
strategy; focus on technology-enabled products as well
as business processes and "keep the lights on" services

33 2015 Protiviti Inc. An Equal Opportunity Employer.

 Risk Management

34 2015 Protiviti Inc. An Equal Opportunity Employer.

 Risk Management
Objective: IT Governance Practices and Goals
Strategic Alignment
Determine if activities are conducted relating to the
Risk Performance Resource
identification and analysis of risks impacting the achievement Management Management Management
of business objectives and the preparation of financial Value Delivery
statements.

Example Governance Artifacts:

IT risk assessment and risk mitigation strategies and activities
Communications to executive management and BOD related to IT risk management
IT risk catalog

Typical Control Areas:

Alignment of IT risk in ERM programs
Processes to identify, communicate, and manage IT risks
Involvement of key stakeholders (business and IT) in risk management strategies
Risk management activities in key process areas (security, change management, demand
management) and projects
Transparency into the IT risk profile and activities to manage risk (disaster recovery, etc.)

35 2015 Protiviti Inc. An Equal Opportunity Employer.

 Performance Management

36 2015 Protiviti Inc. An Equal Opportunity Employer.

 Performance Management
Objective: IT Governance Practices and Goals
Strategic Alignment
Determine if processes exist to ensure IT systems, processes, and
personnel are aligned with current and anticipated business needs. Risk Performance Resource
Management Management Management
Value Delivery
Example Governance Artifacts:
Performance metrics for services, projects, processes, and systems
Reports of ITs performance against defined metrics to key stakeholders and executive management
Service Level Agreements
Incident and Problem Management Policies and Procedures
Cost Allocation Policies and Procedures
IT Balanced Scorecard

Typical Control Areas:

Process to define and measure key performance indicators (KPIs)
Process to review and communicate metrics and KPIs to the business, and update KPIs as the business changes.
Processes to review key performance metrics and correct items falling below thresholds
IT scorecard linkage between business goals and IT goals..
Board of Directors and executive management awareness of IT performance based on quantifiable data
Budget analysis and benchmarking
Procurement & sourcing
37 2015 Protiviti Inc. An Equal Opportunity Employer.
 Resource Management

38 2015 Protiviti Inc. An Equal Opportunity Employer.

 Resource Management
Objective: IT Governance Practices and Goals
Strategic Alignment
Focuses on the optimal investment in, and the proper management of,
critical IT resources: applications, information, infrastructure and people. Risk Performance Resource
Key issues relate to the optimization of knowledge and infrastructure. Management Management Management
Value Delivery
Example Governance Artifacts:
IT organization chart and job descriptions
Policies, procedures and processes for resource management
Sourcing strategy for IT projects
IT Asset Management policies and procedures
Architecture policies and standards

Typical Control Areas:

IT procurement and IT sourcing processes and strategies
Identification of the resources required to execute IT strategies
Processes to identify gaps and ensure the availability of IT resources, skills and infrastructure to meet the strategic
objectives.
Processes to forecast future demand for IT resources
Processes to monitor and manage applications and IT assets
Processes to assess and implement IT segregation of duties
IT Architect involvement in strategy development, projects, key decisions, etc.

39 2015 Protiviti Inc. An Equal Opportunity Employer.

 Value Delivery

40 2015 Protiviti Inc. An Equal Opportunity Employer.

 Value Delivery
Objective: IT Governance Practices and Goals
Strategic Alignment
Evaluate processes to evaluate and approve IT investments; evaluate
whether IT delivers the promised benefits against the strategy; Risk Performance Resource
understand how IT optimizes costs and improves intrinsic value. Management Management Management
Value Delivery
Example Governance Artifacts:
IT Steering Committee Meeting Minutes
IT Project Portfolio
Policies related to identifying, reviewing and approving IT investments
Business cases for key / large investments
Processes to assess performance against defined business cases

Typical Controls Areas:

Linkage between approved IT investments and value to the business
Relationship between IT project performance indicators and business objectives
Business case requirements, development and approval process
Processes to ensure value from IT investments is realized
ROI for IT investments
IT demand management and project portfolio management

41 2015 Protiviti Inc. An Equal Opportunity Employer.

 Assessing IT Governance:
Considerations for Internal Audit

42 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance Assessment:
Context & Approach
IT governance assessment does not need to follow a "one-size-fits-all"
audit program approach. When planning a review, the audit team can
decide what context is needed to make the audit more impactful.
Common variations include:
Enterprise-Level Governance
Audit Effort / Duration

Service / Process Area(s) 5 pillars?

Outsourced Service Provider/ Vendor Risk
Strategic Initiative(s)
Decision-Making & Strategy Alignment

Budget 2x-3x longer for scoping!

43 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance Assessment:
Key Considerations & Resources
Strategic Risk Resource Performance Value
Alignment Management Management Measurement Delivery

Define IT Value Determine Risk Optimize IT Measure Strategy Deliver Against

Proposition Appetite / Tolerance Resources (e.g., Implementation Benefits Strategy &
people, technology) ROI
Linkage between IT Risk Awareness Measure Value
Business and IT Optimize Investment Delivery to IT Value Meeting Business
Transparency
Plans in Resources Proposition Requirements
Identify Risk
Deliver Value to Optimize IT SLAs Execute the IT
Exposures
Products and Knowledge (training, Value Proposition
Operational &
Services Risk Accountability career
Strategic Metrics On Time / Within
Risk Tracking / development)
Increase Managerial Budget
Reporting
Effectiveness Trending Align Capabilities
Integrity & Accuracy
Communication
Assist in Competitive Co-sourcing / of Information
Positioning Outsourcing Board & Executive
Awareness
Asset Management

44 2015 Protiviti Inc. An Equal Opportunity Employer.

 Maturity Mapping IT Governance Model
Legend:
Current State Strategic Risk Resource Performance Value
Management Goal Alignment Management Management Management Delivery

Realization
of Value Optimized
Key Takeaway: "Optimized" is not an
Proposition
appropriate target for most organizations
Managed
Process Maturity

Defined

Repeatable

Initial /
(Example)
Ad hoc

45 2015 Protiviti Inc. An Equal Opportunity Employer.

 Example 1

IT Governance Audit

46 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance Audit Scope Summary (graphic)

47 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance Audit Scope Summary (text)
Background: Enterprise governance is a set of responsibilities and practices exercised by the board and executive
management. The overall objective of enterprise governance over IT is to understand the issues and strategic importance of IT
so that the company can sustain its operations and implement strategies required to extend its activities into the future, ensuring
that ITs performance meets the following objectives:
Alignment with entity objectives and realization of promised benefits
Use of IT as an enabler by exploiting opportunities and maximizing benefits
Responsible use of IT resources
Appropriate management of IT-related risks

Objectives: Audit objectives include:

Determine current state of enterprise governance practices over IT
Identify enterprise governance practices of IT that are appropriate based on company objectives
Assess design gaps and improvement opportunities, determining a course of action to achieve appropriate level of enterprise
governance over IT

Approach: The primary evaluation and assessment will be conducted through:

Inquiry of key board members, executive management and extended leadership teams to assess current enterprise
governance practices over IT in addition to desired practices or expectations.
Assess current practices and capabilities against an enterprise governance over IT Maturity Model.
Benchmark (both formally and informally) current company practices.

Scope: The following processes are considered to be in scope:

Strategic Alignment
Value Delivery
Resource Management
Performance Measurement
Risk Management

48 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance Audit Issue Example
Strategic
Issue #2 Inconsistent Process for Approving IT-related Projects Alignment

Description
There is no formally documented process by which IT projects are requested, evaluated, and approved.
Some corporate entities and Divisions indicated that they provide business case-related information, but
there is no required format to enable consistent review of projects on an equal basis. Additionally, there
are no defined criteria by which projects are evaluated to ensure that they are in alignment with the
organizations strategic objectives. Finally, there is no process that validates the achievement of benefits
after project completion.

Quotes
Its a disjointed process
There doesnt appear to be an apples to apples comparison between projects
In my opinion, there is no organized process for selecting projects for funding
Within our Division, we have a well-defined process for evaluating and prioritizing projects, but I dont
feel like thats taken into consideration when IT projects are selected by Corporate
Were told that certain projects arent approved due to lack of funding, but nobody has ever come
back to us to ask for additional funds

Action Plan Recommendations

Agree on key process steps/ activities to be carried out, then document and publish those activities.
Establish formal criteria for project evaluation and a required format for all submitted business cases.
Modify the project approval process to include feedback regarding project selection/ approval.
Implement a process to review, on a sample basis, completed projects to determine if the stated
49
benefits
2015 were
Protiviti Inc. An realized.
Equal Opportunity Employer.
 IT Governance Audit Issue Example
Performance

Issue #4 Inadequate Performance Metrics and Communication Metrics

Description
The IT organization regularly reports performance metrics to Senior Leadership. However, recipients do
not consider the metrics to be reflective of overall IT performance. Additionally, most indicated that
positive actions and achievements completed by the CIO organization are not adequately communicated
or celebrated.
Quotes
The metrics that we see from IT indicate that everything is great, but I can tell you that based on my
organization, that is not the case
They are either measuring the wrong things, or the things they are measuring arent being valued
correctly
While their metrics may reflect things like ticket closures, what it fails to capture is the fact that
people do anything they can to not call the service desk due to the frustrations that they experience
IT doesnt celebrate their achievements - when they increased the VPN capacity, which was a great
thing for the organization, it wasnt communicated at all
Action Plan Recommendations
Solicit feedback from Corporate functions and departments to establish new metrics that would be
more useful or representative of the value of the services they receive.
Evaluate the existing metrics reported by IT and determine if there are either additional data points
that can be communicated, or changes to existing data points which would more accurately portray
level of service.
Implement a mechanism to communicate IT achievements to the organization (i.e. email, intranet
notice, etc.)

50 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance Audit Results CMM Summary

51 2015 Protiviti Inc. An Equal Opportunity Employer.

 IT Governance Audit Results 5 Pillars Example

52 2015 Protiviti Inc. An Equal Opportunity Employer.

 Example 2

Benefits Realization Review

53 2015 Protiviti Inc. An Equal Opportunity Employer.

 Benefits Realization Review Scope
As a part of the annual budget allocation and project approval activities,
each potential IT initiative is required to submit a benefits baseline for each
Business Case (BC). The project sponsor, with CIOs guidance, commits
to and is accountable for tracking, delivery and realization of benefits.

Internal Audit reviewed the benefits realization process and performed an

assessment to determine whether the direct and measurable benefits
contained in the business case were realized as stated. Other soft
benefits, such as improved employee satisfaction, were not considered.

Internal Audit did not review any of the costs that were incurred to fund
the achievement of benefits, nor was the overall ROI considered.

It was the responsibility of the initiative team to provide evidence

substantiating the benefits attained.
54 2015 Protiviti Inc. An Equal Opportunity Employer.
 Benefits Realization Review Results
The Business Travel Services: SBT business case identifies 4 key benefits, among others:
Lower transaction fees of $1M over a three-year period.
Availability of 24 by 7 services through an online booking tool will reduce traveler reliance
on higher-cost after-hours "emergency" services, as well as provide an official company-
sponsored alternative to booking online directly through the Internet.
Use of self-booking tools facilitates enhanced policy compliance through visible display of
cost-effective travel options and the ability to include compliance messaging at the user's
point-of-need. In addition, certain out-of-policy options (e.g. higher fare class) can be
blocked with the online tool, if required.
Based on the industry average reduced ticket price outside North America of 8-15%, we
have projected a conservative 10% lower average lower ticket price in each of the major
markets. The result is savings of $2.1M over a three-year period.
The business case indicates that $330,619 of direct and measurable benefits will be achieved
in FYxx. The initiative team submitted an FYxx benefits realization claim of $727,844.
Planned Benefits in USD
Benefit Type Organization Benefit Benefit FY20xx FY20xx FY20xx FY20xx
Accruing Operating Begins Benefits Claim
Benefit Function FQ/FYYY

Direct & XYZ Business FQ1/20xx $330,619 $727,844 $1,068,709 $1,662,156

Measurable Process
Operations

55 2015 Protiviti Inc. An Equal Opportunity Employer.

 Benefits Realization Review Results
Evidence that benefits were realized
Corporate Travel contract agreement indicates a blended, agent assisted transaction price of
$30 per transaction vs. an online transaction price of $10 per transaction. Datasource
reports indicate total number of transactions by category resulting in savings of $239,921.
Datasource reports also indicate gross savings based on average ticket price by market
resulting in savings of $487,923.
Additional detail only available in FYxx reporting indicates a model of savings for international
and domestic ticket types that substantiate the claimed 2% savings on average ticket price
for FY04.
Conclusion
While the business case indicates $330,619 of benefits would be attained in FYxx, initiative
management was able to substantiate the benefits realization claim of $727,844 of reduced
transaction fees and ATP.
Resulting Benefits in USD

Benefit Type Organizatio Benefit Benefit FY20xx FYxx Actual Actual FY20xx FY20xx
n Accruing Operating Begins (Planned) Benefits Benefits vs. (Planned) (Planned)
Benefit Function FQ/FYYY Planned
Direct & XYZ Business FQ1/20xx $330,619 $727,844 $397,225 $1,068,709 $1,662,156
Measurable Process
Operations

56 2015 Protiviti Inc. An Equal Opportunity Employer.

 Example 3

Performance Measurement -
Projects

57 2015 Protiviti Inc. An Equal Opportunity Employer.

 Project Tracking bad example
PROJ LIFETIMEAC
PROJID TITLE OWNER ITHRSLOGGED USERHRSLOGGED TUAL STATUS ACTUALENDDATE
86 New website Joe 13835 95 13930 In Progress
2012-12-11
88 (UL and Trad) for internal Bob 11123 48 11171 In Progress 00:00:00.0
2014-05-27
209 XYZ version 17 upgrade - Dev Tom 2960 261 3221 Complete 00:00:00.0
160 New Site for existing products Kirstin 2953 0 2953 Not Started
2013-12-13
89 Electronic contracting) Greta 2413 235 2648 Complete 00:00:00.0
386 LongView (Internal Resources) Bill 1571 0 1571 In Progress
2013-11-12
130 ABC software upgrade) Joey 1225 110 1335 Complete 00:00:00.0
2013-03-25
94 CRM system Tom 1185 0 1185 Complete 00:00:00.0
163 2011 - Communication App Ralph 1111 0 1111 Cancelled

58 2015 Protiviti Inc. An Equal Opportunity Employer.

 Project Governance good example

59 2015 Protiviti Inc. An Equal Opportunity Employer.

 Case Study Real Life

60 2015 Protiviti Inc. An Equal Opportunity Employer.

 Case Background
Franchisor - 700 + franchises around the world; approaching $1bn in global
franchise revenue
Technology Project: Replacement of core operational software
Legacy software was Access-based single instances across all franchises data
is loaded back to corporate for consolidation and reporting
Decision was made to purchase packaged software and heavily customize it;
project cost was over $20m
IT Steering Committee comprised of dedicated and smart people was setup and the
entire organization was behind the project
A PMO of existing employees was established and some elements of project
management were available for consideration
We were engaged by the President, who knew something was starting to smell bad
Bury the auditor technique was deployed - - but the issues were numerous

61 2015 Protiviti Inc. An Equal Opportunity Employer.

 Case 1 - Review Findings
Recommendation Related Observations Benefits of Challenges For Time Cost People
Implementation Implementation Impact Impact Impact
A. Develop a defined scope 1. There is no clear overall - Clear alignment - Due to the current Medium Low High
and roadmap for all NANS- strategy and vision for of business goals resource $
related initiatives. This NANS that has been with IT goals. requirements of the
document should include communicated to the SLT project, it may be
the prioritization of each and franchise owners. - Decreased difficult to engage
project, clear milestones 2. Key project-related confusion regarding the necessary
that allow for the tracking documents such as a expectations for people to develop
of progress, and high-level project plan and estimated NANS. the roadmap.
estimates of completion timelines have not been
dates for additional created and communicated - There is the
functionality. to management and the - Increased visibility
and transparency potential for
Once completed, network Franchise Owner
3. Confusion exists regarding to the NANS
communication of the dissatisfaction
the scope of NANS and project.
roadmap to the franchise depending on how
network and Home when specific functionality key functionality is
Office should be will be available. - Increased feeling prioritized and how
carefully managed. 4. The implementation timeline of accountability for quickly it is
of reaching a tipping point key project delivered.
Project status should be by the end of 2014 seems managers and
measured against the lengthy, given the amount of sponsors.
plan and reported to resources currently devoted
Senior Leadership and to the NANS project.
the NANS Steering 5. Budgets and timelines are
Committee on a regular consistently missed causing
basis. a lack of confidence in the
implementation.

62 2015 Protiviti Inc. An Equal Opportunity Employer.

 Case 1 - Review Findings
Recommendation Related Observations Benefits of Challenges For Time Cost People
Implementation Implementation Impact Impact Impact
B. Identify the individual(s) 1. It is not clear who is the - Clear ownership - Since NANS Medium Low Medium
ultimately responsible for ultimate owner of the will increase affects the entire
the NANS project. $
NANS project. accountability for organization, it may
This individual should be There are individuals the project. be difficult to
involved in all key within the organization pinpoint the right
project-related decisions, that view Technology as - Active person or persons
including budget and the overall NANS owner, participation from to own the overall
timeline considerations. while others see the the steering project.
More emphasis should owner as being various committee will help
be put on the NANS members of the SLT. ensure project - Increased
Steering Committee to objectives and involvement and
ensure they are also 2. Although a steering targets are scrutiny by both the
included in major project committee has been achieved. project owner and
decisions. established for the NANS steering committee
project, there has not been may add additional
While the overall NANS consistent attendance and
owner should come from time to the
participation during bi- decision-making
the business, there weekly committee
should be an individual process.
meetings.
who manages the project
solely from a technology 3. A full understanding of all
perspective, working project costs, including
closely with the project estimate to complete, has
owner. not been developed or
communicated to the SLT.

63 2015 Protiviti Inc. An Equal Opportunity Employer.

 10 Takeaways!
1. We are in a period of extraordinary technology development and
change dont put your head in the sand.
2. There is no one definition of IT governance, but effective governance
will ultimately lead to better performance. It is critical!
3. Internal Audit should have a view whether IT governance of the
organization sustains and supports the organization's strategies and
objectives.
4. When assessing IT governance, it is important to leverage research,
frameworks, and other best practice tools as "audit accelerators."
5. IT governance audits require an effective IT audit function and will
raise the profile of IT audit significantly.

64 2015 Protiviti Inc. An Equal Opportunity Employer.

 10 Takeaways!
6. There are multiple IT governance assessment approaches. Auditors
should consider the changing needs of the enterprise when planning
IT governance assessments.
7. An IT governance audit can be a very effective way to build a
relationship with IT leadership.
8. Remember to budget 2-3x longer for scoping when planning for an IT
governance project.
9. Adding additional time to the reporting process is also a very good
idea socializing the issues and obtaining buy in can take some
time.
10. If your IT audit scope/ risk assessment results havent changed in the
last few years, you likely have a problem (an IT problem, or an IT
audit problem).

65 2015 Protiviti Inc. An Equal Opportunity Employer.

 Confidentiality Statement and Restriction for Use

This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half International Inc.
("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used
solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner
or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties.

2015 Protiviti Inc. An Equal Opportunity Employer.