Experienced CIOs and emerging IT leaders are challenged by ever-increasing complexities in the technology and business environments. Leaders are faced with increasingly complex regulatory environments, mergers and acquisitions, and the challenge of IT assignments. Often these opportunities involve performing a structured assessment of the IT organization, its relationship to the business and the general effectiveness of its overall control environment. Savvy IT leaders find that arming themselves with a high-level knowledge of COBIT (Control Objectives for Information and related Technology) can be a powerful way to increase effectiveness, create strong relationships with external auditors and positively impact IT governance.
Blackboard Inc. (NASDAQ BBBB) is a leading provider of online education products and services with more than 2,400 clients in more than 60 countries. The company has more than 50 employees in offices in Washington DC, and Phoenix, Arizona, USA; Amsterdam, The Netherlands; and Japan. Its Blackboard Learning System is available in more than 11 languages and has more than 12 million active users. The company was named to the Computerworld Smithsonian Collection of Laureates for leadership in using IT to improve society.
Compliance with regulations such as the Sarbanes-Oxley Act, the PATRIOT Act, and the Payment Card Industry Data Security Standard affects the practices of new and long-established enterprises. Public and private companies often have complex, interdependent processes embedded into their operations, with equally complex IT systems running them. Start-up companies face the pressures of transforming informal business processes into structured, auditable processes in an environment of rapid growth. This is especially true when companies are positioning themselves to go public. In the midst of this change, IT leaders find themselves creating cross-department relationships with auditors, peers and the external board of directors. Having an effective framework for assessing effectiveness and risks of the IT department can be a powerful tool to assist in navigating change.
COBIT provides a rich framework for entity-level and general operational controls. The framework is organized by summary controls objectives, which then break out into detailed controls. IT leaders can leverage collections of controls and create checklists to assess current operations and incorporate them into due diligence activities.
Although in most cases it is unnecessary for CIOs to learn the full COBIT framework, a good portion of the overall IT enterprise can be assessed and governed under COBIT, as shown in figure 1. This high-level summary serves as the basis for Blackboard’s ongoing dialogue with external auditors around Sarbanes-Oxley compliance.
Entity-level Strategy, Relationships and Communications
Looking at strategy, relationships and communications, one can quickly recognize the key areas of IT relationships and governance that impact all IT operations across all industries. At the entity controls level, CIOs must constantly assess the overall relationships between IT and the business. The entity-level controls address issues such as how well the organization communicates with the business, as well as the process by which IT involves the business in developing the ongoing portfolio of IT projects through IT steering committees and other focus groups. It also addresses how effectively the external board of directors is kept aware of IT investments, as well as how the IT organization uses metrics to measure performance and value. By leveraging the high-level entity controls in combination with executive surveys, CIOs can gain insight into the overall enterprise relationship between IT and the business.
Assessing IT Processes Against COBIT General Controls
CIOs can also leverage COBIT to assess specific IT processes, such as application change management, problem management and the system development life cycle. Internal security functions and infrastructure management groups are complex operations. IT leaders can leverage general control objectives to assess how well these groups are maintaining policies, ensuring consistent security practices and leveraging consistent processes to manage changes to production infrastructure configurations. Computer operations are covered under COBIT control objectives that assess management of data and operations management.
Nearly all IT organizations are characterized by third-party relationships, including hardware and software providers, outsourcing partners, managed security service providers (MSSPs), and IT auditors. COBIT provides a high-level framework to ensure that third-party IT suppliers observe company policies, adhere to IT architecture requirements and operate under business processes that are compatible with those of the customer.
Mergers and Acquisitions
One of the more challenging tasks a company will face is an acquisition of another organization or a merger. Unforeseen problems or weaknesses in another organization’s IT operations can weaken the value of a merger or wreak havoc on its success. CIOs often find themselves in the position of needing to do a fast, predictive assessment of a target’s IT operations. To the extent that both companies have implemented a common audit framework, due diligence teams can assess IT operations using a known framework. If not, COBIT provides a handy library to build assessment checklists.
Preparing for the IPO
Leading IT in a public company puts enormous pressures on CIOs that often do not exist in non-public enterprises. Corporations are now under the microscope to demonstrate effective, auditable business processes. This also extends to the business systems that support those processes. With the advent of Sarbanes-Oxley, most IT departments have had to radically reshape one or more major internal processes.
Companies that plan to go public need to understand that this may require change in how they operate or how they document their business processes. Based on interaction with venture capital firms, it is clear that they are placing increased emphasis on the ability for a startup to navigate these regulations and add to the value of the firm.
“A savvy executive team can position itself well ahead of a public offering and instill Sarbanes-Oxley-compliant processes early on, allowing a rapidly growing firm to grow with them in place. Again, new and seasoned IT executives should leverage control frameworks that are familiar to external auditors, to minimize rework later. COBIT is a well-recognized international framework that I have used with all of the major US audit firms,” said John Lambeth, CISA, CISSP, vice president, Blackboard Inc.
Leveraging Internal Audit Functions
IT leaders can find ready and able resources in corporate internal audit staff members to assist with assessments and implementing COBIT. While most firms of at least medium size have internal audit staff members who are familiar with internal business audit practices, some may still struggle with identifying appropriate IT audit frameworks.
CIOs can establish powerful and effective relationships with internal audit by initiating the adoption of IT audit frameworks in the organization.
Developing an understanding of COBIT and how it can be leveraged to lead IT organizations is an advantage that any CIO can acquire. Doing so will establish credibility with external auditors, shareholders and executive management.