COBIT and IT Governance Case Study: Unisys Corporation
Unisys, a leading international IT services company, recognized the need for a standardized IT strategy to support global operations, align the IT infrastructure with the company’s overall business strategy and help comply with Sarbanes-Oxley (SOX). Control Objectives for Information and related Technology (COBIT) was evaluated and adopted to provide an effective IT controls and IT governance framework. As a result of implementing COBIT, business processes within IT were improved and SOX-related controls were established.
Unisys is a global leader in information and technology solutions. In 2004 it had revenue of US $5.8 billion and 36,400 employees. The company is based in Blue Bell, PA, USA, and conducts business in more than 100 countries.
The Unisys internal audit staff introduced COBIT to the senior IT management team in early 2002. COBIT was championed by the Unisys CFO, general auditor and CIO as a good controls and governance framework. Unisys adopted the COBIT framework in the third quarter of 2002. During the second half of 2002, internal audit conducted its first audits of IT using COBIT. In 2003, the company expanded its use to the total workforce through comprehensive training.
The overall goal was for COBIT to provide a standardized framework across the entire Unisys IT organization. In addition, COBIT established the framework for SOX controls throughout 2003 and contributed to Unisys SOX certification in 2004. It also formed the basis of core vs. context analysis in 2004 that led to global sourcing activities in late 2004 and 2005.
Since 1997, Unisys has put significant focus on writing and publishing a worldwide IT strategy. The strategy needed to capture and manage the requirements of global operations and align the IT infrastructure with the overall strategy of the company. Unisys is a services-led, technology-enabled solutions provider for clients. Simple, global standard business processes remain a key IT governance goal.
Over the next few years, the company evolved an IT governance process that is structured around ROI-based projects, a formalized project initiation process (PIP) and a CEO-led IT Governance Council (ITGC) consisting of the senior business unit executives.
In 2002 the company identified certain controls that needed to be audited. The basic concepts of those controls were explained during the audits and management reviews of the audits. Unisys IT began using COBIT as a framework to design a service-driven approach for internal customers. This implementation of COBIT helped define roles and responsibilities, and continues to help guide modeling of internal processes using Unisys 3D Visible Enterprise (3D-VE) tools. (Unisys 3D-VE is a methodology to see the cause and effect across an enterprise of contemplated infrastructure changes before actually committing resources to the changes.)
In the first two quarters of 2003, a Unisys corporate task team was organized to develop the approach and plan for compliance with SOX Section 404. The SOX basic control framework for IT was developed by midyear, and formal and informal training programs were implemented over the next nine months. The CIO’s staff attended instructor-led classes. Two different webcasts were created for employees, in addition to other specific classes.
In addition to being used for SOX-related controls, COBIT is also implemented by Unisys to help drive process standardization for the software development life cycle (SDLC), where the company has integrated the Rational Unified Process (RUP) and COBIT. Unisys has also utilized COBIT as a guideline for developing its approach for outsourcing work to third parties by identifying processes and tasks within the domains of COBIT that can be outsourced vs. those that are better off being retained internally by Unisys IT.
Future plans for COBIT at Unisys include refining and developing IT policy around the 34 COBIT processes. Work has already begun on this initiative.
Business processes within IT have improved as a result of using COBIT for ongoing SOX compliance and other IT governance-related projects. Companies need a strong governance model in place to approve, prioritize and manage IT investments on an ongoing basis. This is necessary to align IT investments with the business requirements needed to deliver IT value to the company. The process of IT governance must involve the business units at the highest level in a partnership with IT to ensure that effective strategic alignment is achieved.
The Unisys board of directors is focused on SOX activities and on major investment areas. The board receives input from the work of the SOX, internal audit and ITGC reporting teams, and addresses major risk responsibilities including:
Ensuring the overall information security, disaster recovery and business continuity of the company’s IT infrastructure, as well as physical recovery of various major assets
Requiring a business case for major IT expenditures and analysis by the IT leadership to inform the board, so the board can approve or disapprove major IT proposals
Measuring the forecasted return on investment and other results and benefits tracked over a number of months or years against the original proposal
Ensuring alignment of the IT infrastructure so it provides maximum support to the accomplishment of the major business objectives and corporate strategy
COBIT has contributed to many areas within Unisys, including:
IT governance—Forming strategy, managing investments
Audit methodology—Developing audit plans and approaches
SOX—Assessing risks, processes and controls
Process standards—Managing infrastructure and application life cycle
Policy formation—Using control objectives as a foundation for standards
Outsourcing—Recognizing appropriate opportunities for third-party services
Security—Managing enterprise security efforts
In relation to the board’s goals and the company’s strategic requirements, COBIT has a number of key attributes that Unisys IT deems important:
Communication—Common terminology across IT to discuss policy, standards, process and controls
Quality—Comprehensive view of the IT enterprise
Consistency—Common approach to solve problems
Credibility—External standard against which to be measured
Maturity—Ability to monitor and measure progress over time
As business and IT strategies are further integrated in the future, COBIT should help Unisys remain an agile enterprise with world-class efficiency and effectiveness.