COBIT and IT Governance Case Study: Providing Maximum Benefits and Strong IT Governance and Control at Canadian Tire Financial Services
Employing more than 1,700 people and financing and managing the Canadian Tire Options® MasterCard® for more than three million cardmembers, Canadian Tire Financial Services, Ltd. (CTFS) is an important entity in the financial services industry. After recognizing the need to implement a proactive IT governance program, CTFS implemented Control Objectives for Information and related Technology (COBIT). COBIT helped the organization communicate to IT and management why they needed to care about effective controls and provide a framework for implementation. COBIT’s components were successfully used in many ways, such as building a strategic IT internal audit review plan, assessing process maturity and validating the accuracy of IT risk scoring.
As the financial services arm of Canadian Tire Corporation, Ltd., Canadian Tire Financial Services (CTFS) is primarily engaged in financing and managing the Canadian Tire Options MasterCard for more than three million cardmembers. The Options MasterCard is accepted at more than 24 million locations worldwide and offers the Canadian Tire “Money” On the Card loyalty program.
CTFS also markets a variety of insurance and warranty products to more than six million customers. In addition, its emergency roadside service, Canadian Tire Roadside Assistance™, provides peace-of-mind driving to many Canadians. CTFS’s goal is to build lifelong relationships with Canadian Tire customers by providing products and services they truly value.
The company began in 1961 as Midland Shoppers Credit Limited, a small financial service company offering third-party credit processing for local retailers. During the 1960s, the company began adding Canadian Tire Associate Stores to its client list. By 1968, Midland was servicing Associate Stores across Ontario. It eventually became a subsidiary of Canadian Tire Corporation, Ltd. and was renamed Canadian Tire Acceptance Limited (CTAL).
CTFS, with Canadian Tire Bank, currently employs more than 1,700 people, with offices in Welland, St. Catharines and Burlington, Ontario, Canada. Contributing significantly to Canadian Tire Corporation’s annual profits, CTFS is an important player in the financial services industry. The Service Quality Measurement Group Inc. (SQM) has repeatedly recognized CTFS as the “Best Call Centre in North America” and as an organization whose overall customer satisfaction ratings are at the world-class level. This designation requires 80 percent or more of customers to rate their satisfaction at the very satisfied level, which is the highest score possible on the SQM ratings.
CTFS recognized the need to implement proactive IT governance initiatives in 2004 because the upcoming CEO/CFO Certification requirements meant that it had to have a formalized process to successfully implement the appropriate controls. The CEO/CFO Certification requirements were developed by the Canadian Securities Administrators (CSA) and the Ontario Securities Commission (OSC) in response to the U.S. Sarbanes-Oxley Act. This set of rules requires CEO and CFO certification of annual and quarterly reports (MI 52-109, Certification of Disclosure in Issuers’ Annual and Interim Filings). The process was formalized and implemented in 2005 and 2006.
The next step was to pursue the support of senior management for the initiatives. Once it was determined and confirmed that there was a gap within the current process, the business plan was presented to the executive team and approval was obtained to move forward with the initial analysis required.
To successfully implement IT governance and CEO/CFO Certification activities, COBIT was recommended by an external audit consultant who had been working with CTFS Information Technology Product & Services (ITP&S), helping to determine the requirements for the CEO/CFO Certification scope. The COBIT framework came highly recommended as the appropriate framework for the division. Published by the IT Governance Institute, the COBIT guidance enabled CTFS to begin designing the implementation of a general computer controls model.
Reasons Behind CTFS’s Selection of COBIT:
- COBIT is an internationally accepted standard for IT governance and control practices.
- It provides a means for benchmarking internal control compliance.
- It can be used by management, end users, and IT audit and security professionals, and it provides a common language.
- The driving force for introducing COBIT was ensuring that all of IT and management understood why they needed to care about effective controls. Getting them to realize that there are many important business reasons for this was the initial milestone to be successfully addressed.
- COBIT easily maps to other leading standards, including ISO 17799, ITIL and NIST.
- CTFS was able to gain agreement with the external and internal audit partners on the same framework and control objectives.
- The COBIT framework addresses three main audiences: ITP&S, management and auditors. The benefits of implementing COBIT as our governance framework included better alignment based on business focus. It makes management understand IT better. There is senior level clarity of ownership and responsibilities, based on process orientation.
- CTFS is subject to many regulations and audit requirements, including PCI, OSFI, Privacy, Internal Control over Financial Reporting (ICOFR) associated with CEO/CFO Certification, and IT General Controls Sub-certification. COBIT serves as the framework that enables the company to implement or fine-tune the appropriate control compliance and governance activities while maintaining the business alignment and understanding of the required changes.
COBIT was also used to establish and improve IT governance. Once departmental owners were assigned to each domain and subdomain of COBIT, they detailed a business plan and obtained approval to form an IT Risk Governance department to manage the governance and compliance of the controls on an ongoing basis internally and with external vendor relationships.
CTFS realized many benefits from COBIT, including the following:
- COBIT enabled CTFS to build and prepare a strategic IT internal audit review plan based on the 34 COBIT process areas.
- COBIT enabled CTFS to assess process maturity using the COBIT capability maturity model.
- COBIT was used to evaluate the IT risk identification based on the COBIT control objectives and the risk assessment process.
- COBIT was used to validate the accuracy of IT risk scoring based on objective and risk mapping.
- COBIT was used to rationalize the requirement for an audit using the COBIT framework descriptions.
- CTFS IT was able to prepare a tactical internal audit plan based on the COBIT audit guidelines.
- COBIT was used to break down the scope of the audit review using COBIT key goal indicators (KGIs) and critical success factors (CSFs).
- COBIT was used to help develop the required testing to assess control effectiveness based on the COBIT control practices.
By implementing COBIT, CTFS was able to analyze the key lifeblood areas of the company and the systems and applications associated with these business units. The management guidelines helped prioritize and monitor business processes by using KGIs, key performance indicators and maturity models. Addressing the COBIT control objectives and mapping them to the areas of defined risk helped to facilitate the system or process changes required to enhance the existing controls and the confidence of CTFS business managers that they can ensure an adequate control system is provided for their IT environment. This allows them to continue to grow the business and focus on new business plans.
Board Involvement in IT Governance
CTFS believes that effective IT governance delivers the structured processes needed to meet business goals while defining the regulatory requirements and the controls associated with their shareholders, and ensures that the board’s objectives have been met and monitored. However, as the organization has learned, governance is only the first step toward improved IT decision making. The governance process begins with the board of directors and then funnels through the executive team and on to the operations staff. Through this approach, everyone can attain the same goals and outcome.
The board is responsible for the review and approval of the strategic plans and direction of IT. Its members also ensure alignment between the needs of the business and the plans of IT. They will annually review the IT cost structure, and once every three years they review the results of a cost benchmark analyzing internal IT costs against a peer group of companies.
The benefits of technology are never doubted; however, for an IT division to be successful, the risks associated with implementing new technologies or changes to existing systems or applications have to be understood and managed. Fortunately, CTFS was introduced to COBIT early in its planning stages, and it was used to organize one of the most intensive process changes across all areas of IT. The COBIT framework was a strong partner in the organization’s success.
COBIT provides a clear, concise approach to aid the planning and implementation of IT general computing controls. It provides the ability to assign accountability across the domains, which has enabled CTFS to match up the owners of the functional area. CTFS looks forward to the ongoing value that using the COBIT framework will provide.
COBIT has enabled CTFS IT to provide managers, internal and external auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices used to ensure that the challenges of the CEO/CFO Certification regulatory requirements have been met. COBIT has been a valuable tool for maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in the company’s IT division.
As a successful organization, CTFS understands the benefits of information technology and uses this knowledge to drive shareholders’ value. The organization recognizes the critical dependence of many business processes on IT, the need to comply with increasing regulatory compliance demands and the benefits of managing risk. To enable the organization to successfully meet today’s business challenges, CTFS ITP&S will continue to utilize the IT Governance Institute’s COBIT framework. This framework will set the baseline for ongoing and new technology initiatives, including internal control requirements, allowing CTFS to provide a consistent approach to all ongoing work within IT.