IT Governance Case Study
Charles Schwab & Co., Inc. Implements COBIT and IT Governance
Charles Schwab's diverse and complex technology environment became even more complicated after it acquired US Trust and became a financial holding company. Because of the increased regulatory oversight resulting from this acquisition, senior management sought an improved IT governance control framework. Schwab's Internal Audit Department proposed implementing Control Objectives for Information and related Technology (COBIT®) to establish an IT governance program in the organization and to ensure consistency in risk management and IS audits. As a result, Schwab ensured that its audit approach is consistent with regulatory guidelines, improved its IS control environment, enhanced IT and business processes and educated internal clients on risk and control concepts.
The Charles Schwab Corporation is one of the nation's largest financial services firms engaged, through its subsidiaries, in providing securities brokerage and related financial services for more than 8 million active accounts. Clients include domestic and international individual investors, independent investment managers, institutions, broker-dealers and 401(k) plan sponsors.
The author of this case study is a long-time member of ISACA® and a past president of the San Francisco (California, USA) Chapter. He has been aware of COBIT since it was first released and has used COBIT during audits for Charles Schwab and other businesses.
Charles Schwab's implementation of COBIT was initiated when the company acquired US Trust and became a financial holding company. This transaction resulted in increased regulatory exposure, and senior management recognized the need for an improved IT governance and control framework.
Schwab's technology environment is diverse and complex. Internal audit is responsible for auditing in-house and vendor-developed applications and IT solutions. It also audits a range of hardware platforms including mainframes, distributed systems (e.g., UNIX, NT and Netware) and network components (e.g., routers and firewalls).
The internal audit team educated senior management about COBIT, the positive impact it would have on business and technology units throughout the firm, and how it would be implemented. The team also discussed the fact that many regulatory bodies use COBIT during examinations, and therefore COBIT would serve as a valuable tool to increase preparedness and facilitate communications.
Management concurred with internal audit's assessment, and Charles Schwab adopted COBIT as a tool to ensure consistency in risk management and in its approach to information systems audits.
Schwab's IS/technology audit approach is based on a defined audit universe with 14 key elements. Annual risk assessments are completed and a rotational audit schedule is planned based upon the level of risk associated with each universe element. All IS audits are aligned with one of the audit universe elements, and all audits are planned to assess the control objectives associated with each element.
The internal audit team also defined several audit focal points to ensure consistency in the execution of all IS audits. The focal points, which serve as a general outline for audit planning documents and audit work programs, help produce trending reports regarding the status of controls in the organization's IT environment.
For example, the four audit focal points for the information security universe element are:
- Access control
- System security configuration
- Monitoring and incident response
- Security management and administration
The four audit focal points for the infrastructure universe element are:
- Structure and strategy
- Methodologies and procedures
- Measurement and reporting
- Tools and technology
Each audit focal point is further broken down into multiple areas of emphasis that define the control areas focused on during each audit. These areas of emphasis are tailored to match the scope and objectives of each audit.
Schwab's approach for implementing COBIT focused on the following path:
- Map COBIT to the Federal Financial Institutions Examination Council (FFIEC) examination guidelines. Since the Schwab Financial Holding Company must comply with banking regulations, it wanted to ensure that its audit approach was consistent with relevant regulatory examination criteria. Mapping these criteria to the COBIT domains and control objectives enabled Schwab to document its interpretation of the relationships between the COBIT domains and control objectives and the examination criteria in the FFIEC IS Examination Handbook, which is used by examiners to review IS operations in financial institutions.
- Map the audit universe to COBIT's high-level control objectives. This mapping exercise ensured that each audit universe element addressed the relevant COBIT control objectives.
- Map scheduled audits to the COBIT detailed control objectives. This will become an annual mapping process completed during Schwab's yearly audit planning phase. Mapping detailed control objectives to each audit helps ensure that the strategy, objectives and scope for each audit include all of the relevant COBIT control objectives (i.e., a completeness check to identify gaps).
- Develop a COBIT control assessment questionnaire for each audit. The questionnaires document the results of joint risk assessments. They will be updated as processes change and re-evaluated during future audits in each area. They also evaluate the effectiveness of existing processes and control mechanisms and provide detail on risk mitigating action plans for areas that require improvements.
- Facilitate work sessions with clients. Proactive projects, such as developing the questionnaires, have had a positive impact on client relationships and have helped ensure consistency in the application of risk assessments over IT functions. They help evaluate the effectiveness of controls in place for the area under review. To ensure consistency and collaboration, the assessment results are documented using COBIT maturity ratings highlighted in the COBIT Management Guidelines component.
- Analyze, document and validate results. Schwab evaluated the results of the joint risk assessment process by executing its audit work programs and performing tests of controls. It used the COBIT Audit Guidelines to facilitate audit testing, where relevant, by comparing existing audit work programs to the COBIT Audit Guidelines framework. After testing is complete, the results of each audit are documented in an audit report issued to senior management.
Implementing COBIT as part of its audit process has significantly enhanced Schwab's risk assessment process and has provided confidence that its audit strategy covers industry best practices and control objectives. US Federal Reserve Board examiners have confirmed that Schwab's implementation of a COBIT-based audit approach is an appropriate method for assessing IT risks. Other benefits include increased client participation in audits and positive impacts on relationships with clients. Involved parties now believe internal audit's approach is effective and a win-win situation for all stakeholders.
During the joint risk assessment work sessions, internal audit advised clients on areas that require improvement. COBIT was a valuable tool that provided guidance related to global best practices in risk mitigating solutions. The COBIT-based audit approach has increased interaction between internal audit and its clients that has resulted in value-added consultation to enhance IT and business processes. COBIT also has made it easier to educate clients on control and risk concepts, which in turn has led to internal process improvement initiatives.
COBIT is an excellent open standard for all types of organizations. It provides a solid foundation to assess existing audit strategies and IT processes that help ensure appropriate controls are in place in the IT environment.
Looking forward, Schwab will continue to implement and expand its COBIT-based audit approach. It is implementing a COBIT Management Guidelines Questionnaire to facilitate evaluation of management-level controls focused on management reporting, performance monitoring and metrics analysis.