COBIT and IT Governance Case Study: Allstate
With assets in excess of US $134 billion, revenues of more than US $32 billion and nearly 40,000 employees, Allstate serves more than 16 million households and is the largest publicly held property and casualty insurance company in the United States. In 2000 Allstate internal audit implemented a formal IT control framework and adopted Control Objectives for Information and related Technology (COBIT). Allstate internal audit uses COBIT to scope and plan all audits. In addition, efforts are underway by Allstate’s infrastructure group to build-in appropriate COBIT controls into select infrastructure processes. After the Sarbanes-Oxley Act was passed in the US, Allstate began using COBIT to evaluate IT governance and control, obtain benchmarks for assessing automated controls embedded in key business processes and assess the control activities performed by the company’s application support team. COBIT helps ensure alignment between business strategies and technology investments. Allstate has also found that COBIT helps it achieve an effective balance of appropriate and consistent controls to improve the efficiency and effectiveness of the business.
Allstate was founded in 1931 as part of Sears, Roebuck & Co., and became a publicly traded company in 1993. With assets in excess of US $134 billion and revenues of more than US $32 billion, the company has nearly 40,000 employees. It is based in Northbrook, Illinois, USA, and offers a wide range of protection and savings tools that work together to achieve financial security. The company serves more than 16 million households, and is the largest publicly held property and casualty insurance company in the United States.
Prior to 2000, Allstate Internal Audit did not have a formal IT control framework in place. A new director of internal audit reviewed the department and business environment, and subsequently worked with senior management to adopt Control Objectives for Information and related Technology (COBIT) as the IT governance model under which the team would operate.
The audit director won support for COBIT by demonstrating to management that its use provided a structured means to ensure consistent and appropriate IT controls throughout the company. In addition, COBIT provided a common control language that enabled clear communication about controls and processes.
The process of introducing and ultimately receiving the go-ahead to adopt COBIT consisted of a variety of steps. The team members constructed a COBIT-based risk assessment approach, then held interviews with strategic IT and business managers to obtain enterprise views about the key business objectives and potential risk areas. Based on the comments received, they developed and ranked, according to risk, critical application and infrastructure inventory. The team evaluated the risk ratings by business unit and the systems impact for each COBIT category. They identified audits related to specific risk areas and developed the annual audit plan. In addition, they designed audit programs and templates based on COBIT objectives.
Allstate has since used COBIT to scope, assess and document control activities associated with the company’s internal infrastructure areas. Goals for implementing COBIT focus on:
- Increasing awareness of the importance of IT controls
- Bringing attention to corporate IT governance
- Fostering management accountability
- Improving client/auditor communication
- Providing a risk assessment framework
COBIT’s Role in Sarbanes-Oxley Compliance
After the Sarbanes-Oxley Act was passed in the US, Allstate used COBIT to evaluate IT governance and control, and used the Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to evaluate business process control. Control objectives derived from COBIT were used as benchmarks for assessing automated controls embedded in key business processes. The team members also used COBIT to assess the control activities performed by the company’s application support team as they developed and maintained applications that were of significant importance from a Sarbanes-Oxley perspective. COBIT was also used to assess controls within Allstate’s infrastructure environment.
One of the first steps in Allstate’s Sarbanes-Oxley approach was to define three phases. Phase 1 focused on organizing and launching the plan, phase 2 included documentation and assessment workshops, and phase 3 concentrated on sustainment activities.
In phase 1 the IT audit team aligned Allstate’s IT processes into three distinct IT levels that define how the company views IT (figure 1). Level 1 was for the business control owner (automated application controls such as interface controls, system edit checks and end user security). Level 2 was for the application support control owner (general application controls such as change management, programmer security and system development lifecycle). Level 3 was for the infrastructure control owner (general computing controls such as data center operations, security administration and network administration).
Allstate IT Control Framework
The team members performed an IT risk assessment of COBIT to identify the objectives that relate to Sarbanes-Oxley (figure 2) and mapped the risk-assessed subset of COBIT objectives to the company’s level 1, 2 and 3 processes. They further drilled down from the level 3 COBIT objectives to each individual infrastructure area. Next they used the risk-ranked business processes to scope their level 2 work (key applications) and elements of their level 3 work (key operating systems).
To further ease the control documentation gathering process, the team developed summary level control objectives (based on COBIT and customized by Allstate) that grouped like-kind COBIT objectives together. This led to identifying which of the underlying COBIT objectives were key to ensuring that each summary level Allstate objective would be met. At least one key control is required for each Allstate summary control objective.
Phase 2 focused on level 1, 2 and 3 control documentation workshops to help identify and confirm control activities, key controls and gaps. This enabled the development of an IT design gap decision tree and a control gap prioritization spreadsheet to assist with the gap remediation impact assessment.
As part of phase 3, periodic self-assessment of control objectives continues to be performed by the business and IT units. Although the approaches vary, best practices have been applied, such as:
- All key controls must be self-assessed at least annually, with the majority assessed quarterly.
- Key controls with open design gaps should not be self-assessed.
- The individual who performs the key control activity cannot also perform the self-assessment.
- All self-assessment testing must be evidenced by appropriate documentation.
- Self-assessment scope and results must be summarized and reported to applicable certifiers.
In addition, attestation readiness reviews are performed by internal audit to assess management’s self-assessment activities. A repeatable process is required to be used throughout the company.
Allstate plans on continuing to use COBIT as its IT framework and to drive its audit planning process and subsequent audit work. In addition, because it proved to be such a beneficial tool, COBIT will remain an integral part of the company’s ongoing Sarbanes-Oxley sustainment efforts.
IT Governance Starts at the Board Level
The primary responsibility of the Allstate board of directors is to oversee the affairs of the company for the benefit of the shareholders. The board acts as advisor and counselor to senior management and ultimately monitors its performance. This includes monitoring IT governance, which is reviewed and discussed by the board’s audit committee, particularly with respect to compliance with company policies and standards, compliance with legal and regulatory requirements and the effectiveness of internal controls.
COBIT’s control objectives and management guidelines provide the board with a high level of assurance. Allstate uses this technology governance process to achieve and maintain alignment between business strategies and technology investments. For example:
- Business and IT stakeholders must be consistently involved in priority setting and resource allocation as Allstate pursues its enterprise strategies.
- A shared governance approach ensures that potential technology solutions are examined with the broader, cross-business unit perspective necessary for enterprise strategy optimization.
- Potential mismatches in technology acquisition and utilization between near-term business objectives and long-term strategic direction must be identified, discussed and resolved.
- Governance ensures that existing assets and solutions are leveraged where appropriate and that new assets and solutions are developed with sufficient breadth and flexibility to be leveraged by other initiatives.
Through its continual assessment and enhancement efforts, Allstate has found that while inadequate controls expose an organization to risks that could degrade or interrupt work and potentially harm its reputation, the overuse of controls is a burden to successfully running a business in a highly competitive environment. COBIT helps Allstate achieve an effective balance where appropriate controls are in place to improve the efficiency and effectiveness of processes. Examples of benefits realized include:
- Edits early in the process reduced exceptions and rework.
- Controls that provide consistency in data collection and processing help ensure accurate information and compliance with myriad states’ rules and regulations.
- Properly securing information minimizes the need to recover data and systems, to explain why confidential information was disclosed or to address the loss of competitive information.
- Including controls at the front end of the system development process saved time, effort and expense.
- Technology investment decisions are aligned to the business goals.
- Communications between the business and IT communities improved.
- Management had a framework that promoted scope containment and financial management.