COBIT and IT Governance Case Study: Harley-Davidson
The business goal of Harley-Davidson Motor Company is to produce and sell high-quality motorcycles. Until the early 2000s, this goal was the sole focus, and limited attention was given to internal audit and controls. Because of increased scrutiny and regulations worldwide, it was important for the company to continue its successful business model and also incorporate new thinking regarding the importance of controls. The challenge was in getting management, information technology (IT) and audit speaking the same language and working toward increased control, while still respecting the company’s unique culture. A new department dedicated to control and risk mitigation needed a framework focused on the key value areas important to the business. This all had to be accomplished by building consensus among varied departments and without affecting quality or slowing production.
Harley-Davidson Motor Company was founded in 1903 in Milwaukee, Wisconsin, USA. It is the oldest producer of motorcycles in the US and has enjoyed 20 consecutive years of record revenue. For the year ended 31 December 2005, Harley-Davidson shipped 329,000 motorcycles (a 3.7 percent increase), had revenue of US $5.3 billion and experienced worldwide growth of 6.2 percent.
In 2003, Harley-Davidson had limited IT controls in place and staff had limited control knowledge. There was no standardized user access process, no defined and documented change management process, and no rigor in backup and recovery processes, and there were minimal organizational standards.
Although complying with Sarbanes-Oxley was going to be a challenge, the company took strong action, utilized COBIT (Control Objectives for Information and related Technology) and achieved Sarbanes-Oxley year-one compliance.
In addition, it had been difficult to find other manufacturers to benchmark against, and COBIT helped show Harley-Davidson management where the company was positioned regarding controls and what should be done to improve.
To jumpstart IT governance and Sarbanes-Oxley activities, Harley-Davidson created an IS compliance department and began implementing a vendor’s general computer controls model. After attending a COBIT User Convention, a Harley-Davidson risk specialist recommended COBIT to management and then converted the control framework to COBIT, published by the IT Governance Institute. Concurrently, the internal audit department was driving IT to move beyond pure compliance. The company realized it needed a broad control framework, which helped eliminate the constantly changing “bar” used as a benchmark.
Reasons behind Harley-Davidson’s selection of COBIT include:
- It is an internationally accepted standard for IT governance and control practices.
- It can be used by management, end users, and IT audit and security professionals, and it provides a common language.
- It provides a means for benchmarking controls compliance.
- The COBIT framework, including tools and templates, is available essentially free as a download from www.itgi.org.
- Other leading standards, including ISO 17799, ITIL and NIST, harmonize and map to COBIT.
- The company was able to gain agreement with the external auditor on the same framework and control objectives.
Key to introducing COBIT was ensuring that all of IT and management understood why they needed to care about effective, value-focused controls. Getting them to realize that there are many important business reasons for this was the first key hurdle to be successfully addressed. COBIT’s business-focused language allowed management, IT and internal audit to ensure they were on the same road.
Harley-Davidson’s COBIT migration process needed to go beyond questions such as “Do you have a systems development life cycle (SDLC) process?” to stimulate internal conversations on what an SDLC really is and which skills were required. The team started by mapping implemented controls to COBIT and compared the results to a previously accepted Big 4 accounting firm’s COBIT mapping. Gaps were identified and plans were developed to close these gaps.
One of the major benefits of using COBIT as its overall internal control and compliance model was getting everyone—especially nontechnical motorcycle experts—revved up about control activities and why controls are important. Harley-Davidson is subject to many regulations, including HIPAA and Gramm-Leach-Bliley, and COBIT serves as an umbrella framework that helps the company zero in on appropriate control and compliance activities.
For example, it is a constant challenge to ensure that control owners truly understand effective control. Sometimes they assume “more is better.” With COBIT, the risk team could clearly show them that one or two good controls can be better than having seven controls, of which several are ineffective. Once control owners understood the value of expending fewer resources and less time for an equal or better control, they jumped on board.
Tracking and reporting are important components of ongoing IT governance activities. Team members must be able to learn about carried-over and repeat findings, and follow up with management action plan owners to ensure forward momentum continues to address the issues. Harley-Davidson developed an MS Access issues-tracking database to give IT and internal audit joint visibility of known control weaknesses.
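As an added illustration, not part of the original case study and not Harley-Davidson’s actual database, the following Python/sqlite3 sketch shows the two questions such an issues tracker has to answer: which control areas keep recurring across audit cycles (repeat findings), and which open findings are past their management action plan due date (carry-over). All table names, column names, owners and sample findings are constructed.

```python
import sqlite3

# Constructed sample data: three audit cycles and the findings raised in each.
AUDITS = [
    (1, "FY2004 IT general controls", "2004-12-31"),
    (2, "FY2005 IT general controls", "2005-12-31"),
    (3, "FY2006 IT general controls", "2006-12-31"),
]
FINDINGS = [
    # finding_id, audit_id, control_area, description, owner, status, due_date
    (101, 1, "Change management", "Changes promoted without documented approval", "J. Doe", "closed", "2005-03-31"),
    (102, 1, "User access", "No periodic review of privileged accounts", "A. Roe", "open", "2005-06-30"),
    (103, 2, "Change management", "Emergency changes not retrospectively approved", "J. Doe", "open", "2006-03-31"),
    (104, 2, "User access", "Terminated users retained active accounts", "A. Roe", "open", "2006-06-30"),
    (105, 2, "Backup and recovery", "Restore tests not performed", "B. Poe", "closed", "2006-01-31"),
    (106, 3, "User access", "Shared administrator account in use", "A. Roe", "open", "2007-06-30"),
]


def build_db():
    """Create an in-memory tracker with the constructed audits and findings."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE audit (
            audit_id   INTEGER PRIMARY KEY,
            name       TEXT NOT NULL,
            period_end TEXT NOT NULL);
        CREATE TABLE finding (
            finding_id   INTEGER PRIMARY KEY,
            audit_id     INTEGER NOT NULL REFERENCES audit(audit_id),
            control_area TEXT NOT NULL,
            description  TEXT NOT NULL,
            owner        TEXT NOT NULL,
            status       TEXT NOT NULL CHECK (status IN ('open', 'closed')),
            due_date     TEXT NOT NULL);   -- ISO date, so string order is date order
    """)
    conn.executemany("INSERT INTO audit VALUES (?, ?, ?)", AUDITS)
    conn.executemany("INSERT INTO finding VALUES (?, ?, ?, ?, ?, ?, ?)", FINDINGS)
    conn.commit()
    return conn


def repeat_findings(conn, min_audits=2):
    """Control areas with findings in at least `min_audits` distinct audit cycles.
    Returns (control_area, number_of_cycles), most recurrent first."""
    return conn.execute("""
        SELECT control_area, COUNT(DISTINCT audit_id) AS cycles
        FROM finding
        GROUP BY control_area
        HAVING cycles >= ?
        ORDER BY cycles DESC, control_area
    """, (min_audits,)).fetchall()


def carry_over_findings(conn, as_of):
    """Open findings whose action plan due date has passed as of `as_of`
    (ISO date string), oldest first, with the audit that raised them."""
    return conn.execute("""
        SELECT f.finding_id, a.name, f.control_area, f.owner, f.due_date
        FROM finding f JOIN audit a ON a.audit_id = f.audit_id
        WHERE f.status = 'open' AND f.due_date < ?
        ORDER BY f.due_date
    """, (as_of,)).fetchall()


def overdue_by_owner(conn, as_of):
    """Number of overdue open findings per action plan owner, for follow-up."""
    return conn.execute("""
        SELECT owner, COUNT(*) AS overdue
        FROM finding
        WHERE status = 'open' AND due_date < ?
        GROUP BY owner
        ORDER BY overdue DESC, owner
    """, (as_of,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Repeat findings:", repeat_findings(db))
    print("Carry-over as of 2006-12-31:", carry_over_findings(db, "2006-12-31"))
    print("Overdue by owner:", overdue_by_owner(db, "2006-12-31"))
```

The point of the two queries is the follow-up loop the text describes: a control area that appears in three consecutive cycles is a root-cause question rather than another action plan, and an owner with several overdue items is where the risk team spends its next conversation.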
Driving internal change was also a key goal of this highly competitive company, and COBIT benchmarking was an invaluable tool for independent comparison. It put the information in the right perspective for management and helped obtain overall buy-in. The framework shows peer comparison in an unbiased format and is used as part of every IT audit. Best of all, it invites discussion about where the company would like to be.
Prior to implementing the COBIT framework, areas the external auditor audited were chosen randomly or on loose justifications. Now the areas selected for auditing are firmly based on business value and control needs.
The breadth and depth of COBIT have naturally allowed it to be used successfully as a central control model. In addition, benefits Harley-Davidson has found by using COBIT as a control model include:
- IT governance personnel can map frameworks “behind the scenes.”
- End users need to be aware of only one standard.
- IT can easily show compliance with multiple frameworks.
- It helps establish a consistent focus.
- It gains external audit agreement on the company’s control position.
- It establishes the ability to use control objectives to help identify root causes.
- There is a comprehensive view of the risk and control environment.
- It provides a foundation for all future internal and Sarbanes-Oxley-related audits.
The company is also planning to conduct an IT governance audit using Val IT, a governance framework that helps boards of directors and executive management attain an appropriate return on investment (ROI) for IT-enabled investments. Company executives realize they need to go beyond knowing “what control is in place” and expand to understanding “does this control really work” and “is the control objective really met.”