COBIT Case Study: IT Governance - Financial Audit Department
Government of Dubai Implements a Full Life Cycle for Continuous Improvement
The Financial Audit Department (FAD) is the supreme audit institution of Dubai. This office is headed by a Director General and reports to the Ruler of Dubai.
The FAD was established by the law No (1) of 1995 issued by His Highness the Ruler of Dubai on 29 January 1995 and was subsequently amended by the Law No (5) of 2000. Subsequent amendment by Law No.(3) of 2007 made FAD further independent, by empowering a direct reporting channel to His Highness the Ruler of Dubai.
The audit jurisdiction of FAD covers all government departments, public corporations, companies in which the Government shareholding is above 25 percent, organizations for which the Government provides a financial subsidy, and/or any other body where an audit is commissioned by His Highness the Ruler of Dubai.
The FAD conducts regular financial audits, information systems audits and performance audits for ascertaining the extent of legality, adequacy of financial prudency and management of financial operations. The objectives include reviewing of efficiency, effectiveness and economy in planning, directing, execution, controlling and monitoring of operations.
Dubai is one of the seven emirates in the UAE, which is on the eastern coast of the Arabian Peninsula in the southwestern corner of the Arabian Gulf. The total area of the UAE is approximately 77,700 square kilometers.
Dubai ’s economic growth from 2000-2005 has been remarkable, with double- digit gross domestic product (GDP) growth and relatively high per capita income, despite negligible dependence on oil. The driving force behind Dubai’s economic performance has been the Government, through investments and other initiatives, supported by the private sector, guided by Dubai Strategic Plan 2015. Since the year 2000, Dubai’s real GDP has been growing at a compounded annual growth rate of 13 percent.
The FAD recognized the need to promote, formalize and improve IT governance practices within Dubai as the extensive usage of information technology is widely accepted as an essential component in providing services to citizens, residents and business entities.
The Government of Dubai has a strong commitment in the use of technology as a business enabler in achieving its strategic positioning as a business hub of the region. The direct benefits of this have been realized through greater interactions among the government departments and the ease of doing business in Dubai. The Government has reinforced its commitment to good corporate and IT governance to provide services, secure information, protect privacy and nurture best practices to meet the growing challenges of adapting to economic advancement and social changes.
Information Systems Audits
To provide assurance on IT governance and encourage the adoption of leading practices for IT governance within government entities, an information system/technology audit function has been commissioned since 2000. The following mission statement was adopted for the Information System Audit section of the FAD.
To assess whether the governance, control and risk management of information systems:
- Safeguard assets
- Maintain integrity, confidentiality and availability
- Achieve organizational goals effectively
- Consume resources efficiently
- Comply with the leading practices and applicable regulations
- Align with the vision of the Government of Dubai
Benefits of using COBIT as a framework
Team members of the information systems audit section of FAD are mostly members and certified professionals of ISACA, either they hold the Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) or Certified in the Governance of Enterprise IT (CGEIT) designation. The team assumes the responsibility as internal champions for adopting ISACA/ITGI resources as required.
The Control Objectives for Information and related Technology (COBIT), IT governance framework, developed by ISACA’s affiliate, the IT Governance Institute (ITGI), had already been adopted as the resource serving as the overall framework for information systems audit methodology since 2000.
The information systems audit section of FAD recognized the need to be proactive. Hence, from merely using COBIT resources for assurance, the team decided to promote the best practices of COBIT resources among its audit community. COBIT provides control objectives, control practice statements and other resources supporting assurance processes as a global reference framework and benchmark.
As a significant step, the section has pioneered and implemented an IT Governance maturity model assessment as an integral part of all major IS Audits, since 2001. This is based on the COBIT maturity model and was a unique audit methodology in the government sector within UAE/GCC countries.
The following is the high-level approach diagram of information system audits.
Improving process maturity using COBIT
COBIT-based maturity model assessment/rating are mandatory components in all major audit assignments. This necessitates adopting the best practices suggested by COBIT by the auditees and mandates the need for demonstrating improved maturity on IT-related processes. In turn, this drives internal programs to identify and improve upon process maturity on prioritized areas that are supported by the business. The IT governance assessment has been supported by an internally designed tool for arriving at the scores. An indicative presentation of overall score and domain scores would be as follows:
FAD has undertaken IT governance assessments using COBIT and has introduced the advantages of COBIT in many Government entities. In many entities, multiple assessments have been undertaken since 2000. So far, FAD has done more than 40 IT Governance assessments using COBIT. The following is a sample list of entities that had been subject to IT Governance assessments, where the best practices of COBIT have been introduced successfully.
- Dubai Customs World
- Dubai Health Authority
- Dubai Airport Free-zone
- Royal Air Wing
- Dubai Electricity & Water Authority
- Dubai Police
- Dubai Municipality
- Dubai Duty Free
- Dubai World Trade Center
- Dubai Chamber of Commerce and Industries
- Dubai E-Government
- Dubai Civil Aviation (Dubai Airports)
- Dubai Financial Market
- Roads and Transport Authority
- Dubai Land Department
- Government Information Resources Planning
- Department of Naturalisation & Residency
- Department of Economic Development
- Dry Dock World
- Dubai Gas Company
- Emaar properties
- Mercator – Emirates Airlines
- Dubai Islamic Bank
- Dubai Aluminium ( DUBAL )
- Emirates National Oil Company (ENOC)
Obtaining senior management support
IT governance assessments promoted the benefits of raising the level of process maturity as a way towards building and sustaining IT governance culture. To achieve the mission and objectives most effectively, apart from conducting IS/IT audits, FAD mooted an initiative named Information Technology Governance Assurance Forum (ITGAF). ITGAF (www.ITGAF.ae), was founded in 2006 as a not-for-profit professional organization exclusively to promote IT governance in Dubai. This was formed to propagate IT governance, more specifically, to build, sustain and improve IT governance practices within the Government of Dubai and its establishments.
Commitment from the Director General (DG) of the Financial
Audit Department (FAD), on the concept of setting up the ITGAF, followed as a natural outcome of thought leadership. The DG of the FAD assumed the role of the founding chairman of ITGAF and the key sponsor of the initiative. This gave ITGAF the impetus to design and authority to deliver various programs, making significant progress in pursuing and accomplishing the stated mission and objectives.
The following have been formally adopted as the mission and high-level objectives of ITGAF.
To provide support to boards and executive managements of Government community on the direction, successful usage and governance of information technology towards achieving organizational goals
- Promote IT governance practices as an integral part of corporate governance among Dubai Government community.
- Brainstorm on the leading practices/frameworks for effective IT governance.
- Establish a forum of IT decision makers to network and facilitate continuous improvement on the stated objectives.
- Facilitate continuous educational support to the Government Community.
- Empower the audit departments of the Government Community by building IS control/audit strengths.
The following are the highlights of key activities that were undertaken by ITGAF.
- Conferences: The conferences of 2006, 2007 and 2008 were focused on adopting, implementing and sustaining leading practices on IT governance, respectively. Presenters at the conferences included IT governance/Corporate governance leaders such as Mr. Erik Guldentops, advisor to the ITGI board, Dr. Nasser Al Saidi, Executive Director, Hawkamah, The Institute of Corporate Governance, etc.
- Workshops: Propagating COBIT as a model framework by conducting workshops on a regular basis. ITGAF conducted several workshops in 2007 and 2008 on related topics, including Implementing IT Governance Practices. A workshop titled Using COBIT for Effective IT Management and Implementing IT Governance was held in November 2008 and repeated in February 2009.
- Awards: Commencing 2006 through 2008, ITGAF instituted an award that is bestowed to the IT department among the Government of Dubai that demonstrates highest level of process maturity in IT governance. The award is named as “ITGAF Process Maturity Award”. The criteria for evaluation of process maturity are based on the COBIT maturity model framework. The maturity model score collation and evaluation are done using an in-house-developed tool for standardized evaluation.
- In 2008, FAD developed and rolled out a pilot project to conduct IT Governance Maturity Model Assessments as a Control Self Assessment (CSA) initiative. Once this project is fully implemented, all Dubai Government Departments will assess and report the outcome of CSA to FAD. To support this activity, an exercise of identifying “Champions” within all Dubai Government Departments and a workshop was organized to equip the Champions, who will in turn lead the CSA projects. While this was a pilot project, it is expected to become a formal activity in 2009. Upon gathering the feedback, this is expected to be extended to all other entities owned by the Government.
- Scope, applicability and reach of ITGAF extends beyond one organization. In effect, the above activities have actually made significant contribution towards adoption and implementation of good governance practices in government departments and in more than 40 other major to medium establishments, where the Government of Dubai has a stake.
- ITGAF/FAD has an existing Memorandum of Understanding (MOU) with the local chapter of ISACA for collaborative efforts in the areas of IT governance. This has been in place since 2007. ITGAF, as an initiative, advocates the cause of IT governance and that of ISACA/ITGI. The following are the stated objectives in the MOU between ITGAF and the ISACA UAE Chapter.
The ITGAF and ISACA-UAE Chapter share a common goal, namely to promote best practices in IS and improve upon IS practices related to assurance, control, security and governance in the region. This goal is supported by the following objectives:
(A) To improve the IT governance practices among government departments and companies owned by the government of Dubai, thus improving the overall IS infrastructure and the security of IS assets.
(B) To help develop modern IT-related governance frameworks for entities within Dubai, UAE, in accordance with international best practices
(C) To disseminate IS knowledge with focus on assurance, control, security and governance among the entities
(A) Coordinating and conducting conferences, seminars, roundtables, workshops and tutorials for dissemination of knowledge
(B) Publishing material related to IS/ IT governance for spreading the knowledge and to assist in implementation of controls
(C) The cooperation in all activities will be subject to the constitution, relevant bylaws and policies of ITGAF and ISACA UAE Chapter
- ITGAF/FAD in the past has designed, developed and delivered customized training sessions on IT governance, information security, IS audits and preparation of the CISA examination since 2001.
- ITGAF has announced and is in the process of gathering and distributing case studies on successfully implemented IT governance initiatives within all Dubai Government establishments.
Roles of the Board of Directors
ITGAF has the following structure. Presently, the chairman, president and vice presidents constitute the board of directors.
Goals Achieved in enhancing IT Governance Practices
The risk of not having a framework toward the usage of technology has been addressed. The next endeavor is to work on expanding adoption and sustenance of practices.
The information systems audit/IT governance assessments drive and forge a learning enthusiasm towards COBIT. This creates the need for all auditees to develop and acquire skills and knowledge of COBIT resources. The training initiatives of ITGAF are positioned to fill the required resource gaps through trainings, workshops and conferences. The ITGAF Process Maturity Award gives the incentive to demonstrate a high level of process improvement. Thus, a full life-cycle process for continuous improvement has been set in place.
According to Mr. Yassir Amiri, Director General of the Financial Audit Department and Chairman of ITGAF:
“ITGAF is the next step to reiterate our commitment to assure information technology governance and encourage adopting leading practices for IT governance within government departments/organizations/companies. I hope these initiatives gain further momentum in the coming years, and we expand research and educational activities to lead the thinking and ultimately be in service to the community and region.”
According to Mr. Tariq Al Ghaith, Director of Information Systems Audit and President of ITGAF:
“Today, for most organizations, success in the achievement of business goals depends directly on the extent and capability of technology enablement. In such an environment, governance over technology usage is as critical as any other corporate governance function. Effective information technology governance helps ensure that it supports business goals, maximizes business investment in technology, and appropriately manages information technology-related opportunities and risks.”
The goals set for implementing the best practices suggested in COBIT within the Government of Dubai:
- Establish COBIT as the preferred framework of leading practices for the IT professionals within the Government Departments/Establishments.
- Develop CGEIT as the most preferred certification for eligible IT professionals within the Government Departments/Establishments.
- Further propagate the benefits of CISA certification within the Government Audit Community.
The adoption of COBIT by the Financial Audit Department, the Government Audit Department of Dubai, has driven the need by the auditee management for knowing, understanding and using COBIT resources within the IT and business community. In turn, this has led to the wide acceptance and practical adoption of best practices of COBIT among auditee entities within the Government of Dubai. Many of these organizations have adopted the COBIT framework, in principle, as a de facto standard.
Future plans focus on positioning ITGAF as a leading provider of educational programs on IT Governance within the Government Community across the MENA (Middle East and Northern Africa) region and propagate the benefits of COBIT as an ideal IT Governance framework.
In addition, ITGAF will adopt best efforts to contribute and work with ISACA’s local chapter on the next steps for sharing the benefits of ITGI/ISACA publications for promotion/propagation of IT governance best practices. A COBIT User-Convention among the Dubai Government Departments/Entities is under consideration, slated for 2010.
Case Study Disclaimer
This case study is intended for informational purposes only. The advice, opinion, statements, materials and other information expressed and contained in this case study are solely those of the authors and do not necessarily reflect the views, policies or opinions of ISACA or the IT Governance Institute (ITGI). ISACA/ITGI is not responsible for the accuracy, currency, completeness, reliability or usefulness of any advice, opinions, statements or content contained in the case study and makes no claim that use of the case study will assure a successful outcome.