Applying IT Governance at Home: Oversight of a Computer Acquisition
Published by Ricardo Castro [ricardocastro] on 25/1/2006 (4678 reads)
By Lynn Lawton, CISA, BA, FCA, FIIA, PIIA
The following is a description of the IT governance processes the ISACA Board of Directors has applied to the acquisition of the new International Headquarters computer system.
It was March 2000 when the topic first came up. Toward the end of a long, hard meeting of the ISACA Board of Directors, there it was on the agenda: "Recap of HQ Y2K status and HQ computer system."
It was a brief item: a verbal report to the effect that ISACA had weathered 1 January 2000 with no incidents and that, having passed that milestone, the current system was nearing the end of its useful life. It was becoming increasingly expensive to maintain and was unable to provide effective support for the many and varied activities that ISACA had taken on since the system was first acquired seven years earlier.
The board agreed. After all, many were the times when the board's requests for different views of financial information from International Headquarters had been met with a look of dread and a sigh. Although our requests always were satisfied eventually, no one would claim that the information to manage our business was available at the push of a button. International Headquarters staff volunteered to evaluate alternatives, and the board requested an update at the next meeting.
Figure 1

We received verbal updates at the next two board meetings, in July and October 2000, as the ISACA staff set about defining their requirements and meeting with potential suppliers. The next meeting was in February 2001, and once more "Computer System Update" was on the agenda. Again, we received a brief verbal report. However, this time it had a number attached to it: US $500,000. We became excited. We asked questions (see figure 1). We challenged assumptions. We resisted the notion that we should leave it all to International Headquarters staff. And we set up a task force to exercise IT governance over this project.
Our first job was to create the task force's objectives and agree on them with the International President. This proved fairly easy. Turning to the IT Governance Institute's publication Board Briefing on IT Governance, we identified the IT governance objectives that we wanted to achieve from page 10. Scrutiny of the IT processes for Acquiring and Implementing systems in Control Objectives for Information and related Technology (COBIT®) helped us scope the terms of reference by listing the IT processes involved. A review of the control objectives from the same source enabled us to articulate our approach and list some of the documents we thought we would want to see in the course of carrying out our duties. Finally, the hard work--a paragraph we had to make up all on our own! This set out the respective management and reporting responsibilities of the task force and the International Headquarters staff. The complete set of terms of reference (see appendix 1) was agreed upon by the International President and staff, and we were off.
Our starting point was the business case. This was described to the board as "a no-brainer." A more accurate description would have been an undocumented set of assumptions and an incomplete estimate of costs. By August, staff had transformed this situation into an excellent business case document setting out what we wanted to do, why, how, when and what we expected it to cost (see appendix 2 for a table of contents and brief description of the project). The estimated costs by now included all of the additional changes (hardware, infrastructure, etc.) that would be required for the selected system to perform effectively (see figure 2), plus a 7 percent contingency. The total had risen from the original estimate, but the new figure was supported not only by a detailed breakdown, but also by benchmarking against other, similar organisations and ISACA's purchase of its current system seven years ago.
This comprehensive material was presented to the board, together with a motion recommending approval of the project, tied to the budget, delivery date and staff resource required to achieve successful implementation of the selected system. The motion was passed in a telephone conference call in September 2001.
In parallel with the creation of the business case, staff members were working hard to evaluate potential systems. They followed ISACA's own best practices, creating detailed specifications, involving the system users, organising software demonstrations, visiting reference sites and carrying out due diligence on potential suppliers as well as obtaining detailed cost estimates to support the budget. The task force's involvement in this was minimal--we are not experts on what the system should do, only on how it should be selected. Therefore we received reports on the process being carried out and reviewed evidence of these, for example, the specifications.
Once the project was approved by the board, the next stage was to negotiate contracts with the suppliers selected. None of the International Headquarters staff or task force members are lawyers, and after going through the arduous process of ploughing through all of the small print in the contracts, I for one am very glad I am not. To make up for this lack of expertise, ISACA called on its legal counsel to undertake the drafting, reviewing and redrafting. Of course, our suppliers also had a similar operation in progress. At times staff had some hard negotiating to do to ensure that the suppliers' contractual obligations would meet our needs. However, by the board meeting in November 2001, we were able to report that the contracts were signed, the software suppliers were on site running design workshops and the hardware and infrastructure upgrades and additions were in progress.
In a membership organisation it is important that we, as a board, are accountable to the members for the way in which we spend the association's funds. The task force has therefore been careful to ensure that the project team developed a communication plan, and that communications have been issued to members and chapters in accordance with that plan. In this way, everyone is kept up-to-date with progress, and with how it affects them as members and as chapter board members.
The first implementation milestone was the end of December 2001 for the accounting software. This milestone was met, with a lot of hard work from the project and accounting staff. The task force had a conference call midway through testing to monitor progress, and another at the time of the go-live decision. Naturally, there were some issues, but none that were critical to live operation of basic functionality. As accounting staff are always busy with the year-end accounts for the first three months of the year, and these were on the old system, this was considered acceptable. Full use of the new functionality would, in any case, have had to wait until April, and plans were in place to have the delayed modules in place and tested by then. To date those plans are being met.
In June 2002, the first phase of the operational system went live. The task force has convened by conference call on a monthly basis to review progress. We now work through a standard agenda (see appendix 3) to ensure that we cover everything pertinent to this phase of the project. We reported to the board again in March 2002, pleased to be under budget to date, and with phase 1 of the project successfully live. Naturally, there also were some risks and issues on the table, together with International Headquarters' approach to managing them. The task force has a schedule of future calls, linked to key milestones in the project, and was able to report just as positively at the board meeting in July 2002.
Although the task force's oversight of this project has entailed a great deal of time and effort, it has been necessary to ensure that ISACA applies the good practices of IT governance it espouses through the IT Governance Institute. Perhaps the best illustration of the rigour of our governance process is a question raised by a board member at our latest meeting. He asked, "What do our suppliers think of our governance process for this project?" Paraphrasing the supplier comments quoted by staff, it seems clear they have found it more demanding than most!