Are you managing IT risks and controls for better performance?
The IT Compliance Management decision area consolidates information from different compliance initiatives. It commonly requires three sources of information:
- Compliance program management software, such as that used for Sarbanes-Oxley. This allows IT to ensure that compliance tasks take place and meet program milestones.
- Information from the controls themselves. Of the 34 IT processes across four domains used in COBIT, a subset is required for Sarbanes-Oxley, notably around security and access controls, change and release management, and incident and problem management. These controls involve reviewing large volumes of data and flagging exceptions to established procedures.
- Metadata. Companies' internal controls are still mostly manual. About two-thirds are "detective" controls, which find a non-compliant transaction only after it has occurred, versus the more reliable "preventive" ones, which stop it before it executes. Detective controls mean reviewing transaction records in both detailed and summary form, so you need a clear audit trail linking each record to the source of the information and to the definitions and business rules that apply to it. Monitoring and analyzing which metadata governs which reports, and who has access to that metadata, creates a more reliable control environment.
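The distinction between detective and preventive controls, and the audit-trail link from each flagged exception back to the business rule that flagged it, is easier to see in working code. The following is an added example written for this page; it is not code from the original page or from any compliance product it describes. The role entitlements, rule ids (R1 to R3), event fields and the sample log are all constructed for illustration.

```python
"""Preventive vs. detective access controls over a constructed transaction log.

Added example; entitlements, rules, event layout and sample data are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed entitlements: which actions each role may perform.
ENTITLEMENTS = {
    "AP_CLERK":   {"invoice.create", "invoice.view"},
    "AP_MANAGER": {"invoice.create", "invoice.view", "invoice.approve", "payment.release"},
    "DBA":        {"prod.schema_change"},
}

# Assumed business rules. Each has a stable id so that every exception can be
# traced back to the definition that produced it (the audit-trail link).
RULES = {
    "R1": "role not entitled to perform this action",
    "R2": "segregation of duties: creator may not approve own invoice",
    "R3": "production change without an approved change ticket",
}


@dataclass(frozen=True)
class Event:
    event_id: str
    user: str
    role: str
    action: str
    target: str
    ticket: str = ""   # change-ticket reference, only meaningful for prod changes


@dataclass(frozen=True)
class Finding:
    event_id: str      # which transaction record
    rule_id: str       # which business rule flagged it
    detail: str


def evaluate(ev, creators):
    """Apply the rules to one event. `creators` maps invoice id -> creating user,
    the state needed for the segregation-of-duties rule. Returns the id of the
    first violated rule, or None. Shared by both control types."""
    if ev.action not in ENTITLEMENTS.get(ev.role, set()):
        return "R1"
    if ev.action == "invoice.approve" and creators.get(ev.target) == ev.user:
        return "R2"
    if ev.action == "prod.schema_change" and not ev.ticket.startswith("CHG-"):
        return "R3"
    return None


def remember(ev, creators):
    """Advance the state the rules depend on once an action has executed."""
    if ev.action == "invoice.create":
        creators[ev.target] = ev.user


def preventive_gate(events):
    """Preventive control: each event is checked before it executes. A violation
    is rejected and never reaches the transaction log."""
    creators, executed, rejected = {}, [], []
    for ev in events:
        rule = evaluate(ev, creators)
        if rule:
            rejected.append(Finding(ev.event_id, rule, RULES[rule]))
            continue
        remember(ev, creators)
        executed.append(ev)
    return executed, rejected


def detective_review(log):
    """Detective control: the same rules replayed over a log of transactions that
    have already happened. Violations are flagged, not stopped, so the state
    advances even for a violating event."""
    creators, findings = {}, []
    for ev in log:
        rule = evaluate(ev, creators)
        if rule:
            findings.append(Finding(ev.event_id, rule, RULES[rule]))
        remember(ev, creators)
    return findings


def summarize(findings):
    """Summary form of the review: number of exceptions per rule."""
    return dict(Counter(f.rule_id for f in findings))


# Constructed sample log, not real data.
SAMPLE_LOG = [
    Event("e1", "alice", "AP_CLERK",   "invoice.create",     "INV-100"),
    Event("e2", "bob",   "AP_MANAGER", "invoice.approve",    "INV-100"),
    Event("e3", "alice", "AP_CLERK",   "payment.release",    "INV-100"),  # R1
    Event("e4", "bob",   "AP_MANAGER", "invoice.create",     "INV-101"),
    Event("e5", "bob",   "AP_MANAGER", "invoice.approve",    "INV-101"),  # R2
    Event("e6", "dave",  "DBA",        "prod.schema_change", "GL_DB"),    # R3
    Event("e7", "dave",  "DBA",        "prod.schema_change", "GL_DB", ticket="CHG-4471"),
]

if __name__ == "__main__":
    for f in detective_review(SAMPLE_LOG):
        print(f"{f.event_id}: {f.rule_id} ({f.detail})")
    print(summarize(detective_review(SAMPLE_LOG)))
    executed, rejected = preventive_gate(SAMPLE_LOG)
    print("executed:", [e.event_id for e in executed], "rejected:", [f.event_id for f in rejected])
```

Both controls share the same rule definitions, which is what keeps the exception report consistent with the control it came from. The difference is timing: the detective review produces three findings over the sample log, while the preventive gate rejects the same three events before they execute, so a detective review of the gated log finds nothing. That is the sense in which a preventive control is more reliable, and why the count of exceptions is only a meaningful metric when each one carries the rule id that produced it.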
To help with this analysis, the IT Compliance Management decision area lets you set planning goals and scorecarding metrics for performance management elements such as:
- Compliance completion (%).
- Compliance costs ($).
- Material deficiencies (#).
- Regulatory compliance (%).
- Controls & exceptions (#).
- External audit fees & outsourced internal audit costs ($).
With a performance management system in this decision area, you can analyze these goals and metrics by a number of dimensions, including:
- Application software type.
- Infrastructure environment.
- Control owner & frequency.
- Financial account.
- IT control processes (COBIT).
- Transaction status.
Using the IT Compliance Management decision area
As an IT professional, the IT Compliance Management decision area lets you ask questions such as:
- Controls: Are we decreasing the number of manual controls for a particular application, or are they growing and increasing the demand for resources?
- Compliance completion: Is there a consistent trend by control owner for meeting compliance demands?
- External audit fees: Do we see an increase in external fees for a particular account when we decrease our internal resource commitment? What is the total cost?
