SHIFTING TO THE CLOUD: UNDERSTANDING IT INVESTMENT MANAGEMENT BEYOND YOUR DATA CENTER WALLS
KATHERINE FORE
JENNIFER MCGILL
CAROLINAS HEALTHCARE SYSTEM
AHIA 35th Annual Conference – September 11-14, 2016
www.ahia.org
75 Years of Caring, 1940 - 2015
Agenda
Learning Objectives
Background on IT Governance and IT Investment Management
Investment Management Lifecycle
Emerging IT Investment Shift to Cloud
Changing Roles and Responsibilities in the Cloud Era
Risks and Control Objectives
Audit and Assessment Techniques
Questions
Learning Objectives
Discuss the principles of IT investment management (ITIM)
Share audit strategy for evaluating the planning, funding, maintenance, and replacement of IT investments over their full economic lifecycle
Compare in-house and cloud-hosted information services solutions, and discuss emerging investment considerations
Describe emerging risks related to changing roles and responsibilities for in-house IT personnel
IT Governance
IIA Standard 2110: Governance states, “the internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.”
Many internal audit departments report that they have not yet performed an IT governance assessment.
Why is it important?
According to Protiviti’s 2015 IT Priorities Survey, 60% of organizations are undergoing a major IT transformation
For 54% of organizations, the duration of IT transformation is expected to be one year or longer
Auditors need to understand how these changes influence the ongoing effectiveness of overall IT entity-level controls and IT process-level controls
Source: “A Global Look at IT Audit Best Practices”, ISACA and Protiviti, 2015.
The Bottom Line
Organizations with superior IT governance have 25% higher profits than those with poor IT governance, given the same strategic objectives.
Source: “IT Governance: How Top Performers Manage IT Decision Rights for Superior Results”, Peter Weill and Jeanne Ross, 2004.
IT Governance Overview
Source: ISACA Knowledge Center, “COBIT Overview”, http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
Connection Points
Typical Challenges in Creating Value Delivery
Problems delivering technical capabilities
Limited or no understanding of IT expenditures
Business abdication of decision making to the IT function
Communication gaps between the IT function and the business
Questioning of the value of IT
Major investment failure
Source: “Enterprise Value: Governance of IT Investments, Getting Started With Value Management”, IT Governance Institute, 2008.
Value Delivery = IT Investment Management
IT Investment Management helps to make sure that:
IT is aligned with the business
IT enables the business and maximizes benefits
IT resources are used responsibly
IT risks are managed appropriately
http://www.isaca.org/Knowledge-Center/Val-IT-IT-Value-Delivery-/
IT Investment Management Overview
IT-enabled investments will:
Be managed as a portfolio of investments
Include the full scope of activities required to achieve business value
Be managed through their full economic life cycle
Value delivery practices will:
Recognize there are different categories of investments that will be evaluated and managed differently
Define and monitor key metrics and respond quickly to any changes or deviations
Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits
Be continually monitored, evaluated and improved
Source: ISACA, “Val IT Overview”, http://www.isaca.org/knowledge-center/val-it-it-value-delivery-
IT Value Chain
Source: “COBIT 5 Processes From a Systems Management Perspective”, Myles Suer, Chane Cullens and Don Brancato, 2014.
A number of operational processes work together to enable IT value delivery.
Understanding your organization’s capabilities in these areas helps to pinpoint where to begin with your audit.
Which of these risks apply in your organization?
Inexperienced or unqualified IT staff
Limited physical space for IT equipment
Inadequate understanding of the process or function requiring an IT solution
Limited capital for IT investment
Undocumented IT portfolio
Acquisition of solutions incompatible with technical environment
IT investments not aligned with organizational goals and objectives
Vendor Management Lifecycle
Source: ISACA, “Vendor Management Using COBIT 5”, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Vendor-Management-Using-COBIT5.aspx
Vendor Management Definitions
Vendor Management: The strategic process that is dedicated to management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized.
Vendor Management Due Diligence: Third-party vendor due diligence is a process used to make an informed business decision concerning the selection of the appropriate vendor. Due diligence is the gathering and analysis of detailed information about possible vendors. As with all business decisions, there are some risks that cannot be eliminated but can be managed. The purpose of due diligence is to help choose the best third-party vendor relationship given the risks and abilities or services available, and then to negotiate, contract, implement, and monitor to mitigate any residual risks.
Source: Credit Union National Association, “Third Party Vendor Management Guide”, http://www.cuna.org/Stay-Informed/CUNA-Initiatives/CUNA-Due-Diligence-Task-Force/
Source: ISACA, “Vendor Management Using COBIT 5”, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Vendor-Management-Using-COBIT5.aspx
Vendor Management Ownership
Source: ISACA, “Vendor Management Using COBIT 5”, page 9, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Vendor-Management-Using-COBIT5.aspx
Establishing and managing vendor relations is not solely the responsibility of IT or the business process owners. The vendor management process involves many stakeholder functions within the enterprise, for example:
The legal function validates contracts
The compliance, legal and audit functions are consulted during the review of service agreements
The enterprise risk function analyzes vendor-related risk
The board approves budgets
The procurement function ensures that vendor management activities are integrated into the overall selection and management process
Emerging IT Investment Shift to Cloud
The term "moving to the cloud" refers to an organization moving away from a traditional capital expenditure model (buy dedicated hardware and depreciate it over a period of time) to an operating expense model (use a shared cloud infrastructure and pay as we use it).
Cloud computing means that the computer hardware and software we use is provided for us as a service by another company and is accessed over the Internet, rather than sitting on our desktops or somewhere inside our network.
Strong vendor due diligence practices are critical to protecting the organization’s interests in this type of arrangement.
What is “The Cloud?”
Source: http://www.inthecloudtechnology.com/cloud-usage/
Most Common Types of Cloud Solutions
Source: https://www.quora.com/What-are-basic-differences-between-IaaS-PaaS-and-SaaS
Current Cloud Trend
Changing Roles and Responsibilities in the Cloud Era: It’s Not You, It’s Me
Source: https://www.ironsidegroup.com/2015/06/03/driving-analytics-saas-paas-and-iaas-with-managed-services-the-difference-that-experts-make/
Translation to Cloud Responsibilities:
Source: https://www.ironsidegroup.com/2015/06/03/driving-analytics-saas-paas-and-iaas-with-managed-services-the-difference-that-experts-make/
Cloud Security: The Handshake
Shared Responsibility
• Facilities
• Physical Infrastructure
• Network Infrastructure
• Virtualization Layer
• Operating System
• Application
• Data
Seven Best Practices for Cloud Security
Keep in mind, you are responsible for your data no matter where the lines of responsibility are drawn
Secure your code
Develop strong access management policies & processes
Strengthen your patch management process
Adopt a consistent monitoring process
Incorporate your security toolkit (anti-malware, IPS/IDS, encryption, etc.)
Stay informed / be ready to react to new vulnerabilities
Have full understanding of your cloud provider’s security model
The big picture at CHS
The “lay of the land” as we started our work:
An IT Steering Committee was the governance group with responsibility for oversight of IT investments
Large budget projects (greater than $1 million) required approval by the Board
Significant oversight existed for large budget projects
IS was able to account for 90%+ of systems and solutions in the portfolio
CIO announced strategy to get out of data center business and move most solutions to the Cloud
Accounting for IT projects happened in IT, not Finance
CHS had three capital project approval bodies for different types of activities
IT capital spending was second only to new construction projects
Risks and Control Objectives
ITIM Step: Business Case Development
Control Objectives:
• Requirements for business case established (Needs Assessment)
• Alignment of investment with corporate strategy is defined
• Relevant financial analysis including hard & soft costs
• Request for proposals conducted
• Responsible personnel identified (owner, ongoing support, etc.)
• Review & approval by appropriate leadership obtained
Participants: Business Unit, Information Services, IT Committees
Risks: Business cases may not consider all significant information, resulting in budget overruns or approval of projects that do not meet needs of business

ITIM Step: Measurement of IT Investments
Control Objectives:
• IT investment measurement criteria defined
• Leadership is monitoring & documenting:
▫ Realization of business case
▫ Budget vs. actual costs (hard & soft costs)
▫ Project timeline
▫ Overall operating costs
Participants: Business Unit, Information Services
Risks: Issues impacting the successful delivery of IT solutions may go unrecognized or may not be addressed timely

ITIM Step: Portfolio Management
Control Objectives:
• Requirements for portfolio management defined
• Comprehensive inventory of IT investments is maintained
• Investments are categorized according to strategic alignment
• Strategic planning for ongoing support & future investments exists
• Method for prioritization of investments exists
• Corporate leadership / Board oversight of IT value delivery is evident
Participants: Information Services, CHS Leadership
Risks: IS may not be able to present an accurate picture of the IT portfolio, potentially impacting leadership decision making about staffing, budget, etc.
Testing Approach – Business Case Development
Obtain access to the minutes from the prior 12 months of IT Steering Committee meetings
Select a sample of Business Line Leaders who have presented projects for review
Interview the Leaders to understand the process that they followed
Review project documentation to determine if needs assessment was conducted
Interview IT personnel assigned to the project to understand the process that they followed
Determine if regulatory and information security requirements were defined and addressed
Interview the Business Line Leaders to understand the process that they followed to make the final selection
Review project documentation to determine if the selection was reviewed and approved by authorized leaders or committees
What is a Needs Assessment?
Method for defining the gap between the current situation and the desired future state
Involves communication between the people who use an existing system that will be replaced (or a new system that will automate a manual process) and the people who will help find the system that best meets their needs
Establishes a basis for evaluating competing products and vendors
Provides a foundation for estimating the resources needed to achieve the desired future state
What is a Request for Proposal?
A request for proposal (RFP) is a document that an organization posts to elicit bids from potential vendors for a desired IT solution. The RFP specifies what the customer is looking for and establishes evaluation criteria for assessing proposals.
Generally includes:
Background on the issuing organization and its lines of business
A set of specifications that describe the sought-after solution (including regulatory constraints and information security requirements)
Evaluation criteria that disclose how proposals will be graded
May also include a statement of work, which describes the tasks to be performed by the winning bidder and a timeline for providing deliverables.
Source: Posted by Margaret Rouse on WhatIs.com, Re-posted to http://searchitchannel.techtarget.com/definition/request-for-proposal
How is Vendor Analysis performed?
Start with the decision makers – How do they digest the information provided by the vendors?
See what was documented – What information did they use to make their decisions?
Identify the focus of the exercise – Is the emphasis on who they are doing business with, or what they are planning to buy?
Find out if they are leveraging in-house expertise – Is IT Security reviewing responses to security questions? Will the solution meet IT standards and architectural requirements? Has Compliance screened for conflict of interest?
Determine what type of risk/control-related information has been provided – SSAE16, SOC 2, or similar third-party audit report
Testing Approach – Measurement of IT Investments
Obtain documentation that provides guidance to project owners regarding expectations to measure IT investments through the lifecycle of the investment. The guidance should define the measurement criteria and tracking expectations.
Review a sample of implemented projects to determine if IT investment measurements are being monitored and tracked throughout the lifecycle of an investment.
Expected measurements include:
Realization of business case
Budget vs. actual costs (hard & soft costs)
Project timeline
Overall operating costs
Testing Approach – Portfolio Management
Obtain documentation that provides guidance regarding expectations to measure IT investments as a portfolio of investments
Obtain the list of IT investments to determine if a comprehensive inventory is being maintained
Review a sample of implemented projects to determine if IT investments (future, present, and retired) are being measured by management
Expected measurements include:
Investments are meeting corporate strategic goals and target investment mix
Strategic planning includes ongoing support for current and future investments (resource planning)
Investments are prioritized based on corporate strategic goals and business readiness needs
Corporate leadership/Board involvement is evident
Our Results
Identified need for comprehensive, documented process
All parties involved followed a process, but it differed from one project team to the next
None of the Business Line Leaders were familiar with the process
Documentation was inconsistent, project names shifted from start to finish, IT personnel handed projects off from phase to phase
IT personnel did not assert subject matter leadership to guide Business Line Leaders to make selections inclusive of IT strategy as well as business strategy
Found a loophole in a fundamental organizational policy
If responsibility for all IT vendor relationships and IT solution management resides with IT, make sure the policy states it explicitly
Common Results
RFP process not consistently followed
No due diligence for new solutions being sought from an existing vendor relationship
One-time-only approach to due diligence so that once the vendor is “in the door” they are never evaluated again
IT personnel receive information from vendor and “check it off” but don’t actually review it
Business leaders go outside the process to procure systems and services without input from IT
IT projects are not aligned with company goals, so they fail to support highest priority activities
How to Get Started
Do decisions about IT investments happen outside of IT? Find out if your organization has an IT Steering Committee or similar governance function for project approval and funding
Is there a shift to the Cloud?
Talk with your IT organization to find out about the computing environment and what services/solutions are in use.
Note: Many organizations have a hard time accounting for all of their solutions.
Which situations are relevant?
Preparing for a major system implementation or replacement?
Experienced a lot of IT leadership turnover?
Has the Board asked for information about how IT is performing?
Is there aging equipment and limited funds to address the problem?
Is responsibility for IT systems selection managed outside of IT?
Have there been any failed implementations?
Choose an approach that can move the needle
Incremental progress will help the organization improve its governance posture
If the risk justifies a more expedited approach, consider bringing in outside help to get the work done
Questions?
Save the Date
August 27-30, 2017
36th AHIA Annual Conference