Page 92 - CITP Review
Exhibit 3-3 — Control environment aspects of COBIT and COSO

COBIT – Plan and Organize                               COSO – Control Environment
PO1  – Define IT strategic plan                         Integrity and ethical values
PO2  – Define information architecture                  Board of directors
PO3  – Determine technological direction                Management's philosophy and operating style
PO4  – Define IT organization/relationships             Organizational structure
PO5  – Manage IT investment                             Financial reporting competencies
PO6  – Communicate management goals and direction       Authority and responsibility
PO7  – Manage human resources                           Human resources (of IT function)
PO8  – Ensure compliance with external requirements
PO9  – Assess risks
PO10 – Manage projects
PO11 – Manage quality


For instance, Walmart has a high-tech strategic approach to the supply chain, which it refers to
as quick response. It involves bar coding, data mining, just-in-time (JIT) inventory, electronic data
interchange (EDI), and other technologies.

Walmart also maintains a strong control environment built on the principles described here; therefore, when
a business unit manager asks for new IT or updates to existing IT, the business case must show
how the project will enhance Walmart's ability to run an effective and, especially, efficient supply
chain — its unique financial and strategic advantage in the market — in order to obtain
capital funds for the IT project.

Controls would need to be in place to make sure these objectives are being met.
One such control would be a body that reports to the board of directors (BoD) on a regular basis about the
IT function as it relates to strategic planning. That body could be a subcommittee of the BoD, a cross-functional IT
steering committee, or some other form. It would manage the capital budget funds, award
IT projects, prioritize IT projects, oversee major IT projects, and, in general, make sure that the IT
function is satisfying the entity's needs related to the strategic use of IT.




IT governance principles

The principles of IT governance cover strategy and planning, value delivery management, resource
management, risk management, and performance management.

Strategy and planning

Executive management's planning role includes the IT function. Whether it takes the form of several documents or a
single composite strategic plan, the outcome should be a document or set of documents that defines the
IT function.



            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-8