COBIT and the CPA Firm, Part 2

Author: R. Curtis Thompson, CISA, CPA, CITP
Date Published: 23 February 2015

Last year, part 1 of this article outlined how CPA firm Yount, Hyde & Barbour was using COBIT to help build processes to allow its IT department to better serve the enterprise’s needs. While progress has been slow, the firm has seen improvements due to its implementation efforts.

A mid-sized regional accounting firm with 18 shareholders and 140 employees, the enterprise has 6 locations—1 recently relocated and a 7th location planned for inclusion in first quarter 2015. The staff is very mobile, with at least 20 people working remotely or at a client’s location at any given time. Given these conditions, there is a complexity to the IT function that is greater than the size of the organization would suggest.

The firm looked to use COBIT to organize the IT function using a framework to create efficiency and meet the needs and expectations of stakeholders. Using the 7 phases outlined in ISACA’s COBIT 5 Implementation, the firm began by identifying the drivers. The 3 major drivers identified were:

  • A general disconnect existed between IT and the needs of the professionals.
  • IT spending, while within budget, did not align with firm needs.
  • IT expectations and demands among the firm’s shareholders varied.

Based on the 7 phases of the implementation life cycle defined in COBIT (figure 1), the firm determined that while it was progressing with phase 2 (Where Are We Now?) and phase 3 (Where Do We Want to Be?), it continued to struggle with these. Further, the 3 drivers identified as the biggest issues are interrelated with the same issue: the IT department does not understand the needs of end users. This disconnect causes the IT department to spend resources in areas that do not address the real needs of users. The IT department feels a need to satisfy the leaders of the firm (the 18 shareholders), but sometimes at the expense of the needs of the firm as a whole.

Figure 1—The Seven Phases of the Implementation Life Cycle

Source: COBIT 5 Implementation, 2012

Figure 2 illustrates where the firm needs to be. It defines the segregation of governance and management and illustrates where most of the firm’s issues have been.

Figure 2—COBIT 5 Governance and Management Key Areas

Source: COBIT 5, 2012

This diagram illustrates that business needs should flow through the governance function so that the needs can be evaluated and passed on to the management side to plan, build and run. The problem the firm has is that business needs often flow directly from the management side and, therefore, begin at the build and run steps. With this scenario, resources are spent on the problems that management sees and little is done to evaluate whether these are the best places to spend the resources or to plan projects properly. Because the governance role is bypassed, projects are usually implemented inefficiently and, in too many cases, fail to meet expectations.

The firm performs IT audits for a large number of clients. Most of these clients are small (less than 500 employees) with limited IT staff and, generally, no one in a chief technology officer (CTO) type of role. The firm’s management determined that it should be a leader and use COBIT as the model to implement a governance and management structure, thus offering it and its clients an example of COBIT use. Small companies face the same risk management and governance concerns as larger companies.

The biggest challenge the firm faces is that it is a professional services company and, therefore, the leaders of the firm are also responsible for client services. The firm must fulfill the needs of its clients and, therefore, internal needs are sometimes not given the priority that they require. Due to the size of the organization, the firm has a single role, the technology principal, within the IT structure spanning both governance and management. This role is responsible for governance of the IT function, but when major projects are underway or numerous staff members are working remotely for clients, this role may be called upon to help with day-to-day tasks of the IT department. As an IT auditor with experience in network administration, the technology principal has the knowledge and background to step in when needed.

These issues made the firm step back and ask the question: Can COBIT really be of any value in developing the processes needed in a small company?

The answer it found is simply that COBIT is a valuable tool that should be used with the understanding that it will take some scaling. The firm’s COBIT implementation will not be the end goal, but rather the paradigm through which it will develop and evaluate the firm’s processes.

To illustrate this, one process (BAI01) can be used as an example. BAI01 Manage programs and projects is described as, “Manage all programs and projects from the investment portfolio in alignment with enterprise strategy and in a coordinated way. Initiate, plan, control and execute programs and projects, and close with a post-implementation review.”

One of the issues the firm needs to address is managing projects so that they meet the end users’ needs.

The first consideration is: Who will be responsible for this? The Responsible, Accountable, Consulted and Informed (RACI) chart lists 26 roles to which the practice can be assigned. Obviously, not every company has all of these titles, and in small companies, even fewer of these specific titles exist.

The firm has employees with responsibility for significant roles similar to most of these positions, but their time is shared with other responsibilities, including client services. So, this is the first modification to the COBIT implementation process for the firm. Responsibility and accountability are assigned, and those who should be consulted or informed are determined. The firm broke down the roles as board member, firm administrator, human resources, IT principal and IT manager.

Because this is an accounting firm, staff members are very comfortable using metrics. However, the metrics suggested in COBIT 5 and its related products did not fit the firm’s size. The IT-related goal of Alignment of IT and business strategy shows a related metric as the percent of enterprise strategic goals and requirements supported by IT strategic goals. The leaders of the firm are also the owners of the firm (shareholders/principals). They work together to develop strategic goals. Therefore, the IT strategic goals are developed at the same time as the goals for the firm as a whole. A good substitute metric for the firm would be the number of projects started that align with the strategic goals.

One of the biggest challenges in an IT project is BAI01.03 Manage stakeholder engagement. When stakeholders have client responsibilities and fiscal metrics to achieve, maintaining engagement is difficult. In a smaller organization, identifying stakeholders is a relatively easy task. Keeping them engaged is much more difficult. Communication is critical, but other responsibilities interrupt timely discussions and decisions. In the end, there are 18 shareholders, all with varying expectations and levels of involvement. However, they all must be comfortable with the results.

While these issues exist in companies of all sizes, the lack of human capital in a small company is more evident when trying to establish controls, processes and plans as they are described in the COBIT documentation.

Where Are We Now?

A fair analysis of the firm’s progress would be to say it continues to work through phase 2 to phase 3 of implementation. The COBIT process has addressed several of the concerns that drove the firm to begin this project. The firm has implemented strategies that allow better communication between the end users and the IT department, better aligning IT staff’s efforts with the needs of the organization. The firm’s strategic goals are becoming more defined and correlation to IT strategies is more evident. While the segregation of governance and management continues to overlap due to the firm’s size, there is recognition of the processes being uniquely different.

What the firm has accomplished has been to identify the key processes within departments, and it is currently working on assessing risk so that IT processes better support these processes and align resources based on this risk assessment. Most important, the firm has opened dialogue to better integrate IT in the business.

While the firm still has continued implementation of COBIT as a goal, it will never be able to say the COBIT processes are fully implemented. However, it is certain that the firm has made great improvements to its processes by using COBIT as a framework. Implementation of COBIT is the destination, but whether the firm arrives is irrelevant. Great improvements have occurred because of the journey.

The firm has put into place more definable processes and has aligned processes with the business goals. Through discussions to develop where it wants to go, IT has a better understanding of the business goals and, more important, the shareholders and staff better understand that IT can better serve them when they communicate their goals. Through the use of COBIT 5, IT has become less of a silo and more integrated and pervasive in the business.

When one has a goal in mind, it is critical not to ignore the accomplishments along the way. In this case, the firm has been looking to build better IT systems and processes to improve the company as a whole. It is accomplishing this, and in addition, the firm has succeeded in focusing the IT department on alignment with the goals of others and the staff is more aware of how important it is to communicate with IT.

R. Curtis Thompson, CISA, CPA, CITP, is a shareholder at Yount, Hyde & Barbour, PC, a regional CPA firm. His practice is focused on technology and internal controls services for various industries with a concentration in financial institutions.