Information Technology Governance

Information Technology Governance
September 2013

The University of Texas at Austin
Office of Internal Audits
UTA 2.302
(512) 471-7117

The University of Texas at Austin
Internal Audit Committee

Mr. Frank W. Maresh, CPA, Chair, External Member
Mr. William O’Hara, External Member
Mr. Tom Carter, External Member
Ms. Lynn Utter, External Member
Mr. William C. Powers Jr., President
Dr. Steven W. Leslie, Executive Vice President and Provost
Mr. Kevin P. Hegarty, Vice President and Chief Financial Officer
Dr. Patricia L. Clubb, Vice President for University Operations
Ms. Patricia C. Ohlendorf, Vice President for Legal Affairs
Dr. Juan M. Sanchez, Vice President for Research
Dr. Gage E. Paine, Vice President for Student Affairs
Dr. Charles A. Roeckle, Deputy to the President
Ms. Mary E. Knight, CPA, Associate Vice President
Mr. Paul Liebman, Chief Compliance Officer, University Compliance Services
Mr. Cameron D. Beasley, University Information Security Officer
Mr. Michael W. Vandervort, Director, Office of Internal Audits
Mr. J. Michael Peppers, Chief Audit Executive, The University of Texas System

The University of Texas at Austin
Office of Internal Audits

Director: Michael Vandervort, CPA
Assistant Directors: Angela McCarter, CIA, CRMA*; Chris Taylor, CIA, CISA
Auditor III: Ashley Foster, CPA; Brenda Guerrero
Auditor II: Cameosha Jones; Miranda Pruett; Derek Stuart
Auditor I: Cynthia Martin-Hajmasy
Sr. IT Auditor: Tod Maxwell, CISA, CISSP*
IT Auditor: Brandon Morales, CISA, CGAP

* denotes project members

This report has been distributed to Internal Audit Committee members, the Legislative Budget Board, the State Auditor’s Office, the Sunset Advisory Commission, the Governor’s Office of Budget and Planning, and The University of Texas System Audit Office for distribution to the Audit, Compliance, and Management Review Committee of the Board of Regents.

IT Governance
Project Number: 774.11

TABLE OF CONTENTS

Executive Summary ..................... 1
Background ............................ 2
Scope, Objectives, and Procedures ..... 3
Audit Results ......................... 4
Conclusion ............................ 6

EXECUTIVE SUMMARY

In October 2008, the Strategic Information Technology Advisory Committee (SITAC) was formed to identify and address the core Information Technology (IT) issues facing The University of Texas at Austin (UT Austin). Composed of key leaders and stakeholders, SITAC was responsible for developing and delivering a unified vision for IT campus-wide.

SITAC focused on IT issues and priorities that the campus community identified as vital to the mission and purpose of UT Austin. The first of these initiatives centered on the creation of an IT Governance framework that would provide the strategic, operational, and technical decision-making process necessary to enable UT Austin to excel in its IT mission.

The scope of the audit included current information technology controls related to UT Austin’s IT Governance framework. The audit objective was to determine if IT Governance supports UT Austin’s operational strategies and objectives.

Based on a review of policies and procedures, interviews with relevant staff, a review of applicable documentation, and a review of survey results, the Office of Internal Audits concludes that UT Austin’s IT Governance framework supports UT Austin’s operational strategies and objectives; however, four suggested enhancements were noted.

This audit was performed at the request of The University of Texas System Administration.

Page 1

BACKGROUND

This audit was performed at the request of The University of Texas System Administration.

Information Technology (IT) Governance is the establishment of structures, principles, and practices that foster the alignment of IT initiatives with the purposes and objectives of the enterprise. A productive IT Governance framework demonstrates that an organization can articulate its strategic plan and demonstrate the plan’s effectiveness relating to value delivery, resource and risk management, and performance measurement of IT resources.

In October 2008, the Strategic Information Technology Advisory Committee (SITAC) was formed to identify and address the core IT issues facing The University of Texas at Austin (UT Austin). Composed of key leaders and stakeholders, SITAC was responsible for developing and delivering a unified vision for IT campus-wide.

SITAC focused on IT issues and priorities that the campus community identified as vital to the mission and purpose of UT Austin. The first of these initiatives centered on the creation of an IT Governance framework that would provide the strategic, operational, and technical decision-making process necessary to enable UT Austin to excel in its IT mission.

UT Austin’s IT Governance Framework

Fully implemented in January of 2010, UT Austin’s IT Governance framework comprises six distinct committees. The following diagram illustrates the IT Governance committee framework at UT Austin.¹

Each committee is composed of a flexible combination of permanent and term members. Permanent members hold critical academic or administrative related positions while term members are chosen from a wide range of colleges, schools, or units (CSU) to promote even distribution across multiple disciplines. In some cases, an individual may be appointed to more than one committee.

At the request of the Chief Information Officer’s office, term members typically serve either one- or two-year appointments, facilitating a staggered membership that allows for committee continuity. Faculty and staff may request membership to specific committees based on their CSU and/or job duties; however, all nominations must be approved by the president’s office.

¹ How IT Governance works - http://www.utexas.edu/cio/itgovernance/

IT Governance

The University of Texas System does not have a specific policy relating to IT Governance. A number of industry-supported frameworks exist that can be used as a model. One of the most popular frameworks is ISACA’s Control Objectives for Information and Related Technology (COBIT).

ISACA is an independent, nonprofit, and global association that provides practical guidance, benchmarks and other effective tools for all enterprises that use information systems. Through its comprehensive guidance and services, ISACA defines the roles of information systems governance, security, and audit professionals worldwide.

In 1996, ISACA released the first version of the COBIT framework. COBIT encompasses several domains within the framework including process descriptions, control objectives, management guidelines, and maturity models.

According to ISACA’s web site², “COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.”

SCOPE, OBJECTIVES, AND PROCEDURES

The scope of the audit included current information technology controls related to UT Austin’s IT Governance framework. The audit objective was to determine if IT Governance supports UT Austin’s operational strategies and objectives.

To achieve this objective, the Office of Internal Audits (Internal Audits) staff:
- Reviewed related policies, procedures, and processes;
- Reviewed the meeting agendas and minutes for the IT Governance Committees;
- Interviewed Information Technology Services staff; and
- Surveyed IT Governance Committee members.

² ISACA COBIT – http://www.isaca.org/cobit/pages/default.aspx

For internal controls criteria, we used COBIT 4.1 – Section 4: Monitor and Evaluate the IT Governance Framework.

This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and with Government Auditing Standards.

AUDIT RESULTS

SITAC has created the foundation for effective IT Governance that aligns with UT Austin’s operational strategies and objectives. In addition, there appear to be reasonable controls over all processes found within section 4.1 of COBIT:
- Establishment of an IT Governance Framework
- Strategic Alignment
- Value Delivery
- Resource Management
- Risk Management
- Performance Measurement

IT Governance Survey Results

Internal Audits surveyed past and present IT Governance committee members and received a total of 26 responses from all five committees targeted. The responses to the survey indicated that participants hold a positive position on the effectiveness of UT Austin’s IT Governance function, as the figures below attest:

[Chart: “My committee: Is effective overall.” Responses on a five-point scale (strongly agree, agree, neutral, disagree, strongly disagree), shown as percentages of respondents.]

[Chart: “For the committee that I serve on: It is important that goals of IT initiatives align with business and/or academic needs.” Same five-point scale, shown as percentages of respondents.]

[Chart: “Which of the following best characterizes IT Governance workflow for your committee?” Options: Processes are structured, documented, and well communicated; Processes follow a loose but consistent pattern; Processes are informal and uncoordinated. Shown as percentages of respondents.]

[Chart: “Initiatives tend to achieve the committee's expectations.” Five-point scale (strongly agree, agree, neutral, disagree, strongly disagree), shown as percentages of respondents.]

Suggested Enhancements

Although it appears UT Austin’s IT Governance framework is well aligned with business strategy, we are providing four suggested enhancements identified from our review of survey results and other relevant documentation that could further strengthen this alignment. UT Austin’s Chief Information Officer has provided responses for each of our suggested enhancements.

Suggested Enhancement 1:
Management should consider limiting permanent committee members to no more than one third of total membership and that term members are rotated to allow other stakeholders across campus to have an opportunity to serve. Depending on the objectives of the committee, retaining members with subject matter expertise, process ownership, or specialized business knowledge may be necessary.

Management Response:
Across the six IT governing committees there are 98 members this fiscal year, and 27 are permanent (27.5%). So, we have limited the permanent members to less than a third of the total number. All non-permanent members are rotated to enable more stakeholders on campus more opportunities to serve. A review of all IT governance committee membership is conducted each year, to be certain the colleges, schools and units are fairly represented as specified in the SITAC report, and all appointments are made by the President's Office. We agree that all permanent members should be clearly identified on the CIO website.

Suggested Enhancement 2:
Management should consider providing additional training and documented guidelines to successfully allow committees to manage their responsibilities and create consistency in the IT Governance function.

Management Response:
We agree with this suggestion, and will provide more formal orientation to all IT governing groups each September. The "How IT Governance Works" documented guidelines will be enhanced. We also plan to have exit discussions with out-going committee chairs and members, which proved very informative last year. We want to better set expectations regarding decision rights and accountability to encourage the desirable behavior in the use of IT. We also plan to develop a more structured approach for bringing agenda items to the committees, such as establishing funding thresholds and criteria for consideration of "common good" funding proposals.

Suggested Enhancement 3:
In addition to capital expenditure projections for initiatives, management should consider including the personnel hours necessary for completion of initiatives and review for availability of sufficient staff.

Management Response:
This year we have several examples of presenting the staff hours needed for initiatives: e.g., mobile strategy, video captioning, identity and access management strategy. We will continue to do so, but we do not want to burden the committees with implementation responsibilities or day-to-day IT project management.

Suggested Enhancement 4:
Initiatives that are overdue, delayed, or canceled should be reviewed by committee members to determine the reason, any necessary remediation, and the effect on campus.

Management Response:
We have several examples of this already happening, such as delays in the development of the Voice over Internet Protocol strategy, the current Office 365 implementation, and the web infrastructure design project. The annual "IT Governance Accountability Report" clearly identifies which initiatives are complete, as well as which initiatives are still in process and explanations as to why there is more work to do.

CONCLUSION

Based on a review of policies and procedures, interviews with relevant staff, a review of applicable documentation, and a review of survey results, the Office of Internal Audits concludes that UT Austin’s IT Governance framework supports UT Austin’s operational strategies and objectives; however, four suggested enhancements were noted.