5. Case study 2: Harley-Davidson

Harley-Davidson Motor Company was founded in 1903 in Milwaukee, Wisconsin, USA. It is the oldest producer of motorcycles in the US and has enjoyed 20 consecutive years of record revenue. In 2003, Harley-Davidson had limited IT controls in place and staff had limited knowledge of controls. There was no standardized user access process, no defined and documented change management process, and no rigor in backup and recovery processes, and organizational standards were minimal.
Although complying with Sarbanes-Oxley was going to be a challenge, the company took strong action, utilized COBIT and passed Sarbanes-Oxley year one compliance.
In addition, it had been difficult finding other manufacturers for benchmarking, and COBIT helped show Harley-Davidson management where the company was positioned regarding controls and what should be done to improve.
PROCESS
To jumpstart IT governance and Sarbanes-Oxley activities, Harley-Davidson created an IS compliance department and began implementing a vendor’s general computer controls model. After attending a COBIT User Convention, a Harley-Davidson risk specialist recommended COBIT to management and then converted the control framework to COBIT, published by the IT Governance Institute. Concurrently, the internal audit department was driving IT to move beyond pure compliance. The company realized it needed a broad control framework, which helped eliminate the constantly changing “bar” used as a benchmark.
Reasons behind Harley-Davidson’s selection of COBIT include:
- It is an internationally accepted standard for IT governance and control practices.
- It can be used by management, end users, and IT audit and security professionals, and it provides a common language.
- It provides a means for benchmarking controls compliance.
- The COBIT framework, including tools and templates, is available essentially free as a download from www.itgi.org.
- Other leading standards, including ISO 17799, ITIL and NIST, harmonize and map to COBIT.
The company was able to gain agreement with the external auditor on the same framework and control objectives.
Key to introducing COBIT was ensuring that all of IT and management understood why they needed to care about effective, value-focused controls. Getting them to realize that there are many important business reasons for this was the first key hurdle to be successfully addressed. COBIT’s business-focused language allowed management, IT and internal audit to ensure they were on the same road.
One of the major benefits of using COBIT as its overall internal control and compliance model was getting everyone—especially nontechnical motorcycle experts—revved up about control activities and why controls are important. Harley-Davidson is subject to many regulations, including HIPAA and Gramm-Leach-Bliley, and COBIT serves as an umbrella framework that helps the company zero in on appropriate control and compliance activities.
Tracking and reporting are important components of ongoing IT governance activities. Team members must be able to learn about carry-over and repeat findings, and follow up with management action plan owners to ensure that forward momentum on the issues continues. Harley-Davidson developed an MS Access issues-tracking database to give IT and internal audit joint visibility of known control weaknesses.
Driving internal change was also a key goal of this highly competitive company, and COBIT benchmarking was an invaluable tool for independent comparison. It put the information in the right perspective for management and helped obtain overall buy-in. The framework shows peer comparison in an unbiased format and is used as part of every IT audit. Best of all, it invites discussion about where the company would like to be.
CONCLUSION
Prior to implementing the COBIT framework, areas the external auditor audited were chosen randomly or on loose justifications. Now the areas selected for auditing are firmly based on business value and control needs.
The breadth and depth of COBIT have naturally allowed it to be used successfully as a central control model. In addition, benefits Harley-Davidson has found by using COBIT as a control model include:
- IT governance personnel can map frameworks “behind the scenes.”
- End users need to be aware of only one standard.
- IT can easily show compliance with multiple frameworks.
- It helps establish a consistent focus.
- It gains external audit agreement on the company’s control position.
- It establishes the ability to use control objectives to help identify root causes.
- There is a comprehensive view of the risk and control environment.
- It provides a foundation for all future internal and Sarbanes-Oxley-related audits.