Section 8.2.  What Does Monitoring Mean?

8.2. What Does Monitoring Mean? Chapter 2 established the following high-level definition for the COBIT monitoring domain: "The monitoring phase uses the SLAs or baseline established in the subsequent phases to allow an IT organization to not only gauge how they are performing against expectation but also provides them with an opportunity to be proactive." Previous chapters discussed good quality practices; Plan, Do, Check, Act (PDCA), and continuous improvement. This chapter attempts to accomplish three things: Give you more information on Deming and his quality system. Illustrate PDCA more clearly. Demonstrate, via Deming's PDCA cycle, that monitoring is not the end of the process, but rather the beginning. 8.2.1. Deming's PDCA Cycle In the 1950s, W. Edwards Deming developed a quality system for the continuous improvement of business processes. Deming's quality system contended that business processes should be analyzed and measured to identify the sources of variations that cause products to deviate from customer requirements. He proposed that business processes be placed in a continuous feedback loop so that managers could identify and change the parts of the process that needed improvement. To illustrate his continuous improvement system, Deming developed a diagram using four arrows in a cyclical pat-tern. This diagram is commonly known as the PDCA cycle (see Figure 8.1). Figure 8-1. Deming's PDCA The sections of the diagram are defined as: PLAN Design or revise business-process components to improve results DO Implement the plan and measure its performance CHECK Assess the measurements and report the results to the decision makers ACT Decide on the changes that are needed to improve the process Although Deming's focus was on industrial production processes, his method and philosophies just as easily applied to modern business practices. If you look carefully at the COBIT Guidelines, you will see a strong resemblance to the Deming PDCA model. Whether intentionally or by accident, these guidelines illustrate the point that good quality business practices endure the test of time. How does this apply to the Sarbanes-Oxley Act of 2002 (SOX) and COBIT? Most monitoring activities in COBIT IV: Domain Monitoring come from service level agreements (SLAs). As much as possible, monitoring activities should be automated via Open Source tools such as Nagios and eGroupware. Keep in mind that when determining your thresholds, you may want to set them slightly below your SLA thresholds so that you have additional time to react and proactively correct problems prior to a service interruption. This chapter looks at the specifics of each control objective, and attempts to summarize and distill those that lend themselves to small and medium-sized companies. If a particular control objective or an individual item is not applicable to BuiltRight or NuStuff, it generally does not apply to small to medium-sized companies. (For a complete list of the COBIT Guidelines, please see Appendix A.) 8.2.2. Monitor the Processes This section discusses monitoring processes and activities associated with ensuring that previously defined systems and control objectives perform as expected. 8.2.2.1. Assessing Performance (SOX and Repositioning) This process should include key performance indicators and critical success factors, and be performed on a continuous basis utilizing good quality practices and concepts. As discussed previously, these performance indicators must be SLA-based. 8.2.2.2. Assessing Customer Satisfaction (SOX and Repositioning) Customer satisfaction should be measured at regular intervals, and any shortfalls should be addressed as part of a continuous improvement process. Again, the measurement criteria should be based on SLAs. As part of the normal course of operations, internal controls must be monitored for effectiveness through management and supervisory activities. As with Deming, any deviations must require analysis and corrective action plan(s). Also, these deviations must be reported to the individual responsible for their function and at least one level of management above. Any serious deviations should be immediately reported to executive management. This particular control objective is critical in the development of processes and procedures for SOX compliance. 8.2.3. Assess Internal Control Adequacy Once you have implemented the various policies, processes, and procedures, and have obtained SOX compliance, you must sustain your new environment. This is where the various Open Source tools identified in this book pay off. Because the COBIT guidelines were developed in 1996, a lot of the recommended "Internal Control Adequacy" assessing activities appear to have been incorporated into the SOX compliance process. 8.2.4. Obtain Independent Assurance Although the control objectives in this section have no bearing on Sarbanes-Oxley Compliance, they are noteworthy to review with regards to possibly adding credence to the effectiveness of an IT organization after obtaining Sarbanes-Oxley Compliance and/or any repositioning efforts. 8.2.5. Provide for Independent Audit The control objectives in this section aren't required to comply with Sarbanes-Oxley, but because these control objectives are what Sarbanes-Oxley Compliance is all about, we felt compelled to list them and provide a few insights. As unfortunate as it is, most small to medium-sized companies can't afford the staffing on a full-time basis to comply with this COBIT section or periodically perform self-audits. However, what might be more feasible and realistic is to designate an audit team made up of existing employees. The main caveat to keep in mind is that the employee performing the audit of a department cannot work within the audited department. If the luxury of budgetary funding does exist at your organization, we would advise the periodic use of an independent audit firm, rather than one of the big four, to ensure your controls are still effective. The reason for using an independent audit firm is because the impartiality of the independent audit firm will lend more credence to the audit findings and your audit firm.