IT Governance and Management Case Study - U.S.

Industries
Company Information:
U.S. Industries manufactures engineered products and materials for the chemical, industrial, energy,
transportation, and infrastructure markets, with operations principally in the Western United States. It
operates in three segments: Fiberglass-Composite Pipe, Water Transmission, and Infrastructure
Products. The Fiberglass-Composite Pipe segment provides filament-wound and molded composite
fiberglass pipe and fittings for various process industries, including industrial, petroleum, chemical
processing, and petrochemical industries. The Water Transmission segment offers concrete and prestressed concrete cylinder pipe, steel pipe, and reinforced concrete pipe for water transmission, storm
and industrial waste water, and sewage collection. Its customers include local, state, and federal
agencies; developers; and general contractors. The Infrastructure Products segment supplies readymix concrete, crushed and sized basaltic aggregates, dune sand, concrete pipe, and box culverts to
the construction industry. It also offers concrete and steel poles for highway, street and outdoor area
lighting, and traffic signals in the U.S. U.S. Industries markets its products through direct sale force,
manufacturers’ representatives, distributors, and licensees. The company has revenues just over
$4.0B per year. Revenues are growing at about 8% annually. The company is headquartered in
Pasadena, California.
Situation:
You lead the IT governance function in the organization and have been contacted by Michael Ruiz,
the new CIO, to review current IT governance and management processes, and make
recommendations for improvement. Michael has been with the company for about three months and
wants to transform the IT organization so that it can be better aligned and add value to the business.
The CEO had been frustrated with the prior CIO due the following key symptoms:
 The CEO and business unit leaders have provided the business goals, strategies approved
by the board to IT leadership but have not seen an IT strategy.
 IT did not seem to deliver the value required for the business units to meet their business
strategy and objectives. IT costs, both for capital projects and operational expenses, were
growing yet they were not seeing any significant new benefits.
 IT projects were did not seem to meet the business requirements requested, and the
projects were often delivered late and over budget.
 They recently had a security breach that brought their servers down which caused their
main application where orders were recorded and inventory maintained to be unavailable
for 1 day. When the servers were restored, data was not current and client orders were
lost.
 This security breach was also reported in the Los Angeles Times newspaper. Additionally,
management had to inform clients of the possibility of their personal data being
compromised.
 IT management had difficulties pulling data together for reporting to the executives and
board to communicate how they were doing against their goals or where they had areas
requiring improvement.
Page

-1 -

9/1/2015

There is high level documentation on IT risk management but no procedures or guiding principles. The previous CIO had communicated the IT goals and progress to the IT organization through their quarterly town hall meetings. IT risks are on the committee’s agenda but you haven’t provided the CIO with any formal IT risk information. In response to pressures from the CEO. No one on the team has taken formal risk management training except for attending ISACA dinner meetings on this topic. has been impressed with the people brought into your IT Governance group. There is an IT strategic plan but it hasn’t been shared with the business process owners. He does not want to discard the current program or its people. Michael. Everyone on the team is aware of the importance of risk management. They don’t have a formal process to meet with the business units regularly. The help desk service and response has not been consistent especially to executives which resulted in them calling the CIO to intercede on their behalf to problem solve which was not an efficient use of the CIO’s time. IT had recently outsourced their infrastructure support but the business has not seen the where this decision has provided the organization with savings or value. They are also having a difficult time recruiting talent in the Los Angeles market. There is no formal measurement of achieving their strategic plan or reporting to senior executives and the board. COBIT5. They are still in the process of developing a governance framework and program but have been constrained by resources. There is an IT Steering Committee but the roles and responsibilities are not documented. you have been concerned about the aging workforce and haven’t had the opportunity to communicate this to the CIO. But rather.  The IT organization consistently had repeat findings from the Internal Audit group which were not remediated timely. Page -2 - 9/1/2015 . compliance personnel and individuals with several years managing IT. There is no resource management plan. An enterprise risk management (ERM) committee was formed last year of which the CIO is a member of. You and your team are scheduled to do a findi ngs and recommendations presentation in a month. The new CIO. There has been no systematic process for identify a universe of IT risks across the organization and an understanding of how they are aligned to operational risks. Your team has interviewed the following individuals: VP IT Governance – Assignment Team Leader - - There’s a range of skill sets in the IT governance group including prior IT auditors. There is a risk management process but it is informal. the prior CIO had implemented a formal IT Governance program 12 months ago. he would like an objective assessment of the current IT governance and management processes using the globally accepted IT governance and management framework. but he is not sure if the governance program is achieving the desired results.

He’s concern that IT doesn’t understand the business and the requirements in these large projects. He doesn’t know how IT manages the data or the knowledge of the organization.He represents the biggest business area in terms of revenue. They are reliant on Internal Audit or the SOX group to tell them what they need to do. participates in meetings concerning IT development projects that support product development and enhancements. . Meetings are held on an ad hoc basis.Their application captures a significant amount of data about their customers which the business would like to leverage to better understand customer needs and increase revenue.He finds that the delivery of IT to support business requirements is sporadic and not consistent.He is responsible for all the development projects to support the Water Transmission business operations. there hasn’t been an integrated BCP and DRP test performed yet.The deficiencies have been communicated to each of the IT departments as well as copied to the IT Governance department. there isn’t a central repository of project risks they are too busy on projects. .The regulators are also concerned about repeat findings but IT doesn’t seem to have a good way to track and remediate their audit and control findings. . The development staff frequently has to work long hours. . He has made several requests for business intelligence to help with business decisions but IT hasn’t been able to meet this request other than for simple ad hoc reports. .They recently had their key application down for a day during their busiest time not allowing them to take orders.There have been significant IT general controls deficiencies identified through Management’s assessment over internal controls associated with SOX 404 for the last two years. Often the project team does not include people with the knowledge of the business segment that they are supporting. . Page -3 - 9/1/2015 . .He is concern that there is no process to prioritize projects. there is an excessive backlog of user requests where project priorities always change. the person with the loudest voice seems to receive the most funding. Most concerning is the segregation of duties issue – Developers have update access to the production systems. . .Each project manager documents and manages risks for their own projects.He has made numerous complaints to the previous CIO with no results. .There is no formal forum to discuss project status. The business has a business continuity plan (BCP) which they activated but they didn’t know how the plan was integrated with IT’s disaster recovery plan (DRP).Budget overruns are common and in addition. VP IT SOX – John MacDorman .They are always short of resources and don’t have a way to manage their resource needs and capacity. VP Water Transmission Application Development – Brad Brown . .He suspects that many of the deficiencies have not been addressed because IT has been focused on incidents that cause business disruptions and trying to deliver projects to support the business. . .VP Product Development and Implementation – Ed Smith .

. governance and management activities in this case study. Research and develop a 30 minute presentation to answer the following: 1. For each of the COBIT processes you reviewed. He is aware of several IT deficiencies but he’s too busy “fighting fires”. present the following: i. Write up a findings and recommendations report that you will present as follows: a. He does receive some sort of statistical reports from the vendor but does not have time to review them. no one is perfect! IT Audit Director – Lucy Liu .VP IT Infrastructure – Paul Downy . He’s not sure why the policies are being followed resulting in frequent security audit findings. 3. Risk as a result of the finding (what can go wrong) Page -4 - 9/1/2015 .She has completed the IT audit risk assessment and annual audit plan but did not include any involvement or review of governance initiatives. . Explain the differences between IT governance and management. .He manages the relationship with the Outsourced company .He feels that his Security Manager does good work. What are the benefits of performing your review utilizing the COBIT5 framework? 4. He doesn’t think they have any security procedures although they have policies. b.He states that security breaches happen to all companies from time to time – after all. . why fix them”. .He feels that the IT Governance department is responsible for managing IT risks and controls.She’s newly hired and has been with the company for six months. Provide examples of what the roles and responsibilities of an IT Steering Committee should be.He outsourced infrastructure function because he had high turnover of staff. . select two COBIT processes and identify current gaps/issues.She has reviewed the list of outstanding IT findings and plans to meet with the IT senior management team to discuss them Exercise: You will be presenting the results of your assessment to the CIO and the IT leadership team. For a designated domain (Figure 1). He hasn’t heard any complaints about the outsourcer other than the odd help desk complaint. Background and executive summary of the problems you found in reviewing processes within this domain. Finding ii. Give examples of 2.He’s been with the company 35 years and believes that “if things aren’t broke.

Organization Structures (RACIs) 4. Infrastructure and Applications (being consumed by the process) 6. Principles. Recommendation to improve or manage the risk. Information (Inputs and Outputs) 5.iii. Policies and Framework (guidance to successful execute processes) 2. Processes (Purpose. People.COBIT5 Reference Model Page -5 - 9/1/2015 . Services. key activities) 3. Include a consideration of the COBIT5 enablers (Figure 2) in the design: 1. Skills and Competencies (required to perform the processes) Figure 1 .

Figure 2 – COBIT5 Enablers Page -6 - 9/1/2015 .