Explain the significance of an enterprise process model in comparison to normal process models. Write in detail
what features make an enterprise model.
Q # 2: (5)
a. Discuss the five typical questions that pop up during fact finding (enterprise architecture) while following
Zachman's framework.
Q #4: (10)
Q # 5: (10)
Q # 6: (20)
The business goal of Harley-Davidson Motor Company is to produce and sell high-quality motorcycles. Until
the early 2000s, this goal was the sole focus, and limited attention was given to internal audit and controls.
Because of increased scrutiny and regulations worldwide, it was important for the company to continue its
successful business model and also incorporate new thinking regarding the importance of controls. The
challenge was in getting management, information technology (IT) and audit speaking the same language and
working toward increased control, while still respecting the company’s unique culture. A new department
focused on control and risk mitigation needed a framework that focused on key value areas important to the
business. This all had to be accomplished by building consensus among varied departments and without
affecting quality or slowing production.
Harley-Davidson Motor Company was founded in 1903 in Milwaukee, Wisconsin, USA. It is the oldest
producer of motorcycles in the US and has enjoyed 20 consecutive years of record revenue. For the year ended
31 December 2005, Harley-Davidson shipped 329,000 motorcycles (a 3.7 percent increase), had revenue of US
$5.3 billion and experienced worldwide growth of 6.2 percent. In 2003, Harley-Davidson had limited IT
controls in place and staff had limited control knowledge. There was no standardized user access process, no
defined and documented change management process, and no rigor on backup and recovery processes, and
there were minimal organizational standards. Although complying with Sarbanes-Oxley was going to be a
challenge, the company took strong action, utilized COBIT (Control Objectives for Information and related
Technology) and passed Sarbanes-Oxley year one compliance. In addition, it had been difficult finding other
manufacturers for benchmarking, and COBIT helped show Harley-Davidson management where the company
was positioned regarding controls and what should be done to improve. To jumpstart IT governance and
Sarbanes-Oxley activities, Harley-Davidson created an IS compliance department and began implementing a
vendor’s general computer controls model. After attending a COBIT User Convention, a Harley-Davidson risk
specialist recommended COBIT to management and then converted the control framework to COBIT, published
by the IT Governance Institute. Concurrently, the internal audit department was driving IT to move beyond pure
compliance. The company realized it needed a broad control framework, which helped eliminate the constantly
changing “bar” used as a benchmark. Reasons behind Harley-Davidson’s selection of COBIT include:
Key to introducing COBIT was ensuring that all of IT and management understood why they needed to care
about effective, value-focused controls. Getting them to realize that there are many important business reasons
for this was the first key hurdle to be successfully addressed. COBIT’s business-focused language allowed
management, IT and internal audit to ensure they were on the same road. Harley-Davidson’s COBIT migration
process needed to go beyond questions such as “Do you have a systems development life cycle process
(SDLC)?” to stimulate internal conversations on what an SDLC really is and which skills were required. The
team started by mapping implemented controls to COBIT and compared the results to a previously accepted Big
4 accounting firm’s COBIT mapping. Gaps were identified and plans were developed to close these gaps. One of
the major benefits of using COBIT as its overall internal control and compliance model was getting everyone—
especially nontechnical motorcycle experts—revved up about control activities and why controls are important.
Harley-Davidson is subject to many regulations, including HIPAA and Gramm-Leach-Bliley, and COBIT serves
as an umbrella framework that helps the company zero in on appropriate control and compliance activities. For
example, it is a constant challenge to ensure that control owners truly understand effective control. Sometimes
they assume “more is better.” With COBIT, the risk team could clearly show them that one or two good controls
can be better than having seven controls, of which several are ineffective. Once control owners understood the
value of expending fewer resources and less time for an equal or better control, they jumped on board. Tracking
and reporting are important components of ongoing IT governance activities. Team members must be able to
learn about carryover and repeat findings, and follow up with management action plan owners to ensure
forward momentum continues to address the issues. Harley-Davidson developed an MS Access issues-tracking
database to have joint IT and internal audit visibility of known control weaknesses. Driving internal change was
also a key goal of this highly competitive company, and COBIT benchmarking was an invaluable tool for
independent comparison. It put the information in the right perspective for management and helped obtain overall
buy-in. The framework shows peer comparison in an unbiased format and is used as part of every IT audit. Best
of all, it invites discussion about where the company would like to be.
Q1: Write the conclusions you have drawn from the above case study's process based on the COBIT
framework.