COBIT Case Study: Unisys, an Agile Enterprise with World-class Efficiency

Unisys, a leading international IT services company with more than 30,000 employees, recognized the need for a standardized IT strategy to support global operations, align the IT infrastructure with the company’s overall business strategy and help comply with Sarbanes-Oxley regulations. Control Objectives for Information and related Technology (COBIT), published by the IT Governance Institute, was evaluated and adopted to provide an effective IT controls and IT governance framework. As a result of implementing COBIT, business processes within IT were improved and Sarbanes-Oxley related controls were established.

With revenues of more than U.S. $5 billion and business conducted in more than 100 countries, Unisys faced significant opportunities and challenges. To help the company stay ahead of the continually evolving business and technology environment, COBIT was championed by the Unisys CFO, general auditor and me, as CIO at the time, as a good controls and IT governance framework. The company initially adopted the COBIT framework in the third quarter of 2002, when internal audit conducted its first audits of IT using COBIT. In 2003, the company expanded its use of COBIT to the total workforce through comprehensive training.

The overall goal was for COBIT to provide a standardized framework across the entire Unisys IT organization. In addition, COBIT established the framework for Sarbanes-Oxley controls and contributed to Unisys Sarbanes-Oxley certification. It also formed the basis of core vs. context analysis that led to global sourcing activities.

For many years prior to adopting COBIT, Unisys had put significant focus on writing and publishing a worldwide IT strategy. The strategy needed to capture and manage the requirements of global operations and align the IT infrastructure with the overall strategy of the company. Unisys is a worldwide technology services and solutions company for clients in focused industries including government, financial services, transportation and others. Global standard business processes are a key IT governance goal.

Over the next few years, the company evolved an IT governance process that was structured around ROI-based projects, a formalized project initiation process (PIP) and a CEO-led IT Governance Council (ITGC) consisting of the senior business unit executives.

Unisys IT began using COBIT as a framework to design a services-driven approach for internal customers. This implementation of COBIT helped define roles and responsibilities, and continues to help guide modeling of internal processes using Unisys 3D VE. Unisys 3D-VE is a blueprinting methodology that lets you see the impact of contemplated infrastructure changes across an enterprise before actually committing resources to the changes.

In the first two quarters of 2003, a Unisys corporate task team was organized to develop the approach and plan for compliance with Sarbanes-Oxley Section 404. The Sarbanes-Oxley basic control framework for IT was developed by midyear; formal and informal training programs were implemented over the next nine months. The CIO’s staff attended instructor-led classes. Two different webcasts were created for employees, in addition to other specific classes.

Improved Business Process

In addition to being used for Sarbanes-Oxley related controls, COBIT is also implemented by Unisys to help drive process standardization for the software development life cycle (SDLC), where the company has integrated the Rational Unified Process (RUP) and COBIT. Unisys has also utilized COBIT as a guideline for developing its approach for outsourcing work to third parties by identifying processes and tasks within the domains of COBIT that can be outsourced vs. those that are better off being retained internally by Unisys IT.

The business process within IT has improved as a result of using COBIT for ongoing Sarbanes-Oxley compliance and other IT governance related projects. Companies need a strong governance model in place to approve, prioritize and manage IT investments on an ongoing basis. This is necessary to align IT investments with the business requirements needed to deliver business value to the company. The process of IT governance must involve the business units at the highest level in a partnership with IT to ensure that effective strategic alignment is achieved.

Board of Directors Involvement

The Unisys board of directors focused on Sarbanes-Oxley activities and on major investment areas. The directors received input from the work of the Sarbanes-Oxley, internal audit and reporting teams, and could therefore address major risk/responsibilities in order to

• Ensure the overall information security, disaster recovery and business continuity of the company’s IT infrastructure, as well as physical recovery of various major assets
• Require a business case for major IT expenditures and analysis by the IT leadership to inform the board, so the board can approve or disapprove major IT proposals
• Measure the forecasted return on investment and other results and benefits tracked over a number of months or years against the original proposal
• Ensure alignment of the IT infrastructure so it provides maximum support to the accomplishment of the major business objectives and corporate strategy
  

COBIT Contributions to the Business

COBIT has contributed to many areas within Unisys, including

• IT governance—Forming strategy, managing investments
• Audit methodology—Developing audit plans and approaches
• Sarbanes-Oxley—Assessing risks, processes and controls
• Process standards—Managing infrastructure and application life cycle
• Policy formation—Using control objectives as a foundation for standards
• Outsourcing—Recognizing appropriate opportunities for third-party services
  
• Security—Managing enterprise security efforts

In relation to the board’s goals and the company’s strategic requirements, COBIT has a number of key attributes that Unisys

IT deems important:

• Communication—Common terminology across IT to discuss policy, standards, process and controls
• Quality—Comprehensive view of the IT enterprise
• Consistency—Common approach to solve problems
• Credibility—External standard against which to be measured
• Maturity—Ability to monitor and measure progress over time

As business and IT strategies are further integrated in the future, COBIT should help Unisys remain an agile enterprise with world-class efficiency and effectiveness. COBIT is available as a complimentary download from www.isaca.org/cobit.