Professional Documents
Culture Documents
C
orporate strategy today is increasingly reliant upon
nonorganic growth through mergers and acquisitions direction of the systems integration. The background of key
(M&A). The volume of M&A activity is increasing officials in the merged organization, the philosophy at the top
after several quiet years, and today’s business environment and issues of perception relating to the relative efficiency of
emphasizes governance and risk management as much as the merged companies play an equally important role in
operational and financial efficiencies. M&A activity is now deciding the course to be followed for the systems integration
part of business-as-usual for most organizations, and not effort. Decision-making around mergers tends to be
merely a once-in-a-lifetime corporate event. This creates a judgmental, with key decisions taken first and later justified
unique challenge for chief information officers (CIOs) and by financial criteria. The integration effort around the systems
information security personnel who need to manage the of the two entities involved is often no different. An
integration of the merging businesses’ systems according to an appropriate governance framework makes it possible to
established governance framework that can stand up to build a rational case for the systems integration option
subsequent scrutiny. ultimately adopted.
Transaction risks, or the risks from an M&A transaction The rest of this article considers:
gone bad, can be a source of personal liability for corporate • Applying the Control Objectives for Information and related
officers. A source of transaction risk is the integration of the Technology (COBIT) IT processes to manage an integration
merging entities’ IT systems, which, if not done correctly, may project
render impossible the realization of many of the synergies • Options that a company can consider in a post-merger
factored into the merger valuations. The use of an appropriate scenario when looking at systems integration
risk assessment and governance framework can help manage • Special considerations that the IT project manager may need
transaction risks and demonstrate that the right governance to take into account while executing the project
processes were applied in managing the merger.
Many companies are setting up board-level M&A COBIT IT Processes as a Project Driver
committees, with the CIO and IT professionals directly COBIT can be used to help ensure that project plans
reporting to them in respect to their roles in the post-merger incorporate generally accepted phases in IT planning,
integration efforts. Therefore, IT integration needs to be acquisition and development, service delivery, and project
controlled using repeatable, mature processes carried out under management and assessment. Most of COBIT’s IT processes
an established framework, as opposed to being managed as and related control objectives can be used as a framework to
once-off, ad hoc projects. drive an IT program for merger integration.
Part of the governance needed over merger integration is to Figure 1 depicts how an IT integration exercise would be
achieve operational objectives; for example, poorly integrated carried out within COBIT’s domains.
systems could mean deserting customers, lack of a focused Project objectives are determined at the initial stages of the
corporate brand identity for the newly merged entity and project and are driven by business requirements from the
spiraling costs. Timely integration of systems and processes is overall integration program. These requirements can almost
necessary for the merged entity to derive the economies of always be translated into specific informational requirements
scale and eliminate duplicate functions to allow the synergies that drive the project objectives. Project resources include the
to be achieved. entire repertoire of what comprises IT resources, including
Companies face many choices when bringing together their people and the available technology. IT processes that need to
systems. The resulting duplication of more than one be carried out to complete an integration project can be
application system serving the same business process in each mapped to COBIT domains and help organize a complete effort
of the merged entities means that the merged entity could that addresses business requirements and alignment with the
either move away from one of the systems or continue both of business and IT strategy within an overall framework of strong
them with data aggregation at a high level that provides a and auditable internal controls.
global picture for the new combined operations, or the Merger integration projects tend to be high-risk as well as
opportunity may be used to implement something completely high-profile, and IT’s failures can undermine not only the
new. Integration is not merely about consolidating data from overall integration program, but also the credibility of IT.
disparate systems, but also about evaluating options, making Project risks need to be continually reassessed at each stage of
decisions, and prioritizing and resourcing the choices made. the project, and the project manager must be aware of the
Every new integration project is an opportunity to review IT myriad non-IT-related environmental constraints to which
governance goals and performance. he/she is subject.
Like all other integration issues, people factors and human
IT Processes for
Integration
Ensure compliance with strategic IT plan.
DELIVER AND Ensure alignment with information architecture.
SUPPORT Incorporate IT organizational relationships in integration.
Comply with external requirements.
ACQUIRE AND Manage projects as part of integration program.
IMPLEMENT Manage quality.
impact
Understand and manage project risks.
Identify solutions.
Acquire and maintain application software.
Manage performance and capacity. Acquire and maintain technology infrastructure.
Ensure continuous service. Develop future state procedures.
Ensure systems security. Manage changes.
Arrange user training. Ensure system accreditation and user acceptance.
Manage integration problems and issues.
Project Risks
Business Alignment | Time and Cost Overruns | Service Interruptions | Failure to Integrate | Resourcing Risks
Project Risks and
Constraints Project Constraints
Unclear Mandate | Political Climate | Merger Time Line | External Expectations | Legacy Deficiencies | Process Decisions
Special Considerations and these may further be related to external expectations, say
Much of the guidance available through COBIT directly at the board level, or the market’s expectations. There may be
applies to a post-merger or acquisition situation. The project legacy issues around architecture (choices relating to
manager carries out the different IT processes, considers the applications that are too big to deal with in such a time line),
control objectives and uses the COBIT framework to guide the and these may considerably constrict the space in which the
efforts of the integration team. project manager operates. Decisions on common business
The COBIT framework is available in the public domain and processes may not be timely from functional managers, and the
should be referred to for a detailed explanation of the different IT project manager may need to proceed with a best-guess
IT processes. This paper focuses on the special challenges, approach, with built-in contingencies to deal with gaps.
particularly those relating to application evaluation and All these factors may lead to a suboptimum alternative
implementation, that a merger situation presents. The following being pursued in the short term, but as long as there is a
sections discuss the special considerations that the systems conscious understanding of these issues—the overriding long-
integration project manager needs to take into account for each term objectives—the integration team will have done a job that
of the four COBIT domains. stands up to scrutiny in hindsight.
Risk Assessment
Immaterial
Not Sure
Medium
High
Low
COBIT IT Process Integration Project Task
PO1 Define a strategic IT plan Ensure compliance with strategic IT plan
PO2 Define the information architecture Ensure alignment with information architecture
PO4 Define the IT organization and relationships Incorporate IT organizational relationships in integration
PO8 Ensure compliance with external requirements Comply with external requirements
PO9 Assess risks Assess integration risks
PO10 Manage projects Manage IT integration projects
PO11 Manage quality Establish project quality plan
AI1 Identify automated solutions Identify integrated application
AI2 Acquire and maintain application software Obtain solution software
AI3 Acquire and maintain technology infrastructure Establish technology infrastructure
AI4 Develop and maintain procedures Develop future state procedures
AI5 Install and accredit systems Accredit integrated applications
DS3 Manage performance and capacity Reassess performance and capacity requirements
DS4 Ensure continuous service Ensure continuity of service
DS5 Ensure systems security Ensure security configured in applications
DS7 Educate and train users Arrange user training
DS10 Manage problems and incidents Manage integration problems and issues
M1 Monitor the processes Monitor integration processes
M2 Assess internal control adequacy Assess internal controls
Special Considerations:
Figure 3—Assessing Business Risks Acquire and Implement
Determining Options
Risk Assessment The integration team needs to investigate options along a
time-based framework—what is possible in the medium term
Immaterial
and what is desirable for the longer term. Ideally, both options
Not Sure
COBIT
Medium
Information lead down the same path, but occasionally that may not be
High
Low
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems
Systems Control
Control Journal
Journal
does not attest to the originality of authors' content.
2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM
© Copyright 2004
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.
www.isaca.org