The following article (by me) first appeared in the June 2010 issue of Internal Auditor. I will comment in a separate post about how I see IT governance changing as a result of advances in technology.
It is difficult to imagine any organization being effective today without the benefit of information technology (IT). IT is the foundation on which many businesses run, and the impact of a failure in IT can be tremendous. For example, according to ComputerWeekly, Agilent's CFO blamed their poor 2002 third quarter results on "a problem-strewn big-bang ERP rollout. The failure to get the system up and running properly cost the company $70m in lost operating profits, as manufacturing went offline for a week." In another example, Heartland Payment Systems disclosed in January, 2010 that it had agreed to pay issuers of Visa-branded credit and debit cards up to $60 million for losses resulting from a data security breach. (For more information on the breach, see my September 2009 blog at www.theiia.org/blogs/nmarks).
Technology can help fulfil a visionary dream, but often its use is closer to a sobering nightmare!" – Vesa Vaino, CEO Merita Bank, 1998.
IT spending is also a significant investment of corporate resources. According to IT Spending And Staffing Benchmarks 2009/2010 from Computer Economics, Inc: "In 2009, the median organization is spending 1.5% of its revenue on IT — the same level as reported in 2008 ... median IT spending per user rose to $7,284 from last year's $6,924, adjusted for inflation." These numbers don't include capital spending on IT, whether for application systems or hardware.
Yet, optimizing the value of spending on IT has been a problem for decades. Jack Welch, former CEO of General Electric, is quoted as saying that "IT has been the longest running disappointment in business in the last 30 years." I particularly like a 2001 quote from Philippe Corniou, CIO of Renault. He said ""I am writing a book on the history of information technology... in order to understand why it is such a mess!"
What Is IT Governance?
The concept of IT governance, and the frameworks and other materials that have been developed to enhance the governance of IT, is relatively recent. Perhaps the most important development was in 1998, when the Information Systems Audit and Control Association (ISACA) helped establish the IT Governance Institute (ITGI). Since then, ITGI has contributed excellent research, thought leadership, and guidance — aimed not only at IT executives, but at leaders of the enterprise including members of the board of directors.
As with many concepts, the definition of terms is critical to a discussion of IT governance. In its Board Briefing on IT Governance, ITGI says that IT governance "consists of the leadership and organisational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives." The Board Briefing goes on to explain that IT governance is not an activity that is isolated within IT and the sole responsibility of IT management. "IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organization's strategies and objectives."
IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied within the entity will have an immense impact on whether the entity will attain its vision, mission or strategic goals". Professor Robert S. Roussey, University of Southern California"
PricewaterhouseCoopers studied the importance of IT governance and concluded, in their 2008 IT Governance Survey, that "Stronger IT governance practices correlate positively with better IT outcomes, i.e., IT governance is more often found in organizations where IT is a significant contributor to (business) value."
While ITGI advocates strongly for the board to provide active oversight of IT governance, surveys by the National Association of Corporate Directors (NACD) in the United States indicate board members have a different view. Information technology is not rated a major priority by board members and expertise in IT is not a highly-valued attribute of new board members (unfortunately, knowledge of internal auditing rated even lower in the 2008 NACD Public Company Governance Survey). My personal experience, supported by an internet search of company filings, indicates that few boards have a committee dedicated to oversight of information technology. Instead, executive management is expected to provide that oversight and only bring IT-related issues of significance to the board on an exception basis.
This perception among board members may be changing and internal auditors should be alert to increased attention from the audit committee and other members of the board. One indicator is that the King Code of Governance, published in 2009 and applicable to South African public companies, includes a chapter on IT governance. In addition to explaining the importance of information technology to the business, and to the achievement of strategies and objectives, the Code says: "In exercising their duty of care, directors should ensure that prudent and reasonable steps have been taken in regard to IT governance."
The IIA has recognized the importance of IT governance. In fact, IIA Standards specifically require that strong consideration be given to assessing the adequacy of IT governance. Standard 2110.A2 was added in 2008: "The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization's strategies and objectives."
Internal Audit and IT Governance
Internal audit should, as indicated in Standard 2110.A2, consider assessing the adequacy of IT governance activities. Those activities should be risk-assessed, and audit engagements planned where appropriate. In some cases, especially where management needs advice on establishing effective IT governance, a consulting engagement may be more value-add than an assurance engagement.
As noted earlier, IT governance is an "integral part of enterprise governance." Therefore, audit departments that plan to assess the adequacy of overall governance activities should consider whether to:
- Include IT governance as an element of their audits of organizational governance.
- Perform separate audits of IT governance as a whole, or
- Perform audits of selected IT governance activities (those considered to represent higher risks).
IT governance activities support several objectives. These include ensuring:
- The alignment of organizational and IT strategies and plans.
- IT projects and operations provide the values and benefits needed by the business.
- Opportunities presented by information technology are realized.
- IT resources are used responsibly and effectively managed.
- Risks to the business related to IT are managed, and
- IT-related activities comply with applicable laws, regulations, and corporate standards for behavior, etc.
Some discuss IT GRC (governance, risk management, and compliance) rather than IT governance. As can be seen from the above list of objectives, the two terms have the same scope and are interchangeable.
A number of IT-related processes are involved in achieving the objectives of IT governance, including:
- Enterprise and IT strategic and operational planning.
- Budgeting and resource management.
- IT capital portfolio and project management.
- Systems development and maintenance (including change management).
- IT performance monitoring and management.
- Information security, privacy, and compliance.
- Risk management.
ISACA and ITGI recommend using their frameworks (COBIT and VAL/IT) to assess IT governance, and certainly those are accepted and credible assessment vehicles. Another approach is to take each of the IT governance objectives, identify the processes and controls management has in place to achieve the objectives, assess, and then test the adequacy of those controls.
The alignment of organizational and IT strategies and plans
The auditor might consider the following in assessing whether controls are in place that provide reasonable assurance that this objective will be achieved:
- Are all IT projects directly related to and justified, at least in part, by their contribution to enterprise strategies, objectives, and plans?
- Is the chief information officer (CIO) actively engaged in the development of organizational strategies, such that the opportunities presented by technology are considered?
- Is there an IT steering committee or other vehicle that provides oversight to IT planning, ensuring that IT plans, projects, and priorities are aligned with business strategies and needs?
- Does management and, where appropriate, the board receive appropriate reporting so they can monitor IT strategies and plans as part of their monitoring of on organizational strategies and plans?
IT projects and operations provide the values and benefits needed by the business
A large number of processes, including many IT general controls, relate to this objective. Consideration should be given to whether:
- Controls within the software development and change management processes provide assurance that projects fulfill user requirements, on time, and within budget.
- Controls over operations ensure an acceptable level of systems and network availability and performance.
- Information necessary to manage the business is protected from inappropriate change.
- IT and executive management receive sufficient information to monitor IT performance.
Opportunities presented by information technology are realized
This objective is related to the first objective, around strategies and plans. The difference is whether management is aware of and able to deploy new and emerging technology to improve the way the organization operates. One example is the use of social media and related technology, which can be used, for example, to:
- Change how customers contact the company. Some companies now allow customers to notify them of service-related problems using Twitter. Others have Facebook and LinkedIn pages.
- Obtain customer feedback on new products and services. A number of companies 'float' ideas using social media to see market response. Others monitor the growing number of bloggers and their comments on new products.
- Improve collaboration among teams. Project members can share ideas and hold discussions virtually.
Auditors should consider how:
- The potential for new technology to benefit organizational performance and strategies is monitored.
- Opportunities are shared with operating and executive management. IT and business leaders will generally need to work together to understand not only the technology but how it can be applied within the organization.
IT resources are used responsibly and effectively managed
Controls should be assessed over:
- The procurement of IT-related hardware, software, and services.
- IT budgeting, both expense and capital.
- IT resource management (including personnel, hardware and network utilization, etc.).
- Software licensing and other costs.
Risks to the business related to IT are managed
One of the interesting aspects of the ITGI definition of IT governance is that it includes (correctly) the management of risks. Whether internal audit elects to assess risk management as part of its audit of enterprise-wide risk management processes or as a separate engagement will typically depend on (a) the extent to which there is a mature enterprise-wide risk management program, and (b) the level of integration between enterprise or corporate risk management and IT risk management.
ISACA has published the Risk IT Framework, which may be used in evaluating risk management within an organization. The Framework defines IT risk as "the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives.
Consideration should be given to whether:
- Risk management is embraced and used by management in the setting and management of strategy, performance management, the management of projects, and in day-to-day decision-making.
- Risks related to IT processes and activities are managed independently, or (preferably) assessed in relation to their ability to impact the achievement of business objectives.
- The risk management process and related controls provide reasonable assurance that risks will be identified, assessed or evaluated, compared to approved risk tolerances, and responses identified and managed on a timely basis.
- Management and the board are provided appropriate and timely information relating to the more significant risks to the enterprise and how they are managed.
IT-related activities comply with applicable laws, regulations, and corporate standards for behavior, etc.
Just as IT governance includes risk management, it also includes the risk of non-compliance with applicable laws and regulations, contracts with vendors and customers, etc. Organizations today also need to consider societal expectations for behavior, and many consider "compliance" to include voluntary compliance with these expectations. Codes of conduct will normally set out expected standards of behavior that go beyond compliance with laws and regulations.
To assess controls over compliance, auditors should evaluate the controls over:
- The identification, understanding, and communication of compliance requirements to appropriate management, staff, and the extended enterprise (e.g., vendors, customers, and service providers. This will include the adequacy of related policies and procedures in establishing guidance and clear expectations of employees at all levels.
- Ownership of and accountability for compliance with each requirement. The IIA's Practice Guide on Assurance Maps is an excellent tool for this purpose.
- Compliance with each requirement, including monitoring of compliance controls and the handling of exceptions.
Management IT Governance Self-assessment
At California-based Seagate Technology, a leader in the hard drive and digital storage industry, IT has initiated a self-assessment process to measure their IT health. According to Kris Kahn of Seagate's eSecurity Governance function, "Using the ISO 27001 Information Security Management framework, they assigned ownership of each security domain to a senior manager, who is responsible for assessing their strengths and weaknesses. Related process objectives, individually selected from the COBIT framework, were aligned to each domain and used to measure security process maturity. The results, together with corrective actions as needed, are shared with executive management. This self-assessment process provides management with visibility of IT security health, and the results can be leveraged by Seagate's internal audit department."
A self-assessment process like this could be extended to all of IT governance. Internal audit would then review the results and confirm the assessments with independent testing as appropriate.
IT represents both an opportunity and a source of risk to any organization. It cannot be treated by the board, executive management, or internal audit as a "black box" that should be left to the technicians to handle. It is too critical to organizational success.
Instead, the organization should ensure that IT operations, risks and opportunities are managed to optimize performance. Internal audit can provide a value-add service to the board and executive management through periodic assessments of the adequacy of IT governance processes.