Deloitte has given us yet another fabulous document. This one is called "The Tech-Intelligent Board: Priorities for Tech-Savvy Directors as They Oversee IT Risk and Strategy" (PDF).
Even though this is an excellent document, I have three problems with it, the first of which is easily overcome: the title. This is not just for directors who are already tech-savvy.
- All directors should study this closely, apply the principles, and make use of the suggested questions to frame discussions.
- Board Secretaries and Chief Audit Executives should help the board and the audit committee with their oversight of the IT impact on strategy and risk.
- Chief Executives can not only ensure the board provides the appropriate level of oversight (and obtains the information necessary), but ask themselves whether they themselves have the knowledge of IT-related activities that they should.
The second problem is the way Deloitte has explained the "reasons to get involved in the oversight of information technology (IT)." The only reasons they list are privacy, safeguarding of intellectual property, and compliance. Yet, IT provides the applications and the capability to run the business — if it fails in any respect, the damage can be catastrophic. Fortunately, Deloitte recognizes this to some extent later in the document (pages 3-7).
Deloitte has made a number of points that I really like (I have taken the liberty of extending their commentary to its logical conclusion in a couple of cases):
- Technology can improve board operations. I am thrilled to see this, as it is one of the frequently overlooked aspects of governance — the often-silent G in GRC.
- Spend the time providing oversight on IT that the level and nature of the risks require. Deloitte has suggested that the extent of oversight be scaled according to the level of reliance placed on IT and the risks to the organization from an IT failure.
- Align IT strategy to business strategies. This is the core of IT governance (I refer you to the excellent ITGI guidance on IT governance). I extend that point to:
- Include consideration of IT in board discussions of risk and strategy. The "traditional" view is that the board should have separate discussions of IT. I prefer (with the exception of the next point) to see IT-related issues included in business discussions of strategy and risk.
- Provide oversight on major IT projects. I agree with Deloitte that just as they should for other major projects and initiatives, the board should ask the appropriate questions to obtain assurance that major IT projects are successful.
I have left the third problem to last: the omission of internal audit as a source of assurance on IT-related matters.
Where are these questions?
- Does the internal audit activity include sufficient knowledgeable, experienced IT auditors?
- Does the internal audit plan provide sufficient coverage of IT-related risks, including the impact of IT operations on business strategies and risks?
- Is effective use made of IT auditors on major IT initiatives, where they provide proactive consulting and assurance services to prevent issues rather than waiting and auditing after the fact?
- Do the IT auditors work effectively with management?
- Does the board receive sufficient assurance from internal audit on the effectiveness of the IT function, including its compliance with laws and regulations, the management of other risks (in collaboration with other risk management functions), efficiency and effectiveness in supporting the business, and alignment of IT operations with business strategy and operations?
I welcome your comments.
PS — if you are interested, I tweet about internal audit, governance, risk management, GRC, and more at http://twitter.com/normanmarks