From the June 2008 issue of Internal Auditor

Putting IT Governance Into Action

As internal control experts, auditors can help turn desired IT strategies into reality.

Many organizations have policies and procedures in place to manage the work of employees and business partners and ensure their consistency. Similar control processes are essential in it operations and can be achieved by implementing an effective IT governance framework that addresses the roles and responsibilities of business groups and individuals; articulates the rules and procedures for making IT decisions; and helps to set, attain, and monitor IT objectives.

IT governance activities go a few steps further than standard operating policies: They align an organization’s IT strategies with its overall goals and objectives. Effective IT governance initiatives can measure performance and help organizations achieve regulatory compliance in different areas, while balancing the interests of stakeholders. As part of the governance structure, internal auditors can focus an organization’s attention on the technology resources that create business value and determine if existing IT controls ensure accountability.

IDENTIFYING HIGH-RISK AREAS

IT controls, policies, and procedures are a key aspect of the IT governance structure. Using a maturity model can help auditors evaluate overall attitudes toward IT governance, IT controls, and high-risk issues. In addition, a maturity model provides a standard way to document the state of internal controls. Key stakeholders, such as senior managers and IT and business process owners, can help auditors identify high-risk issues and rate IT controls using a four-step review process.

1. Select and Define Relevant IT Performance Areas
Auditors can help develop a scorecard that focuses on high-level factors affecting critical IT performance areas, including strategy implementation, project completion, resource use, and process performance. The maturity of critical IT performance areas will help auditors diagnose where governance improvement efforts are most valuable. To help define these areas, auditors can ask questions such as:

• Is the IT infrastructure able to meet business needs?
• How is IT performance measured?
• How are IT investment decisions proposed, shared, and delivered?
• How is IT performance accountability divided between the organization and IT department?
• Does IT staff need to understand strategic business goals and objectives?
• Do employees recognize, define, and communicate IT needs effectively?

Answering these questions does not require an in-depth understanding of published technology frameworks; IT process owners can help auditors select the most relevant business areas. Auditors also need to identify any risk management issues so that senior managers can understand their role in addressing them. If the relationship between IT and business process owners is not well-established, auditors can recommend hiring a third-party to identify IT performance areas, needs, and expectations and minimize problems among key stakeholders.

2. Develop Key Factors for Performance Areas and Survey Stakeholders
Areas identified in the previous step should have multiple factors that can help auditors narrow their evaluation. For example, when using the maturity model to gauge how performance areas share accountability, it might be relevant to know whether risks and successes are shared and how often, to what extent business managers and IT staff trust each other, and whether IT projects include business sponsors at a level commensurate with the project’s scope.

To report on the state of the organization’s IT management efforts, auditors can ask business and IT managers to select one of five statements, each corresponding to a business practice’s maturity level. For example, a level 1, or low-maturity statement, might be, “The IT department can’t be trusted to perform its work,” while a level 5, or high-level statement, might be, “The IT department completes projects successfully.” Low scores can indicate management believes IT resources must be micromanaged for their success, while high scores can indicate managers trust the IT department’s work performance.

Initially, auditors might consult frameworks such as the UK Office of Government Commerce’s IT Infrastructure Library or the IT Governance Institute’s Control Objectives for Information and Related Technology (COBIT) for guidance when developing the maturity model. However, their use may add a level of complexity the organization is not ready to adopt during the IT governance program’s early stages.

3. Decide Which Maturity Level Is Best for the Organization
Different business stakeholders may be interested in the organization’s overall IT maturity level, including executive, business, and IT managers and internal auditors. As a result, these groups need to identify key performance areas to determine who will decide which maturity level is best for the organization. For example, organizations that use COBIT as their control framework strive to achieve a maturity level of three or four. Decisions related to financial and time investments also are critical in deciding which maturity level is best as overall costs to achieve a higher maturity level can be prohibitive when compared to its future benefits.

4. Recommend an Action Plan to Prioritize Improvements
After comparing desired and perceived maturity levels, auditors can help business managers and IT process owners agree on a schedule of necessary improvements that includes milestones, resource requirements, and deliverables. It is a good idea to prioritize the deployment of initiatives to increase maturity ratings using a time-based planning horizon (e.g., between one and three years). It is also important to reassess schedules periodically to measure incremental improvements or refocus efforts based on industry, business, or IT changes.

AVOIDING PITFALLS

Like other initiatives, IT governance has its share of potential pitfalls, including: 

• Ownership Issues. IT governance should not be an IT project. Owners of the IT governance initiative include senior managers who approve investments that meet the organization’s overall vision. Another ownership issue is estimating total ownership costs inaccurately. While business partners can help managers forecast the total ownership costs of new IT systems, implementation expenses are only one part of the total costs. Other expenses include user training, maintenance and storage fees, and changes to business continuity plans.
• Excessive Scope. Implementing an IT governance program can be a daunting task that includes the creation of modified roles, responsibilities, decision-making criteria, and a new language to define business performance. Rather than engaging in a full-scale implementation, auditors can recommend a smaller pilot project. This approach will enable organizations to determine the validity and acceptance of governance concepts and apply any lessons learned to the overall program.
• Allowing Deviations. Effective IT governance requires structure and discipline. IT process owners, therefore, should refrain from creating substitute processes. However, the governance framework should be flexible enough to allow for emergency changes. If exceptions are needed, they should be thoroughly evaluated and approved through a formal change management process.
• Automating Everything. While third-party software can manage IT demands with intelligence engines, hyperlinks, and colorful displays, vendors may assume the governance model has effective policies and procedures to control investment priorities. If the information entered in the software has integrity risks, it does not make sense to display the data more attractively. Higher value can be achieved during the early stages of the IT governance initiative by writing formal policies and procedures, creating standard forms and templates, and communicating design and control audit expectations.

NEXT STEPS

Once the IT governance program is established, auditors can refer to existing frameworks to assess the program’s effectiveness. For example, IT governance activities can be mapped to the four COBIT domains — planning and organization, acquisition and implementation, delivery and support, and monitoring — to support audit work. In addition, using best practices can help improve IT processes, enhance awareness of IT controls, and improve communication throughout the organization. 

To stay competitive, many organizations are delivering products and services with fewer resources, while meeting compliance requirements and managing change effectively. An effective IT governance program can help organizations accomplish this and more — IT governance is as much a tool for value realization as it is a means of compliance. As control experts, auditors can help organizations mitigate risks by recommending ways to enhance IT governance activities and their successful integration into the organization’s culture.

Paul Rozek is the director of technology risk management of Jefferson Wells’ Milwaukee office.

To comment on this article, e-mail the author at paul.rozek@theiia.org.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

---

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

---