control, and governance
From the June 2008 issue of Internal Auditor
Putting IT Governance Into Action
As internal control experts, auditors can help turn desired IT strategies into reality.
Many organizations have policies and procedures in place to manage the work of employees and business partners and ensure their consistency. Similar control processes are essential in it operations and can be achieved by implementing an effective IT governance framework that addresses the roles and responsibilities of business groups and individuals; articulates the rules and procedures for making IT decisions; and helps to set, attain, and monitor IT objectives.
IT governance activities go a few steps further than standard operating policies: They align an organization’s IT strategies with its overall goals and objectives. Effective IT governance initiatives can measure performance and help organizations achieve regulatory compliance in different areas, while balancing the interests of stakeholders. As part of the governance structure, internal auditors can focus an organization’s attention on the technology resources that create business value and determine if existing IT controls ensure accountability.
IDENTIFYING HIGH-RISK AREAS
IT controls, policies, and procedures are a key aspect of the IT governance structure. Using a maturity model can help auditors evaluate overall attitudes toward IT governance, IT controls, and high-risk issues. In addition, a maturity model provides a standard way to document the state of internal controls. Key stakeholders, such as senior managers and IT and business process owners, can help auditors identify high-risk issues and rate IT controls using a four-step review process.
1. Select and Define Relevant IT Performance Areas
Auditors can help develop a scorecard that focuses on high-level factors affecting critical IT performance areas, including strategy implementation, project completion, resource use, and process performance. The maturity of critical IT performance areas will help auditors diagnose where governance improvement efforts are most valuable. To help define these areas, auditors can ask questions such as:
Answering these questions does not require an in-depth understanding of published technology frameworks; IT process owners can help auditors select the most relevant business areas. Auditors also need to identify any risk management issues so that senior managers can understand their role in addressing them. If the relationship between IT and business process owners is not well-established, auditors can recommend hiring a third-party to identify IT performance areas, needs, and expectations and minimize problems among key stakeholders.
2. Develop Key Factors for Performance Areas and Survey Stakeholders
Areas identified in the previous step should have multiple factors that can help auditors narrow their evaluation. For example, when using the maturity model to gauge how performance areas share accountability, it might be relevant to know whether risks and successes are shared and how often, to what extent business managers and IT staff trust each other, and whether IT projects include business sponsors at a level commensurate with the project’s scope.
To report on the state of the organization’s IT management efforts, auditors can ask business and IT managers to select one of five statements, each corresponding to a business practice’s maturity level. For example, a level 1, or low-maturity statement, might be, “The IT department can’t be trusted to perform its work,” while a level 5, or high-level statement, might be, “The IT department completes projects successfully.” Low scores can indicate management believes IT resources must be micromanaged for their success, while high scores can indicate managers trust the IT department’s work performance.
Initially, auditors might consult frameworks such as the UK Office of Government Commerce’s IT Infrastructure Library or the IT Governance Institute’s Control Objectives for Information and Related Technology (COBIT) for guidance when developing the maturity model. However, their use may add a level of complexity the organization is not ready to adopt during the IT governance program’s early stages.
3. Decide Which Maturity Level Is Best for the Organization
Different business stakeholders may be interested in the organization’s overall IT maturity level, including executive, business, and IT managers and internal auditors. As a result, these groups need to identify key performance areas to determine who will decide which maturity level is best for the organization. For example, organizations that use COBIT as their control framework strive to achieve a maturity level of three or four. Decisions related to financial and time investments also are critical in deciding which maturity level is best as overall costs to achieve a higher maturity level can be prohibitive when compared to its future benefits.
4. Recommend an Action Plan to Prioritize Improvements
After comparing desired and perceived maturity levels, auditors can help business managers and IT process owners agree on a schedule of necessary improvements that includes milestones, resource requirements, and deliverables. It is a good idea to prioritize the deployment of initiatives to increase maturity ratings using a time-based planning horizon (e.g., between one and three years). It is also important to reassess schedules periodically to measure incremental improvements or refocus efforts based on industry, business, or IT changes.
Like other initiatives, IT governance has its share of potential pitfalls, including:
Once the IT governance program is established, auditors can refer to existing frameworks to assess the program’s effectiveness. For example, IT governance activities can be mapped to the four COBIT domains — planning and organization, acquisition and implementation, delivery and support, and monitoring — to support audit work. In addition, using best practices can help improve IT processes, enhance awareness of IT controls, and improve communication throughout the organization.
To stay competitive, many organizations are delivering products and services with fewer resources, while meeting compliance requirements and managing change effectively. An effective IT governance program can help organizations accomplish this and more — IT governance is as much a tool for value realization as it is a means of compliance. As control experts, auditors can help organizations mitigate risks by recommending ways to enhance IT governance activities and their successful integration into the organization’s culture.
Paul Rozek is the director of technology risk management of Jefferson Wells’ Milwaukee office.
To comment on this article, e-mail the author at firstname.lastname@example.org.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.