May 2014

Are Auditors Taking IT Governance Seriously?

Strong IT governance practices can reduce IT costs and risks, yet internal auditors often ignore this area. Auditors need to overcome the excuses that prevent them from auditing IT governance.

Syed Salman


Strong IT governance practices at an organization can lead to significant benefits, according to the IT Governance Institute’s most recent Global Status Report on the Governance of Enterprise IT (GEIT)–2011, which surveyed 834 CEOs, senior executives, chief information officers (CIOs), and IT managers in 21 countries and 10 industries. Among other benefits, nearly 40 percent of respondents cited lower cost as an outcome of GEIT practices, and almost 30 percent cited improved business competitiveness. More than 40 percent say they were able to manage IT-related risk better through IT governance practices.

Such statistics point to the need for internal auditors to realize the importance of strong IT governance processes and perform audits of this area. The International Standards for the Professional Practice of Internal Auditing (Standards) Standard 2110.A2 states “Internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.”

However, Protiviti’s recent IT Audit Benchmarking Survey (PDF) finds that most internal audit functions have not audited IT governance activities in accordance with Standard 2110.A2. Among organizations with less than US $1 billion in annual revenue, more than 70 percent of internal audit departments surveyed do not audit IT governance processes and practices; at organizations with annual revenue of more than US $1 billion, 52 percent of internal audit departments do not review them.

In my interactions with IT auditors, I have encountered four reasons why they shy away from reviewing IT governance processes.

Governance and Management

IT auditors must draw a clear distinction between IT governance and IT management processes:

  • Governance is related to overall stakeholder needs, enterprise objectives to be achieved, setting direction, and monitoring overall performance and compliance.
  • Management involves planning, running, and monitoring activities in accordance with the direction set by the board of directors or equivalent..

1. Lack of Guidance

Although many IT auditors complain that they have not found sufficient guidance and advice they need to perform an effective audit of IT governance processes, there are materials they can consult. ISACA’s recent publication, COBIT 5 for Assurance and the related audit program, EDM01: Ensure Governance Framework Setting and Maintenance Audit/Assurance Program, are excellent resources for planning and performing an audit of this critical area. In addition, The IIA’s Global Technology Audit Guide (GTAG) 17: Auditing IT Governance is useful for performing such reviews.

These publications emphasize establishing and agreeing on appropriate performance metrics for the IT department. IT auditors should focus on how these metrics were agreed upon in their organization and whether the data used to measure performance is appropriate and reasonable.

2. IT Governance Activities Aren’t Taken Seriously

Another concern IT auditors have is their IT governance recommendations will fall on deaf ears at their organization, making such audits a waste of time. After completing an IT governance audit, auditors may recommend that boards play a more active and effective role in IT governance. To be taken seriously at the organization’s highest level, this recommendation needs to highlight IT governance’s benefits to enterprisewide governance, rather than dwell on IT-specific details. If presented appropriately, board members will want to actively participate in IT governance.

For example, in an organization that does not have a formal process for IT help desk management, the board could resolve the issue by directing IT management to formalize such a process and by investing in personnel and technology to support it. To bring this to the board’s attention, IT auditors may recommend: “The IT department should establish a defined help desk management process to record and track service requests from initiation to completion.” Presented this way, the board may consider it to be a specific IT department issue that does not require its direct interference, rather than a strategic issue that concerns the enterprise as a whole. As a result, the board may decide that if the organization has functioned without this process until now, it probably can continue to do so in the future with no significant impact.

IT auditors can gain the board’s attention by presenting the same recommendation in a manner that demonstrates the overall impact to the organization: “To develop a customer-oriented service culture, the IT department should establish a defined help desk management process to record and track service requests by end users from initiation to completion.” The key phrases in the revised recommendation are “customer-oriented service culture” and “end users.” Because these phrases stress the organizationwide impact, they are more likely to influence board members to play a more active IT governance role, direct IT management to follow the recommendation of IT auditors, and approve the required resources.

Other areas that may encourage the board to become more active in IT governance are:

  • The number of products and services that provide competitive advantage.
  • Stakeholder value of IT investments.
  • The number of business disruptions due to IT service incidents.
  • The number of security incidents and events reported and addressed.

Frameworks and Standards

The growing importance of IT in organizations has spurred the publication of IT governance frameworks and standards:

  • ISO/IEC 38500 is an international standard for corporate governance of IT published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
  • AS 8015 is the Australian Standard for Corporate Governance of Information and Communication Technology.
  • COBIT 5 is a framework for the governance and management of enterprise IT.

3. The Board Isn’t Comfortable With IT Matters

Another complaint is that the board lacks technology knowledge, which makes it hard to convince directors to adopt IT governance best practices. This is beginning to change, as boards around the world are becoming more tech-savvy and taking more interest in IT due to its importance to their organization, according to the Deloitte publication, The Tech-Intelligent Board (PDF).

IT auditors should advise their board to build sound IT governance capabilities among their members. One way to achieve this is to bring experienced IT professionals onto the board. Another way is by directing CIOs to prepare comprehensive presentations that allow members to understand the overall picture of IT at the business and how it brings value to the organization.

4. Auditors Are Focused on IT Management

The final excuse is that IT auditors currently are focused on improving IT management, but plan to switch their focus to IT governance when that has been accomplished. However, IT auditors should make IT governance their priority instead. Having strong IT governance practices in place can make improving IT management processes easier to bring about and more quickly adopted by IT managers.

Difficult, but Rewarding

By making IT governance audits a priority, IT auditors can bring governance issues to the attention of their board and encourage directors to engage more actively in governance processes. That doesn’t mean that establishing these processes is easy. Bringing about this change can take considerable time based on the size, culture, complexity, and even local corporate governance laws. However, this difficulty should not deter IT auditors from convincing their stakeholders to adopt strong IT governance practices by using available tools and by learning from the experiences of other organizations around the world.

Syed Salman, CISA, is a senior manager in the IT audit function of Deloitte & Touche Bakr Abul Khair & Co. in Riyadh, Saudi Arabia.


Share This Article:    

 

Subscribe_June 2014 

IIA_AllStar_July2014

 IIA_AllStar_July2014

IIA Academic_Nov 2013

IIA SmartBrief

 IIA Vision University

 

 Twitter

facebook IAO 

IA APP