July 2006

Promoting IT Governance at the CEO Level

Crossing the language divide between senior executives and internal auditors is important to ensure audit reports are understood and IT governance becomes a business priority.

Jackie Bassett
Chief Executive Officer
BT Industrials Inc.

Many internal auditors use compliance with different laws and industry regulations, such as Europe's Risk Management Basel II Accord and the U.S. Sarbanes-Oxley Act of 2002, as a way to make IT governance a priority among senior managers and executive boards. Unfortunately, getting the attention of executives may not be as easy as it seems. It's not that internal auditors and executives don't want the same results — they do. Auditors and executives simply express their goals differently.

One of the main objectives of IT governance is the adoption of standards and best practices that ensure business success and continuity — this is where both auditors and corporate executives talk the same language. However, from here, they usually go their separate ways. Getting the attention of executives happens fastest when the behavioral delta is smallest. Therefore, internal auditors need to communicate audit results in a language senior executives know and understand for IT governance to be a priority.


Today's chief executive officers (CEOs) must deal with equally compelling priorities simultaneously. For instance, a CEO's primary focus might be to drive innovation in an increasingly competitive global economy, while simultaneously growing new sources of revenue and maintaining existing profit margins in rapidly maturing markets. Consequently, although IT governance might be a business priority, it may not be at the top of the CEO's list. The fastest way for IT governance to become a priority is for CEOs to understand the added value of IT governance and its key role in other business priorities.

Internal auditors are in the perfect position to promote the significance of IT governance due to their knowledge of governance and compliance best practices. The challenge for auditors is to align report recommendations with strategic goals and objectives. Doing so will help ensure the implementation of audit report recommendations and help CEOs see the value of IT governance as a top business priority.

Oftentimes, internal auditors believe they've laid out an action plan in their IT audit reports as part of their recommendations. The problem lies when CEOs don't fully grasp these recommendations — many senior executives simply may not have the IT knowledge needed to translate recommendations into a plan of action that aligns with companywide initiatives. For example, CEOs, who speak in terms of gross margins and EBITDA (i.e., earnings before interest, taxes, depreciation, and amortization), may not understand how compliance with the IT components of Basel II or Sarbanes-Oxley can help the company's bottom line (e.g., higher sales and stock prices).

To help CEOs cross this language barrier, internal auditors need to translate audit reports into information CEOs will find useful. Otherwise, recommendations will continue to get lost in translation and IT governance efforts will continue to take a back seat. Questions pertaining to IT governance internal auditors should keep in mind when drafting audit reports include:

  • What is the business value of IT governance?
  • How can IT governance directly contribute to revenues, profitability, and shareholder value?
  • What is the relevance and perceived value of audit recommendations to a CEO?

While addressing these questions, auditors should present the information in a way that enables CEOs to take action. Doing so will help bring IT governance to the forefront and become more than a cost of doing business or a checkmark in a CEO's agenda. Auditors also should remember that the ultimate goal of IT governance goes far beyond writing an audit report — auditors need to provide recommendations that are implemented effectively and efficiently for IT governance to succeed. Unless executives understand the recommendations provided in the audit report, and the negative consequences associated with maintaining the status quo, audit results will not get the level of attention they deserve.


Internal auditors know the importance of companywide adoption of standards and best practices. Employing proper information systems, resources, and controls maximizes business processes and minimizes risk.

Successfully reaching the CEO requires the description of relatable scenarios that are specific to the audited company. These scenarios should be part of the report, thus enabling CEOs to incorporate audit recommendations into companywide goals and objectives. The following three scenarios will help illustrate how auditors can best communicate recommendations to make IT governance a top business priority.

Scenario 1
An audit report from a publicly traded company indicated that some of its quality assurance (QA) reporting systems have critical interoperability failures — several critical application controls were missing, which pose a serious security risk to the company's customer service activities. These missing controls were the result of faulty programming code during the software development phase. In this scenario, how does the adoption of compliance standards translate into CEO items for immediate action, such as profit margins and stock price?

Auditors can answer this question by indicating how the implementation of effective IT controls and monitoring mechanisms enable companies to have the necessary QA controls needed to identify programming errors earlier in the product's life cycle. This would result in a higher quality application that helps the company bring in expected sales revenues. In addition, the potential impact of implementing sound QA controls can help internal auditors bring IT governance best practices to the forefront and allow the CEO to understand how implementing effective IT controls benefits the company's profit margin and stock price.

Auditors also can point out the negative consequences of not implementing audit recommendations. Using the same example above, auditors could let CEOs know what would happen if sound QA controls are not established. For instance, disregarding report recommendations to fix QA control deficiencies can make it easier for a security breach to occur, thus compromising the integrity of sensitive customer information. The negative effects of a security breach could be catastrophic for a company, potentially leading to lower customer and stockholder confidence, and a decrease in sales and stock value.

Although the knowledge that IT controls improve quality is intuitive to internal auditors, a CEO reading an audit report may not be able to make this connection if the report does not specify how IT governance best practices can improve the company's bottom line. A language CEOs can understand and that provides real or hypothetical examples executives can relate to can give CEOs enough incentive to take action on audit recommendations.

Scenario 2
The company is developing a database application that will enhance the way data is captured and used. How can compliance with IT best practices in data management ensure that the product is innovative and its launch is successful? Innovation is a primary focus of many companies in today's increasingly competitive global economy. However, innovation demands great discipline. IT governance best practices allow companies to have the IT infrastructure necessary to support a well-disciplined process or, in this case, a product launch. Suppose an IT audit report finds that the company has poor internal processes in customer data capture, including a lack of input consistency and extensive delays in the reporting of customer purchasing activity. An effective audit report states what is wrong and makes the appropriate recommendations.

To ensure a successful implementation of recommendations, auditors should align their suggestions for IT infrastructure improvements directly with the company's business goal of driving innovation. Audit recommendations need to be stated in terms of the potential for improved margins and inventory as the result of having more relevant information available in a shorter period of time. For instance, a faulty product design might lead the executive team to make innovative product strategy decisions based on erroneous customer information from the database application. Following audit report recommendations will enable CEOs to make decisions based on the most accurate, relevant data, thus maximizing corporate data assets and resources.

Scenario 3
A final example of how to reach CEOs successfully can be seen in today's mergers and acquisitions environment. Interfaces are key controls, such as feeds from a company's central billing system into its general ledger and financial reporting packages. Most IT infrastructures support thousands of company reports that are part of the financial reporting process. Standards and best practices in system configuration, change management, and data management all affect the accuracy of those reports.

Oftentimes, internal auditors recommend the implementation of IT best practices and controls to improve the accuracy of financial reports. If the CEO waits until the merger or acquisition is near to implement IT audit report recommendations, important valuation numbers are the least likely to be accurate, potentially putting the CEO in a less favorable negotiating position. Thus, auditors could point out the negative consequences of a cost undervaluation. As every CEO knows, whoever goes into a merger and acquisition negotiation with the most accurate data stands the best chance of winning the best deal.


Whether the company is a financial institution looking to identify potential money-laundering operations, a manufacturer looking to IT to improve processes that will recapture contract revenues, or a telecommunications company that uses technology to maximize its billing operations for voice over Internet protocol services, IT governance needs to be seen as a business priority. Auditors can and should take a leadership role in making that happen. Oftentimes, CEOs simply don't have the time to take that first step.

For CEOs to give IT governance best practices the attention they deserve, the language and focus of audit reports need to change. The core of the problem is the language in which reports are written. Reports need to evolve from being seen as a simple index of the company's compliance level to a business intelligence tool. Therefore, for audit results to be implemented and IT governance to become a priority, reports need to provide an action plan that uses clear business language.

The most effective way to cross the chasm between auditors and corporate executives is to detail specific business process improvement solutions in terms that proactively drive executive decisions every day. The end game isn't compliance; it's business process improvement. Therefore, chief audit executives and internal audit managers should be willing to leverage compliance data proactively from audit reports, and value the importance placed by the CEO on operational efficiency and profitability when writing the report. Furthermore, auditors who don't have a finance background should become familiar with acronyms and terms, such as EBITDA, gross margins, and shareholder value, and relate audit results as much as possible to them. This would enable CEOs to measure audit recommendations in terms of profits and savings. Although getting CEOs to pay more attention to audit reports may not happen overnight in some companies, it is up to auditors to drive this change.

Jackie Bassett is CEO of BT Industrials Inc., a security consulting firm. Bassett helps CEOs and chief security officers of global 500 companies integrate security into their business strategies and processes. Previously, Bassett worked for Netscreen Security and started her career in investment banking at State Street International.

