Putting IT governance into action: as internal control experts, auditors can help turn desired IT strategies into reality.
MANY ORGANIZATIONS HAVE POLICIES and procedures in place to manage the work of employees and business partners and ensure their consistency. Similar control processes are essential in IT operations and can be achieved by implementing an effective IT governance framework that addresses the roles and responsibilities of business groups and individuals; articulates the rules and procedures for making IT decisions; and helps to set, attain, and monitor IT objectives.
IT governance activities go a few steps further than standard operating policies: They align an organization's IT strategies with its overall goals and objectives. Effective IT governance initiatives can measure performance and help organizations achieve regulatory compliance in different areas, while balancing the interests of stakeholders. As part of the governance structure, internal auditors can focus an organization's attention on the technology resources that create business value and determine if existing IT controls ensure accountability.
IDENTIFYING HIGH-RISK AREAS
IT controls, policies, and procedures are a key aspect of the IT governance structure. Using a maturity model can help auditors evaluate overall attitudes toward IT governance, IT controls, and high-risk issues. In addition, a maturity model provides a standard way to document the state of internal controls. Key stakeholders, such as senior managers and IT and business process owners, can help auditors identify high-risk issues and rate IT controls using a four-step review process.
1. SELECT AND DEFINE RELEVANT IT PERFORMANCE AREAS Auditors can help develop a scorecard that focuses on high-level factors affecting critical IT performance areas, including strategy implementation, project completion, resource use, and process performance. The maturity of critical IT performance areas will help auditors diagnose where governance improvement efforts are most valuable. To help define these areas, auditors can ask questions such as:
* Is the IT infrastructure able to meet business needs?
* How is IT performance measured?
* How are IT investment decisions proposed, shared, and delivered?
* How is IT performance accountability divided between the organization and IT department?
* Does IT staff need to understand strategic business goals and objectives?
* Do employees recognize, define, and communicate IT needs effectively?
Answering these questions does not require an in-depth understanding of published technology frameworks; IT process owners can help auditors select the most relevant business areas. Auditors also need to identify any risk management issues so that senior managers can understand their role in addressing them. If the relationship between IT and business process owners is not well established, auditors can recommend hiring a third party to identify IT performance areas, needs, and expectations and to minimize problems among key stakeholders.
2. DEVELOP KEY FACTORS FOR PERFORMANCE AREAS AND SURVEY STAKEHOLDERS Areas identified in the previous step should have multiple factors that can help auditors narrow their evaluation. For example, when using the maturity model to gauge how performance areas share accountability, it might be relevant to know whether risks and successes are shared and how often, to what extent business managers and IT staff trust each other, and whether IT projects include business sponsors at a level commensurate with the project's scope.
To report on the state of the organization's IT management efforts, auditors can ask business and IT managers to select one of five statements, each corresponding to a business practice's maturity level. For example, a level 1, or low-maturity, statement might be, "The IT department can't be trusted to perform its work," while a level 5, or high-maturity, statement might be, "The IT department completes projects successfully." Low scores can indicate management believes IT resources must be micromanaged for their success, while high scores can indicate managers trust the IT department's work performance.
Initially, auditors might consult frameworks such as the UK Office of Government Commerce's IT Infrastructure Library or the IT Governance Institute's Control Objectives for Information and Related Technology (COBIT) for guidance when developing the maturity model. However, their use may add a level of complexity the organization is not ready to adopt during the IT governance program's early stages.
3. DECIDE WHICH MATURITY LEVEL IS BEST FOR THE ORGANIZATION Different business stakeholders may be interested in the organization's overall IT maturity level, including executive, business, and IT managers and internal auditors. As a result, these groups need to identify key performance areas to determine who will decide which maturity level is best for the organization. For example, organizations that use COBIT as their control framework strive to achieve a maturity level of three or four. Decisions related to financial and time investments also are critical in deciding which maturity level is best, as the overall cost of achieving a higher maturity level can be prohibitive when compared to its future benefits.
4. RECOMMEND AN ACTION PLAN TO PRIORITIZE IMPROVEMENTS After comparing desired and perceived maturity levels, auditors can help business managers and IT process owners agree on a schedule of necessary improvements that includes milestones, resource requirements, and deliverables. It is a good idea to prioritize the deployment of initiatives to increase maturity ratings using a time-based planning horizon (e.g., between one and three years). It is also important to reassess schedules periodically to measure incremental improvements or refocus efforts based on industry, business, or IT changes.
Like other initiatives, IT governance has its share of potential pitfalls, including:
* Ownership Issues. IT governance should not be an IT project. Owners of the IT governance initiative include senior managers who approve investments that meet the organization's overall vision. Another ownership issue is estimating total ownership costs inaccurately. While business partners can help managers forecast the total ownership costs of new IT systems, implementation expenses are only one part of the total costs. Other expenses include user training, maintenance and storage fees, and changes to business continuity plans.
* Excessive Scope. Implementing an IT governance program can be a daunting task that includes the creation of modified roles, responsibilities, decision-making criteria, and a new language to define business performance. Rather than engaging in a full-scale implementation, auditors can recommend a smaller pilot project. This approach will enable organizations to determine the validity and acceptance of governance concepts and apply any lessons learned to the overall program.
* Allowing Deviations. Effective IT governance requires structure and discipline. IT process owners, therefore, should refrain from creating substitute processes. However, the governance framework should be flexible enough to allow for emergency changes. If exceptions are needed, they should be thoroughly evaluated and approved through a formal change management process.
* Automating Everything. While third-party software can manage IT demands with intelligence engines, hyperlinks, and colorful displays, vendors may assume the governance model has effective policies and procedures to control investment priorities. If the information entered in the software has integrity risks, it does not make sense to display the data more attractively. Higher value can be achieved during the early stages of the IT governance initiative by writing formal policies and procedures, creating standard forms and templates, and communicating design and control audit expectations.
Once the IT governance program is established, auditors can refer to existing frameworks to assess the program's effectiveness. For example, IT governance activities can be mapped to the four COBIT domains--planning and organization, acquisition and implementation, delivery and support, and monitoring--to support audit work. In addition, using best practices can help improve IT processes, enhance awareness of IT controls, and improve communication throughout the organization.
To stay competitive, many organizations are delivering products and services with fewer resources, while meeting compliance requirements and managing change effectively. An effective IT governance program can help organizations accomplish this and more--IT governance is as much a tool for value realization as it is a means of compliance. As control experts, auditors can help organizations mitigate risks by recommending ways to enhance IT governance activities and their successful integration into the organization's culture.
PAUL ROZEK is the director of technology risk management of Jefferson Wells' Milwaukee office.
To comment on this article, e-mail the author at email@example.com.
Send "Tech Forum" story ideas to: Raquel Filipek, The Institute of Internal Auditors Inc., 247 Maitland Ave., Altamonte Springs, FL 32701 USA