
Interviewing the Senior Management Team

I am conducting our organisation's first IT Governance audit and have plenty of controls to look at. One thing I keep reading about is that some members of the Senior Management Team should be interviewed, however I can’t really find anything to suggest what I should be asking them.

I have already got a few simple questions put together from a presentation on here such as: “Do you feel there is alignment between the business's strategic objectives and IT's strategic objectives?” and “What is IT governance in your mind?”

Can anyone suggest what sort of questions I should be asking or point me in the direction of any websites/documents that discuss this part of an IT Governance audit?


Comments

RE: Interviewing the Senior Management Team

An out-of-office message containing personal information or a comment that violates community policies was deleted by the administrator.
YosheenP (Observer) at 5/1/2015 7:33:07 AM

RE: Interviewing the Senior Management Team

Haven't audited IT Governance, however, these are the questions I would start with (classic reporter questions - who, what, when, where, how - not why).  I would also ask my audit manager for advice on what questions to ask, and I would see if I can somehow get some coaching from someone who knows the audience. Some organizations actually have people who advise you on how to phrase questions, serving as a filter for their executives to assure an effective/efficient use of the executives' time.

(Who) Do you have governance responsibilities?  What are they? Who else has governance responsibilities?

What information do you use to make strategic decisions and set direction? What are your strategic goals? (listen for risk, value and resources)

When/how frequently do you fulfill your responsibilities, make strategic decisions, set strategic goals or monitor progress?

Where do you get your information from? Where are decisions made or policy/direction set?

Where/how do you communicate policy, direction and objectives?

How do you know or how can you tell your IT strategy is aligned with the business's strategic objectives?

How do you know or how can you tell you are on track to meeting your strategic goals?

How do you manage and monitor risk or exposure to bad things happening?

How do you make decisions about investing in risk remediation or risk prevention?

How do you reward or reinforce objectives or direction?


(I stay away from asking "why"; it tends to be interpreted as questioning the person's motives. Substitute "what makes you say that" for "why".)

Hope this helps,
Debra Mallette (Social) at 5/1/2015 7:33:03 PM
(2 ratings)

RE: Interviewing the Senior Management Team

Hi Alex, some specific questions will depend on when you are interviewing the Senior Management team. However, I encourage you to refer to Chapter 4 "IDENTIFYING IMPLEMENTATION CHALLENGES AND SUCCESS FACTORS" from the "COBIT5 Implementation" publication. The guidance will give you plenty of food for thought in terms of what you would like to explore. The best part is that the guidance also will help you with suggested improvements that you can include in your report. All the best with your audit.
Paras_Shah1 (Energizer) at 5/4/2015 7:14:31 PM
(1 ratings)

RE: Interviewing the Senior Management Team

"Do you feel there is alignment between the business's strategic objectives and IT's strategic objectives?"

Is it only perception "alignment", or can we do some objective analysis on it in order to show it to the executives?
-adnan- (Influential) at 5/26/2015 3:36:28 AM

RE: Interviewing the Senior Management Team

Hello Debra,

Thanks for sharing some very valuable tips about interviewing the Senior Management, especially "staying away from WHY questions".
Rohit Banerjee (Influential) at 9/15/2015 2:46:27 AM

RE: Interviewing the Senior Management Team

When looking at IT Governance, you need to understand the organizational relationships as well as the framework for governance being used. The organizational relationships are more than just the structure or the hierarchy or the reporting relationships -- although those are important too, and easy to identify. But you will also want to find out who participates in which meetings that discuss projects, plan new initiatives, and identify new technology infrastructure. Look at the policies and procedures for IT changes to see if any of the business leaders are included -- unknown changes are a risk to the business, so they're not just an IT concern. Look at the charters for any IT standing committees to see who should be involved, and then ask those executives if they've been to the last few meetings. Then try to determine, maybe from the CIO or the CISO, if there is a standard being used for the governance of IT. There are plenty to choose from, so if they are not using COBIT that's not necessarily a failure. King III and ISO 38500 can also provide good guidance. But even if they are using a hybrid approach, with bits and pieces from various frameworks, that should be documented and that documentation should give you a baseline for comparison. One of the keys to testing governance is to study the baseline information in advance so you can determine what controls should be in place. Then when you are interviewing the executives, ask them what aspects of the governance process -- policies, procedures, standards, regulations, standing committees, architecture and infrastructure guidance, change management process, etc. -- they feel are most critical and then which areas need the most improvement. With luck, the key findings of your review will be quickly identified by those very executives.
Richard Fowler (Energizer) at 9/16/2015 1:03:07 PM