Today, corporate governance is increasingly seen as a key requirement of good organizational management. The mismanagement of organizations resulting in major collapses (e.g., Enron, WorldCom) has highlighted this call. But, what is corporate governance? There is no single global definition of corporate governance, although the following are examples of some useful definitions:
- “Corporate governance is concerned with improving the performance of companies for the benefit of the conduct of and relationship between the board of directors, managers and the company shareholders.”—Investment and Financial Services Association Guidance No. 2.00
- “Corporate governance generally refers to the processes by which organizations are directed, controlled and held to account. It encompasses authority, accountability and stewardship, leadership, direction, and control exercised in the organization.”—Principles of Corporate Governance, Organization for Economic Cooperation and Development
- “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”—Board Briefing on IT Governance, 2nd Edition, IT Governance Institute
Corporate governance extends to the organization’s IT environment.
What Is IT Governance?
IT governance is a framework that supports the effective and efficient management of information resources (e.g., people, funding and information) to facilitate the achievement of corporate objectives. The focus is on the measurement and management of IT performance to ensure that the risks and costs associated with IT are appropriately controlled. The recently released draft Australian Standard, Corporate Governance on Information and Communication Technology (ICT), DR04198, outlines the following guiding principles1:
- Establish clearly understood responsibilities for ICT.
- Plan ICT to best support the organization.
- Acquire ICT validly.
- Ensure that ICT is of the required quality.
- Ensure that ICT performs when required.
- Ensure that ICT conforms with the formal rules.
- Ensure that ICT use respects human factors.
The draft standard claims that the benefits of using this standard are both legal and organizational. The draft standard will assist organizational management in meeting its many legal obligations and minimize management’s personal liability in relation to breaches in security, breaches of privacy legislation and poor data assurance.
There are other legal compliance requirements, such as maintenance of financial records for taxation purposes.
The draft standard states that the organizational benefits include:
- Better client services
- Increased market share
- Financial improvement
- Product and service innovations
- Increased organizational reputation
The level of dependency that organizations have on IT has grown significantly over the last 20 years and continues to grow. It is now difficult to find any business process that is not in some way dependent upon technology. This dependency has grown to the point whereby almost no office or service industry employee can work effectively without access to IT. For many organizations, there is a high degree of risk if the IT infrastructure is not available.
Not only have the dependencies grown, but the development, implementation and maintenance of information systems are now major cost drivers, which have the potential to provide a competitive edge.
During the 1960s and 1970s, IT investment decisions were the domain of an organization’s EDP department. Generally, senior management looked upon IT as a black box and left the decisions to the EDP department. Therefore, IT acquisition and development were principally driven by IT personnel rather than the stakeholders who were dependent on the systems. Additionally, the selection of a specific hardware vendor invariably dictated the software, standards and processes that would be used by the organization.
During the 1980s and 1990s, computer processing was decentralized. Today, the desktop environment has considerable processing power. Additionally, decisions regarding the allocation of IT resources and the prioritization of IT initiatives have become more complex and political. As a result, there is now a greater emphasis on the business driving the adoption and maintenance of IT with the IT department providing more of an advisory and support role.
Over time, there have been many examples of non-IT business units making their own decisions on the allocation of human and financial resources for IT purposes. This decentralization has introduced new risks. One that has often materialized is the acquisition and development of incompatible IT architectures. The larger the organization, the higher the risk of long-term commitments to incompatible systems consuming valuable resources and ongoing maintenance. Some organizations became “IT milk bars,” maintaining a large number of flavors of different hardware, operating systems, relational database management systems (RDBMSs) and development tools.
It is generally accepted that the decentralization of IT-related decision-making increases the potential risk that:
- Acceptable returns on the IT investment will not be achieved.
- It will become increasingly difficult and expensive to adequately support or maintain the IT investment and ensure its alignment with the organization’s strategic objectives.
However, it is important to note that these risks still exist even where decision-making is centralized. Competing interests can lead to decisions that may benefit a small number of stakeholders in the short term but may be detrimental to the organization as a whole in the long term.
Additionally, with the increase in demand for and dependence on IT, the costs associated with IT have grown steadily over recent decades. As a consequence, there is now a growing need to manage investment in IT to ensure that expected benefits are realized. To achieve this, an appropriate, well-managed IT governance structure must be in place. This means adequate governance over all phases of IT investment including:
- Establishment of IT initiatives
- IT acquisition/development
- IT implementation
- IT maintenance
- Measurement of the return on investment and benefits realization through the entire life cycle of the investment/project
The absence of an effective IT governance structure significantly increases financial and operational risks. “Various studies show that IT promises are rarely fulfilled—with failure rates as high as 97 percent being quoted for particular types of projects. The issue is not how many projects or ideas succeed or fail, but the cost and benefits derived from the effort.”2 In summary, the main risks associated with not having an effective IT governance structure in place include:
- An unaligned IT strategy—An IT strategic plan not aligned with the organization’s strategies may lead to poor decisions and poor investments relating to IT.
- Uncontrolled expenditure—Expenditure associated with development, maintenance and operations may grow uncontrollably, resulting in a detrimental impact on the organization’s profitability and viability.
- Inaccurate information relating to the actual cost of IT—Good IT investment decisions or decisions on whether IT should be modified or replaced are dependent on knowing the current cost of IT. Poor accounting practices may make it difficult to determine the true cost of IT.
- Poor performance measurement—If performance is not adequately measured and reported, determination of benefits and future improvements is compromised.
- Noncompliance to relevant legislation or corporate policy—Noncompliance to relevant legislation or corporate policy can result in financial penalties on the organization. Without good governance, there is an increased risk that IT assets are poorly managed and proper accountability is compromised.
IT Governance Model
The overall objectives of IT governance are to facilitate and enhance the organization’s ability to attain or continue to deliver on its objectives and to make the best-informed decisions about incorporating information technologies into its operations, programs and services in the short and long term.
IT should be seen as a means for enhancing the accessibility, speed and comprehensiveness of information that supports and improves the decision-making processes within an organization.
Decisions on IT investment and maintenance should balance the needs of the individual business units with those of the organization as a whole.
The Australian Standard AS8015 provides a model or framework for IT governance, shown in figure 1.3
To achieve this, there must be a structured control framework, incorporating:
- The organization’s strategic plan, which provides guidance as to what technology and supporting processes may be needed in the near future (i.e., two to five years)
- Guidance for the rationalization of hardware, software, operating systems and development tools
- Prioritization for the development/acquisition and implementation of new information technology
- Policies, guidelines and standards, which provide guidance relating to:
  - Organizational expectations (e.g., information security, data custodianship, system development, business continuity, intellectual property, privacy, data retention)
  - Business ethics
  - Legislative requirements
- Structure and responsibilities:
  - Lowest level—All stakeholders can have input so new information technology can be considered. This usually involves individuals or interest groups within the organization.
  - Second level—Stakeholder representatives evaluate and recommend solutions. This usually involves groups made up of individuals with the necessary expertise representing all the stakeholder groups.
  - Top level—Stakeholder representatives accept, approve and monitor performance. This is usually achieved through an IT steering committee (ITSC) and includes stakeholder representation at the senior management level.
- Potential applications for IT are identified at a high level by stakeholders.
- A recommendation for resourcing a more detailed evaluation is made and either approved, deferred or rejected.
- The technology is evaluated, including cost-benefit analysis and alignment with the organization’s strategic plan.
- If approved, it must be prioritized and funded accordingly.
- The development, operation and maintenance must be continually monitored and reviewed to ensure that strategic objectives are being achieved and the expected return on investment is attained.
The key stakeholders in IT governance are:
- IT steering committee
- Board audit committee
- IT management
- Project sponsor
- Project director/manager
- Business unit managers
How Can IT Governance Fail?
“Corporate governance is not just about rules and regulations. Fundamentally, it is about corporate culture and the way a company conducts its business in an ethical, responsible way.”4
This statement applies equally to IT governance. The main reason for any type of governance failure is poor corporate culture. All the planning, policies, guidelines, procedures and reporting structures may be in place, and they may all conform to best practice requirements. However, if the culture is not right, people will always look for opportunities to circumvent correct procedures or do things that suit their own vested interests.
In organizations where the culture is at odds with the strategic direction and intent of the board and executive management, the phrase “rules are made to be broken” is often heard.
It is accepted that policies, legislation and rules all add cost and time to any task. However, it is not the intention of policy and process makers to frustrate employees. Rather, policies and processes are in place to minimize risk and help the organization manage its resources efficiently and effectively, so that objectives can be attained in a timely and cost-effective manner.
Culture is an important element in ensuring successful governance. The “tone at the top” is essential for ensuring the right culture. Senior executives cannot just make rules of governance and expect them to be followed. They must take an active role and champion the rules by communicating, setting the example by adhering to the rules themselves, monitoring compliance and resolving instances of noncompliance. They have to not only “talk the talk,” but more important “walk the walk.”
The Cost-benefit Analysis
D. Tapscott5 argues that “the probability of a chooser accepting a cost-benefit analysis is directly proportional to the degree to which he/she is favorably inclined to the technology anyway.” This argument raises questions about the usefulness of conducting a cost-benefit analysis. If the results of the evaluation do not suit those who initiated it, then there is a high probability that it will be discarded.
While there are many examples of good, well-balanced and comprehensive cost-benefit analyses, there are also many studies that are full of what could best be described as fanciful half-truths. In short, some studies contain false assumptions, lies and exaggerated truths and exclude important detail so the reader is not fully informed of the facts. Poor IT initiatives can be approved when senior management has little or no understanding of IT and depends upon the individuals promoting the technology to explain the advantages and disadvantages (i.e., there may be inadequate independent scrutiny), or the initiative may be driven by vested interests rather than the strategic or business needs of the organization.
As a result, the organization can end up with an investment that is strategically incompatible with its overall strategic direction and a financial commitment that may result in the organization suffering major losses.
All IT initiatives should be treated as capital investments that will provide the organization with tangible benefits and a positive return that meets a predetermined financial benchmark. On the surface, this is an obvious expectation. However, experience indicates that despite all the good cost-benefit studies, once a system has been implemented, few organizations undertake a post-implementation review to determine whether the organization has achieved the stated benefits and financial return. At minimum, all IT initiatives should be evaluated for technical, financial, strategic and business viability.
The Approval Process (Circumventing Delegated Authority)
As part of the organization’s control framework, there should be approval levels for each level of management. This listing is often referred to as delegation of authority. Anyone with a financial delegation has the potential to financially commit the organization. To minimize the risk of an individual committing the organization to an inappropriate acquisition or service contract, it is essential to segregate the purchasing process into several tasks (e.g., raising a purchase order, receipting and approving payment) and to enforce that segregation. It is important that the individuals performing these tasks be vigilant in ensuring that the other individuals involved in the process have performed their tasks correctly (i.e., the person raising the purchase order should ensure that those raising requisitions are not order splitting).
One interesting example of an individual’s efforts to circumvent this control process occurred when an IT manager entered into an ISP contract for 12 months. On review, this appeared unusual because all previous ISP contracts entered into had been for three-year periods. By limiting the period of service to 12 months for quoting purposes, the total value of the contract was under the delegation limit. Therefore, the IT manager did not need to refer the contract to the IT steering committee for approval. Additionally, to extract the most out of the ruse, the contract entered into was an open-ended contract and could not be terminated unless explicitly requested by one of the parties.
Representation and Responsibilities (Committees, Mentoring and Delegating Responsibility)
Experience has indicated that a large number of IT projects go “off the rails” (i.e., over budget and/or poor-quality deliverables) when key stakeholders are not clear about their role, responsibilities and authority.
Good project outcomes do not just happen. They are usually the result of hard work and good management. Therefore, auditors need to be suspicious when:
- Project participants, especially key stakeholders and the project sponsor, evade their responsibilities by not attending meetings, not making decisions, or not reviewing performance and progress.
- The project sponsor or key stakeholders have delegated their project responsibilities. Reviews of failed projects have found a number of occasions where problems remained unresolved for extended periods of time due to a lack of proper authority. Internal squabbling between groups with vested interests has been known to bring a project to a standstill.
- An inexperienced or unqualified project manager has been appointed to develop skills and is mentored by an individual from one of the stakeholder groups (usually the IT division). Invariably, the stakeholder group providing the mentor will take control of the project, often to the detriment of all other stakeholders.
Poor Project Management
The basic elements of project management are the same regardless of what is being developed. Whether constructing a bridge across the Strait of Messina, building a rocket ship to Mars or developing an information system, the cost, risks, quality and timing of the deliverables are all prime considerations. All four elements are inextricably intertwined (i.e., changing one will have an impact on the others).
The budget, functionality and timing expectations are determined at the beginning of an IT project. Certainly, cost and functionality are relevant during the cost-benefit analysis phase. The project may be considered a failure if it runs over budget, does not achieve all of the system functionality or is not delivered on time.
There are many reasons why project management can fail. The following is a list of examples that have contributed to project failures in the past:
- Corporate culture, through the lack of direction, policies, procedures and attitude, results in delays to the implementation of the project.
- Changes in business strategy not conveyed to the project team result in strategic business systems not meeting the changing business environment.
- Poor, nonspecific project management methodology or procedures exist.
- The project management charter is unclear in specifying the role, duties and responsibilities of the project manager or project team members.
- The authority of the project manager is implied rather than stated and communicated to all the stakeholders by executive management.
- A project manager and/or project team without the skills or training is selected to undertake the role. Often the project manager is user-appointed because he/she “knows” the current system.
- Project team members work independently without any overall coordination resulting in wasted resources and contributing to the failure of the project.
- Project reporting lines are not clearly or appropriately established.
- Project monitoring systems are not established or developed at the outset of the project.
- Inappropriate monitoring standards or benchmarks exist to measure the performance of project management.
- Project reports are not sufficiently detailed to help executive management monitor the progress of the project in terms of work completed against milestones and budgets.
- Project objectives are poorly defined.
- There is a lack of resources.
- Poor project organization exists.
- Requirements and specifications are incomplete.
- Testing is inadequate.
- Budgeting is incorrect.
- Costs are mismanaged.
- System development methodologies are misused.
- Technology infrastructure is immature or poor.
- Hardware is inappropriate.
These are some of the symptoms of poor project management, which can result directly from poor IT governance. A project failure is not the result of a one-off decision that can be blamed solely on the project manager (although, more often than not, the project manager tends to be the victim).
To ensure that the project does not go “off the rails,” project management must include continuous independent review. This is usually achieved through the regular reviews performed by the project steering and IT steering committees. If these review bodies do not take a proactive role in the projects, the risk of failure increases significantly.
Providing a “Leg Up”
This applies to situations where one supplier is given an unfair advantage over other suppliers, which can be to the detriment of the purchasing organization. The risk of this occurring increases when the process of specifying and requesting offers from interested parties and the evaluation of offers is left to an individual with the same vested interest. The evaluation criteria may be unfairly applied, or confidential tendering information submitted by other suppliers may be passed on to the favored supplier before submission of their tenders. This risk can be easily minimized by enforcing a closed tendering process (i.e., all tenders are placed in a locked tender box and opened together at a predetermined time in front of witnesses) and a transparent evaluation process that involves representation from all stakeholder groups.
The act of giving a supplier an unfair advantage can be covert. For example, one review revealed that an IT manager commissioned a number of development projects unbeknownst to senior management. Poor budgeting processes employed by this organization allowed the IT manager to create his/her own “slush fund” or “bucket accounts.” The IT manager kept all purchases and payments under his/her delegated authority (i.e., by order splitting), so that he/she was not required to seek senior management approval for the expenditures. All expenditures were falsely recorded in the company’s accounting and reporting systems as operational expenditures. In this way, new systems could be covertly developed and implemented without proper:
- Stakeholder input
- Review, analysis and evaluation
- Risk, cost and benefit analysis
- Control over expenditure
- Approval from senior management
The risks here include the organization being encumbered with IT systems that are not aligned with the strategic plan, provide poor return on investment, do not satisfy the needs of all stakeholders, and are not subject to proper evaluation after the fact to determine whether any benefits or disadvantages were realized.
This risk can be somewhat minimized by ensuring that:
- Adequate controls are in place for accurately capturing expenditure data.
- Appropriate reporting and monitoring processes are in place for evaluating performance.
- Budgeting processes include rigorous analysis and evaluation of submissions.
- All IT initiatives are analyzed and approved by the appropriate level of management (i.e., the IT steering committee for all major projects).
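One way an auditor could screen purchasing records for the two evasion patterns described above (a contract quoted on an unusually short term so that its value stays under the delegation limit, as in the ISP example, and order splitting that keeps each purchase under the limit while the total does not), as an added example in Python that is not part of the article. The delegation limit, the three-year typical contract term and the purchase records are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample values (assumptions): the amount an individual may commit
# without IT steering committee approval, and the term on which contracts of
# this kind have normally been quoted in the organization.
DELEGATION_LIMIT = 50_000
TYPICAL_TERM_MONTHS = 36


@dataclass
class Commitment:
    """One purchase order or service contract as recorded in the ledger."""
    ref: str
    requester: str
    vendor: str
    amount: float                      # value quoted for approval purposes
    raised: date
    term_months: Optional[int] = None  # None for a one-off purchase
    open_ended: bool = False           # rolls on until a party terminates it


def split_orders(records, limit=DELEGATION_LIMIT, window_days=30):
    """Flag requester/vendor pairs whose orders each stay under the limit
    but, taken together within the window, exceed it (order splitting)."""
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec.requester, rec.vendor)].append(rec)

    findings = []
    for pair, rows in by_pair.items():
        rows.sort(key=lambda r: r.raised)
        for i, first in enumerate(rows):
            # every later order raised within the window of this one
            group = [r for r in rows[i:]
                     if (r.raised - first.raised).days <= window_days]
            total = sum(r.amount for r in group)
            if len(group) > 1 and total > limit and all(r.amount <= limit for r in group):
                findings.append((pair, [r.ref for r in group], total))
                break  # one finding per pair is enough for follow-up
    return findings


def short_term_contracts(records, limit=DELEGATION_LIMIT,
                         typical_term=TYPICAL_TERM_MONTHS):
    """Flag contracts that passed under the limit only because they were
    quoted on a shorter term than usual, or that roll on open-ended, by
    re-quoting their value on the typical term."""
    findings = []
    for rec in records:
        if rec.term_months is None or rec.amount > limit:
            continue  # one-off purchase, or it went to the committee anyway
        exposure = rec.amount * typical_term / rec.term_months
        if (rec.term_months < typical_term or rec.open_ended) and exposure > limit:
            findings.append((rec.ref, round(exposure, 2)))
    return findings


# Constructed records: a 12-month open-ended ISP contract quoted just under
# the limit, three split development orders to one vendor, and two
# legitimate commitments that should not be flagged.
SAMPLE = [
    Commitment("C-101", "it.mgr", "ISP-A", 40_000, date(2005, 2, 1),
               term_months=12, open_ended=True),
    Commitment("C-102", "cio", "ISP-B", 90_000, date(2005, 1, 15), term_months=36),
    Commitment("PO-201", "it.mgr", "DevShop", 30_000, date(2005, 3, 1)),
    Commitment("PO-202", "it.mgr", "DevShop", 25_000, date(2005, 3, 10)),
    Commitment("PO-203", "it.mgr", "DevShop", 20_000, date(2005, 3, 20)),
    Commitment("PO-300", "ops.lead", "DevShop", 10_000, date(2005, 3, 5)),
]

if __name__ == "__main__":
    for finding in split_orders(SAMPLE):
        print("possible order splitting:", finding)
    for finding in short_term_contracts(SAMPLE):
        print("value on typical term exceeds delegation limit:", finding)
```

Both checks are screens for the audit function to follow up, not proof of intent; a flagged item still needs the requisition trail and the approval record examined.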
The Auditor’s Role and Responsibilities
As stated previously, corporate culture is a key element in ensuring that any type of governance works appropriately. On their own, planning, policies, guidelines, procedures, reporting structures and committees are only “window-dressing.” It is the ethics and principles employed in carrying out the organization’s business that ensure good governance.
Independent review by senior management or the IT steering and audit committees can go a long way in helping ensure that IT expenditure and activity are aligned with the organization’s objectives and strategies, as can senior management’s commitment to good governance and vigilance in their direction and monitoring. Additionally, the reporting systems must provide accurate and relevant information in a timely manner.
The audit function is usually in a unique position to provide independent and objective opinion relating to IT initiatives and operations. In most instances, the audit function is responsible to the board audit committee and is in regular communication with other key stakeholders (e.g., IT steering committee, board members, project sponsor, project director/manager, IT manager and business unit managers).
It is generally accepted that an audit function may provide:
- Independent analysis and an opinion on the adequacy of controls, including the flow and accuracy of information
- Expert advice on how to improve controls or rectify control deficiencies
Its effectiveness, however, is dependent upon its relationships with key stakeholders. Indeed, if the relationships with senior management and the board are poor, the very existence of the audit function can be on shaky ground.
From an ethical and professional perspective, auditors cannot let poor relationships, or even close friendly relationships, affect their overall responsibilities. This view was affirmed in Australian case law in the AWA Ltd. vs. Daniels case (1992), where it was stated:
When auditors detect a deficiency in the client’s internal control system, they must raise the matter at the proper level of management. If management does not respond adequately having regard to the seriousness and urgency of the matter, the auditors have a legal responsibility to raise the matter with the board.6
In that case, the senior auditor was found to be negligent by not trying hard enough to confront management and the board over a serious problem.
Auditors must warn the appropriate managers of control deficiencies or problems. If they are ignored, they must raise the issues again and, if required, escalate the issues to higher levels of management.
The need for IT governance is growing. Members of the board and executive management are demanding greater accountability of IT activities and expenditure. Shareholders are also demanding greater accountability of companies.
Executive management has now heard the call and is putting in place processes that help management to manage more effectively, and IT governance is one of those processes. IT governance can succeed if executive management puts in place policies, processes and culture to support it. Otherwise, IT governance will be compromised.
Angell, I.O.; S. Smithson; Information Systems Management: Opportunities and Risks, MacMillan Education Ltd., London, 1991
AWA Ltd. vs. Daniels, New South Wales Supreme Court, Australia, 3 July 1992
“The Code of Conduct—Laying a Cornerstone for Effective Governance,” The Bulletin, vol. 1, issue 5, p. 1, www.protiviti.com, 2003
da Cruz, M.; “ICT Governance Paper,” www.ramin.com.au/marg/ictgovpaper.html, 2003
Honorable Rogers, A. (QC); “AWA to HIH: Asleep at the post?,” Keeping Good Companies, November 2002
Investment and Financial Services Association Guidance No. 2.00
Ribbers, P.M.A.; R.R. Peterson; M.M. Parker; “Designing Information Technology Governance Processes: Diagnosing Contemporary Practices and Competing Theories,” Proceedings of the 35th Hawaii International Conference on System Sciences, 2002
Australian Standards Association Standard AS8015, Corporate Governance of Information Communication Technology
1 Australian Standards Association: Draft Standard DR01498, Corporate Governance of Information Communication Technology, 4 August 2004
2 Marghanita da Cruz, www.ramin.com.au/marg/ictgovpaper.html, 2003
3 Op. cit, Draft Standard DR01498, Corporate Governance of Information Communication Technology, 4 August 2004
4 “The Code of Conduct—Laying a Cornerstone for Effective Governance,” The Bulletin, vol. 1, issue 5, p. 1, www.protiviti.com, 2003
5 Tapscott, D., cited in Angell, I.O.; S. Smithson; IS Management: Opportunities & Risks, p. 198, 1991
6 AWA Ltd vs. Daniels, New South Wales Supreme Court, Australia, 3 July 1992
Ken Doughty, CISA, CBCP is the former CIO of Tab Limited. He has 25 years of information systems auditing experience with 15 years of business continuity planning experience in the public and private sectors. He also lectures at Macquarie University, Sydney, New South Wales, Australia, and has published many papers in leading auditing and business continuity journals in Australia and the United States. In 2000, he published a book on business continuity, and in 2002 he received ISACA’s International Best Speaker/Conference Contributor Award.
Frank Grieco, CISA is a director of Ascent Accounting, which is an IS auditing, training and business continuity planning consultancy. Grieco has more than 15 years of experience as an information systems auditor in the public and private sectors.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2005