Larry Marks, CISA, CGEIT, CRISC, CFE, CISSP, PMP
As IT management is identifying its most significant challenges and prioritizing its goals for 2011, this article seeks to join the debate and identify a tentative list of the most prominent issues that are impacting stakeholders in the governance space in 2011.
IT governance is, or should be, an integral part of enterprise governance. It provides the direction and control to help ensure that the significant investments made in IT bring value to the enterprise, IT’s resources are used responsibly and its risks are mitigated.[1] One of the key findings from the recent Global Status Report on the Governance of Enterprise IT (GEIT)—2011, issued by the IT Governance Institute® (ITGI®), was that governance of enterprise IT (GEIT) is a priority within most enterprises—only 5 percent indicated that they do not consider it important.[2]
IT governance is a subset discipline of enterprise governance and is focused on IT systems and their performance in the context of risk appetite and risk tolerance. According to the Global Status Report on GEIT, the “main driver for activities related to GEIT is ensuring that IT functionality aligns with business needs, and the most commonly experienced outcomes are improvements in management of IT-related risk and communication and relationships between business and IT.”[3] The ITGI report also indicates that GEIT initiatives must take a balanced and holistic view of the five GEIT focus areas (strategic alignment, risk management, value delivery, resource management and performance measurement).[4] GEIT helps firms achieve the goals and strategies of the enterprise through the clear execution of activities by the various governance structures and management levels within the enterprise.
The recent Taking Governance Forward[5] initiative, also from ITGI, provides a high-level overview of governance. It defines three views of governance: enterprise, entity and asset. Enterprise governance incorporates all views of governance within an enterprise. Entity governance deals with a specific line of business, function or business entity within the enterprise. Assets may be tangible or intangible; they are critical to the enterprise’s success and involve many stakeholders. The ITGI Taking Governance Forward initiative indicates that:
Enterprises exist to deliver value to their stakeholders. Delivering value is achieved by operating within a value and risk atmosphere that is acceptable and advantageous and using resources responsibly. In a rapidly changing environment, speedy direction setting and quick reaction to change are essential. Decision-making accountabilities must be shared among many people—and when accountability must be shared, governance comes into play. Successful enterprises ensure that they have implemented an overarching system of governance that facilitates the achievement of their desired outcomes, both at the enterprise level and at each level within the enterprise.[6]
An Executive View of IT Governance, a 2009 ITGI survey report, found that IT governance practices and IT outcome are correlated. Stronger IT governance practices correlate positively with better IT outcome, i.e., IT governance is more often found in organizations in which IT is a significant contributor to (business) value.[7] In some ways, 2011 is similar to 2010. The 2011 report found that there are many opportunities for firms to transition IT’s role to a more proactive one. This can be accomplished through GEIT boards and standardized processes to bridge business demand with IT supply.
Based on the author’s experience and taking the Global Status Report on GEIT into consideration, the most prominent, unranked governance issues that appear to impact stakeholders in the governance space for 2011 are:
The board of directors and other stakeholders such as auditors, business sponsors, and compliance and risk management personnel need to ask themselves the following questions:
The ISACA® Risk IT framework can help management answer these questions. The Risk IT framework complements COBIT®, which provides a comprehensive framework for the control and governance of business-driven, IT-based solutions and services. Risk IT provides the background and steps to help create and implement an ERM model and describes a detailed process model for the management of IT-related risk.
IT risk management has become a significant issue because it affects the delivery of the overall business strategy and IT’s contribution to the business. Threats and vulnerabilities have to be identified, managed and monitored. Challenges exist to the value creation of IT investments: Increasing costs, globalization of business and competition, and an insufficient number of staff (e.g., IT staff) affect the service and value delivery of services to the business.
ITGI’s 2011 report found that most respondents (57 percent) indicated a lack of familiarity with any kind of standard or framework that they could use for assistance/guidance in governing IT. The 43 percent who did know of some appropriate guidance were asked to name those with which they were familiar. About one-third pointed to international frameworks such as International Organization for Standardization (ISO) standards, ITIL or COBIT; an equal number referred to their own corporate or internal frameworks.[8] Given this gap, firms can be expected to contract with outside expertise, on an increasing basis, to help identify, assess and, at a minimum, plan the implementation of an enterprisewide IT governance framework. According to the ITGI Board Briefing on IT Governance, 2nd Edition:
The ultimate reason IT governance is important is that expectations and reality often do not match. Boards usually expect management to:
Deliver IT solutions of the right quality, on time and on budget.
Harness and exploit IT to return business value.
Leverage IT to increase efficiency and productivity while managing IT risks.[9]
Employees and senior management need to share a sense that they are part of the greater whole—the enterprise for which they work. They have to realize that they share common goals. Employees have to realize that senior management must understand the high-level issues and concerns that affect employees on a daily basis and that affect an employee’s ability to contribute to the business’s bottom line. On another level, employees have to determine what they can do to help their departments and companies achieve their strategic goals and objectives. If employees can understand the strategic goals of their departments and how they align with senior management’s vision, they can be aligned, as the Global Status Report on GEIT indicates,[10] with the long-term approach of senior management to help achieve these strategic goals and, hence, improve senior management’s contribution to the bottom line. Put another way, all oars can lift all boats. Senior management needs to enable employees and knock down the employees’ barriers to success. It is imperative for the IT function to increase its value to the enterprise and eliminate IT initiatives that do not create sufficient value.
With senior management scrutinizing all budgets, including those of IT, on a closer basis, it is the responsibility of the chief information security officer (CISO) to ensure that a process is in place to identify, evaluate and prioritize projects that deliver value to the business and minimize managed and unmanaged risks related to process, controls and technology. Managed risks are risks that are minimized by management to an acceptable level through careful planning and implementation of process, controls and technology. Unmanaged risks, on the other hand, are risks for which management has not yet implemented processes, controls or technology to minimize or eliminate the risk. There is another filter that the CISO has to apply to projects: to ensure that a value delivery model to manage actual costs and maximize return on investment (ROI) is in place for information security projects. As the Board Briefing on IT Governance indicates:
The capacity to deliver is dependent on:
Timely, usable and reliable information about customers, processes, markets, etc.
Productive and effective practices (performance measurement, knowledge management, etc.)
The ability to integrate technology[11]
To be successful, enterprises need to be able to establish the metrics that will be used to measure the success of IT. The IT balanced scorecard (BSC) should cover these measures and be developed with input and approval from business management. For those in the public sector, other metrics relating to compliance may be in order.
The US Gramm-Leach-Bliley Act (GLBA) requires that a formalized information security program be in place and approved by the board of directors. However, as security challenges, from social media to botnets, become more complex, the role of information security becomes more activist. As Dmitri Alperovitch, threat research vice president at McAfee Labs, stated, “We are seeing an escalating threat landscape in 2011.”[12]
The board of directors also has to take on a more activist role. The board and audit committee have to understand the firm’s “pain point” and ensure that they are obtaining an unbiased view of the landscape of issues and challenges. The board of directors has to ensure that:
Respondents in the 2011 Global Status Report indicated that “60 percent use or are planning to use cloud computing for nonmission-critical IT services and more than 40 percent are planning to use it for mission-critical IT services.”[14] Hewlett-Packard defines the cloud as a “massive data processing infrastructure, which interconnects users, information and services through technology.”[15] It is not the intent of this article to identify the governance issues that impact a firm’s decision to use cloud technology in its enterprise IT. Instead, as IT costs increase and firms decide to go ahead with cloud initiatives, the following governance issues will impact their IT environments:
The Global Status Report on GEIT indicates that data privacy and security concerns are the main reasons that some enterprises do not have plans to go to the cloud. Clients can now more effectively adopt and implement cloud-ready solutions, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS). This helps accelerate delivery of business services, decrease related time and effort by automating the deployment and management of resources in the cloud, and mitigate the risk of a failed cloud initiative. The Global Status Report on GEIT also indicates that cloud-computing-related concerns about security, data privacy and legacy infrastructure investments are generally higher in large enterprises than in small ones.[16]
In a July 2008 webinar from The Institute of Internal Auditors (The IIA), continuous auditing was defined by Deloitte as a detective control to be used to monitor controls, transactions and technology configurations,[17] and according to the American Institute of Certified Public Accountants (AICPA):
Continuous auditing defines the technologies and processes that allow an ongoing review and analysis of business information on a real-time basis. Continuous auditing will require specialized skills of audit personnel to monitor information electronically and incorporate the use of intelligent agents, computer modeling and other software tools.[18]
ISACA defines continuous auditing as an approach that “allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.”[19] Perhaps as businesses become more competitive, cost-conscious and global, and as they look for competitive advantages over other firms, businesses will pursue continuous auditing because it will enhance the governance framework and directly link with the enterprise’s risks and IT strategies. At least, one can hope so.
As Norman Marks relates in his article “Continuous Auditing Reexamined”:
Auditors should not go to their favorite software vendor and buy their automated testing solution until after they know what they want to accomplish. Auditors must identify the risks for which they will provide assurance, identify the key controls that manage the risks, determine the best way to test those controls on a continuing basis, and finally select the tools.[20]
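The continuous auditing approach described above (a detective control that monitors transactions and technology configurations, built by first naming the risk, then the key control, then the automated test) can be illustrated with a small exception engine. The following is an added example and is not code from the article or from ISACA, Deloitte or Marks; the control identifiers, the approval threshold, the configuration baseline and the payment records are all constructed for illustration.

```python
"""Continuous-auditing exception engine (added example; not from the article).

Each key control is declared as risk -> control -> automated test, following
the order Marks recommends, and runs over every record as it arrives. Any
violation becomes a Finding for auditor follow-up. All identifiers, thresholds
and records below are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Payment:
    txn_id: str
    amount: float
    created_by: str
    approved_by: Optional[str]  # None when no approval has been recorded


@dataclass(frozen=True)
class Finding:
    control_id: str
    subject: str   # transaction id or configuration key that failed the test
    detail: str


@dataclass(frozen=True)
class Control:
    control_id: str
    risk: str
    # Returns a description of the violation, or None when the record passes.
    test: Callable[[Payment], Optional[str]]


APPROVAL_LIMIT = 10_000.0  # constructed threshold above which a second person must approve


def segregation_of_duties(p: Payment) -> Optional[str]:
    """Key control: the person who creates a payment may not also approve it."""
    if p.approved_by is not None and p.approved_by == p.created_by:
        return f"creator {p.created_by} also approved the payment"
    return None


def large_payment_approved(p: Payment) -> Optional[str]:
    """Key control: payments above the limit require a recorded approval."""
    if p.amount > APPROVAL_LIMIT and p.approved_by is None:
        return f"amount {p.amount:.2f} exceeds {APPROVAL_LIMIT:.2f} with no approval"
    return None


# Hypothetical control register: risk first, then the control that manages it.
CONTROLS: List[Control] = [
    Control("PAY-01", "Unauthorized or fraudulent disbursements", segregation_of_duties),
    Control("PAY-02", "Large payments released without independent review", large_payment_approved),
]


def run_controls(payments: Iterable[Payment], controls: List[Control] = CONTROLS) -> List[Finding]:
    """Apply every control test to every transaction; collect the exceptions."""
    findings: List[Finding] = []
    for p in payments:
        for c in controls:
            detail = c.test(p)
            if detail is not None:
                findings.append(Finding(c.control_id, p.txn_id, detail))
    return findings


# Constructed configuration baseline for the "technology configurations" part of
# the definition: each key is an expected setting on a monitored system.
BASELINE: Dict[str, object] = {
    "password_min_length": 12,
    "mfa_required": True,
    "audit_log_retention_days": 365,
}


def config_drift(observed: Dict[str, object], baseline: Dict[str, object] = BASELINE) -> List[Finding]:
    """Flag every baseline setting that is missing or differs on the observed system."""
    return [
        Finding("CFG-01", key, f"expected {expected!r}, observed {observed.get(key)!r}")
        for key, expected in baseline.items()
        if observed.get(key) != expected
    ]


# Constructed sample transactions: T2 violates PAY-01, T3 violates PAY-02.
SAMPLE_PAYMENTS = [
    Payment("T1", 2_500.0, "alice", "bob"),
    Payment("T2", 15_000.0, "carol", "carol"),
    Payment("T3", 12_000.0, "dave", None),
    Payment("T4", 800.0, "erin", None),
]

if __name__ == "__main__":
    for f in run_controls(SAMPLE_PAYMENTS):
        print(f"{f.control_id} {f.subject}: {f.detail}")
    for f in config_drift({"password_min_length": 8, "mfa_required": True}):
        print(f"{f.control_id} {f.subject}: {f.detail}")
```

In practice the two runners would be fed from a transaction feed and a configuration inventory on a schedule, and the resulting findings routed to the audit workpapers; the point of the structure is that the tool is the last thing chosen, after the risk, the control and the test are already written down.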
This article discussed what the author believes to be the top governance issues impacting stakeholders in the governance space in 2011. These issues were determined based on the author’s experience in the governance space and review of the 2011 Global Status Report on GEIT. They are IT risk management, the establishment of a governance framework, a sense of teamwork and of enterprise, value delivery through IT, a more activist information security department and board of directors, cloud computing, and continuous auditing and assurance. These issues represent the author’s view, but are not ranked in any particular order. Furthermore, these issues represent opportunities for a firm to strengthen its governance practice and to make IT’s role a more proactive, productive one.
It is suggested that readers access ISACA’s web site to learn more about the 2011 governance issues that they believe will impact daily operations and that need to be addressed. ISACA members can also use the ISACA web site to connect to other members; voice their opinions, concerns and related thoughts; and start discussions on governance and other issues. For more information, please visit www.isaca.org/Knowledge-Center/Pages/default.aspx.
[1] IT Governance Institute (ITGI), An Executive View of IT Governance, USA, 2009, www.isaca.org/Knowledge-Center/Research/Documents/An-Executive-View-of-IT-Gov-Research.pdf
[2] ITGI, Global Status Report on the Governance of Enterprise IT (GEIT)—2011, USA, 2011, www.isaca.org/Knowledge-Center/Research/Documents/Global-Status-Report-GEIT-10Jan2011-Research.pdf
[3] Ibid.
[4] ITGI, Board Briefing on IT Governance, 2nd Edition, USA, 2003, www.isaca.org/Knowledge-Center/Research/Documents/BoardBriefing/26904_Board_Briefing_final.pdf
[5] ITGI, Taking Governance Forward
[6] Ibid.
[7] Op cit, ITGI, 2009
[8] Op cit, ITGI, 2011
[9] Op cit, ITGI, 2003
[10] Op cit, ITGI, 2011
[11] Op cit, ITGI, 2003
[12] Chabrow, Eric, “Eight IT Security Threats for 2011: Dmitri Alperovitch on the New Year’s Digital Threats,” GovInfoSecurity.com, 28 December 2010, www.govinfosecurity.com/podcasts.php?podcastID=908&rf=2010-12-28-eg
[13] Op cit, ITGI, 2003
[14] Op cit, ITGI, 2011
[15] Hewlett-Packard Development Company, L.P., “Top Five Things to Know About Cloud,” http://h10134.www1.hp.com/news/features/5354/?jumpid=reg_R1002_USEN
[16] Op cit, ITGI, 2011
[17] The Institute of Internal Auditors (The IIA), “Continuous Auditing: What Works Best,” webinar, July 2008
[18] Kepczyk, Roman H., “AICPA Top 5 Emerging Impacts on You!,” Accounting Today, 25 April 1999
[19] ISACA, Glossary, www.isaca.org/Pages/Glossary.aspx?tid=1141&char=C
[20] Marks, Norman, “Continuous Auditing Reexamined,” ISACA Journal, vol. 1, 2010, www.isaca.org/journal
Larry Marks, CISA, CGEIT, CRISC, CFE, CISSP, PMP, is a consultant for Matlen Silver. He is currently assigned as a project manager in the information security program management office of a financial services client. Marks is a member of ISACA’s Government and Regulatory Agencies Regional Area 4 Subcommittee and a member of a number of US Technical Advisory Groups (TAGs). He is also a member of the Association of Certified Fraud Examiners (ACFE) Editorial Advisory Review Committee and is vice chair of the ACFE Foundation Scholarship Committee.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.