What is IT Governance?

Transcription

1 30 Caada What is IT Goverace? ad why is it importat for the IS auditor By Richard Brisebois, pricipal of IT Audit Services, Greg Boyd, Director ad Ziad Shadid, Auditor. from the Office of the Auditor Geeral of Caada Itroductio I Caada ad i most coutries, IT goverace is a commo theme at IT cofereces ad semiars. I most cases, IT goverace has bee discussed from a private sector perspective. This article aims to bridge the gap betwee private ad public sector cocepts ad approaches. ito IT

2 Caada 31 Corporate Goverace vs. IT Goverace Corporate goverace is the set of processes, customs, policies, laws, maagemet practices ad istitutios affectig the way a etity is cotrolled ad maaged. It icorporates all the relatioships amog the may stakeholders ivolved ad aims to orgaise them to meet the goals of the orgaisatio i the most effective ad efficiet maer possible. A effective corporate goverace strategy allows a orgaisatio to maage all aspects of its busiess i order to meet its objectives. Iformatio techology goverace, however, is a subset disciplie of Corporate Goverace. Although it is sometimes mistake as a field of study o its ow, IT Goverace is actually a part of the overall Corporate Goverace Strategy of a orgaisatio. Various Defiitios of IT Goverace Corporate Goverace The field of Corporate Goverace is a multi-faceted subject that icludes several fields of study. These fields iclude areas such as: 1. Accoutability ad fiduciary duty. These advocate the implemetatio of guidelies ad mechaisms to esure maagemet acts i good faith ad that the public orgaisatio is protected from wrogdoig or fraud. 2. Ecoomic efficiecy view. This ivolves how the corporate goverace system iteds to optimise results, ad meet its objectives. 3. Strategic efficiecy view. This ivolves public policy objectives that are ot directly measurable i ecoomic terms such as alleviatio of poverty, access to The structure, oversight ad maagemet processes which esure the delivery of the expected beefits of IT i a cotrolled way to help ehace the log term sustaiable success of the eterprise. IT goverace is the resposibility of the board of directors ad executive maagemet. It is a itegral part of eterprise goverace ad cosists of the leadership ad orgaisatioal structures ad processes that esure that the orgaisatio s IT sustais ad exteds the orgaisatio s strategies ad objectives. A structure of relatioships ad processes to direct ad cotrol the eterprise i order to achieve the eterprise s goals by addig value while balacig risk versus retur over IT ad its processes. Specifyig the decisio rights ad accoutability framework to ecourage desirable behaviours i the use of IT. Goverace is ot about what decisios get made that is maagemet but it is about who makes the decisios ad how they are made. markets, icome stabilisatio, health care ad job creatio. These are issues that are the mai focus of most public sector istitutios ad are ot readily measured i ecoomic terms. 4. Stakeholder view. This area of study focuses more attetio ad accoutability o other stakeholders such as citizes, employees, busiesses ad other levels of govermet (i.e. provicial, muicipal or local authorities). IT Goverace IT Goverace focuses specifically o iformatio techology systems, their performace ad risk maagemet. The primary goals of IT Goverace are to assure that the ivestmets i IT geerate busiess value, ad to mitigate the risks that are associated with IT. This ca be doe by implemetig a orgaisatioal structure with well-defied roles for the resposibility of iformatio, busiess processes, applicatios ad ifrastructure. IT goverace should be viewed as how IT creates value that fits ito the overall Corporate Goverace Strategy of the orgaisatio, ad ever be see as a disciplie o its ow. I takig this approach, all stakeholders would be required to participate i the decisio makig process. This creates a shared acceptace of resposibility for critical systems ad esures that IT related decisios are made ad drive by the busiess ad ot vice versa. IT goverace is the term used to describe how those persos etrusted with goverace of a etity will cosider IT i their supervisio, moitorig, cotrol ad directio of the etity. How IT is applied will have a immese impact o whether the etity will attai its visio, missio or strategic goals. ito IT

3 32 Caada Why IT Goverace is Necessary IT goverace is eeded to esure that the ivestmets i IT geerate value-reward-ad mitigate IT-associated risks, avoidig failure. IT is cetral to orgaisatioal success effective ad efficiet delivery of services ad goods especially whe the IT is desiged to brig about chage i a orgaisatio. This chage process, commoly referred to as busiess trasformatio, is ow the prime eabler of ew busiess models both i the private ad public sectors. Busiess trasformatio offers may rewards, but it also has the potetial for may risks, which may disrupt operatios ad have uiteded cosequeces. The dilemma becomes how to balace risk ad rewards whe usig IT to eable orgaisatioal chage. IT Goverace Best Practices Despite efforts of the software idustry to idetify ad adopt best practices i the developmet of IT projects, there is still a high rate of failure ad missed objectives. Most IT projects do ot meet the orgaisatio s objectives See summary of survey carried out by the Stadish Group. Stadish Group s Chaos Survey The Stadish Group s Chaos bieial survey of IT projects over the last 10 years, has aalysed the success ad failure treds of approximately 50,000 IT projects. I a 2004 report the group cocluded, 29% of projects succeeded (delivered o time, o budget, with required features ad fuctios); 53% are challeged (late, over budget ad/or with less tha the required features ad fuctios; ad 18% have failed (cacelled prior to completio or delivered ad ever used). A key best practice is implemetig a orgaisatioal structure, icludig a effective goverace framework, with well-defied roles ad resposibilities for IT stakeholders icludig IS auditors. Such a framework esures that IT ivestmets are aliged ad delivered i accordace with corporate objectives ad strategies; without this framework, IT projects are more susceptible to failure. But may orgaisatios fail to cosider the importace of IT goverace. They take o IT projects without fully uderstadig what the orgaisatio s requiremets are for the project ad how this project liks to the orgaisatio s objectives. Idetifyig orgaisatioal objectives for IT is aother key best practice for IT goverace. Historically, seior maagers saw IT projects from the limited perspective of iput ad output objectives. This iefficiet ad ieffective perspective stemmed directly from these maagers lack of techical experiece to deal with the complexity of such projects. I additio, these maagers were ujustly blamed for the vast iefficiecies caused by the orgaisatio s failure to itegrate the objectives of IT projects with the overall objectives of the orgaisatio. To be successful a orgaisatio should cosider all of the followig factors, which lead to best practices: high-level framework, idepedet assurace, performace maagemet reportig, resource maagemet, risk maagemet, strategic aligmet, ad value delivery: High-level framework icludig defiig leadership, processes, roles ad resposibilities, iformatio requiremets, ad orgaisatioal structures esures the IT ivestmet is aliged with the overall strategies of the orgaisatio, maximisig the applicatio of available IT opportuities. Idepedet assurace, i the form of iteral or exteral audits (or reviews), ca provide timely feedback about compliace of IT with the orgaisatio s policies, stadards, procedures, ad overall objectives. These audits must be performed i a ubiased ad objective maer, so that maagers are provided with a fair assessmet of the IT project beig audited. Resource maagemet, through regular assessmets, esures that IT has sufficiet, competet, ad efficiet resources to meet the orgaisatio s demads. Risk maagemet embedded i the resposibilities of the orgaisatio, esures that the orgaisatio ad IT regularly assess ad report IT-related risks ad orgaisatioal impact. Exposures of ay problems are followed up, with special attetio paid to ay potetial egative effects o the overall objectives of the orgaisatio. Strategic aligmet a shared uderstadig betwee the orgaisatio s maagemet ad the IT departmet, eables the board ad seior maagemet to uderstad strategic IT issues. IT strategy demostrates the orgaisatio s techology isights ad capabilities ad esures that the IT ivestmet is aliged with the overall strategies of the orgaisatio, maximisig the use of available IT opportuities. Value delivery demostrates the beefits that ca be achieved from each IT ivestmet. Such ivestmet should always provide value to the orgaisatio ad be drive by the eeds of the ivestig etity. Performace maagemet reportig, icludig accurate, timely, ad relevat portfolio, programme, ad IT project reports to seior maagemet, provides a thorough review of the progress beig made towards the idetified objectives of the IT project. Through this review, the orgaisatio ca assess IT performace i terms of which deliverables have bee obtaied, ad what shortfalls eed to be addressed. Performace metrics is a good way to get some of the data eeded for performace. ito IT

4 Caada 33 The Importace of Performace Metrics for IT Goverace Performace metrics is the basis for soud ad rigorous IT goverace. I order for a orgaisatio to have good goverace, it must be able to see where true value is beig added to its IT projects. Havig a well-defied set of performace metrics provides maagemet with the meas to measure success ad determie what areas eed to be focused o i order to improve the effectiveess ad efficiecy of IT projects. Without performace metrics to back oe up, it would be difficult to gauge the progress that IT projects are makig towards achievig IT objectives. The beefits of performace metrics iclude: improvemet i the quality of IT services over time, reductio i IT risks over time, ehaced delivery, ad reductio i costs of deliverig IT services over time. There are two types of performace metrics, (1) developmet metrics that are used to measure the performace of IT projects i developmet ad (2) services metrics that are used to measure the success of ogoig or repetitive IT services. For developmet performace metrics, a prescribed set of measuremets are used to track project developmet ad allow a orgaisatio to measure the progress of a project at all stages of the life cycle. For service metrics, geerally, IT service costs are assiged to the programme based o a measure of the IT services activity used by the programme. Oe would ever be able to list all the differet metrics used to measure IT effectively, but the followig metrics are commo to most orgaisatios ad, depedig o whe ad where oe collects the data, ca be used for both project developmet ad services: IT costs by category ad by activity. The orgaisatio ca see the amout ivested i each activity ad determie the value added by the fiacial ivestmet ivolved. IT staff umbers ad costs aalysed by activity. The orgaisatio ca measure the value added of each activity compared with the amout of resources committed. Outsourcig ratios. The orgaisatio ca determie the effectiveess of its ow staff ad allow them to gauge their reliace o exteral resources. IT-related operatioal risk icidets (umber ad value). The orgaisatio ca measure how well risk is beig hadled by idetifyig risks, their mitigatio, ad the cost of failig to mitigate them; these measuremets should the be brought to the attetio of maagemet. Other examples of some commo metrics iclude full-time versus cotract IT staff, workstatio costs, IT-related operatioal risk icidets (umber ad value), IT-security icidets (umber ad value), various metrics for IT projects, ad IT ivestmet maagemet capability maturity model (CMM) level (curret ad projected). What Ca Iformatio Systems (IS) Auditors do to make IT Goverace effective? I order to assist i the developmet of effective IT goverace, IS auditors must: 1. Cotribute to performace metrics 2. Esure IT Goverace is o the Ageda 3. Promote IT Goverace strategies. ito IT

5 34 Caada Cotribute to Performace Metrics IS auditors ca cotribute to performace metrics by assistig the orgaisatio i accurately collectig reportig ad aalysig the metrics i order to iform corporate goverace o results achieved: IS auditors ca assist i IT performace metrics aalysis, icludig what the metrics mea, what the implicatios are, ad what actios are recommeded. IS auditors ca also provide advice by providig idepedet corroboratig iformatio o the causes of observed metrics ad the effectiveess of the plaed actios to correct variaces. IS auditors ca provide idepedet assurace about the accuracy ad completeess of performace metrics by periodic assessmets of the metrics reported to the orgaisatio s corporate goverace. IS auditors ca use their skills to idetify performace criteria for usig metrics to measure programme performace. Esure IT Goverace is o the Ageda IS auditors ca esure IT goverace is o the ageda of the Supreme Audit Istitutio (SAI) ad the orgaisatio s audit committee. Auditors ca use historical research studies ad audits completed by other SAIs to highlight the scope ad objectives that ca be achieved i a audit of IT goverace i the orgaisatio. They ca also promote IT goverace as a audit domai that eeds to be examied withi the orgaisatio. IS auditors ca also iform the orgaisatio about IT performace ad risks, as well as brief the orgaisatio s audit committee o the importace of a idepedet audit review of IT goverace. Promote IT Goverace Strategies IS auditors ca promote the strategies of IT goverace: to ask the right questios so as to esure that maagemet is iformed about the problems, risks, ad rewards that arise from the use of IT ad help bridge the commuicatio gap betwee the orgaisatio ad the IT departmet. Auditors ca esure that a orgaisatio s IT delivers busiess value. This meas fast, secure, ad quality systems that geerate a retur o ivestmet (ROI) that makes the orgaisatio s programmes more efficiet ad effective. Auditors ca also brig together the IT developers ad IT users withi a orgaisatio. To achieve the orgaisatio s objectives, the developers ad users ca arrive at a commo uderstadig of the risks, as well as obstacles, they face ad how to move forward i a coordiated pla of actio. IT Goverace Costraits There are may costraits that face orgaisatios that are tryig to implemet a effective Goverace structure, particularly whe there are sigificat IT ivestmets ivolved. Without effective goverace to deal with these costraits, IT projects will have a higher risk of failure. Each orgaisatio faces its ow uique challeges as their idividual evirometal, political, geographical, ecoomic ad social issues differ. Ay oe of these issues ca preset obstacles to providig effective goverace. Oe would ever be able to list all the ihibitors relatig to IT Goverace but the followig are commo to most orgaisatios: "There are may costraits that face orgaisatios that are tryig to implemet a effective Goverace structure" ito IT

6 Caada 35 Seior Maagemet ot Egagig IT A major issue that ihibits the success of IT projects is that seior maagemet ted to be uwillig to ivolve IT i the decisio makig process. Maagemet eeds to work with their IT departmet whe cosiderig major IT ivestmets to esure that they are provided with the kowledge ad feedback ecessary to make appropriate decisios. Poor Strategic Aligmet Little or o busiess value may be derived from major IT ivestmets that are ot strategically aliged with the orgaisatio s objectives ad resources. Such poor strategic aligmet meas that IT may ot be efficietly ad effectively cotributig to the achievemet of the orgaisatio s objectives. Lack of Project Owership I the past may IT projects were left solely i the hads of the IT departmet ad seior maagemet teded to steer clear of takig owership for such projects. A lack of clear leadership from seior maagemet puts the IT project at risk of failig to itegrate its objectives with the overall objectives of the orgaisatio. Ofte maagemet passes the buck o to the IT departmet, leadig to a lack of itegratio ad aligmet of IT with the overall objectives of the orgaisatio. This creates vast iefficiecies, for which IT maagers are usually blamed. Poor Risk Maagemet Poor risk maagemet is a major costrait to the success of most IT projects. Risk maagemet ivolves assessig all potetial threats to the project ad mitigatig them. If these issues are ot addressed at the oset of the project ad throughout, the risk of failure is extremely high. Ofte, the most damagig IT risks are those that are ot well uderstood by seior maagemet. Ieffective Resource Maagemet To achieve optimum results at miimum costs, a orgaisatio must maage its IT resources effectively ad efficietly. Makig sure that there are eough techical, hardware, software ad most importatly huma resources available to deliver IT services is key to achievig value from ivestmets i IT. Coclusio I summary, IT is a itegral part of the public sector programme delivery. IT goverace is a itegral part of corporate goverace. IT goverace esures that IT goals are met ad IT risks are mitigated such that IT delivers value to sustai ad grow the orgaisatio. IT govereace drives strategic aligmet betwee IT ivestmet ad programme delivery ad must judiciously measure performace. ito IT