
TECH FORUM

Putting IT Governance Into Action

As internal control experts, auditors can help turn desired IT strategies into reality.

BY PAUL ROZEK

Many organizations have policies and procedures in place to manage the work of employees and business partners and ensure their consistency. Similar control processes are essential in IT operations and can be achieved by implementing an effective IT governance framework that addresses the roles and responsibilities of business groups and individuals; articulates the rules and procedures for making IT decisions; and helps to set, attain, and monitor IT objectives.

IT governance activities go a few steps further than standard operating policies: They align an organization's IT strategies with its overall goals and objectives. Effective IT governance initiatives can measure performance and help organizations achieve regulatory compliance in different areas, while balancing the interests of stakeholders. As part of the governance structure, internal auditors can focus an organization's attention on the technology resources that create business value and determine if existing IT controls ensure accountability.

IDENTIFYING HIGH-RISK AREAS

IT controls, policies, and procedures are a key aspect of the IT governance structure. Using a maturity model can help auditors evaluate overall attitudes toward IT governance, IT controls, and high-risk issues. In addition, a maturity model provides a standard way to document the state of internal controls. Key stakeholders, such as senior managers and IT and business process owners, can help auditors identify high-risk issues and rate IT controls using a four-step review process.

1. SELECT AND DEFINE RELEVANT IT PERFORMANCE AREAS Auditors can help develop a scorecard that focuses on high-level factors affecting critical IT performance areas, including strategy implementation, project completion, resource use, and process performance. The maturity of critical IT performance areas will help auditors diagnose where governance improvement efforts are most valuable. To help define these areas, auditors can ask questions such as:

Is the IT infrastructure able to meet business needs?
How is IT performance measured?
How are IT investment decisions proposed, shared, and delivered?
How is IT performance accountability divided between the organization and IT department?
Does IT staff need to understand strategic business goals and objectives?
Do employees recognize, define, and communicate IT needs effectively?

Answering these questions does not require an in-depth understanding of published technology frameworks; IT process owners can help auditors select the most relevant business areas. Auditors also need to identify any risk management issues so that senior managers can understand their role in addressing them. If the relationship between IT and business process owners is not well-established, auditors can recommend hiring a third party to identify IT performance areas, needs, and expectations and minimize problems among key stakeholders.

2. DEVELOP KEY FACTORS FOR PERFORMANCE AREAS AND SURVEY STAKEHOLDERS Areas identified in the previous step should have multiple factors that can help auditors narrow their evaluation. For example, when using the maturity model to gauge how performance areas share accountability, it might be relevant to know whether risks and successes are shared and how often, to what extent business managers and IT staff trust each other, and whether IT projects include business sponsors at a level commensurate with the project's scope.

JUNE 2008 INTERNAL AUDITOR

To report on the state of the organization's IT management efforts, auditors can ask business and IT managers to select one of five statements, each corresponding to a business practice's maturity level. For example, a level 1, or low-maturity statement, might be, "The IT department can't be trusted to perform its work," while a level 5, or high-level statement, might be, "The IT department completes projects successfully." Low scores can indicate management believes IT resources must be micromanaged for their success, while high scores can indicate managers trust the IT department's work performance.

Initially, auditors might consult frameworks such as the UK Office of Government Commerce's IT Infrastructure Library or the IT Governance Institute's Control Objectives for Information and Related Technology (COBIT) for guidance when developing the maturity model. However, their use may add a level of complexity the organization is not ready to adopt during the IT governance program's early stages.

3. DECIDE WHICH MATURITY LEVEL IS BEST FOR THE ORGANIZATION Different business stakeholders may be interested in the organization's overall IT maturity level, including executive, business, and IT managers and internal auditors. As a result, these groups need to identify key performance areas to determine who will decide which maturity level is best for the organization. For example, organizations that use COBIT as their control framework strive to achieve a maturity level of three or four. Decisions related to financial and time investments also are critical in deciding which maturity level is best, as overall costs to achieve a higher maturity level can be prohibitive when compared to its future benefits.

4. RECOMMEND AN ACTION PLAN TO PRIORITIZE IMPROVEMENTS After comparing desired and perceived maturity levels, auditors can help business managers and IT process owners agree on a schedule of necessary improvements that includes milestones, resource requirements, and deliverables. It is a good idea to prioritize the deployment of initiatives to increase maturity ratings using a time-based planning horizon (e.g., between one and three years). It is also important to reassess schedules periodically to measure incremental improvements or refocus efforts based on industry, business, or IT changes.

AVOIDING PITFALLS

Like other initiatives, IT governance has its share of potential pitfalls, including:

Ownership Issues. IT governance should not be an IT project. Owners of the IT governance initiative include senior managers who approve investments that meet the organization's overall vision. Another ownership issue is estimating total ownership costs inaccurately. While business partners can help managers forecast the total ownership costs of new IT systems, implementation expenses are only one part of the total costs. Other expenses include user training, maintenance and storage fees, and changes to business continuity plans.


Excessive Scope. Implementing an IT governance program can be a daunting task that includes the creation of modified roles, responsibilities, decision-making criteria, and a new language to define business performance. Rather than engaging in a full-scale implementation, auditors can recommend a smaller pilot project. This approach will enable organizations to determine the validity and acceptance of governance concepts and apply any lessons learned to the overall program.

Allowing Deviations. Effective IT governance requires structure and discipline. IT process owners, therefore, should refrain from creating substitute processes. However, the governance framework should be flexible enough to allow for emergency changes. If exceptions are needed, they should be thoroughly evaluated and approved through a formal change management process.

Automating Everything. While third-party software can manage IT demands with intelligence engines, hyperlinks, and colorful displays, vendors may assume the governance model has effective policies and procedures to control investment priorities. If the information entered in the software has integrity risks, it does not make sense to display the data more attractively. Higher value can be achieved during the early stages of the IT governance initiative by writing formal policies and procedures, creating standard forms and templates, and communicating design and control audit expectations.

NEXT STEPS

Once the IT governance program is established, auditors can refer to existing frameworks to assess the program's effectiveness. For example, IT governance activities can be mapped to the four COBIT domains (planning and organization, acquisition and implementation, delivery and support, and monitoring) to support audit work. In addition, using best practices can help improve IT processes, enhance awareness of IT controls, and improve communication throughout the organization.

To stay competitive, many organizations are delivering products and services with fewer resources, while meeting compliance requirements and managing change effectively. An effective IT governance program can help organizations accomplish this and more: IT governance is as much a tool for value realization as it is a means of compliance. As control experts, auditors can help organizations mitigate risks by recommending ways to enhance IT governance activities and their successful integration into the organization's culture.

PAUL ROZEK is the director of technology risk management of Jefferson Wells' Milwaukee office.

To comment on this article, e-mail the author at paul.rozek@theiia.org.

Send "Tech Forum" story ideas to:
Raquel Filipek
The Institute of Internal Auditors Inc.
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
e-mail: raquel.filipek@theiia.org
