Professional Documents
Culture Documents
What Is IT Governance?: and Why Is It Important For The IS Auditor
What Is IT Governance?: and Why Is It Important For The IS Auditor
What is IT Governance?
and why is it important for the IS auditor
Introduction
By Richard Brisebois, principal In Canada and in most countries, IT governance is
of IT Audit Services, Greg Boyd, a common theme at IT conferences and seminars.
In most cases, IT governance has been discussed
Director and Ziad Shadid, from a private sector perspective. This article aims to
bridge the gap between private and public sector
Auditor. from the Office of the concepts and approaches.
Auditor General of Canada
into IT
Canada | 31
into IT
32 | Canada
Why IT Governance is Necessary are more susceptible to failure. But n Resource management, through
many organisations fail to consider regular assessments, ensures that
IT governance is needed to ensure
the importance of IT governance. IT has sufficient, competent, and
that the investments in IT generate
They take on IT projects without efficient resources to meet the
value-reward-and mitigate
fully understanding what the organisation’s demands.
IT-associated risks, avoiding failure.
organisation’s requirements are for
the project and how this project links n Risk management embedded
IT is central to organisational success
to the organisation’s objectives. in the responsibilities of the
– effective and efficient delivery
organisation, ensures that the
of services and goods – especially
Identifying organisational objectives organisation and IT regularly
when the IT is designed to bring
for IT is another key best practice for assess and report IT-related
about change in an organisation. This
IT governance. Historically, senior risks and organisational impact.
change process, commonly referred
managers saw IT projects from the Exposures of any problems
to as “business transformation,” is now
limited perspective of input and are followed up, with special
the prime enabler of new business
output objectives. This inefficient attention paid to any potential
models both in the private and public
and ineffective perspective stemmed negative effects on the overall
sectors. Business transformation
directly from these managers’ objectives of the organisation.
offers many rewards, but it also has
lack of technical experience to
the potential for many risks, which n Strategic alignment – a shared
deal with the complexity of such
may disrupt operations and have understanding between the
projects. In addition, these managers
unintended consequences. The organisation’s management and
were unjustly blamed for the
dilemma becomes how to balance the IT department, enables the
vast inefficiencies caused by the
risk and rewards when using IT to board and senior management
organisation’s failure to integrate
enable organisational change. to understand strategic IT issues.
the objectives of IT projects with the
overall objectives of the organisation. IT strategy demonstrates the
IT Governance Best Practices organisation’s technology insights
Despite efforts of the software To be successful an organisation and capabilities and ensures
industry to identify and adopt best should consider all of the following that the IT investment is aligned
practices in the development of factors, which lead to best practices: with the overall strategies of the
IT projects, there is still a high rate high-level framework, independent organisation, maximising the use
of failure and missed objectives. assurance, performance management of available IT opportunities.
Most IT projects do not meet the reporting, resource management, risk
organisation’s objectives – See management, strategic alignment, n Value delivery demonstrates the
summary of survey carried out and value delivery: benefits that can be achieved
by the Standish Group. from each IT investment. Such
n High-level framework – including investment should always
defining leadership, processes, provide value to the organisation
Standish Group’s Chaos Survey
roles and responsibilities, and be driven by the needs of the
The Standish Group’s Chaos biennial survey of IT information requirements, investing entity.
projects over the last 10 years, has analysed the
and organisational structures
success and failure trends of approximately 50,000 IT n Performance management
– ensures the IT investment is
projects. In a 2004 report the group concluded, “29% reporting, including accurate,
aligned with the overall strategies
of projects succeeded (delivered on time, on budget, timely, and relevant portfolio,
of the organisation, maximising
with required features and functions); 53% are programme, and IT project
challenged (late, over budget and/or with less than the application of available
IT opportunities. reports to senior management,
the required features and functions; and 18% have
provides a thorough review of
failed (cancelled prior to completion or delivered
n Independent assurance, in the the progress being made towards
and never used).”
form of internal or external audits the identified objectives of the
(or reviews), can provide timely IT project. Through this review,
A key best practice is implementing feedback about compliance the organisation can assess IT
an organisational structure, of IT with the organisation’s performance in terms of which
including an effective governance policies, standards, procedures, deliverables have been obtained,
framework, with well-defined and overall objectives. These and what shortfalls need to be
roles and responsibilities for IT audits must be performed in an addressed. Performance metrics
stakeholders including IS auditors. unbiased and objective manner, is a good way to get some of the
Such a framework ensures that so that managers are provided data needed for performance.
IT investments are aligned and with a fair assessment of the IT
delivered in accordance with project being audited.
corporate objectives and strategies;
without this framework, IT projects
into IT
Canada | 33
The Importance of Performance n IT costs by category and by What Can Information Systems
activity. The organisation can
Metrics for IT Governance (IS) Auditors do to make IT
see the amount invested in
Performance metrics is the basis for each activity and determine the Governance effective?
sound and rigorous IT governance. value added by the financial In order to assist in the development
In order for an organisation to have investment involved. of effective IT governance, IS
good governance, it must be able auditors must:
to see where true value is being n IT staff numbers and costs
added to its IT projects. Having a analysed by activity. The 1. Contribute to performance metrics
well-defined set of performance organisation can measure the
metrics provides management with value added of each activity 2. Ensure IT Governance is on
the means to measure success and compared with the amount of the Agenda
determine what areas need to be resources committed.
3. Promote IT Governance strategies.
focused on in order to improve
the effectiveness and efficiency of n Outsourcing ratios. The
IT projects. Without performance organisation can determine the
metrics to back one up, it would effectiveness of its own staff
be difficult to gauge the progress and allow them to gauge their
that IT projects are making towards reliance on external resources.
achieving IT objectives. The benefits
n IT-related operational risk
of performance metrics include:
incidents (number and value).
n improvement in the quality of IT The organisation can measure
services over time, how well risk is being handled by
identifying risks, their mitigation,
n reduction in IT risks over time, and the cost of failing to mitigate
them; these measurements
n enhanced delivery, and should then be brought to the
attention of management.
n reduction in costs of delivering IT
services over time. Other examples of some common
metrics include full-time versus
There are two types of performance
contract IT staff, workstation costs,
metrics, (1) development metrics that
IT-related operational risk incidents
are used to measure the performance
(number and value), IT-security
of IT projects in development and
incidents (number and value),
(2) services metrics that are used to
various metrics for IT projects,
measure the success of ongoing or
and IT investment management
repetitive IT services.
capability maturity model (CMM)
For development performance level (current and projected).
metrics, a prescribed set of
measurements are used to track
project development and allow an
organisation to measure the progress
of a project at all stages of the life
cycle. For service metrics, generally,
IT service costs are assigned to the
programme based on a measure
of the IT services activity used
by the programme.
into IT
34 | Canada
into IT
Canada | 35
into IT