A Thorogood Special Briefing: IT Governance
2nd edition
IT GOVERNANCE
Managing Information Technology
for Business
David Norfolk
The author
David Norfolk BSc, MBCS, CITP, CEng, LRPS, joined Bloor Research as a Senior
Analyst for Development in 2007 and is now Practice Leader for Development
and Governance.
He then worked in DBA and Operations Research for the Australian Public Service
in Canberra. Returning to the UK in 1982, David worked for Bank of America
and Swiss Bank Corporation, where he occupied positions in DBA, Systems
Development Method and Standards, Internal Control, Network Management,
Technology Risk and even Desktop Support. He was instrumental in introducing
a formal Systems Development Process for the Bank of America Global Banking
product in Croydon.
In 1992, David became disillusioned with the way people issues were being
handled in City IT and decided to start a new career as a professional writer
and analyst. Since then he has written for many of the major computer magazines
and various specialist titles around the world. He helped plan, document and
photograph the CMMI Made Practical conference at the IoD, London, in 2005
and has written many industry white papers and research reports.
accurately know how many PCs they have and what programs run on them?
How many organisations don’t have an overall picture of exactly what is stored
on their servers?
When the directors of such companies accept responsibility for what their
organisation does and how it does it, how can they do so with any confidence
at all? Such a state of affairs cannot be allowed to continue.
Definition of IT governance
IT Governance is that part of corporate governance in general which ensures
that automated systems contribute effectively to the business goals of an
organisation; that IT-related risk is adequately identified and managed (mitigated,
transferred or accepted); and that automated information systems (including
financial reporting and audit systems) provide a ‘true picture’ of the operation
of the business.
References
References in square brackets, e.g. [8th DirCons, web], refer to entries in the
Resources appendix, at the end of this Report.
find them sufficiently challenging. They call for Audit Committees to adopt a
broader role in corporate governance and reiterate that the Board should maintain
an effective internal control regime. This implies accuracy and transparency in
the IT reporting systems that must be a foundation of any such effort.
The Financial Reporting Council reviewed Turnbull in July 2004, which affects
accounting periods starting on or after 2006. This review found that the Turnbull
guidance still generally achieves its intended effect, in the light of UK and
international experience since 1999, although there are questions as to how far
it has succeeded in promoting the actual embedding of governance in business
processes. The Turnbull Review Group made only a small number of changes
to the Turnbull Guidance, one being that the board’s statement on internal control
should confirm that necessary actions have been, or are being, taken to remedy
any significant failings or weaknesses in internal control. Turnbull at present is
concerned with the spirit of corporate governance and isn’t very prescriptive;
it remains to be seen whether it becomes more prescriptive over time, along
the lines of Sarbanes-Oxley (which is more prescriptive and longer than Turnbull,
although less purely prescriptive than is usual with US regulations). The UK
Auditing Practices Board revises its bulletins on The Combined Code on corporate
governance: Requirements of Auditors under the Listing Rules of the Financial
Services Authority [APB, web] in the light of any changes to Turnbull; Bulletin
2004/3 was replaced with Bulletin 2006/5 in September 2006, and part of this is
superseded by Bulletin 2009.4, Developments in Corporate Governance
Affecting the Responsibilities of Auditors of UK Companies, issued in December
2009 (see the list of Bulletins at [APB, web], for example).
The Combined Code is now under the auspices of the Financial Reporting Council
(FRC) and further changes can be expected as and when needed to ensure that
it remains relevant in the face of changing business conditions and technologies.
The main act affecting companies in the United Kingdom is the Companies Act
2006. This is the longest Act of Parliament ever enacted in the United Kingdom
(305,397 words) and it is supported by numerous regulations having the force
of law. In effect, it establishes an equivalent to the US Sarbanes-Oxley Act (see
below) in the UK. It is less prescriptive and detailed than SOX (UK companies
(unless registered on the US stock exchange or subsidiaries of US companies
etc) should concern themselves with the Companies Act before getting paranoid
about SOX), although the devil is in the detail of how the regulators and law courts
interpret the Act. The Companies Act 2006 affects (or is capable of affecting) IT
governance in many ways, but the following should perhaps be particularly noted:
Statutory registers
Each company is required to maintain and update as necessary a register of
members and certain other statutory registers.
Accounting records
A company must keep adequate accounting records sufficient to show and explain
the company’s transactions, to disclose with reasonable adequacy the financial
position of the company at any time and to enable the directors to prepare accounts
in accordance with the Act (s. 386).
Statutory accounts
Directors are required to use the accounting records to produce statutory accounts
that fulfil the legal requirements, and to prepare a directors’ report (and in some
cases other reports) that give prescribed information. These must be signed to
indicate that the directors accept responsibility. If an audit is compulsory or if
an audit has been commissioned even though it is not compulsory, the accounts
are then audited and the auditor will sign the audit report. In all cases, signed
accounts must be sent to every company member and to Companies House.
Obviously, IT systems must provide accurate information for these purposes.
Auditors’ rights
Auditors have a right of access at all times to the books, accounts and vouchers
of the company. They also have the right to require from directors, other officers,
employees and certain other persons such information and explanation as they
think necessary for the performance of their duties. Any person who, in making
any statement (orally or in writing) that purports to convey information or
explanations to the auditors in the course of their audit, knowingly or recklessly
makes such a statement that is misleading, false or deceptive in a material particular,
commits an offence punishable by a fine or imprisonment for up to two years
(or both). Failure to provide requisite information or explanations is also
punishable, unless the person concerned can prove that it was not reasonably
practicable to provide them (s. 501).
Further, the only practical way you can be sure that your policies concerning
the provision of audited financial information have actually been adopted in the
automated systems that you use, is to implement recognised ‘industry best
practice’ processes for the development of automated systems and the
operational management of the infrastructure that they run on – such as the
Dynamic Systems Development Method [DSDM, web] and the IT Infrastructure
Library [ITIL®, web] procedures. Beyond even this, a company might find that
process improvement (the ability to say what you are going to do, measure what
you actually do and apply changes to the process that reduce any gap between
aspiration and achievement) helps it to address regulatory criticisms in a
cost-effective way and to cope with changing circumstances. One recognised
process improvement regime for IT organisations is CMMI (Capability Maturity
Model Integration) from the Software Engineering Institute [CMMI, web].
A director must exercise the degree of care, skill and diligence that would be
exercised by a reasonably diligent person with:
• the general knowledge, skill and experience that the director actually
has.
The director must meet the higher of the two requirements and it is interesting
to note that this duty follows the duty set out in Section 214 of the Insolvency
Act 1986.
It is relatively easy to set out the required standard, but it must of course be
translated into a myriad of individual circumstances, which may not be easy in
practice. Judges have in the past (especially in the distant past) taken a very relaxed
view about the standards expected, but the requirements have grown more
demanding over the years, and especially in recent years.
companies; nor doing significant business with US companies (in which case
they’ll need to supply the information their partner needs to satisfy SOX); nor
likely to be taken over by, nor merge with, a US company.
The essence of SOX compliance seems to be that you build a rod for your own
back. You must develop a defensible approach to internal control for your business
(and this can be criticised), and then you devise a defensible approach to internal
control for your systems and then you must demonstrate that you are adhering
to your own rules. In other words, it’s not simply a case of adhering to the rules,
there’s an effectiveness measure too (and this is more along the lines of European
regulatory practice).
The impact on IT is that it must facilitate this process, by building into its systems
and processes facilities that provide the information needed by SOX, the audit
trails needed to assure the integrity of this information, and so on. The IT Group
must also be aware of ‘Silver Bullet’ solutions: cosmetic ‘quick fixes’ for
compliance, that are a constant maintenance overhead when the business changes
[Faegre, web].
The two sections with most impact on IT are 302 and 404(a), which deal with
the internal controls that should be in place to ensure the integrity of a company’s
financial reporting and this will impact directly on the software that controls,
transmits and calculates the data used to build the company’s financial reports.
Since August 29, 2002, Section 302 has made CEOs and CFOs commit to the
accuracy of their company’s quarterly and annual reports. They must state:
3. That to the best of their knowledge, the financial statements and other
financial information in the report fairly present, in all material aspects,
the company’s financial position, results of operations and cash flows.
• The Health and Safety at Work Act in the UK [HAS, web]. This applies
to workers in IT just as much as anywhere else. It isn’t perhaps an IT
governance issue, exactly, but it is important to remember that IT
workers are not exempt from Health and Safety issues – and some of
these (the impact of computer monitors on eyesight and Repetitive
Strain Injury (RSI) from keyboard use, for example) are particularly
related to computer use.
• The Disability Act, 1995 [Disability, web]. Again, like Health and Safety,
IT organisations are not exempt. In particular, web sites must be
designed to facilitate access by the differently abled. The key standard
in this area is probably the Web Content Accessibility Guidelines 1.0
(1999; work continues on these and a Working Draft 2.0 was produced
in 2003), created by the Web Accessibility Initiative of the W3C [WCAG,
web].
(as amended), the Drug Trafficking Act 1994 and the Terrorism Act
2000 (as amended). This largely, although not exclusively, affects banking
and financial organisations, which must make Suspicious Transaction
Reports (STRs), if money laundering is suspected, to either the law
enforcement authorities or to the relevant Money Laundering
Reporting Officer (MLRO).
3 ORGANISATIONAL IMPACT
to serious CMMI practitioners for taking a rather superficial view of the subject.
You should also remember that although CMMI deals with more than just
software development, it doesn’t cover every aspect of an organisation, even if
its levels could provide a convenient shorthand for describing maturity in areas
where CMMI proper doesn’t apply. For those seeking more information, refer
to the CMMI web address in the Resources appendix [CMMI, web].
Level 1 doesn’t mean that you have no process or that projects always fail or
that nothing good happens – a common misconception. However, at Level 1 any
successes can’t be guaranteed – they may depend on particular people or
circumstances and a way of working in one project that delivers success may be
abandoned or, at least, not used somewhere else, simply because management
doesn’t recognise what it has. It is hard to see how you can claim any great degree
of IT Governance at the equivalent of CMMI Level 1.
Going from Level 1 to Level 2 can be quite onerous, because it involves recognising
and documenting what you have – and that often brings you up against the usual
people issues as your IT ‘mavens’ may feel that documenting what they do and
sharing it with others diminishes their value in the organisation. At Level 2, you
are starting to have a degree of IT Governance – and, remember, we are
only using the CMMI Levels as a framework for describing maturity levels. You
may effectively be at something corresponding to CMMI Level 2 as far as IT
Governance is concerned, even if you aren’t formally implementing a CMMI
initiative and haven’t undergone CMMI assessment (just don’t claim to be at
CMMI Level 2 unless you do undergo proper appraisal, undergo regular re-
appraisals and publish the appraisal class – A, B or C – and its scope).