Copyright © 2006 ISACA. All rights reserved. www.isaca.org.

Shifting Governance Roles and Responsibilities:
Improving Management Reporting as Part of Corporate and IT Governance
By Hugh Parkes, CISA, FCA

In 1992, a committee set up by the Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, under the chairmanship of Sir Adrian Cadbury, made recommendations on good practice covering the responsibilities of executive and non-executive directors in reviewing and reporting information to shareholders. It recommended a code of best practice based on openness, integrity and accountability to improve standards of corporate behaviour, strengthening controls over businesses and their public accountability, while retaining the essential spirit of enterprise. It identified board responsibilities for governance, including setting strategic aims, providing leadership, supervising management and reporting to shareholders on their stewardship. This marked the start of the international movement toward better corporate governance.

Ten years later, in January 2002, the US Congress passed the Sarbanes-Oxley Act in response to the Enron, WorldCom and other financial scandals that had emerged. In reality, these scandals were corporate governance failures, not just financial scandals. Subsequent trials in the US have found a number of CEOs, CFOs and fellow executives who aided or abetted them guilty of a range of offences. Investors, employees and business organisations were among those that lost money. A far wider group of stakeholders—including the US Securities and Exchange Commission (SEC), audit firms and investment advisors—lost credibility based on the systemic failures revealed.

The US Congress seems to have been under pressure and in a hurry when it passed Sarbanes-Oxley. It focuses on an entity’s financial statements, but not on the other activities that make up around 80 percent of the market value of an enterprise (using Microsoft’s net value attributable to shareholders in its financial statements divided by the market value of stock units it has on issue, as an example) as determined by the SEC or other capital markets.

The elements of corporate governance listed for Cadbury Schweppes (appendix in Corporate Governance and Chairmanship by Sir Adrian Cadbury, 2002) that are not directly covered by financial reporting include company character and reputation; quality management to achieve corporate integrity (straight dealing); customer goodwill; brand positioning; competitive ability; clear strategic objectives; effective management of change; simple organisation and harmonisation with corporate goals; committed people sharing personal, team and corporate goals; openness and trust inwardly and to customers and outside parties; and acceptance of broad responsibilities to shareholders, employees, customers, suppliers, governments and society. These are all about honesty and integrity but are not covered by contemporary accounting frameworks (International Financial Reporting Standards [IFRS] and others), nor by the directions taken by corporate regulators in their quest for legal form compliance as opposed to the substance of corporate integrity.

Stronger Governance a Critical Priority

So, there is a bigger shift coming in corporate governance reporting than Sarbanes-Oxley section 404. The first part is section 302, which requires the CEO and CFO to certify that they have confirmed within the last 90 days that the internal controls within their organisation are operating effectively. Given the internal control deficiencies reported from the section 404 process around the world, and the reportedly poor condition of managerial monitoring systems to reliably confirm that internal controls are operating effectively every day, such certifications might be considered high risk to those making them. The assurance process from external auditors is not likely to provide much comfort to CEOs and CFOs if balance sheet substantiation is still being used rather than an interactive monitoring of controls throughout the accounting period. New audit methodologies are urgently needed here. But bigger still, beyond section 302, lies the need for some real corporate governance reporting, covering the fuller span of corporate activities (the other 80 percent) and the integrity with which these are performed.

There is also a big question mark over the way in which reporting is currently presented—either to management, or to boards of directors or other stakeholders. Are 200-plus pages of tightly written compliance legalese meaningful? This is what most corporate annual reports contain. Are internal reports much better for the purpose of sharing useful information amongst organisation managers so that they can govern the business well—or are they, too, ready for major improvement?

This article builds on both management and audit committee experience to propose that a picture is indeed worth a thousand words. Broader spectrum reporting is needed for better governance, but only if it is succinct and absorbable in coloured pictures. Getting executives or directors to discuss complex reports has caused them to focus on coloured overview charts of the context and the issues at hand—not on the mass of text backing up the diagrams. This article continues with selected examples of what can be done and

raises some of the broader spectrum of possibilities for managers and those providing governance assurance.

Sources of Issues

What should management reporting cover if the financial part comprises only 20 percent? A start can be made by considering an organisation from the CEO’s perspective—the sources of issues that come across his/her desk each day and each year.

Sources of issues on the CEO’s desk will include some or all of the following:
• People—Role of the personnel director, as well as the CEO and every executive
• Business operations—Domain of the chief operating officer (COO)
• Strategies and their implementation and progress—Domain of the CEO and corporate strategy directors
• Board strategic input and feedback—A primary role for the CEO
• Risk assessment and management—Role and responsibility of all executives
• Solvency and funding levels—Covered in treasury reporting, financial accounting framework reporting, cash flow statements; the domain of the CFO or the corporate treasurer
• Major strategic projects—Responsibility of business heads with CEO overview
• Customers and the customer base condition—Not IT’s responsibility. Responsibility should be that of every business unit head with customer contact. Information architecture and its use are the responsibility of the chief information officer (CIO).
• Sales and marketing activities that bring in business—Every business unit head’s responsibility
• Systems—Responsibility of each business unit head in conjunction with the CIO and the chief knowledge officer (CKO)
• Compliance with legislation—Responsibility of CEO, CFO and each business unit head; monitored by the group internal auditor for independent assurance
• Information—Its architectural design falls to the CIO; responsibility for its quality, currency and use rests with each business unit. This is the largest store of value in the organisation.
• Knowledge use—Domain of the CKO, but with the personal involvement of every business unit head or activity director
• Building the business for the future—Role of the CEO, chief scientists or chief research officers, and involves other business unit heads
• Internal controls in practice—Responsibility of each executive; the CEO and CFO take on personal responsibility for their colleagues’ assurances on internal controls functioning (section 302)
• Security measures being used and operational—Role of chief security officer (CSO) in association with each business unit head; the CEO’s main involvement is when something goes wrong

Examples of summarized reports for some of these organisational capabilities are shown in figure 1, with likely commentary from CEOs reviewing them.

Looking at each source of issues in turn, there is a range of possible management reports that can provide better governance if management has confidence in what these reports contain. Keeping in mind some of the governance objectives listed in the

Figure 1—Example Report

[Figure: organisation chart of the CEO, chief operating officer, chief finance officer, sales director and CIO with the units reporting to them (lawyers; risk management; finance staff; sales team; IT development, networks and operations; research staff; knowledge manager; treasury unit; call centre staff and call centre manager; manufacturing in Belgium, Singapore and California; warehouse and supply chain manager; warehouse and shipping staff; assurance and compliance (formerly audit); shared services staff; human resources). Each unit is colour-coded by morale: good morale; some morale issues; major morale risks; severe morale risks. Report based on a confidential recent internal opinion survey.]

introduction to this article, the question then arises as to what management reports are available and where new ones may be required to strengthen governance processes.

People

Accounting coverage is limited to costs of payroll and employee benefits. Most of the important organisational culture, ethical standards in operation, climate of integrity, level of customer service focus, employee identification with and ownership of organisation processes and outcomes issues are not covered or reported. The competency levels, age profiles, staff retention rates, and the strategic fit of expertise with what is needed to implement the strategies that are being followed are also not recorded. Information of this kind can be obtained from surveys of employee morale, from what are called human asset recording and management (HARM) systems and similar sources—if they exist in the organisation. This is the domain of the personnel director or human resources in larger entities. It is a top priority area for better reporting for better corporate governance, and it takes up much CEO time.

Business Operations

Business operations are usually seen by accountants in the context of the organisation being a ‘going concern’ (able to meet financial solvency requirements). However, the COO has a different perspective: How do we keep our business processes operating every day? Are the infrastructure and systems robust and reliable? Are the supply chains in and working? Do I have the staff I need? Are we achieving the throughput I am required to deliver? Is inventory moving fast enough? Is further capital investment justified? What are the implications on operations of new strategic initiatives? Am I getting meaningful, reliable reports about all these issues?

Strategies

This comprises the implementation and progress of strategies. Are the management reports in place to tell management the actions needed to convert strategies to reality? Can these reports be relied upon, and can they be verified by assurance providers? Can management confidently share these management reports with the board?

Board Strategic Input and Feedback

Having decided on organisation strategies, how do board members know that these strategies are being implemented in practice? Does the organisation have sound project direction and management in place, and does it have the resources needed to convert them to reality on the ground? Are the CEO and his/her management team committed to delivering the strategic outcomes to the board?

Risk Assessment and Management

Besides having a documented risk assessment covering all entity activities and a documented listing of all the management actions proposed to manage the identified risk, does the entity have reports from monitoring systems to tell how each activity is operating 24 hours a day, 365 days a year? Levels of risk management vary by entity; for example, banks need interactive monitoring for business risks, and manufacturing may require similar levels of operating process monitoring. There is also a direct interest as to whether business unit heads are owning (taking responsibility for) risks within their area of responsibility.

Solvency and Funding Levels

Covered in treasury reporting, financial accounting framework reporting and cash flow statements, this is the domain of the CFO or the corporate treasurer. Useful management reports include cash flow and solvency levels, financial and solvency projections, and comparative costs of sources of funds. These are useful management reports and are not related to the exhaustive compliance data required elsewhere in annual reports.

Major Strategic Projects

These refer to major process or system changes in this context. Effective project management reporting is needed to ensure that projects are delivered on time and within budget. Reporting to heads of involved business units, CIO and IT staff, outsourced service providers, and others involved in large projects is essential and needs to be reliable.

Customers and the Customer Base Condition

Not usually valued or covered in the accounting framework, this information is of the utmost importance, and the condition of the information (up to date, complete, accurate, integrated, etc.) is vital to the organisation’s relations with its customers, both for call centre access and marketing prospects.

Sales and Marketing Activities

Management reports on the progress of marketing initiatives and sales campaigns are important. Analytical reports on market segmentation and penetration are important to ensure that sales and marketing are correctly focused to bring in business and provide services effectively.

Systems

These include both the system software, which allows the entity infrastructure to function, and the application software, which incorporates most of the entity’s business process knowledge with which its activities operate. Management reports as to system uptime are of vital importance to all activities, but particularly to the operations function. Similarly, reports on the condition and reliability of application software are vital to CIOs and to business unit heads. Systems that do not work or are unreliable place the whole entity at risk. Boards have a direct interest in what is being done to build new system functionality or replace obsolete or unreliable software.

Compliance With Legislation

Management reports to confirm that compliance activities are in place and operating continuously are essential for Sarbanes-Oxley compliance and to prevent legal or regulatory intervention.

Information

It sounds simplistic, but every organisation stores all its value within its information bases, which are in turn set up within the entity’s information architecture. Management reports needed include ones on the currency, quality, accessibility and use made of the information. Information is a fundamental building block on which every entity relies, so corrupted or inaccessible information causes major problems for minute-by-minute operations and impacts whether strategic goals can be achieved.

Knowledge Use

Management reports need to cover the extent to which the organisation has incorporated its entity knowledge into its systems and procedures, and how effectively this has been done. The contrast is between a paper procedure manual sitting on a shelf and an integrated interactive system that guides employees on how to make the best use of the processes available to them. The extent of knowledge used in an entity is a major differentiator between ‘smart’ entities and other entities. An illustration of knowledge use reporting is shown in figure 2.

Building the Business for the Future

Board and management reports are needed to set out progress on strategic initiatives and development projects building future business capabilities. The absence of reports suggests that little or nothing is being done to sustain the enterprise’s activities into the future. Reporting on this issue in the accounting framework covers only the next 12 months rather than the next five or 10 years, and is limited in scope as to what is covered.

Internal Controls in Practice

Management reporting to provide constant assurance that internal controls are in place and that they are functioning effectively may be in place in well-governed businesses. The monitoring of internal controls is a Sarbanes-Oxley section 302 requirement, but an organisation will get more value if Sarbanes-Oxley compliance is a subsidiary benefit of activities normally carried out to run a good entity. Set out in figure 3 is an internal control summary chart example. In real life, information as to how it is put together would be sought from business unit heads as well as from the internal audit function.

Security Measures

Security measures need to be in place and functioning effectively. Management reporting needs to be risk-based and should alert the CEO if a major problem has occurred or may occur soon. The details of security software operation on a daily basis are likely to be of interest to responsible entity management rather than to the organisation’s leaders.
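The colour-coded summary charts the article describes for internal controls and for security rest on a simple roll-up: rate each business unit from its findings and its assurance history, treat a unit that is neither monitored nor recently reviewed as "do not know" rather than as sound, and roll the unit ratings up to the overall cell plus the short list that needs CEO or board attention. The following Python is an added example written for this page, not code from the article or from ISACA; the unit names, finding counts and dates are constructed sample data, and the assurance windows (12 months for the internal control chart, three months for the security overview) follow the figure legends:

```python
"""Roll-up of a colour-coded control or security status chart.

Added example (not from the article): each business unit is rated the
way the legends of the article's summary charts describe, a stale or
missing assurance review becomes "do not know" rather than an
optimistic self-assessment, and the unit ratings roll up to an overall
status plus the list that needs CEO or board attention.
All unit names, counts and dates below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Rating(IntEnum):
    """Ordered so that max() over several units yields the worst one."""
    SOUND = 0        # sound controls; automated monitoring or recent assurance
    DEFICIENCY = 1   # deficiencies identified; management action being monitored
    UNKNOWN = 2      # not validated within the window; no automated monitoring
    MAJOR = 3        # major issues; CEO and board attention required


@dataclass(frozen=True)
class UnitAssessment:
    unit: str
    open_deficiencies: int          # findings with management action in progress
    major_issues: int               # findings already classed as major
    automated_monitoring: bool      # 24/7/365 automated monitoring in place?
    last_assurance: date | None     # last independent assurance review, if any


@dataclass(frozen=True)
class Summary:
    ratings: dict[str, Rating]
    overall: Rating
    escalate: list[str]             # units needing CEO/board attention, worst first
    automated_coverage: float       # share of units with automated monitoring
    alert_ceo: bool                 # risk-based alert: raised only on a major problem


def rate(a: UnitAssessment, as_of: date, max_age_days: int) -> Rating:
    """Colour one unit. A known major issue outranks everything; a unit that
    is neither monitored nor recently reviewed is UNKNOWN even if it reports
    no findings, because an unvalidated self-assessment is not assurance."""
    if a.major_issues > 0:
        return Rating.MAJOR
    recently_reviewed = (a.last_assurance is not None
                         and (as_of - a.last_assurance).days <= max_age_days)
    if not (a.automated_monitoring or recently_reviewed):
        return Rating.UNKNOWN
    return Rating.DEFICIENCY if a.open_deficiencies > 0 else Rating.SOUND


def summarise(assessments: list[UnitAssessment], as_of: date,
              max_age_days: int = 365) -> Summary:
    """Roll unit ratings up to the overall chart colour and the escalation list.
    max_age_days is the assurance window: 365 for the internal control chart,
    90 for the security overview (assurance within the last three months)."""
    if not assessments:
        raise ValueError("nothing to summarise")
    ratings = {a.unit: rate(a, as_of, max_age_days) for a in assessments}
    overall = max(ratings.values())
    escalate = sorted((u for u, r in ratings.items() if r >= Rating.UNKNOWN),
                      key=lambda u: (-ratings[u], u))
    coverage = sum(a.automated_monitoring for a in assessments) / len(assessments)
    return Summary(ratings, overall, escalate, coverage, overall == Rating.MAJOR)


def render(s: Summary) -> str:
    """One-screen text form of the chart for a reader without the colours."""
    lines = [f"{u:<30} {r.name}" for u, r in s.ratings.items()]
    lines.append(f"Overall operation of controls: {s.overall.name}")
    lines.append(f"Automated monitoring coverage: {s.automated_coverage:.0%}")
    lines.append("Needs CEO/board attention: " + (", ".join(s.escalate) or "none"))
    return "\n".join(lines)


# Constructed sample data; the units, counts and dates are invented.
AS_OF = date(2006, 6, 30)
SAMPLE = [
    UnitAssessment("Finance/accounting processes", 0, 0, True, date(2006, 3, 1)),
    UnitAssessment("Manufacturing Belgium", 2, 0, False, date(2005, 10, 15)),
    UnitAssessment("Call centre India", 0, 0, False, date(2005, 4, 1)),
    UnitAssessment("Manufacturing Korea", 1, 1, True, date(2006, 5, 20)),
    UnitAssessment("Supply chain purchasing", 0, 0, False, None),
]

if __name__ == "__main__":
    print(render(summarise(SAMPLE, AS_OF)))        # internal control chart, 12-month window
    print()
    print(render(summarise(SAMPLE, AS_OF, 90)))    # security overview, three-month window
```

Two design points match the article's argument. The overall cell takes the worst unit rating, so a single unit with a major issue turns the board-level summary red rather than being averaged away, and the CEO alert fires only on that case, which keeps the daily detail with responsible management as the Security Measures section suggests. Shortening the assurance window from 12 to three months, as the security legend does, moves units with an ageing review from "deficiency" to "do not know", which is exactly the question the chart is meant to surface.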

Figure 2—Example of Knowledge Use Report

[Figure: chart titled “Logical and Physical Security Overview”. A network diagram of the head office servers and shared services (data, PABX, finance, HR, facilities, research and development, IT operations and applications, mainframe, internal main computer, disk array, security environment), the web server and sales and marketing server, network security gateways and comms controllers, and the regional servers and firewalls for Belgium, Singapore, California, Korea (manufacturing SCADA controller and physical security), India, Ireland, Canada, supply chain and purchasing, the warehouse and remote computers. Each node is colour-coded: major security risks plus identified exposures; security exposures identified, under investigation; well secured plus assurance received within the last three months (BS 7799).]
Figure 3—Internal Control Summary

[Figure: chart titled “How Our Internal Controls Are Operating”. Cells for board processes; executive team processes; sales and marketing (international marketing, international sales, knowledge support); operations (international operations, operations processes and support, inventory management); supply chain (processes globally, purchasing, distribution, warehouse); manufacturing (Belgium, Singapore, California, Korea); call centres (India, Ireland, Canada); shared support services (finance and accounting, personnel, facilities management, information systems, Australia); research and development; plus two summary cells, “Overall operation of internal controls” and “Extent of 24/7/365 automated monitoring of internal controls”. Each cell is colour-coded: sound internal controls, automated monitoring in place (or assurance review within the last 12 months); control deficiencies identified, management action in progress being monitored; major control issues identified, CEO and board attention required; not assessed by assurance within 12 months, internal control condition not validated, no automated monitoring in place: do not know!]
Figure 4—Example Report of Security Overview

[Figure: chart titled “Organisation Level of Knowledge Integration”, laid out over the same business areas as figure 3 (board, executive team, sales and marketing, operations, supply chain, manufacturing, call centres, shared support services, research knowledge support processes, research and development). Each cell is colour-coded: excellent knowledge access and sharing, integrated, effective; process and knowledge charts exist on system, not fully integrated; knowledge stored in written manuals, no integration, access poor; only managers have knowledge, high risk, not shared or stored.]
Conclusion
Effective management reporting allows organisation
managers at all levels to govern the entity well. Managers who
‘own’ their management reports and action them well are able to
provide justified assurance to CEOs and CFOs on the condition
of the enterprise. The reverse—unsuitable or irrelevant
management reporting—poses the question as to how the
managers manage if they are wholly or partly uninformed. The
same question can be directed to the auditing profession: How
can one provide believable assurance if one is wholly or partly
uninformed?
The answer lies in sound governance being based on
management reporting with the necessary integrity and scope of
coverage. This article has referred to only some of the options
for meaningful management reporting; there is much more that
can be considered under each of the categories listed, as they are
made relevant to the organisation in question.

Hugh Parkes, CISA, FCA
is a consultant based in Melbourne, Victoria, Australia,
working on corporate and IT governance, and business and IT
strategy. He has served on ISACA’s Board of Directors, was a
founding board member of the IT Governance Institute, and
has served on the Australian Auditing Standards Board. His
work has been recognised by the Harold Weiss Award and by
an ISACA Presidential Appreciation Award.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
