Practical IT issues are increasingly becoming a focal point of concern on the agendas of senior management meetings in many organisations. Since IT is a critical component of company survival and growth nowadays, decision-makers should be able to address IT governance in a way that ensures IT is aligned with current and future business strategies.
Unfortunately, some top executives – directors and executive management – are prone to attach a number of negative connotations to IT: that it is beyond their comprehension, too expensive and results in frequent project and system failures.
Despite its increased importance to the success of an organisation, they still leave the management and governance of IT solely in the hands of the chief information officer or the head of IT.
However, in the aftermath of high-profile incidents – such as DDoS attacks on the largest US banks like JPMorgan Chase in 2014; Obamacare’s Healthcare.gov website, which failed to work on launch; and NatWest and RBS system failures – IT governance now matters to everyone, especially to those at the very top, since ultimately they are accountable for the consequences.
This is where IT strategy committees step in: to advise management boards on their IT governance responsibilities, support them when coordinating discussions about IT value, risks and performance, and ensure appropriate action is being taken.
Any investment in effort to improve and develop IT governance structures within a company has been shown to give rise to a number of benefits, namely: increased transparency of IT costs and processes and better accountability; performance improvements, which lead to enhanced opportunities for joint ventures and responsiveness to market challenges; and better compliance with legal and regulatory requirements, which in turn enhances brand reputation and image.
CobiT is an important model used to orient businesses towards more effective IT governance practices. This framework for IT control and governance has been increasingly adopted by organisations around the world to integrate and coordinate stakeholders’ efforts, and it is designed to be employed not only by users and auditors, but also by management and business process owners.
The CobiT framework is based on a simple and pragmatic premise, that: “in order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.” These processes are grouped into four domains: planning and organisation; acquisition and implementation; delivery and support; and monitoring, thus covering all aspects of information and the technology supporting it.
CobiT originated within the Information Systems Audit and Control Association (Isaca), and its early adoption by members of Isaca, who are mostly from the computer audit profession, enabled it to spread into the wider IT community.
With increasing regulatory requirements, both auditors and IT managers are adopting CobiT as the compliance framework for IT controls. The CobiT IT Process model has helped convey a view of IT that is understandable to business management, auditors and IT, while providing a basis for IT functions to be organised more effectively into a process structure with accountable process owners.
The roles of IT and audit for IT governance are separate yet intertwined. IT professionals often have a poor understanding of what controls are and why they are needed. Audit can help with this by working together with IT, providing training that facilitates a change in the culture of the IT organisation and adopting a focus on controls. Audit can test IT controls, especially where control is critical, and assurance is required, but increasingly there is a trend for IT to perform self-assessments. A common framework for control like CobiT ensures that everyone is on the same page.
The implementation of self-assessments can serve as a bridge between the functions and goals of IT and internal audit, and is more likely to motivate autonomous corrective action, thus avoiding the need to rely on limited IT audit sources. Examples of self-assessments include risk assessments, compliance with specific standards and regulatory requirements and quality of service assessments.
There are a number of constraints and challenges relating to these kinds of self-assessments, and their effectiveness depends on the quality, objectivity, skill and experience of the people performing the review. The use of the CobiT framework and specialised training in IT governance are means to supplement any limitations in these criteria and improve the expected outcome of self-assessment.
For more information on how to implement the CobiT framework in your organisation and the pathways available for executives to obtain the Certified in the Governance of Enterprise IT (CGEIT), an internationally-recognised qualification in IT governance, as well as certifications in related fields, including IT audit, security and risk, consult www.isaca.org.
This article has been written by the Isaca Malta Chapter.