IT GOVERNANCE

The Role of the Auditor in IT Governance

By Alex Woda

Information technology (IT) governance is defined by the IT Governance Institute as ensuring that the organization aligns the IT strategy with the enterprise strategy and manages the risks in the ongoing development and operation of IT systems. This is a broad, high-level objective carried out through the implementation of business processes and activities directed by the board and senior management to create an effective and controlled IT environment.

How does the auditor fit into the picture? The auditor has been a strong supporter of, and catalyst for, helping organizations establish governance in IT and in other areas such as financial management, regulatory compliance and operational management. However, the pace of change and the amount of resources invested year after year in IT make the management of IT similar to white water rafting or wild horse bronco riding. Control in a turbulent and dynamic environment is more than a challenge—it is an adventure. It is now more important than ever that the auditor become involved in supporting and helping implement corporate governance in IT and management.

So what are the best practices in establishing IT governance? Aligning the IT strategic plan with the enterprise business strategy is much easier said than done. During the last decade, new types of business and IT strategy models have emerged which break away from traditional long-term, rigid plans. They focus on diversified strategies: dynamic models that are constantly measured and monitored. These diversified strategies use market feedback mechanisms and indicators to assist management in deciding which business areas, directions and products should be pursued. Over the last couple of years, new types of feedback and monitoring systems have emerged to support this business planning process.
As an example, in the entrepreneurial model, which is quite popular for strategic business units and corporate spin-offs, some companies have adopted a continuous feedback model with their customers to assist them in determining the best strategy to pursue. This does not mean that all other strategies are abandoned; it means that the direction and focus of the company shift and adapt to allow experimentation and exploration.

Does this type of approach take up more resources and spread existing corporate resources too thin? Of course it does. But two things should be pointed out:

1. It lowers the risk of pursuing a losing long-term strategy which does not fulfill customer needs and expectations.

2. It is supported by a dynamic management team that is constantly assessing strategy, approaches and corporate direction.

An analogy to this is the use of advance scouts moving well in front of the marching army, who report on conditions, terrain and enemy positions.

So what does this mean for the IT strategic planning process? It means that the process is more important than the end product. The by-product, or resulting product, of a strategic plan is an IT business plan. The business plan lists the priorities, the resources committed and descriptions of the application systems and infrastructure projects planned for the next year. With the new types of strategic monitoring processes, these plans can and will change quickly and dramatically.

There also have been radical changes in the development processes for systems and applications. Purchased packages, prototyping, rapid systems delivery, co-sourcing, object-oriented code and client-centered systems all add to the ever-growing list of new systems and technologies that need to be harnessed. It is of the utmost importance that the organization use standards, objectives and guides for systems planning, analysis, design, development, testing and implementation.
Keeping track of and managing the quality, plans and schedules of system development projects are fundamental requirements of IT governance.

Another observation in current business management is the substitution of rigid strategic plans with creatively stated corporate values and ethics. The last decade has seen an increase in the delegation of authority and responsibility to staff and middle management. Employees are empowered to carry out their tasks within a framework and set of guidelines directed through broad corporate values, such as “respect for customers and employees,” “quality is our product” and “commitment to improving service is our goal.” The ethical aspects of such broad mission statements are meant to guide the behavior of employees in ethical actions and decisions. For example, ethical statements such as “all customers are treated equally,” “we stand behind our product quality” and “we follow the rules” seem to have a stronger impact on employee actions and behavior than 50 volumes of corporate policies and standard operating procedures that are referred to only when the auditor asks if policies exist.

This is not to say that standards and procedures should not exist; it means that the role of standards should be to guide and enable employees to meet the business objectives. This is in contrast to the approach of directing and commanding people to follow processes and methods that do not necessarily support business objectives directly. In other words, there is a stronger emphasis on what needs to be done than on how it is to be done.

Organizations using the approach of corporate values and ethics to foster a creative and dynamic environment tend to focus more on establishing objectives and goals in the business planning process. These objectives and goals combine with corporate values and ethics to create a framework for planning, developing, monitoring and controlling operations and new business projects.
Governance should be focused more on how to achieve objectives and less on how to follow a process. Historically, standard operating procedures have been used to manage companies in a controlled manner. In today’s operating climate, especially in IT, there is more of an emphasis on setting requirements for project deliverables and defining measurable standards of quality than there is on following the methodology. This does not mean standards, methodologies and operating procedures have been eliminated, since this is not a binary decision. It is a matter of degree and emphasis, and it involves applying relevant control practices where the risks are significant and the exposures are harmful.

Throw away the concept of implementing control for the sake of control. Instead, use the metaphor of weight on a scale when analyzing how much control should be applied to a process or system to minimize risks. Risks and controls need to be balanced for controls to be considered efficient and effective. In addition, the controls must fit within the capacity, form and objective of the process. Changing a process by removing discrete formal steps and empowering the people by establishing frameworks, guides and deliverables will make a process more efficient. However, the risks will most likely remain the same.

How do we balance the scale? One way is to apply more weight on one side of the scale, such as placing more emphasis on control. But this may overload the capacity of the scale. The goal is to combine efficient processes with efficient controls and efficient people, and move the center line, or pivot point, of the scale to create a lever. Moving this pivot point is accomplished through the design of more efficient processes and controls and better people management. A well-communicated and properly implemented governance system supports corporate efficiencies.
Balancing Act

So how do we operate as auditors in this new type of management style? The role of the auditor should be seen as that of a partner. The auditor still has the responsibility to provide independent assessments and opinions on company operations and controls, and these should be outlined in audit plans and approved by the board of directors. But the auditor also can work with management by:

• Developing and implementing communication and awareness programs
• Recommending appropriate checks and balances to support the new business processes
• Identifying risks and vulnerabilities in the context of IT planning, development of systems and operations

IT governance and corporate governance are concerned with communications and checks and balances. Checks and balances refer to the internal control structures and processes used to manage risk, ensure compliance with regulatory requirements and carry out business processes in a manner that supports business objectives and business values.

Listed below are six steps that can help an organization implement a governance framework for IT.

Step 1—The auditor should get involved in the business plan development and monitor all changes made to the IT business plan.

With the new type of strategic planning processes and development of business plans, it is absolutely essential that the auditor be part of the process and be informed on IT business plans.

Step 2—The auditor should participate in systems development projects and provide advice on control techniques and risk minimization.

Active participation on a project team during the development of systems is extremely valuable in the IT governance process. With the use of outside contractors and project managers, the number of internal company representatives on a project team can be quite small. Governance helps the project team achieve its objectives and deliver quality systems. (On time and on budget also are important.)
The auditor can help ensure that project deliverables, standards and required governance objectives are met. The auditor should participate as a governance and control consultant.

Step 3—The auditor should evaluate IT business processes to ensure the processes:

• Fit with the organization’s culture and structure
• Address risks effectively
• Enable the IT department to meet business objectives

Business process audits that span multiple departments and areas of responsibility are viable audit areas. With companies struggling to streamline processes and improve risk management, the business process is one of the key building blocks of corporate operations. It also is the entity from which corporate governance is established and delivered. Armed with tools such as COBIT (Control Objectives for Information and related Technology) and skills of facilitation and risk analysis, the auditor can be a valuable resource in identifying process weaknesses and suggesting improvements derived from industry best practices.

Step 4—The auditor should contribute to the implementation of IT governance by facilitating training and awareness of risk management, controls and best practices.

Control models, such as COBIT and information security best practices, are available to use as the auditor’s tool box. Similarly, techniques such as facilitated control self-assessment and risk analysis workshops can build the level of control and risk awareness in the organization.

Step 5—The auditor should partner with information security, human resources, legal and risk management departments to align audit plans and adopt consistent approaches and supporting roles in risk assessments, control model development and compliance processes.

Being a part of the solution rather than part of the problem should be the motto of the audit department. Getting involved and partnering with other control and risk specialists is an efficient way of getting the message across.
Step 6—The auditor should develop an inventory of corporate IT assets and apply a risk assessment and ranking model to identify the importance and risk of IT projects, application systems, infrastructure components and IT business processes.

This inventory should be updated constantly and used for audit planning, risk analysis and the assessment of IT governance. Having the right information at the right time is knowledge. Being able to analyze and use that knowledge is power. With the increase in the level of responsibility of the auditor in this new business model, it will become more important for the auditor to be able to create and adapt existing information and knowledge into new risk and control models. These models are essentially methods of best practices, deliverables and sets of activities that can be applied when building new systems or assessing existing business applications. Having a support system that can provide the tools and knowledge base to create new models is a valuable risk and audit management tool.

Conclusion

The expanding role of the auditor in today’s IT environment requires a new way of looking at the challenges and issues facing IT management. The new demands placed on IT departments and the pace of change involving third-party arrangements and new systems will create a need for IT management to look for skills inside the company and to work with management and project teams in reducing risks and delivering quality systems. The IT governance model, used as a framework and guide, should be customized to fit with the business processes and culture of the company. Making IT business processes efficient and effective is key to making the machine work. By utilizing governance and risk management support systems, the auditor can help build an effective control and risk framework in the IT governance model.

Alex Woda, CISA, is president of Alex Woda and Associates, an information technology consulting firm specializing in professional services and developing software products for enterprise risk management, auditing and security. Previously, he was a manager in the information integrity services group at PricewaterhouseCoopers. He has over 20 years’ experience in systems development, computer audit and information systems security. Woda also is the co-developer of Corporate Risk Management Suite, an enterprise risk and audit management system.