Who Is Responsible for IT Governance?
The board of directors, IT executives, business executives, and internal auditors all have significant roles in IT governance assurance and the auditing of IT governance and strategies. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive information is being done and that the company’s information assets are protected appropriately.
- The board of directors must provide oversight at a level above IT executives. The directors’ role in IT governance is to ask executives the right questions and encourage the right results. Directors must set an appropriate tone at the top, making executive management aware of their oversight and ensuring they have adequate information to make intelligent decisions about IT strategy and direction. To this end, many boards establish IT committees, which include representatives from both IT and business organizations. The board also has a role in setting the IT governance culture, which includes organizational values and attitudes. According to ITGI, boards should guide IT management to deliver measurable value by: 1) delivering solutions and services with the appropriate quality, on time and on budget, 2) enhancing reputation, product leadership and cost-efficiency, and 3) providing customer trust and competitive time to market.
- Business executives must have some insight into and influence on IT governance and programs, since business managers are ultimately accountable for the results of the business processes enabled by IT systems. Managers should review IT strategy to ensure it is appropriate, despite ever-changing risks and business requirements. This is, in fact, a form of auditing IT governance. And managers who own business unit information must also help define their IT requirements based on business objectives, the significance of the information involved, legal requirements, and the seriousness of risks associated with data integrity and security. Especially if the IT organization reports to the CEO or other business leader, that office is responsible for providing resources and organizational structure to support IT strategy.
- IT executives work with the board to define IT identity characteristics. These can include the IT organization’s business plan and model, expectations and commitments, and vision. Chief information officers (CIOs) and chief security officers (CSOs) should understand the business organization well enough to bridge the gap between IT and senior business managers or the board. IT executives look both inward at and outward from their organization to assess the impact on IT of industry norms and trends, regulatory changes, contractual obligations, and even environmental threats. Internally, executives ensure that objectives and strategies are supported and understood across the organization. Finally, by subjecting IT processes, resources, and leadership to audit and board review, IT executives advance the goal of corporate oversight and promote its continuous improvement and success.
- IT managers marshal many of the requirements of IT governance, ensuring internal compliance with leadership mandates and drafting policies and procedures that support strategic goals. IT managers are also the eyes and ears of the IT organization. They are responsible for reporting up to executive management. And, when controls fail, IT managers are generally responsible for drafting remediation plans that meet governance requirements.
- Internal auditors provide strategic, operational, and tactical value to IT leaders. For example, the internal auditing function:
  - Informs the board and IT executives as to whether business and IT staff understand the importance of governance objectives and strategy. Auditors can tell IT leaders whether staff is adhering to IT policies, whether key information assets and systems are sufficiently secure, whether business continuity programs are sufficient, whether governance efforts continually strengthen IT performance, whether resources are sufficient, and whether policies are reasonable. In brief, internal audits assess the state of the IT governance environment and recommend improvements.
  - Independently validates that the organization’s governance and strategy are proactive and effective against fraud, information security threats, and business disruption. To provide this level of assurance, internal auditors may compare current organizational practices with industry practices and regulatory guidelines.
  - In addition, the auditing function should complement, but never replace, management’s responsibility to ensure IT security controls are operating effectively. To fulfill an audit’s potential, internal auditors need to: 1) know what they are doing (have the knowledge and skills to perform appropriate audits); 2) understand both the technical and the business environments; 3) know what to ask for from the board, executives, and managers; and 4) complete regular and ongoing training to stay on top of new guidance and standards of practice.
  - Of course, auditing provides only a reasonable level of assurance. Auditors cannot provide an insurance policy against any fault or deficiency, particularly in regard to activities that cannot be totally controlled, such as collusion and management override.