Last, all of these steps should be evaluated, measured, monitored, and improved on a continuous basis. IT governance and IT portfolio management should apply kaizen (continuous improvement) principles. It is not advisable to continue rotating key individuals on IT governance committees.
IT governance is a critical capability and plays an important role in gating decisions made in the IT discovery, IT project, and IT asset portfolios as described in the next chapter.
96 CHAPTER 3 PEOPLE AND GOVERNANCE
[Figure: Sarbanes-Oxley Compliance Road Map. Visible panels: 9. Build Sustainability (internal evaluation, external evaluation, significant weakness, material weakness); 6. Evaluate Operational Effectiveness (internal audit, technical testing, all locations and controls, annual).]
1. Plan and Scope: Gain an understanding of how the financial reporting process works and identify where technology is critical in the support of this process; key systems, subsystems.
2. Perform Risk Assessment: Performed for systems supporting the financial reporting process—for example, quality and integrity of information managed by IT systems, access controls, authorizations, availability and timeliness of information, recoverability controls, and so on. The probability and impact of possible failures at various locations, within business units, and so on, are critical inputs.
3. Identify Significant Controls: Identify significant accounts and relevant application controls. Application controls are business processes designed within an application to prevent or detect unauthorized transactions, ensuring completeness, accuracy, authorization, and validity of transaction processing. Companies should assess the controls that support the quality and integrity of information.
4. Document Controls: Documentation is a unique aspect to the Sarbanes-Oxley compliance process and for many companies will present significant challenges. A company should document its approach to IT control, encompassing the assignment of authority and responsibility for IT controls as well as their design and operation.
5. Evaluate Control Design: Evaluate the ability of the company’s control program to reduce IT risk to an acceptable level and ensure it is understood by users.
6. Evaluate Operational Effectiveness: After assessing control design, its implementation and continuing effectiveness must be confirmed. Initial and ongoing tests should be performed to check on the operating effectiveness of the control activities. Companies should consider how the IT control impacts financial and disclosure reporting processes.
7. Determine Material Weaknesses: Engage individuals with experience performing IT control audits to identify the weaknesses of IT internal control programs.
8. Document Results: Provide a comprehensive, easily understood summary of control effectiveness that is inclusive of all testing activities performed. This documentation should culminate in a management report that can be shared with senior executives and demonstrates the overall reliability, quality, and integrity of IT systems.
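Steps 3 and 6 above describe an application control and the test of its operating effectiveness in prose. The following is an added example, not code from the book, of what such a control and its test look like when automated: a journal-entry approval control (every entry above a threshold must be approved by an authorized person other than its preparer) and an evaluation routine that runs the control over a sample of entries and reports exceptions for the management report of step 8. The threshold, the authorized-approver list, and the sample entries are constructed for illustration and are not values from the text.

```python
"""Added example (not from the book): an application control for journal-entry
approval and a test of its operating effectiveness over a sample of entries."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    preparer: str
    approver: Optional[str]   # None when no approval was recorded
    amount: float


# Constructed control parameters (assumptions, not from the text).
APPROVAL_THRESHOLD = 10_000.0
AUTHORIZED_APPROVERS = {"cfo", "controller"}


def control_exceptions(entry: JournalEntry) -> List[str]:
    """Step 3: the application control. Returns the list of violations for one
    entry; an empty list means the entry passes the control."""
    problems: List[str] = []
    if entry.amount <= 0:
        problems.append("amount must be positive")
    if entry.amount > APPROVAL_THRESHOLD:
        if entry.approver is None:
            problems.append("missing approval above threshold")
        else:
            # Segregation of duties: the preparer may not approve their own entry.
            if entry.approver == entry.preparer:
                problems.append("segregation of duties: preparer approved own entry")
            # Authorization: only designated approvers may sign off.
            if entry.approver not in AUTHORIZED_APPROVERS:
                problems.append("approver %r is not authorized" % entry.approver)
    return problems


def evaluate_operating_effectiveness(sample: List[JournalEntry]) -> Dict:
    """Step 6: run the control over a sample of entries and summarize the
    exceptions found, in a form that can feed the step 8 management report."""
    exceptions = {e.entry_id: control_exceptions(e) for e in sample}
    exceptions = {eid: probs for eid, probs in exceptions.items() if probs}
    return {
        "tested": len(sample),
        "exceptions": exceptions,
        "effective": not exceptions,   # control is effective only if no exceptions
    }


# Constructed sample of entries (not real data).
SAMPLE = [
    JournalEntry("JE-1", "alice", "controller", 25_000.0),  # approved correctly
    JournalEntry("JE-2", "bob", None, 500.0),              # below threshold, no approval needed
    JournalEntry("JE-3", "carol", "carol", 50_000.0),      # self-approved
    JournalEntry("JE-4", "dave", "dave_friend", 12_000.0), # approver not authorized
    JournalEntry("JE-5", "erin", None, 15_000.0),          # approval missing
]


if __name__ == "__main__":
    report = evaluate_operating_effectiveness(SAMPLE)
    print("entries tested:", report["tested"])
    for entry_id, problems in report["exceptions"].items():
        print(entry_id, "->", "; ".join(problems))
    print("control effective:", report["effective"])
```

Each exception the evaluation returns is evidence for step 7 (a control that fails on any sampled entry is a candidate deficiency to be assessed for materiality), and the summary dictionary is the kind of artifact step 8 asks to be documented and carried into the management report.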