9. Build Sustainability: Ensure that internal controls are sustainable. IT management should be in a position to sign off on the IT internal control program effectiveness. IT has no option—control assessment and management competencies must become part of the IT department’s core competency.
Note: This appendix includes text from IT Control Objectives for Sarbanes-Oxley and Board Briefing on IT Governance, 2nd Edition. Copyright © 2003 IT Governance Institute® (ITGI®). All rights reserved. Reprinted by permission.
APPENDIX 3
Top Issues Faced by Management
• Strategic alignment: Focus on aligning IT with the business and its strategic objectives through collaborative solutions, moving in the right direction and being better aligned than the competition both today and in the future. Consideration is given to the value/cost trade-offs of current and future technologies, the capabilities IT needs to deliver current and future levels of service, the cost versus benefit of the current infrastructure in delivering measurable value to the company, etc. IT strategy is developed from these considerations, and the board assures alignment of IT strategy with business and strategic objectives: ensuring delivery against the IT strategy, balancing the IT portfolio between investments that transform the business and those that run it, and ensuring that the focus of IT resources drives competitive advantage. Alignment also requires that IT maintains a role in the development of strategy, clarifying the role of IT (utility versus enabler), assuring that business maxims lead to IT guiding principles, and continuously monitoring and assessing the value of the discovery, project, and asset portfolios.
• Value delivery: Concentrating on optimizing expenses and proving the value of IT—on-time, on-budget, delivering the quality solutions as committed. In business terms, this translates to competitive advantage, elapsed time for order/service fulfillment, customer satisfaction, customer wait time, employee productivity, and profitability. IT adds value through:
• Meeting business requirements (delivering on time, with appropriate functionality and achievement of the intended benefits)
• Maintaining agility and flexibility to meet future requirements (rapidly integrate technologies, breaking into new markets, improving customer satisfaction, assuring customer retention, driving competitive strategies)
• Streamlining throughput and response times (timely, usable, accurate and reliable data and information)
• Providing ease of use, resiliency and security, and the integrity, accuracy, and currency of the information
IT balanced scorecards are an effective tool for establishing value measures that are agreed between the business and IT. Whereas the private sector is concerned with financial measures such as return on investment, payback period, and internal rate of return, the public sector focuses on measures such as compliance and due diligence.
• Risk management: Addressing the safeguarding of IT assets, disaster recovery, and continuity of operations. Risks include areas such as operational and systemic risk, within which technology risk and information security issues are prominent. The board is responsible for ascertaining the risks, determining the risk-taking policies (the company’s appetite for risk), assuring internal controls are in place to accurately measure and monitor risks, and having decision trees and rules in place on how to communicate and solve areas that present risk exposures. Risk management focuses on impacts to future investments in technology, extent to which IT assets are protected, and the level of assurances required.
• Resource management: Optimizing knowledge and IT infrastructure: making optimal investments and assuring the best use and allocation of IT resources (people, applications, technology, facilities, data) in serving the needs of the company and its value chain. The board assures that leadership, recruitment, retention, and training are in place and that appropriate facilities support the ability to meet requirements. This is an important area, as human resources are the largest cost line item and the most valuable asset in most companies. The asset portfolio is the largest area of expenditure for most companies; therefore, effective control of baseline operations through performance metric tools such as business-oriented service-level agreements provides the basis for effective oversight and monitoring of both internal and outsourced IT services, balancing the cost of infrastructure assets against the quality of service required. Effective management of the life cycle of hardware, software licenses, service contracts, and permanent and contracted human resources is a critical success factor.
• Performance management: Tracking project delivery and IT infrastructure, pertaining to both tangible and intangible assets. Balanced scorecards are an effective performance management system, providing a holistic short-term
