Achieving Good IT Governance
Mike O’Hehir, Principal at OCM
Many organisations are operating at a highly dynamic pace and rely heavily on their information technology (IT) operations. In order to be successful, these organisations must understand and be able to manage and govern their IT operations effectively. Otherwise, the chance of survival is slim.

Corporate governance requirements from government bodies and organisations, and of course the specific governance requirements of the Sarbanes-Oxley Act, make corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of internal controls over financial reporting and disclosure. The role of IT is crucial to achieving this objective, as it forms the basis for a sound internal control environment. Good governance requires that management understand the level of IT risk exposure within an organisation and that they build a foundation of internal controls to address these risks.

So how can good IT governance be achieved? Executives and management must now take on the challenge of enhancing their internal control systems to support new levels of compliance. Accordingly, management should consider the following steps to assess IT risk and ensure compliance with good corporate governance:
- Undertake a risk assessment to determine the current state of your IT control environment and to identify the key risks associated with IT use. Risk information helps define the level of control required.
- Assess the level of controls now implemented in your organisation. This will help you understand your current control readiness to address these risks.
- Perform a gap analysis between the current level of controls and the additional / enhanced controls that are now required to mitigate the key risks that threaten your organisation.
- Define an action plan to achieve a level of control that aligns with the level of risk.
- Close the gap by implementing an appropriate internal control structure over the IT environment.
The process to enhance internal control systems will create lasting benefits. In particular, organisations can seize the opportunity to turn compliance into competitive advantage by establishing strong governance models designed to ensure accountability and responsiveness to business requirements. Building a strong internal control programme within IT can help do the following:
- Enhance overall IT governance.
- Enhance the understanding of IT among executives.
- Make better business decisions with higher quality and more timely information.
- Align project initiatives with business requirements.
- Reduce the loss of resources and the probability of a system breach.
- Contribute to meeting other regulatory requirements, such as privacy.
- Gain competitive advantage through more efficient and effective operations.
- Optimise operations with an integrated approach to security, availability and processing integrity.
- Enhance risk management competencies and prioritisation of initiatives.
If you’re now wondering if your organisation is exposed to risk and to what extent, take the following quick quiz and find out…