AICPA Top Technologies 2006— IT Governance

IT Governance, a subset of Corporate Governance, is a concept associated with a holistic approach to the management of IT.

IT governance is a structure of relationships and processes that direct and control the enterprise to achieve its goals by adding value while balancing risk versus return over IT and its processes.

Companies with IT governance have strong IT leadership that is actively involved in supporting all aspects of:
• Operations
• Finance
• Personnel management
• Compliance

The primary driver of IT Governance emergence is the compliance requirements associated with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404).

The ITGI published IT Control Objectives for Sarbanes-Oxley in 2004.

IT Control Objectives for Sarbanes-Oxley focuses on establishing controls to mitigate financial reporting risk.

"Reprinted with permission from AICPA InfoTech Update newsletter, a benefit of the AICPA InfoTech membership section."

Dan Schroeder, CPA, CITP, CISA, CIA
Technology Risk Services

IT Governance is a concept associated with a holistic approach to the management of IT and is often recognized as a subset of Corporate Governance. While 2006 marks the first appearance of this topic on the AICPA's Top Technologies list, the concept is certainly not new.

For example, the IT Governance Institute (ITGI) was established and first published its often-cited IT Governance framework in 1998. Along the way, many other leading professional organizations and research groups also promoted the concept of IT Governance. The ITGI offers this definition: "IT governance is a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes."

The emergence of IT Governance near the top of this year's Top Techs list is a strong indication of how quickly and significantly this concept affects our profession and the role of the IT professional. Clearly, compliance requirements associated with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404) are the primary driver of this emergence of the IT Governance concept. In 2004, the ITGI published IT Control Objectives for Sarbanes-Oxley. This guidance quickly became the de facto worldwide standard for the definition of control objectives and control activities as part of Sarbanes-Oxley compliance.

The guidance represented by IT Control Objectives for Sarbanes-Oxley focuses on establishing controls to mitigate financial reporting risk. However, it also has helped create mainstream awareness of the broader concept of IT Governance. In fact, this guidance was derived from CoBIT, Control Objectives for Information and related Technology, also published by the ITGI. CoBIT is recognized as a leading worldwide framework for IT Governance. Other leading IT Governance frameworks include the IT Infrastructure Library and ISO 17799 (Information Technology - Security Techniques - Code of Practice for Information Security Management).

While IT Governance frameworks can help businesses and organizations address compliance requirements such as SOX 404, the concept is most useful as a means of ensuring that IT is effectively aligned to business requirements and that IT services are delivered cost-effectively. In fact, many businesses and organizations practice IT Governance because it makes good business sense. Businesses that stand to benefit the most from deployment of an IT Governance framework include those where:

  • The use of IT is a core component of the business model. For example, the use of IT is pervasive in the delivery of products and services in industries such as financial services, healthcare, pharmaceuticals and consumer product goods.
  • The use of IT is a primary enabler of efficiency and effectiveness of core processes. For example, over the past decade or more, companies performing manufacturing and distribution have made tremendous investments in IT to streamline and globalize business processes.
  • IT is a primary source of risks, including disruption from change, non-compliance, ineffective controls, missed opportunities and excessive costs. Typically, the more a company uses and depends on IT, the greater the risk IT will represent to the company.

Perhaps the most important element of IT Governance frameworks such as CoBIT is that they provide guidance to help companies effectively deploy IT planning and management into all aspects of the business. Old-school approaches to the management of IT place responsibility for IT solely on the senior IT manager, and that person is not a trusted partner working with the entire senior management team.

Under a new-school "IT Governance approach," IT is an executive management responsibility, not just that of the senior IT manager. IT governance means that IT management partners with executive management from operations, finance, personnel management and compliance to leverage technology to solve business problems, and to take an organized, orchestrated approach to planning and deploying the IT solutions that are most effective for the company.

As a result, effective IT Governance requires strong IT leadership with not just strong technical skills, but great all-around business and people skills.

Companies that deploy IT governance have strong IT leadership that is actively involved in supporting all aspects of operations, finance, personnel management and compliance. Companies that effectively deploy IT Governance carefully consider IT in all strategic planning, operational management, and compliance-related management activities. Effective IT governance also provides for continuous monitoring and evaluation of effectiveness and efficiency.

For more information, visit AICPA's IT Governance Center at http://infotech.aicpa.org/Resources/IT+Governance+and+Regulatory.

About the Author: Dan Schroeder, CPA.CITP, CISA, CIA, is the Partner in charge of the Technology Risk Services practice with Amper, Politziner & Mattia, LLP. Dan manages IT and Corporate Governance initiatives with clients in several industries, including Financial Services, Healthcare, Pharmaceuticals and Consumer Product Goods. Contact him at dschroeder@amper.com.

AICPA's Top Technologies 2006 is a project of the AICPA's Information Technology (IT) Membership Section, and is led by the IT Executive Committee and CITP Credential Committee. For more information on the AICPA's technology initiatives, including Top Technologies, the CITP Credential and the IT Membership Section, visit http://www.aicpa.org/infotech. Any hardware or software products mentioned do not in any way represent an endorsement by the Institute or Section.
