2.4 Information Technology Monitoring and Assurance Practices For Board and Senior Management

Effective IT governance focuses expertise on strategic areas to maximize effectiveness. IT is now integral to organizational strategy, with CEOs, CIOs, and CTOs agreeing strategic IT-business alignment is critical for success. IT governance achieves this by deploying secure, reliable technology to economically and efficiently support enterprise objectives. Shared responsibility between IT and senior management prevents poor decisions and ensures IT supports business goals.


Effective enterprise governance focuses individual and group expertise and experience on specific areas where they can be most effective. Information technology, long considered only an enabler of an organization's strategy, is now regarded as an integral part of that strategy. Chief executive officers (CEOs), chief operating officers (COOs), chief financial officers (CFOs), chief information officers (CIOs) and chief technology officers (CTOs) agree that strategic alignment between IT and enterprise objectives is a critical success factor. IT governance helps achieve this critical success factor by economically, efficiently and effectively deploying secure, reliable information and applied technology. Information technology is so critical to the success of enterprises that it cannot be relegated to either IT management or IT specialists, but must receive the attention of both in coordination with senior management.

A key element of IT governance is the alignment of business and IT, leading to the achievement of business value.

Fundamentally, IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are managed. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise.

2.4 INFORMATION TECHNOLOGY MONITORING AND ASSURANCE PRACTICES FOR BOARD AND SENIOR MANAGEMENT

IT governance implies a system in which all stakeholders, including the board, internal customers and departments such as finance, provide input into the decision-making process.

IT governance is the management system used by directors. In other words, IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment. The directors responsible for this stewardship will look to management to implement the necessary systems and IT controls. While managing risk and ensuring compliance are essential components of good governance, it is more important that governance be focused on delivering value and measuring performance.

IT governance is the responsibility of the board of directors and executive management.

Shared responsibility prevents the IT department from independently making, and later being held solely responsible for, poor decisions. Shared responsibility also prevents critical users from later complaining that the system does not behave or perform as expected. "A board needs to understand the overall architecture of its company's IT applications portfolio. The board must ensure that management knows what information resources are out there, what condition they are in and what role they play in generating revenue."

The purpose of IT governance is to direct IT endeavors to ensure that IT performance meets the
objectives of aligning IT with the enterprise's objectives and the realization of promised benefits.
Additionally, IT should enable the enterprise by exploiting opportunities and maximizing benefits.
IT resources should be used responsibly, and IT risks should be managed appropriately.

Implementing the IT governance framework addresses these two issues by implementing practices that provide feedback on value delivery and risk management. The broad processes are:

• IT resource management, which focuses on maintaining an updated inventory of all IT resources and addresses the risk management process.

• Performance measurement, which focuses on ensuring that all IT resources perform as expected to deliver value to the business and also extends to identifying risks early on. This process is based on performance indicators that are optimized for value delivery and from which any deviation might lead to a materialization of risk.

• Compliance management, which focuses on implementing processes that address legal and regulatory compliance requirements.

2.4.1 BEST PRACTICES FOR IT GOVERNANCE

IT governance integrates and institutionalizes good practices to ensure that the enterprise's IT supports the business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximizing benefits, capitalizing on opportunities and gaining competitive advantage. IT governance is a structure of relationships and processes used to direct and control the enterprise toward achievement of its goals by adding value while balancing risk vs. return over IT and its processes. Use of technology in all aspects of economic and social endeavors has created a critical dependency on information technology to initiate, record, move and manage all aspects of economic transactions, information and knowledge, creating a critical place for IT governance within enterprise governance.

The topics that executive management needs to address to govern IT within the enterprise are described in five focus areas: strategic alignment, value delivery, resource management, risk management and performance measurement (see exhibit 2.2).

IT governance has become significant due to a number of factors:

• Business managers and boards demanding a better return from IT investments (i.e., that IT
deliver what the business needs to enhance stakeholder value)

• Concern over the generally increasing level of IT expenditure

• The need to meet regulatory requirements for IT controls in areas such as privacy and financial
reporting and in specific sectors such as finance, pharmaceutical and healthcare

• The selection of service providers and the management of service outsourcing and acquisition (e.g., cloud computing)

• IT governance initiatives that include adoption of control frameworks and good practices to help
monitor and improve critical IT activities to increase business value and reduce business risk

• The need to optimize costs by following, where possible, standardized rather than specially
developed approaches

• The growing maturity and consequent acceptance of well-regarded frameworks

The five focus areas are:

• Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.

• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.

• Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.

• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.

• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

IT Governance Frameworks

Listed below are examples of IT governance frameworks:

• COBIT was developed by ISACA to support IT governance by providing a framework to ensure that IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risks are managed appropriately. COBIT provides tools to assess and measure the performance of 34 IT processes within an organization.

• The ISO/IEC 27001 (ISO 27001) series of standards is a set of best practices that provides guidance to organizations implementing and maintaining information security programs. ISO 27001 originally was published in the United Kingdom (UK) as British Standard 7799 (BS7799) and has become a well-known standard in the industry.

• ITIL was developed by the UK Office of Government Commerce (OGC), in partnership with the IT Service Management Forum, and is a detailed framework with hands-on information regarding how to achieve successful operational service management of IT.

• The IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs (known prior to 2005 as the IT Baseline Protection Manual), are a collection of documents from the German Federal Office for Security in Information Technology (BSI). The documents are useful for detecting and combating security weak points in the IT environment. The collection encompasses over 3,000 pages.

• The Information Security Management Maturity Model (ISM3) is a process-based ISM maturity model for security.

• AS8015-2005 is the Australian standard for corporate governance of information and communication technology. AS8015 was adopted as ISO/IEC 38500 in May 2008.

• ISO/IEC 38500:2008 Corporate governance of information technology (very closely based on AS8015-2005) provides a framework for effective governance of IT. ISO/IEC 38500 assists those at the highest organizational level to understand and fulfill their legal, regulatory and ethical obligations in respect to their organization's use of IT. ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient and acceptable use of IT within their organizations.

Audit Role in IT Governance

Enterprises are governed by generally accepted good or best practices, ensured by the establishment of controls. Good or best practices guide organizations in determining how to use resources. Results are measured and reported, providing input to the cyclical revision and maintenance of controls.

Similarly, IT is governed by good or best practices which ensure that the organization's information and related technology support the enterprise's business objectives (i.e., strategic alignment), deliver value, use resources responsibly, manage risks appropriately and measure performance. IT is now intrinsic and pervasive within enterprises rather than being a separate function marginalized from the rest of the enterprise. How IT is applied within the enterprise will have an immense effect on whether the enterprise will attain its mission, vision or strategic goals. For this reason, an enterprise needs to evaluate its IT governance since it is an important part of the overall enterprise governance.

Audit plays a significant role in the successful implementation of IT governance within an organization. Audit is well positioned to provide leading practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiatives implemented.

As an entity that monitors compliance, audit helps ensure compliance with IT governance
initiatives implemented within an organization. The continual monitoring, analysis and evaluation
of metrics associated with IT governance initiatives require an independent and balanced view to
ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT
processes and associated IT governance initiatives.

2.4.3 IT BALANCED SCORECARD

The IT balanced scorecard (BSC) is a process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes. The technique goes beyond the traditional financial evaluation, supplementing it with measures concerning customer (user) satisfaction, internal (operational) processes and the ability to innovate. These additional measures drive the organization toward optimum use of IT which is aligned with the organization's strategic goals, while keeping all evaluation-related perspectives in balance. To apply the BSC to IT, a three-layered structure is used in addressing four perspectives:

• Mission—for example:

– Become the preferred supplier of information systems.


– Deliver economic, effective and efficient IT applications and services.

– Obtain a reasonable business contribution from IT investments.

– Develop opportunities to answer future challenges.

• Strategies—for example:

– Develop superior applications and operations.

– Develop user partnerships and greater customer services.

– Provide enhanced service levels and pricing structures.

– Control IT expenses.

– Provide business value to IT projects.

– Provide new business capabilities.

Analysis of Steering Committee Responsibilities

IT Strategy Committee

Responsibility:

• Provides insight and advice to the board on topics such as:

- The relevance of developments in IT from a business perspective

- The alignment of IT with the business direction

- The achievement of strategic IT objectives

- The availability of suitable IT resources, skills and infrastructure to meet the strategic objectives

- Optimization of IT cost, including the role and value delivery of external IT sourcing

- Risk, return and competitive aspects of IT investments

- Progress on major IT projects

- The contribution of IT to the business

- Exposure to IT risks, including compliance risks

- Containment of IT risks

- Direction to management relative to IT strategy

- Drivers and catalysts for the board's IT

Authority:

• Advises the board and management on IT strategy

• Is delegated by the board to provide input to the strategy and prepare its approval

• Focuses on current and future strategic IT issues

Membership:

• Board members and specialist non-board members

IT Steering Committee

Responsibility:

• Decides the overall level of IT spending and how costs will be allocated

• Aligns and approves the enterprise's IT architecture

• Approves project plans and budgets, setting priorities and milestones

• Acquires and assigns appropriate resources

• Ensures projects continuously meet business requirements, including reevaluation of the business case

• Monitors project plans for delivery of expected value and desired outcomes, on time and within budget

• Monitors resource and priority conflict between enterprise divisions and the IT function as well as between projects

• Makes recommendations and requests for changes to strategic plans (priorities, funding, technology approaches, resources, etc.)

• Communicates strategic goals to project teams

• Is a major contributor to management's IT governance responsibilities and governance practices

Authority:

• Assists the executive in the delivery of the IT strategy

• Oversees day-to-day management of IT service delivery and IT projects

• Focuses on implementation

Membership:

• Sponsoring executive

• Business executives (key users)

• CIO

• Key advisors as required (IT, audit, legal, finance)
