IT Essentials — Introduction to IT
it may simply reside on spreadsheets maintained by multiple administrators. My team has
documented seven governance risks that I will take you through now.
Governance Risk One
Roman: Let me start with the one my team ranked highest.
IT strategy and direction are misaligned with the business or organization’s strategy. Often, the
technology road map is designed to improve the current business model and operations or is
focused on IT infrastructure initiatives, but not to enable or accommodate potential future business
objectives or models. If adaptability and flexibility are ignored, competitiveness and innovation may
be hindered.
Sally: Past audits have indicated variation between the technology road map and the product road
map, which led to funding issues and product launch delays.
Governance Risk Two
Roman: That brings us to our second item in the register.
IT leadership does not have a seat at the table when business strategy is being developed, or is not
part of the decision-making process on business direction. IT may be excluded in business strategy
development. Failure to engage information security and IT early in planning stages may result in an
increased risk for adverse consequences, such as additional costs, reduced performance, regulatory
fines and penalties, and even increased threat of inappropriate data/information exposure.
Sally: That makes sense. IT leadership does need to understand the intent of business and business
needs to ensure the data and information assets are properly secured.
Governance Risk Three
Roman: Yes. The collaboration between business and IT is critical. Both teams need to collaborate
not only from the strategic perspective but also from the tactical perspective. Let me explain.
Roman: The use of “rogue IT.” The concept of rogue IT, also known as end-user computing or
“shadow IT,” occurs when anyone in the organization uses technology that is not sanctioned or even
known to IT. This is a significant risk when an organization has multiple business units, locations,
campuses, or subsidiaries.
Roman: Common instances might include:
• A business unit that purchases and/or uses applications or programs (e.g., an Excel macro), platforms, or infrastructure as a service to better meet their perceived needs, and fails to consult IT leadership and/or follow appropriate governance protocols prior to proceeding with implementation.
Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.