IT Essentials — Introduction to IT

            it may simply reside on spreadsheets maintained by multiple administrators. My team has
            documented seven governance risks that I will take you through now.

            Governance Risk One

            Roman: Let me start with the one my team ranked highest.
            IT strategy and direction are misaligned with the business or organization’s strategy. Often, the
            technology road map is designed to improve the current business model and operations or is
            focused on IT infrastructure initiatives, but not to enable or accommodate potential future business
            objectives or models. If adaptability and flexibility are ignored, competitiveness and innovation may
            be hindered.

            Sally: Past audits have indicated variation between the technology road map and the product road
            map, which lead to funding issues and product launch delays.

            Governance Risk Two

            Roman: That brings us to our second item in the register.
            IT leadership does not have a seat at the table when business strategy is being developed, or is not
            part of the decision-making process on business direction. IT may be excluded in business strategy
            development. Failure to engage information security and IT early in planning stages may result in an
            increased risk for adverse consequences, such as additional costs, reduced performance, regulatory
            fines and penalties, and even increased threat of inappropriate data/information exposure.

            Sally: That makes sense. IT leadership does need to understand the intent of business and business
            needs to ensure the data and information assets are properly secured.

            Governance Risk Three

            Roman: Yes. The collaboration between business and IT is critical. Both teams need to collaborate
            not only from the strategic perspective but also from the tactical perspective. Let me explain.

            Roman: The use of “rogue IT.” The concept of rogue IT, also known as end-user computing or
            “shadow IT,” occurs when anyone in the organization uses technology that is not sanctioned or even
            known to IT. This is a significant risk when an organization has multiple business units, locations,
            campuses, or subsidiaries.

            Roman: Common instances might include:
                       •  A business unit that purchases and/or uses applications or programs (e.g., an Excel
                          macro).
                       •  Platforms or infrastructure, as a service to better meet their perceived needs, fails to
                          consult IT leadership and/or follow appropriate governance protocols prior to
                          proceeding with implementation.



            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.