IT Essentials — Introduction to IT

            Roman: When protocols are not followed, either deliberately or by an honest mistake, it is an
            indication of poor IT governance and a demonstration of a weak relationship between the business
            function and IT. Business units within an organization should collaborate with IT to ensure the entire
            organization follows established processes for assessing, onboarding, and managing hardware and
            software.

            Governance Risk Four

            Sally: During our audit engagements, the business commonly tells my team they engage in end-user
            computing activities for a variety of reasons:
               •  Our technology solutions have shortcomings.
               •  Using IT to develop reporting takes too long.
               •  Using IT to develop reporting is cost prohibitive with our internal accounting chargeback
                   systems.

            Is there an item in your risk register associated with any of these reasons?

            Roman: Yes, there are actually two entries. I will explain both. Here is the first one, which relates to
            shadow IT (end-user computing).

            The organization perceives IT as an impediment to selecting the best solution or optimizing the
            sourcing of an IT service. The tension that can result when deciding between internally and
            externally delivered IT services can cause significant challenges. These challenges can be overcome
            when IT provides an ROI statement or cost savings potential for their services. This essentially allows
            the internal IT organization to provide the same request for proposal (RFP) that an external vendor
            would, and it allows for a side-by-side comparison, which can then be used to make a well-informed
            decision on the best solution for the organization’s need.

            Governance Risk Five

            Roman: The term, “technology debt” is described as a lack of IT investment; either financially or in
            upgrades, that contributes to inefficiencies, risks (particularly around information security), or lost
            opportunities that can build up over time. This is the second item on our risk register.

            The technology solutions in use are obsolete or poorly maintained.  Ensuring that software and
            infrastructure components are up to date and supported is essential for reliable IT operations.
            Business and IT functions should cooperate to establish adequate maintenance windows to ensure
            updates, patching, and other critical refresh activities are funded and performed in a timely manner.
            Failure to keep technology up to date can result in technology debt. Unrecognized levels of
            technology debt can lead to uninformed decisions, and is often the root cause of operational or
            strategic issues. It is possible for technology debt to be accepted, planned, or even built-in, but when
            doing so, the risks and impacts should be formally understood and accepted by management.



            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.