IT Essentials — Introduction to IT
Roman: When protocols are not followed, either deliberately or by an honest mistake, it is an
indication of poor IT governance and a demonstration of a weak relationship between the business
function and IT. Business units within an organization should collaborate with IT to ensure the entire
organization follows established processes for assessing, onboarding, and managing hardware and
software.
Governance Risk Four
Sally: During our audit engagements, the business commonly tells my team they engage in end-user
computing activities for a variety of reasons:
• Our technology solutions have shortcomings.
• Using IT to develop reporting takes too long.
• Using IT to develop reporting is cost prohibitive with our internal accounting chargeback
systems.
Is there an item in your risk register associated with any of these reasons?
Roman: Yes, there are actually two entries. I will explain both. Here is the first one, which relates to
shadow IT (end-user computing).
The organization perceives IT as an impediment to selecting the best solution or optimizing the
sourcing of an IT service. The tension that can result when deciding between internally and
externally delivered IT services can cause significant challenges. These challenges can be overcome
when IT provides an ROI statement or cost savings potential for their services. This essentially allows
the internal IT organization to provide the same request for proposal (RFP) that an external vendor
would, and it allows for a side-by-side comparison, which can then be used to make a well-informed
decision on the best solution for the organization’s need.
Governance Risk Five
Roman: The term “technology debt” is described as a lack of IT investment, either financially or in
upgrades, that contributes to inefficiencies, risks (particularly around information security), or lost
opportunities that can build up over time. This is the second item on our risk register.
The technology solutions in use are obsolete or poorly maintained. Ensuring that software and
infrastructure components are up to date and supported is essential for reliable IT operations.
Business and IT functions should cooperate to establish adequate maintenance windows to ensure
updates, patching, and other critical refresh activities are funded and performed in a timely manner.
Failure to keep technology up to date can result in technology debt. Unrecognized levels of
technology debt can lead to uninformed decisions and are often the root cause of operational or
strategic issues. It is possible for technology debt to be accepted, planned, or even built-in, but when
doing so, the risks and impacts should be formally understood and accepted by management.
Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.