Page 86 - CITP Review

IT governance and strategy
            Role of IT governance within an organization

            IT governance is a critical success factor for the control environment, if it is relevant to the entity. That would
            be true if the entity has major IT projects on a regular basis; writes its own software or modifies software;
            has risky IT projects, such as major changes to core, critical applications; has a high level of IT
            sophistication (and likely also a medium level of IT nature and complexity); or has operations that are
            highly reliant on IT. Even in the smallest of entities, or at the lowest levels of IT sophistication, some form of IT
            governance principles should be employed.

            For instance, there should be a formal basis for updating and replacing the entity's commercial, standard IT. IT
            governance is simultaneously a process, a formal structure, and a monitoring system.¹
            Assuming the entity needs it, IT governance plays a role in an effective control
            environment. The IT Governance Institute (ITGI) defines IT governance as:

                    … a set of principles to assist enterprise leaders in their responsibility to ensure that IT is aligned
                   with the business and delivers value, its performance is measured, its resources properly
                   allocated, and its risks mitigated.

            The P&P should describe the specific nature of the structure for IT governance. It could be an IT expert
            on the board of directors (BoD), and possibly a BoD subcommittee. It could be a cross-functional team
            that oversees critical aspects of the IT function and reports to the BoD at each meeting. It could take
            other forms as well. Evidence of the presence of the structure should be determinable from a review of
            the P&P and an interview with the chief information officer (CIO) or the manager of the IT function.

            An assessment of how effective that structure is would involve gathering evidence of the
            processes involved and measuring results against the five objectives in the definition. The substance of
            the IT governance process should be to meet the objectives stated in the definition. That generally
            involves capital budgets, regular reviews of the IT portfolio, the engagement of the BoD, and best
            practices for project management, change management, and IT governance in general.
            ¹ IT governance (ITG) and project management (PM) have dual roles in the control environment and change
            management elements of ITGCs. For the sake of making the distinction, the control environment would focus on
            the structure (presence and form) of ITG and PM, and the stated objectives of those structures. Change
            management would focus on the processes of the two, what is done, compliance with the principles of ITG and PM,
            and how well they meet their control environment (P&P) objectives in their application.


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-2