Posts Tagged ‘IT’

The importance of IT General Controls

August 30, 2021 8 comments

Matt Kelly of Radical Compliance has shared an interview he had with a couple of people from the IIA about IT General Controls (ITGC). It’s in a podcast that you can find, with a write-up, here.

Matt’s piece is worth reading, although I have slight disagreements with these comments:

IT now drives business functions — so your ability to understand and assess IT risk is essential to govern operational, finance or compliance risks as well. You can’t assess and manage those risks independent of considering how IT systems support those business processes, and how weaknesses in IT control might undermine them too.

My problem, slight as it may be, is with the very first part, that “IT drives business functions”. It certainly should not!

Technology supports business functions, as the last part of the excerpt correctly states.

It is important to understand that, similarly, risks to IT processes, systems, and assets only matter in terms of how they affect business risks, and enterprise business risks at that.

In order to understand ITGC as a source of business risk, you need to understand how business controls rely on technology, and then how weaknesses in ITGC processes could affect the continued and proper functioning of the automated parts (including the reports) of the controls in business processes that are relied upon to manage business risks.

The IIA has a proven and broadly-adopted methodology for understanding ITGC-related risks as they relate to SOX in the GAIT Methodology (available to IIA members)[1]. It is considered recommended guidance – and I certainly recommend it[2].

The other thing that Matt says as an offhand comment is:

I understand the IIA’s commercial interest in talking up the need for better knowledge of ITGCs, since selling training and certifications is what the IIA does.

That is not “what the IIA does”. The IIA supports the profession of internal auditing and one of the ways it does that is by providing training and certification. It is not a commercial, for-profit organization.

One new training course provided by the IIA is a half-day session on IT General Controls. I realize you can only cover so much in a half day, but I am very surprised that GAIT is not mentioned.

The GAIT Methodology is only one of three GAIT family methodologies (all of which are hidden, so I will share the links). The other two pieces of recommended guidance are:

You can also find a very useful FAQ on their web site.

Please note that the GAIT Methodology family dates back to 2007 and 2008, but the content is not at all dated – only the references to the PCAOB standards, which have been updated.

There is one more point to be made: increasingly, technology does more than support business processes. It is an essential component of an organization’s products (think of a smart refrigerator or car) and equipment (advanced manufacturing). ITGCs are critical to understanding the related risks here as well.

I hope you enjoy these materials. Please share your comments.

[1] In the past, it was easy to find in the section of the IIA website under Standards and Guidance, and Technology. Now it is essentially hidden from view, so you find it either with a search or using the link I provided.

[2] I should: I am the author.


Assessing and addressing technology risk

June 10, 2021 5 comments

One of my frustrations over the years has been that those involved in addressing technology (or IT) risk, and in auditing it, continue to see it in a silo.

About 15 years ago, I was on a team of practitioners developing guidance for auditors (the GAIT Methodology, which continues to be recommended guidance by the IIA). One of the team members was Jay Taylor, head of IT Audit for GM at that time (later their CRO). He said something that resonates today:

“There is no such thing as IT risk, only business risk.”

We should not be concerned specifically with risk to systems availability, access, security, etc. or even to information assets. What we should be concerned with is risk to the business and the achievement of its objectives.

Any technology risk assessment should be made in terms of the potential effect on the business, not any effect on IT assets or goals.

Yet guidance from ISO, NIST, and FAIR continues to focus on the silo, not the whole business. It does not enable risks arising from technology-related issues to be measured against technology-related rewards, or against other sources of business risk. It doesn’t enable decisions to be made about where scarce resources are best invested: for example, addressing ransomware risks or the possibility of being late to market with new products. After answering such strategic questions and determining the level of resources that should be spent on addressing cyber, for example, it is time to look inside the silo and decide in more detail and specificity where those resources should be focused.

I addressed this in Making Business Sense of Technology Risk, in many ways my most difficult book to write and which should be eye-opening to many IT risk and audit practitioners. Fortunately, I had an all-star cast of practitioner reviewers!

But the world continues to focus on IT risk instead of business risk.

Consider a recent piece from KPMG: IT Internal Audit Planning for 2021. While it has some interesting and useful observations about what is inside the silo, it recommends that IT audit practitioners focus there instead of the larger business – the context within which IT operates and serves.

For example, KPMG says:

IT Internal Auditors must stay aware of, and align themselves to, the IT transformation activities across the organization to stay relevant.

While this is true, what is more important is for all internal auditors, not just those who specialize in technology, to understand how the business is transforming! Auditors (and risk practitioners) should look to the future and understand how technology can and should be deployed for current and future benefit.

In other words, understand the strategic plans and initiatives of the enterprise and then consider how technology is and will be used.

Only now can technology-related risks to the business be identified and assessed – in terms of achieving those strategic plans and related objectives.


The other point I would make, which is overlooked by far too many, is that talking about “IT” is limiting. It is far better to talk about technology, which extends beyond the scope and control of IT management. Technology is being deployed in manufactured products as well as the equipment used to make them.


Technology should not be assessed in a silo.

We should not be talking about IT audit planning but planning for the entire internal audit organization. Often, I had integrated teams of operational and technology auditors working on major system development projects. And… planning should be continuous.

Staffing needs to be done with care. You need people who can see the big (business) picture as well as people with the technical skills for the technology of today and tomorrow.


I welcome your thoughts.

IT audit and IT risk

November 5, 2020 3 comments

I have to admit, I was a halfway decent senior financial auditor with (what is now) PwC. I was no star. But my life as a recently qualified chartered accountant changed when I was given a couple of career choices.

The first was to follow my heart and relocate to the Paris office. I loved France (and French women, let alone the food), having spent multiple summers there with French families or working in a warehouse in the East of Paris.

The second was to follow my head.

I had been a guinea pig in an experiment involving flowcharting and evaluating the controls over a client’s computer systems. It was weird: I had done my best with the new purple Internal Control Questionnaires (ICQs), but both they and the flowcharts could hardly be seen under the barrage of critical review comments and corrections by the Computer Audit Group (CAG). When I met with the CAG Supervisor to hear in person what he had to say about my pitiful attempt, I have to admit being more than a little upset by his harsh words. He asked if I had listened to a word of the training – and I replied that I had not received any training at all! He went from my greatest critic to an admirer, saying that while I had messed everything up it was a great job for somebody with zero experience or training.

Shortly after that strange episode, I met with my manager and he told me that in addition to the opportunity to move to France, I also had an offer to join CAG as a senior computer auditor.

It was a tough decision but CAG was a life-changing experience.

The trainers at the introductory training (CAG College) saw something in me. Even though I had no programming background and was learning COBOL for the first time, they asked me to become the technical expert. In addition to helping others with their COBOL programs, I was to research new developments in technology and interpret how they might affect our clients and our audits.

I fell in love with technology and it changed my life. I was promoted to manager and then senior manager very quickly (I believe I was the youngest manager in the firm at that time).

After I left PwC, it didn’t take long before I was able to move from IT audit to a VP position in IT with responsibility for multiple areas including information security. I hoped to become a CIO. But life intervened and the company I was with outsourced IT and I moved to a new company as CAE.

As CAE, as much as 25% of my team were IT auditors!

I am sharing this to explain why technology, its management and audit, has always been dear to my heart. I am no longer the techie that I was; I now have more of a business executive perspective.

So when I see interesting articles on IT risk and IT audit, my passion resurfaces.

I have known Matt Kelly for many years from when he ran Compliance Week. He is now the Editor and CEO of Radical Compliance, a newsletter I enjoy.

He has penned a piece for Galvanize, a “GRC” software vendor. The article is A better approach to managing IT risk.

Unfortunately, I cannot recommend the article. It has far too much of a compliance focus for me (understandable, since that is Matt’s professional focus and background).

I will just pick out a few statements for comment.

The article starts with this assumption and following statement:

IT security is fundamental to achieving business objectives—which means that understanding and managing IT risk is also fundamental to achieving business objectives.

This is because IT risk evolves across two fronts:

    1. The constantly growing number of regulations that govern issues like privacy or system integrity
    2. The always-shifting design of IT systems themselves.

What is wrong with that?

  • IT security’s potential effect on business objectives varies from organization to organization. Unfortunately, most do not assess how a breach could affect those business objectives (which is why I wrote a book about it). For some, it is huge; for others, not so much.
  • IT risk is far broader than IT security. It includes any failure in the use (or misuse) of technology, including such issues as:
    • The availability of the systems and so on relied on to support business operations
    • The availability of the systems relied on for delivery of services to customers
    • The quality of both, including providing the functionality needed by the business
    • The reliability of those systems to deliver what is needed when it is needed, etc.
    • The ability to support an agile organization
  • Few perform the quality assessment of technology-related risk and opportunity sufficient to make informed and intelligent business decisions. They assess risk to information assets instead of risk to business objectives.
  • There is no such thing as “IT risk”, only business risk (to quote Jay Taylor, former head of IT audit and then CRO at GM).
  • Sometimes, taking more IT-related risk (because of the opportunities) is the right business decision.
  • There are many other factors that can change IT-related business risk, such as a change in the business or an acquisition, a desire for new software by the business, an increase in software purchased or subscribed to directly by the user, an increase in the volume of network traffic that threatens reliability, the loss of maintenance support by a vendor, rapid testing of application changes, operating system changes, the delay of a major systems project, and so on.

Matt doubles down with (emphasis added):

One way a company ends up with too much IT risk is to let those IT systems fall out of compliance with regulatory obligations. Even worse: as we look at the business landscape today, it’s also painfully clear that this is becoming the primary way a company ends up with too much IT risk, too.

Compliance is probably the least concern for CIOs outside financial institutions.

If you want to understand “IT risk” it starts with understanding the reliance placed on technology by the business. Ask:

  • What needs to go right (when it comes to the use of technology) if we are to achieve our objectives?
  • What could go wrong in such a way that it imperils the achievement of objectives?

But management should be the one understanding and assessing risk, including risk related to technology.

While internal audit needs to understand technology-related risk (a far better term than IT risk, since technology is not managed only by the IT function), that is for audit planning purposes. It shouldn’t be for reliance by operating management – even though that is what Matt is saying in his article.

In fact, internal audit should be assessing how well management understands and addresses business risk, including but not limited to technology-related risks and opportunities.

IT audit and the understanding and management of technology-related risks and opportunities are very important (and dear to my heart).

But please, start with understanding the business and how it relies on technology.

Then ask those two questions:

  • What needs to go right (when it comes to the use of technology) if we are to achieve our objectives?
  • What could go wrong in such a way that it imperils the achievement of objectives?

Obtain answers that are ‘valued’ based on how they might affect the achievement of business objectives.

IT auditors: the best ones are those who not only have technology skills but have a deep understanding of the business.

Above all, there is far more to technology-related risk than information security.

I welcome your thoughts.

The latest information on cyber

September 20, 2020 1 comment

The Australian Cyber Security Centre (ACSC) has published its annual Cyber Threat Report. The ACSC is an operational arm of the Australian government. It is responsible for “strengthening the nation’s cyber resilience, and for identifying, mitigating and responding to cyber threats against Australian interests. The ACSC also manages ReportCyber on behalf of federal, state and territory law enforcement agencies, providing a single online portal for individuals and businesses to report cybercrime.”

Over the year ended June 30th 2020, they “responded to 2,266 cyber security incidents and received 59,806 cybercrime reports at an average of 164 cybercrime reports per day, or one report every 10 minutes.”

Of the cyber security incidents, 803 (35.4%) were reported by government agencies. Healthcare was the sector with the next highest level of incidents at 164.

To put those statistics into context, according to the Australian government, as of June 30, 2019 there were “2,375,753 actively trading businesses in the Australian economy”. Of those, 141,628 were in healthcare.

So, excluding the incidents reported by government agencies, there were roughly 0.6 security incidents reported per thousand businesses, and 1.2 per thousand in healthcare.

Cybercrime is a very broad category, including not only fraud but also online bullying and the sharing of intimate images or videos. It is not clear from the report how many of these targeted individuals rather than businesses or government agencies.

It is also unclear what the impact has been of cyber breaches, ransomware attacks, etc.

The ACSC report references a Microsoft-commissioned study from 2018. That study said:

…more than half of the organisations surveyed in Australia have experienced a cybersecurity incident (55%) in the last five months while 1 in 5 companies (20%) are not sure if they have had one or not as they have not performed proper forensics or a data breach assessment.

…a large-sized organisation (over 500 employees) in Australia can incur an economic loss of AU$35.9 million if a breach occurs. The economic loss is calculated from direct costs, indirect costs (including customer churn and reputation damage) as well as induced costs (the impact of cyber breach to the broader ecosystem and economy, such as the decrease in consumer and enterprise spending).

Fear and doubt surrounding cybersecurity incidents are undermining Australian organisations’ willingness to capture opportunities associated with today’s digital economy, with 66% of respondents stating that their enterprise has put off digital transformation efforts due to the fear of cyber-risks.

Microsoft says “the potential direct economic loss of cybersecurity incidents on Australian businesses can hit a staggering AU$29 billion per year, the equivalent of almost 2% (1.9%) of Australia’s GDP. Direct costs refer to tangible losses in revenue, decreased profitability and fines, lawsuits and remediation.”

But that is simply the potential, a projection of some sort. Is it a credible number or a scare number? What is the likelihood of losses that high? You can decide for yourself, but I just don’t see 2% of a nation’s GDP being lost to cyber.

Microsoft bemoans “fear and doubt” but they are stoking it!

We need, as I have said many times, to assess for ourselves how a breach could affect our businesses and the achievement of our objectives.

There will be a range of potential effects, from trivial to major. Each point in that range has its own likelihood.

Don’t assess cyber or any other source of business risk using a single point in that range. Consider that entire range and whether it is acceptable.

If it is not acceptable, then consider what defense, detection, response, and preparedness you need to bring it down to where you are willing to take the risk. Consider whether the cost is justified based on the risk reduction – given that there are other uses for those resources.

Everybody should gauge the level of resource that should be applied to cyber based on their organization’s specific circumstances.

Don’t spend more than the risk merits – but spend enough.

What do you think?

Cyber and reputation risk are dominoes

February 18, 2017 12 comments

Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.

I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.

The authors (Fitzsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.

Humans as a root cause is also a topic I cover in World-Class Risk Management.

As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.

The same thing applies to cyber risk and even compliance risk.

They are all dominoes.


A case study:

  • There is a possibility that the manager in HR that recruits IT specialists leaves.
  • The position is open for three months before an individual is hired.
  • An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
  • A system vulnerability remains open because there is nobody to apply a vendor’s patch.
  • A hacker obtains entry. CYBER RISK
  • The hacker steals personal information on thousands of customers.
  • The information is posted on the Internet.
  • Customers are alarmed. REPUTATION RISK
  • Sales drop.
  • The company fails to meet analyst expectations for earnings.
  • The price of the company’s shares drops 20%.
  • The CEO decides to slash budgets and headcounts by 10% across the board.
  • Individuals in Quality are laid off.
  • Materials are not thoroughly inspected.
  • Defective materials are used in production.
  • Scrap rates rise, but not all defective products are detected and some are shipped to customers.
  • Customers complain, return products and demand compensation. REPUTATION RISK
  • Sales drop, earnings targets are missed again, and …….
  • At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
  • The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
  • Multiple breaches are not detected. CYBER RISK
  • Hackers steal the company’s trade secrets.
  • Competitors acquire the trade secrets and are able to erode any edge the company may have.
  • The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
  • Sales drop. Earnings targets are not achieved, and……..

It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.

But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.

One decision at a low level in the company can have a domino effect.

Consider this slide deck by ERM Strategies, Inc. about the Deepwater Horizon disaster.

I welcome your comments.

The risk of an ineffective CIO

February 28, 2015 1 comment

According to McKinsey, “executives’ current perceptions of IT performance are decidedly negative”. An interesting piece, Why CIOs should be business-strategy partners, informs us that the majority of organizations are not benefitting from an effective CIO, one who not only maintains the infrastructure necessary to run the business but also works with senior management to drive new business strategies.

Why worry about the “big” risks on the WEF or Protiviti list when the “small” risks that let your business survive and thrive are huge?

For example, the survey behind the report found that:

  • “…few executives say their IT leaders are closely involved in helping shape the strategic agenda, and confidence in IT’s ability to support growth and other business goals is waning”.
  • “IT and business executives still differ in their understanding of the function’s priorities and budgets. Nearly half of technology respondents see cost cutting as a top priority—in stark contrast to the business side, where respondents say that supporting managerial decision making is one of IT’s top priorities.”
  • “In the 2012 survey on business and technology, 57 percent of executives said IT facilitated their companies’ ability to enter new markets. Now only 35 percent say IT facilitates market entry, and 41 percent report no effect.”

With respect to the effectiveness of traditional IT functional processes, few rated performance as either completely or very effective:

  • Managing IT infrastructure – 43%
  • Governing IT performance – 26%
  • Driving technology enablement or innovation in business processes and operations – 24%
  • Actively managing IT organization’s health and culture (not only its performance) – 22%
  • Introducing new technologies faster and/or more effectively than competitors – 18%

There was a marked difference when the CIO is active. “Where respondents say their CIOs are very or extremely involved in shaping enterprise-wide strategy, they report much higher IT effectiveness than their peers whose CIOs are less involved.” McKinsey goes on to say:

“We know from experience that CIOs with a seat at the strategy table have a better understanding of their businesses’ near- and longer-term technology needs. They are also more effective at driving partnerships and shared accountability with the business side. Unfortunately, CIOs don’t play this role of influential business executive at many organizations. The results show that just over half of all respondents say their CIOs are on their organizations’ most senior teams, and only one-third say their CIOs are very or extremely involved in shaping the overall business strategy and agenda.”

The report closes with some suggestions. I like the first one:

“The survey results suggest that companies would do well to empower and require their CIOs and other technology leaders to play a more meaningful role in shaping business strategy. This means shifting away from a CIO with a supplier mind-set who provides a cost-effective utility and toward IT leadership that is integrated into discussions of overall business strategy and contributes positively to innovating and building the business. Some ways to encourage such changes include modifying reporting lines (so the CIO reports to the CEO, for example, rather than to leaders of other support functions), establishing clear partnerships between the IT and corporate-strategy functions, and holding both business and IT leaders accountable for big business bets.”

Is your CIO effective, both in supplying the infrastructure to run the business and in working in partnership with business leaders to enable strategic progress?

Is this a risk that is understood and being addressed?

I welcome your comments.

KPMG and I talk about changes at the Audit Committee meeting

February 21, 2015 11 comments

I am used to seeing some new thinking from our Canadian friends. That is hardly the case when you look at a recent publication from KPMG Canada, Audit Trends: The official word on what’s changing and how audit committees are responding.

That title not only sets the expectations high, but sets KPMG up for a fall.

This is how they start us off, with an astonishing headline section:


These include CFO succession management; forecasting & planning; liquidity; M&A; environmental, social and governance factors; fraud and more.

My first audit committee meeting, as the chief internal auditor, was about 25 years ago. If memory serves me well, the only audit committee meetings that focused only on “financial statements, reporting, and internal controls over financial reporting” over those 25 years were short calls to review earnings releases, and so on. Not a single in-person meeting was limited to these few topics.

KPMG continues:


Sorry, KPMG, but the world does not spin around the axis of the CPA firm.

Here’s another silly profundity, a highlighted quote from the Vancouver practice leader:

“Organizations today rely heavily on technology to manage internal processes and external customer relationships, it is therefore essential for ACs to understand what management is doing to mitigate IT risks.”

In 1990, my company was totally reliant on technology. Not only was it relied upon for internal business processes, but our oil refineries were highly automated. So-called IT risks (so-called, because the only risks are risks to the business – which may come from failure in the use or management of technology) were so extensive that I dedicated a third of my budget to IT audit. Going back even further, the savings and loan companies I worked for in the mid to late-1980s relied “heavily on technology to manage internal processes and external customer relationships”.

So what are the changes that should be happening at the audit committee? Here are six ideas:

  1. The audit committee should be asking management to provide assurance that it has effective processes for addressing risk (both threats and opportunities) as it sets strategies and plans, monitors performance, and runs the business every day. The audit committee should not be limited to a review of the “risk du jour”; it should require that management explain how it has embedded the consideration of risk into the organization’s processes and every decision.
  2. The audit committee should insist that it obtain a formal report, at least annually, from the chief audit executive, with an assessment of the adequacy of management’s processes for managing risk, including the adequacy of the controls over the more significant risks.
  3. With the enormous potential for both harm and strategic value of new, disruptive technology, the audit committee can help the full board by challenging management on its approach to new technology. Does the IT function have the agility, resources, and capability to partner with the business and take full advantage of new technologies, while managing downside risk?
  4. Continuing with that theme, is the organization hamstrung by legacy infrastructure and systems that inhibit its agility, its potential for moving quickly as business conditions and opportunities change? Is it able to change systems and processes fast enough?
  5. The COSO 2013 update of the Internal Control – Integrated Framework is an opportunity to revisit a number of issues. One that should be high on the agenda is whether the company is providing decision-makers across the organization, from Strategy-setting to Marketing to Finance to Operations, with the information they need to drive success. This is not just about the deployment of Big Data Analytics, because that is just a tool. It is about (a) understanding what information is available and can be used to advantage, (b) obtaining it at speed, and then (c) delivering it everywhere it should be used in a form that enables prompt use and action.
  6. With all the demands on the audit committee, there is a need to re-examine its composition and processes. Do its members have all the experiences and skills necessary to perform with high quality, addressing issues relating to the management of risk, the use of technology, the changing global world, and so on? Should it receive more periodic briefings from experts on these topics? Do its members even have the ability to dedicate the time they need? Are they receiving the information they need to be effective (studies say they do not)?

If the audit committee is spending more than 20% of its precious time on “financial statements, reporting, and internal controls over financial reporting”, something is seriously wrong.

I welcome your comments – especially on these six suggestions.

Duct tape and IT governance

January 3, 2013 6 comments

The five years I spent as an IT executive (after 10 years in IT audit and before 20 years running internal audit departments) had a lasting influence on my thinking about technology and its management.

I have seen a little good and a lot of bad management.

I have seen very few situations where IT led the organization to strategic excellence and operational quality.

I have seen many situations where IT served as a mechanic, liberally applying duct tape to keep the infrastructure operational. The only relationship they had with the seats at the executive table involved making sure they were well oiled. They didn’t even make sure they were a matched set that looked good together!

Consider these situations:

  • As a member of the Finance leadership team, I called the senior IT director responsible for supporting the CFO and invited her to an offsite meeting. The purpose of the offsite was to lay out a vision for Finance, including how we would leverage the opportunities presented by new and emerging technology. The IT director said she would prefer that we meet without her, decide what we needed, and let her know. She would implement whatever we selected.

I had to explain to her that we needed her to understand what technology, both new and emerging, was available and what it would allow us to do. But she again declined: “Just tell me what you want.”

Not only did we not have her at the strategy table, but she demonstrated no interest in leading the organization.

  • I joined a company where the corporate IT function was engaged in selecting new corporate-wide ERP and supporting software. The latter would be selected not only for its individual functionality, but its ability to integrate with the ERP and other applications.

When the evaluation project was completed, the corporate CIO obtained the approval of the board. However, the company had set up each geographical region with its own CIO, reporting to the region leaders not the corporate CIO. One by one, they all rejected the corporate selection and opted for different solutions – one for each region.

As a result, duct tape was rolled out to bind the regional systems together to deliver fragile enterprise-wide reporting, both operational and financial.

Total cost far exceeded what a corporate solution would have entailed, and the individual ERPs were augmented by a variety of solutions (several for the same purpose) that had tenuous integration with the ERPs and with each other.

  • At a conference, during a presentation I was delivering on the need for timely risk and performance information, one attendee said that he liked my vision but it was impossible for his company. When I asked why, he explained that they had a variety of legacy systems cobbled together with string. There was no way they could replace them with new technology without great risk and an extended timeline. So much for agility!

Consider these questions for your organization:

  1. Does the CIO not only have a seat at the leadership table but occupy it? Is he part of the team that develops strategy and does the company look to leverage technology, with him as visionary, to deliver new services, products, and capabilities to the market?
  2. Do the CIO and his team have effective control over the technology deployed across the organization? Does he even know what is used to run the business, or are business executives’ heads, as well as their apps, ‘in the cloud’? Do they ignore any need to have a consistent technology infrastructure where the needs of the whole take priority over the needs of the individual?
  3. Does the technology deployed across the organization work together without duct tape? Is it clear that it will continue to do so in the future?
  4. When multiple solutions are selected, from different vendors and using different technologies (including different cloud platforms and vendors), how do you expect the information security practitioners to protect the organization?
  5. Does the business trust IT?

Is your CIO a leader or a mechanic?

What are the top issues for IT governance?

June 7, 2011 6 comments

Larry Marks (no relation) has had an article published by ISACA on “top IT governance issues of 2011”. He has a great surname, but I am not persuaded that his points and priorities are so great.

Like Larry, I am a fan of the ISACA/ITGI guidance on IT governance, and his summary of it is excellent – highly recommended (although I even more strongly recommend checking out the complete guidance, available at

He has these as the IT governance issues of 2011:

  • IT risk management
  • The establishment of a governance framework
  • A sense of teamwork and of enterprise
  • Value delivery through IT
  • A more activist information security department and board of directors
  • Cloud computing
  • Continuous auditing and assurance

To pick on a couple: Larry does not (IMHO) emphasize sufficiently the need for risk management within IT to be integrated with and supportive of enterprise or corporate risk management. As Risk IT says (which he references), what is important is the effect that IT-related activities may have on business risks. There are no “IT risks” per se.

Then, why is selection and establishment of a governance framework so critical? I am more interested in results, and here are my top IT governance priorities:

  1. Include IT-related activities to enable as well as support enterprise strategies and goals. Be part of, if not lead, strategy-setting
  2. Provide leadership as technology enables new corporate strategies and initiatives. In these days of mobile computing, cloud, and ‘big data’, IT should be taking the lead to explain what is possible to management – rather than waiting to meet their (ignorant) requirements
  3. Integrate IT risk activities into the enterprise risk management process, and (if necessary and appropriate) take a lead to ensure effective ERM
  4. Ensure that decisions are made on reliable, current, timely, and available (where it is needed, when it is needed) information. Move from managing based on old, inconsistent, and fragmented data to current information that is reliable
  5. Simplify the IT infrastructure, eliminating duplicative or redundant applications and data repositories, to not only contain cost but build the platform for the future
  6. Support all the compliance requirements, preferably through a strategy that relies on a single set of solutions rather than an incompatible rag-bag

Which Marks is right? Or are we both wrong?