Dan's Internal Audit Corner
Board Oversight of IT Is Needed
By Dan Swanson
Each month Dan Swanson, a senior security and internal audit professional, will provide his list of recommended resources for AuditNet readers. If you have questions about this page or the links, you can reach Dan at www.securitybenchmark.com and dswanson_2005@yahoo.com.
Traditionally, and rightfully so, the board has focused on governing the organization: ensuring that the right CEO is in place, that the right business strategies have been developed, that performance is reported regularly and trending properly, and that the right questions are being asked of management. Nowadays, the board also needs to ensure that the organization's human resources are being positioned for future requirements, that digital information and assets are being appropriately protected, and that the organization is always progressing!
A basic focus of the board is ensuring corporate viability: protecting and increasing shareholder value. If IT is so critical today to the long-term success of organizations, then the board needs to provide oversight of IT. While the board should not get involved in day-to-day management, it MUST maintain active oversight.
A fundamental question for each organization to investigate and answer is whether board oversight of IT is a "blind side" in board governance or a "non-issue" in that organization. While the answer most likely lies somewhere between these two extremes, it is up to the board to decide its mandate, including its roles, responsibilities, and various oversight processes.
In my view it is always better to proactively decide the board's role going forward than to have it dictated by the next Enron that occurs.
Resources Regarding Board Oversight of IT
Excellent insights from a multi-year study by Deloitte, along with other organizations' research efforts, are available to support the rethinking of the board's role in its oversight of IT. The Deloitte "IT and the Board" survey and roundtable project concluded that IT strategy is increasingly a board topic: because IT strategy is critical to corporate strategy, because in many businesses IT is the business, and because IT spending can be so large that it requires board approval.
1. Information Technology and the Board - "An Insightful Resource"
2. What the Board Needs to Know About IT: Phase II Findings: Maximizing performance through IT strategy.
3. 20 Questions Directors Should Ask About IT (Revised April 2004)
Information technology is a critical part of an organization's internal control and management information system, and ensuring its integrity is an important responsibility for board members. ITAC has compiled 20 key questions directors should ask about IT, covering: strategic planning and technology, performance and personnel issues, internal control issues, risk and security, information privacy, e-business, availability policies, and legal issues.
4. IT Audit Checklist: IT Governance and Strategy
Guidance on assessing the completeness, effectiveness, and sustainability of existing IT governance and strategy. Includes 74 specific checklist items.
5. Governing for Enterprise Security
From the Computer Emergency Response Team (CERT), part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University.
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®