Corporate governance of information technology

Last updated March 21, 2024

Information technology (IT) governance is a subset discipline of corporate governance, focused on information technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and ISO 9001 Quality management system.

Historically, board-level executives deferred key IT decisions to the company's IT management and business leaders. Short-term goals of those responsible for managing IT can be in conflict with the best interests of other stakeholders unless proper oversight is established. IT governance systematically involves everyone: board members, executive management, staff, customers, communities, investors and regulators. An IT Governance framework is used to identify, establish and link the mechanisms to oversee the use of information and related technology to create value and manage the risks associated with using information technology.

Various definitions of IT governance exist. While in the business world the focus has been on managing performance and creating value, in the academic world the focus has been on "specifying the decision rights and an accountability framework to encourage desirable behavior in the use of IT."^[1]

The IT Governance Institute's definition is: "... leadership, organizational structures and processes to ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."^[2]

AS8015, the Australian Standard for Corporate Governance of Information and Communication Technology (ICT), defines Corporate Governance of ICT as "The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."

Background

The discipline of information technology governance first emerged in 1993 as a derivative of corporate governance and deals primarily with the connection between an organisation's strategic objectives, business goals and IT management within an organization. It highlights the importance of value creation and accountability for the use of information and related technology and establishes the responsibility of the governing body, rather than the chief information officer or business management.

The primary goals for information and technology (IT) governance are to (1) assure that the use of information and technology generate business value, (2) oversee management's performance and (3) mitigate the risks associated with using information and technology. This can be done through board-level direction, implementing an organizational structure with well-defined accountability for decisions that impact on the successful achievement of strategic objectives and institutionalize good practices through organizing activities in processes with clearly defined process outcomes that can be linked to the organisation's strategic objectives.

Following corporate governance failures in the 1980s, a number of countries established codes of corporate governance in the early 1990s:

Committee of Sponsoring Organizations of the Treadway Commission (USA)
Cadbury Report (UK)
King Report (South Africa).

As a result of these corporate governance efforts to better govern the leverage of corporate resources, specific attention was given to the role of information and the underpinning technology to support good corporate governance. It was soon recognized that information technology was not only an enabler of corporate governance, but as a resource, it was also a value creator that was in need of better governance.

In Australia, the AS8015 Corporate Governance of ICT was published in January 2005. It was fast-track adopted as ISO/IEC 38500 in May 2008.^[3]

IT governance process enforces a direct link of IT resources & process to enterprise goals in line of strategy. There is a strong correlation between maturity curve of IT governance and overall effectiveness of IT.

Problems

IT governance is often confused with IT management, compliance and IT controls. The problem is increased by terms such as "governance, risk and compliance (GRC)" that establish a link between governance and compliance. The primary focus of IT governance is the stewardship of IT resources on behalf of various stakeholders whose ranking is established by the organisation's governing body. A simple way to explain IT governance is: what is to be achieved from the leveraging of IT resources. While IT management is about "planning, organizing, directing and controlling the use of IT resources" (that is, the how), IT governance is about creating value for the stakeholders based on the direction given by those who govern. ISO 38500 has helped clarify IT governance by describing a model to be used by company directors.

While directors are responsible for this stewardship it is not unusual to delegate this responsibility to management (business and IT) who are expected to develop the necessary capability to deliver the performance expected. Whilst managing risk and ensuring compliance are essential components of good governance, the primary focus is on delivering value and managing performance (i.e. "Governance, Value delivery and Performance management" (GVP)).

Despite the efforts to manage performance and create value, a study focused on fraud in the UAE demonstrated that corporate governance does not play a major role in reducing fraud, indicating that there is no significant difference in comparison to other traditional techniques for fraud prevention. Researchers have contended that due to this lack of contributions, there should be better oversight from senior management.^[4]

Frameworks

There are quite a few supporting references that may be useful guides to the implementation of information and technology (IT) governance. Some of them are:

AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008
ISO/IEC 38500:2015 Corporate governance of information technology,^[5] (very closely based on AS8015-2005) provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. ISO/IEC 38500 is applicable to organizations from all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
COBIT is regarded as the world's leading IT governance and control framework. COBIT provides a reference model of 37 IT processes typically found in an organization.^[6] Each process is defined together with process inputs and outputs, key process activities, process objectives, performance measures and a maturity model. ISACA published COBIT2019 in 2019 as a "business framework for the governance and management of enterprise IT". COBIT2019 consolidates replaces COBIT 5, which itself replaced COBIT 4.1, Val IT and Risk IT into a single framework acting as an enterprise framework aligned and interoperable with TOGAF and ITIL.
IGPMM- The Information Governance Process Maturity Model^[7] depends on maturing 22 processes that help identify – and improve the management of – information value, cost and risk. CGOC updated the IGPMM in March 2017.^[8] The processes reflect the needs of the key information stakeholders, including legal, records information management (RIM), privacy and security, lines of business and IT. The maturation for each business process moves through four stages:
- Stage 1: Ad hoc and inconsistent
- Stage 2: Siloed and manual
- Stage 3: Siloed, consistent and instrumented
- Stage 4: Integrated, instrumented and optimized

Other frameworks offer a partial view on IT Management & IT Governance Processes:

CMM - The Capability Maturity Model: focus on software engineering
ITIL - Focus on IT Service management
ISO/IEC 20000 - Focus on IT Service management
ISO/IEC 27001 - Focus on Information Security Management
ISO/IEC 27005 - Focus on Information Security Risk Management
ISO/IEC 29148 and IREB - Focus on Requirement Engineering
ISO/IEC 29119 and ISTQB - Focus on Software Testing

Non-IT specific frameworks of use include:

PRINCE2 and PMBOK - Focus on Project Management
ISO 22301 - Focus on Business Continuity
The Balanced Scorecard (BSC) - method to assess an organization’s performance in many different areas
Six Sigma - Focus on quality assurance
The Open Group Architecture Framework (TOGAF) - methodology to align business and IT, resulting in useful projects and effective governance

Professional certification

Certified in the Governance of Enterprise Information Technology (CGEIT) is a certification created in 2007 by ISACA. It is designed for experienced professionals, who can demonstrate 5 or more years experience, serving in a managing or advisory role focused on the governance and control of IT at an enterprise level. It also requires passing a 4-hour test, designed to evaluate an applicant's understanding of enterprise IT management. The first examination was held in December 2008.
COBIT5 Foundation, COBIT5 Assessor and COBIT5 Implementation are certifications created in 2012 by ISACA.

Related Research Articles

Information technology service management (ITSM) are the activities performed by an organization to design, build, deliver, operate and control information technology (IT) services offered to customers.

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

ISACA is an international professional association focused on IT governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only. ISACA currently offers 8 certification programs, as well as other micro-certificates.

AS 8015-2005: Australian Standard for Corporate Governance of Information and Communication Technology is a technical standard developed by Standards Australia Committee IT-030 and published in January 2005. The standard provides principles, a model and vocabulary as a basic framework for implementing effective corporate governance of information and communication technology (ICT) within any organization. The standard was the first "to describe governance of IT without resorting to descriptions of management systems and processes." AS 8105 later became the catalyst and main infrastructure for the creation of the international ISO/IEC 38500:2008 Information technology — Governance of IT for the organization standard.

<span class="mw-page-title-main">Internal audit</span> Independent, objective assurance and consulting activity

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

Data governance is a term used on both a macro and a micro level. The former is a political concept and forms part of international relations and Internet governance; the latter is a data management concept and forms part of corporate data governance.

Governance, risk management and compliance (GRC) is the term covering an organization's approach across these three practices: governance, risk management, and compliance.

Val IT is a governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards at an enterprise level. The latest release of the framework, published by IT Governance Institute (ITGI), based on the experience of global practitioners and academics, practices and methodologies was named Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0. It covers processes and key management practices for three specific domains and goes beyond new investments to include IT services, assets, other resources and principles and processes for IT portfolio management.

SOA Governance is a set of processes used for activities related to exercising control over services in a service-oriented architecture (SOA). One viewpoint, from IBM and others, is that SOA governance is an extension (subset) of IT governance which itself is an extension of corporate governance. The implicit assumption in this view is that services created using SOA are just one more type of IT asset in need of governance, with the corollary that SOA governance does not apply to IT assets that are "not SOA". A contrasting viewpoint, expressed by blogger Dave Oliver and others, is that service orientation provides a broad organising principle for all aspects of IT in an organisation — including IT governance. Hence SOA governance is nothing but IT governance informed by SOA principles.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.

ISO/IEC 27005 "Information technology — Security techniques — Information security risk management" is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information. It is a core part of the ISO/IEC 27000-series of standards, commonly known as ISO27k.

Business–IT alignment is a process in which a business organization uses information technology (IT) to achieve business objectives, such as improved financial performance or marketplace competitiveness. Some definitions focus more on outcomes that means ; for example,

Alignment is the capacity to demonstrate a positive relationship between information technologies and the accepted financial measures of performance.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

ISO/IEC 38500 is an international standard for Corporate governance of information technology published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard is heavily based on the AS 8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology, originally published in January 2005.

Risk IT Framework, published in 2009 by ISACA, provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. It is the result of a work group composed of industry experts and academics from different nations, from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.

In information security, risk factor is a collective name for circumstances affecting the likelihood or impact of a security risk.

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

NIST Cybersecurity Framework (CSF) is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology (NIST) based on existing standards, guidelines, and practices. The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes", in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context. It has been translated to many languages, and is used by several governments and a wide range of businesses and organizations.

References

↑ Weill, P. & Ross, J. W., 2004, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results", Harvard Business School Press, Boston.
↑ "Board Briefing on IT Governance, 2nd Edition" (PDF). IT Governance Institute. 2003. Retrieved June 24, 2014.
↑ Introduction to ISO 38500 ^{[ dead link ]}
↑ Halbouni, Sawsan Saadi; Obeid, Nada; Garbou, Abeer (6 June 2016). "Corporate governance and information technology in fraud prevention and detection: Evidence from the UAE". Managerial Auditing Journal. 31 (6/7): 589–628. doi:10.1108/MAJ-02-2015-1163.
↑ Tranchard, Sandrine (5 June 2008). "ISO/IEC standard for corporate governance of information technology". International Organization for Standardization. Archived from the original on 5 December 2008.
↑ Harguem, Saida (17 January 2021). "A Conceptual Framework on IT Governance Impact on Organizational Performance: A Dynamic Capability Perspective". Academic Journal of Interdisciplinary Studies. 10 (1): 136. doi: 10.36941/ajis-2021-0012 .
↑ Smallwood, Robert F. (2018-10-01). Information Governance for Healthcare Professionals: A Practical Approach. Taylor & Francis. ISBN 9781351339728.
↑ Maher, Heidi (2017-03-03). "New IGPMM Essential in Confronting Data Challenges". Corporate Compliance Insights. Retrieved 2018-11-21.