With the rapid development and advancement of today’s technology, organizations face more than ever the challenges of aligning business and IT strategies, establishing enterprise-wide IT governance, and classifying data. An organization that does not prioritize its IT governance limits its realization of the full benefits. By auditing IT governance implementations, strategies, processes, and controls, organizations can ensure that their IT portfolio is aligned with business goals and objectives.
What is IT Governance (GEIT) and why is it important?
Historically, organizations viewed IT as an unnecessary expense rather than a valuable asset. These days, organizations are recognizing IT as a key factor in gaining a transformative edge over their competition. IT governance, also known as enterprise IT governance or GEIT, delivers value by creating processes to better manage and control key IT investments, decisions, and resources. Because IT governance aligns the business with IT’s goals and objectives, IT is seen as an enabler of the business, not just a technology. Absence or failure of IT governance puts the business at risk of failing to meet its financial goals and objectives.
COBIT, a well-known IT governance framework, describes IT governance (GEIT) through five main principles.
- Meet stakeholder needs.
- Cover the enterprise end to end.
- Apply a single integrated framework.
- Enable a holistic approach.
- Separate governance from management.
Is SOC 2 a governance framework?
A SOC 2 report is commonly described as “a report received by the service organization and shared with stakeholders to demonstrate that common IT controls are in place to protect the services provided.” SOC 2 is generally not considered a compliance framework for IT governance. Digging deeper into the Trust Services Criteria of a SOC 2 report, however, reveals sections that relate directly to IT governance.
Board of Directors and IT Governance
Before exploring this concept, let’s first consider an organization’s board of directors. The board of directors of any organization plays the most important role in the IT governance process, as it has ultimate responsibility and authority over the organization’s IT governance. You might ask yourself, “How can the board influence the control environment of the organization?” or “Are board controls tested in a SOC 2 report?” Board authority ensures proper resource allocation and should be considered part of the management environment. In fact, the SOC 2 criteria specifically test the board’s oversight of an organization’s internal controls.
COSO Principle 2: “The board demonstrates independence from management and monitors the development and execution of internal controls.”
The board also advises on and approves the alignment of business and IT initiatives, goals, and objectives. Unfortunately, most boards do not understand the IT risks and challenges that their organizations face, either because they lack IT knowledge or because they do not understand their organization’s dependence on IT. We often see an organization’s board of directors delegate major IT initiatives and decisions to members of the IT team when the board has yet to recognize the benefits of IT within the organization.
Without this understanding, the board may not be able to provide senior IT management with the insight needed for IT decisions to achieve business initiatives, goals, and objectives. Fortunately, another SOC 2 criterion considers control deficiencies and the communication of risk assessment results to senior management.
COSO Principle 17: “The entity will timely assess and communicate internal control deficiencies to those responsible for taking corrective action, including senior management and the board, as appropriate.”
A constructive relationship between IT senior management and the board of directors should be established to enable effective communication between the business and IT. Without an understanding of the operating effectiveness of the organization’s control environment, the board cannot address control deficiencies, review IT operations, make accurate and clear business decisions, or create and adjust business and IT strategies and objectives. This can also increase the pressure on CIOs to manage and coordinate critical assets themselves.
Communicating IT Governance: Policies and Procedures
COSO Principle 12: “Entities deploy control activities through policies that establish what is expected, and through processes that put policies into action.”
Maintaining up-to-date policies and procedures is the most effective way to communicate control activities, responsibilities, and expected process outcomes and behaviors to employees. Policies and procedures convey the tone of senior management, which drives corporate culture and establishes values and expectations.
An organization cannot consistently predict employee behavior or guarantee that employees will comply with company policies and procedures, but it does not need to rely solely on employees’ acknowledgement of those policies and procedures. It can implement relevant controls to reduce the risk to the business as much as possible. These controls are most commonly applied during the onboarding process, but should also be present at other times. Once IT governance is implemented, IT governance roles and responsibilities can be communicated to employees in the same way. In doing so, IT governance becomes the responsibility of all employees, not just senior management or the board of directors. All operations, processes, and day-to-day employee activities must be consistently aligned with the achievement of the organization’s business initiatives and goals.
Below are examples of IT governance policies and procedures that an organization may require employees and contractors to acknowledge.
- Terms of service
- Information security policy
- Incident response policy
- Data classification policies and procedures
Accountability within the organization
COSO Principle 3: “Management, under the oversight of the Board of Directors, has appropriate authority and responsibility to pursue objectives.”
COSO Principle 5: “The entity holds individuals accountable for their internal control responsibilities in pursuing their objectives.”
Boards and management are first held accountable for the goals and objectives of the business before they can expect employees to be held accountable as well. Boards and management are responsible for formalizing IT-based decision-making and effectively communicating it to employees. Unfortunately, in most organizations, employees are not held accountable for helping the organization achieve its business and IT initiatives and goals, and generally do not understand how to meet stakeholder expectations. Worse, most organizations do not communicate this information to their employees, so most employees are unaware of how their roles and responsibilities help achieve these goals. In order to effectively manage and control IT and human capital, the board, executive team, and IT managers should ensure that employees are held accountable for the organization’s business and IT initiatives. Employees should be included in communication about objectives.
SOC 2 reports typically have several controls that test an organization’s ability to hold employees accountable.
- Written job descriptions, including employment and internal control responsibilities, and prerequisites for the job and function.
- Security training for employees.
- Complete employee performance appraisals with strategically aligned goals and metrics.
In summary, IT governance can be complex when you consider all the individuals in your company and their roles in your organization’s IT governance process. Although SOC 2 is not known as an IT governance audit framework, the report does test an organization’s high-level IT governance controls and processes and provides a basic overview of its IT governance structure.