The most challenging aspect of an IT Governance audit for most enterprises is the fact they don’t have a defined IT governance policy, standard, methodology, or practice to use as a target or baseline. Formal audits are generally conducted to assure compliance to corporate mandates or legal/regulatory requirements. IT governance is not a legal or regulatory requirement per se and few enterprises have taken it upon themselves to establish IT governance policy or standards. Given this omission, against what is the audit being conducted? How can it be fair?
The lack of established enterprise IT governance policies is exacerbated (if not caused) by the fact there is not a singular industry-accepted definition of IT governance - despite the fact ISO published a standard in 2008 (ISO/IEC38500). By ISO’s own admission, the standard is a guideline for “directors” – and they don’t even specifically define who the directors are. I have encountered few organizations who embrace ISO38500 as the benchmark for IT governance. And this is a shame, because the standard is very closely aligned to the original academic views of IT Governance published by the IT Governance Institute (an adjunct of ISACA) in 1998. In my opinion, the ITGI documents on IT governance are still the best you can find on the subject. But even though this collateral has been available for more than 15 years, too few enterprises even know it exists, let alone use it.
The latest on IT governance out of ISACA is their new version of COBIT®. COBIT®5 is specifically intended to be a methodology for Enterprise Governance of IT (simply another name for IT Governance). COBIT®4 was also described as an IT Governance framework, though I always contended it fell short. I believe COBIT®5 squarely hits the IT Governance mark (COBIT®4 glanced it if you added ISACA’s ValIT© and the ISACA IT Risk framework.). One of the reasons COBIT®5 qualifies as a comprehensive approach to IT governance is due to ISACA's laudable decision to merge and enhance their suite of previous IT value and trust documents. That said, it is one huge elephant to eat, as would be any valid IT governance framework. Though COBIT®5 is arguably the richest and most thorough IT governance framework ever developed, good luck dropping it on your CEO’s desk and seeing a smile on his or her face after they fully grasp and appreciate the scope and volume of the solution. It is important to note, COBIT®5 supersedes all other ISACA/ITGI IT governance documentation (which breaks my heart given my fondness for the ITGI documents).
Despite their existence, using either of the aforementioned “standards” to conduct an IT governance audit is patently unfair. Take SOX for example, auditing SOX compliance is not unreasonable because the standard(s) are described in very specific detail and mandated by law. When SOX was first established, the initial audits were used to determine the gap between the existing “unregulated” state, and the SOX mandated state. Companies were given a grace period to meet the standards, and subsequent audits were then used to determine compliance. The point is, today’s SOX audits are “fair” because everyone knows (or should know) what the rules and expectations are. This is not true for IT Governance. I am not aware of a single enterprise that has adopted total compliance to ISO38500 or COBIT®5. And don’t expect this to change any time soon because as I mentioned earlier, there are no legal or regulatory requirements to adhere to either. (I have worked with a number of companies and government agencies that have self-mandated some form of IT governance policies and standards – but describing them as loosey-goosey is a compliment.)
Those enterprises not tempted to use ISO38500 or COBIT®5 to audit their IT governance won’t easily find many other options. The only other two I could find were from The Institute of Internal Auditors Global Technology Audit Guide (GTAG) – Auditing IT Governance, and The King III Code for IT Governance from South Africa.
So how does an enterprise approach auditing their IT governance? The first step is to determine the objectives of the audit,
- Is it to determine if IT governance is meeting requirements? This is the ideal reason to conduct the audit but it is not likely given formally established IT governance requirements are seldom implemented in enterprises today. This blog post is not intended for this incredibly rare circumstance.
- Is it to show IT governance does not exist? This is sometimes the case, but only when an enterprise has some truly savvy IT governance folks in its ranks.
- Is it to show IT governance is not working well? This is the most likely the reason, given IT auditors and risk managers have an awareness of IT governance and many of them want to assure IT governance success. Conducting an audit to show IT governance is not working well is also the most prevalent driver because most organizations are under the impression they have IT governance in place and there is often somebody who believes it isn’t working well. The desired outcome of the audit (or hidden agenda, if you will) is to expose IT governance inadequacies and gain the executive sponsorship, or “hammer,” to drive IT governance improvements.
Whether it is to show IT governance does not exist or is simply not working, conducting an IT governance audit will absolutely expose inadequacies if not outright failures (especially if the enterprise is measured against ISO38500 and COBIT®5). This will inevitably embarrass IT executives – as opposed to the business executives who should be the ones embarrassed. (More on that later in the post.) Embarrassing executives is not a good first step in gaining executive sponsorship.
Even when the IT governance audit is ultimately failed, those embarrassed executives would be right to ask, “So what?” And that ‘so-what’ advocacy is coming from an IT Governance Evangelist, a person convinced nothing contributes more to enterprise information technology business value delivery than IT governance. But that value delivery is only assured if there is executive buy-in AND the right fit and flavor of IT governance for the enterprise in question. Few things are worse than governance for the sake of governance. IT governance is for the sake of enterprise success. NOTHING else. Whether it is ISO38500, COBIT®5, or any other IT governance standard, framework or methodology – it should only be adopted if the enterprise has an acute understanding of the desired business value, and the means to anticipate and measure if the applied approach to IT governance delivers it.
Once an enterprise has determined the objective for the audit they need to answer some fundamental questions,
- “Do we have a defined view of IT governance and a clear understanding of the associated business goals and objectives?” (They need to ask this question whether or not said view is documented in a corporate policy or standard).
- “Have we defined, established, and managed the IT governance mechanisms to achieve those business goals and objectives? (Almost as bad as ‘governance for the sake of governance’ is IT governance that isn’t intelligently designed, thoughtfully implemented, and carefully managed.)
These questions are essential because an organization should only be audited against something they have been given a chance to accomplish in the first place. Again, I have found most enterprises answer the questions above with a reluctant “no”, but that doesn’t mean they should not conduct an IT governance audit.
The best reason and basis for an IT governance audit is to help an enterprise that knows how critical IT governance is to their success take the steps necessary to undergo the IT governance journey in earnest. In this situation an initial IT governance audit can be used to foster the activities required to level-set on a definition, establish a baseline, identify the end goal, and develop the roadmap to get there. Starting with a relatively blank-slate with help mitigate the risk of embarrassing IT leadership while illustrating the fact that IT governance is primarily a business executive function (something lost on most enterprises due to the near universal lack of true IT governance understanding).
So before auditing IT governance, every enterprise should determine and be transparent about whether a defined, communicated, and accepted view of IT Governance exists in the first place. If the answer is yes, it shouldn’t be too difficult to shape and execute the audit. If not, then I highly suggest the enterprise craft its IT governance audit as an ‘educational’ and ‘edification’ effort – vs. a “we’re going to see if you’re doing what you’re supposed to be doing effort.” Done properly, the education and edification will provide the evidence and insight to embark on the IT governance journey and rally everyone in the organization to take the voyage together. Once realized, subsequent audits can be used to determine if the enterprise is hitting the IT governance mark, and measure the incredible business value sound IT governance will undoubtedly deliver.