The increasing profiles of new regulations like the Companies and Sarbanes-Oxley Acts, and initiatives such as Basel II, have impacted the way that IT decisions and controls are implemented, just as earlier legislation like the Distance Selling Regulations and the Data Protection Act have already done.
But there is no single industry definition of governance and the expression has become widely interpreted to represent authoritarianism, or as something having a negative connotation. This is reinforced once the term compliance is used in conjunction with governance as a means of reinforcing the 'policeman' aspect to corporate management focus.
Whilst there is no single standard IT industry definition of governance, there are two main interpretations. The first is defined by the Office of Government Commerce (OGC) who explain that governance is concerned with accountability and responsibility in terms of the standards that are used to direct and control an IS department.
These standards will involve both the IS function and the wider organisation(s) that are customers of IS, driven by the realisation that an ever increasing proportion of services will be delivered electronically and in real time.
OGC goes on to say that governance must concern itself particularly with organisational issues, such as how priorities and partnerships are managed; with management issues such as how roles and responsibilities are established to manage business change and operational services, and policy issues such as what frameworks and boundaries are established for decision making. OGC are, of course, also the originators of ITIL® and supporters of ISO 20000 which makes them uniquely able to influence IS control prerequisites in the UK.
The second interpretation comes from the US-led IT Governance Institute (ITGI) that helps define standards and tools to help ensure that IS supports business goals as well as appropriately managing risks and opportunities in the business exploitation of IS. The ITGI also offers a standard governance tool - CobiT, or Control Objectives for Information Technology, which has been in existence since 1996 and is currently at release 4.1.
It is positioned as a practical toolkit for IT governance because corporate governance and risk management have become increasingly important issues to businesses. CobiT is structured around the whole IS lifecycle and all Sarbanes-Oxley requirements can be satisfied using this.
The context for governance
Corporate compliance regulations specify that companies have strict obligations in relation to the management and reporting of financial transactions, including the details of the accuracy of that financial information.
It can be argued that an effective enterprise accounting system like Oracle Financials or mySAP ERP already satisfies this, but where section 404 of Sarbanes-Oxley and the equivalent obligations in the amended Companies Act differ to established practice is that the information provided to, or accessed by, auditors has to be certified by corporate management as being accurate.
Both Oracle and mySAP will report on the quality of data contained within the scope of their deployment, but this may not be enough to satisfy the new accuracy criteria. For instance, has data been accessed by only the relevant people and does an audit trail exist of any changes made? How certain can a company be that privileged access controls needed by IS have not been used to circumvent system controls and manipulate underlying data?
These have always been legitimate concerns but the audit rules allow much greater scope for question and probing, with regulators likely to become increasingly outspoken on company transparency and accountability.
And audit firms will also look to ensure the quality of data and processes that manipulate it are as good as they need to be in order to protect themselves against accusations of sloppy work, as they have been heavily criticised in relation to corporate misdoings in Europe and the USA.
Use of balanced controls
What both ISO 20000 and CobiT offer is a balance in terms of how IS can be managed. The detail of both frameworks is similar in respect of the delivery and support of IS operations, with CobiT adding more audit and controls emphasis whilst ISO 20000 offers more scope to manage innovation.
Making the achievements and accountabilities of an IS organisation visible leads to the need for a reporting mechanism to show progress against such factors as IT strategy, financial effectiveness, control status, operational delivery and customer satisfaction.
This balance between strategy, control and performance - the driver, the brake and the throttle - is best achieved by the development of a dashboard, or scorecard, which looks at all these issues in an holistic way.
So the development and use of a balanced scorecard, or dashboard, is an effective way for an IS function to show its capability to enable and control both simultaneously and transparently. Figure 1 shows how a twin track scorecard will allow focus on both aspects of the control environment.
Figure 1 - A balanced scorecard approach to governance
The state of control technology is such that a real time reporting mechanism can be used to alert management to either actual or likely control breaches, based on ISO 17799 and ISO 20000 monitoring criteria. ITIL® control process monitoring is an effective way of ensuring consistency and hence achieving overall IS governance.
Figure 2 illustrates a simple ITIL® reporting dashboard
What this type of automation allows is the direct linkage of the status of individual IS processes to the target set for them, and to report any variance. Given the additional features introduced by ISO 17799 with its enhanced focus on management controls, such a dashboard is likely to offer one of the few cost effective ways to demonstrate governance and hence achieve compliance.