
What Is IT Governance?

In governing IT, we can learn from good financial and corporate governance.

For example, the CFO doesn't sign every check or authorize every payment. Instead, he or she sets up financial governance specifying who can make the decisions and how. The CFO then oversees the enterprise's portfolio of investments and manages the required cash flow and risk exposure. The CFO tracks a series of financial metrics to manage the enterprise's financial assets, intervening only if there are problems or unforeseen opportunities. Similar principles apply to who can commit the enterprise to a contract or a partnership. Exactly the same approach should be applied to IT governance.

IT governance: Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT

This definition of IT governance aims to capture the simplicity of IT governance (decision rights and accountability) and its complexity (desirable behaviors that are different in every enterprise). Governance determines who makes the decisions. Management is the process of making and implementing the decisions. For example, governance determines who holds the decision rights for how much the enterprise invests in IT. Management determines the actual amount of money invested in a given year and the areas in which the money is invested.

The senior management team designs IT decision rights and accountabilities to encourage the enterprise's desirable behaviors. If desirable behavior involves independent and entrepreneurial business units, IT investment decisions will rest primarily with the business unit heads. In contrast, if desirable behavior involves an enterprisewide view of the customer with a single point of customer contact, a more centralized IT investment governance model works better. More centralized models for HR (and the other key assets) would also assist in achieving a single point of customer contact. Problems occur when there is a mismatch between desirable behavior and governance.
In one financial services firm, a key desirable behavior was rapid innovation by business units to meet the enterprisewide objective of an increased percentage of sales from products introduced in the last five years. In contrast to the stated desirable behavior, most of the IT governance mechanisms conspired to discourage innovation. A particular business unit wanted to lead its financial services industry segment with a new IT-enabled service providing alerts to important clients via handheld devices such as pagers and cell phones. To implement this service, the business unit had to pay the entire cost of the wireless infrastructure (the technical foundation for the product) plus the application development cost for the business process that would use the wireless infrastructure for alerts. This up-front payment was required even though other business units and product offerings would probably utilize the same wireless infrastructure. Thus the innovator was asked to bear all the risk, and other business units could then utilize the infrastructure if it proved successful. This practice is like asking the first car using the road to pay all the construction costs.

This firm's solution was to introduce a dividend system consistent with the firm's culture. If the enterprise's senior management saw a potential multi-business-unit application for the infrastructure, the CEO would fund some of the cost (typically 20 percent) from corporate funds. Then the innovating business unit would make the remaining infrastructure investment. If other business units later utilized the infrastructure, the innovating business unit received a dividend of one-third of its cost from each business unit using the infrastructure. This approach encouraged early adopters and created infrastructure to foster future innovation across the enterprise. The new funding mechanism, implemented via the executive management, capital investment, and IT architecture committees, carefully balanced risk and reward, encouraging rather than discouraging desirable behavior.

This example highlights two complementary sides of governance articulated by the OECD [15]:

Behavioral side of corporate governance: Corporate governance encompasses the relationships and ensuing patterns of behavior between different agents in a limited liability corporation; the way managers and shareholders, but also employees, creditors, key customers, and communities, interact with each other to form the strategy of the company.

Normative side of corporate governance: Corporate governance also refers to the set of rules that frame these relationships and private behaviors, thus shaping corporate strategy formation. These can be the company law, securities regulation, and listing requirements. But they may also be private self-regulation.

The behavioral side of IT governance defines the formal and informal relationships and assigns decision rights to specific individuals or groups of individuals. The normative side defines mechanisms formalizing the relationships and providing rules and operating procedures to ensure that objectives are met. We found that enterprises often implement a dozen or more mechanisms to make IT decisions.

Effective IT governance must address three questions:
1. What decisions must be made to ensure effective management and use of IT?
2. Who should make these decisions?
3. How will these decisions be made and monitored?

The goal of this book is to provide frameworks and insights from top-performing enterprises to help management teams address these questions.
Important IT Governance Concepts

Governance Arrangements: five interrelated IT decisions:
IT principles: clarifying the business role of IT
IT architecture: defining integration and standardization requirements
IT infrastructure: determining shared and enabling services

It's Time to Embrace IT Governance in India (Dataquest)


Many factors are influencing enterprise governance in India, and it is becoming imperative to implement IT governance practices. Here, we talk about the various regulatory requirements that are affecting the adoption of IT governance and take a closer look at the Control Objectives for Information and related Technology (COBIT) framework, which is extensively used in India as an IT governance and IT assurance framework.

Why IT Governance?

Corporate governance in India is evolving, primarily due to regulatory requirements, but also, to some extent, due to each enterprise's specific needs and context. The objectives of corporate governance are fulfilled by setting up an appropriate structure and functioning mechanisms for the board of directors and audit committees, as laid down by the Companies Act, 1956. It is critical for each enterprise to establish its own specific governance system based on its own specific constraints and business culture.

Listed Companies

SEBI introduced a mandatory audit to ensure that corporate governance is maintained as per its norms by all listed companies, and came up with an updated Clause 49 to address this requirement. Although Clause 49 primarily focuses on corporate governance, there are two key sections, Clause 49 IV (C) and Clause 49 V, that make it imperative for listed companies to implement IT governance. Clause 49 IV (C), Board Disclosures on Risk Management, requires every listed company to lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures must be periodically reviewed to ensure that executive management controls risk by means of a properly defined framework. Indian companies often adopt a combination of home-grown, in-house practices and globally recognized frameworks for risk management.
The ideal approach would be to adopt a globally accepted risk management framework such as COSO, which provides a framework for enterprise risk management, and then integrate the local practices as relevant. The amendments effected in Clause 49 V (C) and (D) clearly bring out:

The responsibility entrusted to the CEO/CFO is in relation to establishing and maintaining internal controls for financial reporting.
The CEO/CFO has to assert that he/she has evaluated the effectiveness of the internal control systems of the company pertaining to financial reporting.
The CEO/CFO certificate will further state the manner in which deficiencies (if any) in the design or operation of such internal controls have been disclosed to the auditors and the audit committee.
The CEO/CFO certification will also state the steps they have taken or propose to take to rectify these deficiencies in the design or operation of such internal controls pertaining to financial reporting.

The first step is to map the relevant business goal of an enterprise, from the point of view of compliance, to the business goals provided in COBIT. For example, one such business goal under the financial perspective category for listed companies is to improve corporate governance and establish transparency. This business goal can be linked with two IT goals: to respond to governance requirements in line with board direction, and to establish clarity of the business impact of risks to IT objectives and resources. The selection of these IT goals determines the specific IT processes of COBIT (under the domains Plan and Organise [PO] and Monitor and Evaluate [ME]) to be selected to meet compliance requirements:

PO1 Define a strategic IT plan
PO4 Define the IT processes, organization and relationships
PO9 Assess and manage IT risks
PO10 Manage projects
ME1 Monitor and evaluate IT performance
ME4 Provide IT governance

The final step would be to select the relevant control objectives under these IT processes and use them as a benchmark for adoption or evaluation as required.

The Companies Act

The statement on the Companies (Auditor's Report) Order, 2003 (CARO) applies to all companies, including foreign enterprises. Exempt from this are insurance companies, banking companies, section 25 companies, and private companies with paid-up capital and reserves of not more than Rs 50 lakh that do not have outstanding loans exceeding Rs 20 lakh from any bank or financial institution and that do not have a turnover exceeding Rs 5 crore at any point of time during the financial year. CARO stipulates the need for companies to have an internal control system in the key areas and also mandates that companies have internal audits commensurate with the size of the company and the nature of the business. Hence, even unlisted companies that require statutory audits would need an implementation and review of internal controls.

The Institute of Chartered Accountants of India (ICAI) has started a certification course on information systems audit. Further, ICAI has entered into a memorandum of understanding (MOU) with ISACA to provide ISACA standards, guidelines and procedures to all its members. This will go a long way in promoting IT governance and IT assurance in India through the chartered accountants.

In the Government

The scope and coverage of IT audit in C&AG encompasses various types of information systems audit: the process approach, specialized audits, forensic audit, the system development life cycle approach, the value for money (VFM) approach, financial audit and performance audit. All of the IT audits by C&AG staff are based on COBIT as the main audit criteria. COBIT is used as the umbrella framework under which specific technology- and business-related controls are integrated.
The audit guidelines of the COBIT framework are suitably adapted to the specific IT and business environment of the enterprise. The audit objectives are mapped to COBIT, and the relevant high-level control objectives are selected for evaluation. C&AG has done excellent work in promoting IT governance among all the government entities by using COBIT best practices as a benchmark for all the IT audits it conducts.

Banking

The Reserve Bank of India (RBI) has been at the forefront of promoting IT usage in India. It has issued regular guidelines on IT, IT security and controls, and IT governance, and has been conducting IT audits as part of the regulatory review of banks' IT systems. RBI has used COBIT as a reference framework for issuing guidelines to banks and also for conducting IT audits. Various components such as pre-launch audit, post-implementation studies and regular IS audit follow internationally accepted norms and approaches. The large-scale use of IT in day-to-day operations has also added a new dimension to the risks associated with these activities, which has necessitated appropriate risk management systems.

In MNCs

MNCs use IT extensively for integrating their Indian operations with their global operations. As part of standardized global operations, these companies mandate the implementation of global best practices. Hence, the adoption of IT governance best practices is an accepted norm in these companies. Further, these companies are subject not only to Indian regulatory requirements, but also to the regulatory requirements of their parent companies. Consequently, implementing IT security and control practices based on globally accepted frameworks is enforced.

IT Companies

Adoption of IT governance in IT companies is necessitated by a combination of regulatory and management requirements. Most IT companies are at the forefront of adopting global best practices as a business requirement, as this acts as a differentiator in procuring clients and demonstrates the organization's services and capabilities. Further, as the majority of Indian IT companies' revenue comes from providing software development, IT implementation and IT consulting to companies outside India, they have to meet the relevant regulatory requirements of their clients. These companies are also subject to regulatory audits, such as a SAS 70 audit, which makes it imperative for them to adopt global best practices. Many of the top IT companies have started IT governance consulting services as one of their key offerings.

Conclusion

IT governance as a concept in India is not as widely known as it needs to be, but it is being adopted and implemented to an extent as a result of various regulatory requirements and effective best practices. IT governance is being implemented as a subset of corporate governance due to the regulatory and assurance requirements of SEBI, C&AG, RBI and the Companies Act. However, it is also increasingly being recognized that the real benefit of IT governance comes not just from implementing it from a compliance perspective, but also from a performance perspective, to ensure that the organization receives real business value from IT.

IT Governance/COBIT

IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives.

Why adopt COBIT?

COBIT implementation in an organisation makes business sense if you face internal challenges such as the following (not exhaustive):

Is IT strategy aligned with the business strategy?
Are we measuring IT's performance?
Can we assure investors and shareholders that a standard of due care around mitigating IT risks is being met by the organisation?
Do we have a framework to meet regulatory requirements for IT controls in areas such as privacy and financial reporting (e.g., the US Sarbanes-Oxley Act, Basel II) and in specific sectors such as finance, pharmaceutical and healthcare?
Is IT likely to achieve its objectives?
Is IT resilient enough to learn and adapt?
Is IT appropriately recognizing opportunities and acting upon them?
Are we obtaining value from IT investments?
Are we in control of the selection of service providers and the management of service outsourcing and acquisition?
Are we managing the increasingly complex IT-related risks, such as network security?
Are we as an enterprise performing against generally accepted standards and our peers (benchmarking)?

How robust is COBiT?


COBiT is based on the consolidated research activities of many organisations. The 34 high-level control objectives and the 318 detailed control objectives have been exposed to the IT industry and the IT audit profession to allow an opportunity for review, challenge and comment. The feedback received has been incorporated in COBiT. In order to assure the final quality of COBIT, several measures have been taken. The most important are:

The whole research process has been governed by the COBIT Steering Committee (CSC). Besides preconceiving the deliverables, the CSC has also been responsible for the final quality of these deliverables.

The detailed research results have been quality controlled throughout. The preliminary research results, as well as the framework, have been exposed to two groups of experts including business managers. Before issuing the final texts, they have been distributed to a number of specialists for comments.

The Management Guidelines were developed by a worldwide panel consisting of 40 security and control experts, IT management and performance management professionals, industry analysts and academics who participated in a residential workshop conducted by professional facilitators. The workshop deliverables went through a quality assurance process and were exposed for review.

However, it needs to be emphasized that these guidelines remain generic and generally applicable, and do not provide industry-specific norms. Organisations will in many cases need to customise this general set of directions to their own environment. Overall, experience shows that the COBIT model appeals to business management as a whole and that they appreciate its added value in improving their control over IT. In this regard, we are confident that the required quality level, beyond customer satisfaction, has been achieved.

Who should use COBiT?

COBiT is designed to be useful to:
Management - to balance risk and to control investments in IT.
Users - to obtain assurance about the IT services received.
Process Owners - to discharge their responsibility for controlling the information aspects of the processes.
Auditors - to plan, audit and report on the systems of internal control established over IT processes.

COBiT's Management Guidelines are generic, action-orientated statements for the purpose of addressing management concerns about performance measurement, better control, minimising risk and comparisons against benchmarks. These can be used in a variety of ways, for example:
1 Assess actual outcomes of a particular process (based on key goal indicators and maturity levels).
2 Identify problem areas (those IT processes with low maturity scores).
3 Define best practices (acceptable IT process maturity).
4 Improve management processes and action planning.
5 Benchmarking.

COBiT's Framework and 318 detailed control objectives enable end users to identify the controls that should support the IT services that they receive. End users are better able to communicate their concerns and understand the issues that may need attention. As a result, end users will derive greater assurance about the IT services delivered.

COBiT's business process orientation enables process owners to evaluate the performance of IT within their specific process and enables them to understand their accountability for IT. COBiT provides the process owner with a framework that should enable them to control the IT activities within their processes.

COBiT's Audit Guidelines provide auditors with assistance in preparing their audit plans for reviewing the entity's IT processes using the 34 high-level control objectives and 318 detailed control objectives. Each guideline consists of a statement pertaining to the general understanding of the process, points to be considered in evaluating controls and assessing compliance, and guidance on substantiating the risks associated with the specific IT process.
