Congratulations!  You are now in charge of IT!

By R. Curtis Thompson, CPA.CITP, CISA
Where would we be without our computers? We communicate through them. We do our accounting and inventory on them. We buy, sell, and process data with them. Business relies on information, and we need technology to manage and report that information. Reliable systems start with strong information technology (IT) governance.

In many companies, oversight of the IT department falls to the CFO or another non-technical person. Often they feel uncomfortable with that role and delegate too much to the IT manager; however, this creates a very real risk that the technology becomes misaligned with the company’s business goals. Under the Information Systems Audit and Control Association’s (ISACA) COBIT 5 model, the CFO would be responsible for governance, and the IT manager would be responsible for management.
Let’s say that the CFO should be responsible for monitoring, evaluating and directing the management of IT. In other words, the CFO acts in the governance role while the IT department uses these directions to plan, build, run and monitor the IT function.

Let’s say that you have just been given the role of overseeing IT. What do you need to know and do? Don’t panic — you are not being asked to design the network or implement a security model. You are being asked to head up the governance role.
Here are some key areas that role will entail.

Risk assessment
When you drive to work in the morning and decide on a particular route, you ask yourself several questions. Is this the fastest route? What is the likelihood of a backup? Will it make me late? This is a risk assessment. In governance, a risk assessment is also needed. You should involve others for different perspectives, and to ensure everyone understands, you need this documented. You may need to complete risk assessments for different goals, such as protecting data, vendor management and business continuity.

The ultimate goal of risk assessment is to rank your risks so that you will know where to allocate your resources. This will help drive your decisions on where to spend time and money.

Strategic planning and budgeting
Does your company have a strategic plan and an IT strategic plan? Your new role is going to help bring IT planning into the strategic planning process. If your company is expanding, IT needs to plan for new equipment, telecommunications, applications, etc. Conversely, management needs to know during strategic planning about current equipment that needs to be upgraded.
By analyzing last year’s costs, you can project this year’s IT expenses. Your risk assessment helps you allocate resources to reduce risks. Your strategic plan will help you decide on what you will need to invest in growth. Many CIOs use an approach to budgeting called Run, Transform and Grow (RTG). With the above, you have all the information to develop a robust IT budget.

Policy development
Policies are how management communicates expectations and direction. IT policies are expectations — not just of how to behave, but of how the systems should operate. No matter the size of the company, it is important that management properly communicates the meaning of these policies.
There is no definitive answer about the policies you need. I recommend, at a minimum, having policies on protecting data (security) and usage of company resources (internet, email, equipment, etc.). As with policies, you need to document the disaster recovery plan (how you will recover your systems in the event of a disaster) and the business continuity plan (how you will keep your employees working and the needs of your clients met).

Now that you have developed your risk assessment, strategic plan, budget, and policies, you need to evaluate their effectiveness. How can you be sure the resources you’ve allocated are accomplishing your goals and addressing your risks? Did you stay within your budget? Why not? Does everyone know the policies? Are they following them?

Sometimes monitoring is as simple as having discussions with management and IT to determine what is working. For more complex environments or issues, it may mean an internal or IT audit.

IT management needs to monitor system capacity, security issues, etc. This information should not be ignored for governance, though. It may help drive the direction of IT as well.

Governance and management
This is the cycle: monitoring and evaluating provide the information to determine direction, which helps IT plan, build, and run the systems and processes that are monitored, and so on.

If, in your new role, you take on these governance roles and the IT department takes on the management roles, the delivery of the IT function will run properly. You don’t need to be an IT expert. We all have a role to play, and if everyone plays their part, IT will run smoothly and meet everyone’s expectations.

R. Curtis Thompson, CPA.CITP, CISA is a principal with Yount, Hyde & Barbour’s Risk Advisory Services Team. He and his team blog regularly on breaking down the communication barriers between the IT department and management at http://www.yhbcpa.com/detech.