INFORMATION TECHNOLOGY GOVERNANCE

A Discussion Paper for Lawyers

Rebecca Kacaba and Donald B. Johnston, Aird & Berlis LLP, Toronto, Canada1

The governance of information technology is not a subject that is well understood, and there exists a good deal of confusion about it, including among many information technology professionals. Moreover, it is a subject that seems odd to connect with lawyers, whose bailiwick does not, in the minds of most people, extend to bits, bytes, boxes and networks. Nevertheless, lawyers play an important role in the governance of information technology.

Where Does IT Governance Fit?

Information technology governance (which we will call IT Governance for the balance of this paper) is a subdivision of corporate governance and, like corporate governance, has both internal and external aspects. Its primary purpose is to make it obvious to the people who should care (management, shareholders, lenders and other stakeholders) that the information technology systems upon which a business relies transparently support its stated business objectives. Its secondary purpose is to ensure that information technology resources are both appropriate and sufficient, and are effectively and efficiently used. IT Governance is a strategic business activity. As a bonus, IT Governance may help keep directors and senior officers of public companies out of jail, which is often seen as a good thing.

1 Rebecca Kacaba is a student-at-law at Aird & Berlis LLP, Toronto, Canada. Donald B. Johnston is a partner, the leader of its Technology Industry Group and co-leader of its Corporate-Commercial Practice Group.

IT Governance is the decision rights and accountability framework for encouraging desirable behaviour in the use of information technology.2 It is not the decisions themselves, but the framework within an organization for making those decisions.3 Most businesses have some form of IT Governance in place, but research indicates that their systems are not as efficient as they could be.4

A proper IT Governance system is imperative for effective internal control and accurate financial reporting.

We have said that IT Governance is a subset of corporate governance. What we mean is that corporate governance (in the Sarbanes-Oxley, Basel II and Bill 198 sense that all lawyers care deeply about) cannot be carried on without IT Governance.

Think about it.

The U.S. Sarbanes-Oxley Act of 2002 (“SOX”)5 was an early response to massive failures of corporate governance that resulted in the overnight loss of billions of dollars in share value in companies such as Enron, WorldCom, Global Crossing and others. Transparency, accountability and proper internal controls were critically lacking in each case. In each case, no accountable body or person “owned” the governance process.

In Canada, the Canadian Securities Administrators responded to the crisis by taking actions similar to the SOX initiative.6 Ontario initiated omnibus Bill 198 (“Bill 198”), which authorized the Ontario Securities Commission to create SOX-like regulations and guidelines. These resulted in requirements for CEOs and CFOs to certify the internal controls of “reporting issuers”, i.e., public companies, and set out certain other requirements. Non-compliant senior officers are now exposed to serious civil liability and/or jail time.

2 Jeanne Ross and Peter Weill, “How Effective is your IT Governance?” (2005) 5 MIT CISR Research Brief 1B, at page 1. 3 Focus on Ross, supra note 4. 4 Focus on Ross, supra note 4. 5 Also called the Public Company Accounting Reform and Investor Protection Act of 2002, Pub. L. 107-204, 116 Stat. 745. 6 See Multilateral Instruments 52-111 (reporting on internal controls) and 52-109 (disclosure certification). Some of the provisions of MI 52-111 are now merged with MI 52-109.

While it is not the purpose of this paper to go into detail on the larger subject of corporate governance (which is the mother of IT Governance), it is worth considering what CEOs and CFOs of reporting issuers are now required to do. In rough terms, they must now certify personally:

• that they have reviewed all public filings and that those filings do not contain any untrue material statements or omit any material statements

• that the company’s financial information fairly represents the financial condition of the company

• that they have implemented proper disclosure controls, tested them and set out their conclusions in the Management Discussion and Analysis report

• that they have implemented internal controls over financial reporting, so that the public financial statements will fairly represent the financial condition of the company in accordance with generally accepted accounting principles

• that all material changes to internal controls have been disclosed in the Management Discussion and Analysis report

These requirements are basically enforced on a “no-excuses-the-buck-stops-here” basis. As a result, senior managers of a public company are highly motivated to ensure that internal controls are in place and properly functioning so that corporate governance “works”.

How these requirements mesh with IT Governance should be intuitive (but probably isn’t for many managers for whom information technology systems are, essentially, magic). In large corporations, virtually the only way to implement fully functioning internal controls is to do so with the aid of information technology. While this is patently the most efficient (and sometimes the only) way to do it, it also presents senior management with a problem: how do they know that they can rely upon the information technology systems that the public company for which they are responsible uses as part of its internal control process? The answer is that they cannot know whether they can rely upon their information technology systems unless they subject those systems to controls no less rigorous than the controls that are applied to financial matters. In short, they have to “own” responsibility for the information technology systems. That “ownership” is what IT Governance is all about.

Is IT Governance Mere Regulatory Activity?

While it might be convenient to think of IT Governance as one of the steps to avoid jail, large fines, civil liability and personal bankruptcy (none of which a wise executive will consider to be career-enhancing), it is far better to elevate IT Governance to a matter of principle rather than a mere compliance issue. Good IT Governance is good business. If you are a CEO or a CFO, IT Governance is your friend. It gives you a reliable handle on some of the most important activities in the enterprise for which you are responsible.7

Good IT Governance is therefore not merely an important compliance exercise. It is strategic activity within the enterprise and should be regarded in that light. Who “owns” strategy? It is the Board of Directors and senior management who do. So, the Board and senior management must also “own” IT Governance.

A proper IT Governance system also has significant profitability benefits. Research shows that the lack of value being attained from IT investments is due to bad planning or execution of projects, rather than bad choices of where to invest funds.8 IT Governance allows management and executives to view and evaluate the risks, budget and complexity of the proposed projects. It allows management to view the status, progress and issues that are being faced as projects are developed. Finally, proper IT Governance will allow review and evaluation of IT projects, so that their value can be assessed, future projects can be assessed with this knowledge and a company can maximize product lifecycle management.9

IT Governance is characterized by Board-imposed comprehensive control over the information technology assets used by the enterprise, by means of:

• wise policies set by the Board of Directors with both internal and external assistance

o clear aims and purposes of the policies so that responsible insiders understand them (this will likely include testing the extent to which they are understood)

7 The same argument has been made for privacy. A good manager knows that a mere “compliance” approach to privacy may keep an organization out of the deepest pitfalls, but that a proactive approach that elevates privacy to a matter of principle, and that implements privacy using a best practices model, can not only keep the organization compliant with virtually all privacy regimes to which it may be subject over multiple jurisdictions but can also be something about which the organization can brag. In the right industry, it can be a competitive advantage. 8 Focus on Ross, supra note 4. 9 Origitano, supra note 7.

o oversight by the Board, to ensure that the policies are fully implemented, enterprise-hardened and enforced at all times

• organizational structures that allocate and isolate responsibility and “ownership” of IT Governance-related tasks, so that responsibility for such tasks is not diluted or diffused

o must include the most senior management

o responsible persons know what to do upon the happening of certain events

• the implementation of decision-making and reporting rules, within such organizational structures, in accordance with the policies set by the Board

• by virtue of the organizational structures and the decision-making and reporting rules, the Board of Directors and senior management know, at all relevant times, the state and reliability of the information technology systems upon which the enterprise relies10

• change management systems that allow the enterprise to be flexible, and to respond quickly, effectively, appropriately and predictably to requirements of business, competition and change of all kinds

• a “life-cycle management” approach to information technology assets

• testing and auditing of the information technology systems on a regular basis, with regular reports to the Board and senior management

10 Members of the Board and senior management don’t need to know how the IT systems work, of course, any more than the average driver needs to know how the family car works. However, just as every driver needs to know the state of the brakes and steering, the last time the oil was changed and when the next service appointment should be, Board members and senior officers need to know that certain inputs into the IT systems will reliably yield known and expected outputs.

• planning for increased service capacity, and machine, network and software life-cycle management (including confidential disposal of media and maintenance of back-up data in accordance with data retention policies)

Many organizations – even some that are very sophisticated outside the IT area – take a “hands off” approach to information technology. The reasons for this vary, but often include (i) a failure to acknowledge the importance of IT to the organization, (ii) an ignorance, or even a fear, of IT systems, and (iii) abdication to the CTO or IT staffers.11

How Do Lawyers Fit In?

Lawyers play a number of roles in the arena of IT Governance. These include (i) strategic and advisory roles that revolve around compliance with such statutes as SOX and Bill 198 and such international initiatives as Basel II12, (ii) IT policy creation and drafting, (iii) education of senior managers in what is required for compliance, (iv) IT Governance Committee membership and (v) participation in the internal audit process.

One can expect lawyers to take a primarily regulatory compliance role in IT Governance, although a wise lawyer will elevate the matter from one of compliance – critically important as that may be – to one of principle and good business that includes both regulatory compliance and a regime of best practices and continuous improvement.

11 This is the worst of all possible worlds. It is sometimes easy to spot a situation where IT staff has taken over: just look for big, unbudgeted, whiz-bang development projects that nobody in senior management knows much about and a CTO nicknamed “Dr. No”. It means that the inmates have taken over the asylum. 12 “Basel II” is shorthand for the “International Convergence of Capital Measurement and Capital Standards - A Revised Framework” instituted by the Basel Committee on Banking Supervision the members of which include representatives from all the major economies of the world. The main focus of Basel II is the adequacy of the capital reserves of Banks and the means by which the requirements for such reserves are measured. It is extremely complex, and makes SOX and Bill 198 appear simple in comparison.

From the lawyer’s regulatory point of view, SOX and Bill 198 (and, if the corporation is a bank, Basel II) will drive compliance. However, it is important to recognize that the worlds of regulatory compliance and technical IT Governance are not separate. In fact, certain of the methodologies of IT Governance are explicitly recognized by the U.S. Securities and Exchange Commission as compliant with its requirements.13 Accordingly, a consummate lawyer in the IT Governance context will be conversant with the appropriate regulatory statutes and regimes; will be familiar, in a broad sense, with how the public company’s information technology infrastructure is used and the extent to which the company relies upon it for accurate financial and operational information; will be on a first-name basis with the Chief Technology Officer of the company and will work to make that relationship one of mutual trust and respect; will assist in the preparation or review of key information technology policies (e.g., privacy, data security, network security, reporting, life-cycle management and audit policies); will ensure that senior management whose roles include the certification of financial statements and reports understand the importance of IT Governance to the company; and may even sit, either as an observer or a participant, on the IT Governance Committee of the company.

The involvement of lawyers will be particularly important whenever a corporate or business process change occurs. The most prominent examples that challenge IT Governance are merger and acquisition activity and outsourcing, primarily because of the massive effects each of those activities can have on internal corporate governance generally.14

13 See reference to COSO, infra. 14 We recommend for the reader’s review the excellent discussion notes on the effect of outsourcing on corporate governance prepared by Richard F.D. Corley and Richard C. Owens, Blakes LLP, for the tenth annual Canadian IT Law Association Conference held on October 26 and 27, 2006.

Implementing changes to become compliant with the new regulations will result in many overall corporate improvements. Changes will result in stronger corporate governance and decrease overall risk.15 Changes will also result in a more streamlined process and stronger underlying infrastructure. This will aid with any growth or expansion plans.16 It will also result in more successful mergers, which are becoming an increasingly common part of business today.17

Better records will make it easier for management to recognize opportunities for realignment, outsourcing, centralizing or decentralizing and process changes. Improved and reliable financial reporting will give insight into business operations, and help to focus employee training. Better procedures and reporting will cause the company to become more transparent and therefore more attractive to investors.18 Some companies have found initiating compliance with new control regulations to be costly; however, there are ways to decrease expenses.

IT Governance Internal Control Models

Under reporting regulations, public companies must (and other companies, we recommend, should) show that they have not only taken care to provide security around their data and network, but they have done so using a best practices model.19

The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) is comprised of representatives from major American financial, accounting and auditing associations.20 COSO has developed the Internal Control Integrated Framework, which is the model most commonly used to establish an internal control system.21

15 Massood Oroomchi and Alec Moore “Sarbanes-Oxley/Bill 198- Is the glass half empty or half full?” online: Finex Group [hereinafter “Half Empty”]. 16 Ibid. 17 Ibid; Sonny Origitano “IT Governance in the Mid-Market: A Structured Approach to Managing Corporate Information Resources” online: Technology Executives Club [hereinafter “Origitano”]. 18 Half Empty, supra note 5. 19 Kelly Kanellakis “Canadian Enterprises Must Prepare for Tighter Compliance” (April 14, 2006) Network World Canada, online: IT World http://www.itworldcanada.com [hereinafter “Kanellakis”].

COSO defines internal control as a process effected by the company’s Board of Directors, management and other personnel to provide reasonable assurance regarding objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.22 COSO outlines five key components of internal control: risk assessment, control environment, control activities, information and communication, and monitoring.23

Other systems have provided internal control models: the Institute of Internal Auditors Research Foundation’s Systems Auditability and Control (“SAC”), issued in 1991 and revised in 1994, the Information Systems Audit and Control Foundation’s COBIT, issued in 1996, and the CICA’s Criteria of Control (“CoCo”) model, published in 1995, are three examples.24

All of these models (COSO, CoCo, SAC and COBIT) define internal control slightly differently, but there are a number of concepts that run through all of them. They can be condensed down to the following:

• internal control is not only about policies and procedures, but a process or system effected by people, who are central to adequate internal control

• internal control does not guarantee that an organization will meet its accuracy and control objectives, but provides reasonable assurance that these objectives will be met25

• limitations include human error, misunderstandings, management override, and cost-benefit considerations, which mean that not all possible controls will be implemented

• parties who merit special attention in the internal control process are management, the Board of Directors (including the audit committee team), internal auditors and external auditors.26

20 “Managing Risk from the Mailroom to the Boardroom” (2003) 18 Tone at the Top [hereinafter “Mailroom to Boardroom”] 21 Mailroom to the Boardroom ibid. 22 “COSO Definition of Internal Control” online: COSO [hereinafter “COSO definition”]. 23 “Putting COSO into Practice” supra note 1. 24 “Internal Control Systems” online Enotes: [hereinafter “Internal Control Systems”].

The following is a model of internal governance that is based largely on the COSO model that has been accepted by the U.S. Securities and Exchange Commission as an effective model for internal control.

1. Self Assessment

Most companies have some kind of disclosure control and procedure in place that can be adapted to meet regulatory requirements.27 A proper self-assessment should be performed on existing systems before initiating any changes.28 Often, in smaller companies, the systems that are in place are not clear. Control standards may be met by clarifying personal responsibility (often called “ownership”) for acts that are already being performed.29 A proper self assessment should consider factors such as:

25 Under Bill 198, the standard is one of “reasonable assurance” not, as in SOX, that a system will “ensure” compliance. 26 Ibid. 27 “Understanding Disclosure Controls and Procedures: Helping CEOs and CFOs Respond to the Need for Better Disclosure”, online: The Canadian Institute of Chartered Accountants . 28 Ibid.

• whether executives understand the requirements and what the changes will mean for the company

• what the firm culture and attitude toward change are

• whether a long-term sustainable future plan is in place

• whether the company has at hand the resources, and whether the staff holds the expertise, necessary to make the necessary changes

• what the current structure is for responsibility and accountability

• what the current level of risk tolerance is

• how effective the existing process is for exchanging information with external parties

• whether the external auditor (who, under SOX, must certify financial statements) agrees with current assessments and the compliance plan30

Many companies underestimate the changes necessary for compliance. This results in poorly executed projects, or starting and stopping and re-starting projects, increasing costs significantly.31 Proper self-assessment at the outset will reduce costs significantly.32

29 “Internal Control Over Financial Reporting-Guidance for Smaller Public Companies: Volume I Executive Summary”, online: COSO [hereinafter “Guide for Small Companies”]. 30 “Self Assessment”, FinEx Group, online: FinEx Group .

2. Setting Objectives

A company’s first step is to develop financial reporting objectives. At a high level, the purpose is to prepare reliable financial statements that are free from material misstatements. Flowing from this, management must establish supporting objectives relating to business activities and individual circumstances. These will include consideration of regulatory requirements such as SOX, Bill 198 and Basel II. Efficiencies can be gained by focusing only on what is relevant to the business at issue.33 Objectives may be:

• Strategic – the achievement of strategic goals

• Operational – the effective and efficient use of resources34

• Reporting – to achieve reliability in reporting

• Compliance – to achieve compliance with applicable laws and regulations

• Safety – the safeguarding of resources35

Implementing compliance changes in conjunction with any necessary system upgrades is a good way to cut costs significantly.36 Not only is it good business, but it creates a culture within the company of managing change in a proactive and principled manner.

31 Murray Wolfe “Change of Mindset” online: Camagazine [hereinafter “Wolfe”]. 32 Half-empty, supra note 5. 33 Guide for Small Companies, supra note 18. 34 Sadly, it is possible to be efficient without being effective. 35 “Enterprise Risk Management - Integrated Framework Executive Summary” (2004) online: COSO [hereinafter “Enterprise Risk Management”]. 36 Half Empty, supra note 5.

3. Risk Assessment

Since legislative changes now require executives to sign off on the accuracy of financial statements and certify the company’s internal control framework personally, risk assessment is not only a matter of good business sense, it is a question of how much risk each CEO and CFO is willing to take personally. A proper system of internal control and an IT Governance system constitute excellent protection from lawsuits and criminal or regulatory charges.

Risk assessment is the consideration of factors that could potentially affect the reliability of financial reporting, and identifying where in the process something could go wrong.37 Risks must be identified and assessed and then managed and mitigated by a strong internal control system.38 Companies must be aware of what risks must be mitigated and what risks they can live with. Good risk assessment also improves profitability; when risks are well managed companies can calculate and pursue new opportunities they could not otherwise pursue.39

There are a number of approaches to risk assessment. According to COSO, the major principles of risk assessment are:

• The importance of financial reporting objectives;

• The identification and analysis of financial reporting risks; and

• The assessment of fraud risk.40

37 Guide for Small Companies, supra note 18 at page 6. 38 Mailroom to Boardroom, supra note 10. 39 George Westerman “Building IT Risk Management Effectiveness” (2004) IV MIT CISR Research Brief 2C [hereinafter “Westerman”]. 40 Enterprise Risk Management, supra note 23.

Enterprise risk management (“ERM”) is a process developed by COSO for identifying and analyzing risk company-wide.41 It is based on eight components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.42 ERM is most effective when the audit process is built into management’s decision-making plans, when responsibility for controls is allocated logically and in an auditable manner throughout the company, and when the controls are perceived and acknowledged to be in everyone’s best interest.43

Effective risk management consists of success in three disciplines.44 A company must be adequate in all three to manage risk effectively, although it need not excel in any of them.

First, the IT Governance foundation: an IT Governance foundation that is well-architected and well-managed is less risky than the more complex kind that has grown like Topsy and has not been planned from the ground up. Second, the risk governance process: a risk governance process that includes policies and procedures to identify, assess, prioritize and monitor risks is necessary. (The role of lawyers in this process is obvious.) Third, risk awareness: risk awareness is necessary to identify and assess threats and mitigate risk.

Most people think of IT assets as the data on servers and do not realize that the network itself is part of the asset; it must be included in risk consideration. Assessing network security includes understanding what is at risk, the value of the asset, how to protect the asset, and how to reduce risk in a way that can be verified in an audit.45

41 Mailroom to Boardroom, supra note 10. 42 Enterprise Risk Management, supra note 23. 43 Mailroom to Boardroom, supra note 10. 44 Westerman, supra note 27. 45 Kanellakis, supra note 9.

Focus should include areas such as security and access controls (and, as Corley and Owens point out in the paper cited in footnote 14, outsourcing controls if outsourcing is being carried out).46

Caledon Mills Consultancy advises consideration of controls at the entity level first, in order to prevent duplication of documentation and testing at the transactional level.47

When assessing risk, there are a number of indicators of material weakness. These include: restatement of previously issued financial statements (this always makes the market nervous), material audit adjustments, ineffective audit committees, ineffective internal audit or risk assessment functions, ineffective regulatory compliance, fraud of any magnitude by senior management and failure to correct significant deficiencies in a timely manner.48

4. Control Environment

The control environment is deeply affected by the “tone at the top”, i.e., the tone set by top management. It is an integral influence on the corporate environment within which financial reporting occurs.49 Visible senior management support was cited by Chief Information Officers as one of the major positive aids to overcoming resistance to IT Governance efforts.50 Clear IT Governance will allow managers to see how they can effectively participate in creating value from IT and will enable an attitude that views internal control and regular audits as part of the planning and decision-making process, rather than a “necessary evil”.51 The Board should establish a code of conduct or charter to enforce expectations.52

Gaining business value from IT requires firm-wide participation in the entire IT process, from targeting IT investment to ensuring IT performance is useful and enabling any necessary process changes. Garnering support for this integration is largely the role of the CIO.53

46 Massood Oroomchi and Alec Moore “Sarbanes-Oxley/Bill 198 Compliance Requirements- Are You Ready?” online: FinEx . 47 Online: Caledon Mills Consultancy Ltd. Compliance Specialists . 48 James L. Goodfellow and Alan D. Willis “Internal Control 2006: The Next Wave of Certification- Guidance for Management”, The Canadian Institute of Chartered Accountants [hereinafter “Goodfellow and Willis”] at page 19. 49 “COSO Summary of Recommendations” online: COSO [hereinafter “COSO Summary”]. 50 “IT Governance in Practice: Insight from Leading CIOs” (2006) IT Governance Institute & PricewaterhouseCoopers [hereinafter “CIO Insight”]. 51 “What Makes an Effective CIO? The Perspective of non-IT Executives” (2005) V MIT Sloan CISR No.2C Research Brief [hereinafter “What Makes an Effective CIO”], Mailroom to Boardroom, supra note 10.

It is important that the company structure supports effective internal control over financial reports. This includes having competent individuals to carry out this task, and ensuring they have the proper level of authority to do so.

It is normal for the control environment to change and adapt as the results of previous controls are evaluated.54 This should be monitored for any necessary changes.

5. Control Activities

Once risks are assessed, management can determine how risks should be managed through a range of control activities.55 Management should consider what activities must be undertaken to mitigate risk and achieve financial reporting objectives. Policies should be established and maintained throughout the company. A truly strong system of internal control contains effective controls not only in the area of financial management but also in operations and compliance.56

Different control activities include: IT controls being designed and implemented,57 oversight controls by management, segregation of duties, and independent reconciliation.58 Two types of controls should be used: those that prevent errors (accounting policies, safeguarding assets), and those that monitor performance to detect errors (internal audit, review of reconciliations, monitoring financial performance against budgets).59 Use of these controls must be balanced at both the entity level and the process level.60

52 Goodfellow and Willis, supra note 36 at page 27. 53 What Makes an Effective CIO, supra note 39. 54 Guide for Small Companies, supra note 18 at page 8. 55 Ibid. 56 Putting COSO Into Practice, supra note 1. 57 Guide for Small Companies, supra note 18 at page 11. 58 Putting COSO Into Practice, supra note 1 at page 3.
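One concrete form of the segregation-of-duties control listed above is a check that no single user holds a pair of roles that together let that user both initiate and approve (or record and reconcile) a transaction. The following is an added example written for this discussion; it is not code from the paper or from any of the sources cited. The role names, the conflict pairs, the role assignments and the register of approved exceptions are all constructed sample data; a real check would read them from the identity system (an IAM or ERP role export) and from the company’s own control documentation. The exception register reflects the paper’s point about smaller companies: where two duties cannot be separated, the decision and its compensating control must be written down rather than kept in a manager’s head.

```python
"""Segregation-of-duties (SoD) check over a user-role export.

Added illustration, not code from the paper or its sources. The role
names, conflict pairs, assignments and exceptions below are constructed.
"""
from collections import defaultdict

# Constructed conflict matrix: each pair is two roles that one person must
# not hold at the same time, because together they let a single individual
# both initiate and approve (or record and reconcile) a transaction.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"cash_receipts", "bank_reconciliation"}),
    frozenset({"payroll_change", "payroll_approve"}),
}

# Constructed role export, as (user, role) pairs. Real data would be pulled
# from the system of record (IAM directory, ERP security tables).
ASSIGNMENTS = [
    ("alice", "vendor_create"),
    ("alice", "payment_approve"),
    ("bob", "journal_post"),
    ("carol", "journal_approve"),
    ("dave", "cash_receipts"),
    ("dave", "bank_reconciliation"),
    ("dave", "payroll_change"),
    ("erin", "payroll_approve"),
]

# Constructed register of management-approved exceptions: a violation that
# cannot be removed is tolerated only with a documented compensating control.
APPROVED_EXCEPTIONS = {
    ("dave", "bank_reconciliation", "cash_receipts"):
        "CFO reviews the monthly bank reconciliation and signs the review log",
}


def roles_by_user(assignments):
    """Group (user, role) pairs into {user: set_of_roles}."""
    grouped = defaultdict(set)
    for user, role in assignments:
        grouped[user].add(role)
    return dict(grouped)


def find_sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return sorted (user, role_a, role_b) tuples, with the two role names
    in sorted order, for every user who holds both roles of a conflicting pair."""
    violations = []
    for user, roles in roles_by_user(assignments).items():
        for pair in conflicts:
            if pair <= roles:  # the user holds both roles of this pair
                role_a, role_b = sorted(pair)
                violations.append((user, role_a, role_b))
    return sorted(violations)


def sod_report(assignments, conflicts=SOD_CONFLICTS, exceptions=APPROVED_EXCEPTIONS):
    """Split violations into those still open and those waived by a documented
    exception. Returns (open_violations, waived); each waived entry pairs the
    violation with the compensating control recorded for it."""
    open_violations, waived = [], []
    for violation in find_sod_violations(assignments, conflicts):
        if violation in exceptions:
            waived.append((violation, exceptions[violation]))
        else:
            open_violations.append(violation)
    return open_violations, waived


if __name__ == "__main__":
    open_violations, waived = sod_report(ASSIGNMENTS)
    for user, role_a, role_b in open_violations:
        print(f"OPEN   {user}: holds both {role_a} and {role_b}")
    for (user, role_a, role_b), control in waived:
        print(f"WAIVED {user}: {role_a} + {role_b}; compensating control: {control}")
```

Run against the constructed data, the report lists alice as an open violation (she can create a vendor and approve a payment to it) and dave’s receipts/reconciliation combination as waived under the recorded CFO review. Re-running the check on every role export, and treating a new open violation as a control deficiency to be reported, is what turns a one-time review into the ongoing monitoring discussed later in this paper.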

Networks must be regularly reviewed including the number, type and identity of all devices that are connected, from time to time, to the network.61 (This is particularly tough to do with the growth in the use of laptops and remote access.) It is advisable for the audit committee to review and approve the process when it is developed, as some theories are excellent on paper but may not work in practice, and any material changes to the process will have to be disclosed in later reports.62
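The network review described above can be made concrete by reconciling what the DHCP server has actually handed out addresses to against the authorized-device inventory. The following is an added illustration, not code from the paper or its sources: it parses dnsmasq-style DHCPACK syslog lines (the log lines and the inventory are constructed sample data), reports devices that took an address but are not in the inventory, and reports inventoried devices that never appeared. A caveat a practitioner would add: a MAC address is a weak identifier that a hostile device can copy, so this check finds the unregistered laptop or phone, not the deliberate impostor; certificate-based network access control is the stronger control for that case.

```python
"""Reconcile observed DHCP leases against an authorized-device inventory.

Added illustration, not code from the paper or its sources. The log lines
and the inventory are constructed; the line format assumed is the dnsmasq
syslog line for a DHCPACK.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed gateway log excerpt: two leases to inventoried laptops, two to
# devices nobody registered (one with a hostname, one without), a DHCPDISCOVER
# line the parser must ignore, and a repeat lease with an upper-case MAC.
SAMPLE_LOG = [
    "Mar  3 09:12:01 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.23 aa:bb:cc:00:00:01 fin-laptop-01",
    "Mar  3 09:14:37 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.24 aa:bb:cc:00:00:02 fin-laptop-02",
    "Mar  3 09:20:05 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.77 de:ad:be:ef:00:01 android-7f3a",
    "Mar  3 09:21:11 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.78 de:ad:be:ef:00:02",
    "Mar  3 09:22:00 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) de:ad:be:ef:00:03",
    "Mar  3 10:02:41 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.23 AA:BB:CC:00:00:01 fin-laptop-01",
]

# Constructed inventory: MAC address -> asset tag, as the asset register holds it.
INVENTORY = {
    "aa:bb:cc:00:00:01": "fin-laptop-01",
    "aa:bb:cc:00:00:02": "fin-laptop-02",
    "aa:bb:cc:00:00:03": "fin-printer-01",
}

# syslog timestamp, host, "dnsmasq-dhcp[pid]: DHCPACK(iface) ip mac [hostname]"
DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d{2}:\d{2}:\d{2}) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\(\w+\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: (?P<host>\S+))?$"
)


@dataclass(frozen=True)
class Lease:
    ts: str
    ip: str
    mac: str             # normalised to lower case
    host: Optional[str]  # None when the client sent no hostname


def parse_dhcp_acks(lines):
    """Return a Lease for every DHCPACK line; all other lines are skipped."""
    leases = []
    for line in lines:
        m = DHCPACK_RE.match(line)
        if m:
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"]))
    return leases


def reconcile(leases, inventory):
    """Compare leases with the inventory.

    Returns {"unknown": [Lease, ...], "not_seen": [mac, ...]}: "unknown" holds
    the first lease seen for each MAC absent from the inventory, and "not_seen"
    lists inventoried MACs that took no lease in this log (possibly stale
    inventory, possibly a device that left the building).
    """
    first_seen = {}
    for lease in leases:
        first_seen.setdefault(lease.mac, lease)
    unknown = [lease for mac, lease in first_seen.items() if mac not in inventory]
    not_seen = sorted(mac for mac in inventory if mac not in first_seen)
    return {"unknown": unknown, "not_seen": not_seen}


if __name__ == "__main__":
    result = reconcile(parse_dhcp_acks(SAMPLE_LOG), INVENTORY)
    for lease in result["unknown"]:
        print(f"UNKNOWN  {lease.mac} {lease.ip} {lease.host or '(no hostname)'} first seen {lease.ts}")
    for mac in result["not_seen"]:
        print(f"NOT SEEN {mac} ({INVENTORY[mac]})")
```

On the constructed log the check flags the two de:ad:be:ef devices as unknown and the inventoried printer as not seen. Feeding it the previous day’s log on a schedule, and keeping the output as evidence, gives the audit committee the kind of repeatable, documented procedure the paper asks for rather than an occasional manual walk of the switch tables.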

CEOs of larger entities may consider bottom-up controls, such as sub-certification from business units or from individuals who play an integral role in the process.63 They may also wish to consider specific fraud-control features, such as verification procedures in the system to identify inaccurate reporting (e.g., control questions).

Management should consider how much documentation is necessary to support internal control, and can achieve efficiency by producing only documentation that 1) is necessary for auditors as evidence, and 2) goes towards achieving the objectives of the business.64

Although in small businesses a large portion of risk assessment may be performed in the heads of the managers, they must be aware that in certain areas, risk assessment among them, some documentation of managers’ thought processes is necessary.65

59 Goodfellow and Willis, supra note 36 at page 16. 60 Goodfellow and Willis, supra note 36 at page 16. 61 Kanellakis, supra note 9. 62 Goodfellow and Willis, supra note 36 at page 15. 63 Goodfellow and Willis, supra note 36 at page 17. 64 Guide for Small Companies, supra note 18 at page 7.

6. Information and Communication

Relevant financial information must be identified, captured and used at all levels of the company.

It must be distributed in a timeframe and form that supports the achievement of the financial reporting objectives. Communications must support internal control at all levels of the organization, between levels of the organization, and to outside parties.66 Information technology can be useful in standardizing communication controls, creating reliability and efficiency.67

7. Monitoring

Monitoring ensures that all five components of the control system are in place, properly designed, and functioning properly.68

Management should evaluate: 1) the design of the controls it has implemented; and 2) the operation of those controls.69 Ongoing and separate evaluations should be conducted to allow management to see whether internal control is proceeding as planned. Deficiencies must be reported and communicated in a timely manner so that corrective action can be taken.70

65 Guide for Small Companies, supra note 18 at page 7.
66 Guide for Small Companies, supra note 18 at page 11.
67 Putting COSO Into Practice, supra note 1 at page 3.
68 Putting COSO Into Practice, supra note 1 at page 3.
69 Massood Oroomichi and Alec Moore “Overview of the December 2006 SEC Guidelines for Evaluating Internal Controls over Financial Reporting” online: at page 3 [hereinafter “Overview of the December 2006 Guidelines”].
70 Guide for Small Companies, supra note 18 at page 11.

If any deficiencies exist at the end of the fiscal year, they must be reported. If any material weaknesses have been remedied by the end of the fiscal year, management may exclude disclosure of those from its assessment and state that internal control over financial reporting (“ICFR”) is effective as of the end of the fiscal year.71

Businesses progress through a growth cycle and the ICFR that is applicable to a start-up company will need to change as the business grows. Consequently, the control system itself must be constantly monitored and adapted to remain effective.72

Programs to coordinate changes within companies are difficult to execute because they require convincing many people to think differently about their jobs and positions. In trying to comply with new disclosure regulations, many companies have wasted money and resources by trying to initiate change in their employees in the wrong way.73 In other words, they have ignored corporate culture.

The nature of new disclosure regulations changes firm culture to focus on internal controls. This involves a change in mindset and not just a change in each employee’s day-to-day tasks.74

According to the Canadian Institute of Chartered Accountants’ “CoCo” model (which builds on COSO)75 there are four conditions to changing mindset for employees:

• Purpose – Employees must see the reason for the change and agree with it. This means that the purpose of the change must be defined, communicated and reinforced to employees. It has been suggested that this can be done through regular emails, or a portal on the company’s intranet dedicated to explaining the compliance project or performance reviews.76

• Commitment – Role models must model the changes, which means that management must understand the changes, and demonstrate their commitment to change. It is essential to have champions at influential levels of the enterprise to demonstrate commitment to change.

• Monitoring – All behavioural reinforcements must communicate the same message. This includes targets, performance measures, and financial and non-financial awards. Monitoring and reinforcement must continue to ensure employees remain committed to changes and to learning to perform their new tasks well over time.

• Capability and Learning – Employees must have the resources necessary to make changes. This may mean adding staff or education programs. Employees must also have the capability to execute changes.77

71 Overview of December 2006 Guidelines, supra note 57 at page 5.
72 Goodfellow and Willis, supra note 36.
73 Wolfe, supra note 20.
74 Wolfe, supra note 20.
75 Internal Control Systems, supra note 14.

The control process that is established must work to fulfill statutory requirements, and prevent and detect fraudulent reporting. The internal auditor is typically responsible for ensuring the adequacy of the system of internal control, reliability of data, efficient use of resources, identifying control problems and solutions for strengthening internal controls in all areas such as operations, finance and compliance.78 The internal auditor’s staff, status, reporting lines and relationship with the audit committee of the Board of Directors must ensure that they have the capacity to be objective and effective. The internal auditor’s activities should be coordinated with a licensed public accountant.79

76 In the personal experience of one of the authors (the much older one), management by email exhortation or, worse, intranet portal exhortation is fruitless. While it may or may not be possible to make a horse drink that has been led to water, it is definitely not possible to lead that horse to water using email.
77 Wolfe, supra note 20.
78 Internal Control Systems, supra note 14.

Audit committees also play an integral role in the process. The audit committee should oversee the financial reporting process and internal controls. The COSO commission recommends that the Board of Directors should have an independent audit committee of entirely independent Directors, and that the duties of the audit committee be set out in a charter.80

External auditors are necessary to evaluate the effectiveness of internal control, focusing primarily on controls that affect financial reporting. They report to the Board of Directors.81

The roles of the internal auditors, external auditors and the audit committee, and the steps taken by these parties to evaluate and certify a corporation for 1) disclosure controls and procedures (known as DC&P) and 2) internal control over financial reporting (i.e., ICFR), form another process that can be explored in greater detail.

Five Key Information Technology Decisions

There are five separate domains in which IT decisions are made: principles, architecture, infrastructure, business application needs and prioritization and investment decisions.82

1. Principles

Each company needs a clear understanding of what role IT will play in the company, what its goals and objectives are and how to achieve these using the IT system.83 Essentially, IT strategy must be aligned with the organization’s business strategy.84 A long-term overall plan takes time to develop and achieve.85 This is an important high-level decision because everything that follows will implement this decision. If management does not dictate IT’s role, the responsibility, in effect, falls on the IT department, which can always respond to individual projects but cannot build a platform to provide escalating benefits over the long term, because of lack of guidance.86 Likewise, if the goals are defined too broadly, IT will have difficulty creating tangible projects that generate predictable benefits.

79 COSO Summary, supra note 37.
80 COSO Summary, supra note 37.
81 Internal Control Systems, supra note 14.
82 Peter Weill and Jeanne Ross “A Matrixed Approach to Designing IT Governance” (Winter 2005) MIT Sloan Management Review [hereinafter “Weill and Ross”].

UPS, for example, began significant investment in IT during the 1980s and built a package database that could act as a platform for other programs, rather than creating a specific package tracking program. UPS drivers used a linked “Delivery Information Acquisition Device” to collect data from customers, which saved 30 minutes a day by eliminating the need to later input data into a computer. In addition to these initial benefits, the system also resulted in more accurate records of deliveries and increasing revenues, allowing UPS to introduce new products such as guaranteed deliveries and new processes such as on-line package tracking. Due to a clear understanding of their goals and consistent investments in the system, the sum of UPS’ ROIs has exceeded the sum of each project investment.87

83 Michael Ridley “Information Technology (IT) Governance: A position paper” September 2006 online: <http://www.isc.uoguelph.ca/documents/061006ITGovernance-PositionPaper-September2006.pdf> [hereinafter “Position Paper”].
84 John F. Rockart et al. “Eight Imperatives for the New IT Organization” (1996) 38 Sloan Management Review 1 at page 47 [hereinafter “Eight Imperatives”].
85 Charlie S. Feld and Donna B. Stoddard “Getting IT Right” (2004) Harvard Business Review, at page 6 [hereinafter “Feld and Stoddard”].
86 Six IT Decisions, supra note 3 at page 2.
87 Six IT Decisions, supra note 3 at page 3.

Four management objectives have been found to guide investment in IT.88 Each objective results in a different IT asset class:

• Transactional – cut costs or increase processing by automating commonplace processes

• Informational – provide information for accounting, management, teaching, compliance with government regulations

• Strategic – gain competitive advantages in the marketplace

• Infrastructure – provide a foundation for shared IT services89

Each class has a different risk-return profile that must be balanced to achieve the desired results.

IT principles should be re-evaluated periodically as the company’s objectives change. For example, as technology that was once strategic becomes commonplace, goals for IT will change from strategic to transactional.90

2. Architecture

Technical choices such as the processes that will be used, what capabilities will be standardized enterprise-wide, and what technology will be used are architectural decisions. Capabilities of the IT system should be built around the principles established by the company’s senior management.91

88 Peter Weill and Anne Johnson “Managing the IT Portfolio: Where Did the Infrastructure Go?” (2005) V MIT Sloan CISR 3A [hereinafter “Weill and Johnson”].
89 Ibid.
90 Ibid.

Many companies have their IT departments determine what systems will be used. However, this is not the department that should be making this decision. It’s like letting the taxi driver decide where the passenger wants to go. Characteristics of a system, such as reliability, responsiveness and accessibility, come at a cost. For some companies, such as investment banks, top-of-class service is absolutely necessary as they cannot afford downtime. For other companies, a slower response time, or occasional downtime, is tolerable, and systems can be upgraded as they become more affordable. An IT department making this decision might be tempted to recommend a high level of service when this is not always completely necessary. Such decisions need to be made by corporate executives, auditors and lawyers.92 Likewise, high-level security systems are expensive and inconvenient. Executive decision-makers need to have a clear understanding of what level of security is necessary in order to meet this requirement cost-effectively.93

Many IT systems have developed over time, resulting in haphazard data silos that serve separate areas of the company, such as accounting, marketing, etc. Feld and Stoddard recommended that a simplified, unifying corporate technology platform be implemented, with a horizontal architecture to serve the company as a whole.94

Delta Airlines is an example of such a system change. Delta was running more than 30 major IT platforms that were not integrated. It had one silo for each activity, such as baggage, gate, tower, etc. By creating an architecture that included a common set of databases based on a well communicated set of principles, the company was able to eliminate certain inefficiencies and effectively keep track of reservations, ticketing, check-in, baggage handling and crew operations.95 Replacing this system would have been extremely costly, and so Delta developed a new set of software, or middleware, to transfer the data from one program to another. This way the individual programs could be replaced when necessary, allowing costs to be spread over time.

91 Focus on Ross, supra note 4.
92 Six IT Decisions, supra note 3 at page 6.
93 Six IT Decisions, supra note 3 at page 7.
94 Feld and Stoddard, supra note 77. Charlie Feld has successfully applied these principles at a number of Fortune 100 companies including Frito-Lay, Delta Air Lines, Burlington Northern and Santa Fe Railroads.

3. Infrastructure

Once the capabilities of the IT system are built, who will have access, for how long, and what data will be shared, must be determined. This includes considering what services are critical, what systems will be implemented enterprise-wide, what the service-level requirements are, and how technology will be kept up to date. As IT infrastructure becomes more efficient, spending in this area will decrease.96 Again, management must know enough to provide guidance and oversight on such questions.

4. Enterprise Application Needs

Application needs are the business requirements for the systems and services that are either purchased or internally developed. How IT needs are addressed within the system architecture will depend on the principles the IT system is there to enhance. Management must consider what applications are required and how this is determined: whether each unit decides on its own requirements, or whether applications are provided centrally. It cannot be left up to lower-level staff to make such decisions. On the contrary, it is for senior management to decide and for the Board of Directors to oversee.

95 Feld and Stoddard, supra note 77 at page 7.
96 Weill and Johnson, supra note 80.

5. IT investment

IT investment is the decision of where to invest in IT, how much, and when. Who decides on the prioritization of projects is important, and there must be justification for such investment that is defensible at the Board and senior management levels. Successful IT investments come from using multiple approaches to evaluate IT investments.97 The goal of IT investment is to achieve short-term profitability and long-term survival and growth for the company. To address these dimensions companies need to invest in four areas: transformation, renewal, process improvement and experiments.98 Research suggests developing four pools of resources so that contributions are made equally to all areas.

(i) Transformation

Transformation investments are investments to overhaul an inadequate core business system that is preventing the business from achieving its long-term strategic goals. Delta Airlines’ overhaul of its silo system in favour of a horizontal platform is an example of a transformation investment.

These investments are risky and sizable, but they are usually undertaken when they are critical for a business to remain competitive. Decisions for transformation funding are made by the executive. Examples of transformation projects are network transformations, building data warehouses or standardizing desktop technologies.99

97 Jeanne Ross and Cynthia Beath “Beyond the Business Case: New Approaches to IT Investing” (Winter 2002) 43 MIT Sloan Management Review 2 at page 53.
98 Ibid at page 53.
99 Ibid at pages 53 & 54.

(ii) Renewal

Renewal consists of upgrades or improvements to existing technology such as operating systems or memory. This is usually done to reduce costs or raise quality, or is due to a vendor’s decision to stop supporting existing technology. Decisions to fund this type of investment are made by business case or by annual allocations by the CIO.100

(iii) Process Improvements

Process investments are driven by an opportunity to improve existing technology performance. These are low-risk investments because they are changes to existing operational outcomes.

When Delta Airlines implemented its new system, it continued to use the old system, giving it certainty as to what continuing costs would be, what improvements would result, and what the value of those improvements was. Decisions to fund these investments are usually made by a business case.101

(iv) Experiments

Investments in experiments are driven by new technologies, new ideas for products or new business models. Successful experiments give companies an opportunity to adopt new business models and can lead to investment in the other three areas. Decisions to fund experiments are made at the business or executive level.102

It was through investment in these four areas that UPS was able to realize the changes described earlier in this paper. It invested in the transformation of a new centralized data center, and on this foundation it initiated process improvements to customer service and broadened service offerings. Instead of only viewing business case presentations, charters were presented to support the cross-functional process. UPS now has a standard renewal system administered by the CIO and experimentation funding, such as an e-Ventures unit that tests e-business opportunities.103

100 Ibid at page 54.
101 Ibid at page 54.
102 Ibid at page 55.

Although these areas overlap, companies should distinguish between the four areas of investment so that investment can be tracked, and profitability estimates can be properly attributed to their source.104

(v) Funding: Distributing Funds Across Investment Types

Executives can decide how funding shall be allocated based on:

• Perceived possible opportunities

• Necessary infrastructure change

• Income generation

• A combination of set funding and competition for funding based on return105

(vi) Prioritizing Funds within Investment Type

Techniques to guide fund prioritization will be different in each of the four categories. Transformation funding involves large costs that do not produce direct profits. Value is only derived in the long term, when processes are changed. Decision-tree analysis or real-option analysis may aid in determining the funding for this type of investment.106

103 Ibid at page 56.
104 Ibid at page 55.
105 Ibid at page 58.

Funding renewal is usually justified by a business plan presented by the “owner” of the technology or the IT unit responsible for servicing it, and priority can be established based on these business plans. Process improvements are usually cross-funded, which will impact funding in this area. Dependency on these programs also may impact how funding is determined. Local process improvements are often funded differently than company-wide investments, through a set allowance.107

IT experiments can be difficult to value, making fund prioritization more intangible and usually determined by the manager’s enthusiasm for the project. A real-option analysis has been recommended for valuation of IT experiments. Experiments can also be funded in the form of special business development units such as e-business units.108

Conclusion

As technology has become more sophisticated, companies are gaining access to vast amounts of information as never before. A proper control system, including a solid IT Governance system, is essential to controlling this information instead of being controlled by it.109 There is no shortcut to developing an efficient and effective IT system. Companies, whether public or private, must engage in long-term planning processes in connection with IT. Throwing money at a system will only amplify the problem.110 Although it can be a great change to undergo, planning and engaging in a control process is well worth it, as not only is it legally necessary, but it is also essential for long-term sustainability.

106 Ibid at page 58.
107 Ibid at page 58.
108 Ibid at page 58.
109 Origitano, supra note 7.
110 Origitano, supra note 7.

© Copyright 2007, Donald B. Johnston, Rebecca Kacaba, Aird & Berlis LLP
