IT Governance and the Audit Committee Recognizing the Importance of Reliable and Timely Information


IT ADVISORY
KPMG INTERNATIONAL


IT Governance and the Audit Committee: Recognizing the Importance of Reliable and Timely Information

IT governance is a set of business processes that impose management and control disciplines on IT activities to help ensure the integrity and protection of IT operations and the achievement of targeted business goals. These disciplines drive:

- Proper communications and planning to help keep IT goals aligned with those of the business
- Identification, definition, and prioritization of IT investments that create and sustain business value through regulatory compliance, risk mitigation, operational performance enhancements, processing reliability, cost effectiveness, and responsiveness to change
- Appropriate commitment to controls and reporting to address accountability, transparency, processing integrity, and data protection
- Identification and continuous involvement of the business stakeholders who work with IT to identify and agree on business objectives and hold IT accountable for their realization.

There have been a number of high-profile instances where processes that govern the integrity of information technology operations (IT governance) are not sufficiently effective to guard companies against serious financial loss. Companies have damaged their operations and negatively impacted revenue recognition, profit, and reputation by compromising the integrity or availability of their information as a result of problems associated with IT system implementations. Many companies have inadvertently made private customer data available to unauthorized parties and, more troubling, were not aware of the extent of the problem until much later. Unfortunately, these types of serious business incidents are not isolated in an economy that is powered by complex information systems.
These events can occur when processes that govern the integrity and protection of IT operations are not appropriately aligned with business objectives and goals. They show that controls and normal reporting are not always enough. The incidents also underscore the idea that unexpected combinations of events and lack of discipline around the execution of controls can create major business vulnerabilities. How companies use and control information continues to increase in importance as they rely on technology for virtually every aspect of business operations. IT governance does much more than consider the security of information. IT governance, as a vital element in overall corporate governance, creates an environment where information can be leveraged to deliver overall business value. It can be used to measure the effectiveness of information technology, the quality of IT management and staff, and the efficiency of decision-making structures and rules. The right IT governance enables new IT systems to be developed and operated with greater effect at lower risk.

IT governance plays an important role in the management of many general business risks. IT is one of the largest and least-understood costs. IT plays an important role in protecting the business from:

- Errors caused by incorrect processing of information
- Business interruption as a result of inadequate contingency capabilities
- Compromise of processing integrity as a result of uncontrolled changes
- Unauthorized access to information, such as breaches of privacy rights, compromise of processing integrity, and processing interference with malicious intent.

IT governance should therefore be an important consideration for the audit committee. Incidents such as exposing private data may have a direct bearing on the audit committee's responsibilities with respect to internal controls and risk management, because they can impact financial statements. For that reason alone, IT governance should merit the attention of the audit committee; but when you add other kinds of IT problems that can lead to business performance issues impacting business profitability, consumer confidence, investor confidence, regulatory compliance, and even the long-term viability of the business, you find additional reasons why IT governance should be high on board agendas and, many times, audit committee agendas.

Governments in virtually every major economy have imposed some type of investor-protection legislation in response to these serious business issues. Such laws, rules, and regulations have placed great importance on overall corporate governance and the attendant role of IT governance. To be sure, IT governance is on the minds of many senior corporate officers, but how often is the issue discussed when audit committees meet? IT governance is critical to many aspects of the business that are important to audit committees, such as the integrity of the information that supports the financial statements. IT governance is also an important factor in managing the cost-effective and reliable delivery of business process enhancements. Audit committees can play an important role by influencing the priority businesses place on the steps necessary to implement and maintain adequate governance of their IT activities.

To better understand how U.S. audit committee members actually address IT governance, KPMG's Audit Committee Institute and the National Association of Corporate Directors (NACD) conducted their Second Annual Audit Committee Member Survey, polling over 250 audit committee members around the country. Only 9 percent (see Chart A) reported being "Very satisfied" that audit committees devote sufficient agenda time to the oversight of IT risk.

Chart A: One in three companies are "Not satisfied" that the audit committee devotes sufficient agenda time to IT risk oversight. Fewer than one in ten are "Very satisfied" with the agenda time spent on IT risk oversight. Percentage of respondents: Not satisfied 32%, Somewhat satisfied 59%, Very satisfied 9%. May not add up to 100% due to rounding. Source: ACI/NACD Annual Audit Committee Member Survey.

This lack of satisfaction is especially relevant after recognizing that IT governance has a direct correlation to virtually all of the top seven oversight priorities that audit committee members identified in our survey (see Chart B). Those priorities included internal controls, risk management, IT data security, and business strategy. Contrasted against those priorities is the widely accepted notion that many senior members of business organizations do not have a working understanding of IT, let alone IT governance. And, while there is general recognition that IT is pervasive and important, many executives do not believe that IT delivers a clear return on investment (ROI).

Chart B: IT governance has not been an audit committee priority, but should it be? Companies rated the following areas of oversight among the highest priorities on the audit committee agenda: accounting judgments and estimates; internal controls; risk management; information technology, data security; legal/regulatory compliance; internal auditor effectiveness; business strategy; external auditor effectiveness; taxes; fraud risk; other (percentage of respondents; multiple responses allowed). Many of the audit committee priorities often involve issues of IT governance. Source: ACI/NACD Annual Audit Committee Member Survey.

It is generally accepted that IT governance and its enhancement must come from the top of the organization. When audit committee members were polled to determine whether they are satisfied with their board's oversight of IT risks, the results show that there is plenty of room for improvement (see Chart C). Only 19 percent of respondents said they are "Very satisfied" with the board's oversight of IT compliance and control. In addition, based on its importance in controlling risk and driving demonstrable business value, IT governance should be viewed as:

- An integrated element of good corporate governance
- Part of the oversight responsibility of board members and executives
- Dependent on top-down commitment and management
- An essential factor in the alignment of IT with the priorities of the business
- An essential factor in managing controls, recognizing important issue correlations, and imposing the appropriate disciplines around performance and accountability.

Chart C: Satisfaction with audit committee IT risk oversight is low. Respondents rated oversight of IT compliance and controls, business continuity, and information security/privacy as "Needs improvement", "Somewhat satisfied", or "Very satisfied" (percentage of respondents; only 19 percent were "Very satisfied" with oversight of IT compliance and controls). May not add up to 100% due to rounding. Source: ACI/NACD Annual Audit Committee Member Survey.

Some of those who more effectively manage IT governance realize that focus on IT governance can mean the difference between a costly failure and a measurable success. They also realize that when an organization demonstrates a commitment to the integration of IT governance into its overall corporate governance, it can send a clear message to regulators, shareholders, stakeholders, bond-ratings agencies, and the capital markets that it is serious about accountability, controls, and processing integrity. Despite the importance of IT governance, the marketplace demonstrates that many IT organizations do not have a working accountability for the business value they create, have not created a design architecture that facilitates change, and may not be fully leveraging the opportunities afforded by recent compliance legislation and regulation.

Executives Agree that IT Governance Is Important, but Challenges Remain

Corporate information assets can account for more than 50 percent of capital spending*, yet there is a pervasive perception that many IT projects do not meet expectations. Some IT project failures have been highly damaging, such as the case of a multinational foods company that spent more than USD100 million and 30 months on an enterprise resource planning (ERP) system that was plagued with problems from the start. When the company launched its ERP system it discovered shipments were slow and some orders were incomplete. As a result, customers were angry and quarterly profits fell by USD150 million, compared with the same quarter a year earlier.
If this project had more formal governance procedures in place, it might have had better-defined business objectives, regular management of progress, control checkpoints, financial controls, and clear accountability for results, all of which may have helped identify issues earlier. The board and audit committee might have received specific, periodic messages about potential failure well in advance of this catastrophe.

* Information Technology and the Board of Directors, Harvard Business Review, October 2005

Consider the findings of a recent KPMG-commissioned global survey on attitudes about IT. Nearly half (47 percent) of respondents said their organizations do not monitor and measure project results, making the analysis of ROI particularly difficult. The survey, which was conducted for KPMG by the research firm Ipsos Corp., also found that 34 percent of respondents do not prepare a business case for every IT investment opportunity. For those organizations that reported that they did complete business cases for IT investments, about one quarter (26 percent) do not monitor and manage the costs, schedule, scope, and performance of the projects to keep them consistent with the original business case assumptions. It is no wonder, then, that a 2005 KPMG Project Management survey discovered that half of the respondents reported at least one IT project failure in their organization during a 12-month period. Eighty-six percent of organizations also reported losing up to 25 percent of target benefits across their entire project portfolio. According to the 2005 Technology Issues for Financial Executives Survey, conducted by the Financial Executives Research Foundation (FERF), only about half (47 percent) of survey respondents appeared to be satisfied with the returns on their IT investments.
FERF notes that companies with strategic IT plans that are fully aligned with their corporate strategy report higher returns from their IT investments than those companies for which business alignment is a problem. There are many explanations as to why projects do not meet expectations, but perhaps the most basic is that the IT people and the business people inside an organization often speak different languages. When IT executives speak to colleagues in operations they sometimes use technical jargon that puts off their audience and do not communicate frequently enough to stay aligned as business environments change. It is therefore important that when audit committee members discuss IT governance issues with the board they emphasize the importance of frequent communications and cross-training for the business and technical executives. The Ipsos Corp. research also shows that while organizations acknowledge the importance of IT governance, they lack the commitment to build it into their corporate governance efforts. Respondents were asked to describe what IT governance means to them, and were later asked whether their organization had implemented any of those measures. Although 73 percent of respondents said they believe the establishment of policies is an essential component of governance, only 56 percent actually have such processes in place in their organizations. This represents a significant gap of 17 percentage points between what is perceived as important and what is actually implemented. In addition, 65 percent of respondents said management of risk was an essential component of IT governance, yet only 53 percent said their organizations have actually implemented any IT governance practices aimed at managing risk.

What Audit Committees Can Do

Information and information technology are vital to virtually all companies today, and will be even more important in the future. Moreover, the risks to information and the technology driving it (from information quality and reliability, to privacy and security, to business continuity/disaster planning) can pose critical threats to the business. Yet, many audit committees lack the time and expertise to oversee the management of these risks as well as IT governance generally. As a result, audit committees and boards may need to consider how best to align their oversight responsibilities for IT governance: what arrangement makes sense? The audit committee clearly has responsibility to oversee financial reporting-related IT risks. The question is who (the audit committee, the full board, or another board committee) should have oversight responsibility for other categories of IT risk, as well as IT strategy and investments. Audit committees can play an important role, and serve as a catalyst, in clarifying these oversight responsibilities. Ultimately, through their oversight activities, audit committees and boards can help ensure that management has effective IT governance processes to manage IT risks, as well as IT strategy and investments.

kpmg.com

Contacts

Richard K. Anderson, Principal, IT Advisory
Stephen G. Hasty Jr, Partner, IT Advisory
Lawrence Raff, Partner, IT Advisory
Caryn P. Bocchino, Senior Manager, Audit Committee Institute

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. Visit KPMG on the World Wide Web at kpmg.com. KPMG International is a Swiss cooperative. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Printed in the U.S.A.

Document code: GSC041