
Recent publicity over accounting failures emphasises the need for
timely, accurate and complete information. While effective IT
management cannot eliminate the risk posed by incompetent or
dishonest business leaders, it can help reduce it to the lowest
possible level.
Enron, WorldCom, Xerox: just three of the major US corporations
that have suffered significant and widely reported accounting and
financial reporting problems in recent months, each leading to
significant and, in some cases, almost total loss of shareholder
value and market confidence.
In turn, these problems have contributed to the greatest fall in
worldwide stock market prices and investor confidence that has been
seen in recent years. These cases and others have led to
allegations of failures in corporate governance and oversight.
Only time, and the detailed forensic investigations that will
surely now take place, will tell us how these problems really
occurred and to what extent the boards and their external advisers
were really aware of the underlying issues.
Did they see the problems coming? Did they make a conscious
decision to ignore them? Were they party to the alleged management
actions in the first place? Were the directors, and particularly
the non-executive directors misled, or did they just fail to ask
the right questions or fully understand the answers?
These are all essential questions, full answers to which must be
forthcoming from the aftermath if the corporate and regulatory
world are to learn from any mistakes that might have been made and
minimise the chances of similar problems happening in the
future.
But what has this got to do with the world of information
technology? Surely these were just accounting and corporate
governance issues with no relevance to the governance of IT?
It would be unfortunate if this were to be the perception. There is
of course a danger that the messages of strong IT governance may
seem to be trivialised and sidelined in the light of what may be
seen as failures of corporate governance at the highest levels.
This would be understandable, but wrong. These cases perhaps
underline even more fundamentally the need for effective governance
of IT. Perhaps, if anything, these
recent events move the emphasis of IT very firmly from the T to the
I - information. This would not be a bad thing.
Boards of directors, particularly non-executives, need to have
access to timely, accurate and complete information if they are to
discharge their governance responsibilities correctly and fully.
In complex business models such as those allegedly employed by, for
example, Enron, where the business transactions became ever more
complex to understand, it is even more important that those charged
with governance responsibilities have access to the right
information and that they understand what it all means.
Unless they are able to do this there is no way that they will be
able to ask the right questions, understand the risks and ensure
that risks are properly mitigated. Information technology has a
clear role to play in this.
It is the IT systems that process, analyse and deliver the
information. It is the controls exercised over that information as
it moves from raw transaction data to fully analysed and summarised
reported information that will help ensure its propriety, its
accuracy, its completeness and therefore its reliability.
It is an effective control structure that will minimise the risk of
wilful interference in the compilation of reliable management
information. In my many years' experience as an IT risk consultant
and IT auditor it never ceased to amaze me how the concept of
control, which to me seemed so fundamental, was often addressed as
an afterthought, if at all, in the specification of systems.
Such systems generally are designed by and for those who will be
directly involved in the day-to-day operation of the relevant
automated business processes. Rarely in my experience is there any
involvement from those responsible for the oversight or the
governance of the processes or the business transactions.
Of course those directly involved in the day-to-day activities
usually understand the business fundamentals and therefore make
assumptions as to the information they might need and its
underlying reliability based on their own close involvement in
these processes.
They also often make totally misjudged assumptions on the need for
controls to be built into and around the system. How, then, do
those with the higher-level responsibilities satisfy themselves
that the information they get is complete and accurate? How also do
they satisfy themselves that the system of controls cannot be
ignored or overridden?
The simple answer is that generally they don't even ask the
question. They often make assumptions or are ignorant of the fact
that the management information presented to them may not be
totally complete or reliable.
Perhaps these recent events will cause them to seek positive
assurance on the continued reliability of key management
information. Not only are they being told the truth but, equally
importantly, is it the whole truth?
In this they can be assisted and advised by their internal audit
functions who will, or should, have the skills to review control
structures and advise on omissions and vulnerabilities.
Internal audit should be involved in the specification of all
significant business and management information systems in order to
help ensure that the right risks are addressed and that the
controls over both the day-to-day processing and the management
reporting are up to the standard expected.
Guidance on controls can be obtained from professional bodies such
as the IT Governance Institute, the Information Systems Audit and
Control Association, the Institute of Chartered Accountants in
England and Wales, and the Institute of Internal Auditors.
Of course, no system of control, no matter how good, will eliminate
the risk of corporate failure caused by reckless or incompetent
management. However, the reduction of risk is all about managing
risk down to the lowest possible level.
An appropriate and reliable structure of controls should assist
directors in providing them with regular positive assurance on the
completeness and reliability of the information with which they are
presented.
Such assurance is an essential pre-requisite for them to properly
discharge their governance responsibilities. IT governance in all
its components should remain firmly on the corporate agenda.
Paul Williams is an independent consultant specialising
in IT governance, IT due diligence and project risk management. He
can be contacted at paul@paulwilliamsconsulting.co.uk.