Enron, WorldCom and Xerox are just three of the major US corporations that have suffered significant and widely reported accounting and financial reporting problems in recent months, each leading to significant and, in some cases, almost total loss of shareholder value and market confidence.
In turn, these problems have contributed to the greatest fall in worldwide stock market prices and investor confidence that has been seen in recent years. These cases and others have led to allegations of failures in corporate governance and oversight.
Only time, and the detailed forensic investigations that will surely now take place, will tell us how these problems really occurred and to what extent the boards and their external advisers were really aware of the underlying issues.
Did they see the problems coming? Did they make a conscious decision to ignore them? Were they party to the alleged management actions in the first place? Were the directors, and particularly the non-executive directors, misled, or did they simply fail to ask the right questions or to understand the answers fully?
These are all essential questions, and full answers must emerge from the aftermath if the corporate and regulatory world is to learn from any mistakes that may have been made and minimise the chances of similar problems recurring.
But what has this got to do with the world of information technology? Surely these were just accounting and corporate
It would be unfortunate if this were to be the perception. There is, of course, a danger that the message of strong IT governance will be trivialised and sidelined in the light of what may be seen as failures of corporate governance at the highest levels.
This would be understandable, but wrong. These cases perhaps underline even more fundamentally the need for effective governance of IT. Perhaps, if anything, these
Boards of directors, particularly non-executives, need to have access to timely, accurate and complete information if they are to discharge their governance responsibilities correctly and fully.
In complex business models such as those allegedly employed by, for example, Enron, where the business transactions became ever more complex to understand, it is even more important that those charged with governance responsibilities have access to the right information and that they understand what it all means.
Unless they can do this, they will be unable to ask the right questions, understand the risks and ensure that those risks are properly mitigated. Information technology has a clear role to play in this.
It is the IT systems that process, analyse and deliver the information. It is the controls exercised over that information as it moves from raw transaction data to fully analysed and summarised reported information that help ensure its propriety, its accuracy, its completeness and therefore its reliability.
It is an effective control structure that will minimise the risk of wilful interference in the compilation of reliable management information. In my many years' experience as an IT risk consultant and IT auditor it never ceased to amaze me how the concept of control, which to me seemed so fundamental, was often addressed as an afterthought, if at all, in the specification of systems.
Such systems are generally designed by and for those who will be directly involved in the day-to-day operation of the relevant automated business processes. Rarely in my experience is there any involvement from those responsible for the oversight or the governance of the processes or the business transactions.
Of course those directly involved in the day-to-day activities usually understand the business fundamentals and therefore make assumptions as to the information they might need and its underlying reliability based on their own close involvement in these processes.
They also often make badly misjudged assumptions about the need for controls to be built into and around the system. How, then, do those with the higher-level responsibilities satisfy themselves that the information they receive is complete and accurate? How do they satisfy themselves that the system of controls cannot be ignored or overridden? A control that an administrator can switch off, or a report that an operator can edit before it is issued, gives no assurance at all.
The simple answer is that generally they do not even ask the question. They often assume, or are simply unaware, that the management information presented to them may not be complete or reliable.
Perhaps these recent events will cause them to seek positive assurance on the continued reliability of key management information. Not only are they being told the truth but, equally importantly, are they being told the whole truth?
In this they can be assisted and advised by their internal audit functions who will, or should, have the skills to review control structures and advise on omissions and vulnerabilities.
Internal audit should be involved in the specification of all significant business and management information systems in order to help ensure that the right risks are addressed and that the controls over both the day-to-day processing and the management reporting are up to the standard expected.
Guidance on controls can be obtained from professional bodies such as the IT Governance Institute, Information Systems Audit and Control Association, the Institute of Chartered Accountants in England and Wales, and the Institute of Internal Auditors.
Of course, no system of control, no matter how good, will eliminate the risk of corporate failure caused by reckless or incompetent management. Risk management, however, is about driving risk down to the lowest practicable level, not about eliminating it.
An appropriate and reliable structure of controls should provide directors with regular positive assurance on the completeness and reliability of the information presented to them.
Such assurance is an essential prerequisite if they are to discharge their governance responsibilities properly. IT governance, in all its components, should remain firmly on the corporate agenda.
Paul Williams is an independent consultant specialising in IT governance, IT due diligence and project risk management. He can be contacted at email@example.com .