THE CRITICAL IMPORTANCE OF IT GOVERNANCE IN AN ORGANIZATION (STUDY OBJECTIVE 8)

The establishment and use of an IT governance committee and an SDLC are critically important for an organization to accomplish IT governance. Three major purposes are served by the continual and proper use of the IT governance committee and the SDLC:

  1. The strategic management process of the organization
  2. The internal control structure of the organization
  3. The fulfillment of ethical obligations

The manner in which the SDLC accomplishes these three purposes is described in the sections that follow.

SDLC AS PART OF STRATEGIC MANAGEMENT

As discussed in the introduction of this chapter, IT systems are an extremely important resource in most organizations. They improve the efficiency and effectiveness of operations and contribute to the long-term success of the organization. Each organization may approach IT governance in a slightly different manner, but every organization should establish procedures for IT governance. The models presented in this chapter, an IT governance committee and a systems development life cycle, are typical of IT governance. The SDLC serves as the mechanism for continually assessing how well IT systems fit the long-term strategy and short-run goals of the organization. Once the IT governance committee has identified which types of IT systems are appropriate for the organization, the SDLC becomes the mechanism for properly managing the development, acquisition, and implementation of those systems.

SDLC AS AN INTERNAL CONTROL

Chapter 4 provided an overview of the AICPA Trust Services Principles and their role in the internal control structure of IT systems. These Trust Services Principles include many details about an IT governance committee and the SDLC and the role of these two strategic management processes in the internal control structure. The Trust Services Principles illustrate that the SDLC and an IT governance committee are important parts of the IT system of an organization. Without the use of an IT governance committee and the SDLC, the process of revising or updating systems can be chaotic and uncontrolled. The organization is likely to find that an uncontrolled approach results in poorly designed and documented systems. In addition, systems that result from such a chaotic process would probably not meet user needs and would not be likely to support the strategic objectives of the company.

A few excerpts from the Trust Services Principles are presented in Exhibit 6-8 as examples of the role of an IT governance committee and the SDLC in internal controls. The term steering committee is becoming less popular in the IT industry than the newer term IT governance committee.

These excerpts illustrate that an IT governance committee and the SDLC are used as internal control mechanisms to monitor and control the security, availability, acquisition, implementation, and maintenance of IT systems. These mechanisms allow management to ensure that IT systems meet organizational needs and that the development and implementation of new IT systems are properly controlled.

Security 4.3
Criterion: Environmental and technological changes are monitored and their effect on system security is assessed on a timely basis.
Illustrative controls: Senior management, as part of its annual IT planning process, considers developments in technology and the impact of applicable laws or regulations on the entity's security policies. The entity's IT security group monitors the security impact of emerging technologies. Users are proactively invited to contribute to initiatives to improve system security through the use of new technologies.

Availability 2.5
Criterion: Changes that may affect system availability and system security are communicated to management and users who will be affected.
Illustrative controls: Planned changes to system components and the scheduling of those changes are reviewed as part of the monthly IT steering committee meetings.

Availability 3.9
Criterion: Procedures exist to identify, report, and act upon system availability issues and related security breaches and other incidents.
Illustrative controls: Network performance, system availability, and security incident statistics, together with comparisons to approved targets, are accumulated and reported to the IT steering committee monthly.

Security 3.8
Criterion: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software related to system security are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.
Illustrative controls: The entity has adopted a formal systems development life cycle (SDLC) methodology that governs the development, acquisition, implementation, and maintenance of computerized information systems and related technology. The SDLC methodology includes a framework for classifying data and for creating standard user profiles, which are established based on an assessment of the business impact of a loss of security. Users are assigned standard profiles based on their needs and functional responsibilities.

Process Integrity 3.2
Criterion: The procedures related to completeness, accuracy, timeliness, and authorization of system processing, including error correction and database management, are consistent with documented system processing integrity policies.
Illustrative controls: The entity's documented systems development life cycle (SDLC) methodology is used in the development of new applications and the maintenance of existing applications. The methodology contains required procedures for user involvement, testing, conversion, and management approval of system processing integrity features.

Exhibit 6-8 Selected Sections of the AICPA Trust Services Principles
