Having had the opportunity to study, review and apply IT governance, risk, security, audit and controls in my daily work, and observing the socio-economic landscape of my beloved country, Zimbabwe, I smiled and yet felt professionally daunted by the huge task ahead of us.
Where do we start in the aftermath of a storm, given the lack of governance over IT, of adequate technology investment and of IT appreciation by the organisation's key stakeholders? Those of us charged with the responsibility and accountability for the governance, control, value addition and protection of information technology and related information assets acknowledge that it is a journey.
However, the objective is to begin with the end in mind: take the ideal state and start building towards it now. The result is an organisation that spends less time worrying about governance and security and instead institutes security governance and controls iteratively, protecting its technology and information assets in line with accepted best-practice frameworks and standards.
Executives may wonder how to respond to advice from internal or external auditors about the risks in their organisation's technology environment and the impact those risks may have on financial reporting and disclosures. The question is how to address the risk findings while still keeping the business operating at or above its minimum working capital and pursuing focused, sustained growth in the short to medium term.
To put this question into perspective: if IT governance and the protection of technology and information assets are not planned carefully and in detail, they become costly to the organisation, to the point where the business will not realise a return on its investment. A poorly designed security framework or set of standards exhibits control weaknesses that compromise organisational information and technology, or the technology division may simply fail to meet the objectives of the business. So what is a meaningful and affordable starting point for security in an organisation, in light of the Zimbabwean economy and the hunger to return to real profit margins and a healthy balance sheet?
Because auditors (internal or external) must preserve their independence and therefore cannot remediate the weaknesses they report, organisations can engage skilled governance, risk and security professionals to assist them in instituting governance, controls, security and continuity over their information technology investment and the related information, which is not limited to financial data.
From a simple but informed point of view, executives can mandate a risk gap analysis to be conducted on their behalf, taking into account every past audit report issued by any auditor. The purpose of the gap analysis is to establish where the company currently stands with regard to information security, benchmark that position against accepted best practice, and assess the gap together with the potential risks and impact if no risk mitigation plan is put in place.
This detailed document gives management a starting point from which to address the control weaknesses identified. From the gap analysis, further work can qualify and quantify each identified risk: its resolution, cost and benefit, the resources and skills required, and its potential impact on the technology environment and the business.
This vital stage allows the organisation to perform an impact assessment and determine the plan of action, which activities should be carried out, and how the plan will be managed and accounted for by those charged with the responsibility. Is this a feasible starting point? An example will help bring clarity to the point.
Take information technology general controls (ITGC) as an example. ITGC is a key area that auditors examine in their audit procedures to decide whether or not to place reliance on IT systems and the information they process: is that information complete, accurate and valid?
Now take change management, a subcomponent of ITGC, and assume the auditors identified risks in it. If management reads the findings, potential impact and recommendations carefully, it will generally find that the key issue is the lack of a clearly defined policy or process. The consequence is non-compliance, such that reliance cannot be placed on the control environment.
In addressing the issue, a gap analysis helps management identify the root cause of the problem. In this case it may be that IT governance or a clearly defined process has not been put in place, or that the organisation lacks the in-house skills to fully articulate and comply with the IT policy, or some other reason. The underlying principle is the same: take the root cause and translate it into a workable solution that bridges the gap and mitigates the risks involved.
This is only a high-level, summarised example, but the fact of the matter is that now is the time for executives and management to take control of their technology and information assets: institute security and protect the organisation's technology assets and information.
Defining, implementing and continuously improving security and control over an organisation's technology and information should not wait until the organisation is on a sound financial footing. Now is the time, hence these awareness initiatives. Let us engage, and always remember that it can be done.
This article was written for Techzim by guest writer Lemuel Longwe (CISA)
3 thoughts on “The Need For IT Governance”
Thanks for the article Lemuel. As you rightly mentioned in your article, appreciation of IT governance starts at the very top in any organisation. Presently in Zimbabwe, my view is that most company executives think of IT Governance as a small issue and only realise the need for it when disaster strikes. The main issue for most companies is uptime/availability of IT systems; anything else becomes secondary to them. IT systems and equipment are generally very expensive to purchase and maintain. Without a well-structured IT Governance and Control framework, it's difficult to have an idea of, let alone calculate, the return on investment of IT systems and equipment. In most cases, companies break their backs buying systems and equipment whose value addition to the company is minimal or nonexistent.
Liberty. There are various ways and means to get management and executives involved, the critical element being the change in organisational culture in order for them to embrace IT for what it is and its impact on the business. Having done that, it's imperative that you work with them closely to appreciate the role of IT and business and then take things from that perspective to realign IT with the business from a strategic and value viewpoint.
I studied for a degree in Computer Science and am looking for information on where and how I can further study for IT Auditing. Please help