Interest in IT governance is increasing due to the changing role and relevance of IT within organizations for supporting, sustaining and expanding business. According to the IT Governance Institute, IT governance is the form of leadership, organizational structures and processes that ensure an organization’s IT sustains and extends the organization’s strategies and objectives. While management’s role in IT governance is imperative, practitioners and academics have also long advocated board involvement in IT governance. However, the literature shows that boards may not be very involved in IT governance. This could be because board members may not have the needed IT expertise to provide direction on important operational and strategic IT-related issues. Boards may also not be very involved because IT is not placed on the board’s agenda or because board members simply do not understand their roles regarding IT governance.
Our recent Journal article addresses this issue of the board’s role in IT governance by examining the charters of board-level IT committees. We reviewed the committee charters to analyze the prescribed roles and responsibilities of these committees. If the charters are not clear or complete, board members may misunderstand their roles. We found that only 23 Fortune 500 companies had board-level IT committees at the time of our study. We used content analysis to categorize the documented roles and responsibilities according to the 5 IT governance domains: strategic alignment, value delivery, resource management, risk management and performance measurement. Our Journal article contains our findings and discusses the opportunities for these committees to improve their governance roles.
A topic that we are interested in beyond the scope of our article is the IT auditor’s role in ensuring the effectiveness of these committees or the board at large in terms of IT governance. During an IT governance audit, the auditor should examine the committee charters to ensure committees are set up to fulfill best practices and COBIT-related IT governance roles. Examining meeting minutes and matching them to the prescribed roles could further ensure these committees are effective in their oversight role. In fact, IT-related issues may be discussed and documented in board meeting minutes regardless of whether the company has a specifically designated board-level IT committee. We hope to explore some of these issues in the future.
Read Nancy Lankton and Jean Price’s recent Journal article:
“Board-level Information Technology Committees,” ISACA Journal, volume 2, 2016.
Nancy Lankton, CISA, CPA, and Jean Price
[ISACA Journal Author Blog]