Our recent Journal article addresses this issue of the board’s role in IT governance by examining the charters of board-level IT committees. We reviewed the committee charters to analyze the prescribed roles and responsibilities of these committees. If the charters are not clear or complete, board members may misunderstand their roles. We found that only 23 Fortune 500 companies had board-level IT committees at the time of our study. We used content analysis to categorize the documented roles and responsibilities according to the 5 IT governance domains: strategic alignment, value delivery, resource management, risk management and performance measurement. Our Journal article contains our findings and discusses the opportunities for these committees to improve their governance roles.
A topic that we are interested in beyond the scope of our article is the IT auditor’s role in ensuring the effectiveness of these committees, or of the board at large, in terms of IT governance. During an IT governance audit, the auditor should examine the committee charters to ensure committees are set up to follow best practices and fulfill COBIT-related IT governance roles. Examining meeting minutes and matching them to the prescribed roles could further ensure these committees are effective in their oversight role. In fact, IT-related issues may be discussed and documented in board meeting minutes regardless of whether the company has a specifically designated board-level IT committee. We hope to explore some of these issues in the future.
Read Nancy Lankton and Jean Price’s recent Journal article:
“Board-level Information Technology Committees,” ISACA Journal, volume 2, 2016.
Nancy Lankton, CISA, CPA, and Jean Price
[ISACA Journal Author Blog]