KnowledgeLeader Blog

Auditing IT Management: Aligning IT with Business Priorities

Posted by Sharise Cruz on Wed, May 15, 2013 @ 09:45 AM

The "Holy Grail" for IT has always been to be closely aligned with business efforts. For years, business has encouraged IT to focus on delivering business priorities. At the same time, IT has tried to be an integral part of business planning and align IT efforts and investments with business priorities. Ultimately, effective IT alignment really does require the ongoing and engaged involvement of all key participants.


ALIGNING IT AND BUSINESS PRIORITIES IS A NEVER-ENDING EFFORT

Where does one start? The organization’s strategic planning effort should be the first place to start; the board and senior management need to define their strategic direction, key business priorities and objectives, and a roadmap to get there. If the organization has not defined where it is going, how will IT be able to implement strategic solutions?

What does IT need to do? The organization’s IT planning efforts need to be integrated with the organization’s business plans. As business plans change and business priorities evolve, the IT function needs an investment management process by which to continually refine priorities. IT also needs to acquaint the business with what is currently possible, and at what price. IT also needs to explain the technology impacts of business directions and decisions. 

If not actively involved in the strategic planning processes, IT management at least needs to understand the organization’s strategic directions and plans in detail. Simply reading strategy papers will not be sufficient since there are often important elements that are not written down. Strategy is best discussed with those who are driving its development. 

Take the question of strategic planning timescales, for example. Far-thinking organizations may have strategic plans stretching decades into the future. Others may not be thinking much beyond the next few years. By matching the organization’s timescales, IT can get beyond the issue of being too resource-constrained to do everything it needs to do in the present budget cycle. With a longer timeframe in mind, the inevitable tactical quick-fix imperatives can be balanced against genuine strategic initiatives. Prioritizing and coordinating plans needs this bigger view.

At lower levels of detail, overall corporate strategies get broken down into a suite of interlocking investment programs, business plans, budgets, tactical moves and projects. IT is likely to be a significant component in many of these elements; in theory, many business managers should be speaking to IT about what they anticipate doing and what level of IT support they expect. Again, open discussion is likely to be more beneficial than just reading proposals or, worse still, waiting for fully formed IT project requests to be approved. Proactively engaging with the organization’s strategic development and investment management processes is one of the most critical aspects of the CIO’s job.

Even within IT, strategic planning usually can be taken further. For example, developing data-driven strategies, integrated application portfolios, and “blue sky” awareness of emerging technologies and competitor activities are a few areas where IT can take a leadership role. At the base level, management systems for quality assurance, data management, IT development and operations, processes, and information security management all contribute to delivering on strategies, goals, contractual commitments and service level agreements. Developing, implementing and continuously improving management systems should be part of IT’s overall quality strategy.

Don’t forget that the process of strategic alignment works both ways. IT can enable and drive new business opportunities through new technologies. As with business priorities, technology is constantly evolving and IT is generally best placed to identify new strategic opportunities. Of course, new technologies also bring new risks, so a balanced understanding is required to fit IT-related risks into the bigger picture of corporate risk appetite.

WHY CARE WHETHER IT AND BUSINESS ARE WELL-ALIGNED?

The development of a winning business strategy requires the thoughtful assessment of market forces, competitive challenges, organizational strengths and weaknesses, and customer needs. Successful execution of that strategy depends on aligning an organization’s capabilities with the key success factors that enable a competitive offering. IT capabilities are an increasingly important component of an organization’s capabilities. Business expectations for IT are rising. The vast majority of business processes are enabled by computers, and there are no fallback paper processes. Process changes are virtually impossible without the corresponding technology changes. High levels of availability, reliability and security are assumed, and needed, for key business systems.

According to the U.S. Government Accountability Office’s (GAO) extensive research, high-performing organizations have strong IT investment management processes in addition to robust business planning processes and IT management practices (see resource sidebar). 

The board’s involvement in strategic IT issues also is very beneficial (see the Canadian Institute of Chartered Accountants’ 20 Questions Directors Should Ask of IT). 

IT CONTRIBUTES SIGNIFICANTLY TO ORGANIZATIONAL SUCCESS

Senior management must oversee their IT activities, including the assignment of organizational responsibilities for the various IT policies and practices that are to be implemented. The organization’s information must be protected from harm and meet various privacy requirements. This is achieved by implementing both strong IT management and IT security management practices, both parts of IT governance and hence part of corporate governance.

IMPROVING IT/BUSINESS ALIGNMENT WITH AUDIT’S HELP

Although achieving and maintaining IT-business alignment is really a management issue, internal audit can help. Internal audit evaluation of an organization’s strategic planning efforts, including how IT supports the business priorities, can provide valuable feedback to the board and senior management.

An audit of IT investment management processes should determine whether:

  • Significant business priorities are being appropriately identified and assessed on an ongoing basis

  • Changes to those priorities are monitored

  • Significant investment management controls are operating effectively and consistently

  • Risk management techniques are in place and effective

  • Management and staff have the processes in place to recognize and respond to new business opportunities as they arise

  • IT-related investments are being effectively and efficiently managed

There are two distinct elements to most IT investment management audits:

  1. Evaluation of the specification, design and implementation of the IT investment management processes

  2. Evaluation of the operational practices of the IT investment management processes, including an assessment of the business priorities currently being addressed

In general, internal auditors should:

  1. Assure management and the board that all that should be done is being done

  2. Provide guidance on process effectiveness and feedback on managerial decisions and results

  3. Independently and objectively assess the organization’s efforts to continually align IT and business priorities

Further issues worth considering in an audit of IT investment management include:

  • Are the organization's planning activities appropriate to its needs? This includes management’s recognition of and response to new and emerging business opportunities.

  • Has an effective IT investment management process been developed and implemented (e.g., using ISACA’s Val IT approach, which treats IT projects as investments to improve the business)?

  • Is accountability well-established and acknowledged by those to be held accountable?

  • Are there appropriate systems, policies, procedures, guidelines, etc. relating to IT investment management?

  • Has the organization embraced joint ownership of the problem, ensuring ongoing alignment of IT and business priorities?

  • How successful is IT with meeting business needs?

  • Do we need to increase the alignment of IT efforts and business efforts?

  • What else needs to be done to get a grip on the organization’s IT priorities?

FIVE CRITICAL ISSUES TO EVALUATE

  1. Does management have a strategic IT plan in place which is updated regularly and supports the annual plans, budgets and prioritization of the various IT efforts?

Has a long-term direction regarding IT been defined, and is a rationalization of the IT spending priorities available? Ideally, an IT strategic plan is developed and approved by the board, but the IT planning document may take many forms, such as a separate IT plan combined with the organization’s overall business plan or a series of business case submissions over time.

The auditor should look for a demonstration of an overall strategic planning process regarding IT investment and IT spending prioritization. It is also important to remember that business planning should be driving the IT priorities and IT investment decisions.

  2. What level of investment in IT and IT security has occurred over the past two to three years? What is planned over the next two to three years? Is there a reasonable level of expenditure, compared to the overall operating and capital budgets of the enterprise?

While no specific level of investment in IT is deemed to be appropriate, the auditor should assess the reasonableness of IT and IT security expenditures in relation to the overall capital and operating budgets and consider benchmarking with others in the same industry. They also should review whether the expenditure trend line can be explained by the business and IT plans. Is there an investment management process in place to manage the expenditures involved with IT and IT security? In other words, is there under-investing or over-investing in IT and/or security?

  3. Have the roles and responsibilities for IT management, including IT investment management, been defined and assigned within the organization?

The responsibilities for the various IT activities within the organization related to IT management and IT investment management should be defined and assigned to specific personnel. The auditor should look for a logical allocation of IT responsibilities within the organization and third-party provider(s), if any, permitting the IT function to operate effectively and resulting in reliable IT operations because of a well-functioning IT function.

  4. Have performance indicators for the IT function and IT security function been developed? Is performance being periodically reported to the board?

What major issues are being reported regarding IT and IT security? Is there a healthy debate at the board level regarding concerns raised by management or the board?

  5. Does management monitor IT’s performance as well as its capability to continue providing the services upon which the organization relies?

This question explores the operational monitoring that is performed by management regarding IT operations and whether it is outsourced or managed internally, should it be occurring. The formality of the monitoring can vary greatly; with outsourced arrangements, it could be said that monitoring becomes more critical and therefore should happen more frequently.

SELECT IT MANAGEMENT PRACTICES TO SUPPORT BETTER ALIGNMENT

Key practices driving more effective alignment, thereby improving IT investment results, have been identified by the IT Process Institute (ITPI) and include:

  • Actively identify opportunities to use emerging technology to meet objectives

  • Have an effective process and methodology for justifying and prioritizing IT investment decisions

  • Develop and enforce enterprise infrastructure standards

  • Have a project management office function to provide oversight to business-prioritized IT projects

  • Have a formal periodic process for identifying what is needed by the business

THE BOTTOM LINE

IT investment management needs to be integrated into the organization’s ongoing strategic planning effort to ensure IT efforts are effectively and consistently contributing to the organization’s priorities. Executive management should revisit how they define their IT investment priorities, and a formal audit would be a great place to start.

 

This article was written by Dan Swanson.

 
