IT strategy and governance
The importance of alignment between technology and business strategies
As IT and business strategies are continually being refreshed, internal audit (IA) functions should provide assurance on whether these strategies align with the organisational objectives and vision. IA should challenge and review how both of these strategies work cohesively to enable desired organisational outcomes, as well as assess whether the organisation has the right skills to deliver against their respective IT and business strategies. IA should also consider broader aspects of innovative technologies and practices
The importance of robust governance frameworks
As a result of continuous change and the digitalisation of businesses, IA functions should examine the requirements and processes within the governance framework to ensure that the appropriate level of oversight has been applied from programme initiation through to completion. For example, if key requirements have not been met and the project has been allowed to continue from one phase to another, IA should be ready to challenge the rationale behind these key decisions, the appropriateness of the approvers and whether value for money (VfM) targets have been successfully met. Furthermore, IA can help identify the gaps and assist with aligning the IT and business strategies to help shape the direction of the organisation as a whole.
IT governance frameworks allow organisations to effectively manage IT risks and ensure that activities linked to technology are aligned to the organisation’s business objectives. There are various best practices which organisations can use effectively – for example, COBIT (Control Objectives for Information Technologies) is a recognised IT governance control framework which helps organisations to bridge the gap between business risks, technical issues and control requirements.
Together with the implementation of a robust IT governance framework, technology departments should also consider continuous assessment in order to successfully implement the targets set out within the IT and business strategies. Continuous assessment should involve a regular review of the IT infrastructure in order to help update or enhance security controls and performance. Assessment of business requirements and ongoing projects should also be proactively monitored through the usual committee meetings and discussions.
Evolution of digital transformation and the scale of change
The COVID-19 pandemic has accelerated the requirement for business and IT strategies to be updated in order to prioritise “short, medium and long-term” strategic plans. Many organisations have been undertaking major digital and transformational programmes. Organisations have naturally shifted their focus on transforming their overall business operations together with the underlying technology infrastructure to remain competitive and meet future customer needs. From a technology lens, we have noted that organisations are rapidly moving away from legacy to cloud-based solutions which is a direct sign of the digital transformation evolution.
As part of the digital transformation, we can collectively agree that ‘data’ is becoming the new ‘gold’ for organisations globally. Below we cover the five phases which could be considered along the transformation journey:
Recommended by LinkedIn
1) Current state analysis: To reach the organisational objectives, a current analysis on where the organisation currently stands and where it is heading should be fully understood. Reviewing areas such as people, process and technology allows organisations to identify strength, weaknesses and opportunities for improvement.
2) To-be definition: Upon completion of the current state analysis, organisations can move forward to the desired state phase which should define the target state and areas of improvement within the organisation. Benchmarking against industry good practice will help the organisation identify key targets and priorities.
3) Roadmap: Having now defined the current and to-be states, the organisation can now create an end-to-end roadmap for key strategic areas. The appropriate allocation of resources for short and long-term initiatives will be important during this phase. Having a robust governance framework is important in ensuring that the appropriate check and challenge takes place over the risks, progress and outcomes in a timely manner.
4) Implementation: This phase should primarily focus on three core aspects: people, processes and technology. Each organisation is unique, so therefore the implementation phase will solely depend on individually defined roadmaps. Defining the roles and stakeholders who are responsible and accountable will be key, along with the process definition and technology solutions should be covered here.
5) Embedding: Data management and governance is not a specific task – it is a transformation which occurs by embedding programmes within the organisation. For example, a change management process will play an important role during this phase which will help scale-up solutions and establish dashboards for live reporting.
So how can internal audit (IA) functions provide support?
IA functions should proactively challenge senior members, IT and business departments on their ability to deliver the technology and business transformation programmes which are aligned to the overall organisational strategy. Continuous assessments of large transformational programmes should also be on the radar of IA functions – in particular, the right level of governance controls should be in place to ensure key requirements are being met for the successful delivery of technology or business projects.
VfM targets should also be proactively monitored in order to avoid the organisation experiencing financial strain. Project sponsors and key stakeholders of the project should regularly update the project steering committee on VfM targets. Through regular discussions and attendance at project steering committees, IA functions should be prepared to challenge and understand whether targets will be met. Furthermore, in a changing world, IA functions should understand the type of project management methods
Note: The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.
