MNP is a leading national accounting, tax and business consulting firm in Canada.
Suite 2000, 330 5th Ave. S.W.
This paper was originally published as part of CPA Canada’s Technology Spotlight Series and has been reproduced with permission.
MNP Partner Peter Yien, CPA, CA, CISA, CRISC, LPA, provides an overview of a CPA’s role in IT governance and discusses how to create and sustain value — along with strategies for avoiding common pitfalls of ineffective governance programs.
"If I was to choose one factor that most contributed to the success of IT, it is IT governance." — Peter Weill, chairman of the Center for Information Systems Research, Massachusetts Institute of Technology
IT governance is the management and control of the information technology environment, including the data needed for the benefit of the organization and its stakeholders. IT governance is the responsibility of the board of directors and executive management and forms an integral part of enterprise governance. IT governance requires the establishment of the leadership, organizational structures, policies, processes and internal controls that enable IT to meet the stakeholders’ and organization’s strategy and objectives. Put simply, IT governance is the people and processes supporting decision-making for technology initiatives. Effective IT governance results in balancing enterprise value creation with risk mitigation.
The Organisation for Economic Co-operation and Development (OECD) defines enterprise-wide or corporate governance as the system by which organizations are directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among various participants: the board of directors, board subcommittees, executive management, management, shareholders and other stakeholders. It sets the directorial and managerial tone; establishes goals; manages objectives; establishes culture and values; and spells out the processes, procedures and rules for decision-making. Furthermore, corporate governance also provides the structure through which the organization’s objectives are established and the means of attaining those objectives. It establishes metrics for key performance and goal indicators as well as a process to escalate findings and initiate changes and improvements.
An online retailer identified the strategic need to grow sales and increase profitability but found it difficult to do because of competition. Management used both the company’s internally generated market data as well as data purchased from external researchers to find the buying patterns and behaviours that would identify the opportunities for carrying out the corporate strategy. An external cloud service vendor was engaged to collaborate with the business and IT groups to customize product content, create client-specific discounts, and provide additional product suggestions. By utilizing sophisticated business intelligence and leveraging internal and external IT systems and data, this online retailer was able to provide its customers with matched product offerings that met their needs while increasing customer satisfaction and reducing product returns. The company met its business growth strategy by exceeding its sales and profit targets, reducing the cost of returns and increasing customer loyalty. Furthermore, IT collaborated closely with internal marketing, legal, finance and operational teams as well as with the external cloud provider to ensure compliance with all laws and regulations.
An important enabler of successful IT governance is regular communications with key stakeholders regarding the status of strategic and tactical IT plans. This communication results in meaningful dialogue that creates transparency and identifies areas where risk could escalate: operational delays, cost overruns, benefits realization, stakeholder disengagement, scope changes, technology challenges and lack of resources. Furthermore, enabling IT to have a “seat at the table” results in clearly articulated and pragmatic communication with the steering committee, audit committee, risk committee and the board of directors while providing the organization with sufficient and timely understanding of the value and risks of IT for effective board and senior management governance.
Frequently IT strategic and tactical plans are prepared in isolation from enterprise strategic plans or as a one-time exercise, and without regular communication and monitoring. This results in misaligned IT plans that fail to support existing, new or planned enterprise initiatives. The focus on IT operational issues instead of broader strategic issues could lead to missed opportunities to create new enterprise value. IT governance, when implemented appropriately and effectively, would enable IT to drive or lead corporate initiatives and enterprise strategies.
When effectively implemented, IT governance creates an environment where the organization can fully leverage its IT assets to create and sustain value, provide competitive advantage, and ultimately help achieve strategic goals. Effective IT governance also increases the likelihood IT will deliver services within scope and budget. Unfortunately, many businesses struggle to understand and govern the IT organization, processes and activities. As a result, the failure to fully realize the potential benefits of IT’s people, processes, technologies and initiatives can lead to a loss of value and an increase in business risks.
IT Governance
The role of IT has evolved as a result of the emergence of technology, data and information as enablers of innovation and business value creation. Strong IT governance is required to effectively utilize IT resources in support of business strategy and to mitigate new and emerging risks. Establishing effective IT governance enables the business to create the appropriate culture and operating model. When IT governance is implemented effectively, value is derived from IT investments and operations. The enterprise’s vision, strategy, programs, initiatives and plans are aligned with the plans and tactics needed for their realization. Because the people, processes and technology are operating together to move the enterprise forward, the enterprise is able to meet or exceed its goals.
At the board and committee levels, CPAs need to understand IT governance, but rarely would they be part of the IT governance structure and process itself. Typically, the board and/or committees would be responsible for approving overall risk tolerance levels, including IT risks such as privacy, cybersecurity, and business continuance. They would also approve the allocation of resources, including IT resources, and the overall strategies and performance goals, including IT-specific goals and objectives, for the organization. From this perspective, CPAs need a broad understanding of IT issues and trends.
CPAs also play a critical role in IT governance issues at the program and project levels. These programs could be IT-driven initiatives that impact the operations of the organization, such as cybersecurity. For example, the decision to shut down operations if a cyberthreat is imminent could impact the safety of staff or customers. This decision cannot be made by the IT function alone. The CPA needs to ensure proper representation of senior executives is in place and that the process for these types of programs is tested regularly to ensure preparedness when actual emergencies occur.
At the project level, CPAs should be part of the project governance team alongside IT and the business requesting the project. CPAs should support the development of business cases and budgets and ensure representatives from both IT and business are on the project team, but recognize that the overall decision-making remains with business. Without CPAs in place to ensure proper governance, IT programs and projects may become solely IT driven and lack business support. If this happens, the project may fall out of alignment with the enterprise’s vision and strategy and likely become doomed to fail.
Data is very valuable to businesses due to the emergence of sophisticated analytic techniques and computing power that enable data-driven decisions. The rising prominence of data and its association with the IT environment makes it another area where IT must play a critical role. So when it comes to IT governance, data governance must also be considered. Although many may say the data is “owned” by business, data ownership needs to be customized to fit the culture and structure of the whole organization. Some may argue that because of IT’s expertise in safeguarding an organization’s IT assets, data ownership should fall to it. However, regardless of which part of the organization owns the data, it is important to treat data as one of the organization’s most valued assets. Appropriate internal controls must be put in place to protect these assets from cyber attacks, theft, misappropriation, and non-compliance with privacy laws and other regulations. This is where IT plays an important role as a strategic partner in enhancing the integrity, security and completeness of data to support data-driven decision-making and manage data as a key strategic asset.
The business benefits of implementing an IT and data governance program include:
To fully realize these benefits, organizations need to have a strategy in place to mitigate some of the common pitfalls of ineffective IT and data governance programs. The table below summarizes these risk areas and suggests appropriate mitigation strategies.
The importance of information technology to an organization’s strategy and objectives has increased significantly. Organizations looking to realize the full potential of their information technology assets need to have people, process and technology working together towards the same organizational goals. Having an effective IT and data governance program is key to making that happen.
Peter Yien, CPA, CA, CISA, CRISC, LPA, is Partner with MNP’s Enterprise Risk and Technology Services practice groups. To learn more about how our team can help you implement a robust, sustainable and value-driving data governance program, contact him at 416.596.1711 or [email protected]
Categories: Enterprise Risk Services; Technology Solutions
Related Topics: Technology; Corporate Governance