To be successful, management must define a strategy and provide for effective corporate governance. Strategy is defined as "an adaptation of behavior or structure with an elaborate and systematic plan of action." A more specific definition of strategy is "to create a fundamental change in the way the organization conducts business." Obviously, the second definition implies that only a handful of people hold that much authority. Corporate governance is often defined by ISACA as "ethical behavior of corporate executives toward shareholders and stakeholders to maximize the return of a financial investment." To clarify who is responsible for corporate governance, we could use this definition: "to lead by position or authority."
Three high-level management objectives to be verified by the auditor are as follows:
- A strategic alignment between IT and the enterprise objectives (formal strategy). Proper planning is required to deploy resources in the right place for the right reason. Management is always responsible for getting it done (corporate governance, preventive controls).
- A process of monitoring assurance practices on behalf of executive management. The senior executives need to understand what is actually occurring in the organization (staying involved by using detective controls).
- An intervention as required to stop, modify, or fix failures as they occur (corrective action). Every organization has problems of some kind. Management should be working to resolve each issue promptly rather than covering it up by hiding the truth.
Each organization needs to develop its own directional strategy. What direction should the business take to fulfill its goals? The strategy selected then narrows to focus on client needs and how to serve that market. Critical success factors are selected. Marketing initiatives are designed to generate revenue, with plans for fulfillment to the buyer. Figure 1 demonstrates the path of organizational requirements in conjunction with the IT requirements.
The revenue process entails a significant amount of administrative overhead and record keeping. The expectation in every business is to make money without being hampered by a particular technology or tied to a particular vendor.
The IT department is looking for a clearly stated purpose that IT is expected to fulfill. The department then examines the demands and requirements necessary to meet that purpose. A structured service-level agreement can be generated from this data, complete with staffing and technology growth plans.
Technology plans have to fulfill a business objective. For instance, take Amazon.com. This very successful bookseller isn't necessarily hung up on using Microsoft Windows, Macintosh, or Unix. What the executives want to know is that all the money is processed and the product arrives on time to fulfill their customers' expectations. Systems management and auditing on the back end verify that all the bookkeeping and internal controls are functioning effectively. In an industry-leading move, Amazon added same-day shipping as a $5 option on select stock for customers located near the Amazon warehouses. The bookseller downloads the daily courier route schedules and then compares the pickup and delivery schedule to the buyer's address. Orders placed in the morning can arrive the same afternoon in select major cities. A same-day delivery option is automatically added to the shopping cart for eligible purchases. Amazon demonstrates excellent integration of the business and IT strategy.
The top side of Figure 1 is motivated by gains in revenue. Executives take calculated risks to exploit new opportunities for their business to make more money. Conversely, IT is expected to prevent service failures that hurt revenue. IT may also be expected to focus on activities that enable revenue while concurrently carrying out activities that prevent loss, based on risk management planning. This dual mandate can make it difficult to determine which problem or goal takes priority.
Auditors can gain insight by looking into the IT reporting structure. The CEO is ultimately responsible for revenue-generating functions, and some of those functions may be delegated to a subordinate chief operating officer (COO). IT functions reporting to the COO provide services that generate revenue. If the IT operation does not generate revenue, it is a support function (aka cost center) and typically reports to the chief financial officer (CFO). Refer to Figure 2.
The principal mechanism for ensuring IT alignment is an IT steering committee. On it, the business unit executives identify the operating challenges in their workflow, their priorities, and their desired technical direction.