New Directions in Project Management by Paul C. Tinnirello

Deploy to Organization

One of the biggest challenges the improvement effort faces is successful deployment of a revised process. If possible, existing methods of training and change management should be utilized if the organization has such methods in place. If there is an existing training mechanism, use it for training employees on the new process tasks.

The deployment package can consist of:

§ Detailed procedures

§ Training courses

§ Handbooks and manuals

§ Computer-aided instruction

SUMMARY

This approach to process management in IS organizations is based on decomposing processes into subcomponents in order to make the whole more understandable and manageable. The process works equally well whether one is installing new application systems, managing IT projects, or selecting the IT portfolio. After deciding on the focus (decreasing the project cost overruns, decreasing the schedule slips, or increasing customer satisfaction with delivered applications), key processes are defined at a detail level and barriers to improvement are identified. The barriers are removed and a new or revised process is defined. Finally, an implementation plan for the newly revised process is created and deployed.

This approach has a number of benefits, including:

§ It results in an increasing clarity of work actually being performed in the organization; people refer to, monitor, and improve the process.

§ It diffuses personal attacks in the organization. It changes the focus from people and personalities to processes and task steps.

§ It establishes clear direction. The management group can select a process to focus on for the current period. The approach does require some managing group or person to select a focus (quality, cost, delivery, or multiples). This sets the expectation for what is to be fixed and the level of change required, both of which are often unspoken or unknown.

Chapter 21: The Myths and Realities of IT Steering Committees

Ken Doughty

OVERVIEW

The ITSC performs a critical function in supporting the implementation of the corporate information technology strategic plan (ITSP). Further, the committee ensures that it minimizes the risks associated with implementing the IT strategies and receives a return on its investment.

Too often organizations do not monitor the activities and decisions of their IS department. Rather, they rely on the IS department to provide the IT solutions because executive management does not understand technology.

However, this attitude must change; otherwise, the organization may find that decisions made in isolation by the IS department may cause the organization to waste valuable resources (both human and financial) in implementing technologically superior solutions, and not business solutions. When this occurs, the organization receives a poor return on its investment in IT.

It is critical from the outset that the ITSC be empowered to monitor and control the IT investment of the organization.

ISACA has recognized the need for organizations to have an ITSC. The Control Objectives for Information and Related Technology (COBiT) PO4 — Define the Information Technology Organization and Relationships Control Objective states: The organization’s senior management should appoint a planning or steering committee to oversee the information services function and its activities. Committee membership should include representatives from senior management, user management, and the information services function. The committee should regularly meet and report to senior management.

However, IS auditors do not review this critical organizational control process. If this control were part of the system development life cycle, it would be reviewed.

Because it is outside of the IT department and is seen as an extension of executive management, it is not reviewed. Because of the impact it may have on the success of the organizational investment in IT, it is essential that the IS auditor audits the role and the effectiveness of the ITSC of the organization.

CONDUCTING THE AUDIT

Audit Objectives

1. To determine that the responsibilities and duties of the IT Steering Committee are documented and communicated throughout the organization

2. To determine the effectiveness of the IT Steering Committee in monitoring and controlling the activities of IT within the organization

3. To determine that the members of the ITSC understand the responsibilities and duties of their positions and are suitably qualified to undertake the role

Audit Scope

The scope of the audit encompasses an evaluation of the effectiveness of the ITSC (see Exhibit 1).

Exhibit 1. IT Steering Committee Audit

Control Risks

During the audit of the effectiveness of the ITSC, the following control risks may be encountered:

§ No ITSC charter

§ The ITSC charter is not communicated

§ The ITSC charter does not provide a “watchdog” role over the implementation and investment in information technology

§ The lack of management skills by the ITSC members to understand the impact of noncompliance with the approved IT strategic plan

§ Poor understanding by the ITSC members of their role and responsibilities

§ Inappropriate membership by organizational manager(s) (political forum)

§ No key performance indicators (KPIs) to measure the effectiveness of the committee

§ Lack of empowerment for the ITSC to take action (where appropriate)

§ ITSC requirements are not communicated to line management and the IS department

§ No monitoring processes on IT investment within the organization

§ No reporting by the ITSC to executive management

STEP 1 — REVIEW THE IT STEERING COMMITTEE CHARTER

The IS auditor is to obtain a copy of the ITSC charter. In reviewing the charter the IS auditor is to determine that:

§ The role of the ITSC has been defined and its responsibilities clearly specified (this should be supported by position descriptions for its members). Where there are position descriptions, the IS auditor is to review the descriptions to determine if they are appropriate.

§ The charter of the ITSC is aligned with the corporate strategic objectives of the organization including the IT objectives.

§ The ITSC has provided for the continuous review of the ITSP to ensure compliance with the corporate plan and overall corporate requirements and that the plan is kept current by revision.

§ The ITSC has the authority to review (and approve/reject) all proposals for IS development over a specified amount (e.g., over $10,000) from user/managers. The ITSC is to prescribe the required format of the IT proposals, e.g., business case format, including a cost/benefit analysis with a rate of return — internal rate of return (IRR) or net present value (NPV). However, in some circumstances proposals may not be justified on a rate of return basis, but on a community or customer benefit.

§ The ITSC has the authority to manage the IS project portfolio, setting priorities for business information systems development, allocating the necessary resources, and monitoring the progress of each project against objectives and budgets.

§ The ITSC requires postimplementation reviews to be undertaken that are independent of the IS department and requires that the findings and recommendations of the review are presented to the committee with a response from the IS department.

§ The ITSC oversees and directs the activities of any subcommittee including project steering committees.

In essence, the role of the ITSC is that of a corporate watchdog. The watchdog role will ensure that the IS department does not lose focus in providing the organization with cost-effective IT products and/or services and meets its commitment to assist the organization in achieving its strategic objectives.

Too often the IS department becomes involved in “technical issues” rather than in implementing a “business” solution(s) to meet the requirements of the organization.

STEP 2 — DETERMINE THE EFFECTIVENESS OF THE IT STEERING COMMITTEE

For this step there are a number of audit procedures to be performed. The effectiveness of the ITSC will be measured by the following.

2.1 ITSC Documentation

This audit procedure requires the IS auditor to review the minutes/reports and associated supporting documents of the ITSC. By reviewing the documentation, the IS auditor can determine if the ITSC has carried out its role and responsibilities not only in accordance with the charter, but also in accordance with any processes that have been established.

Sample selections of the documentation, e.g., minutes/reports and business case(s), are to be reviewed. However, the sample size will depend upon:

§ The elapsed time since the establishment of the ITSC and the audit being undertaken

§ The frequency of ITSC meetings

§ The format, quality, and quantity of the documentation

§ Availability of the documents

The contents of the documents are to be reviewed. The details are required to be checked against supporting documentation, e.g., ITSP, corporate plan, business unit action plans, project plans, budgets, etc. For example, any variances or exceptions to the ITSP are to be referred to the ITSC chairperson for clarification.

It is important that all variances or exceptions are investigated as it may be an indicator that the ITSC has either not understood its role and responsibilities or that the supporting processes have internal-control weaknesses.

2.2 Interview IS Department Management

This audit procedure requires the IS auditor to interview the IS department’s management. The objective of this procedure is to identify what processes are used to monitor, measure, and report on performance of IS function’
