s performance. ITSC is required to provide the IS department with its reporting requirements of IT activities (including resource utilization, project status, etc.).
During the interviews, the IS auditor is to determine if the IS department’s management is given the opportunity to raise issues with the ITSC, particularly if the issues may impact the process or success of implementing the IT Strategic Plan.
Often the IS department management feels that the ITSC is an imposition on its activities, because it believes that it is in the best position to determine what the organization should have in regard to IT.
If the IS department is raising issues that are not being addressed by the ITSC, it may be an indicator (i.e., KPI) of the effectiveness of the committee. However, the IS auditor must be aware of any attempt by the IS department to unduly influence the opinion of the effectiveness of the ITSC without supporting and compelling evidence.
Any issues raised should be followed up, provided there is sufficient evidence to justify the effort.
2.3 Interview Business Unit Managers
From the information gathered in Section 2.1, the IS auditor is to select a sample of IS projects (accepted or rejected by the ITSC) and interview the responsible project sponsors, i.e., business unit managers.
During the interviews and an examination of any documentation provided by the project sponsors, the IS auditor is to identify:
§ Deviations from the processes implemented by the ITSC with regard to
  § Requirements in preparing a business case
  § Submission and presentation of the business case
  § Project monitoring and reporting
§ Communications from the committee with regard to changes in project implementation status, i.e., priorities, resource allocation, and objectives, etc., which is important as it may have an impact on the business unit achieving its strategic business objectives approved by the corporate executives
§ Reasons for the rejection of business case(s)
The interviews should also be an opportunity for the business managers to express any opinion on the effectiveness of the ITSC in fulfilling its role as per the charter.
The interviews may provide sufficient evidence which would support audit recommendations to change
§ The charter
§ Membership of the ITSC
§ ITSC processes
2.4 Benchmarking
The fourth audit procedure requires the IS auditor to benchmark the ITSC against similar organizations or appropriate international standards or recognized industry best practices.
The benchmark exercise is undertaken to provide compelling evidence that the structure, role, responsibilities, and supporting processes of the ITSC are sound.
To benchmark the ITSC, the IS auditor will be required to contact a number of similar organizations to obtain the necessary information. For example,
§ ITSC charter
§ Member position descriptions
§ Number of members
§ Composition
§ Reporting structure
§ Processes
§ Copies of “edited” minutes/reports (where possible)
From this information, the IS auditor can benchmark the organization’s ITSC. The benchmarking exercise will provide evidence as to whether the shape of the organization’s ITSC is appropriate.
STEP 3 — INTERVIEW IT STEERING COMMITTEE MEMBERS
The IS auditor is to interview members of the ITSC to determine if the members fully understand their duties and responsibilities in monitoring and providing a supervisory role of the IT activities within the organization.
During the interviews, the IS auditor is to ascertain that
§ The committee members have the relevant experience, skills, and available time to undertake this critical role.
§ The committee is “balanced” to ensure that there is no “bias” by the committee members or any one member.
§ The chairperson has the delegated authority of the chief executive officer of the organization to take appropriate action on his or her behalf.
§ Resources have been allocated by the organization to support the functions or processes of the committee.
§ The charter is supported by processes to increase awareness, understanding, and the IT skills of the ITSC members.
§ There are processes (i.e., policies and procedures) to support the operations and decisions of the ITSC.
§ The committee has prepared, documented, and communicated
  § Guidelines and procedures for the preparation and submission of business cases to the committee,
  § Reporting requirements, i.e., format, contents (e.g., actual results against planned deliverables), and timing of reports,
  § ITSC meetings, i.e., format, structure, and timing.
§ Key performance indicators (i.e., KPIs) have been determined to measure the effectiveness of the committee.
§ Processes (i.e., procedures) for reviewing submissions, reports, and presentations to the committee have been formalized and agreed upon by the committee members.
§ The IS department management is given every opportunity to explain variances or exceptions.
§ Decisions and action taken by the ITSC are documented and communicated to all stakeholders.
§ Minutes and supporting documentation of the ITSC meetings are prepared and distributed to all interested parties.
Ideally, the committee is to include a member who is independent of any line function who will provide the chairperson of the committee with an impartial view.
The IS auditor is to verify, where appropriate, information provided by the ITSC members to ensure it is complete and accurate and to document its findings.
STEP 4 — AUDIT REPORT
After performing the audit of the ITSC, the IS auditor is to prepare an audit report detailing his or her findings and audit recommendations. The IS auditor has to be aware of the organizational “politics” when preparing the draft findings and recommendations. In particular, the ITSC chairperson may have significant “political” power within the organization.
Therefore, from the outset, the IS auditor must “sell” the contents of the audit report and ensure that all findings and recommendations are discussed with all the stakeholders. The findings must be supported by documentary evidence (where appropriate) to ensure acceptance of the recommendations by the ITSC and executive management. Any errors of fact will detract from the objective of providing executive management with a detailed analysis of the effectiveness of the ITSC.
The audit report must provide sufficient detail to allow management to take specific action to address the issues found during the audit.
SUMMARY
Today, organizations are highly dependent upon their IT to assist the organization in achieving its corporate objectives. Executive management, therefore, requires the IS auditor to deliver an independent appraisal of the effectiveness of the ITSC in monitoring and supervising the investment in IT.
The effectiveness of the ITSC is of strategic importance to the overall success of the organization in achieving not only its IT strategic objectives, but also in gaining a competitive advantage from its investment in IT.
The IS auditor must convey to executive management the importance of having an effective ITSC and its value to the board of directors of the organization in the discharge of its fiduciary duties. There is overwhelming evidence to support the assertion that the failure of the ITSC of an organization to monitor and supervise IT investment decisions and operations has been one of the main contributors to the failure of an organization to achieve its corporate strategic objectives.
APPENDIX: INFORMATION TECHNOLOGY STEERING COMMITTEE CHARTER
Where it is the policy of the organization to have a committee to monitor and control the implementation of information management–related policies and procedures, an Information Technology Steering Committee (ITSC) has the delegated authority to implement information management–related policies and procedures throughout the organization.
Role of ITSC Committee
The overall responsibility of the committee is the monitoring and enforcement of information management–related policies and procedures, which are conveyed through various forms, e.g., corporate plan, corporate policies, executive directives, etc.
Specifically, the role of the committee is to:
§ Review on a continuous basis the information technology strategic plan (ITSP) to ensure compliance with the corporate plan and overall corporate requirements
§ Initiate and oversee information systems and technology development plans and major business projects
§ Consider all proposals for information systems development from user/managers and approve their adoption or otherwise in terms of cost, resource requirements, net benefit, organizational impact, and technology impact
§ Manage the information systems project portfolio, setting priorities for business information systems development, allocating the necessary resources, and monitoring the progress of each project against objectives and budget
§ Oversee the conduct of postimplementation reviews to assess whether or not projected benefits are achieved
§ Monitor and control “end-user computing” or any ad hoc information systems or technology development that is unplanned, has the potential to create excessive computer demand, duplicates effort, or does not create a “shared” business or corporate resource
§ Oversee and direct the activities of any subcommittee including project steering committees
§ Ensure that the ITSP is maintained up-to-date and that all changes are approved before being implemented
§ Determine policy on subjects such as research and development, user charging, and data custodianship
Chapter 22: Achieving Enterprise Culture Change Through a Project Management Program
Layne C. Bradley
Ginger H. Eby
OVERVIEW
Project management is one of the most difficult and challenging disciplines in any field, particularly IT. Statistics that have been gathered over many years support that statement. For example, according to the Gartner Group Symposium IT