While applications, infrastructure and general controls are commonly audited, a major area that is somewhat neglected is IT strategy.
The main ingredient of a successful organization is to have a clear and documented vision and strategy whereby every department and employee believes in that vision and drives towards achieving its goals and objectives. Every department needs to have a strategy. The same applies to Information Technology (IT) which plays a critical role in the achievement of an organization’s objectives and growth targets. As with any endeavor, there are risks associated with an IT strategy and it is the role of internal audit to understand the concept of IT strategy in order to provide assurance on these risks.
Approaches to IT Strategic Planning
In many places, including some companies in the Middle East, IT is not yet seen as a strategic element for the growth of the corporation. For others, IT is the core business of the organization (e.g. eBay, Amazon, eTrade, etc.) and the key link to its customers. Regardless of how IT is positioned in a company, it cannot simply operate day-to-day and execute ad-hoc projects and services when requested. IT should develop its own strategy whether or not a documented corporate strategy is available.
But what exactly is an IT strategy? It is a road map of where you want to go in terms of IT organization, capacity, people and budget in order to meet business requirements and to achieve the overall strategy of the organization. Let us look at two scenarios: 1) where a company already has a documented corporate strategy and 2) where a company does not have a documented corporate strategy (which we see often in the Middle East).
Scenario 1: The IT strategy can be developed by translating the corporate strategy into IT-specific goals and objectives and developing initiatives to achieve them. Let’s take for example a bank that wishes to expand into a new country as part of its corporate strategy. How does this translate into the IT strategy?
IT needs to know whether the bank plans to enter the retail market, the corporate market, etc., and the projected growth over the coming years. IT will then plan the IT organization and resources (infrastructure, staff and budget) accordingly to deliver the strategy, and will determine the priority of tasks based on the business’s timeline. This is an example of one of many initiatives in an IT strategy.
Scenario 2: Let’s say the company does not have a documented strategy. The IT department will need to look at the corporate priorities and will propose what needs to be done from the IT side. For example, a family business is focusing on reducing costs. One of the proposals from IT can be the creation of a shared services center or the outsourcing of certain aspects of IT. From there, an IT strategy can be developed. In this scenario, saying that there is no corporate strategy is not an excuse for not having an IT strategy.
In both scenarios, IT will have a variety of initiatives to work on. Some will be corporate-wide and key to the organization, such as cloud computing, mobility or BYOD. Others will be IT-department focused, such as staff training, process improvements, etc. The rest may be function-specific, such as applications. When selecting initiatives, strategic alignment between business goals and IT goals is a critical area for companies. The strategic IT plan is the tool to achieve that alignment.
5 Steps to Developing a Fit for Purpose IT Strategy
- Define IT Vision: Understand corporate vision and stakeholder expectations to arrive at a vision statement and strategic goals for the IT department that are aligned with corporate strategy.
- Conduct Current State Assessment: Assess IT capabilities, performance as well as strengths, weaknesses, opportunities and threats.
- Set Strategic Initiatives: Select appropriate initiatives to achieve strategic goals while keeping in mind the current state of IT. Identify required resources, assign action owners, and set deadlines.
- Document, Approve & Communicate IT Strategy: Document the strategy, secure approval from the CEO and communicate it to all relevant stakeholders.
- Measure Performance: Determine progress against strategic milestones. Communicate with stakeholders and update the IT strategy as required.
What About Internal Audit?
So where do the internal auditors come in? As a Chief Information Officer (CIO), I’m always receiving audit reports on security, various applications and the network, and on occasion I get a report on IT governance. Rarely, over my 20+ year career, have I seen an audit report on IT strategy.
Internal audit standards (2120.A1 and 2130.A1) require that internal auditors evaluate risks to strategic objectives as well as the adequacy of corresponding controls. As such, the IT strategy is, by default, a component of this requirement.
Internal auditors need to understand both corporate strategy and information technology in order to carry out an effective audit of strategic IT risks.
By not doing an audit of IT strategy, internal auditors are missing out on the big picture. Confident CIOs would welcome audits of IT strategy and strategic IT risks, whether as a standalone review or as part of an overall audit against ISACA’s COBIT framework. Internal auditors should not shy away from such an audit.
Ticking the box to say that an IT department has an approved strategy or does not have a strategy is not enough. Internal auditors need to go into the details. But be cautious! Internal auditors are there to audit the IT strategic planning process and how well risks to the strategic plan are being managed. Auditors cannot and should not comment on the appropriateness of the strategies selected by management to achieve their goals. This is something for the business to decide on and any comments on this would be second guessing management.
Areas where internal auditors can add value to IT strategy include, but are not limited to:
- Reviewing the IT strategic planning process: Determine compliance with any policies. Assess whether the plan has the required components (vision, goals, objectives, initiatives, performance measures). Look for alignment with the organization’s objectives. Check if the strategy has been approved and communicated. Check whether detailed activities with action owners and deadlines have been set. Check whether cost and resource requirements are included. Assess how well risks to strategy have been identified and are being managed.
- Reviewing progress against strategy: Assess how well IT is doing compared to its strategic plan (What has IT achieved?). Check whether progress reports are communicated to stakeholders and whether the data included is accurate.
- Auditing / consulting on specific IT strategic initiatives: These vary in nature and could range from the implementation of an ERP to opening a new data center to certification against particular ISO standards.
For an audit of IT strategy to be effective, it must be executed by internal auditors with strong knowledge of strategy and IT governance. It is the skill of the internal auditor assigned to the audit which will determine the success of such an audit.
IT strategy is essential for companies regardless of the industry they operate in. A strategy should be established with proper governance and ownership from the top down, with the appropriate processes to ensure strong realization, proper utilization of resources, and proper controls. Internal auditors need to dedicate a portion of the IT audit plan to auditing strategic IT risks, including the IT strategy itself. By doing this, internal audit will be able to add real value to the business and move away from only issuing compliance-focused reports.
SAID HMAIDAN is Group Chief Information Officer at a private holding company in Abu Dhabi.