Purpose:

To ensure that IT-related decisions are made in line with the enterprise’s strategies and objectives, that IT-related processes are overseen effectively and transparently, that compliance with legal and regulatory requirements is confirmed, and that the governance requirements for board members are met.

Objective:

Provide a consistent approach that is integrated and aligned with the enterprise governance approach.

Description:

Analyse and articulate the requirements for the governance of enterprise IT, and put in place and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission, goals and objectives.

Inputs:

  • Communications of changed compliance requirements
  • Performance Reports
  • Status and Results of Actions
  • Results of Benchmarking and Other Evaluations
  • Results of Internal Control Monitoring and Reviews
  • Results of Reviews of Self-assessments
  • Assurance Plans
  • Compliance Confirmations
  • Reports of Non-compliance Issues and Root Causes
  • Compliance Assurance Reports

Outputs:

  • Enterprise Governance Guiding Principles
  • Decision-making Model
  • Authority Levels
  • Enterprise Governance Communications
  • Reward System Approach
  • Feedback on Governance Effectiveness and Performance

Controls:

  • Business Environment Trends
  • Regulations
  • Governance/Decision-making Model Guidance
  • Constitution/Bylaws/Statutes of the Organisation
  • Obligations
  • Audit Reports

Task Instructions:

Evaluate the Governance System

    1. Analyze and identify the internal and external environmental factors (legal, regulatory and contractual obligations) and trends in the business environment that may influence governance design
    2. Determine the significance of IT and its role with respect to the business
    3. Consider external regulations, laws and contractual obligations and determine how they should be applied within the governance of enterprise IT
    4. Align the ethical use and processing of information and its impact on society, natural environment, and internal and external stakeholder interests with the enterprise’s direction, goals and objectives
    5. Determine the implications of the overall enterprise control environment with regard to IT
    6. Articulate principles that will guide the design of governance and decision making of IT
    7. Understand the enterprise’s decision-making culture and determine the optimal decision-making model for IT
    8. Determine the appropriate levels of authority delegation, including threshold rules, for IT decisions

Direct the Governance System

    1. Communicate governance of IT principles and agree with executive management on the way to establish informed and committed leadership
    2. Establish or delegate the establishment of governance structures, processes and practices in line with agreed-on design principles
    3. Allocate responsibility, authority and accountability in line with agreed-on governance design principles, decision-making models and delegation
    4. Ensure that communication and reporting mechanisms provide those responsible for oversight and decision-making with appropriate information
    5. Direct that staff follow relevant guidelines for ethical and professional behavior and ensure that consequences of non-compliance are known and enforced
    6. Direct the establishment of a reward system to promote desirable cultural change

Monitor the Governance System

    1. Assess the effectiveness and performance of those stakeholders given delegated responsibility and authority for governance of enterprise IT
    2. Periodically assess whether agreed-on governance of IT mechanisms (structures, principles, processes, etc.) are established and operating effectively
    3. Assess the effectiveness of the governance design and identify actions to rectify any deviations found
    4. Maintain oversight of the extent to which IT satisfies obligations (regulatory, legislation, common law, contractual), internal policies, standards and professional guidelines
    5. Provide oversight of the effectiveness of, and compliance with, the enterprise’s system of control
    6. Monitor regular and routine mechanisms for ensuring that the use of IT complies with relevant obligations (regulatory, legislation, common law, contractual), standards and guidelines