Who doesn’t love a good dose of governance every once in a while? Well, to be fair, no one does, really. But Steve Romero, writing for PM Hut, believes that the right kind of IT governance audit can set organizations on track for a brilliant future–that is, once they get past the ‘audit’ and ‘governance’ parts.
Let’s start with the fact that most IT operations do not even have an IT governance standard to begin with. This is problematic from the standpoint of governance. If an organization does not comply with any industry-accepted standards (ISO/IEC 38500 or COBIT), there is nothing against which an auditor can benchmark. To further complicate matters, it is debatable whether the industry “standards” can be labeled as such, since most organizations have little or no understanding of how these operate, and the manuals themselves admit to a fair degree of ambiguity.
IT Governance Is Important, Understood?
SOX standards work because they are codified in law. They are mandated by a real government. Unlike IT governance, SOX compliance could be considered fair in the sense that all parties involved understand what is required of them, and therefore have no excuse not to comply. An audit of IT governance, on the other hand, may result in any of the following three scenarios:
- IT governance is meeting requirements (the ideal, not the reality, and certainly not the norm).
- IT governance does not exist.
- IT governance is not working properly.
Whether it is to show IT governance does not exist or is simply not working, conducting an IT governance audit will absolutely expose inadequacies if not outright failures (especially if the enterprise is measured against ISO38500 and COBIT®5). This will inevitably embarrass IT executives – as opposed to the business executives who should be the ones embarrassed.
Romero suggests an approach to governance that gives the organization the benefit of the doubt. By starting the process as an “educational” and “edification” exercise, everyone in the organization can discover what it means to have IT governance, before auditors can tell them they have none.
Read the full post at: http://www.pmhut.com/conducting-a-fair-and-ultimately-successful-it-governance-audit