IT governance, a perpetuum mobile
Information technology (IT) was introduced decades ago, mainly within back-office processes, to limit routine manual work, drive efficiency and standardize outcomes. IT departments were set up to help realize these objectives and were measured strongly on efficiency. The digital opportunities focusing on the commercial side, client intimacy and web-based interactions create a stronger focus on business value add and effectiveness. It is not one or the other that applies: boards must create solid governance in which both dimensions can be steered and monitored.
Provide technology solutions
Let’s think back to decades ago: it was a time when the business was at the mercy of the IT department for all its technology-enabled solutions. Although the IT department as technology pusher also existed in those days, in essence the IT department was an order taker. Its main objectives were to provide technology solutions and to be a troubleshooter at minimal cost. It was a small, specialized group of people with responsibility for providing hardware, software and help desk services. The compliance agenda was based on rather static control objectives focusing on change management, user access management, operations, and business continuity. When ERP systems were introduced to replace the standalone applications, integrated process controls were implemented in these applications. The transition from manual controls towards more technology-based application controls began. In most cases the IT processes were run internally, and the controls testing could be organized internally.
Significant changes in the enterprise technology and application landscape
This is not fully consigned to the history books; it is interesting that many organizations have a mixed bag of IT solutions. The traditional IT setup can still exist alongside a more business-focused IT. However, since 2010 there have been significant changes in the enterprise technology and application landscape. Along with newer technologies such as cloud services, data and analytics, cognitive computing, and mobile becoming more pervasive, the consumerization of IT has also made it more accessible and usable by business users. Business users are more technology-savvy, entering a domain that was once exclusively controlled by the IT department. Chief Information Officers (CIOs) and other more recently created functions like the Chief Digital Officer and the Chief Data Officer reflect this business focus. CIOs continue to drive down maintenance and operation costs as a way to fund new initiatives required to meet the new business expectations. It basically means striking a balance between business as usual and transforming the IT organization towards a different value proposition.
Studies like that performed by the KPMG CIO Advisory practice indicate the shift in focus from minimizing costs towards maximizing value. Key characteristics include being a trusted advisor. IT should help the business understand the different technology options and solutions available, not only by deploying an ERP system but also by advising on potentially using it as software as a service (SaaS) instead of the traditional on-premises version. IT should also be agile in thought and action. Furthermore, IT is expected to be a growth enabler by being able to understand the business needs seamlessly. Lastly, the focus on delivering efficiently and improving performance is here to stay.
The reality is that without the right architecture and governance models in place, the new business focus could easily result in higher IT spending and increased risks.
This article originally appeared in the KPMG Board Leadership News, 2022.
This article is written by Prof.dr. Rob Fijneman RE RA and is based on a combination of research insights, results of master theses and practical experience in the field of IT auditing. Rob Fijneman combines being a professor in IT auditing and Academic Director of the Executive Master of IT Auditing at TIAS School for Business and Society with being a Technology Audit partner at KPMG AG in Switzerland.