KPMG IT governance survey


Johannesburg, 21 Sep 2004

Corporate governance is considered a top priority in many organisations, and information technology an essential ingredient in ensuring the successful delivery of products and services in these organisations. With IT being critical to ensuring that an organisation meets its business objectives, how are these organisations managing the risk of their high dependence on IT while simultaneously getting optimum value from IT? Are organisations actively managing information technology governance as part of their corporate governance framework, and is IT management actively involved in corporate governance issues?

To probe these important issues, a recent survey exploring the depth of implementation and level of effectiveness of IT governance in organisations was conducted by KPMG in the Europe, Middle East and Africa regions.

The survey was completed in the first half of 2004 by 198 respondents from a wide range of industries in 19 countries. The participants interviewed carried out varied roles in the organisation they worked in. These included the chief executive officer, the chief operating officer, the chief information officer and similar members of organisations. The results of the survey have been outlined below.

The KPMG IT governance survey revealed that the majority of the respondents felt IT governance was not an integrated part of the corporate governance structures of their organisation. As a best practice, IT governance should be aligned to and incorporated into the corporate governance framework. At a very basic level, the IT governance framework should be aligned with the organisation's strategies, organisational structures, policies and internal processes, and these should form a piece of the corporate governance pie.

Many respondents indicated that although some form of IT governance was in place, it was essentially informal in nature. Additionally, this informality may be less robust than expected from regulators and the requirements of the Sarbanes-Oxley Act of 2002. The survey also highlighted the fact that the level and quality of IT governance in place did not vary significantly by industry and even heavily regulated industries, such as the credit and insurance industry, have not developed or implemented anything other than basic IT governance frameworks.

South African industries cannot afford to ignore international legislation even though this may not be legally enforceable in the country. Many of these policies may eventually become enforceable and markets should use their current opportunity as a means of getting better value from the information technology in their businesses. In particular, the banking and finance industry in SA needs to comply with Financial Intelligence Centre Act No 38 of 2001 (FICA) standards.

The requirements of client confidentiality, the maintenance of appropriate records and compliance with FICA's reporting obligations must feed directly into the IT governance framework of an organisation. Non-compliance with FICA obligations may result in severe penalties where individuals may be fined up to R100 million and/or face imprisonment for up to 30 years, including possible forfeiture of the proceeds of the crime to the government. This is a typical example of local legislation that requires formalised IT governance structures be put in place.

It was also identified through the survey that the majority of the organisations that participated did not use recognised IT governance frameworks. Frameworks such as COBIT and ITIL had fewer adopters than expected. The general sentiment among participants was that in order to achieve the implied requirements of good governance, a flexible approach in the implementation of an effective framework needed to be followed. Essentially, this may be true to a certain degree but these best practice guidelines serve mainly as a response to management's need for control and measurability of IT. Therefore, these guidelines serve as a tool to assist organisations with conforming to a formalised IT governance structure as needed in many organisations.

Respondents also indicated that there is a general lack of sophistication in the management and governance of outsourced arrangements. The survey reinforced the fact that although outsourcing has been a significant trend in the IT industry during the past few years and one that has challenged those organisations that have embraced it, the management of outsourced arrangements was generally achieved through informal arrangements. This poses a risk to the organisation, as management may not be able to determine if they are receiving value from their service providers. Informal agreements also make it difficult to manage and measure the risks of these arrangements and could possibly lead to management losing control of the outsourced functions to the outsource provider. The implementation of good governance standards would assist organisations in dealing with this risk.

The survey, together with KPMG's experience with its clients, reveals that IT governance has yet to mature to the same level that corporate governance has in many organisations. To address this need and to remove the evident confusion surrounding IT governance, KPMG is driving a South African initiative to simplify and unify IT governance practices in SA.
