Better ICT processes and controls: The key to good corporate governance
In SA, new legislation enacted over the past five years is being operationalised, leaving many large organisations with no shortage of challenges. In addition, regulatory requirements are set to increase globally. Unclear process and control requirements, tight deadlines and limited resources for accomplishing these goals exacerbate the situation for those organisations affected.
The answer, believes Gartner, lies in implementing suitable business processes and IT controls, and leveraging technology to support and enhance those processes.
The requirements of legislation and advisories such as AC133 (IAS39), the local King II Report, the Financial Advisory and Intermediary Services (FAIS) Act and the Financial Intelligence Centre Act (FICA), among others, must be met, and organisations must be able to demonstrate the transparency, accountability, security, processes and procedures behind them. In addition, legislation and deadlines are pending for Section 409 of Sarbanes-Oxley, Basel II, CAD 3 and Solvency 2, to name just a few.
The combination of ICT standards and flexible business service management solution architectures lays the foundation not only for ongoing regulatory compliance, but also for the responsive business and IT operations that must be built over the longer term. This is the recipe for success we see used most often by our largest global banking, brokerage and service provider customers, which typically have the most complex environments and are hardest hit by new regulations.
The task of evaluating current ICT governance practices so that changing regulatory requirements can be supported quickly and efficiently is no small undertaking. For this reason, many progressive organisations are turning to ICT service management best practice and control frameworks as a starting point. These include the Information Technology Infrastructure Library (ITIL) and Control Objectives for Information and related Technology (COBIT).
ITIL is a set of best practice standards for IT service management that was created to address the growing need for ICT to meet business needs and goals. These standards are gaining recognition as companies acknowledge that business goals and objectives should drive the development of ICT infrastructure, and not the other way round. ITIL is complemented by COBIT, an ICT process and control framework that provides the company-level and activity-level control objectives needed to link ICT to business requirements.
For many organisations, adopting ICT best practices and controls provides a future-proof course of action for implementing the process controls and IT functions that enable regulatory compliance. The processes and controls defined in COBIT and ITIL overlap substantially and tend to fall into the following general categories:
* Change management
* Configuration management
* Incident and problem management
* Security and integrity management
* Availability and service continuity management
* Capacity and performance management
* Financial/cost management
* Service desk and customer support
For many regulatory measures, material weaknesses in ICT processes and controls will be identified by independent auditors. Because the legislation contains little ICT-specific documentation, the interpretation of what constitutes a material weakness can be subjective, even though many audit firms use frameworks such as COBIT to assess it.
Finally, enterprises evaluating software solutions to address future compliance needs should be aware that any solution they adopt will need to be flexible and open in design. This will allow them to address the unique IT environment of their organisation, their specific control requirements (as defined by their auditors), and the IT standards and processes they have adopted.