IT Governance

Technology Governance: A discussion on the history of corporate governance and the overall implications of IT governance for software quality.


Article Purpose

The purpose of this article is to put the terms corporate governance and IT governance into perspective alongside other software quality terms.

Corporate governance

The term corporate governance has been around since the 1930s (following the Wall Street crash) but only became prominent following the Enron collapse (2001) and the passage of the Sarbanes-Oxley Act (SOX) in 2002. Following the financial meltdown of late 2008 it is clear that more government oversight of banks and financial institutions will be forthcoming.

SOX is only one aspect of corporate governance, which overall seeks to give shareholders and regulators transparency (and standards) into the financial affairs of a company. Basically, the goal of governance is to protect investors; for a more detailed overview of corporate governance see the Wikipedia definition.

Where IT comes into the picture, for corporate governance, is SOX Section 404: Assessment of internal control, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). Under SOX Section 404 a company has to demonstrate that internal controls exist (and are followed) for those aspects of IT that affect the company's financial reporting. Given how heavily financial reporting is automated, and the fact that most commercial systems' data flows into a general ledger (GL), the implications for IT are significant.

All code changes, testing and deployments that affect the GL have to be managed. This involves appropriate sign-offs (by someone other than the person who made the change, so that development and deployment duties are segregated) as well as a record that each of these events actually happened, since an auditor will ask for evidence that the control was followed, not just that it was defined. There are many guides to help a company comply with SOX 404, including the COSO framework.

IT Governance

The term IT governance came into popular use following SOX and the widespread implementation of IT-related (Section 404) activities. However, IT governance is now used as a framework for ensuring that the IT strategy is aligned with the business strategy. One can argue that frameworks like CMMI or other software process improvement (SPI) initiatives have the same basic goals as the newly defined term IT governance. This is true, but IT governance carries a stronger connotation of executive oversight.

As IT becomes inseparable from a company's workflow (and its value/risk stream), executives now understand how much IT can hurt a business and how much risk is associated with it. The question being asked by executives is no longer "What can IT do for me?" but "How much can IT hurt me in delivering value?" In its simplest form, IT governance is about:

Balancing the Value of technology with the cost and risk of its utilization.


In the past, technology was predominantly self-governed: the SQA department was part of (or heavily aligned with) the technology group, so the people checking the work reported to the people doing it. IT governance requires oversight by executives who are not part of technology. Clearly IT governance is a good thing for anyone who believes in the usefulness of CMMI or other formal software process improvement frameworks.

Conclusions

IT governance has, in essence, raised the awareness of non-IT executives to the real value of Software Quality Assurance. The fact that this came about from the needs of SOX compliance (for corporate governance) can be seen as an opportunity for software quality professionals who seek to create customer value at the optimal cost.
