With today’s rapid development and advancement in technology, organizations are more challenged than ever to align business and IT strategies with objectives, establish company-wide IT governance, and classify data. Failing to prioritize your company’s IT governance limits the benefits your organization realizes from its IT investments. By auditing IT governance implementation, strategies, processes, and controls, organizations can ensure their IT portfolio aligns with business goals and objectives.
What is IT Governance (GEIT) and Why is it Important?
Historically, organizations viewed IT as an unnecessary expense rather than a beneficial asset. More recently, organizations have recognized IT as a crucial component in gaining an innovative advantage over the competition. IT governance, also known as the governance of enterprise IT or GEIT, delivers value by creating processes to better manage and control key IT investments, decisions, and resources. Because IT governance aligns business with IT goals and objectives, IT is considered a business enabler rather than just technology. When IT governance is absent or fails, a business risks failing to achieve its financial goals and objectives.
COBIT, a well-known IT governance framework, defines IT governance (GEIT) through five main principles:
- Meeting stakeholder needs.
- Covering the enterprise end-to-end.
- Applying a single integrated framework.
- Enabling a holistic approach.
- Separating governance from management.
Is SOC 2 a Governance Framework?
A SOC 2 examination produces “a report that service organizations receive and share with stakeholders to demonstrate that general IT controls are in place to secure the service provided,” but it is not typically considered an IT governance compliance framework. A deeper dive into the Trust Services Criteria of the SOC 2 report, however, reveals sections directly associated with the governance of IT.
The Board of Directors and IT Governance
To understand this connection, first consider an organization’s Board of Directors. Because the Board of Directors has ultimate responsibility and authority for your organization’s IT governance, it plays the most critical role in the IT governance process. You may be asking yourself, “How can the Board of Directors influence my organization’s control environment?” and “Are controls of the Board of Directors tested in a SOC 2 report?” The authority of the Board of Directors ensures proper resource allocation, so it must be considered part of the control environment. In fact, a criterion in the SOC 2 specifically tests your Board of Directors’ oversight of your organization’s internal controls.
COSO Principle 2: “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.”
The Board of Directors also advises and approves the alignment of business and IT initiatives, goals, and objectives. Unfortunately, most Boards of Directors fail to comprehend IT risks and challenges that their organizations encounter simply because of a lack of knowledge about IT or because they may not understand their organization’s dependency on IT. We often see organizations’ Boards of Directors defer key IT initiatives and decisions to members of the IT team, but this leaves a Board of Directors still unaware of the benefits of IT within their organization.
Without this understanding, a Board of Directors may fail to provide IT senior management with the required insight that aids in the IT decisions made to achieve business initiatives, goals, and objectives. Luckily, another criterion of the SOC 2 considers the communication to senior management of control deficiencies and risk assessment results:
COSO Principle 17: “The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”
Constructive relationships between IT senior management and the Board of Directors should be established to create effective communication between the business and IT. Without an understanding of the operating effectiveness of your organization’s control environment, the Board of Directors is inhibited from addressing control deficiencies, reviewing IT operations, making accurate and clear business decisions, and creating and aligning business and IT strategies and goals. This can also lead to increased pressure on your chief information officer to manage and coordinate critical assets alone.
Communicating IT Governance: Policies and Procedures
COSO Principle 12: “The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.”
Maintaining current policies and procedures most effectively communicates employee control activities, responsibilities, and expected process outcomes and behavior. Policies and procedures communicate senior management’s tone, which drives company culture and establishes values and expectations.
While organizations cannot consistently predict employee behavior or ensure employee compliance with company policies and procedures, organizations can implement controls related to employee acknowledgment of company policies and procedures to mitigate as much risk to the business as possible. These controls are most commonly present during the onboarding process but should be present at other times as well. At the same time, IT governance roles and responsibilities can be communicated to employees when IT governance is implemented. In doing so, IT governance becomes the responsibility of every employee rather than just of senior management and the Board of Directors. All operations, processes, and employees’ day-to-day activities should consistently align with achieving your organization’s business initiatives and objectives.
The following are examples of IT governance policies and procedures that organizations require their employees and contractors to acknowledge:
- Acceptable Use Policy
- Information Security Policy
- Incident Response Policy
- Data Classification Policy and Procedures
Accountability within the Organization
COSO Principle 3: “Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.”
COSO Principle 5: “The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”
A Board of Directors and executive management are accountable for a business’s goals and objectives before they can expect employees to take responsibility as well. The Board of Directors and executive management are charged with formalizing and effectively communicating IT-based decisions to employees. Unfortunately, in most organizations, employees don’t take responsibility for helping their organization achieve business and IT initiatives and objectives, and generally don’t understand how to satisfy stakeholder expectations. Even worse, most employees are unaware of how their roles and job functions help achieve those objectives daily because most organizations fail to communicate this information to their employees. To effectively manage and govern IT and human capital, the Board of Directors, executive management, and IT managers must include employees in communication regarding organizational business and IT initiatives and objectives so that employees can also be held accountable.
There are several controls typically found in a SOC 2 report that test an organization’s ability to hold its employees accountable:
- Documented job descriptions that may include prerequisite considerations for employment, internal control responsibilities, and job role and functions.
- Security training for employees.
- Completing performance evaluations for employees that include strategically aligned objectives with evaluation criteria.
In summary, IT governance can be complex when you consider every individual in your company and their role in your organization’s IT governance processes. A SOC 2 isn’t known as an IT audit framework, but the report tests your organization’s high-level IT governance controls and processes, providing a basic overview of your IT governance posture.
Linford & Co., LLP, founded in 2008, is composed of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, and GSEC licenses and certifications.