The Myths and Realities of IT Steering Committees

written by: Jean Sedane; article published: year 2007, month 03;



The ITSC performs a critical function in supporting the implementation of the corporate information technology strategic plan (ITSP). Further, the committee ensures that it minimizes the risks associated with implementing the IT strategies and receives a return on its investment.

Too often organizations do not monitor the activities and decisions of their IS department. Rather, they rely on the IS department to provide the IT solutions because executive management does not understand technology.

However, this attitude must change; otherwise, the organization may find that decisions made in isolation by the IS department may cause the organization to waste valuable resources (both human and financial) in implementing technologically superior solutions, and not business solutions. When this occurs, the organization receives a poor return on its investment in IT.

It is critical from the outset that the ITSC be empowered to monitor and control the IT investment of the organization.

ISACA has recognized the need for organizations to have an ITSC. The Control Objectives for Information and Related Technology (COBiT) PO4 — Define the Information Technology Organization and Relationships Control Objective states:

The organization’s senior management should appoint a planning or steering committee to oversee the information services function and its activities. Committee membership should include representatives from senior management, user management, and the information services function. The committee should regularly meet and report to senior management.

However, IS auditors do not review this critical organizational control process. If this control were part of the system development life cycle, it would be reviewed. Because it is outside of the IT department and is seen as an extension of executive management, it is not reviewed. Because of the impact it may have on the success of the organizational investment in IT, it is essential that the IS auditor audits the role and the effectiveness of the ITSC of the organization.

CONDUCTING THE AUDIT

Audit Objectives

1.  To determine that the responsibilities and duties of the IT Steering Committee are documented and communicated throughout the organization

2.  To determine the effectiveness of the IT Steering Committee in monitoring and controlling the activities of IT within the organization

3.  To determine that the members of the ITSC understand the responsibilities and duties of their positions and are suitably qualified to undertake the role

Control Risks

During the audit of the effectiveness of the ITSC, the following control risks may be encountered:

-   No ITSC charter

-   The ITSC charter is not communicated

-   The ITSC charter does not provide a “watchdog” role over the implementation and investment in information technology

-   The lack of management skills by the ITSC members to understand the impact of noncompliance with the approved IT strategic plan

-   Poor understanding by the ITSC members of their role and responsibilities

-   Inappropriate membership by organizational manager(s) (political forum)

-   No key performance indicators (KPIs) to measure the effectiveness of the committee

-   Lack of empowerment for the ITSC to take action (where appropriate)

-   ITSC requirements are not communicated to line management and the IS department

-   No monitoring processes on IT investment within the organization

-   No reporting by the ITSC to executive management

STEP 1 — REVIEW THE IT STEERING COMMITTEE CHARTER

The IS auditor is to obtain a copy of the ITSC charter. In reviewing the charter the IS auditor is to determine that:

-   The role of the ITSC has been defined and its responsibilities clearly specified (this should be supported by position descriptions for its members). Where there are position descriptions, the IS auditor is to review the descriptions to determine if they are appropriate.

-   The charter of the ITSC is aligned with the corporate strategic objectives of the organization including the IT objectives.

-   The ITSC has provided for the continuous review of the ITSP to ensure compliance with the corporate plan and overall corporate requirements and that the plan is kept current by revision.

-   The ITSC has the authority to review (and approve/reject) all proposals for IS development over a specified amount (e.g., over $10,000) from user/managers. The ITSC is to prescribe the required format of the IT proposals, e.g., business case format, including a cost/benefit analysis with a rate of return — internal rate of return (IRR) or net present value (NPV). However, in some circumstances proposals may not be justified on a rate of return basis, but on a community or customer benefit.

-   The ITSC has the authority to manage the IS project portfolio, setting priorities for the development of the business information systems development, allocating the necessary resources, and monitoring the progress of each project against objectives and budgets.

-   The ITSC requires postimplementation reviews to be undertaken that are independent of the IS department and requires that the findings and recommendations of the review are presented to the committee with a response from the IS department.

-   The ITSC oversees and directs the activities of any subcommittee including project steering committees.

In essence, the role of the ITSC is that of a corporate watchdog. The watchdog role will ensure that the IS department does not lose focus in providing the organization with cost-effective IT products and/or services and meets its commitment to assist the organization in achieving its strategic objectives.

Too often the IS department becomes involved in “technical issues” rather than in implementing a “business” solution(s) to meet the requirements of the organization.

STEP 2 — DETERMINE THE EFFECTIVENESS OF THE IT STEERING COMMITTEE

For this step there are a number of audit procedures to be performed. The effectiveness of the ITSC will be measured by the following.

ITSC Documentation

This audit procedure requires the IS auditor to review the minutes/reports and associated supporting documents of the ITSC. By reviewing the documentation, the IS auditor can determine if the ITSC has carried out its role and responsibilities not only in accordance with the charter, but also in accordance with any processes that have been established.

Sample selections of the documentation, e.g., minutes/reports, business case(s) are to be reviewed. However, the sample size will be dependent upon

-   The elapsed time since the establishment of the ITSC and the audit being undertaken

-   The frequency of ITSC meetings

-   The format, quality, and quantity of the documentation

-   Availability of the documents

The contents of the documents are to be reviewed. The details are required to be checked against supporting documentation, e.g., ITSP, corporate plan, business unit action plans, project plans, budgets, etc. For example, any variances or exceptions to the ITSP are to be referred to the ITSC chairperson for clarification.

It is important that all variances or exceptions are investigated as it may be an indicator that the ITSC has either not understood its role and responsibilities or that the supporting processes have internal-control weaknesses.

Interview IS Department Management

This audit procedure requires the IS auditor to interview the IS department’s management. The objective of this procedure is to identify what processes are used to monitor, measure, and report on the IS function’s performance. The ITSC is required to provide the IS department with its reporting requirements for IT activities (including resource utilization, project status, etc.).

During the interviews, the IS auditor is to determine if the IS department’s management is given the opportunity to raise issues with the ITSC, particularly if the issues may impact the process or success of implementing the IT Strategic Plan.

Often the IS department management feels that the ITSC is an imposition on its activities, because it believes that it is in the best position to determine what the organization should have in regard to IT.

If the IS department is raising issues that are not being addressed by the ITSC, it may be an indicator (i.e., KPI) of the effectiveness of the committee. However, the IS auditor must be aware of any attempt by the IS department to influence unduly the opinion of the effectiveness of the ITSC without supporting and compelling evidence. Any issues raised should be followed up, provided there is sufficient evidence to justify the effort.

Interview Business Unit Managers

From the information gathered in Section 2.1 the IS auditor is to select a sample of IS projects (accepted or rejected by the ITSC) and interview the responsible project sponsors, i.e., business unit managers.

During the interviews and an examination of any documentation provided by the project sponsors, the IS auditor is to identify:

-   Deviations from the processes implemented by the ITSC with regard to

    -   Requirements in preparing a business case

    -   Submission and presentation of the business case

    -   Project monitoring and reporting

-   Communications from the committee with regard to changes in project implementation status, i.e., priorities, resource allocation, and objectives, etc., which is important as it may have an impact on the business unit achieving its strategic business objectives approved by the corporate executives

-   Reasons for the rejection of business case(s)

The interviews should also be an opportunity for the business managers to express any opinion on the effectiveness of the ITSC in fulfilling its role as per the charter.

The interviews may provide sufficient evidence which would support audit recommendations to change

-   The charter

-   Membership of the ITSC

-   ITSC processes

Benchmarking

The fourth audit procedure requires the IS auditor to benchmark the ITSC against similar organizations or appropriate international standards or recognized industry best practices.

The benchmark exercise is undertaken to provide compelling evidence that the structure, role, responsibilities, and supporting processes of the ITSC are sound.

To benchmark the ITSC, the IS auditor will be required to contact a number of similar organizations to obtain the necessary information. For example,

-   ITSC charter

-   Member position descriptions

-   Number of members

-   Composition

-   Reporting structure

-   Processes

-   Copies of “edited” minutes/reports (where possible)

From this information, the IS auditor can benchmark the organization’s ITSC. The benchmarking exercise will provide evidence as to whether the shape of the organization’s ITSC is appropriate.

STEP 3 — INTERVIEW IT STEERING COMMITTEE MEMBERS

The IS auditor is to interview members of the ITSC to determine if the members fully understand their duties and responsibilities in monitoring and providing a supervisory role of the IT activities within the organization.

During the interviews, the IS auditor is to ascertain that

-   The committee members have the relevant experience, skills, and available time to undertake this critical role.

-   The committee is “balanced” to ensure that there is no “bias” by the committee members or any one member.

-   The chairperson has the delegated authority of the chief executive officer of the organization to take appropriate action on his or her behalf.

-   Resources have been allocated by the organization to support the functions or processes of the committee.

-   The charter is supported by processes to increase awareness, understanding, and the IT skills of the ITSC members.

-   There are processes (i.e., policies and procedures) to support the operations and decisions of the ITSC.

-   The committee has prepared, documented, and communicated

    -   Guidelines and procedures for the preparation and submission of business cases to the committee

    -   Reporting requirements, i.e., format, contents (e.g., actual results against planned deliverables), and timing of reports

    -   ITSC meetings, i.e., format, structure, and timing

-   Key performance indicators (i.e., KPIs) have been determined to measure the effectiveness of the committee.

-   Processes (i.e., procedures) for reviewing submissions, reports, and presentations to the committee have been formalized and agreed upon by the committee members.

-   The IS department management is given every opportunity to explain variances or exceptions.

-   Decisions and action taken by the ITSC are documented and communicated to all stakeholders.

-   Minutes and supporting documentation of the ITSC meetings are prepared and distributed to all interested parties.

Ideally, the committee is to include a member who is independent of any line function who will provide the chairperson of the committee with an impartial view.

The IS auditor is to verify, where appropriate, information provided by the ITSC members to ensure it is complete and accurate and to document its findings.

STEP 4 — AUDIT REPORT

After performing the audit of the ITSC, the IS auditor is to prepare an audit report detailing his or her findings and audit recommendations. The IS auditor has to be aware of the organizational “politics” when preparing the draft findings and recommendations. In particular, the ITSC chairperson may have significant “political” power within the organization.

Therefore, from the outset, the IS auditor must “sell” the contents of the audit report and ensure that all findings and recommendations are discussed with all the stakeholders. The findings must be supported by documentary evidence (where appropriate) to ensure acceptance of the recommendations by the ITSC and executive management. Any errors of fact will detract from the objective of providing executive management with a detailed analysis of the effectiveness of the ITSC.

The audit report must provide sufficient detail to allow management to take specific action to address the issues found during the audit.

SUMMARY

Today, organizations are highly dependent upon their IT to assist the organization in achieving its corporate objectives. Executive management, therefore, requires the IS auditor to deliver an independent appraisal of the effectiveness of the ITSC in monitoring and supervising the investment in IT.

The effectiveness of the ITSC is of strategic importance to the overall success of the organization in achieving not only its IT strategic objectives, but also in gaining a competitive advantage from its investment in IT.

The IS auditor must convey to executive management the importance of having an effective ITSC and its value to the board of directors of the organization in the discharge of its fiduciary duties. There is overwhelming evidence to support the assertion that the failure of the ITSC of an organization to monitor and supervise IT investment decisions and operations has been one of the main contributors to an organization failing to achieve its corporate strategic objectives.

INFORMATION TECHNOLOGY STEERING COMMITTEE CHARTER

Where it is the policy of the organization to have a committee to monitor and control the implementation of information management-related policies and procedures, an Information Technology Steering Committee (ITSC) has the delegated authority to implement information management-related policies and procedures throughout the organization.

Role of ITSC Committee

The overall responsibility of the committee is the monitoring and enforcement of information management-related policies and procedures, which are conveyed through various forms, e.g., corporate plan, corporate policies, executive directives, etc.

Specifically the role of the committee is to:

-   Review on a continuous basis the information technology strategic plan (ITSP) to ensure compliance with the corporate plan and overall corporate requirements

-   Initiate and oversee information systems and technology development plans and major business projects

-   Consider all proposals for information systems development from user/managers and approve their adoption or otherwise in terms of cost, resource requirements, net benefit, organizational impact, and technology impact.

-   Manage the information systems project portfolio, setting priorities for the development of the business information systems development, allocating the necessary resources, and monitoring the progress of each project against objectives and budget

-   Oversee the conduct of postimplementation reviews to assess whether or not projected benefits are achieved

-   Monitor and control “end-user computing” or any ad hoc information systems or technology development that is unplanned, has the potential to create excessive computer demand, duplicates effort, or does not create a “shared” business or corporate resource

-   Oversee and direct the activities of any subcommittee including project steering committees

-   Ensure that the ITSP is maintained up-to-date and that all changes are approved before being implemented

-   Determine policy on subjects such as research and development, user charging, and data custodianship
