New Zealand may be slow off the mark with an equivalent of the US Sarbanes Oxley legislation and Australia’s CLERP 9 reporting standards (part of the government's Corporate Law Economic Reform Programme), aimed at tightening up corporate governance, but IT managers here are not putting their heads in the sand, says Mary Ann Maxwell of Meta Group Asia–Pacific.
“Whether [equivalent provisions] come or not, management is saying ‘we want to see our house in order’,” she says. The push to be able to demonstrate that the aims of the company have been well-defined and best efforts are made to achieve them comes naturally from the chief executive and the chief financial officer, but the CIO or IT manager is next in line to be told they have to be able to supply the figures to demonstrate this and to comply with government reporting requirements.
There is some evidence, Maxwell says, that CIOs are pushing the corporate governance angle themselves and their own critical role in it as a means of getting closer to top management and having more funds voted for projects that can be given a better-governance gloss. This is bound to be happening in New Zealand.
Maxwell, formerly CIO of Westpac, was one of four panellists at a seminar on corporate governance in Sydney last week.
Panellist Patrick Gunning, technology partner in commercial law firm Mallesons Stephen Jacques, says a recent Ernst & Young survey of companies fixing up internal controls “found that the majority of control failures were in the IT area”.
Maxwell identifies a number of crucial elements of provable good governance that are strongly tied to IT.
- Enterprise security is a key component; Sarbanes Oxley puts a lot of emphasis on attesting to proper security.
- Risk management is a key element, crucially dependent on good data.
- An enterprise architecture will be sought, with units and functions of the enterprise fitting smoothly together. This should at least be in the process of evolution and there should be a demonstrated plan to achieve it. IT governance and architecture will “strongly parallel” their equivalents in business governance.
- Records management, though often seen as routine, is another essential element, particularly with an increasing amount of unstructured data, such as emails, playing a crucial role in the way the company is run.
- Lastly, IT is bound up in essential asset management, particularly the management of the IT assets.
While there is a definite “stick” driving companies to adopt the standards – if their governance is lacking and the company fails, directors could be made personally liable – tighter control results in smoother working and better resource utilisation, which provides the “carrot” to adoption, Maxwell says.
In Australia, the federal Auditor-General has recently been assessing the adequacy of controls in the financial management information systems of major government agencies. The Department of Defence was ranked one of the worst performers, with “problems with data quality in several areas,” says Gunning. Pricing data in an assets database, for example, was readily overwritable.
Joseph (Chip) Nemesi, vice president of business service management at software company BMC, notes that actual and threatened legislation is not the only spur to improve governance and to improve the alignment of business and IT. The companies of the 90s bet on huge ERP systems like SAP, which wound themselves deep into the financial structures of the company. “That got the CEO and CFO much more involved with IT.” Secondly, web enablement made the company’s internal processes much more visible to its customers.
The worries of the CIO used to be chiefly over whether the technology was working reliably, he says. “Now the CEO asks ‘how are the business processes running?’ And if something’s gone wrong, what are you, the CIO, going to do to make sure it never happens again?”
Bell travelled to Sydney as a guest of BMC.