If your internal auditors showed up today to take a look at your IT
strategy, would you be prepared? Do you know for sure how your company’s
investment in IT is benefiting your company? If you answered “No”
to any of these questions, then you may not be organized for success.
In this article, I’ll give you some practical advice that you
can apply today to structure your IT organization in a way that not
only makes your company more effective, but also makes it easier to
audit.
Earlier this month, Compliance Week’s columnist Dan Swanson ran
a great article on “Auditing
a Company’s IT Strategies” (access required). He suggests
that smarter companies leverage their internal auditors to assess their
company’s investment in IT. According to Dan, there are two distinct
elements to most IT investment audits:
He then goes on to suggest a set of questions an internal auditor should
ask to complete this assessment. I won’t go over all the questions
in this article, but what I will do is suggest a way of organizing your
IT function so that the audit process is much cleaner.
Step #1: Have an Attitude of Partnership with IT
The first step is making sure you have the right attitude about how
IT will engage. This is foundational, and usually done wrong in an
organization. Although IT’s role in the organization is to support
the other business functions, this should not be interpreted as a
“subcontracting” role. Rather, it’s much better
to view IT as a “partner” with the other business functions,
helping the business as a whole support the corporate strategy. For
instance, the CIO should report directly to the CEO, and be on par
with the CFO, COO, and all other C-Level staff.
This concept should flow down the organization. In my view, the best
way for IT to support your organization is from a predominantly decentralized
architecture. Have your IT clearly segmented by the business functions
important to your company’s success: Finance IT, Operations
IT, Marketing / Sales IT, Product Development IT, etc. An advanced
strategy for a larger company would even include an Audit IT department.
Of course, at some point there needs to be a point of centralization
to avoid duplication of effort and to take advantage of consolidated
economies of scale. However, the instant that centralization even slightly
impacts productivity in the business function is the exact point
where centralization efforts should be reeled in.
Step #2: Align IT Priorities with Business Priorities
With the proper organization, your IT project prioritization process
is completely transparent to your business function. Of course, your
company’s process for managing business priorities must be intact,
but as long as that is in place, your IT function simply folds in.
For instance, sales and marketing should be organized to the point
where projects are executed in a structured manner, supporting the
company’s goals while staying within time and budgetary constraints.
What I’m suggesting is that, since your sales and marketing
IT function is strongly aligned to the business function, the sales
and marketing group should take the IT support of each project into
consideration when setting the priority on projects to be executed.
Therefore, the IT cost estimates on any project are broken down into
two components: labor and materials (i.e. hardware). Labor in this
case is extremely straightforward – you know how many people
are in your group, so just extend that out to the expected term of
the proposed project. Materials (e.g. database license, third-party
software, etc.) can then be negotiated with the centralized Corporate
IT function (see below).
Do not make the mistake of thinking this is an inefficient organization
and moving to a more “pooled resource” architecture. This
is too much centralization, and will definitely come back to hurt
you. It’s important to keep your IT resources focused on the
priorities and goals of your business function.
Step #3: Centralize the Rest – Lightweight but Effective
With the majority of the management and control of your IT investment
deferred to your business functions, the only group left to reconcile
is your centralized Corporate IT function. This will be your most
challenging task. As mentioned earlier, your Corporate IT function
needs to be at a delicate point between under-centralization and over-centralization.
Under-centralization would be characterized by unnecessary duplication
within the company because teams are not talking to each other. This
condition can explode into a number of corporate deficiencies, such as
too many resources and/or too many controls.
Over-centralization, as stated above, would be characterized by any
decrease in business function productivity. Of course, quantitative
measures are the best indicators of business function decrease, but
even if these are not in place, some qualitative analysis can be done
in the business function to determine if over-centralization has
taken place. Symptoms include frustration when it takes so long to
get something “simple” done, and an unwillingness to partner
with IT because it’s perceived as being cumbersome. In somewhat
extreme cases, you will see shadow IT pop up.
The only exception to this rule is when there are clear regulatory
concerns. For instance, the business might not like the fact that
you are required to scramble credit card numbers in the database;
however, this is a privacy issue that must be complied with. Be careful
not to get too crazy with this “loophole” of sorts. I’ve
seen IT departments hide behind policies like this to push any agenda
that they want pushed through. Whenever a non-business-related constraint
is put on a project, make sure there’s a very clear regulatory
reason why it’s there.
Auditing your investment in IT and its overall strategy indicates that
your company is responsible and mature in its thinking. The foundation
of a successful IT strategy is the way IT is organized in the company.
Making sure you partner with IT and maintain a predominantly decentralized
structure will pay off in dividends when it comes to surviving this
kind of audit. Take a serious look at the way your IT is organized today,
and if necessary, start moving things around.