Information Technology (IT) Governance is a subset of corporate governance that focuses on the management, assessment, performance and risk of IT resources in an organisation. IT governance was strongly pushed after the Sarbanes-Oxley Act in the USA (which came as a result of the numerous accounting scandals of the early 2000s, such as Enron). IT governance is aligned with the goals and objectives of the firm and is intended to create value through the effective and efficient use of IT resources. It is a tool used by many stakeholders, such as executive management and the Board of Directors, to assist them in reducing risk, creating value, and setting policies and internal controls for the firm. COBIT 4.0 defines IT Governance as ‘the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.’ A framework must be implemented which sets out the standards, best practices and rules that must be adhered to for IT Governance to be successful. This report will identify, compare, discuss and analyse the three most used frameworks worldwide: ISO 38500, COBIT and ITIL v3.
Research and identify three IS governance frameworks that are the most widely adopted by business organisations worldwide.
ISO 38500
ISO/IEC 38500 (2008) is a standard developed by the International Standard Organisation (ISO) for Corporate Governance of IT. This framework was originally written by Standards Australia in 2005 and later adopted and standardised by ISO in 2008. According to the ISO, the standard is “a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT”. The framework focuses on 6 main principles:
1. Responsibility: to establish regulations and standards for others to follow.
2. Strategy: to plan IT to best support the organization.
3. Acquisition: methods of acquiring the best resources and support.
4. Performance: ensuring the IT system works well at all times.
5. Conformance: continual monitoring to ensure the system adheres to rules and standards.
6. Human behavior: to ensure IT use respects the human factors of the end users.
Considering the 6 principles above, it is clear that the standard is aimed mainly at the top level of management and the Board of Directors. ISO states that the principles will allow for “good corporate governance of IT that express preferred behavior to guide decision making”. An effective, efficient and acceptable level of IT governance at the top level will allow the same culture change in IT throughout the whole organization. ISO 38500 is applicable in all organizations, irrespective of size, location, design, purpose or structure.
Directors should govern IT through three main tasks (Feltus, slide 31-34):
* Evaluating the current and future use of IT. Directors must consider the pressures of the business's internal and external environment, such as economic and political pressures, competitors, and its own current and future needs.
* Directing the preparation and implementation of plans and policies to ensure that the use of IT is aligned with the business objectives. Top management should ensure all transitions run smoothly and encourage good corporate governance.
* Monitoring conformance to policies (both internal requirements and external legal requirements). Directors also need to compare performance against the plans and business objectives.
The diagram below is a representation of how ISO works within a...