Last year, when the state of California sought to remedy a massive technology headache — canceling a $95 million contract with Oracle Corp. when projected savings, bidding procedures, and even campaign contributions raised red flags — four state officials resigned and California dismantled a statewide information technology organization. Drastic as these measures may seem, California legislators are now considering a bill that would create a state board for IT oversight. If passed into law, it would bring the state into the brave new world of “IT governance.”
The intent is to bring a high-level view to IT planning and spending that keeps it on track and on strategy. “There was so much IT activity in the ’90s that didn’t produce any value,” says Jon Oltsik, founder and principal of Hype-Free Consulting, in Acton, Mass. “IT governance is a way to go back to a disciplined approach focused on process, procedure, and results.”
In fact, a mini-industry has sprung up around the idea of IT governance, including the IT Governance Institute; consultancies; software start-ups offering IT-governance suites; and even rigorous specifications, including one, called COBIT (for control objectives for information and related technology), that is already in its third edition. And the consensus among all those involved is that CFOs should sign on for IT governance, whatever it might be. “The CFO must ensure the investors’ satisfaction,” says Vani Kola, president and CEO of Nth Orbit, a software vendor that introduced governance software in May. “That’s why they should do IT governance — not just to follow the law.”
It’s a law, however, that’s driving the IT-governance trend. Within the Sarbanes-Oxley Act of 2002, there are three sections especially relevant to IT: Section 404, which requires management to assess, and officers to attest to, the effectiveness of internal controls over financial reporting; Section 302, which requires the CEO and CFO to certify the completeness and accuracy of each periodic financial report; and Section 409, which requires that material changes in a company’s financial condition or operations be disclosed “on a rapid and current basis.” Because the controls and the underlying data live in IT systems, it’s a real challenge for CFOs “to fully comply without some really good IT governance in place,” insists Paul McFeeters, CFO of governance-software vendor Kintana Inc.
A Continuous View
Of course, there’s hardly a software maker today that doesn’t claim to solve some aspect of Sarbanes-Oxley, so how does IT governance fit in? And how does it differ — if in fact it does — from other long-standing approaches to managing IT, such as IT oversight committees or IT project portfolio management?
It’s largely a matter of purview. Oversight committees and portfolio-management methodologies tend to focus on approving and prioritizing IT projects, while governance formalizes a continuous look at strategy and execution: Should we be doing this project at all? If so, what financial returns should we expect, and in what time frame? What milestones will determine whether the project is still on track? That is, IT governance takes the highest-level view possible, which is why, in theory anyway, it may help firms understand whether they have the proper systems in place to meet regulatory requirements.