These days, many CIOs in Asia are in a frenzy over America’s Sarbanes-Oxley Act, or Sarbox. Not Daniel Lai, chief information officer of Hong Kong subway operator MTRC. In mid-2000, he and his team started developing an enterprise-wide IT governance system that aimed to document, monitor, and control all IT processes that deliver and sustain sources of business value—which means practically everything at IT-enabled MTRC. So when KPMG started its audit work in August, including the examination for the first time of internal-control systems under Sarbox, the IT department had everything in hand. “All the documentation and controls already exist,” says Lai.
If only others in Asia are as well-armed. According to the non-profit IT Governance Institute, only 17% of the world’s companies have implemented an IT governance solution, with another 19% in the process of putting such a framework in place. The findings are contained in the IT Governance Global Status Report 2006, the result of a survey of 695 CEOs and CIOs, of whom 38% are in the Asia Pacific. A whopping 36% of respondents are not considering instituting IT governance at all. Observes the report: “Implementing IT governance is not as easy as organizations might have thought.”
Maybe so, but companies may not have much choice going forward. Across Asia, legislation similar to Sarbanes-Oxley is wending its way through parliaments and congresses, with places like Australia, Korea, and India already requiring Sarbox-like regulations. In Japan, the Financial Instruments and Exchange Law passed in June this year requires companies to evaluate and certify internal controls by 2009 as part of the law’s “J-Sox” provisions. This means that the IT systems used to generate, amend, store, and transport data must be governed by controls that help assure external auditors the financial statements are accurate and reliable—and ensure that CEOs and CFOs who sign off on the numbers stay out of jail.
Beyond compliance, an even more powerful tide is the growing alignment of IT with the business, what the Economist Intelligence Unit (EIU) in a recent report calls the “expansion of IT’s mission from cost cutting to revenue generation.” In a survey of 288 executives from 58 countries, the EIU found that 83% of CEOs and board members polled believe that IT’s predominant strategic role in three years will be to enable revenue growth, rather than to drive cost efficiency as is the case today. With its focus not only on controls but also on transparency and return on investment, IT governance can play a key role in accomplishing this far-reaching mission.
Here’s the rub. While expectations about the role of IT in growing the business and governance are expanding dramatically, CIOs are cautious about how quickly they can rise to the challenge. The EIU detects an expectations gap between the executive suite and the IT troops, particularly in the Asia Pacific. While both C-level executives and IT managers in North America agree that IT’s primary role in the next three years will be revenue generation rather than cost reduction, IT specialists in Asia still see their contribution as chiefly enhancing operational savings. The EIU measures the gap between the two sides in Asia at 23 percentage points, compared with 13 points in Europe and just three in North America.