CICA Issues Boardroom Guide on Information Technology

The Canadian Institute of Chartered Accountants (CICA) has published practical guidance for boards of directors and others who oversee information technology (IT). The guidance is summarized in a publication entitled 20 Questions Directors Should Ask About IT.

Directors' Responsibility for IT

Building on an earlier research report entitled Beyond Compliance: Building a Governance Culture, the CICA suggests the IT oversight responsibilities of directors should include reviews of three broad areas:

  • The company's strategic planning processes, including approval of strategic plans and monitoring performance against plans.
  • The policies and processes that ensure the integrity of internal control and management information systems.
  • The policies and processes that (1) identify business risks and the level of risk that is acceptable to the corporation, and (2) ensure that systems and actions are in place to monitor risk.

To discharge these responsibilities, directors must keep abreast of issues pertaining to the company's management and control systems and ask the right questions.

Questions Directors Should Ask

CICA's suggested list of the 20 most useful questions to ask, grouped by the three broad areas of responsibility, is as follows:

  • Strategic Issues
    1. Does management have a strategic information systems plan in place that is monitored and updated as required? Does this plan form the basis for the annual plans, annual and long-term budgets and the prioritization of information technology projects?
    2. Have appropriate procedures been established to ensure that the organization is aware of technology trends, periodically assessing them and taking them into consideration when determining how it can better position itself?
    3. Have key performance indicators and drivers of the IT department been determined? Are they monitored from time to time and are they benchmarked against industry standards?
    4. How is the organization managing its relationships with third-party service providers?
    5. Does management have appropriate procedures to address information technology employee turnover, training and project assignment?
    6. How has management ensured that it has identified the required technology expertise and how is top talent attracted and retained?
  • Internal Control Issues
    1. Has the board considered the creation of an IT subcommittee or assigned a board member specific responsibility for the organization's investment in, and use of, information technology?
    2. Who on the management team has responsibility for IT corporate governance? Is this person in a sufficiently senior management position?
    3. What is management doing to ensure that employees are aware of, and are in compliance with, the company's information and security policies?
  • Risk Issues
    1. Does management have a plan to periodically conduct risk assessments covering the organization's use of information technology, including internal systems and processes, outsourced services and the use of third-party communications and other services? If it does, are the results of the assessments acted on where appropriate or required?
    2. How does management ensure data integrity, including relevance, completeness, accuracy and timeliness, and its appropriate use within the organization?
    3. What arrangements does the organization have for the regular review and audit of its systems to ensure risks are sufficiently mitigated and controls are in place to support the major processes of the business?
    4. Has the organization assigned someone the responsibility for privacy policy, privacy legislation and compliance therewith?
    5. Has the organization identified the various legislative and regulatory requirements for protecting personal information and developed a policy and procedures for monitoring compliance with them?
    6. If the organization uses e-business to buy or sell products or services, has there been a specific review of the risks and controls over the e-business activities?
    7. Are the organization's e-business activities appropriately protected from external attacks (by hackers or others) that, if successful, would result in loss of customer satisfaction or public embarrassment?
    8. Has the organization adopted formal availability policies? Has it implemented effective controls to provide reasonable assurance that systems and data are available in conformity with availability policies?
    9. Does the organization understand the impact of an interruption in service and are there plans in place to deal with potential interruptions? Has a business continuity plan been adopted? If it has been adopted, is it tested regularly and are the results used to improve the plan?
    10. Has management considered and addressed legal implications that pertain to the use of software, hardware, service agreements and copyright laws?
    11. Have policies covering licenses, agreements and copyright been formulated and disseminated to all personnel?

Note: Beyond Compliance: Building a Governance Culture is the Interim Report of the Joint Committee on Corporate Governance, jointly released by the CICA, the Canadian Venture Exchange and the Toronto Stock Exchange in March 2001.

-Rosemary Schlank
