The Canadian Institute of Chartered Accountants has published practical guidance for boards of directors and others who oversee Information Technology (IT). The guidance was summarized into a publication on the 20 Questions Directors Should Ask About IT.
Directors' Responsibility for IT
Building on an earlier research report entitled Beyond Compliance: Building a Governance Culture, the CICA suggests the IT oversight responsibilities of directors should include reviews of three broad areas:
- The company's strategic planning processes, including approval of strategic plans and monitoring performance against plans.
- The policies and processes that ensure the integrity of internal control and management information systems.
- The policies and processes that (1) identify business risks and the level of risk that is acceptable to the corporation, and (2) ensure that systems and actions are in place to monitor risk.
To discharge these responsibilities, directors must keep abreast of issues pertaining to the company's management and control systems and ask the right questions.
Questions Directors Should Ask
CICA's suggested list of the 20 most useful questions to ask across the three broad areas of responsibility is as follows:
- Does management have a strategic information systems plan in place that is monitored and updated as required? Does this plan form the basis for the annual plans, annual and long-term budgets and the prioritization of information technology projects?
- Have appropriate procedures been established to ensure that the organization is aware of technology trends, periodically assessing them and taking them into consideration when determining how it can better position itself?
- Have key performance indicators and drivers of the IT department been determined? Are they monitored from time to time and are they benchmarked against industry standards?
- How is the organization managing its relationships with third-party service providers?
- Does management have appropriate procedures to address information technology employee turnover, training and project assignment?
- How has management ensured that it has identified the required technology expertise and how is top talent attracted and retained?
- Has the board considered the creation of an IT subcommittee or assigned a board member specific responsibility for the organization's investment in, and use of, information technology?
- Who on the management team has responsibility for IT corporate governance? Is this person in a sufficiently senior management position?
- What is management doing to ensure that employees are aware of, and are in compliance with, the company's information and security policies?
- Does management have a plan to periodically conduct risk assessments covering the organization's use of information technology, including internal systems and processes, outsourced services and the use of third-party communications and other services? If it does, are the results of the assessments acted on where appropriate or required?
- How does management ensure data integrity, including relevance, completeness, accuracy and timeliness, and its appropriate use within the organization?
- What arrangements does the organization have for the regular review and audit of its systems to ensure risks are sufficiently mitigated and controls are in place to support the major processes of the business?
- Has the organization identified the various legislative and regulatory requirements for protecting personal information and developed a policy and procedures for monitoring compliance with them?
- If the organization uses e-business to buy or sell products or services, has there been a specific review of the risks and controls over the e-business activities?
- Are the organization's e-business activities appropriately protected from external attack by hackers or others, where a successful attack would result in loss of customer satisfaction or public embarrassment?
- Has the organization adopted formal availability policies? Has it implemented effective controls to provide reasonable assurance that systems and data are available in conformity with availability policies?
- Does the organization understand the impact of an interruption in service and are there plans in place to deal with potential interruptions? Has a business continuity plan been adopted? If it has been adopted, is it tested regularly and are the results used to improve the plan?
- Has management considered and addressed legal implications that pertain to the use of software, hardware, service agreements and copyright laws?
- Have policies covering licenses, agreements and copyright been formulated and disseminated to all personnel?
Note: Beyond Compliance: Building a Governance Culture is the Interim Report of the Joint Committee on Corporate Governance jointly released by the CICA, the Canadian Venture Exchange and the Toronto Stock Exchange in March 2001.