The Ramifications of IT Oversight
Posted: February 21, 2013
I recently saw the results of a PwC survey on where IT oversight resides at the board of directors' level. In more than 50% of the companies it sat with the audit committee, while 25% had it with the entire board and 8% had no oversight at the board level at all. It is hard to imagine a business that does not use IT today. We may laugh at the commercials, but even the neighborhood kids' lemonade stand is often publicized on Facebook (even if it is on Mom's page). So, putting aside the 8% who live in the dark ages (and the remaining 17% who, presumably, did not even know what IT stood for?), I wondered about the implications of IT oversight sitting with the audit committee in two-thirds of the companies that had board-level oversight at all.
Using the audit committee seems to be a natural outgrowth of the way IT has been handled historically. The CFO was often the officer IT reported to before CIOs started proliferating. In addition, boards often first deal with IT when something goes wrong, either an access breach or a system failure that then affects the financial results. Either way, the knee-jerk reaction is that IT is a "control problem," and control problems are what audit committees are supposed to handle. And of course, as is their nature, audit committees will treat IT as a control and compliance issue. Do our general IT controls work well enough to pass muster in the audit of our controls? Do we have the right protocols in place to comply with the HIPAA rules on access? Are we doing enough to prevent breaches of our systems and the unauthorized release of sensitive customer information, so that the next hacking attack does not cause reputational damage?
These are all very important issues, but the problem is that in today's world, where business models can be disrupted by the next drunk college student writing code in his or her dorm room at two in the morning, IT cannot be viewed solely or even predominantly as a "control issue" (or is that "an issue to be controlled"?). The use of IT is, or should be, a critical strategic issue for every company, and critical strategic issues should be the domain of the entire board of directors.
Am I saying that the entire board should be dealing with the minute details of IT? Of course not. That is what management is supposed to do. But the entire board should be very interested in the organization's IT strategy, plans, risks and opportunities. The problem with sending IT oversight to the audit committee is that the risks will get a lot of attention while the other three areas will get less than they deserve or need. The solution for the twenty-first-century company is to rethink who has responsibility for IT oversight at the board level. Maybe this is a case where the majority has it wrong.