Published on Compliance Home.com at http://www.compliancehome.com/news/SOX/12216.html
5 February 2008
Only 12 percent of businesses take technology seriously enough to operate full board-level oversight of their IT resources, according to new research from IT Governance Limited. Despite increasing compliance pressures under Sarbanes-Oxley, the UK Combined Code,
HIPAA and other regulatory regimes, boards still appear to be lagging badly in implementing appropriate IT governance measures. IT governance frameworks, such as ITIL, CoBIT and ISO27001, also appear to be used in less than 50 percent of organisations.
IT Governance Limited is the one-stop-shop for books, tools, training and consultancy on Governance, Risk and Compliance. Last month, it polled opinions of almost 100 technology and compliance professionals on a range of IT governance issues.
Despite the critical importance of technology to most organisations, only 12 percent said that IT governance was important in their organisations and that board-level IT oversight committees existed. While a further 16.5 percent reported that progress was being made towards achieving this, more than 50 percent indicated that this was far from the case.
Respondents were similarly sceptical about the grasp that board members have of technology's importance. Less than 7 percent said that board members understood the risks posed to business operations by information and IT systems. In contrast, 49 percent said this was not the case, with over 22 percent stating this emphatically.
Over 57 percent said that directors and officers failed to understand the age and health of the current IT portfolio and the business implications of deferring maintenance. Meanwhile, less than 37 percent said that IT governance frameworks were integrated with their company's enterprise risk management regime, with less than 7 percent saying that this was achieved fully.
Asked if their companies used standard IT governance frameworks, such as ITIL, CoBIT, ISO17799 or PMBOK, 9 percent said yes, and 19 percent said that good progress was being made towards this. However, over 21 percent said such frameworks were used only occasionally, and fully 30 percent indicated that they were not used at all.
Commenting on the findings, Alan Calder, chief executive of IT Governance, said: "These findings are a startling insight into the excessively relaxed attitudes that many boards have towards their governance obligations. It seems that almost every day we read a new story about lost customer data or expensively failed IT investments. However, it would seem that many board directors simply tune this out mentally and think it is a problem for somebody else. This could not be further from the truth, as the costly fines meted out by regulators to an increasing number of businesses demonstrate. We need to see more boards recognising that there is no dividing line between IT and the rest of the business, and that they consequently need to exercise the same governance as they would over finance or marketing."