IT governance and internal control continue to evolve

IT governance remains a complex but critical element for gaining the maximum value from IT. We see developments in the area of IT on a daily basis. How different our lives are nowadays from 10 years ago, when we were introduced to Facebook and Gmail. Today, we use our BYOD tablet to download our documents from the cloud. The next generation will not need to be a technician or programmer to transform data into useful information. Information is ‘at hand’ and can (almost regardless of the amount of data) be analyzed on the basis of personalized, custom views. This change in paradigm is also happening in the workplace, where end-users play a key role in gaining maximum value from IT. New in-memory processing tools and reporting apps provide the business with new possibilities to process data based on these personalized, custom views.

New technological developments have implications for the structure of the IT organization. IT is no longer just the exclusive domain of the IT department. The current traditional demand-supply model seems to have come to the end of its lifecycle. Not only the IT organization, but also the board of directors and the supervisory board are searching for answers to questions about such changes in the area of IT. Not only do they have to adapt current strategies and operating models, but they are also being confronted by new IT risks.

The internal control of IT risks is an important part of IT governance. Within organizations, emerging IT and IT risks and the reduction of the cost-of-control (amongst others) drive the need for a higher level of assurance with regard to the internal control of IT risks. Data analysis and soft controls are often mentioned as new technologies to help organizations gain more assurance. Although these techniques are not new, there are still plenty of ongoing developments to further integrate these techniques into audits and process improvement projects. The new insights obtained by means of these techniques are helping organizations to improve, but unidentified IT risks will, of course, always pop up. Issues that appear to be insignificant can be assessed more accurately using data analysis and/or soft controls.

On the one hand, we see daily developments in the area of IT and, on the other, we have the need for more assurance regarding internal control. It is an obvious step to connect these IT developments to the area of internal control. When using GRC tooling, information is at hand and can be analyzed by the user by means of personal dashboards. This shift from the audit and risk specialists to the end-users is now in progress, allowing end-users to gain insight into the relevant IT risks. A great future lies ahead, but we are not there yet. Where will we be next year? Who can tell? Let’s continue to closely follow the fantastic, daily developments in the area of IT!

Sander Kuilman