Why is it important?

With the increasing prevalence of technology and, importantly, the digitisation of business operations, the requirement for a strong link between information technology and business strategy has never been more important. And yet, many organisations still struggle to combine the two effectively. IT should be seen as a catalyst for business enablement contributing to a competitive edge and innovative customer offerings. Often there are organisational and cultural barriers hindering the effective engagement between IT and business functions, driven in part by a traditional (and frankly outdated) mindset that sees IT purely as a back office support function with limited added value to the customer.
 

What’s new?

CIOs and IT departments were at the forefront of COVID-19 crisis response activities supporting the continuity of operations and customer service, via infrastructure upscaling or the provision of new digital services. Robust IT governance arrangements that included efficient resource and vendor management, contingency plans, robust policies and operating procedures, proved to be the defining aspects of an effective, agile response during the crisis.
 

What should Internal Audit be doing?

Internal Audit have a continued role to play in challenging the strategic direction of IT as well its alignment with business objectives, and this role has been elevated by recent global events. Functions need to have a strong understanding of both the IT and business strategy as well a perspective on the complexities of the existing IT environment, in order to be well placed to assess risks and challenges in this area. Areas of focus should include:

IT Strategy Refresh Processes

• A review of current plans for refresh of the IT strategy should be timely, particularly in view of the economic outlook, changes to the broader market and operating environment. Of particular focus should be how clearly the IT strategy links to the business strategy, and the governance structures to ensure it is properly discussed, agreed and approved. Innovation and transformative ways to disrupt traditional IT operating models, such as migrating to the cloud, and adoption of DevOps operating models may be considered during strategic refresh to demonstrate diversity of thought and genuine challenge to the status quo. 

Digital Strategy and Architecture Enablement

•  Digital tools and a move to “digitalisation” is gaining sufficient traction in the sector. Many enterprises are considering their “digital strategy” and the architecture which enables the business to realise its digital goals. Internal Audit can play a role in highlighting the robustness of the approach and the strength of capability around digital strategy delivery. The suitability of the strategy itself as well as the maturity of the associated control framework and governance practices also form important areas for Internal Audit to provide a viewpoint on. 
• The current market, economic, and social conditions indicate “this is the time for transformational, not incremental, change” – something that in many cases puts pressure on CIOs to move quickly and lead digital transformation initiatives. There is a risk here that these programmes may be reactive to the market without having considered the integration with the existing, legacy technology estate. Getting the basics right, such as remediating existing technology weaknesses, before embarking into such initiatives would be key for success preventing unnecessary complexity that would raise the risk exposure of the organisation.

Shadow IT

• “Shadow IT” indicates IT systems deployed and supported by departments outside central IT and by definition not aligned to the central IT strategy and direction. A review of such areas in combination with broader governance practices, can provide useful insight into the strategic provision of IT within the business and its true alignment to business strategy. Business departments operating their own IT platform indicate of areas of the business which may not being fully served by the existing IT department and strategy. A high propensity for shadow IT can also be indicative of a poor culture, or engagement between IT and business.