IT governance risk management defines not-for-profit strategic alignment, value delivery, resource management, and performance measurement processes through responses to IT risk assessments. Within this context, as with for-profit entities, the IT risk assessment methodology will vary depending on the adopted risk management framework. Nevertheless, IT risk assessment techniques focus on mechanisms for identifying events that may impact objectives, potential consequences of considered events and corresponding likelihood of contemplated occurrences. Regarding not-for-profit IT service delivery, the outcome of an IT governance risk assessment is a prioritized list of possible events that can form the basis for further actions, if warranted, to ensure appropriate controls are deployed.
Governing an entity requires that management accurately conceptualize information criticality and communication paths. Consistent with the Australian/New Zealand Standard on Risk Management (AS/NZS ISO 31000:2009), risk management is an iterative process consisting of steps which, when taken in sequence, enable continual improvement in decision-making. It is also the logical and systematic method of identifying, analyzing, evaluating, treating, monitoring and conveying risks associated with any system, process, activity, or task in a way that enables an entity to minimize losses and maximize opportunities. Consequently, management of risk represents the means by which an entity elects to administer cataloged possibilities. Risks may be addressed through one of several alternative responses: reducing, avoiding, transferring, or accepting potential threats. For not-for-profit entities, these risks typically encompass objective achievement, organizational credibility, equitable provision of services, and appropriate behavior of officials.
Regarding supplemental value delivery design and development assistance, Davis’ ‘Governance Tree’ offers a conceptual frame of reference for defining IT governance practices from an information and communication perspective, thereby enabling comprehensive process integration for value realization. Through the Governance Tree, details demonstrating governance sub-domain influences can be documented using specific processes and applicable controls. In addition, governance development discussions can convey the evolutionary baselines necessary for measuring managerial progress. Once the abstraction elements are understood, management’s role in providing the strategic alignment that affects not-for-profit service delivery can be defined and enabled to address control objective deployment under IT governance mandates. Lastly, the Governance Tree can provide a comparative assessment of best practices for monitoring and evaluating IT governance strategic alignment.
Through misinterpretation of framework applicability, there is a widespread belief that effective IT governance can only be deployed within for-profit entities. Furthermore, when discussing not-for-profit institutions, IT governance is often used interchangeably with terms of narrower meaning, such as e-government, Information and Communication Technology (ICT), systems governance, and even digitized enterprise, that generally do not meet the need for a holistic managerial approach. Nonetheless, several governance frameworks and internationally recognized standards, such as Control Objectives for Information and related Technology (COBIT), the IT Infrastructure Library (ITIL), Val IT and ISO 20000, provide methodologies for assisting in the implementation of IT Service Management (ITSM), an IT governance sub-layer enabling effective processes, that can create a value delivery system for most not-for-profit entities.
Commonly, results-oriented IT services of significant value can be achieved when IT initiatives are successfully aligned with organizational strategies. However, IT alignment in not-for-profit entities is problematic because, unlike financially driven for-profit entities, they operate in more complex sociopolitical contexts, with different mandates and non-financial goals. For example, although no two countries are alike, the underlying IT objectives for governments and their agencies are commonly summarized as value realization, service delivery, efficiency and political return. Yet value realization and service delivery that sustain IT strategic alignment with a government’s mission remain elusive, especially where “‘IT’ is understood to encompass the infrastructure as well as the capabilities and organisation that establish and support it.”
Whether an organizational formation exists for-profit or not-for-profit, exercising effective governance throughout the entity requires that the top-level oversight committee and senior executives have a clear understanding of what to expect from an IT governance program. As defined by ISACA, IT governance is a sub-domain of enterprise governance. On this premise, if properly designed and deployed, IT governance should provide a generally accepted means of ensuring that information and communication requirements are strategically aligned with the not-for-profit’s designated mission, that investments are value driven, and that risks are managed judiciously. Thus, the effectiveness of not-for-profit information dissemination is measurable by the degree to which strategic synchronization fulfills the entity’s mission.
Arguably, IT systems, processes, activities, and tasks represent the key support structure for effective and efficient information and communication configurations. Almost every organizational formation aspires to utilize technology for integrating information, achieving process efficiencies, and transforming service delivery into a paragon of effectiveness. However, organizational formations such as professional groups, educational institutions, and government agencies have come to realize that emphasizing technologies and entity-centric solutions will not produce the desired results, and that a fused, holistic approach is required. In this context, designing and deploying a linked enterprise governance framework is the most appropriate response for achieving not-for-profit service delivery objectives.
Follow-up activities are essential to enabling continuous improvement in IT governance. IT audit must ensure follow-up activities are completed in a timely manner to reduce the cited risks to the entity’s operations. Nevertheless, management must take full responsibility for ensuring entity personnel pursue commitments to perform agreed corrective actions for gaps and/or weaknesses in the control system. Where corrective actions are not undertaken or completed within the expected timeframe, management should document the reason(s) for rescinding the obligation or why there was a delay in deployment.
A report on the status of follow-up activities, including agreed-upon recommendations not implemented, should be presented to the audit committee, if one has been established, or otherwise to the most appropriate management level of the entity. Before the IT audit follow-up report is prepared, where management provides information on actions taken to implement recommendations and the IT auditor has doubts about that information, appropriate testing or other procedures should be undertaken to ascertain the true position or status prior to concluding follow-up activities.
Control follow-up activities are those pursued when an exception condition is identified and reported as presenting a risk to the entity. As part of the follow-up activities, the IT auditor normally evaluates whether findings whose recommendations have not been implemented are still relevant. Furthermore, inconsistencies and departures from applicable accounting principles discovered during IT audit follow-up procedures are typically reviewed with a qualified financial auditor.