Director responsibility for IT governance

Abstract

Recent emphasis on corporate governance has raised the level of interest in and concern about directors' responsibilities. It has become much more critical for directors and others to know more precisely what their responsibilities are and how they might be discharged. This has been apparent in the area of internal controls, where directors have long held certain responsibilities, but where those responsibilities are now being redefined through such means as the Sarbanes–Oxley act [Sarbanes Oxley Act of 2002, Public Law 107–204, 107th Congress, USA] and regulatory actions related to corporate governance issues. Information technology (IT) plays a serious role in any modern business system, and therefore, IT considerations play an important part in the controls that are necessary to preserve and protect corporate assets from misappropriation, loss and misuse. However, many, if not most, directors do not have a strong understanding of the controls issues raised by IT and do not even know what questions they should ask to place themselves in a position to address their responsibilities. Recognizing this issue, in January 2002, The Information Technology Advisory Committee (ITAC) of the Canadian Institute of Chartered Accountants released a brochure called 20 Questions Directors Should Ask About IT to assist corporate directors in the discharge of their responsibilities. The document is also intended to be helpful to audit and IT steering committees. Audit committees, of course, are comprised of directors with a particular responsibility in the control area. They usually discharge these responsibilities by interviewing the external and internal auditors as well as key members of management. Again, the steering committee members need to understand what questions to ask in these interviews about IT. In addition, some of the questions will find their way back to such groups as IT steering committees, and the brochure was therefore directed to them as well. The purpose of this paper is to explore the responsibilities that are implicit or explicit in the ITAC brochure, to consider how the questions suggested therein relate to those responsibilities and finally assess the direction in which director responsibilities for IT seem to be going as a result of current events. A summary of the questions included in the ITAC brochure is included at the end of this paper for reference purposes.