IT AND DATA GOVERNANCE: RELEVANT TO IMA MEMBERS
Information technology governance isn’t just an issue for top management. All financial professionals should be familiar with it.
Generally when people hear the word “governance,” they think of the governments of nations, regions, provinces, states, cities, counties, or other civic bodies based on physical geographies and how they regulate their constituents. Within the confines of business, there are numerous and specific types of applicable governance (such as corporate governance, project and program governance, information technology (IT) governance, data governance, and others). As part of the IMA® Technology Solutions & Practices (TS&P) Committee, I wanted to step back to discuss the topic of IT governance and its applicability to accounting and finance professionals.
Why raise the matter of IT governance at all? As users of systems, technology, and data, we finance professionals are invested in the integrity of our information and its sources. Inevitably, we all have developed and provided a report that isn’t well received by our stakeholders based on the story, or implied story, behind the numbers. One of the first questions often is, “Are you sure these numbers are right?” Our first reaction is to state vehemently, “Of course, the numbers are correct.” When this situation comes up, do you ask yourself if the numbers are accurate? If so, how do you know? If not, how can you gain confidence that they are correct? (For an example of this situation, see “A Stressful Question.”) One of the factors in providing accurate reporting and analysis lies in having accurate data as an input to the reporting and analysis process. Developing confidence in the data comes from knowing and understanding that the source data was captured accurately and is effectively and accurately maintained in our organization’s systems. IT and data governance can provide the structure and rules to ensure data accuracy and availability while managing the associated risks.
In 2005, Standards Australia established AS8015-2005, an IT governance standard, as a Corporate Governance of IT Standard with a vision of two substandards: one for project management and one for service management of IT. Subsequently, in 2008, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) established ISO/IEC Standard 38500:2008, “Corporate governance of information technology,” based on the Australian standard. Prior to this, numerous frameworks were available and in use to both greater and lesser degrees. From a management perspective, the numerous different standards and frameworks—CobiT (Control Objectives for Information and Related Technology), ITIL (Information Technology Infrastructure Library), ISO 27001/27002, ISO 20000, PRINCE2 (PRojects IN Control Environments, version 2), PMBOK (Project Management Book of Knowledge), TOGAF (The Open Group Architecture Framework), IT balanced scorecards, and so on—support effective, efficient business operations that incorporate elements of accountability, performance, and risk. IT governance provides essentially the same for organizations’ technology capabilities.
ISO/IEC 38500:2008 was subsequently updated to ISO/IEC 38500:2015. According to ISO’s website, “ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations.”
In short, it provides high-level guidelines in a fashion similar to corporate governance for organizational technology employment. More detailed information, policies, procedures, guidelines, work processes, and the like are necessary to run IT operations effectively within an organization.
ENSURING YOUR DATA’S INTEGRITY
Every organization with shared data is concerned with data integrity. Data governance, a specific subelement of IT governance, parallels the capabilities of corporate governance and IT governance at the data level. This can range from something as simple as a set of rules specifying what data (e.g., system fields) is to be entered by whom, when, and from what source, to something as complex as you want (e.g., multiple levels of data entry, audit, and control structures).
According to the Data Governance Institute (DGI), data stakeholders include anyone who “has an interest in how data is created, collected, processed and manipulated, stored, made available for use, or retired.” This allows for a much broader discussion than mentioned previously. DGI provides a framework for aligning people, processes, and actions (people and organizational bodies, processes, and rules of engagement) to support an organization’s data-related matters. These matters lie at the center of our analytical and reporting products.
At first glance, it may appear that IT and data governance are relevant only to our board members and executive management, but the inherent connection between these governance structures and our professional responsibilities to provide accurate and effective analysis and reporting products to our stakeholders is self-evident. If you aren’t familiar with your organization’s IT and data governance structures, I encourage you to explore them further, understand them, and even contribute to them in the spirit of ensuring our reporting lifeblood—data—is accurate and protected.
Sidebar: A Stressful Question
Tony is running the end-of-year inventory balances by location in preparation for this weekend’s physical inventory count. He and his team plan to work with the materials management team and their auditors to confirm the inventory count and value at each location. As he’s finishing up, the phone rings. He picks it up to receive a less-than-warm greeting from the auditors indicating that they won’t participate in the physical inventory because they understand the data in the inventory reports is inaccurate.
Tony takes a deep breath. Then he pleasantly responds by explaining that he’s confident the inventory count and value information on the reports are correct. Eight months ago, he would have panicked. At that time, he discovered that the data and system access (IT) governance structures that dictated who could update inventory data and when (e.g., location quantity changes, per-unit piece prices, bill of material component changes) were lacking or nonexistent. Inventory clerks were regularly making changes without any oversight or sign-off. Anyone in accounting was able to change the material master pricing fields. These and other issues prompted a full review of the governance and related policies, procedures, and system security settings. These shortcomings were cleaned up, and data was scrubbed to accurately reflect inventory counts and costs by inventory location across the organization. It had been a long haul working with a cross-functional team, including the Accounting, Purchasing, Receiving, and Shipping departments as well as the inventory manager, to ensure the current snapshot was accurate. More important, they established controls to ensure that the data entered at the docks (receiving and shipping) as well as internal physical inventory moves and adjustments (in other words, inventory processes) had clear ownership and accountability within the organization.
Tony was confident his reports were accurate because the data in the enterprise resource planning (ERP) system was sound. With the overview provided, the auditors agreed on a time to meet the next day and hung up. As he was taking one last look at the reports, Tony noticed an alignment error, turned to his computer, and reformatted the report. As he groaned a bit, he thought to himself, “Well, at least it’s just a formatting issue this time.”