
One Stone, Two Birds

DQW Bureau

Many factors are influencing enterprise governance in India, and it is
becoming imperative to implement IT governance practices. Here, we discuss
the various regulatory requirements that are driving the adoption of IT
governance and take a closer look at the Control Objectives for Information and
related Technology (COBIT) framework, which is extensively used in India as an
IT governance and IT assurance framework.

Why IT Governance?

Corporate governance in India is evolving, primarily due to regulatory
requirements, but also, to some extent, due to each enterprise's specific needs
and context. The objectives of corporate governance are fulfilled by setting up
an appropriate structure and functioning mechanisms for the board of directors
and audit committees, as laid down by the Companies Act, 1956. It is critical
for each enterprise to establish its own specific governance system based on its
own specific constraints and business culture.

Listed Companies

SEBI made a corporate governance audit mandatory for all listed companies, to
ensure that governance is maintained as per its norms, and issued an updated
Clause 49 of the listing agreement to address this requirement. Although
Clause 49 primarily focuses on corporate governance, two key sections, Clause
49 IV (C) and Clause 49 V, make it imperative for listed companies to implement
IT governance.


Clause 49 IV (C), Board Disclosures on Risk Management, requires every listed
company to lay down procedures to inform board members about its risk
assessment and minimization procedures. These procedures must be periodically
reviewed to ensure that executive management controls risk by means of a
properly defined framework. Indian companies often adopt a combination of
home-grown, in-house practices and globally recognized frameworks for risk
management. The ideal approach is to adopt a globally accepted risk management
framework such as COSO, which provides a framework for enterprise risk
management, and then integrate the local practices as relevant.

The amendments to Clause 49 V (C) and (D) clearly bring out the following:

  • The CEO/CFO is responsible for establishing and maintaining internal
    controls for financial reporting.
  • The CEO/CFO has to assert that he/she has evaluated the effectiveness of
    the company's internal control systems pertaining to financial reporting.
  • The CEO/CFO certificate must further state the manner in which
    deficiencies (if any) in the design or operation of such internal controls
    have been disclosed to the auditors and the audit committee.
  • The CEO/CFO certification must also state the steps taken or proposed to
    rectify these deficiencies in the design or operation of internal controls
    pertaining to financial reporting.

The first step is to map the enterprise's relevant business goal, from a
compliance point of view, onto the business goals provided in COBIT. For
example, one such business goal under the financial perspective for listed
companies is to improve corporate governance and establish transparency. This
business goal can be linked to two COBIT IT goals: to respond to governance
requirements in line with board direction, and to establish clarity of the
business impact of risks to IT objectives and resources. Selecting these IT
goals in turn identifies the specific COBIT IT processes (under the Plan and
Organise and Monitor and Evaluate domains) to be selected to meet the
compliance requirements:

  • PO1 Define a strategic IT plan
  • PO4 Define the IT processes, organization and relationships
  • PO9 Assess and manage IT risks
  • PO10 Manage projects
  • ME1 Monitor and evaluate IT performance
  • ME4 Provide IT governance

The final step is to select the relevant control objectives under these IT
processes and use them as a benchmark for adoption or evaluation, as required.


The Companies Act

The Companies (Auditor's Report) Order, 2003 (CARO) applies to all companies,
including foreign companies. Exempt from it are insurance companies, banking
companies, section 25 companies and private companies with paid-up capital and
reserves of not more than Rs 50 lakh that do not have outstanding loans
exceeding Rs 20 lakh from any bank or financial institution and do not have a
turnover exceeding Rs 5 crore at any point of time during the financial year.
CARO stipulates that companies must have an internal control system in the key
areas and also mandates an internal audit commensurate with the size of the
company and the nature of its business. Hence, even unlisted companies that
require statutory audits need to implement and review internal controls.

The Institute of Chartered Accountants of India (ICAI) has started a
certification course on information systems audit. Further, ICAI has entered
into a memorandum of understanding (MOU) with ISACA to provide ISACA standards,
guidelines and procedures to all its members. This will go a long way in
promoting IT governance and IT assurance in India through the chartered
accountants.

In the Government

The scope and coverage of IT audit at the Comptroller and Auditor General of
India (C&AG) encompasses various types of information systems audit, including
the process approach, specialized audits, forensic audit, the system
development life cycle approach, the value for money (VFM) approach, financial
audit and performance audit. All IT audits by C&AG staff use COBIT as the main
audit criteria. COBIT serves as the umbrella framework under which specific
technology-related and business-related controls are integrated.


The audit guidelines of the COBIT framework are adapted to the specific IT and
business environment of the audited entity. The audit objectives are mapped to
COBIT, and the relevant high-level control objectives are selected for
evaluation. C&AG has done excellent work in promoting IT governance among
government entities by using COBIT best practices as the benchmark for all the
IT audits it conducts.

Banking

The Reserve Bank of India (RBI) has been at the forefront of promoting IT
usage in India. It has issued regular guidelines on IT, IT security and
controls, and IT governance, and has been conducting IT audits as part of its
regulatory review of banks' IT systems. RBI has used COBIT as a reference
framework both for issuing guidelines to banks and for conducting IT audits.
Components such as pre-launch audit, post-implementation studies and regular IS
audit follow internationally accepted norms and approaches. The large-scale use
of IT in day-to-day banking operations has also added a new dimension to the
risks associated with these activities, which has necessitated appropriate risk
management systems.

In MNCs

MNCs use IT extensively to integrate their Indian operations with their global
operations. As part of standardized global operations, these companies mandate
the implementation of global best practices, so the adoption of IT governance
best practices is an accepted norm in these companies. Further, they are
subject not only to Indian regulatory requirements but also to the regulatory
requirements applicable to their parent companies. Consequently, IT security
and control practices based on globally accepted frameworks are enforced
throughout these companies.


IT Companies

Adoption of IT governance in IT companies is necessitated by a combination
of regulatory and management requirements. Most IT companies are at the
forefront of adopting global best practices as a business requirement, since
this acts as a differentiator in winning clients and demonstrates the
organization's services and capabilities. Further, as the majority of Indian IT
companies' revenue comes from providing software development, IT implementation
and IT consulting to companies outside India, they have to meet the relevant
regulatory requirements of their clients. These companies are also subject to
third-party assurance audits commissioned by their clients, such as SAS 70
service auditor examinations, which makes it imperative for them to adopt
global best practices. Many of the top IT companies have started offering IT
governance consulting as one of their key services.

Conclusion

IT governance as a concept in India is not as widely known as it needs to
be, but it is being adopted and implemented to an extent as a result of various
regulatory requirements and effective best practices. IT governance is being
implemented as a subset of corporate governance due to the regulatory and
assurance requirements of SEBI, C&AG, RBI and the Companies Act. However, it is
also increasingly recognized that the real benefit of IT governance comes not
just from implementing it for compliance, but from implementing it for
performance, to ensure that the organization receives real business value
from IT.

CA A Rafeq, FCA, CISA, CCSA, CGEIT, ISACA member

maildqindia@cybermedia.co.in
