One Stone, Two Birds

DQW Bureau


Many factors are influencing enterprise governance in India, and it is
becoming imperative to implement IT governance practices. Here, we talk about
the various regulatory requirements that are impacting the adoption of IT
governance and take a closer look at the Control Objectives for Information and
related Technology (COBIT) framework, which is extensively used in India as an
IT governance and IT assurance framework.

Why IT Governance?

Corporate governance in India is evolving, primarily due to regulatory
requirements, but also, to some extent, due to each enterprise's specific needs
and context. The objectives of corporate governance are fulfilled by setting up
an appropriate structure and functioning mechanisms for the board of directors
and audit committees, as laid down by the Companies Act, 1956. It is critical
for each enterprise to establish its own specific governance system based on its
own specific constraints and business culture.

Listed Companies

SEBI introduced a mandatory audit to ensure that corporate governance is
maintained as per its norms by all listed companies, and came up with an updated
Clause 49 to address this requirement. Although Clause 49 primarily focuses on
corporate governance, there are two key sections, Clause 49 IV (C) and Clause
49 V, that make it imperative for listed companies to implement IT

Clause 49 IV (C) Board Disclosures on Risk Management requires every listed
company to lay down procedures to inform board members about the risk assessment
and minimization procedures. These procedures must be periodically reviewed to
ensure that executive management controls risk through means of a properly
defined framework. Indian companies often adopt a combination of home-grown,
in-house practices and globally recognized frameworks for risk management. The
ideal approach would be to adopt a globally accepted risk management framework
such as COSO, which provides a framework for enterprise risk management, and
then integrate the local practices as relevant.

The amendments effected in Clause 49 V (C) and (D) clearly bring out:

  • The responsibility entrusted to the CEO/CFO is in relation to establishing
    and maintaining internal controls for financial reporting.
  • The CEO/CFO has to assert that he/she has evaluated the effectiveness of
    the internal control systems of the company pertaining to financial
    reporting.
  • The CEO/CFO certificate will further state the manner in which
    deficiencies (if any) in the design or operation of such internal controls
    have been disclosed to the auditors and the audit committee.
  • The CEO/CFO certification will also state the steps they have taken or
    proposed to take to rectify these deficiencies in the design or operation of
    such internal control pertaining to financial reporting.

The first step is to map the relevant business goal of an enterprise from the
point of compliance with the business goals provided in COBIT. For example, one
such business goal under the financial perspective category of such listed
companies is to improve corporate governance and establish transparency. This
business goal can be linked with two IT goals: to respond to governance
requirements in line with board direction, and to establish clarity of the
business impact of risks to IT objectives and resources. The selection of these
IT goals provides the specific IT processes of COBIT (under the Plan and
Organize and Monitor and Evaluate domains) to be selected to meet compliance:

  • PO1 Define a strategic IT plan
  • PO4 Define the IT processes, organization and relationships
  • PO9 Assess and manage IT risks
  • PO10 Manage projects
  • ME1 Monitor and evaluate IT performance
  • ME4 Provide IT governance

The final step would be to select the relevant control objectives under these
IT processes and use them as a benchmark for adoption or evaluation, as
required.


The Companies Act

The statement on the Companies (Auditor's Report) Order, 2003 (CARO) applies
to all companies, including foreign enterprises. Companies that are exempt from
this are insurance companies, banking companies, section 25 companies and
private companies with paid-up capital and reserves of not more than Rs 50 lakh
that do not have outstanding loans exceeding Rs 20 lakh from any bank or
financial institution, and that do not have a turnover exceeding Rs 5 crore at
any point of time during the financial year. CARO stipulates the need for
companies to have an internal control system in the key areas and also mandates
that the companies have internal audits commensurate with the size of the
company and nature of the business. Hence, even unlisted companies that require
statutory audits would need an implementation and review of internal controls.

The Institute of Chartered Accountants of India (ICAI) has started a
certification course on information systems audit. Further, ICAI has entered
into a memorandum of understanding (MOU) with ISACA to provide ISACA standards,
guidelines and procedures to all its members. This will go a long way in
promoting IT governance and IT assurance in India through the chartered

In the Government

The scope and coverage of IT audit in C&AG encompasses various types of
information systems audit, process approach, specialized audits, forensic audit,
system development life cycle approach, value for money (VFM) approach,
financial audit and performance audit. All of the IT audits by C&AG staff are
based on COBIT as the main audit criteria. COBIT is used as the umbrella
framework under which specific technology and business related controls are

The audit guidelines of the COBIT framework are suitably adapted to the
specific IT and business environment of the enterprise. The audit objectives are
mapped to COBIT, and the relevant high level control objectives are selected for
evaluation. C&AG has done excellent work in promoting IT governance among all
the government entities by using COBIT best practices as a benchmark for all the
IT audits it conducts.


The Reserve Bank of India (RBI) has been at the forefront of promoting IT
usage in India. It has issued regular guidelines on IT, IT security and
controls, and IT governance, and has been conducting IT audit as part of the
regulatory review of banks' IT systems. RBI has used COBIT as a reference
framework for issuing guidelines to banks and also for conducting IT audits.
Various components such as pre-launch audit, post-implementation studies and
regular IS audit follow internationally accepted norms and approaches. The large
scale use of IT in day-to-day operations has also added a new dimension to the
risks associated with these activities, which has necessitated appropriate risk
management systems.


MNCs use IT extensively for integrating their Indian operations with the global
operations. As part of the standardized global operations, these companies
mandate the implementation of global best practices. Hence, the adoption of IT
governance best practices is an accepted norm in these companies. Further, these
companies are subject not only to Indian regulatory requirements, but also to
regulatory requirements of their parent companies. Consequently, implementing IT
security and control practices based on globally accepted frameworks is

IT Companies

Adoption of IT governance in IT companies is necessitated by a combination
of regulatory and management requirements. Most of the IT companies are at the
forefront of adopting global best practices as a business requirement, as this
acts as a differentiator in procuring clients and demonstrates the
organization's services and capabilities. Further, as the majority of Indian IT
companies' revenue comes from providing software development, IT implementation
and IT consulting to companies outside India, they have to meet the relevant
regulatory requirements of their clients. These companies are also subject to
regulatory audits, such as a SAS 70 audit, which makes it imperative for them to
adopt global best practices. Many of the top IT companies have started IT
governance consulting services as one of their key offerings.


IT governance as a concept in India is not as widely known as it needs to
be, but it is being adopted and implemented to an extent as a result of various
regulatory requirements and effective best practices. IT governance is being
implemented as a subset of corporate governance due to the regulatory and
assurance requirements of SEBI, C&AG, RBI and the Companies Act. However, it is
also increasingly being recognized that the real benefit of IT governance is not
just implementing it from a compliance perspective, but from a performance
perspective also, to ensure that the organization receives real business value
from IT.