Sarbanes-Oxley Takes IT Front and Center
Information Technology Oversight: The Board's Newest Challenge

By Deborah E. Wallace

Information technology is no longer a back-office function whose strategic potential many companies marginalized, and indeed often failed to recognize. For decades it was an underutilized overhead expense, but as requirements for compliance and governance reform keep the pressure on, information technology is assuming a central role in the planning and execution of long-term strategy. The trend to elevate information technology continues to gain momentum as issues beyond compliance gain momentum as well.

While many might assume that Sarbanes-Oxley (SOX) was the driving force that elevated the role of IT to the board level, that legislation is only one reason that IT has become part of the lexicon of strategic planning. As designed, SOX was intended to provide guidelines for improving the accuracy of financial reporting using data supplied by IT. Although 53.4% (1) reported that they use IT mainly to support financial and operational control, it is rapidly becoming more than a mechanism for demonstrating compliance. For some companies, IT has become a vehicle for gathering competitive intelligence, for measuring employee productivity and even for assessing international growth opportunities. As IT becomes more of a presence in boardrooms, directors are obliged to add it to their oversight responsibilities.

As the business case for elevating and monitoring the IT function continues to build, (2) the need for effective oversight and for mechanisms by which to organize and operate the function is increasingly apparent. One such organizing mechanism is the IT Governance Committee. Usually led by a person with considerable IT expertise, its main purpose is to oversee and monitor the development and execution of IT strategy. An equally important role for an IT Governance Committee is facilitating communication between the CIO and the board, ensuring that the CIO has timely and ready access as appropriate. In their 2005 article Information Technology and the Board of Directors, Nolan and McFarlan also recommend that an Audit Committee member sit on the IT Committee because IT issues and economic and regulatory matters, such as SOX compliance, can be so intertwined. (3)

While there is considerable debate about the efficacy of a separate IT Governance model, there is little disagreement that IT needs to be aligned with the company’s strategy and business model, and that it needs specific principles and guidelines in order to be most effective. The point to underscore here is that because IT has come to be recognized in the corporate environment as a strategic asset, boards must be willing to accept responsibility for its oversight and ultimately its value to the company. And a significant number of boards seem to be rising to the challenge. In a 2006 study conducted by Corporate Board Member Magazine and Deloitte Consulting, 66% of participating boards said that IT strategy should be a board-level issue in contrast to 28% who said that it is not. (4)

Acknowledging that IT should be a board-level issue is a necessary first step for boards in accepting oversight responsibilities. But intentionally and actively integrating IT with their annual agenda is the first step in demonstrating commitment.

In its 2007 Board and Information Technology Strategies Report, Corporate Board Member offers a set of questions for directors as they prepare to integrate IT with their business strategies. We also think they will be useful for directors in defining and clarifying their newest set of oversight responsibilities.

Beginning the Journey: Eight IT Questions For Directors and CEOs To Ask Themselves (5)

  • Can I describe my company’s technology strategy simply and succinctly?
  • When was the last time our board discussed technology?
  • How much time does our board allocate for technology discussions in a typical year?
  • How much interaction have I had with the CIO or other senior IT managers?
  • How many of our board members are technology “literate”?
  • To what extent have we acknowledged technology oversight as a formal part of our board responsibility?
  • Does our board have sufficient IT information regarding strategy, spending, and implementation to make well-informed decisions?
  • Has our board considered ongoing IT training

(1) The Board and Information Technology Strategies: The complete results of the Corporate Board Member Magazine / Deloitte Consulting LLP Research Study June 2006

(2) Attention to IT strategy at the board level, and to measuring and monitoring the value of IT, correlates to improved business performance. 2007 Board and Information Technology Strategies Report: MAXIMIZING PERFORMANCE THROUGH IT STRATEGY. Corporate Board Member/Deloitte Touche Tohmatsu Survey on Information Technology in the Boardroom

(3) In their article, Information Technology and the Board of Directors, Harvard Business Review, October 2005, Richard Nolan and F. Warren McFarlan recommend that “the relationship of the IT governance committee to the audit committee be very close, because IT issues can affect economic and regulatory matters such as Sarbanes-Oxley compliance.” They also recommend having an audit committee member sit on the IT Committee. Further, they advise that “the charter of the IT committee should explicitly describe its relationship to the audit group, as well as its organization, purpose, oversight responsibilities, and meeting schedule”

(4) The Board and Information Technology Strategies: The complete results of the Corporate Board Member Magazine / Deloitte Consulting LLP Research Study June 2006

(5) 2007 Board and Information Technology Strategies Report: MAXIMIZING PERFORMANCE THROUGH IT STRATEGY. Eight Big Ideas from the Corporate Board Member/Deloitte Touche Tohmatsu Survey on Information Technology in the Boardroom

© 2007, BrinkPoint Consulting. All rights reserved.