
Lecture 14

▪ Course Name:
▪ Information Systems Audit

▪ Prerequisites:
▪ Information Systems

▪ Course Code:
▪ ITEC305

▪ Credit Hours:
▪ 3-0

Overview of the IT Steering Committee
▪ The committee is managed by an executive chairperson.
▪ The CEO is expected to provide directional guidance in person or
via a representative, such as the COO, to identify targeted
sources of revenue.
▪ Each member of the committee is expected to participate in focus
discussions concerning business issues.
▪ On occasion, the committee may invite trusted observers or
presenters to the meeting to increase awareness of a particular
area.
▪ After the business objectives are identified, the next step is to
determine the business objectives for IT to fulfill.
▪ The steering committee sticks to high-level objectives rather than
dictating technical detail.
Let’s look at the representation necessary on the steering
committee:
Marketing
▪ Marketing should be represented on the steering committee.
▪ The purpose of all marketing is to attract buyers for the
organization’s product or service.
▪ Even if the organization builds the world’s finest product, it will not
matter unless a steady stream of buyers make a purchase.

Manufacturing/Software Development
▪ The input from manufacturing or software development is required
to align production efforts to sales efforts.
Sales
▪ The sales function is to convert interested prospects from
marketing campaigns into closed sales.
▪ Sales executives are interested in using technology to facilitate
more sales.
▪ The cooperation of manufacturing and technology is necessary to
assist the sales effort.

Finance
▪ Financial guidance and budgeting skills are essential to optimize
the organization’s investment.
▪ Obtaining funding approval for projects would be difficult without
the cooperation of the finance comptroller.
Legal
▪ The executive from the legal department should ensure
compliance with the law.
▪ Qualified legal counsel advises management in areas of
uncertainty.
▪ Expert legal counsel should help protect the company from
excessive liability or undue risk as a result of a control failure.
Quality Control
▪ The quality process provides consistency in operations,
manufacturing, and risk mitigation.
▪ A well-run quality process is a major contributor to the
organization’s survival.
▪ Failures in quality control can damage market image or lead to
liability problems.
Research and Development (R&D)
▪ The Research and Development staff is constantly working on
creating new products and improving existing products.
▪ The R&D effort is focused on developing products that will
generate revenue six months to two years in the future.
Project and Program Management
▪ The head of the Project Management Office, if one exists, should
be on the committee to advise members on current and proposed
projects.
▪ Ideas presented by customers may require changes, causing the
need for new projects to modify existing programs.
▪ Change is required to be successful in business. Remember that
projects are temporary, while programs are ongoing for multiple
years or even long-lasting.

Business Continuity
▪ The head of business continuity planning should always be in
attendance.
▪ This person may possess the title of continuity manager or
program manager and have the authority of a vice president or
major director.
▪ This person’s job is to assess impact or help exploit opportunities
presented in support of the organizational strategy.
▪ It’s important not to sacrifice continuity in favor of shortsighted
decisions.

Information Technology
▪ The chief information officer (CIO) or vice president of IT listens to
business ideas and objectives raised by committee members.
▪ This person acts as a liaison to facilitate the involvement of IT.
▪ The IT member may delegate planning and research activities to
members of the IT organization.
Human Resources
▪ The management of personnel grows more complex each week.
▪ Compliance with labor standards is mandatory. International
organizations require special assistance that is beyond the
expertise of most non-HR executives.
▪ Noncompliance can carry stiff penalties.
Labor Management
▪ An executive representative from any labor organization may
need to be involved in decisions concerning labor.
▪ This can be a touchy subject depending on the organization.
Administration
▪ Office administration functions include bookkeeping, record
keeping, and the processing of paperwork.
▪ Every executive would be handicapped without an administrative
assistant.

▪ The steering committee reviews ideas and opportunities to make
recommendations.
▪ Those recommendations go to the board of directors for review.
▪ If the idea receives preliminary approval, resources are allocated
for project planning.
▪ The steering committee executives perform a final review
comparing the total cost and benefit to determine whether the
project is a “go” or “no-go.”
▪ If a go decision is reached, the organization specifies details,
charters the project, allocates funds, commits resources, and
moves the plan into execution.

▪ If the project is scheduled to be a repeating event, the project is
assigned to program status.
▪ Otherwise, it is managed as a project with fixed time duration, and
the assigned project team members will separate after project
completion.
▪ Figure 3.4 is a flowchart of the IT steering process.

▪ In strategic planning, plans generally run in a time frame of three
to five years.
▪ A tactical plan is going to be carried out over six months to a year
and it may go into two years.
▪ Daily plans are no more than steps in the tactical plan.
▪ When an organization projects three to five years, it is really
developing a strategy.

▪ Table 3.1 compares strategic plans, long-term plans, and
operational plans.

Using the Balanced Scorecard
▪ To set forth a strategic goal without proper planning and
meaningful definitions would be both negligent and thoughtless.
▪ One of the most powerful executive planning tools available is the
balanced scorecard (BSC).
▪ The BSC is a strategic methodology designed for senior
executives.
▪ It turns out that the most successful executives are using the BSC
to define internal cause-effect relationships of smaller plans that
run their business, not just to report metrics as originally
conceived.

▪ The scorecard approach converts organizational objectives of
customer perception, business processes, employee growth and
learning, and financial goals into a series of defined actions.
▪ We typically call these actions either projects or programs but the
BSC doesn’t care.
▪ The BSC refers to projects and programs as initiatives (what you
are doing).
▪ Plenty of people claimed knowledge of the BSC, yet consistently
failed to demonstrate how the inner details actually worked.
▪ When properly implemented, the scorecard concept enforces
better alignment by defining details of strategic business
objectives.
▪ Overused terms such as world class and customer driven are
broken down into low-level definitions that the staff can actually
implement.
▪ Using the scorecard should eliminate activities of little or no
strategic value.
▪ The scorecard methodology is common outside the IT
environment.
▪ Information technology can benefit from using the balanced
scorecard if it is implemented by the CEO or CFO.
▪ To be effective, the scorecard must be driven from the top down.

▪ A smaller number of organizations are successful at using the
balanced scorecard approach, while many fail.
▪ Upon investigation, several of the failing executives referred to
BSC as old news.
▪ It did not take long to discover that these executives had a lack of
BSC training, misunderstood the objective, and possessed little
BSC experience.

The advantages and disadvantages of using the scorecard
methodology are as follows:
Scorecard advantages
▪ It promotes a focus on the specific if-then linkage between
different objectives and their budgets.
▪ The goal is direct support of organizational objectives.
▪ If you change funding or strategy on a linked initiative (project or
program), the effect can be seen moving through the scorecard.
▪ We are actually using the BSC to create well-defined articulated
strategies.
▪ All the initiatives (projects or programs) are linked into a complete
process flow that ignores departments and traditional boundaries.
▪ Never again will strategy be determined in one meeting and
budget determined somewhere else.
▪ When fully implemented, none of the departments will have their
own budget to spend.
▪ The result is project-based, program-based staffing.
▪ It does not matter whether the department function is internal or
external.

▪ Each department pledges its level of support to a defined strategy
initiative.
▪ The corresponding budget money is issued to the department,
provided it is meeting its delivery goals.
▪ No support of the linked project means no money, no people, and
no job.
▪ This blocks waste and personal agendas.
▪ Each employee works from a personal scorecard created by
cascading the BSC down into specific execution tasks.
▪ The combined effect of the personal scorecards will achieve their
department’s objective.
▪ Achievement of the departmental objectives will help fulfill the
organizational objectives.
Scorecard disadvantages
▪ The scorecard requires a careful selection of initiatives by the
CEO or CFO.
▪ It is reported in executive trade journals that metrics derived from
a committee will consistently fail.
▪ Interestingly, observations indicate that executives unwilling to
adapt to the scorecard methodology may lack a genuine interest
in being a team player or may possess more interest in building
their own empire within the organization.
▪ Politics can kill the BSC unless the sponsor eliminates the people
creating political conflict.
▪ The balanced scorecard can contain whatever you need to define.
▪ It is flexible in having three, four, or five perspectives depending
on what your executives decide is needed.

FIGURE 3.5: Balanced scorecard with four perspectives

▪ There are several secrets involved in making the scorecard
generate true results.
▪ Using a BSC will most likely take beginners at least 20–30 failed
attempts, which end in frustration, before it begins to show a
glimmer of success.
▪ Keep trying; the benefits will far outweigh the effort.
▪ Each failed attempt is simply an indicator of an existing
relationship problem or definition problem.
▪ Problems need to be fixed one by one before you can build an
effective linkage.
▪ Often this includes retreating a few steps to adapt for changes as
they are discovered.
▪ That’s part of the magic in using BSC.
▪ The strategy becomes more defined with each pass, forcing each
problem to be fixed before it can effectively function inside the
overall strategy plan.
▪ Every planning exercise brings more clarity as you roll the
linkages forward and backward to fine-tune the details.
▪ It’s like using algebra to solve a problem and then using calculus
to prove you actually did solve the problem by returning to zero.
▪ Now the strategy works forward and backward, with excellent
definitions exploding all the details into specific action items.
▪ Initiatives (projects or programs) are now selected, scoped, and
funded based on which ones generate the highest return on
investment (ROI).
▪ What if your project or program doesn’t generate revenue?
▪ Simply put, it would be linked with a function that is generating
revenue and used to calculate the combined operating costs.
▪ For example, security costs in a bank are coupled with the profits
the bank generates.
▪ The final ROI estimate is used to decide whether that area of the
business is expanded or shut down.
▪ What if you make more money from brokering mortgages? You
may switch from being a full-service bank to focusing on
mortgages.
▪ The final goal is to find the highest-earning ROI and quit wasting
resources on marginal or losing activities.
▪ The balanced scorecard fundamentally changes how employees
prioritize and report their work.

IT Subset of the BSC

▪ The IT balanced scorecard should be a subset of the
organization’s overall balanced scorecard.
▪ When properly implemented, the scorecard methodology supports
the highest-level business objectives.
▪ As a CISA, you need to understand how the balanced scorecard
can be applied specifically to information technology.
▪ ISACA describes the scorecard by using three layers that
incorporate the more common four perspectives (customer,
business process, financial, and growth and learning).

The three layers for IT scoring according to ISACA are as follows:
Mission
▪ Develop opportunities for future needs.
▪ Become the preferred supplier of IT systems to the organization.
▪ Obtain funding from the business for IT investments.
▪ Deliver effective and cost-efficient IT services.
▪ Often the mission statement sounds like an advertising slogan.
▪ In reality, the mission statement should be less of a political
statement and more specific in definition.
▪ Therefore, each mission statement needs supporting details
contained in the strategy definition.
▪ The goal of the BSC is to convert vague mission statements into
clear-cut action items that the staff can understand and then
implement.
Strategy
▪ Attain IT control objectives. Obtain control over IT expenses.
▪ Deliver business value through IT projects.
▪ Provide ongoing IT training and education.
▪ Support R&D to develop superior IT applications.
▪ All these sound great, but they need significantly more detail
before they can be implemented.
▪ Using the BSC can help define the lower-level initiatives
necessary to make the mission functional.
▪ Far too many executives fail to provide a well-defined, articulate
strategy.
▪ A definition is needed that maps detailed cross-coordination
rolling across departmental boundaries.
Metrics
▪ Develop and implement meaningful IT metrics based on critical
success factors and key performance indicators.
