IT Governance, Risk and Compliance (IT GRC)
- Does the business understand how IT operates, or what it can and cannot do within a given time frame?
- Is the IT organisation faced with dramatic change following a merger/acquisition?
- Is there adequate visibility into, and control over, IT spending, or are IT costs perceived to be too high?
- Is there a good understanding of IT-related risk? Are IT-related risks properly managed?
IT GRC ensures that …
- The activities and functions of the IT organisation(s) support objectives, and investments are maximised.
- IT delivers the envisioned benefits against the strategy, costs are optimised, and relevant best practices are incorporated.
- The optimal investment is made in IT, and critical IT resources are managed and used responsibly, effectively and efficiently.
...for embedding IT GRC in the organisation
Some important issues:
- Firms with above-average IT governance performance had more than 20% higher profitability than firms with poor governance
- Effective IT governance is the single most important predictor of the value an organisation generates from IT
Regulatory and industry requirements
- Organisations need to satisfy quality, fiduciary and security requirements for information, as for all other assets
- The Committee of Sponsoring Organisations of the Treadway Commission (COSO) defines a widely accepted control framework for enterprise governance and risk management; that framework also requires a framework for control over IT
- Sarbanes-Oxley, Basel II
- Industry specific regulations
- General call for greater transparency
PwC’s IT GRC Capabilities
- IT controls assessment and measurement
- IT governance
- IT risk assessment / IT control benchmarking
- IT audit training
- IT internal audit outsourcing / co-sourcing
- IT policy & procedure manual
- ERP control and assurance
- Data assurance