maximizing return on technology investments (3)
TRANSCRIPT
Maximizing return on technology investments (3) Mario Micallef
0 nternal Audit has the responsi- bility to help ensure that a properly functioning IT Steering Committee exists. Preferably In-
ternal Audit should be represented on the committee, as a nonvoting mem- ber. If the Audit Charter precludes such involvement, consider the follow- ing:
l The risk of wasted mega dollars sunk into improper IT platforms.
l The risk of IT platforms being perceived as the panacea for all current and future problems - i.e. “Don’t you worry about that, she’ll be right. We’re using the latest technology. Wish we’d bad it last year, when we were launch- ing product X”. Internal Audit’s involvement would ensure that:
- complacent attitudes by line management towards resolu- tion of current problems are not fostered;
- balance is maintained between resources sunk into tactical solutions while the long-term strategic solution is delivered; and
l
- audit control issues are given priority.
Windows of opportunity would be forfeited, unless the Internal Audit unit invests time in IT Steering Committee involvement and re- view. It would be futile for the Internal Audit department to raise concerns on the IT platform (whether it is on its adequacy to
support business strategies or fun- damental control issues), after the strategic platform has been se- lected and is either in the process of being, or has already been implemented.
l Should problems materialize, ex- ecutive management will be despe- rately seeking answers - Why did
Computer Audit Update l April 1996 N~I 1996, Elsevier Science Ltd.
this occur? Who was responsible? U’hcre \v;ts Internal Audit? All and sundry will run for cover. including Intermil Audit. Face s;n:ing re- sponscs from Internal Audit like “\K’c told them so”. will not improve Intern;11 Audit’s image within the cqanization. More importantl!~, ln- tcrn:ll Audit would not be adding \ ;tluc
0 I:sprcshing views while on the IT Steering Committw. can be an opportunity for the Internal .Audit unit to cam respect with commit- tee members. Sitting on the com- mittce provides Internal Audit with \xluahle exposure to the organiza- tion’s big picture decision making process.
l Involvement on a steering commit- ICC’ ma!- demand additional skills (i.e. strategic management ), which ma!’ not be readily a~ilablc- within Internal Audit. Internal Audit‘s en- hanccment with these skills is also important to the department’5 m;lnagcment development.
Prerequisites to an effective IT Steering Committee If 311 organization is into-rewed in dc\,eloping an IT Steering Committcc- structure, it should focus on the foundation elements on which to build such a program. There are a number of prerequisites to an effective IT Steer- ing Committee, 3s follows:
Clc-ar charter and mission state- ment for the committee;
N’ell defined project appro\,al pro- CCSS:
F33luation criteria;
\VeII defined business c;lhcs:
Ap[vopriate funding cost rate;
Application of funding cost concept for funds absorbed b)- projects:
Single \*crsus multiple funding points:
Framework for project status antI performance monitoring:
‘l‘ratment of Sunk (Iosts;
Frqucncy of meetings;
Minutes of IT Steering <:om~nittccs;
Independc-nce of IT Steering i l~iii- mittcc Members.
Proper le\xzl of commitment must csist throughout the organilzat ion;
Segregation of rcsponsibilitic~~ hc- tnxwi the IT Steering (Iomntittcc and llsccuti~~c (:ommittcc;
W’ell defined systems de~x?lopmcnt methodology and projcc‘t m;rnagc- mcnt guidelines: and
Internal Audit’s indcpcnden I i-c’- Vice. of s!wcms under c.lc\ clap mc’11t.
Intwwl Audit should ;1s:a5~ the adcquaq~ or othc-mist of thcsc. prc- requisites and ad\& the ;4udit (:om- mittw xcordingly.
Clear Charter und Mission Statement few the Committee The committee‘s charter aid niission statement needs to be clearly defined. cndorscd by, the organization‘s ~:sccw ti\xz m;inagcment and the boxd of directors and its role propc+. rccog- nizrtl throughout the organii:;ltion.
Some clcments of the 1.1‘ conimit- tee’s charter and mission :alcmcnt ;iw:
0 Definition of authorit!~ -- i.c:. Icvcl of authorit)-. and w.lierc llii4 i5 derived from.
0 Definition of its composition -- members by title and dcpartrnent
Computer Audit Update l April 1996 .
( 1996, Eflswher hence Ltd
u
rotation of members, independence of members from topics under re- view, and inclusion of Internal Audit as a nonvoting member.
Frequency of meetings.
Distribution of meeting minutes - executive management should re- ceive copies of minutes.
Decision making methods and cri- teria including:
- Formalized project submission for IT Steering Committee ap- proval.
- Projects qualifying for IT Steer- ing Committee review - ie. minimum revenue, expense and/or capital expenditure lim- its.
- One criterion must be what is best for the organization as a whole, as opposed to what is best for one particular depart- ment but at the expense of others.
Well defined project approval process The primary objective of the IT Steer- ing Committee’s project approval pro- cess is to develop and maintain a disciplined approach to project ap- proval and evaluation which is consis- tent with maximising the value to the organization. The process should:
l Provide a documented decision making process to promote objec- tivity.
l Provide an economic basis for evaluating and selecting among alternatives.
l Provide guidance about how to assemble and analyse the business fact case to support proposed projects.
l Enable the identification of the quantified and nonquantified (i.e. qualitative) impact of the project on the organization.
Enable the identification of bench- marks for future performance eva- luation - i.e. accountabilities of the project sponsor/champion and sta- keholders.
Provide for a formal mechanism to gain organizational support for the final decision.
The organization should clearly define its means (i.e. business case) of documenting cost justification and feasibility of each request. The com- mittee’s time must not be wasted requesting additional information from poorly supported requests. A screen- ing process should be in place to assess whether project proposals are sufftciently detailed and comprehen- sive to enable an informed assessment to be made of the project’s impact on the value of the organization. Poorly documented requests or unsubstan- tiated business case proposals should be sent back to the project champion. Assistance should also be provided to project champions in the course of developing the project proposal.
Evaluation criteria The primary criterion for evaluating IT investments should be the impact on the value to the organization - i.e. the primary focus should be on enhancing shareholders’ wealth. Executive man- agement who let themselves be coaxed by technologists into believing
that IT investment decisions are dif- ferent, run the risk of approving expensive projects without rigorous investment appraisal, castings and sen- sitivity analysis. While recognizing that traditional financial metrics alone no longer work in predicting success or
a q ” Computer Audit Update l April 1996 :Q 1996, Elsevier Science Ltd.
failure for complex IT investments. effective commercial controls are still critical to the evaluation process.
How often have we seen technolo- gists argue that “IT must be subject to continual change if organizations are to remain competitive. that improvc- mcnts to business procedures cannot lx achieved other than through ‘high tech’ solutions and, critically, that cost is not relevant since the issue is survival” (Kimber Jeremy 1’Wi ‘L
A strong relationship between stra tcgic plans. operational plans and projects submitted for IT Steering Committee approval is imperative for IT investment evaluation. It is the viability of the overall business strate- gies, and not the individual IT projects that need to be assessed. The organi- zation‘s macro focus should be on the measurement of the added value of the overall (IT and non-IT) effort needed to achieve business strategies. Conso-
lidation and approval of overall IT budgets within business strategies is important to assess the viability of business strategies. This approach would also demonstrate whether the organization as a whole can absorb infrastructure IT investments.
IT investments should not be as- sessed in isolation. Technology sup- ports rather than drives business strategies. There are risks associated with attempting to establish a direct correlation between IT cxpenditurc on a project by project basis, rather tllan within strategic and/or opera tional plans. The process discourages 17 development which, when assessed in isolation is not perceived to max- imize value to organizations. but is
nevertheless critical to strategically position companies in highly competi- tive and dynamic markets. Most likely the process would restrict investment on those projects returning marginal productivity gains (i.e. transactional type investments) in the short-term.
As IT investments arc made for different reasons, different bench- marks have to be used to measure s~tccess. The classification outlined in Part 1 (CAIJ February 1996 ~ strate- gic, infrastructure etc.) will assist the evaluation process. Each IT investment proposal should pass three tests before being submitted to the IT Steering <k)mniittee:
a. Decision Making Test
On what basis does the project champion justify resource reqii~zst S
b. Capital Allocation Test
Would the project champion invest his/her own money in this project ?
c. Performance Management Test
Will the project champion sign LIP to deliver the planned performance?
The value of a project is measured by calculating a net present value from cash flow estimates for quantitative factors (refer to “Well Defined Busi- ness Cases” in the following section). In addition, the decision model should factor the qualitative impact of the IT investment on the organization - e.g. increased responsiveness, ease of ac- cess to information, flexibility, secur- ity, resilience, and strategic match.
Well decfned business cases The business case should bc clear. convincing, well supported aiid fact based. The IT Steering Committee must be convinced that the iproject will increase the value of the organiza- tion before approving it. In addition. the committee must be in a posItion to
Computer Audit Updote l April 1996
c 1996. E!lsevier Sctence Ltd.
IE
assess all projects submitted for review by a common denominator. To ensure consistency among all projects, a standardized framework needs to be established.
As a minimum, business cases should provide the following informa- tion:
a. IT Investment’s Classification - Projects differ in the way they interact with the overall strategy of the organization. This classification will assist the IT Steering Commit- tee in understanding why the investment is needed.
b. Description of the Project - This should clearly describe the need to undertake the project (i.e. overview of the competitive envir- onment, assessment of competitive position) and the business strategy it relates to.
c. Quantitative Assessment - Costs, Benefits and Net Present Value - An IT investment’s viabi- lity will be primarily determined by the net present value from dis- counted after-tax cash flow esti- mates for quantified costs and benefits.
d.
The impact of taxes on future cash flows needs to be factored into the decision model. Income taxes of- ten have a significant influence on decisions. The post-tax decision model could reject alternatives that are attractive on a pre-tax basis. The role of taxes in capital budgeting should not differ from that of any other investment deci- sion.
The integrity of these estimates has to be challenged. The Steering
Committee and Internal Audit should not take the soft option of accepting the net present value, simply because the project cham- pion is prepared to sign up and be held accountable for the project estimates. The integrity of the whole process could be compro- mised by the inclusion of benefits in cash flow analysis which are highly subjective and difficult to quantify. The business case has to demonstrate that real and sustain- able value will be added to the organization.
Internal Audit could take a more proactive role in reviewing dis- counted cash flows prior to sub- mission to the IT Steering Committee.
Qualitative Assessment - Non- quantified Factors - The suc- cess of an IT investment and its impact on the value of the organi- zation cannot always be measured in the Discounted Cash Flow. The business case should identify and support the project features be- lieved to add value to the organiza- tion, but excluded from the net present value calculation, as they are too difhcult or too costly to quantify. All investment decisions will incorporate quantitative as well as qualitative assessments.
Exactly how a company chooses to classify and evaluate nonquantita- tive factors can be highly variable, and will vary from industry to industry. For example, the follow- ing are considered as critical qua- litative factors, for the respective industries:
Customer service in the service industries - e.g. banking;
Hygiene in the health and cater- ing industries;
Quality in the motor industry;
Reliability in essential utilities - e.g. gas, water, transport;
q Computer Audit Update l April Ltd.
0 Ethics in the legal profession: and
0 Safety in the aviation industq.
Nonquantified factors, while impor- tant, should not compensate for sensi- tivity analysis.
c. Key Alternatives Considered - l’hc proposed project must be demonstrated to be the best option among realistic alternati\,es. All lie! alternatives considered should bc described and substantiated 1,~. corresponding discounted cash flo\vs.
f. Distinction Between Internal & External Costs ~ Given that the success of a project is also depeii- dent on the management of costs, the lT Steering Committee is bct- ter informed if project submissions distinguish between internal and cxtcrnal costs.
For example. following project cancellation, achievable internal development cost savings on re- deployment of IT resources ma!.
not be viable if the firm is bound b!. contractual obligations mAth exter- nal p-tics for the development or customisation of proprietary soft- ware. Such risks should be recog- nized in Bailout Payback analysis.
g. Payback and Internal Rate of Return Analysis ~ Project cham- pions should demonstrate payback and internal rate of return analysis in their project submission. This would ensure that projects which return \ralue to shareholders ear- liar, or otheralse demonstrate a higher rate of return, recei1.c priority treatment.
‘I’he production life of technolog? is becoming shorter. As such, the
11.
i.
i.
longer it will take a projec3 to recoup cash from operations, the higher the risk associated w!th that project. The level of certaint). in estimating project costs and rca- lisation of estimated benefits di- minishes as the measurement period increases.
However. payback analysis sl~oultl
not be viewed in isolation. An investment’s main objecl:i\ c’ ib protitability. not hon. quickly in- vestment dollars arc recoul~cd Project prioritization based solely on payback analysis may place too much emphasis on short term benefits at the expense of long- term strategic projects. In addition. bailout factor needs to be included in the decision model to recqnize the least risky project r.)f the alternatives being considered (i.e the project with the best bailout protection if things go n’rong).
Sensitivity Analysis - It is dan- gerous for business cases to as- sume that the estimated cash tlows will definitely occur. !<ensitivit) analysis will demonstrate lT invest- ments’ sensitivity to variances b) providing management with an immediate measure of thlc financial impact of possible errors in fore- casting.
Sensitivity analysis would assist the lT Steering Committee in rccog- nizing projects which may be more sensitive than others to changes in critical variables. The impact ot standard tolerance le\~ls. if applied to the business case. should also be analysed - e.g. + ,‘- 10% toileranct on accuracy of estimates.
Assumptions - I lnderly ing as- sumptions. facts and analysis sup- porting the quantified costs and benefits used to calculate the net present value.
Time Frames and Measurable Milestones - The project’c; de- velopment and implementation milestones should be laid out to
Computer Audit Update l April t 1996. E:lsevier Scienc
provide a basis for monitoring its progress. Operational goals (i.e. productivity gains, incremental revenue) will be measured follow- ing implementation.
Project proposals should have a prudent assessment of a project’s estimated benefits measured over its minimum economic life. In view of the rapidly changing IT environ- ment, Internal Audit should ques- tion the viability of IT projects with a relatively long measurement period. By extending the expected economic life of projects, it pro- vides project champions with the opportunity to extend the period over which benefits may be fac- tored into DCFs.
The level of certainty in estimating project costs, as well as the realiza- tion of estimated benefits diminish
k.
as the measurement period is extended. The risk associated with long measurement periods needs to be realistically factored into the decision model (i.e. under qualita- tive factors).
The IT Steering Committee is also in a position to note and challenge any inconsistencies in the length of the measurement period for pro- jects utilising similar, if not iden- tical, IT platforms.
Contingencies and Externalities - The success of a project usually depends on a few anticipated key events. The integ- rity of business cases submitted for IT Steering Committee review, may be compromised because contin- gencies and dependencies relating
to other critical business/support units (stakeholders), are not fully recognized in the decision model. For example:
- Overestimation of Benefits - Incremental revenue and/or productivity gains contingent on other business units, but the realization of which may not be deemed to be achievable by those business units.
- Underestimation of Internal Costs - CPU charges which are considered unrealistic by the CIO.
The issue becomes even more complex with key events which are outside the control of the organization. Contingency plans should be included in the business case to demonstrate what would happen if events do not eventuate as anticipated.
1. Overall Project Impact Chart - Projects usually have a diverse range of effects on an organization - either quantifiable or nonquan- tifiable. The project impact chart consolidates all these issues for final evaluation.
Project impact charts are also useful in project prioritization, where all projects could be plotted on the same chart for comparison purposes.
Appropriate funding cost rate
The opportunity funding cost rate used in discounted cash flows should represent the funding opportunities available to the organization. If the rate is set higher, it would penalize future revenue cash flows. Project develop- ment costs precede benefits (incre- mental revenues and productivity gains) which are only derived follow- ing implementation. Using a relatively high discount rate could result in the following negative practices:
Computer Audit Update l April 1996 0 1996, Elsevier Science Ltd.
Risk of forfeiting real valiic- added opportunities for the organization:
Project champions intcntionall) o\westimating project benefits:
Intcgrit), of DCFs for lxnchmark projects becomes questionable; and
Process would mitigate against ob- jecti\,e and realistic estimates.
\‘arious discount rates should be used to recognize that the time value of money varies with different time horizons. If risk is not effective]) assessed under the qualitati\.c factors, then consideration should also IX given to factor risk into the discount rate. Othenvise high risk projects may IX incorrectly perceived as more attractive than less risky projects.
Application of funding cost concept for funds absorbed by projects Project costs should be treated as borrowed funds. Time value of mane! 11as to IX recognized both in the decision model and also in perfor- mance monitoring. This will enforce the discipline and accoun1 abilit!. \\.hich are essential for the SLKWSS~LI~
operation of the entire process.
An!- departure from this practice \vould insulate line management from being accountable for the cost asso- ciated with the use of funds. This ma! encourage project champions to in- clude unrealistic incremental benefits in business cases, as there is no funding cost to the sponsoring division in proceeding with a project where stated benefits are not realized
Single versus multiple funding points Executive management has to detcr- mine whether project sponsorship should adopt single or multiple fund- ing points.
I’nder the single funding point
concept, the project sponsor has to come up with a convincing bilsiness case at the commencement :)f the project’s life cycle. This places the project champion under prcssurc to deliver acceptable estimates to obtain project funding. Project tc:ams are expected to estimate costs prior to defining user requirements, assessing system design alternatives and drawing up system design specil-ications
The recognized difticultits 117 con- structing accurate estimates at such an early phase in the de\4opment life c!.cle. as well as the recognition, albeit reluctant, of project teams’ inahilitv to deliver IT projects within hudget. encourage system de\~elopers to un- derestimate costs. The low-ball figure helps to sell a project to the 1’1 Steering Qmmittee, but the project often turns out to be much hligper and often different from Lvhat was origin- all,: put forward. The more c:osts that are sunk into a project, the less likely it is that further development will be decommissioned. The single funding point method may in fact contribute to, rather than control runaway pro- jects.
A capped project expenditure with several funding points at different stages in the project’s life cycle should be considered. The following ;:.rc’ the percei\.ed benefits:
The project champion is gi\,en the opportunity to discuss the status ot the project and renegotiate the scol~c-, schedule or budget. it appro- priate.
Project scope and deliverables are reassessed in the context of husi- ness/technoloa strategies at the various funding points.
The project’s budget i:s broken down into more managcahlc com- ponents.
Budget over-runs are measured against each phase.
The process is a more objective recognition of runawa!’ projects.
Computer Audit Ulpdclte l April 1996 C’ 1996, Elsevcer Science Ltd. q
Framework for project status and performance monitoring The IT Steering Committee’s responsi- bilities should not be limited to project proposal assessment and prioritization. It shouId determine whether:
l project priorities are being fol- lowed;
l prolects are on track to deliver user requirements on time and within budget; and
l additional resources are needed on projects which are behind sche- dule.
Clear guidelines for monitoring and reporting of projects under develop- ment and following implementation are mandatory. The rationale behind
the monitoring of projects during development is delivery within time and budget, whereas the review pro- cess after implementation determines whether the project delivered the proposed benefits.
The monitoring process must be sufficiently rigorous independently to ensure timely recognition of potential runaway projects to initiate corrective action. The main drawback with any monitoring process is the integrity of reported data - in this case progress reports furnished by project cham- pions. Compliance with guidelines on reporting and monitoring, needs to be independently reviewed to ensure that returns to the IT Steering Committee accurately reflect projects’ status. In- dependent review is essential to avoid any conflicts of interest. Internal Audit
could play a significant role in review- ing the accuracy or otherwise of reported data.
In the absence of independent verification of reported data, project champions could camouflage short deliverables without being challenged or deliberately defer recognition of project cost blow-outs by reporting costs on a cash basis - i.e. nonrecog- nition of expenditure until settlement of invoices. Project champions would assume the latitude, perhaps by de- fault, to defer tough decisions in the firm belief that the more costs that are sunk into a project, the less likely it is that further development would be decommissioned.
Organizations must recognize the benefits of undertaking post imple- mentation reviews. It is unfortunate that the benefits of undertaking PIRs are not frequently embraced by pro- ject champions. Often, project cham- pions see more value in undertaking new development to deliver urgent business requirements, rather than sink more funds and resources in PIRs.
Unless PIRs have been budgeted for within the business case, project champions would prefer to utilize funds in delivering urgent business requirements. Business cases should include the cost of undertaking PIRs.
Finally, no performance monitoring is meaningful unless it incorporates the funding cost concept. This will enforce the discipline and account- ability essential in the utilisation of funds by line management.
Treatment of sunk costs The treatment of sunk costs on IT projects needs to be clearly defined. Costs already incurred on a project cannot be recovered. Value based management principles dictate that, in principle, costs to date be ignored when deciding whether or not to go forward with a project - i.e. the
0 P Computer Audit Update l April 1996 0 1996, Elsevier Science Ltd.
decision model should be based on fixture cash flows.
However. the criteria applied for resubmission of projects for additional budgets to the IT Steering Committee, needs car&l consideration. Project champions should not be given too much latitude regarding the treatment of non recoverable costs. As sunk costs arc’ excluded from subsequent budget rekisions (which are based on future cash tlows) the project champion m.ould be in a position to demonstrate a more favourable net present value, resulting from:
l lower costs. as major costs ah-c-ad! incurred are excluded from cash oLltflo\l~S;
l discounting of benefits at lower compound discount rates. as re\i- sion date is treated :is >‘e;u- 0; and
0 pobsihle extension of tlic tinic horizon ovc’r -9iich benefits arc’ measured.
One \~a)- of addressing this issue is the application of a funding charge against operations, representing a cost for the use of funds. Funding costs \\ould enforce the necessary disciplinc- and accountabilit);, with the following benefits:
l Real cash flow benefits will have to 1~~ realistically assc-ssccl 1,~. the division sponsoring the projcc’, prior to IT Steering (:ommittee submission.
a Since fimds are not free, no intrin- sic gain \vill bc achieved b)r the sponsoring division by inflating project benefi’its.
Sunk costs are not treated as free funds and still have to be repaid.
The impact of project slippage is realistically assessed - i.e. payback will be deferred and project cham- pions will have to cover thr t’x- tended funding period.
A more disciplined and accountable utilisation of organization funds by line management.
I.ine management hvill bc more proactive in the monitoring of their projects.
Provides line management -Ait a more accountable autonomv in runrring their divisions.
Frequency of meetings Frequency of meetings is critIca to ensure timely assessment of project requests. Windows of opportLmit> could be forfeited unless organizations are proactively repositioning them- selves in a competitive market. ‘l’he process should be seen as assisting rather than hindering such ;I process.
Minutes of IT Steering Committee meetings Minutes of IT Steering (Zommittec- meetings are mandatory. Mary consid- cr meeting minutes to bc trllvial, a formalit)-, and a nonvalue added activ- ity. Minutes hold committee members accountable for their decisioLLs and provide documentation of t’hc justifi- cation for their decisions.
Higher bodies, such as the. board of directors can review the minutes 10 gain an overall understanding of the committee’s basis for accepting or rejecting a project proposal. Future committee members. as well :L?> inter- nal and external audit can use the minutes to develop a historic:al assess- ment on an IT operation.
Computer Audit Uipdclte l April 1996 c 1996. Elsedier Science Ltd.
Independence of IT Steer@ Committee members The independence of IT Steering Committee members must be ensured. The integrity of the whole process could be compromised by powerful stakeholders lobbying committee members to push their own hidden agendas.
To this end, Internal Audit should assess the composition of the IT Steering Committee and rotation of its members. It is important to identify any emerging patterns, particularly where the project champions are also committee members.
Segregation of responsibilities between the IT Steering Committee and Executive Committee The role of the IT Steering Committee should not extend to project budget approval, which should rest with high- er authority, such as the Executive Committee.
The primary function of the IT Steering Committee is to review the impact of project proposals on the value of the organization and prepare recommendations for the Executive Committee about the project’s accept- ability. Executive Committee will then review the recommendation of the IT Steering Committee and approve, re- ject, or recommend a modification to the expenditure request.
Proper level of commitment must exist throughout the organization Board of Directors’ Commitment - The board of directors’ awareness of the committee activities is accom- plished through the board receiving copies of IT Steering Committee meet-
ings minutes. The board must be comfortable that the committee is making informed decisions, which will have a significant impact on share- holder wealth.
Project Champions’ Commitment - Project champions must acknowl- edge and believe in the value added by the IT Steering Committee. The integ- rity of the process could otherwise be compromised - i.e. bypassing the committee for IT budgetary approval.
IT Steering Committee’s Commit- ment - Finally, the IT Steering Committee members must be pre- pared to invest time and effort in the process. Significant responsibility and time commitment are demanded of committee members, depending on the size and complexity of the infor- mation system being reviewed.
Well deJined systems development methodology and project management guidelines A well defined systems development methodology and project management guidelines are prerequisites to an effective IT Steering Committee. If these are not in place, then Internal Audit should ensure that their devel- opment and implementation be given high priority by the committee.
Internal Audit’s review of systems under development would be signiti- cantly hampered, unless structured and formalized systems development methodology and project management guidelines are in place.
Internal Audit’s independent review of systems under development Internal Audit should be proactively involved by targeting the development
: P Computer Audit Update l April 1996 0 1996, Elsevier Science Ltd.
ot high risk. critical and strategic computer applications. by conducting independent reviews of new and amended systems. Internal Audit’s cov- crage would focus primaril!, on con- \ crsion effectiveness aimed at ensuring that:
Systems Development Audit groups _ . should work closely with project teams and the relevant Business Unit System Managers to ensure Internal Audit objectikres are satisfied through- out the entire Project Life C!,clc.
cffcctivc internal controls are in- corporated during development;
design, performance and controls meet the Organization’s requirc- ments and those specified in the design specifications to ensure that system and data integrity will be n~aintaincd:
business unit requirements are properly defined, met and acknowl- edged by the users as halring been met;
management information is being delivered to adequately support business unit or section manage- mcnt:
policies, regulations and standards are being followed:
s!xems developed arc consistent with the strategic objectijres of the organization;
valiic Ixwd management principles are applied and benefits are rea- lized:
problems are identified during de- velopment and resolved prior to cutover to live implementation;
systems are properly tested, con- \.erted and implemented to cnsurc oilly suitably controlled systems enter production:
systems and user documentation is complctc and accurate; and
systems provide management trails to support investigation of pro- blems or errors.
Conclusion A\%ilable studies of IT in\,cst ment ;md
its relationship to organizational per- formance have reached con{ radic.ton conclusions. The objecti\-c of- these three articles is to gain insight into the 1’1’ investment process. Four broad topics were analysed as follo~~vs
l New metrics needed l rad- tional financial metrics ;tlonc 110
longer work in predicting succt’ss
or failure for IT investrncnts. as technology is becoming more per- vasive throughout organizations. NL-\Y metrics were required to understand such intangibles as in- creased responsi\,encss. c;tsc of access to information. flexibility, security and resilience. t lows\-cr. effective commercial contrt )Is arc still relevant to the evaluati(ln pro- ccss. Executh-e management n.ho let themselves be coaxed 1~~ tech- nologists into believing that IT investment decisions are dil‘fercnt, run the risk of approving expensive
projects without rigorous itn,cbt- ment appraisal. castings ;~iid scnsi- tivit!’ analysis.
l IT Investment is not homogeneous - IT in\,estments are made for different rcxons and differ in the way they intcrac t \\?th the underlying corporate strategy. The justification and evaluation of the IT investments will \x-\~. as their impact on corporate per&-niance is bound to be assessed differently. I:i\,c classifications are rI:con- mended to assist the im7e~;tment evaluation and pcrformancc~ mea
surement process - Str;itcgic, Strategy Support, Transactional. III-
formationali Infrastructiirc~. xnd Tactical.
Computer Audit Update l April 1996 ( 1996, Elsej,ier Science Ltd.
l Conversion effectiveness of IT investments - Conversion effec- tiveness of IT investments, varies between organizations and different project teams within the same orga- nization. The failure to deliver IT projects is not due to any technol- ogy limitation, but to the conversion effectiveness. Industry studies have demonstrated that progress in tech- nology far outstrips progress in managing the technology. The four primary factors that impact on con- version effectiveness are:
- Previous Experience with IT;
- User Satisfaction with Imple- mented Systems;
- Corporate Political Turbulence; and
- Top Management Commitment.
l Top Management Commitment - This has long been recognized as critical to successful development, implementation and use of compu- ter systems and vital to establish and maintain:
- Business and IT Strategy Align- ment;
- Business Process Reengineering and IT; and
- An effective IT Steering Com- mittee.
Internal Audit has the responsibility to help ensure that their organizations are maximising return on technology investment. As outlined in this serial- ization the process, though complex is manageable. Internal Audit can add value by proactive involvement in the process.
Do not forfeit this window of opportunity. External consultants would otherwise be commissioned, and undoubtedly would utilize your resources.
~$3 Mario Mica&f, 1996
Murio Micallef is head of IT Audit at National Australia Bank’s head office in Melbourne.
References Aschauer D.A., “Is Public Expenditure Productive?“, Journal of Monetary Econom- ics, 1989.
Baatz E.B., Altered Stats, CIO, October 1994.
Baroudi JJ. and Orlikowski W.J., “A Short Form Measure of User Information Satisfac- tion: A Psychometric Evaluation and Notes on Use”, Journal of MIS, 1988.
Bender D., “Financial Impact of Information Processing”, Journal of MIS, Vol 3, No. 2, 1986.
Broadbent Marianne & Samson Danny, I?nprouing the Alignment of Business and Information Strategies, The Graduate School of Management, University of Melbourne, November 1990.
Broadbent Marianne & Weill Peter, De- veloping Business and Information Stratea Alignment: A Study in the Banking Indus- try, The Graduate School of Management, University of Melbourne, September 199 1.
Butler Carey, The Role of Information Technology in Business Process Redisign: Observations from the Literature, The Grad- uate School of Management, University of Melbourne, December 1993.
Butler Cox Foundation, “The Role of Information Technology in Transforming the Business”, BCF Research Report No. 79, London, 1991.
Capuder L.F.Sr., How IS Steering Commit- tees Contribute to a Proper Contro Environ- ment, Auerbach Publications, 1994.
Collin Nick, “Getting Value For Money From IT Investments by Rethinking the Management of Information and Technol- ogy”, Computer Audit Update, February 1995. Computer Science Corp., El Segundo, California Software Magazine, February 1994.
Computing Canada, May 1994.
Cron W. and Sobol M., “The Relationship between Computerization and Performance: A Strateq for Maximizing Benefits of Com- puterization”, Information And Manage- ment, Vol 6, 1983.
Davenport Thomas & Short James, “The New Industrial Engineering: Information Technology and Business Process Redisign”, Sloan Management Review, 1990. DeJarnett L.R., “What is Hot, What the Hot is Not!“, Information Strategy, 1992.
Diamond Sid, “Giving Business an IT AIign- merit”, Software Magazine, February 1994. Ginzberk M.A., “Key Recurrent Issues in the Implementation Process”, MIS Quarterly, 1981.
0 q Computer Audit Update l April 1996 6 1996, Elsevier Science Ltd.
Gulden Gary & Reck Robert, “<.ombining Qit:tlit\. ;tnd Ii~cnginetMng Efforts for Process t-.sc&w~“. IWL.
Hammer ,Michael, “l<txnginwring \\‘ork: I>on‘t ~tttom:tte. Ohlit~txr~“. fir/Yc,rr,.t/ Rllsi- ,,(‘.SS Kc/~ic,lc~ I ‘YJO.
Hammer Michael & Champy James, Ke- c~iigiitt~ei~it/~~ Il~r Corporrrtioi/: .i .2lnnifesto fiw R//sii/c.ss Rer~f~/rrtioi/. New 1.0~k. Iktrper IWin~s4 Prcsz. IW.5.
Ives B Olson M.H. & Baroudi J.J., “~leasurihg lkr Inform;ttion Satisfwrion: A &I&od ;tnd Critiqitc”. Coii/iii//iiic~olioi/s r!f’ tfu, lC.L11. 1’Xi.i
Kerr Monta, “‘l‘ougl~ ‘I‘itncs Ior (110s” ~.oit~j~rrliri~ C’crtlacia, May 19Ot.
Kimber Jeremy, “lf ~‘OLI ‘l’hinh Informarion is lixpensi\ c ‘I‘t-!. Ignotxn~~“. 7%~ ‘l’ivrrsrri~c~i: [)~c’cmkr I90 4. Krass Peter, “l%uilding ;I Hcttvr Moustwtp: Vi’hat Role do hIlS Escctttivcs t’la!. in Dusinc-ss Kccnginccring Projects?“. /i/~i~i~ii/r/tir~ir W’wk. No. 3 t 3. March I99 I
Kwon T.H. & Zmud R.W., “l’t@ing the I:r:tgmrnted hlodels of 1nform;ttion Sl;stems Impl~m~nt;ttion”. Critictrf Iss~re.~ ii/ Ii~fortiir/- tiotr ‘;l’stvttts Research. V’ilcy. I OX-
Lamont Warren Gorham, HOI/, I.\ .\terr’it/g ~‘oittitfiltees Cmh’ibzct~~ to 11 Ptu~~c~i~ Coi/lt~ol /:‘it/~ii~r~iriiieizt. Auerbach Ptthlishers Inc.. I OO-i. Lucas H.C. Jr.. Ittt~?lrti/twt~/tiot/: 7%~ h’cy lo \~rccess~irl li/~iwti/rrtioii .S~)steiiis. (~olumhi:t I nivc&it\, Pr&s: Ncn- \‘ork. 15X-31
Markus M.L.. POLWI-. Politics ciilrl ,111.5
fit~~~lr~~iei~ti~tir~t~. Cott/ti///i/i~r/lic,trs o/‘ 11~~
.Ac.:M I 0x.3.
Markus M.L.. Itt/~tf~tt/~~t~tt/ti~tt/ f’olitics: 70/t .Il~/i/~/~~“ti/“‘I .S//pJ>oi’t r//id ( set fili~tl/~~- ~i/~‘i/t. t 9)x I. Markus M.L. & Pfieffer J., “Pow cr .tnd thr I)csign and Implementation of rkc‘oiinting ;tnc.l <:ontrol Systems”, Accor/t/tiiz~~ Oi;~at/iz~/- fioils cii/d So&f): 1983.
McKay D.T. & Brockway D-W., iiriiltlitzg 17 ItiJtxsftwfr/t~~~ [or the I WOs. Noktn Norton x colllp""~~. 19x9.
Osterman P., “The impact of (:otiipttt~ra on thv 1‘:tivirotimc-nt of Clcrka ;tntl ;\lanatgcr4”. lt/(i/t.s/n’crl r~itrl Lt/ho//r Rc4nlioti.s RriGrc: I ‘ML PIMS Program, ,Cfcwir~gettteill l~r~otlirctii~i~~~ ut/d fi~foritratiotz Tec‘htzofo~q~: The Strategic Pl;tnnitig InstituW. <ktml~ridg~, i\l;t4\. IW.
Porter and Millar, “Ilo\\ Inli)rm;ttio~~ (;t\rs You <:ompetitive r\dvzantage”. ffii~rwtd Hirsi- t2c.s.s Krihw. JLIIY - hitgust 1 OXi.
Raymond L., “0rg;tnizatton ( h;tr.tcrcrt\tics ;tncl XIIS Success in the (:c)ntrxt c 4 \rn;~ll I3ttsincss” _ MI.Y Q/rr/rlri$: Wtrch I W5
Roach Stephen S., “‘l’c-chnolopt an<1 the Scnicv Sector: The Hidden (:orul~~tiri\~r (:hallengc”, 7cchttoloLg~ f~ot~c~c~r/.ctit~Lq (1i//1 .Socir// ~.‘hr/i/gc~. Ikccmbvr I WX
Roach Stephen S.. “t’itl:tlls on th( \<Y\’ /\ssvmhl\ Line.: ( ~111 Scr\ ice\ L.c:;I~II 1rom i\-l:tattf;tctttriii~~“. t’coiroiiric Pc/.s~)l~c.li/~(~s. hlotytn St;tnlr! xnd (:o.. NV\\ 1’orh Ik~x~w her IWO.
Shrisvastava P., & Grant J.H., “t:mlGrt~;~ll! I)vri\crl Xlorlrls of Stratcgi~~ I)C.C.ision-tn;thiilg Proccs”. .Stixtqic .Ilr~i/r/~i~itic~i/~ ,/rwri/~/l. IW5.
Strassmann Paul, 7%~e flrrsiiic5s I~///w c!f Cc~tt//~/r/cl:v. New Cana:tt~. (11‘. ‘l’h~: Ittform;t- tion Economies Press. IWO.
Teng J.T.C., Kettinger W.J, Guha S.. “Husincss Procc.ss Kedcsign 2nd Inform.trion &-chitwtttw: t%t:tMishing the Xlissing Linhb”. Pt~rmwliq~s of‘ thr Tltir?c~~i/lh Ii/t~~t~i/~/lioi/rtl Cot/fkwt/w oii It~~hiw~/ti~~i/ St5tciiis l);t11;1s. TV&. Dc~vmlxr I W1.
Turner J. and Lucas H.C. Jr.. “Ikw:lcq3ng Strxtc-gic Information Systc.ms”. Iltrifflboftk c!f‘
R/rsit/es.s .Str-rftvg): (:h:tptrr 2 1. Warren. (nor- h;tm and I~amont. Boston I Wi
Venkatraman N., “IT-lnclttc~tl lktsinvw tk- confipttrxtion Infr;tsrtuctwcs: I’hc (.orp~br;t- tion of thv 1990s”. li!ff,riiirf/iort 7cd~t/cdrt~yi8 ciirrl Oigrri/i,7~/lioit~/I 7’t-r/it.~~i~i~ii/otic,,,. ( )L- ford I ni\wsit!, Press. 199 I.
Computer Audit Update l April 1996 t 1996. Elievle: Science Ltd.