Information Systems Helping in Better Corporate Governance


8/3/2019 Information Systems Helping in Better Corporate Governance

ASSIGNMENT NO:4

Information systems helping in better corporate governance

A board needs to understand the overall architecture of its company's IT applications portfolio. The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue. (Source: Wikipedia)

Corporate governance describes the process and structure for overseeing the direction and management of a Crown corporation so that it effectively fulfils its mandate. Good corporate governance can contribute to the corporation's achievement of both its public policy and commercial objectives.

The manner in which a corporation is run:

- Achieving its objectives
- Transparency in its operations
- Accountability and reporting
- Good corporate citizenship

Corporate governance has to do with managing the risks of doing business, and thus protecting the stakeholders of the corporation. Comprehensive, enterprise-wide risk management is the main purpose of corporate governance. Aside from the inherent risk implicit in the nature of business, a business firm's risks can be identified with its systems, both manual and automated. A corporation comprises many systems, two of which are the most significant: the operational system and the information system. The two are more like two sides of the same coin. Operations are supported by information and, at the same time, operations are a source of data.

Use of information technology (IT) in information management has made a considerable impact on these corporate governance mechanisms.

The developments in Information Technology have a tremendous impact on auditing. Information Technology has facilitated re-engineering of the traditional business processes to ensure efficient operations and improved communication within the organisation and between the organisation and its customers. Auditing in a computerized and networked environment is still at its nascent stage in India, and established practices and procedures are evolving. A well planned and structured audit is essential for risk management and for monitoring and control of Information Systems in any organisation.

    PREPARED BY: TONMOY BORAH 3RD YEAR MBA (PT) Page 1


Top-level management is responsible for long-term policy decisions on the use of the Information Systems in the organisation.

Information Systems management is responsible for planning and controlling the Information Systems activities in the organisation. It provides assistance to the top management in making long-term policies and translates the long-term policies into short-term goals and objectives.

An information system (IS) represents all the elements involved in the management, processing, transport and distribution of information within the organisation.

In practical terms the scope of the term Information System can differ greatly from one organisation to another and, depending on the example, may cover all or some of the following elements:

- Company databases
- Integrated management software (ERP)
- Customer relationship management (CRM) tool
- Supply chain management (SCM) tool
- Application jobs
- Network infrastructure
- Data servers and storage systems
- Application servers
- Security devices

The Information System should safeguard its assets and maintain data integrity. It should help in achieving the organization's goals. A secure information system should have established comprehensive procedures and controls, which are backed by commitment from the management of the organisation. It is required to periodically monitor that these procedures and controls are in place and operational, to effectively ensure that the information stored in these systems continues to be dependable. Periodical monitoring is achieved by IS audit.


IS audit is a process of collecting and evaluating information to determine whether a computer system could:

a) safeguard its assets (hardware, software and data) through adoption of adequate security control measures;
b) maintain data integrity;
c) achieve goals of the organization effectively; and
d) result in efficient use of the available Information System resources.

Risk management is a critical component of corporate governance. Risk management helps organisations recognise the wide spectrum of risks that they are exposed to. It aims to help them prioritise risks based on their potential impact, put mitigation plans in place, and monitor them so that they don't become hurdles in achieving corporate objectives. Information technology is a key support function in any business, and regulation requires the board and the management to report key risks, and their assessment of how these risks are being managed. The Chief Information Officer (CIO) needs to play a significant role in supporting boards, audit committees and the management, in first understanding, and then implementing, good governance over IT.

Security and disaster recovery used to be major risk factors, but today IT risk management covers a range of factors such as runaway projects, global sourcing, regulatory compliance, privacy, trans-border data flow, export control, financial disclosure, certifications, business continuity, fraud detection, protection of intellectual property and shortage of skilled resources. The list is endless, and promises to keep growing. The sources proliferating risk are increasing manifold as well. Natural disasters such as fires, floods, earthquakes and cyclones have always been a risk for IT. To that list of natural calamities can be added an ever-expanding range of man-made risks: viruses, worms, Trojan horses, phishing, spyware and identity theft, making the IT risk management job more difficult every passing day. In addition, globalisation, new technology and attrition rates complicate the task of managing IT risks.

Technology not only creates new risks, but also plays an important role in mitigating risk. As such, IT executives must now work closely with business unit leaders and executive managers to adopt a formalized set of reproducible and scalable risk and compliance management technologies and techniques.

The seven key areas of risk that CIOs need to discuss, strategise and budget for include the following:

    Business Continuity Planning/Disaster Recovery Planning (BCP/DRP)

Every organisation faces the risk of having to deal with known and unknown disasters. Organisations that use IT strategically and need to recover from significant business interruptions deploy Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) systems. BCP should not only be documented but also tested, updated and validated regularly, to mitigate the threat of the non-availability of IT services disrupting automated operations and key business operations. BCP/DRP are not only about infrastructure and planning, they are also about people. People play a key role in ensuring that the organisation continues to function securely at pre-determined acceptable levels. DRP/BCP are like insurance and need to be renewed, as insurance is with premium payments.

    Information security and data integrity

    Security-related incidents have been on the front-burner of organizations for several years.

Security breaches may occur due to the negligence of staffers, third-party access to key applications, or lack of appropriate security of information systems. It is essential that all organizations have information security policies and procedures in place, as well as a formal incident response management team that can detect and escalate security breaches. Key risk areas that need to be focused on in logical access management include lack of procedures on user access rights and inadequate review of access rights on a periodic basis. Segregation of duties amongst users should be addressed to promote tighter control. Physical access risks exist on account of poor awareness levels and training. Investments made by organizations are for physical goods and not on IT assets, especially data. Physical security functions are typically not integrated with information systems security.
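As an added illustration that is not part of the original assignment, the following Python script shows what a periodic logical access review of the kind described above can look like in practice: it flags segregation-of-duties conflicts, access rights not re-certified within a set period, and accounts that still carry roles after the person has left. The user records, department and role names, review dates and the conflict matrix are all constructed sample data, not taken from any real organisation.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed sample records (hypothetical users, departments and role names):
# each user's assigned application roles, whether they are still employed,
# and the date their access rights were last re-certified by a manager.
@dataclass(frozen=True)
class UserAccess:
    user_id: str
    department: str
    roles: frozenset
    active_employee: bool
    last_reviewed: date

USERS = [
    UserAccess("u001", "finance", frozenset({"vendor_create", "payment_approve"}), True, date(2019, 6, 1)),
    UserAccess("u002", "finance", frozenset({"payment_approve"}), True, date(2019, 7, 15)),
    UserAccess("u003", "it", frozenset({"db_admin", "app_user"}), True, date(2018, 9, 30)),
    UserAccess("u004", "sales", frozenset({"crm_read"}), False, date(2019, 2, 10)),  # has left the company
]

# Date on which the review is run (constructed to match the assignment's date).
REVIEW_DATE = date(2019, 8, 3)

# Hypothetical segregation-of-duties matrix: role pairs one person must not hold together.
SOD_CONFLICTS = (
    frozenset({"vendor_create", "payment_approve"}),  # could create a vendor and then pay it
    frozenset({"db_admin", "app_user"}),              # could alter data outside application controls
)

def sod_conflicts(users):
    """Return (user_id, (role_a, role_b)) for each user holding both roles of a conflicting pair."""
    findings = []
    for u in users:
        for pair in SOD_CONFLICTS:
            if pair <= u.roles:
                findings.append((u.user_id, tuple(sorted(pair))))
    return sorted(findings)

def overdue_reviews(users, today=REVIEW_DATE, max_age_days=180):
    """Return user ids whose access rights were last re-certified more than max_age_days ago."""
    return sorted(u.user_id for u in users if (today - u.last_reviewed).days > max_age_days)

def orphaned_accounts(users):
    """Return user ids that still carry roles although the person is no longer an employee."""
    return sorted(u.user_id for u in users if not u.active_employee and u.roles)

def access_review_report(users, today=REVIEW_DATE):
    """Bundle the three checks into the exception report a periodic review would produce."""
    return {
        "sod_conflicts": sod_conflicts(users),
        "overdue_reviews": overdue_reviews(users, today),
        "orphaned_accounts": orphaned_accounts(users),
    }

if __name__ == "__main__":
    for finding, items in access_review_report(USERS).items():
        print(f"{finding}: {items}")
```

The report is deliberately an exception list rather than a full dump of rights: a reviewer signs off on the items it raises, and an empty report is itself evidence that the control ran. In a real deployment the user list would come from the identity store or the application's own user table, and the conflict matrix from the organisation's documented SoD policy.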

Data integrity risk encompasses all of the risks associated with the authorization, completeness and accuracy of transactions as they are entered into, processed by, summarized and reported on by the various application systems deployed by an organization. These risks pervasively apply to each and every aspect of an application system used in supporting a business process. Integrity can be lost due to programming and processing errors, and poor management. Adequate preventive controls and detection need to be put in place to ensure that only valid and complete data are entered into all systems and applications.
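As an added illustration (not part of the original text), the following Python code applies the three data integrity controls named above, authorization, completeness and accuracy, to a constructed transaction batch. Each record is checked for required fields, a well-formed positive amount, and an approver who is distinct from the submitter and within a hypothetical approval limit; the batch is then reconciled against a record count and control total supplied in a header. Field names, user ids, limits and transaction values are all constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed transaction batch as an application might receive it from an
# input screen or interface file. Field names, user ids and values are hypothetical.
RAW_BATCH = [
    {"txn_id": "T1", "account": "4000", "amount": "1250.00", "submitted_by": "u002", "approved_by": "u001"},
    {"txn_id": "T2", "account": "4000", "amount": "99999.00", "submitted_by": "u002", "approved_by": "u002"},
    {"txn_id": "T3", "account": "", "amount": "10.50", "submitted_by": "u003", "approved_by": "u001"},
    {"txn_id": "T4", "account": "5100", "amount": "12,00", "submitted_by": "u003", "approved_by": "u001"},
]
# Batch header the sender supplies; its control total counts T4 as 12.00.
BATCH_HEADER = {"record_count": 4, "control_total": "101271.50"}

REQUIRED_FIELDS = ("txn_id", "account", "amount", "submitted_by", "approved_by")
# Hypothetical authorization limits: the largest amount each approver may sign off.
APPROVAL_LIMITS = {"u001": Decimal("50000.00"), "u002": Decimal("5000.00")}

def parse_amount(text):
    """Return the amount as a Decimal, or None if the field is not a well-formed number."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None

def validate_record(rec):
    """Completeness, accuracy and authorization checks on one record; returns exception messages."""
    txn = rec.get("txn_id") or "?"
    errors = []
    for field in REQUIRED_FIELDS:                      # completeness: every mandatory field present
        if not rec.get(field):
            errors.append(f"{txn}: missing {field}")
    amount = parse_amount(rec.get("amount", ""))
    if amount is None or amount <= 0:                  # accuracy: amount is a positive number
        errors.append(f"{txn}: invalid amount {rec.get('amount')!r}")
    approver = rec.get("approved_by")
    if approver and approver == rec.get("submitted_by"):   # authorization: no self-approval
        errors.append(f"{txn}: self-approval by {approver}")
    if amount is not None and approver in APPROVAL_LIMITS and amount > APPROVAL_LIMITS[approver]:
        errors.append(f"{txn}: amount exceeds approval limit of {approver}")  # authorization: limit
    return errors

def validate_batch(batch, header):
    """Validate each record, then reconcile the batch against the header's count and control total."""
    errors = []
    for rec in batch:
        errors.extend(validate_record(rec))
    if len(batch) != header["record_count"]:            # completeness at batch level
        errors.append(f"batch: record count {len(batch)} != {header['record_count']}")
    parsed = [parse_amount(r.get("amount", "")) for r in batch]
    total = sum((a for a in parsed if a is not None), Decimal("0"))
    if total != Decimal(header["control_total"]):       # accuracy at batch level
        errors.append(f"batch: control total {total} != {header['control_total']}")
    return errors

if __name__ == "__main__":
    for e in validate_batch(RAW_BATCH, BATCH_HEADER):
        print(e)
```

The batch-level checks matter as much as the per-record ones: the malformed amount in T4 is caught on its own, but the control-total mismatch is what tells the operator that the sender and the receiver disagree about what the batch contains, which is the kind of processing error the paragraph describes. A batch with any exception would be held for correction rather than posted.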


    Sourcing and outsourcing

Another complexity relates to global sourcing trends for IT services and, more broadly, business process outsourcing. Organisations may embark on a relationship with a vendor which leads to a marked drop in service standards, and the cost savings are not as expected. Disputes between partners are common where commercial contracts have not been properly constructed according to established IT governance principles, or are not applied from the start. There should be no room for ambiguity on standards, objectives and responsibilities. Today, all risk mitigation strategies must be extended to service providers.

There is a need to ensure that adequate IT risk mitigation measures and controls are adopted by all third parties, and the controls need to be tested from time to time.

    Performance measurement

With IT there's a choice: you can drive it or be driven. In a business context, risk is not just about disasters and security attacks, but also about the business risks of costly project failures. Given the significant costs and strategic value of IT, measuring its performance is as important as any other key business function. Yet many organisations find IT performance measurement challenging, so they settle for measuring what they can rather than what they want or need to. Most organisations run several IT projects rather than an IT programme. Several of them are in fact project failures, and this happens due to a number of reasons, from poor planning to a weak business case, a lack of involvement from the top management, poor budgeting and inadequate quality control. With a significant amount of investment going into IT projects, failures can have adverse effects which can take months and years to recover from.

    Regulatory non-compliance

Many regulations and laws apply to information systems: privacy, data integrity, systems availability, and delivery of accurate financial reporting. Sarbanes-Oxley and the future EU's 8th Directive specifically demand that boards and senior executives understand IT risks. Ignorance is no defence. Violation of licence terms and conditions is common. It may happen unknowingly, but exposes the organisation to legal and reputation-related risks. Organisations can face legal implications if software licences are not upgraded and regular reviews are not conducted for validity of licences.

    IT strategy and spends

Sub-optimal spending on IT can worsen the overall risk posture of an organisation. Good IT governance includes the understanding of cost drivers and issues in IT, the nature of budgets and spending, and how spending is monitored. With IT costs increasing as a proportion of corporate expenditure, shareholders and other stakeholders expect organisations to be diligent in ensuring that these costs are justified and controlled. IT strategy also includes planning for technology obsolescence. Technology that is inadequate for the enterprise or becomes obsolete too soon is a growing concern. This has an adverse effect on productivity and cost efficiency as well as on security. Technology is changing at a rapid pace, and unless organisations constantly upgrade their IT infrastructure, their business will suffer.

    IT management infrastructure


IT management infrastructure plays a key role in IT governance. Often, organisations do not have an infrastructure to support the requirements of the business in an efficient, cost-effective and well-controlled manner. Infrastructure risks are associated with a series of information technology processes used in defining, developing, maintaining and operating an information processing environment and the associated application systems. This normally stems from a lack of, or weak, organisational planning. The use of wireless networks, IT outsourcing, storage of customer data on electronic payment systems, online sales and service channels, remote networking and the increase in automation of manual processes continue to affect a company's IT risk exposure, and can only be lessened by effective IT management infrastructure.

Some companies choose to delegate board-level oversight to IT steering committees in much the same way as they do with audit and compensation. But boards remain challenged by such issues as who should sit on these committees, what level of technology expertise is required, and how best to use the skills of other business leaders such as non-executive directors.

The board has a fiduciary responsibility to shareholders and the organisation, while executive management has an operational responsibility to ensure the continuation of business in the face of systems failure, threats or attacks, all of which fall within the realm of proper IT governance.

The responsibility of the CEO involves adopting a risk control and governance framework, embedding responsibilities for risk management in the organisation, and monitoring IT risks and accepting residual IT risks. The responsibility of assessing risks and mitigating them to ensure that they are transparent to the stakeholders, implementing an IT control framework, and ensuring that roles critical for managing IT risks are appropriately defined and staffed lies with the CIO.

Since the user of IT services is the enterprise, it should set the mandate for risk management and provide the resources to support and monitor the plan designed to protect specific business interests. In today's complex business environment, the IT service provider also needs to advise its clients to ensure that proper safeguards are in place. Internal and external auditors need to throw light on inadequate processes or risks that are not being appropriately addressed. They must assure the management that adequate measures have been adopted and implemented, or else make recommendations for improvement.

Ultimately, individuals across the organisational hierarchy need to be aware of their responsibilities towards an effective IT risk management programme. Building a fence around IT risk to separate it from the rest of your organisational activity will not work, because the alignment of your IT strategy to your business strategy will underline the success and even the survival of your organisation.


GOVERNANCE PHILOSOPHY AT BHARTI AIRTEL

At Bharti Airtel, corporate governance practices are based on the following broad principles, with the objective of adhering to the highest standard of governance through continuous evaluation and benchmarking:

- Well-experienced and diverse Board of directors, with expertise across global finance, telecommunication, banking, administrative services and consulting;
- Adoption of transparent procedures and practices;
- Ensuring compliance with regulatory and fiduciary requirements in letter and spirit;
- High levels of disclosures for dissemination of corporate, financial and operational information to all its stakeholders;
- Adoption of policy on tenure of directors, rotation of auditors and a code of conduct for directors and senior management;
- Creation of various committees for audit, senior management compensation, HR policy, employee stock option plans and investor grievance;
- Ensuring complete and timely disclosure of relevant financial and operational information to enable the Board to play an effective role in guiding strategy;
- Informal meeting of independent directors without the presence of any non-independent/executive directors to identify areas where they need more clarity or information, and then put them before the Board or management;
- A formal induction schedule for new Board members that enables them to meet individually with the senior management team;
- Reviewing regularly and establishing effective meeting practices that encourage active participation and contribution from all members;
- Independence of directors in reviewing and approving corporate strategy, major business plans and activities as well as senior management appointments;
- Well defined corporate structure that establishes checks and balances and delegates decision making to appropriate levels in the organisation.

CORPORATE GOVERNANCE RATING

In 2011, CRISIL reviewed the corporate governance practices adopted by the Company and re-affirmed its Governance and Value Creation (GVC) rating, viz. CRISIL GVC Level 1. The rating indicates that Bharti Airtel's capability with respect to corporate governance and value creation for all its stakeholders is the highest.

We acknowledge that standards are a constantly upwardly moving target, and we aim to establish and benchmark ourselves with the best of companies in India and overseas to ensure that we continue to maintain the highest rating for our practices.

GOVERNANCE STRUCTURE

Building a culture of integrity in today's complex business environment demands high standards in every area of operation. Bharti Airtel's commitment to total compliance is backed by an independent and fully informed Board and comprehensive processes and policies to enable transparency in our functioning. The organisation structure is headed by the Group Chairman & Managing Director, supported by the CEO (International) & Joint Managing Director and the CEO (India & South Asia). The CEO (International) & Joint Managing Director is responsible for the international operations of the Company. The CEO (India & South Asia) has direct responsibility for operations of the Company in the India and South Asia region. There is a clear demarcation of duties and responsibilities amongst the three positions:

- The Group Chairman and Managing Director is responsible for providing strategic direction, leadership and governance, leading transformational initiatives and international strategic alliances, besides effective management of the Company with a focus on enhancing Bharti's global image;
- The CEO (International) and Joint Managing Director is based in Nairobi, Kenya and is responsible for the overall business performance, management and expansion of the international operations. He is also responsible for employee engagement, customer satisfaction, outsourcing initiatives and the internal control metrics for the international operations;
- The CEO (India & South Asia) heads the India and South Asia operations and is responsible for overall business performance in this region. He is also responsible for employee engagement, customer satisfaction, ensuring success of outsourcing initiatives and improvements in the internal control metrics for India and South Asia operations.
