27 November 2007

Borrowed too much

By Andrew Clifford

Management controls in IT overlook many important aspects. To be more effective, we need to do more than just borrow control methods from other areas.

IT is a young subject, and has to draw on experience from other areas. These have made a great contribution, but in some cases they miss what is especially important for IT. This is particularly true of management controls, such as quality management and audit. Because of this, controls are often seen by the IT organisation as irrelevant and unwelcome, rather than helping them do their job.

The predominant quality control model grew up in manufacturing industry. It is based on the idea that quality cannot be inspected into the product: the final product is the inevitable outcome of the manufacturing process, so to improve quality you have to manage the quality of the process.

This process view of quality has been taken into IT. Perhaps the best known example is the CMMI framework.

CMMI and similar frameworks are valuable tools, but they have limitations. IT systems are not strictly repeatable; if they were, why would we ever need more than one of them? IT systems are variable. They change constantly, and the environment around them changes constantly. If you only manage the process, and never look at the product, you will miss this variability and change. You will miss the need for ongoing management to prevent decline.

Audit is a well-established part of accountancy. The stuff of accountancy, money, is relatively simple, but it needs very stringent controls to prevent abuse. You need to check that the accounts are correct, and that effective procedures are defined and followed.

These checks passed into IT audit. But IT is not the same as accounting. The stuff of IT is not just a number on a ledger or in a bank account. The stuff of IT, IT systems, is fantastically complicated, almost an organic entity. Even if procedures are perfectly defined and executed, the IT systems can be woefully inadequate.

We need to address this oversimplification of controls in IT. I am not suggesting that we throw away the existing controls, but mix in extra controls that are especially important for IT, such as:

We sometimes include these in controls, but usually along the lines of "Has the system design documentation been filed correctly?", rather than the more direct "Is the system design good?". We need to extend IT controls so that they do not just control processes, but also control the important characteristics of IT systems.

This would make IT controls more relevant and welcome to IT organisations. It would be a way of showing the value of their work, not just beating them up because their procedures are not completely defined, followed and controlled.

This is what system governance is all about. It is an IT control method. It does not ensure procedures are defined and followed. Instead, it focuses on the characteristics of the IT. It brings a much needed balance to IT management controls, and makes controls more relevant and more valuable to the work we do in IT.