
ASSIGNMENT NO:4

Information systems helping in better corporate governance

A board needs to understand the overall architecture of its company's IT applications portfolio. The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue. (Source: Wikipedia)

Corporate governance describes the process and structure for overseeing the direction and management of a Crown corporation so that it effectively fulfils its mandate. Good corporate governance can contribute to the corporation's achievement of both its public policy and commercial objectives.

The manner in which a corporation is run:

- Achieving its Objectives
- Transparency in its Operations
- Accountability & Reporting
- Good Corporate Citizenship

Corporate governance has to do with managing the risks of doing business, and thus protecting the stakeholders of the corporation. Comprehensive, enterprise-wide risk management is the main purpose of corporate governance. Aside from the inherent risk implicit in the nature of business, a business firm's risks can be identified with its systems, both manual and automated. A corporation comprises many systems, two of which are the most significant: the operational system and the information system. The two are like two sides of the same coin. Operations are supported by information and, at the same time, operations are a source of data.

The use of information technology (IT) in information management has made a considerable impact on these corporate governance mechanisms.

The developments in Information Technology have a tremendous impact on auditing. Information Technology has facilitated re-engineering of the traditional business processes to ensure efficient operations and improved communication within the organisation and between the organisation and its customers. Auditing in a computerized and networked environment is still at its nascent stage in India and established practices and procedures are evolving. A well-planned and structured audit is essential for risk management and for monitoring and control of Information Systems in any organisation.

PREPARED BY: TONMOY BORAH

3RD YEAR MBA (PT)


Top-level Management is responsible for long-term policy decisions on the use of the Information Systems in the organisation. Information Systems Management is responsible for planning and controlling the Information Systems activities in the organisation. It provides assistance to the top management for making long-term policies and translates the long-term policies into short-term goals and objectives.

An information system (written IS) represents all the elements involved in the management, processing, transport and distribution of information within the organisation. In practical terms the scope of the term Information System can differ greatly from one organisation to another and depending on the example may cover all or some of the following elements:

Company databases, integrated management software (ERP), client relationship management tool (Customer Relationship Management), supply chain management tool (SCM - Supply Chain Management), application jobs, network infrastructure, data servers and storage systems, application servers, security devices.

The Information System should safeguard its assets and maintain data integrity. It should help in achieving the organization's goals. A secure information system should have established comprehensive procedures and controls, which are backed by commitment from the Management of the organisation. These procedures and controls must be monitored periodically to confirm that they are in place and operational, so that the information stored in these systems continues to be dependable. Periodical monitoring is achieved by IS audit.


IS audit is a process of collecting and evaluating information to determine whether a computer system could:

a) safeguard its assets (hardware, software and data) through adoption of adequate security control measures;
b) maintain data integrity;
c) achieve goals of the organization effectively; and
d) result in efficient use of the available Information System resources.

Risk management is a critical component of corporate governance. Risk management helps organisations recognise the wide spectrum of risks that they are exposed to. It aims to help them prioritise risks based on their potential impact, put mitigation plans in place, and monitor them so that they don't become hurdles in achieving corporate objectives. Information technology is a key support function in any business, and regulation requires the board and the management to report key risks, and their assessment of how these risks are being managed. The Chief Information Officer (CIO) needs to play a significant role in supporting boards, audit committees and the management, in first understanding, and then implementing, good governance over IT.

Security and disaster recovery used to be major risk factors, but today, IT risk management covers a range of factors such as runaway projects, global sourcing, regulatory compliance, privacy, trans-border data flow, export control, financial disclosure, certifications, business continuity, fraud detection, protection of intellectual property and shortage of skilled resources. The list is endless, and promises to keep growing. The sources of risk are multiplying as well. Natural disasters such as fires, floods, earthquakes and cyclones have always been a risk for IT. To that list of natural calamities can be added an ever-expanding range of man-made risks (viruses, worms, Trojan horses, phishing, spyware and identity theft), making the IT risk management job more difficult with every passing day. In addition, globalisation, new technology and attrition rates complicate the task of managing IT risks. Technology not only creates new risks, but also plays an important role in mitigating risk. As such, IT executives must now work closely with business unit leaders and executive managers to adopt a formalized set of reproducible and scalable risk and compliance management technologies and techniques.

The seven key areas of risk that CIOs need to discuss, strategise and budget for include the

Business Continuity Planning/Disaster Recovery Planning (BCP/DRP)

Every organisation faces the risk of having to deal with known and unknown disasters. Organisations that use IT strategically and need to recover from significant business interruptions deploy Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) systems. BCP should not only be documented but also tested, updated and validated regularly to mitigate the threat of the non-availability of IT services disrupting automated operations and key business operations. BCP/DRP are not only about infrastructure and planning, they are also about people. People play a key role in ensuring that the organisation continues to function securely at pre-determined acceptable levels. DRP/BCP are like insurance and need to be renewed, just as insurance is renewed with premium payments.

Information security and data integrity

Security-related incidents have been on the front burner of organizations for several years. Security breaches may occur due to the negligence of staffers, third-party access to key applications, or lack of appropriate security of information systems. It is essential that all organizations have information security policies and procedures in place as well as a formal incident response management team that can detect and escalate security breaches.

Key risk areas that need to be focused on in logical access management include lack of procedures on user access rights and inadequate review of access rights on a periodic basis. Segregation of duties amongst users should be addressed to promote tighter control. Physical access risks exist on account of poor awareness levels and training. Investments made by organizations are in physical goods and not in IT assets, especially data. Physical security functions are typically not integrated with information systems security.

Data integrity risk encompasses all of the risks associated with the authorization, completeness and accuracy of transactions as they are entered into, processed by, summarized and reported on by various application systems deployed by an organization. These risks pervasively apply to each and every aspect of an application system used in supporting a business process. Integrity can be lost due to programming and processing errors, and poor management. Adequate preventive and detective controls need to be put in place to ensure that only valid and complete data are entered into all systems and applications.


Sourcing and outsourcing

Another complexity relates to global sourcing trends for IT services, and, more broadly, business process outsourcing. Organisations may embark on a relationship with a vendor which leads to a marked drop in service standards, and the cost savings are not as expected. Disputes between partners are common where commercial contracts have not been properly constructed according to established IT governance principles or are not applied from the start. There should be no room for ambiguity on standards, objectives and responsibilities. Today, all risk mitigation strategies must be extended to service providers. There is a need to ensure that adequate IT risk mitigation measures and controls are adopted by all third parties and the controls need to be tested from time to time.

Performance measurement

With IT there's a choice: you can drive it or be driven. In a business context, risk is not just about disasters and security attacks, but also about the business risks of costly project failures. Given the significant costs and strategic value of IT, measuring its performance is as important as any other key business function. Yet many organisations find IT performance measurement challenging, so they settle for measuring what they can rather than what they want or need to. Most organisations run several IT projects rather than an IT programme. Several of them are in fact Project Failures, and this happens for a number of reasons, from poor planning to a weak business case, a lack of involvement from the top management, poor budgeting and inadequate quality control. With a significant amount of investment going into IT projects, failures can have adverse effects which can take months and years to recover from.

Regulatory non-compliance

Many regulations and laws apply to information systems: privacy, data integrity, systems availability, and delivery of accurate financial reporting. Sarbanes-Oxley and the future EU's 8th Directive specifically demand that boards and senior executives understand IT risks. Ignorance is no defence. Violation of licence terms and conditions is common. It may happen unknowingly, but exposes the organisation to legal and reputation-related risks. Organisations can face legal implications if software licences are not upgraded and regular reviews are not conducted for validity of licences.

IT strategy and spends

Sub-optimal spending on IT can worsen the overall risk posture of an organisation. Good IT governance includes the understanding of cost drivers and issues in IT, the nature of budgets and spending, and how spending is monitored. With IT costs increasing as a proportion of corporate expenditure, shareholders and other stakeholders expect organisations to be diligent in ensuring that these costs are justified and controlled. IT strategy also includes planning for technology obsolescence. Technology that is inadequate for the enterprise or becomes obsolete too soon is a growing concern. This has an adverse effect on productivity, cost efficiency as well as on security. Technology is changing at a rapid pace, and unless organisations constantly upgrade their IT infrastructure, their business will suffer.

IT management infrastructure

IT management infrastructure plays a key role in IT governance. Often, organisations do not have an infrastructure to support the requirements of the business in an efficient, cost-effective and well-controlled manner. Infrastructure risks are associated with a series of information technology processes used in defining, developing, maintaining and operating an information processing environment and the associated application systems. This normally stems from a lack of or weak organisational planning. The use of wireless networks, IT outsourcing, storage of customer data on electronic payment systems, online sales and service channels, remote networking and increase in automation of manual processes continue to affect a company's IT risk exposure and can only be lessened by effective IT management infrastructure. Some companies choose to delegate board-level oversight to IT steering committees in much the same way as they do with audit and compensation. But boards remain challenged by such issues as who should sit on these committees, what level of technology expertise is required, and how best to use the skills of other business leaders such as non-executive directors.

The board has a fiduciary responsibility to shareholders and the organisation, while executive management has an operational responsibility to ensure the continuation of business in the face of systems failure, threats or attacks, all of which fall within the realm of proper IT governance. The responsibility of the CEO involves adopting a risk control and governance framework, embedding responsibilities for risk management in the organisation, and monitoring IT risks and accepting residual IT risks. The responsibility of assessing risks and mitigating them to ensure that they are transparent to the stakeholders, implementing an IT control framework, and ensuring that roles critical for managing IT risks are appropriately defined and staffed lies with the CIO. Since the user of IT services is the enterprise, it should set the mandate for risk management and provide the resources to support and monitor the plan designed to protect specific business interests. In today's complex business environment, the IT service provider also needs to advise its clients to ensure that proper safeguards are in place. Internal and external auditors need to throw light on inadequate processes or risks that are not being appropriately addressed. They must assure the management that adequate measures have been adopted and implemented, or even make recommendations for improvement. Ultimately, individuals across the organisational hierarchy need to be aware of their responsibilities towards an effective IT risk management programme. Building a fence around IT risk to separate it from the rest of your organisational activity will not work because the alignment of your IT strategy to your business strategy will underline the success and even the survival of your organisation.


GOVERNANCE PHILOSOPHY AT BHARTI AIRTEL


At Bharti Airtel, corporate governance practices are based on the following broad principles with the objective of adhering to the highest standard of governance through continuous evaluation and benchmarking:

- Well-experienced and diverse Board of directors, with expertise across global finance, telecommunication, banking, administrative services and consulting;
- Adoption of transparent procedures and practices;
- Ensuring compliance with regulatory and fiduciary requirements in letter and spirit;
- High levels of disclosures for dissemination of corporate, financial and operational information to all its stakeholders;
- Adoption of policy on tenure of directors, rotation of auditors and a code of conduct for directors and senior management;
- Creation of various committees for audit, senior management compensation, HR policy, employee stock option plans and investor grievance;
- Ensuring complete and timely disclosure of relevant financial and operational information to enable the Board to play an effective role in guiding strategy;
- Informal meeting of independent directors without the presence of any non-independent/executive directors to identify areas where they need more clarity or information, and then put them before the Board or management;
- A formal induction schedule for new Board members that enables them to meet individually with the senior management team;
- Reviewing regularly and establishing effective meeting practices that encourage active participation and contribution from all members;
- Independence of directors in reviewing and approving corporate strategy, major business plans and activities as well as senior management appointments;
- Well defined corporate structure that establishes checks and balances and delegates decision making to appropriate levels in the organisation.

CORPORATE GOVERNANCE RATING

In 2011, CRISIL reviewed corporate governance practices adopted by the Company and re-affirmed its Governance and Value Creation (GVC) rating viz. CRISIL GVC Level 1. The rating indicates that Bharti Airtel's capability with respect to corporate governance and value creation for all its stakeholders is the highest. We acknowledge that standards are a constantly upwardly moving target, and we aim to establish and benchmark ourselves with the best of companies in India and overseas to ensure that we continue to maintain the highest rating for our practices.

GOVERNANCE STRUCTURE

Building a culture of integrity in today's complex business environment demands high standards in every area of operation. Bharti Airtel's commitment to total compliance is backed by an independent and fully informed Board and comprehensive processes and policies to enable transparency in our functioning. The organisation structure is headed by the Group Chairman & Managing Director, supported by the CEO (International) & Joint Managing Director and CEO (India & South Asia). The CEO (International) & Joint Managing Director is responsible for the international operations of the Company. CEO (India & South Asia) has a direct responsibility for operations of the Company in India and South Asia region. There is a clear demarcation of duties and responsibilities amongst the three positions:

- The Group Chairman and Managing Director is responsible for providing strategic direction, leadership and governance, leading transformational initiatives, international strategic alliances besides effective management of the Company with a focus on enhancing Bharti's global image;
- The CEO (International) and Joint Managing Director is based in Nairobi, Kenya and responsible for the overall business performance, management and expansion of the international operations. He is also responsible for employee engagement, customer satisfaction, outsourcing initiatives and the internal control metrics for the international operations;
- The CEO (India & South Asia) heads the India and South Asia operations and is responsible for overall business performance in this region. He is also responsible for employee engagement, customer satisfaction, ensuring success of outsourcing initiatives and improvements in the internal control metrics for India and South Asia operations.

Ref:

1. The Information Systems Audit Manual, prepared by the Working Group on the introduction of Information Systems Audit in Reserve Bank of India.
2. Guidelines for Information Systems Audit by the Information Systems Audit and Control Association & Information Systems Audit and Control Foundation.
