Having had the opportunity to study, review and apply IT Governance, risk, security, audit and controls in my daily

work, and observing the socio-economic landscape of my beloved country, Zimbabwe, I smiled and yet professionally broken because of the huge task ahead of us. Where do we start in the midst of an after storm, considering the lack of governance over IT, adequate technology investments and IT appreciation by the organisations key stakeholders? It is a journey, we acknowledge as those charged with the responsibility and accountability of governance, control, value addition and protection of information technology and related information assets. However, the objective is to begin with the end in mind and take the ideal and let it manifest in the now. This will result in organisations worrying less about governance and security but instituting security governance and controls on an iterative approach to assist with the protection of technology and information assets in line with acceptable best practice frameworks and standards. Executives may wonder how to respond to advice from either internal or external auditors about the risks pertaining to their organisations technology environment and subsequently the impact it may have on financial reporting and disclosures. The questions is how do we address the risk findings and still focus on sustaining the business to at least above minimum or average operating capital and have a focused and sustained growth in the short to medium term? To put this question into perspective, it is a fact that if IT governance and protection of technology and information assets are not planned for carefully and in detail, it will be costly to an organisation. So much that the business will not realise its return on investment. Poorly designed security framework or standards exhibit potential control weaknesses compromising organisational information and technology or it could be that the technology division may not be meeting the objectives of the business. So what can be a meaningful and sizeable starting point to kick start security in an organisation in light of the Zimbabwean economy and the hunger to return to real profit margins and a healthy balance sheet? Because of independence issues in regards to auditors (internal or external), organisations can take advantage of skilled governance, risk and security professionals to assist them with instituting governance, controls, security and continuity over its information technology investment and related information not limited to financial data. I guess from a simple but informed point of view executives can mandate a risk gap analysis to be conducted on their behalf and this exercise will take into account each past audit report issued by any auditor. The basis of this gap analysis is to identify where the company is, in regards to information security and benchmark against acceptable best practices to assess the gap and the potential risks and impact if risk mitigation plan is put in place. This detailed document provides management with a starting point to then address control weaknesses identified. From the gap analysis, further work may be carried out to qualify and quantify each risk identified, its resolution, cost and benefit, resources and skills required and its potential impact on the technology environment and the business. This vital stage allows the organisation to perform an impact assessment and determine the plan of action, what activities should be conducted and how the plan will be managed and accounted for by those charged with the responsibility. Is this a feasible starting point, an example will be key to bring clarity to this point? Let us take information technology general controls (ITGC) as an example a key area that audit looks at for their audit procedures to determine whether or not to place reliance on IT and information being processed by these systems is it correct, complete and accurate. Taking change management a subcomponent of ITGC, assuming that there were risks identified by the auditors if management reads the findings, potential impact and recommendation carefully, you may find that generally the key

issues that come out are the lack of a clearly defined policy or process. This subsequently results in noncompliance such that reliance may not be placed on the control environment. In addressing the issue a gap analysis will help management identify what the root cause of the problem could be in this case it may be that IT governance or clearly define process have not been put in place or that there may be a lack of qualified skills in house to fully articulate and comply with the IT policy or other reasons but the underlying principle is to then take the root cause and translate it into a workable solution to bridge the gap and mitigate the risks involved. This is just a high level and summarised example but the fact of the matter is that now is the time for executives and management take control over their technology and information assets. Institute security and protect the organisations technology assets and information. Defining, implementing and continuously improving security and control over technology and information for an organisation should not wait till an organisation is in the right standing. Now is the time, hence the awareness initiatives. Let us engage and always remember it can be done.