First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Mitigate the risks associated with IT systems acquisition

IT systemsAny organization which acquires IT systems must do so carefully. Among other reasons, systems may be costly, they may be critical to business operations, and they may create significant risks (for example a risk of security breaches). The following suggestions will help to mitigate some of the risks associated with IT systems acquisition:

  1. Ensure that the system will meet the organization’s needs and is the most cost-effective solution. Quite often organizations acquire and implement IT systems only to discover that the system does not have all the capabilities they expected, or does not meet the basic needs of the relevant user group.
  2. If a new system needs to be compatible with existing equipment or systems, make this determination early and eliminate incompatible systems from consideration.
  3. Preparing a business case is one way to analyse suitability, compatibility, cost and other criteria. A business case will include the following essential steps:
    • Identify the requirements or needs – carefully.
    • Identify and involve users or user departments in the acquisition process.
    • Prioritize the requirements.
    • Identify at least 2 or 3 prospective solutions to evaluate. Prepare a table, listing each solution across the top and listing all the desired features or requirements down the left-most column. Ensure that you list the most important requirements. For each requirement listed, put Xs (or if you prefer, tick-marks) in the grid beneath any solution that delivers on the desired requirements or features. This grid approach makes it easier to visually identify which prospective solution may best meet the organization’s needs.

      Remember to include cloud solutions in your analysis because cloud solutions increase the options available to the organization and may be the most cost-effective option.

    • Identify all costs to acquire the system. For example, if the organization must construct or assemble the system it must identify and quantify all the inputs that will go into its construction.

      If the system is to be acquired from a vendor, ensure that there are no hidden costs or misunderstandings about the features or services included in the acquisition price. For instance, does the cost include vendor support for data migration or other transition activities?

    • Identify all benefits – quantitative (for example reduced production costs) and qualitative (for example improved morale), associated with the acquisition.
    • Evaluate – it is helpful to reduce costs and benefits to a dollar or numeric value where possible, to compare prospective solutions.
    • Choose – Confidently select a system, based on hard numbers and rigorous analysis.
  1. Obtain board approval if necessary, in addition to senior management approval. IT systems are no longer within the sole purview of the IT department and its management. Board involvement may be necessary if the acquisition is a material component of the organization’s total budget because boards have governance oversight of major corporate expenditure.

Additionally, organizations have increasing exposure to risks like privacy breaches and cyber attacks. These and other risks may be a direct consequence of the IT systems which an organization acquires, or fails to acquire. Boards address these risks as part of their oversight.

For more information on IT systems, consult Chapter 2.00 – Systems Acquisition, Maintenance and Disposal in Information Technology PolicyPro. Not a subscriber? Request a free 30–day trial here.

Apolone Gentles, JD, CPA,CGA, FCCA, Bsc (Hons)

Apolone Gentles is a CPA,CGA and Ontario lawyer and editor with over 20 years of business experience. She has held senior leadership roles in non-profit organizations, leading finance, human resources, information technology and facilities teams. She has also held senior roles in audit and assurance services at a “Big Four” audit firm. Apolone has also lectured in Auditing, Economics and Business at post-secondary schools. Read more here

Latest posts by Apolone Gentles, JD, CPA,CGA, FCCA, Bsc (Hons) (see all)

Send to Kindle

, , , , , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.