Audit executives everywhere need to get clued up on IT

COMPANY audit executives need a good translator when overseeing the governance of their information technology departments, according to a new KPMG study. The study confirms a trend that has frequently been noted in this column and by others: non-technical directors tend to shy away from matters they think they may not be expert at overseeing.

Yet if they were to say this of every topic under their direction, they would soon be in charge of nothing. IT is one of the areas executives everywhere need to understand in a framework, and then deal with according to time-tested management techniques. Again, the problem is one of psychology and the fear of language and of being made to look stupid.

"In particular IT risk has become one of audit committees' top oversight priorities, yet most audit committee members say they don't spend adequate time on the issue, a problem compounded by a tech 'language barrier' between audit committee members and technology officers," KPMG said in its new study.

KPMG's Audit Committee Institute (ACI) surveys show that while most audit committee members say oversight of IT risk and IT governance is one of their top priorities for 2007, only nine percent said they are "very satisfied" their committee devotes sufficient agenda time to it.

KPMG explains the difference between need and practice as due to the highly complex nature of information technology. Many audit committees lack IT expertise.

"Making the problem worse is that management tends to talk about technology rather than information," said KPMG.

With companies making huge IT investments, dealing with the issue is essential to running a business.

Boston-based advisory firm AMR Research estimates that US companies spent $9 billion on IT in 2006 and will spend up to $28 billion in 2007.

In fact, oversight does not require knowledge of the nitty-gritty details of computing and networking, although that knowledge does help if your IT person begins to use those details on you as a means of intimidation. Instead, IT oversight is about where management is taking IT, how management is using technology to meet corporate goals, and how it is handling the company's information and related technology risks, said KPMG. At a KPMG roundtable discussion on the issue, Kevin Shearan, executive vice president and chief information officer of Pittsburgh-based Mellon Financial, said oversight is a matter of business.

"The language question falls squarely on the back of the executives," he said. "They need to speak in business terms." To address the language barrier issue, audit committees can focus discussions on management information, said Scott Reed, a partner in KPMG's New York office.

"There is a need to manage and oversee the risks to information reliability and security," said Reed. "A question for the audit committee is what is management doing to manage these risks, which are many. They include poor information quality, privacy and security, outsourcing and business continuity."

KPMG's Audit Committee Institute (ACI) said those overseeing IT risks need to answer three questions:

How is management ensuring the information is high quality?

What is management doing to ensure the information is available around the clock, especially if there is a disruption?

And what is being done to protect against unauthorised access?

****

CONGRATULATIONS to the people at QuoVadis for landing a multi-million dollar investment to help the Bermuda-based company expand overseas. I was around when QuoVadis started up, and got to see them hard at work attempting to take on the big boys in the online security market. It has taken a few years, but now they are on the verge of making themselves known more widely.

Perhaps we might soon be able to list QuoVadis, along with payment processor First Atlantic Commerce, as among Bermuda's first internet exports.

If you have any comments send them to Ahmed at elamin.ahmed@gmail.com.