Exploring differences between large and medium organizations’ Corporate Governance of Information Technology Discussant Comments Christopher O’Connor, Partner, Risk Assurance Saturday, October 3, 2015

PricewaterhouseCoopers LLP Introduction I am a practitioner with historical experience with a broad base of Large Organizations (LOs) and Medium Enterprises (MEs) in Canada and some global entities. My recent experience is more with MEs and Small Entities (SEs) often privately held. I am not a statistician nor researcher  Cannot fully comment on research methods other than as a reader. Comments and observations are my own  Not necessarily those of PwC. Limitations are:  Australian Medium Enterprises and Large Organizations. UW CISA Symp Oct 3 15 – O’Connor – Exploring Differences between LOs and MEs CGIT 2 Oct. 3/15

PricewaterhouseCoopers LLP Summary of Study’s Key Conclusions Both MEs and LOs indicated human engagement as a primary source of challenge, with responsibilities managed in terms of assigned responsibility and commitment rather than control. Whilst prior research has found IT strategic alignment with business objectives as a primary factor in delivering IT value through CGIT, this research provides some indication of the importance of risk management to CGIT, regardless of organizational size. In general, our findings demonstrate that LOs and MEs both acknowledge CGIT as an initiative by which to enhance business value through delivering organizational capabilities. Based on the limitations of the paper, I agree with the conclusion; however, it belies my personal experience in a given geography – but that is beyond the study’s scope. UW CISA Symp Oct 3 15 – O’Connor – Exploring Differences between LOs and MEs CGIT 3 Oct. 3/15

PricewaterhouseCoopers LLP Observations 1. Intended audience of paper May benefit from having the research paper and another more business oriented summary. In its current form, will there may be limited appeal/use to those charges with Governance and CIOs? 2. Research Research methods are literature review/theoretical concepts and survey/response analysis. My personal experience with this inherently makes me desire more substance or corroboration – but that may be a practitioner bias. UW CISA Symp Oct 3 15 – O’Connor – Exploring Differences between LOs and MEs CGIT 4 Oct. 3/15

PricewaterhouseCoopers LLP Observations 3. SE, ME and LO’s Implied presumption of CIO or equivalent in MEs. Experientially, in the last 3 years, my clients (85%+) fit into ME and have at best, a manager of IT – not an equivalent of CIO – no executive air time. 4. Frameworks Higher awareness of Project Management Frameworks than of other governance frameworks from IT – correlates with my experience. ME and LO awareness of C OBI T was the same – not in my personal experience – but may be geographically or industry based. UW CISA Symp Oct 3 15 – O’Connor – Exploring Differences between LOs and MEs CGIT 5 Oct. 3/15

PricewaterhouseCoopers LLP Observations 5. View of CGIT Lowest reliance on ISO standard definition. Reflects my personal experience – often shy away from ISO and use more of COSO, C OBI T or ITGI. 6. Challenges – Human Element Challenges and reports are similar. Might have expected increased challenges in MEs. UW CISA Symp Oct 3 15 – O’Connor – Exploring Differences between LOs and MEs CGIT 6 Oct. 3/15

PricewaterhouseCoopers LLP Random Thoughts and Musings Agree with the need for broader global analysis. SE, ME and LO globally and for individual nations and relevant comparators – possibility and alignment. How is the perceptive information corroborated or enhanced? Are there factors that contribute to the results? – i.e. board members of MEs on LOs – i.e. what is the driver behind the similarity? UW CISA Symp Oct 3 15 – O’Connor – Exploring Differences between LOs and MEs CGIT 7 Oct. 3/15

PricewaterhouseCoopers LLP Summary I am grateful for this research and insights. Based on the limitations disclosed in the research, I agree with the results even though some of my personal experience would result in some adjustments to the findings and conclusion. I think this is a practical element of research that could be used in my day-to-day business and that of other practitioners. UW CISA Symp Oct 3 15 – O’Connor – Exploring Differences between LOs and MEs CGIT 8 Oct. 3/15

Thank you… © 2015 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details. This proposal is protected under the copyright laws of the United States and other countries. This proposal contains information that is proprietary and confidential to PricewaterhouseCoopers LLP, and shall not be disclosed outside the recipient's company or duplicated, used or disclosed, in whole or in part, by the recipient for any purpose other than to evaluate this proposal. Any other use or disclosure, in whole or in part, of this information without the express written permission of PricewaterhouseCoopers LLP is prohibited.