Specific governance issues that link IT directly to board concerns are the risks posed by IT and the systems that are implemented using IT. The 'systems of organizational control' cited in the corporate governance literature and in various legislative enactments typically include substantial IT functionality. Auditors have a key role in examining systems, yet the ability to audit these organizational systems depends upon the ability to be able to audit the underlying IT systems and to identify their weaknesses and limitations. This paper examines some of the limitations of the audit approach to dealing with IT-based systems. This is one dimension of the risks that are posed by IT. Given that board members must have a thorough understanding of the risks facing the organization, it is essential that all the IT-related risks are surfaced. This paper summarizes the findings of research in IT-related areas of risk and then draws together a charter for IT governance that meets the wider needs of corporate governance. IT risks are collated in the form of a portfolio so that risk is dealt with in a positive, systematic manner. Too often risk is 'swept under the carpet'. The portfolio sets out to be exhaustive so that all risk can be brought together under a single managerial role. The IT governance model balances risks with strategic goals and the specific benefits that are intended through the implementation of IT.