BAA-Audit & Information Systems

By
Winston Phethi

What is IT Governance
Why IT Governance
Rationale for IT Governance
Roles, Frameworks and Standards in
IT Governance
Benefits of IT Governance
Effects of ineffective IT Governance
Five Elements of IT Governance
Role of Auditing in IT Governance

IIA Definition
Consists of the leadership, organizational structures and processes that ensure that the enterprise's information technology supports the organization's strategies and objectives.
ISACA Standards Definition
The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives.
Other definitions
A set of relationships and processes designed to ensure that the organization's IT sustains and extends the organization's strategies and objectives, delivering benefits and maintaining risks at an acceptable level.

Governance is not about what decisions get made (that is management) but about who makes the decisions and how they are made.
It specifies the decision rights and accountability framework to encourage desirable behaviours in the use of IT.

Organizations have realized that IT is no longer a support process.
To set up a risk management program that addresses new risks arising from the usage of IT in business processes.
To direct IT endeavors, to ensure that IT's performance meets the following objectives:
Alignment of IT with the enterprise and realization of the promised benefits;
Use of IT to enable the enterprise by exploiting opportunities and maximizing benefits;
Responsible use of IT resources;
Appropriate management of IT-related risks.

The business and IT do not work in conjunction to define IT objectives
IT and business objectives are not aligned
IT does not effectively manage costs to meet business objectives
IT risks are not identified, assessed, or mitigated to meet business objectives
IT resources are not effectively aligned to meet business objectives
Internal and external IT systems, processes, and personnel are not monitored to determine whether business needs are being met
The business does not recognize the value from its IT investments
Applications are acquired and/or managed without the involvement of IT personnel

Roles, Frameworks and Standards in IT Governance

Strengthens the relationship between the organization and IT
Helps ensure limited IT resources are focused on the right strategic and tactical activities at the right time

Synergies with Enterprise Risk Management (ERM) and other risk management activities
Helps ensure the appropriate IT risk management processes and activities are in place and operating effectively

Enhanced visibility into the IT Function's ability to achieve both its tactical and strategic objectives
Key Performance Indicators (KPIs) for day-to-day activities and longer-term/strategic initiatives

Improved adaptability of the IT Function to organizational and IT environment changes
Formality of governance structure, processes and activities enables a more efficient and effective response to change

Effective IT governance helps ensure that IT:
supports business goals;
optimizes business investment in IT;
and appropriately manages IT-related risks and opportunities.

Business losses, damaged reputations or weakened competitive positions;
Deadlines not met, costs higher than expected and quality lower than anticipated;
Enterprise efficiency and core processes negatively impacted by poor quality of IT deliverables;
Failures of IT initiatives to bring innovation or deliver the promised benefits.

Source: IT Governance Institute.

Five Elements of IT Governance

Objective:
Determine if a relationship exists between IT and business objectives and if this relationship has been established through participation between both IT and business management.

Example Review Documents
IT Strategic Plan
Third Party service provider agreements and RFP process

Typical Areas to Assess
Is IT management aware of the overall business strategy?
What is IT's involvement in defining the business strategy?
Do current IT initiatives relate to one or more of the organization's strategic objectives?
Is there a clear line of communication between IT and business management?
How do 3rd party service providers support business objectives?
What IT architecture is necessary to support the business objectives?

Objective:
Determine if activities are conducted relating to the identification and analysis of risks impacting the achievement of business objectives and the preparation of financial statements.

Example Review Documents
Business Continuity and Disaster Recovery Plans and Test Results
IT Risk Assessment
3rd Party Service Provider Agreements and Request For Proposal Policies and Procedures

Typical Areas to Assess
Is a process in place to assess, address, and communicate IT risks to key stakeholders and executive management during the project, change, and release management processes?
How does IT select and manage third party vendor relationships?
Does a business continuity and disaster recovery plan exist and is it tested on a periodic basis?
Does a risk management plan exist and are risk management activities incorporated into project, change, and release management processes?
Do discussions between IT, Business, and Compliance leadership occur in order to identify ways in which the IT environment can assist in strengthening the organization's control environment?

Objective:
Determine if the effectiveness of IT systems, processes, and personnel, internal and external, is being monitored for alignment with business needs.

Example Review Documents
Performance metrics for services, projects, processes, and systems
Reports of IT's performance against defined metrics to key stakeholders and executive management
3rd Party Service Level Agreements
Incident and Problem Management Policies and Procedures
Cost Allocation Policies and Procedures

Typical Areas to Assess
Does the IT organization report performance metrics to key stakeholders?
Are processes in place to review key performance metrics and correct items falling below a reasonable level?
Do performance management activities consider both internal and 3rd party IT activities?
Is IT performance reported in IT or business terms? Are the metrics operational, strategic, or both?
Is a process in place to establish performance metrics based on changing business needs?
Do the Board of Directors and executive management have an awareness of IT performance based on quantifiable data?

Objective:
Determine if adequate activities are being performed to align the use of resources (applications, information, infrastructure, people) to meet the needs of the business.

Example Review Documents
IT Organization Chart
IT Job Descriptions
Sourcing Strategy for IT projects
IT Segregation of Duties Requirements
IT Asset Management Policies and Procedures

Typical Areas to Assess
Are processes in place to assess and implement IT segregation of duties?
Has an IT sourcing strategy been established that aligns with business objectives?
Do IT resources dedicate more time to operational or strategic objectives?
Does the IT department have processes in place to facilitate knowledge sharing within the department and with the business?
Have IT resources (employees, applications, hardware) been optimized to support business objectives?
Have formal job descriptions and reporting relationships been created and communicated for all IT positions?
Has an asset management program been established?

Objective:
Determine if IT is effectively managing costs as they relate to meeting business objectives and communicating this management to the appropriate individuals.

Example Review Documents
IT Steering Committee Meeting Minutes
Policies and Procedures for the Development and Management of IT projects
IT Budget

Typical Areas to Assess
Is there a clear relationship between IT project performance indicators and business objectives?
Has the IT budget been communicated to business leadership? Does business leadership understand the investments that have been made in IT?
Does IT actively communicate the expected and realized value of IT projects?
Does the business rely on the integrity and accuracy of data captured and reported by IT systems?
Do IT and business leaders meet on a periodic basis to review the current and upcoming IT initiatives to reassess alignment with business objectives?

Audit plays a significant role in the successful implementation of IT governance within an organization.
Audit is well positioned to provide leading practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiatives implemented.
Audit helps ensure compliance with IT governance initiatives implemented within an organization.

Standard 2110.A2: The internal audit activity must assess whether the IT governance of the organization supports the organization's strategies and objectives.
By:
1. Providing assurance
2. Providing consulting
   - Training
   - Facilitated workshops on IT Governance best practices

- An auditor should review and assess whether the IS function aligns with the organization's mission, vision, values, objectives and strategies.
- The auditor should review whether the IS function has a
clear statement about the performance expected by the
business (effectiveness and efficiency) and assess its
achievement.
- The auditor should review and assess the effectiveness of
IS resource and performance management processes.
- The auditor should review and assess compliance with
legal, environmental and information quality, and fiduciary
and security requirements.
- A risk-based approach should be used by the auditor to
evaluate the IS function.
- The auditor should review and assess the control
environment of the organization.
- The auditor should review and assess the risks that may
adversely affect the IS environment.

- IT Governance: The IT and Internal Audit Perspectives, Pittsburgh ISACA Chapter, Monday, December 5, 2011.
- What is IT Governance and why is it important for the IS auditor? By Richard Brisebois, Greg Boyd and Ziad Shadid, from the Office of the Auditor General of Canada.
- Auditing IT Governance, Steve Hunt, October 11, 2012, from Crowe Horwath.