When performing an ITGC audit, a number of key areas can be reviewed, such as IT governance, IT risk, information security, information systems management, and IT operations. This is a high-level audit, and the IS auditor does not need to go into detailed investigations. The auditor's objective is to gain a general understanding of the IT controls environment.
It is also important to know whom the IS auditor will be interviewing before starting the audit. Questions relating to IT governance are best dealt with by senior management or a member of the board, who should have a good idea of how IT governance is implemented in the enterprise. IT risk and information security questions may be handled by senior management. IT operations and information systems management questions are best handled by IT management or system owners.
IT Governance
It is recommended that an ITGC audit start with IT governance so that the auditor can gain a good understanding of how the board and management are handling IT issues. Where the board and management are not actively involved in IT issues, it is unlikely that IT governance is properly implemented or that the board has any significant influence on the use of IT in the enterprise.
In this section, we show how the IS audit team should investigate the level of IT governance implementation in the enterprise and collect evidence that will enable them to arrive at well-supported findings and conclusions.
a) Have you implemented an IT governance framework in the enterprise?
The IS auditor can expect one of two responses from the client. One would be a categorical no, or 'We have not implemented any IT governance framework'. Of course, some informal IT governance processes might be in place without management necessarily declaring that they have a framework. It would be useful for the auditor to follow up by enquiring how the board and management deal with IT in the enterprise. Such a follow-up might give the IS auditor a hint of what is actually happening. If the enterprise has some form of IT governance system in place, even an informal one, the IS audit team might recommend that management consider implementing a formal IT governance framework based on frameworks and standards such as COBIT, ITIL, ISO/IEC 38500, or other best-practice recommendations.
Where the client answers, 'Yes, we have an IT governance framework', this would be a good response, and the IS auditor would follow up with a few further questions to help collect additional information and evidence to support the statement from the