client. The first follow-up question would probably be to find out whether the documented
framework was approved by the board or senior management.
At this stage, the IS auditor would be required to request a copy of the document with
supporting evidence of board approval through minutes of the board or a written letter from
senior management. Other supporting documents the IS auditor would collect as evidence
would include an IT strategy document, IT policy, IT budget, and IT business plan.
You might have noticed that we have so far identified five important documents as evidence
on IT governance from the first question. Other documents to be collected by the IS auditor
would include the corporate governance framework document, IT governance procedure
documents if necessary, and board minutes. A review of the documents would indicate the
level of implementation of IT governance in the enterprise and the standard or framework
which has been adopted by the enterprise.
b) Is the board aware of their responsibilities regarding IT governance?
It is possible that the enterprise could have an approved IT governance framework but the
board might have limited understanding of their responsibilities due to poor implementation
or sensitization of the board members.
If the response is in the affirmative, then the IS auditor should take note and find out if
there are documents indicating an awareness workshop or implementation meeting which
the board members and senior management attended. The IS auditor might also request that
interviews be conducted with one or two board members to confirm this assertion. A review
of board minutes might also provide useful evidence.
In this second question, the evidence the IS auditor would have identified and collected is
a workshop attendance list, minutes of the IT governance implementation meeting, board
minutes, and interview notes with board members.
If the response to the question was in the negative, the auditor would further investigate
why this is the situation. Such information will help the IS auditor when making conclusions
and recommendations.
c) How do the board and senior management ensure that IT adds value to the enterprise?
Assuming that IT governance has been implemented in the enterprise and both the board
and senior management are aware of their roles and responsibilities, we expect the following
responses from the client.
The response to the above question might be that IT does add value to the enterprise or it
does not. Let's deal with the first possible response. If IT does add value to the enterprise,
the IS auditor might want evidence of how this is possible. The evidence which the client