might point out includes increased efficiency and effectiveness due to implementation of
new IT systems or upgrades. The client might also point to a new IT strategy plan which
the enterprise has implemented. Increased revenue could also be one area indicating value
from implementing IT in the enterprise. The human resource division might be happy to
announce increased motivation in the enterprise and lower staff turnover.
If the response is that IT does not really add value to the enterprise, the IS auditor would
be interested in knowing why that is so. It is possible that there has been no new investment
in IT or that the strategy is not appropriate. This finding will help the IS auditor provide the
client with an appropriate recommendation on the way forward.
The IS auditor might collect different forms of evidence to support responses to this question.
Where the response is increased investment in IT, the IS auditor would be interested in
reviewing the financial statements and management reports to support such a response.
It is also possible that a consultant was hired to assess IT service delivery in the enterprise
after the huge investment in information technology. The consultant's report would
be a valuable document in this case.
d) How do the board and senior management ensure that IT risk governance is
properly implemented and managed in the enterprise?
It is expected that the board and senior management have a risk governance framework and
policy in place which is used to guide implementation of IT risk governance. This is one way in which
the board and management might ensure that risk is effectively managed in the enterprise.
A risk register would be evidence that the enterprise has a good appreciation of the risks
it is facing. Regular monitoring of IT operations by management is another
way risk can be effectively managed. The IS auditor might request monitoring reports
to verify how the enterprise is managing IT risk. Meetings of the risk management committee
would also provide good information on how IT risk is being managed.
Implementation of the enterprise risk policy by management includes executing risk procedures.
Executing and adhering to procedures ensures that risk is effectively managed.
The IS auditor would be collecting the following information from the client: the IT
risk framework, risk policy, risk register, minutes, and monitoring reports. The IS auditor
should be aware that collecting these documents is not enough. Further review of the content
is required to ensure that the information collected represents the correct evidence. IS
auditing is not just a checklist job. It requires analysis of information if the IS auditor is to
add value to the enterprise and enhance its performance.
e) How do the board and senior management ensure that IT controls are properly
implemented and managed?