The board and senior management should have control over data and information produced
by virtue of operations of the enterprise. Control over data and information is part of
governance in the enterprise. In order to ensure effective controls, management needs to put
in place a controls framework which will cover all areas of operations in the enterprise.
Information is the lifeline of enterprises, and it is the responsibility of the board and
management to ensure that control over information is effective.
If the response is positive and controls are properly implemented and managed, the IS
auditor would request more information to support this answer, such as checking for the
existence of controls, how the board ensures these controls are working through senior
management, and how these controls are monitored.
As part of evidence-gathering, the IS auditor should have access to controls documentation
and to reports on how the controls are being implemented, and should take note of weaknesses
in the controls. IS auditors should take an interest in investigating IT controls which are
not properly designed and those which are not effective. This would help in coming up with
findings and recommendations on how to improve the effectiveness of these controls.
A review of the organisational structure of the enterprise would also help in assessing
effectiveness of the IT controls in the enterprise.
If the answer is not positive, the IS auditor would ask further questions in order to find out
why the board and senior management are not ensuring that IT controls are properly
implemented and managed.
f) How do the board and senior management ensure that IT governance is properly
implemented, monitored, and maintained?
The board and senior management should ensure that IT governance has been implemented
at all affected levels. The board should ensure that IT issues are part of its agenda at board
level. Regular reviews should be conducted by the board to ensure that IT adds value to the
organisation. The process of ensuring effective IT governance would require that the board
has effective IT strategies and policies in place and that management has the necessary
resources to execute the policies.
Monitoring should be part of the process of ensuring that IT governance is successful and
is adding value to the enterprise. This is achieved by regular monitoring through various
assurance services. Internal IS audits can be regularly conducted to determine how IT
governance is being implemented.
The board and senior management may also perform self-assessments which may help
ascertain the level of compliance with IT governance processes. Self-assessments are
beneficial in that the board is able to determine achievement of their own goals and give
themselves a fair assessment.