It is also worthwhile to consider using external auditors or consultants to review IT governance implementation and maintenance. The frequency may not be as regular as that of internal IS auditors, but it is necessary to use external parties who might give a different or enriched opinion on the IT governance implementation processes.
The evidence the IS auditor would collect includes reports from auditors (internal and external), self-assessment reports from the board and senior management, management reports to the board, and reports from various stakeholders.
In order to collect appropriate evidence regarding this question, the IS auditor would be required to hold extensive discussions with the board and senior management of the enterprise in addition to reviewing various documentation.
IT Risk Governance
The board and management should have a good understanding of IT risk and how to mitigate these risks. The IS auditor will be required to collect sufficient information and evidence on how the enterprise is managing IT risk. Because enterprises are highly dependent on the use of information technology, IT risk should be rated as high risk. The questions used in this section are designed to assess IT risk and review what type of evidence an IS auditor would collect during an audit.
Assessing IT risk is critical to the operations of an enterprise, and it helps in determining how risks will be managed through implementing security processes and IT controls. Because enterprises are always experiencing change due to interaction with other organisations, risk will also always change in various ways.
a) Does the enterprise have an IT risk management policy?
In big and well-established enterprises, the response would likely be in the affirmative. The IS auditor, as a follow-up question, would request a copy of the IT risk policy. Other things to look for in the policy would be to check whether the policy was approved by the board or senior management and when it was approved. The IS auditor might also be interested in finding out if the risk policy is based on a particular risk standard, such as ISO 31000. This information would be useful when assessing the policy. It is important to note that in some enterprises, IT risk is implemented as part of the overall risk policy and not as a separate policy.
If the answer is that the enterprise does not have a policy, the IS auditor should take note of the response so that he can include a recommendation in the report on the need to develop a risk policy. It would also be important for the IS auditor to find out why the enterprise does