Effective governance of IT is critical to organizational success and can transform an organization. While IT-enabled transformation can bring many rewards, poor governance of those projects can cause disruption and unintended consequences.
As an organization evaluates different technology investments, management must ensure the technology is aligned and delivered in accordance with the organization’s strategies and objectives. Internal auditors can help by providing independent assurance on the appropriateness and effectiveness of the governance structure.
IT departments manage the technology supporting business applications, disaster recovery, cloud services, and other mission-critical functions. In many organizations, the IT infrastructure is the foundation for business operations. Yet, new technology often creates new risks ranging from specific control weaknesses to potentially enterprisewide disruptions. Helping the organization assess and address these risks is an opportunity for internal auditors to add value.
According to Standard 2110-A2 of the International Standards for the Professional Practice of Internal Auditing, internal audit must assess whether IT governance supports the organization’s strategies and objectives. Consequently, the challenge for internal auditors is to help assess numerous risks associated with governance of enterprise IT.
Audit programs will be more useful if they differentiate governance risks from risks related to the management of enterprise IT. Internal auditors can leverage a variety of frameworks to develop high-quality, tailored audit programs for IT governance.
Governance frameworks include The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control–Integrated Framework, ISACA’s COBIT, and the Balanced Scorecard Institute’s Balanced Scorecard. Organizations also can use management frameworks such as ITIL, the U.S. National Institute of Standards and Technology’s Cybersecurity Framework, and the International Organization for Standardization’s ISO/IEC 27001: Information Security Management, ISO/IEC 38500: Information Technology — Governance of IT, and ISO 9000: Quality Management. These frameworks describe risks, controls, and other details that can reduce the time required to develop an audit program.
Internal auditors should become familiar with each of the governance frameworks so they can scope the audit engagement to focus on the appropriate risks. Audit programs should identify the impact of IT risk to the organization as well as the potential for compliance failure. During the risk assessment, auditors can determine the current state of risk management practices, assess design gaps, identify improvement opportunities, and recommend actions. They should consider several areas in their audit program.
Strategic Alignment
IT strategic alignment continues to be a top priority for most organizations, and aligning technology with business strategies can be challenging for management. One of the key governance controls auditors can review is the process and methodology for justifying and prioritizing IT investments. Auditors can verify that the organization has a formal and periodic process for identifying business needs. Audit procedures also should validate that the IT budget cycle is part of the business operations budgeting process. Additionally, auditors can validate corporate objectives and strategic goal alignment by reviewing the decision rights and accountability framework documentation.
Roles and Responsibilities
IT executives need to collaborate with business-unit executives to ensure technology helps shape business strategy. Without clearly defined roles and responsibilities for IT management, the organization risks a misalignment between IT and enterprise operations. To identify the links between business and IT plans, internal auditors can evaluate the strategic plan for IT-enabled initiatives, policies, presentations to the board that highlight the outcomes of a successful implementation, and third-party agreements. Additionally, auditors should verify IT’s involvement and responsibilities in the sourcing process. Appropriate involvement by IT can ensure new technology fits the organization’s current environment. Auditors, IT, and the information security group also can collaborate to evaluate compliance requirements.
Organizational Structure
To enable better governance, the chief information officer should be part of an executive or senior management team and an active participant in setting business-unit-level strategy and goals. With the pace of change in today’s business environment, the IT organization must be agile and responsive, so auditors should review metrics associated with the length of projects as well as service satisfaction.
Auditors should try to identify unauthorized IT projects by business units — known as shadow IT — by reviewing technology acquisition processes, purchasing authority, application inventory, and sourcing processes. They should work with the IT support function to evaluate internet traffic to external sites, which may reveal unauthorized subscriptions to software-as-a-service (SaaS) applications. Based on a sample, auditors can review IT’s level of participation on the organization’s steering committees and internal advisory boards.
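One way to carry out the internet-traffic review described above, as an added example that is not part of the original article: it cross-checks web-proxy log lines against the approved application inventory and flags external domains that several people use with account- or subscription-like activity. The log format, domains, inventory, and path hints below are constructed assumptions, not real data.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (not real traffic): "<time> <user> <method> <url> <status>"
PROXY_LOG = """\
2024-03-01T09:01:12Z alice GET https://mail.example-corp.com/inbox 200
2024-03-01T09:02:40Z alice POST https://crm.example-corp.com/api/leads 200
2024-03-01T09:05:03Z bob GET https://app.unapproved-notes.io/login 200
2024-03-01T09:15:44Z carol POST https://app.unapproved-notes.io/session 302
2024-03-01T10:20:01Z dave GET https://billing.unapproved-notes.io/invoices 200
2024-03-01T10:31:55Z alice GET https://www.news-site.example/front 200
2024-03-01T11:02:10Z erin POST https://files.quickshare-cloud.net/upload 201
"""

# Approved application inventory keyed by registered domain (constructed).
APPROVED_DOMAINS = {"example-corp.com": "internal apps and email"}

# Path fragments that suggest an account or subscription rather than casual browsing.
SUBSCRIPTION_HINTS = ("login", "session", "signup", "invoice", "billing", "upload", "api")


def registered_domain(host: str) -> str:
    # Last two labels are enough for the constructed data; a real audit should
    # use the public suffix list so that e.g. "co.uk" hosts are grouped correctly.
    return ".".join(host.lower().split(".")[-2:])


def parse_line(line: str):
    # Returns (user, domain, path) or None for a malformed line.
    parts = line.split()
    if len(parts) != 5:
        return None
    parsed = urlparse(parts[3])
    if not parsed.hostname:
        return None
    return parts[1], registered_domain(parsed.hostname), parsed.path.lower()


def find_shadow_it(log_text: str, approved: dict, min_users: int = 2) -> list:
    # Flag unapproved domains used by >= min_users distinct users where at least one
    # request path looks like account or subscription activity.
    users, hinted = defaultdict(set), defaultdict(bool)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] in approved:
            continue
        user, domain, path = rec
        users[domain].add(user)
        hinted[domain] |= any(h in path for h in SUBSCRIPTION_HINTS)
    # Output: [(domain, distinct_users)] sorted by breadth of use, widest first.
    return sorted(((d, len(u)) for d, u in users.items()
                   if len(u) >= min_users and hinted[d]), key=lambda f: (-f[1], f[0]))
```

Each finding is a candidate for follow-up against purchasing records and the application inventory, not a conclusion on its own; a single-user hit (lower `min_users`) may still be worth a look when the path suggests billing or file upload.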
Risk Management
Auditors should evaluate whether IT risks are included in the enterprise risk management program. Auditors also can review internal processes that identify, communicate, and manage IT risks. Change control is a significant risk in this area, so auditors should review risk management activities such as communications planning, change management, and committee oversight. If the organization has a security operations center, auditors should assess how it monitors the IT environment and responds to incidents.
Project Management
Organizations should have a project management office to provide governance to prioritize IT projects according to business need. Auditors should review program and project management methodology and ensure the organization complies with internal processes to request, evaluate, and approve IT projects. They should examine a sample of completed projects to determine whether those initiatives realized stated benefits. Moreover, auditors should review the process for evaluating and prioritizing projects at the business-unit and enterprisewide levels. Additionally, understanding and reviewing key performance metrics, such as planned vs. actual expenses and requirement backlog, would be invaluable.
Management Activities
Without an appropriate focus on technology, organizations could mismanage critical IT resources such as the application environment, data, infrastructure, and people. Auditors should evaluate IT’s involvement in key projects, the demand forecasting process, and resource management practices. IT’s involvement and assessment before engaging software providers and consultants will help mitigate the implementation risks associated with large projects. Robust demand and resource management practices can provide the bottom-up approach to gain insights into business requirements, alignment, and priorities. By understanding IT resource commitments, internal audit can assess the organization’s ability to deliver on key initiatives.
Identifying Key Risks
Every organization’s risk profile is unique and depends on the organization’s culture, structure, and mission. Governance and management teams should identify and prioritize key risks for mitigation and formalize risk acceptance. Organizations should leverage internal audit’s knowledge of the business’ environment, IT investments, and internal processes.