Auditing IT Governance

Florin-Mihai Iliescu, CISA, CISSP | Audit | Monday, 18 January 2010

Effective IT governance helps ensure that IT supports business goals, optimizes the business investment in IT, and appropriately manages IT-related risks and opportunities. Organizations that realize IT is no longer merely a support process, but one that carries both value and risk, need a structured approach for managing Information Technology, for enabling its capability to deliver added value enterprise wide, and for setting up a risk management program that addresses the new risks arising from the use of IT in business processes. In order to assess whether IT Governance is in line with industry practices, IT Auditors need a good understanding of the processes and applicable standards, specific audit work programs, and experience in recognizing potential problem indicators.

Auditing IT Governance requires more business knowledge than regular Information Systems (IS) audits, because the IS auditor has to evaluate how IT is enabling the business strategy. IT is no longer seen as a support process, and because a single project is usually not enough to deliver a business outcome on its own, multiple projects should be managed together as programs.

The Audit Work Program helps the IS Auditor conduct engagements, but each organization and project has its own characteristics, and the work program should be tuned accordingly. For organizations whose IT function does not use global standards and frameworks such as CobiT or Val IT, most of the topics in the audit work programs might not be applicable. In such cases I recommend using the Planning and Organization domain practices from CobiT.

The organization's culture plays a great role in successfully managing value from IT-enabled investments. In addition to the usual IT processes, Val IT proposes 22 governance processes that need to be carried out by executives; these require a good understanding of the framework as well as specific relationships and organizational structures.

The Val IT Framework is currently one of the best practices for IT Governance. IT Governance can serve as a vehicle for enhancing the contribution of IT to the organization, can decrease IT expenditure, can strengthen internal controls, and, if adopted, can demonstrate the organization's interest in continuous performance improvement. In the present context, when most organizations do not have a structured approach to IT management practices, the IS Auditor's role should primarily be to educate the organization and to draw up recommendations for adopting a business value perspective on IT-enabled investments: programs linked to benefits stated in well-documented business cases, and a value governance framework based on an IT strategy with a clear vision and objectives, short- and long-range tactical plans, and clear responsibilities for managing value across the organization.

In the end, the IS Auditor should answer three basic questions, one for each Val IT domain: Value Governance - Is there an organizational structure in place to manage value? Portfolio Management - Are IT-enabled investments tracked against their expected benefits? Investment Management - Is the performance of IT initiatives managed and monitored?