
AUDITING IT GOVERNANCE

The governance of ICT is a key contributor to strategic organisational success. Internal auditors therefore have a key role to play in terms of giving top management assurance that IT governance is effective in their organisation.

The Institute of Internal Auditors (IIA) says that “the internal audit activity must assess whether the information technology governance of the organisation supports the organisation’s strategies and objectives (2110)” and publishes a Global Technology Audit Guide (GTAG® 17) titled Auditing IT Governance.
 

IIA IT Governance Model

The IIA has an IT governance model that incorporates elements of ISO/IEC 38500, and GTAG 17 is heavily based on the ISACA® COBIT® frameworks. While COBIT is not the only control framework used in relation to IT governance, it is one of the most widely deployed, particularly in public sector organisations and large enterprises.

GTAG 17 provides guidance on auditing IT governance under five main headings:

  • Organization and Governance Structures
  • Executive Leadership and Support
  • Strategic and Operational Planning
  • Service Delivery and Measurement
  • IT Organization and Risk Management

IT Governance Audit Assurance

The types of assurances that stakeholders are looking for, in relation to the work of internal auditors, include:

  • Do the board and top management really understand their role in making IT governance effective?
  • Is IT management competent, and is it really a part of the top management team?
  • Is IT genuinely contributing to the achievement of the organisation’s strategic and tactical objectives?
  • Is there a robust (planned and tested) IT risk management framework in place, specifically including IT projects, DPA compliance, cyber security and ICT continuity?
  • Is IT able to identify and prioritise key technology changes that will enhance organisational performance?
  • Are IT metrics really measuring IT performance in terms of delivering value, resource optimisation and risk reduction?

For more information: