IT governance audits normally have an organizational focus. ‘Organizational-based’ IT governance audits examine deployed frameworks, managerial issues, and departmental activities. However, if during ‘organizational-based’ planning the IT auditor discovers a governance framework is not deployed, the audit planner should utilize the COBIT framework as a minimum basis for setting detail objectives.
Alternatively, IT governance may be within the ambit of other IT audit areas. Under these circumstances, a ‘results-based’ audit may be appropriate. Quantitatively, ‘results-based’ audits can address performance issues utilizing goal and performance indicators as measurement standards. Qualitatively, ‘results-based’ audits can also provide audit area governance knowledge and practices assessments. Whatever ‘results-based’ audit measurement standards utilized, IT governance effectiveness is the primary auditable unit audit objective.
“View Part I of the Auditing IT Governance series here“