Primary drivers for IT governance audit planning are verifying governance existence, adequacy, and risk management. However, as with standard IT audits, a general control environment, information systems, and control procedures understanding should be obtained during engagement planning to comply with ISACA IT audit standards and guidelines.
Theoretically, the control environment (CE) epitomizes management’s attitude, awareness, and actions. Integrity and ethical values, commitment to competence, management’s philosophy and operating style, organisational structure, responsibility and authority assignment, human resource policies and practices, budget formulation and execution, as well as control methods over compliance with laws and regulations are representative CE characteristics. The IT department, normally, is an entity’s subdivision; therefore, the entity’s CE should be replicated within the IT CE.
“View Part I of the Auditing IT Governance series here“