An IT auditor should include in the audit ambit relevant processes for planning, organizing, and monitoring the IT activity. Contextually, the audit ambit should include control systems for the use and protection of the full range of COBIT framework IT resources. Whereby, specifically; people, information, applications, and infrastructure are the IT resources that should be addressed within the IT governance audit ambit’s control systems.
Moreover, critical for a viable IT governance audit plan is the IT audit function’s organizational status. Specifically, internal IT audit organizational status may become a factor in determining whether to proceed with an IT governance audit. For instance, management may consider it inappropriate to grant internal IT auditors access to high-level business documents. Accordingly, organizational status may require hiring an independent third party to manage and perform the IT governance audit.