IT Governance, Risk, and Compliance


February 24, 2012  8:57 PM

Auditing IT Governance – Part V

Robert Davis

The primary drivers for IT governance audit planning are verifying governance existence, adequacy, and risk management. However, as with standard IT audits, an understanding of the general control environment, information systems, and control procedures should be obtained during engagement planning to comply with ISACA IT audit standards and guidelines.

Theoretically, the control environment (CE) epitomizes management’s attitude, awareness, and actions. Integrity and ethical values, commitment to competence, management’s philosophy and operating style, organizational structure, responsibility and authority assignment, human resource policies and practices, budget formulation and execution, as well as control methods over compliance with laws and regulations are representative CE characteristics. The IT department is normally a subdivision of the entity; therefore, the entity’s CE should be replicated within the IT CE.


February 21, 2012  9:28 PM

Auditing IT Governance – Part IV

Robert Davis

IT governance audits normally have an organizational focus. ‘Organizational-based’ IT governance audits examine deployed frameworks, managerial issues, and departmental activities. However, if during ‘organizational-based’ planning the IT auditor discovers that a governance framework is not deployed, the audit planner should utilize the COBIT framework as a minimum basis for setting detailed objectives.

Alternatively, IT governance may be within the ambit of other IT audit areas. Under these circumstances, a ‘results-based’ audit may be appropriate. Quantitatively, ‘results-based’ audits can address performance issues utilizing goal and performance indicators as measurement standards. Qualitatively, ‘results-based’ audits can also provide assessments of audit area governance knowledge and practices. Whatever ‘results-based’ audit measurement standards are utilized, IT governance effectiveness is the primary auditable unit audit objective.



February 17, 2012  8:50 PM

Auditing IT Governance – Part III

Robert Davis

To prevent expectation misinterpretation, the IT governance engagement ‘terms of reference’ should minimally address engagement ambit, reporting lines, and IT audit authority. Specifically, definitions of IT governance functional areas and issues, the reporting of identified ‘highest-organization-level’ issues, and auditor information access rights should be clearly documented in the audit charter and/or engagement letter.

IT governance can be an individual audit area examination or an auditable unit examination for every IT function audit undertaken. During the IT audit planning process, all or segments of an entity’s deployed governance related frameworks may be selected as auditable units. Furthermore, IT governance audits may cross divisional, functional, or departmental demarcations.



February 17, 2012  8:43 PM

Auditing IT Governance – Part II

Robert Davis

Reflective of ISACA standards and guidelines, the IT audit process should be replicated within for-profit and not-for-profit entities. “Topics which should be considered are set by COBIT in the IT Governance Management Guidelines.” However, an audit committee’s perceived mandate and mission may affect IT governance audit approach variability. Furthermore, the IT governance audit approach may vary according to ambit and resources applied. For instance, from an internal audit perspective, as noted in The IIA’s International Professional Practice Framework (IPPF) Standard 2110.A2: “The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.” IT governance audit evaluation criteria may also fluctuate due to audit objectives. For example, the IT governance audit assessment paradigm may be based on performance and/or compliance expectations.



February 10, 2012  9:36 PM

Auditing IT Governance – Part I

Robert Davis

Governance supports stakeholder expectations related to management’s fiduciary responsibilities. Governance also reflects how an enterprise achieves its stated mission. Specifically, as presented in the Cadbury Committee Report, “…governance is the system by which companies are directed and controlled.” Leadership, stewardship, ethics, security, vision, direction, influence, and values are prominent components within entity-level governance.

Various respected knowledge leaders, practicing professionals, and professional organizations consider an entity’s oversight committee, executive management, internal audit, and external audit to be governance cornerstones. Consequently, since IT is usually integrated into an entity’s processes, IT audit should be considered a cornerstone of IT-level governance as well as of entity-level governance.

Post Note: Auditing IT Governance is a redacted excerpt from Assuring IT Governance.


February 7, 2012  9:57 PM

Auditing IT Service Delivery and Support – Part VIII

Robert Davis

Audit evidence for elements of an adequate CE may not be available in documentary form. In addition, responsibility for IT governance is often undertaken by the owner/manager where there are no other high-level stakeholders. In particular, for smaller entities, communication between management and other personnel may be informal, yet effective. Under these circumstances, management’s commitment to ethical values and competence is often implemented through the behavior and attitude they demonstrate in managing the entity’s business instead of through a written code of conduct. Consequently, management’s attitudes, awareness, and actions are paramount in the design of a smaller entity’s CE.


Post Note: As of January 12, 2012, Robert E. Davis, MBA, CISA, CICA is a Master of Science in IT Auditing and Cyber-Security Program instructor at Temple University.


February 3, 2012  9:29 PM

Auditing IT Service Delivery and Support – Part VII

Robert Davis

Regarding outsourced services, among other expectations, an IT auditor should obtain and document an understanding of the relationship between the services provided by third parties and the entity’s control environment. An IT auditor should consider reviewing such items as contracts, service level agreements, policies, and procedures between TPPs and the entity. Furthermore, an IT auditor should review any previous TPP audit reports prepared for the entity, and plan the IT audit work to address the audit objectives relevant to the service provider’s environment, taking into account the information obtained during planning. Lastly, an IT auditor should plan TPP audit work to comply with applicable professional audit standards, as if the audit were performed in the entity’s own environment.



January 31, 2012  8:41 PM

Auditing IT Service Delivery and Support – Part VI

Robert Davis

Ordinarily, an IT auditor obtains relevant CE audit evidence through a combination of inquiries and other risk assessment procedures. For example, through management and employee inquiries, an IT auditor may obtain an understanding of how management communicates its views to employees regarding acceptable practices and ethical behavior. Thereafter, an IT auditor should determine whether controls have been implemented by analyzing whether management has established a formal code of conduct, and whether it acts in a manner that supports the code of conduct or instead condones violations of, or authorizes exceptions to, the code of conduct.



January 27, 2012  9:23 PM

Auditing IT Service Delivery and Support – Part V

Robert Davis

When acquiring an understanding of control environment (CE) components, IT auditors should consider whether pertinent elements have been implemented for the entity and for IT. The CE risk associated with a particular entity may be assessed using various techniques and tools, including CE Characteristics – Internal Policies, Maturity Model Assessment, and/or Entity Culture/Audit Area Personnel Matrices. For each of the selected audit CE statements, a compliance value needs to be defined, which enables the IT assurance professional to calculate a ‘compliance profile’.



January 24, 2012  8:34 PM

Auditing IT Service Delivery and Support – Part IV

Robert Davis

Entities may partially or fully delegate some or all of their IT delivery and support activities to a Third Party Provider (TPP). IT activities that may be outsourced include IT functions such as data center operations, IT security, and application maintenance. Usually, the responsibility for confirming outsourced activity compliance with contracts, agreements, laws, and regulations resides with the entity. When a TPP is within the IT service delivery and support ambit, IT audit is accountable for determining whether adequate TPP controls exist and are functioning as intended.
