Page 100 - Courses
P. 100

Governance of Enterprise IT

                 The nature and complexity of the engagement.
                 Time constraints and/or the number of hours budgeted for the engagement.
                 The knowledge, skills, and experience of available resources.

            Internal auditors should also consider whether external resources (e.g., specialists or supplemental
            resources) or technology will be necessary when the internal audit activity does not have
            appropriate or sufficient resources.

            Engagement Planning — Step 7

            The last step of engagement planning is to document the plan. During planning, internal auditors
            document the engagement plan and retain information documented throughout the planning
            process. The gathered information is also documented in workpapers that become part of the
            engagement work program that must be established to achieve the engagement objectives.

            IIA Standard 2240: Engagement Work Program — Internal auditors must develop and document
            work programs that achieve the engagement objectives.

            Engagement Workpapers

            Through the process of planning the engagement, internal auditors may produce any or all of the
            following workpapers:
              Process maps.
              Summary of interviews and brainstorming sessions.
              Preliminary risk assessment (e.g., risk and control matrix and heat map).
              Rationale for decisions regarding which risks to include in the engagement.
              Criteria that will be used to evaluate the area or process under review.
              IIA Standard 2210.A3: Adequate criteria are needed to evaluate governance, risk management,
               and controls. Internal auditors must ascertain the extent to which management and/or the
               board has established adequate criteria to determine whether objectives and goals have been
               accomplished. If adequate, internal auditors must use such criteria in their evaluation. If
               inadequate, internal auditors must identify appropriate evaluation criteria through discussion
               with management and/or the board.

             TOPIC 5: PERFORMING THE ENGAGEMENT

            Fieldwork

            Fieldwork during an IT Governance audit primarily consists of interviewing several key business
            stakeholders. This can include senior business and IT leaders, governance committee members, and
            a subset of department managers. These interviews help with validation and accuracy of the
            enterprise governance framework and IT governance charter, as well as confirm that individuals who
            are members of the governance committee are performing their duties as described in the
            framework and charter.

            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.
   95   96   97   98   99   100   101   102   103   104   105