Governance of Enterprise IT


            Great. As the CIO, do you feel the board and senior management have a clear understanding of IT
            costs and how they contribute to the achievement of the organization’s strategic objectives?

            I make sure they do. As part of my involvement in regular senior management meetings and my
            updates to the board, I make sure technology is always a part of the conversation, whether we are
            discussing strategic plans, budgeting, project updates, or service delivery.

            How does senior management measure IT value and deliverables?

            They understand that the success of most of our operations are dependent upon technology;
            therefore,  each department is updated on our service key performance indicators (KPIs). In
            addition, technology costs, including staffing and infrastructure, are allocated to each department
            budget. We believe we are valued as critical partners, given our team is included in the planning
            stages in most of our entity-wide initiatives and major department projects. We also have an IT
            Steering Committee.  Our IT senior management and business owners meet to ensure IT strategic
            alignment.   Our CAE (or a representative from their team) is also invited to the meeting as an
            observer.

            I would like to spend a moment discussing your IT department. How mature are the IT management
            processes?

            We are a mature IT organization with documented standard operating procedures. We also make
            sure our staff members are well trained on our procedures. In addition, we follow the COBIT
            framework, which you are likely familiar with. While there is always room to improve, we are a stable
            and fully staffed function at this time.

            Before we wrap up our conversation, would you please share with me your thoughts on the
            applications being used within the organization?

            For what I would call a medium-sized organization, our systems are actually quite complex. As we
            have grown over the years, we continue to maintain and upgrade our systems as well as perform
            timely patching. Keeping up with software updates takes up a significant amount of some of my
            staff’s time.

            Post-Interview Steps

            After the interview is complete, the internal auditor should write a transcript containing the
            discussion, including the questions and answers, and send a verification memo/email to each
            person they interviewed. The verification validates the internal auditor notated the conversation
            accurately. This is also when the auditor might request additional evidence to substantiate what was
            described during the interview.






            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.