IT Essentials — Introduction to IT























            IT strategies should align to the organization’s business strategies. There should be transparency
            between the organization and IT concerning costs, service levels, options, and optimal choices that
            provide the most value to the business units and to the entire organization.

            Independence and Objectivity

            From an internal audit perspective, involvement in the entirety of key projects — from business case
            development through project monitoring and final delivery — can be a critical success factor and
            add value. However, when involved in a project from start to finish, the internal audit activity must
            maintain its conformance with IIA Standard 1100: Independence and Objectivity, understanding
            that management is ultimately responsible for decision-making and delivery. This standard states:
            “The internal audit activity must be independent, and internal auditors must be objective in
            performing their work.”

            Governance Risks

            Hi. I’m Sally. Internal auditors should understand that many IT challenges and risks start at the
            governance and strategy levels, followed by ineffective delivery and monitoring of overall service
            and quality levels. Internal auditors should also have a basic understanding of the common IT
            challenges and risks when assessing, evaluating, or reviewing IT governance and business
            relationships. I have asked Roman, our chief risk officer (CRO), to join us for a discussion about some
            risk-related topics.

            Sally: Hello Roman. As our CRO, would you mind discussing enterprise risk registers, and providing
            some information about what is in our organization’s risk register to help us to understand
            governance risk?

            Roman: Hello Sally. I am happy to provide that information. First, the enterprise risk register is a
            repository of all identified risks that have the potential to impact the organization. It contains an
            inventory of exceptions noted from internal and external audits, regulatory reviews, risk
            assessments, and control self-assessments. This may be centralized in a governance or audit tool, or




            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.