Governance of Enterprise IT
The opportunities for making significant improvements to the activity’s governance, risk
management, and control processes.
Key Risks
IT governance does not just impact IT. The positive and negative impacts are felt throughout the
entire organization. Key risks to consider include:
Financial loss due to business disruption.
Higher costs to run business operations.
Poor quality or failure to meet new customer expectations and unsatisfied customers.
Negatively impacted core business processes due to poor delivery of IT services.
Lack of governance over information storage, processing, and reporting.
Unidentified risks and threats that expose the entire organization to security breaches.
Penalties resulting from failing to meet regulatory requirements.
Engagement Planning Steps
To conform with the standards related to planning an engagement, internal auditors may apply the
following steps:
1. Understand the context and purpose of the engagement.
2. Gather information to understand the subject.
3. Conduct a preliminary risk assessment.
4. Form engagement objectives.
5. Establish engagement scope.
6. Allocate resources.
7. Prepare the work program.
Engagement Planning — Step 1
The first step of engagement planning is to understand the context and purpose of the engagement.
For IT governance, this involves having a thorough understanding of existing organizational and
governance structures.
Assessing IT Governance Effectiveness
Internal audits of IT governance should evaluate the effectiveness of processes to define and
enforce:
Policies, roles, responsibilities, and accountability.
Risk appetite management.
Effective communication.
Tone at the top.
Management of IT value.
When assessing IT governance effectiveness, consider including the following actions:
Define IT governance and concepts, and identify frameworks used within the organization.
Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.