
Governance of Enterprise IT

                 Identify the organization’s size, complexity, maturity, lifecycle, stakeholder structure, and
                   legal requirements.
                 Review committee charters, meeting agendas, meeting minutes, and external assessments.
                 Meet with those in key governance roles.
                 Discuss IT governance with senior management and the board.

            The following IT governance processes should be considered for inclusion in an engagement:
                 Aligning IT investments with business objectives.
                 Managing requests for IT services to optimize Return on Investment (ROI).
                 Maintaining responsible use of resources and assets.
                 Clearly defining roles and authority.
                 Ensuring IT delivers on plans.
                 Proactively managing major risks.
                 Improving IT performance.
                 Championing innovation in IT and the organization.

            Engagement Planning — Step 2

            The second step of engagement planning is to understand the subject and document it.
            Internal auditors gather information to build a list of risks relevant to IT governance and to assess
            their significance. This part of planning prepares the internal auditor to decide upon the objectives
            and scope appropriate to this engagement.

            Obtaining and Documenting Information

            This is an ongoing process that must be updated throughout the engagement as new information is
            obtained. Types of information to consider when planning an engagement involving IT governance
            include:
                 Results of any previous engagements that include aspects of IT governance.
                 Results of risk assessments.
                 Results of assessments performed by management.
                 Work of other internal and external assurance providers.
                 Other documented governance issues, such as adverse incidents.
                 Stakeholder interviews.

            Engagement Planning — Step 3

            The third step of engagement planning is to conduct a preliminary risk assessment of the area or
            process under review. Due to time and resource constraints, not all risks can be reviewed during an
            engagement. Therefore, internal auditors must conduct a preliminary risk assessment and prioritize
            risks according to significance, which is measured as a combination of risk factors.

            IIA Standard: 2210.A1 — Internal auditors must conduct a preliminary assessment of the risks
            relevant to the activity under review. Engagement objectives must reflect the results of this
            assessment.
            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.