Page 109 - ITGC_Audit Guides
Performing the Engagement
Scoping decisions determine which control types are relevant to the audit. The following sections describe common risks and controls for each type.
Technology Planning
High-level planning controls enable the service relationship between IT-IS and other business units and ensure that business applications are compatible with existing and future technologies in the organization. Collaboration between technology and other business units typically results in a technology roadmap, which plots the timeline for introducing upgrades or new component technologies to a business application, together with plans for introducing other technologies in the enterprise architecture or hosting environment. An assessment of business applications should consider whether controls are documented and operating adequately to ensure alignment with and sufficient support of business strategies. An engagement could also determine whether the organization incorporates new technologies in a deliberate and coordinated way, for example, as evidenced by technology roadmaps.
• In COBIT 2019 Framework: Governance and Management Objectives, technology planning controls are primarily described in the Align, Plan, and Organize domain, especially in objectives:
o APO02 Managed Strategy.
o APO03 Managed Enterprise Architecture.
o APO04 Managed Innovation.
• NIST SP 800-53r5 covers planning processes throughout the following control families:
o Planning.
o Program Management.
o Personally Identifiable Information Processing and Transparency.
o Risk Assessment.
o System and Services Acquisition.
o System and Communications Protection.
• CIS Controls covers technical planning in subcontrols called “safeguards,” specifically:
o 2.2 Ensure Authorized Software is Currently Supported.
o 16.5 Use Up-to-Date and Trusted Third-Party Software Components.
9 — theiia.org