Page 14 - ITGC_Audit Guides

IT Governance

IT must be managed broadly in a way that ensures optimal delivery of services (such as networks, infrastructure, and applications) to the organization and end customer. IT must also create value and support organizational success. Sound IT governance helps deliver on these objectives. Key elements and components of IT governance include:

- Strategic alignment – providing direction, services, projects, and objectives to support the organization’s business goals and maximize return on investment (ROI).
- Risk management – determining that processes and policies are in place to ensure risks are adequately addressed.
- Value delivery – ensuring maximum IT service is provided throughout the organization.
- Resource management – providing high-level direction for sourcing and use of IT resources to ensure adequate capability and overseeing the enterprise level of IT funding.
- Organizational set-up – addressing the necessary roles, functions, and reporting relationships allowing IT to meet organizational needs while assuring requirements are addressed via formal evaluation and prioritization.
- Policy setting – ensuring that industry standards, policies, and frameworks are implemented to address the organization’s risk, compliance, and regulatory requirements.

Resource: For more information on the IT governance process, see The IIA’s GTAG, “Auditing IT Governance.”


IT as a Business

IT is not just a cost center; it is an enterprisewide function that serves as an internal business. In most organizations, a CIO and/or chief technology officer (CTO) is responsible for managing and ensuring delivery of IT services and data access across the enterprise. Organizations may also have a chief information security officer (CISO) to oversee IT security, and often a dedicated data protection officer (DPO), chief data officer (CDO), and/or a chief privacy officer (CPO) to oversee the data and compliance aspects. It should be noted that the latter three roles are often outside of the IT organization. The function of these roles is more important than the actual title, as organizations may use different titles and/or combine roles.

IT management must understand the organization it supports, its critical processes, priorities, and strategic objectives. CIOs should consider their organizational peers and related business units as customers or clients. In many large organizations, IT follows a “partnership” model in which the CIO manages and oversees multiple sources of internal and external service providers that are expected to deliver a seamless experience to the organization.

Like any business, IT services should be delivered timely, reliably, securely, and in compliance with legal and regulatory requirements. IT must also protect data and information assets against breaches of confidentiality, integrity, and availability. This can be a challenge as most IT teams
6 — theiia.org