Page 16 - ITGC_Audit Guides

Ongoing Monitoring: Quality and Compliance Needs/Activities

IT management should monitor and ensure that the appropriate level of quality is delivered to its clients and the organization. This includes not only the design, delivery, and implementation of services that meet regulatory and legal compliance requirements, but also ensuring that ongoing operational requirements are met.

IT management must monitor the delivery of quality and compliance needs on an overall basis and ensure continuous improvement and flexibility as business requirements change. While quality and compliance should be built into all IT processes and projects, both should be monitored across the IT enterprise and in partnership with business service level expectations. Monitoring the quality and reliability of services is imperative if management is to ensure that processes are being managed to the expectations of the board and senior leadership. This assurance cannot be provided without ongoing monitoring and timely resolution of operational and control gaps.


Challenges and Risks for IT Governance and the IT and Business Relationship

IT requires broad governance, alignment with the organization, and efficient, reliable, and timely delivery of effective services to its clients. Internal auditors should understand that many IT challenges and risks start at the governance and strategy level, followed by effective and competitive delivery and monitoring of overall service and quality levels. Internal auditors should also have a basic understanding of the common IT challenges and risks when assessing, evaluating, or reviewing IT governance and business relationships, which can include but are not limited to:

• IT strategy and direction are misaligned with the business or organization's strategy. Often, the technology road map is designed to improve the current business model and operations or is focused on IT infrastructure initiatives, but not to enable or accommodate potential future business objectives or models. If adaptability and flexibility are ignored, competitiveness and innovation may be hindered.

• IT leadership does not have a "seat at the table" when business strategy is being developed, or is not part of the decision-making process on business direction and options under consideration. IT may be excluded from business strategy development. Failure to engage information security and IT early in the planning stages may result in an increased risk of adverse consequences, such as additional costs, reduced performance, regulatory fines and penalties, and even an increased threat of inappropriate data/information exposure.

• The use of "rogue IT." The concept of rogue IT, also known as "shadow IT," occurs when anyone in the organization uses technology that is not sanctioned by, or even known to, IT. This is a significant risk when an organization has multiple business units, locations, campuses, or subsidiaries.








                   8 — theiia.org