Page 96 - CITP Review

2. The CIO or equivalent could present business cases to the BoD or chief executive officer (CEO), or both, in an ad hoc fashion, and have the project receive approval, be postponed, or be declined. The latter process tends to seek funding for each IT project as a stand-alone project without

   - necessarily fulfilling due diligence in examining the population of choices,
   - aligning projects with strategic plans, and
   - giving sufficient consideration to the value of IT.
The CITP will want to determine the specific method in place. The choice matters because the former reduces risk and the latter increases risk. Those risks include the following:

- IT projects will fail to be delivered on time, on budget, and fully functional.
- IT projects will fail to meet the strategies of the entity.
- The IT function will not develop the most effective technologies and systems because of the results of adhocracy.
- The entity will spend more money than necessary, either on an individual project or on one that is less effective than some alternative not considered.
The external CITP is interested in this information as it relates to ITGC (IT governance, project management, and so on). Any risk here is indirect to the financial statements, but could directly affect the ability to rely on tests of controls (ToC): if ITGC is not reliable, the financial auditors cannot rely on ToC. It also could lead to the risk of material misstatements (RMM) through a chain of events that the external CITP might have identified (for example, a severe weakness in ITGC or IT governance and project management means program development of critical applications might have a high probability of error or fraud, and the error or fraud might be material and go undetected because of the absence of mitigating controls). The internal CITP would usually be interested regardless of operational reasons.


Risk management

Part of the control environment would be a risk assessment, specifically of those risks related to IT. The outcome should be documentation of IT risk management.

This aspect of the control environment is basically identical to the COSO risk assessment (limited to IT here) and the COBIT planning and organization process of assessing risk (known as PO9).[10] Those two resources provide information for developing an appropriate risk management structure, process, and objectives.


Specifically, management should have a formal due process for identifying IT-related risks to the business operations, goals, objectives, and strategies. That process should conclude in a written document; then management should consider taking measures to mitigate the greater risks, or the ones they can effectively and efficiently mitigate. Those decisions should be documented as well. Risk management within the control environment should involve a structure, a process, and a set of objectives related to IT risk management.

[10] See www.isaca.org/popup/Pages/PO9-Assess-and-Manage-IT-Risks.aspx?utm_referrer=direct%2Fnot%20provided. Last accessed September 10, 2019.


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-12