08.

Auditing IT Governance
CSIE604181 Dasar-Dasar Audit SI (Fundamentals of IS Audit) | ODD SEMESTER - 2019/2020
© Fasilkom, Universitas Indonesia
Outline

• Strategic Alignment
• Risk Management
• Performance Management
• Resource Management
• Value Delivery
IT Governance

• IT governance -- consisting of the leadership, organizational structures, policies, and processes that ensure that the enterprise’s information technology supports the organization’s strategies and objectives
The primary outcomes of effective IT governance

1. IT strategies are aligned with organizational objectives.
2. Risks are identified and managed properly.
3. IT investments are optimized to deliver value to the
organization.
4. IT performance is defined, measured, and reported
using meaningful metrics.
5. IT resources are managed effectively.
Five Areas to Audit

Based on the IT Governance Institute (ITGI), a branch of ISACA

1. Strategic Alignment (1/3)

Objective
Determine if a relationship exists between IT and business
objectives and if this relationship has been established through
participation between both IT and business management.
Artifacts/sources:
• Business Strategic Plans
• IT Strategic Plan
• Third-party service provider agreements and the Request For Proposal (RFP) process
• IT Road map
• Executive/IT Steering Committee minutes
• Board minutes
• Interviews with Executive Leaders and IT Leaders
1. Strategic Alignment (2/3)

Typical Areas to Assess:
• Is IT management aware of the overall business strategy?
• What is IT’s involvement in defining the business strategy?
• Do current IT initiatives relate to one or more of the
organization’s strategic objectives?
• Is there a clear line of communication between IT and business
management?
• How do 3rd party service providers support business
objectives?
1. Strategic Alignment (3/3)

What does good Strategic Alignment look like?
• Organizational structure conducive for alignment (steering
committee, Business Partners)
• IT as Business Partner rather than an order taker
• Project prioritization done transparently based on set criteria
that all agree upon.
• Environment that encourages Enterprise initiatives rather than
Division initiatives
• Formal documented strategic plans
• IT Strategic Plan created in conjunction with business strategic plans (a focused approach on implementing strategic goals)
2. Risk Management (1/3)

Objective
Determine if activities are conducted relating to the identification and
analysis of risks impacting the achievement of business objectives and
the preparation of financial statements
Artifacts/sources :
• Business Continuity and Disaster Recovery Plans and Test Results
• IT Risk Assessment
• 3rd Party Service Provider Agreements and Request For Proposal (RFP) Policies and Procedures
• Board/Committee minutes evidencing IT Risk Management
communication to board and approval of Information Security
Policies
• Minutes from the Enterprise Risk Management (ERM) committee
and other committees where detailed IT Risk metrics are shared
• Discussions with CISO, Executive and IT Management
2. Risk Management (2/3)

Typical Areas to Assess:
• Is a process in place to assess, address, and communicate IT risks
to key stakeholders and executive management during the
project, change, and release management processes?
• How does IT select and manage third party vendor relationships?
• Does a business continuity and disaster recovery plan exist and is
it tested on a periodic basis?
• Does a risk management plan exist and are risk management
activities incorporated into project, change, and release
management process?
• Do discussions between IT, Business, and Compliance leadership
occur in order to identify ways in which the IT environment can
assist in strengthening the organization's control environment?
2. Risk Management (3/3)

What does good Risk Management look like?
• Formal Information Security Program
• Involvement of Information Security personnel in projects,
changes, attendance in key committees
• Mature Enterprise Risk Management Committee (ERMC)
Processes
• Transparency of IT risk profile to the Board and executive
management
3. Performance Management (1/3)
Objective
Determine if the effectiveness of IT systems, processes, and
personnel, internal and external, are being monitored for alignment
with business needs.
Artifacts/Sources:
• Performance metrics for services, projects, processes, and systems
• Reports of IT’s performance against defined metrics to key
stakeholders and executive management
• 3rd Party Service Level Agreements
• Incident and Problem Management Policies and Procedures
• Cost Allocation Policies and Procedures
3. Performance Management (2/3)

Typical Areas to Assess:
• Does the IT organization report performance metrics to key
stakeholders?
• Are processes in place to review key performance metrics and
correct items falling below a reasonable level?
• Do performance management activities consider both internal
and 3rd party IT activities?
• Is IT performance reported in IT or Business terms? Are the
metrics operational, strategic, or both?
• Is a process in place to establish performance metrics based on
changing business needs?
• Do the Board of Directors and Executive management have an
awareness of IT performance based on quantifiable data?
3. Performance Management (3/3)

What does good Performance Management look like?

• Board role in monitoring strategic Key Performance Indicators (KPIs), including projects, to ensure strategic goals are being accomplished and IT is adding value
• An enterprise framework to measure, collect and report KPIs in an efficient manner
4. Resource Management (1/3)

Objective
Determine if adequate activities are being performed to align the
use of resources (applications, information, infrastructure,
people) to meet the needs of the business.
Example Review Documents:
• IT Organization Chart
• IT Job Descriptions
• Sourcing Strategy for IT projects
• IT Segregation of Duties Requirements
• IT Asset Management Policies and Procedures
• Capacity Planning
4. Resource Management (2/3)

Typical Areas to Assess:
• Are processes in place to assess and implement IT segregation of
duties?
• Has an IT sourcing strategy been established that aligns with business objectives?
• Do IT resources dedicate more time to operational or strategic objectives?
• Does the IT department have processes in place to facilitate
knowledge sharing within the department and with the business?
• Have IT resources (employees, applications, hardware) been
optimized to support business objectives?
• Have formal job descriptions and reporting relationships been
created and communicated for all IT positions?
• Has an asset management program been established?
4. Resource Management (3/3)

What does good Resource Management look like?
• A sound and formal IT Demand Management process with the right stakeholders involved (standard prioritization process across the enterprise, rolling 12-month plan of IT projects, formal approval processes done transparently, etc.)
• Processes to identify any gaps early when supply and
demand do not match.
• Taking a proactive approach to keep IT application and
infrastructure resources current so demands can be met
more efficiently and securely
5. Value Delivery (1/2)

Objective
Determine if IT is effectively managing costs as they relate to
meeting business objectives and communicating this
management to the appropriate individuals.
Artifacts/Sources:
• IT Steering Committee Meeting Minutes
• Policies and Procedures for the Development and
Management of IT projects
• IT Budget
• Discussions with Finance & IT Management (IT spend
benchmarking, Analysis on IT Projects spent on business
initiatives vs. Business Support)
5. Value Delivery (2/2)

Typical Areas to Assess:
• Is there a clear relationship between IT project performance
indicators and business objectives?
• Has the IT budget been communicated to business leadership?
Does business leadership understand the investments that have
been made in IT?
• Does IT actively communicate the expected and realized value of
IT projects?
• Does the business rely on the integrity and accuracy of data
captured and reported by IT systems?
• Do IT and business leaders meet on a periodic basis to review
the current and upcoming IT initiatives to reassess alignment
with business objectives?