The risks of information technology (IT) are well known (or so they should be) to executive management, the board and internal auditors. These risks range from information security threats, to the risk of investing in the wrong Enterprise Resource Planning (ERP) solution, to the cost and time impact of not defining requirements properly and not understanding what the business needs. It is vital for internal auditors to provide assurance on how management is managing IT performance and IT risks and reporting on them to the board. One of the fundamental components that should be covered in this assurance is IT Governance.
What is IT Governance?
Gartner(1) defines IT Governance as “the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.” This also means that IT operations and projects should be aligned with the organization’s strategy. The achievement of an organization’s strategy is of paramount importance to executive management and boards. However, the expectation to provide professional and independent assurance on IT performance and IT risks (including IT Governance) does not just come from executive management and boards; it also comes from the Institute of Internal Auditors (IIA).
The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) set the general requirements regarding IT risks in Attribute Standard 1210.A3 which states that “Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing” (key words have been underlined by the author).
More specifically, and as it relates to IT Governance, Performance Standard 2110.A2 states that “The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives” (key words have been underlined by the author). This means that internal auditors should not only have an understanding of IT Governance but should also be able to carry out an assessment of its alignment to the organization’s strategy.
To build on the Standards and provide guidance to its members, the IIA has developed Strongly Recommended Guidance on how to provide assurance on the management of IT risks. A major aspect of the Strongly Recommended Guidance is the Global Technology Audit Guides (GTAG). The GTAG series addresses technology risks and what internal auditors should consider when undertaking audits into different IT domains. The GTAG series also specifically addresses the requirement of Performance Standard 2110.A2 through GTAG 17: Auditing IT Governance(2).
GTAG 17: Auditing IT Governance is the latest in the GTAG series and was released in July 2012. It aims to provide internal auditors with guidance on what key topics/IT domains to focus on when reporting to executive management and boards. When it comes to the mindset of the executive management and boards (as well as other stakeholders), performance and delivering results is crucial. When it comes to IT investments, the proper alignment of organizational objectives and IT will result in higher returns on IT investments. To get this better alignment working, there needs to be appropriate governance structures and management processes and controls in place.
The IIA Standards define IT governance as consisting of “the leadership, organizational structures, and processes that ensure that the enterprise’s information technology supports the organization’s strategies and objectives”. The figure below from GTAG 17: Auditing IT Governance elaborates further on this concept and shows the 5 components of effective IT governance:
In the context of enterprise governance, executive management and the board direct and monitor the achievement of the organization’s strategy and evaluate viable alternatives where required. This enables the 5 components of IT Governance to work effectively. A brief description of each component follows:
- Executive Leadership & Support: The tone at the top is another key control to look for: how the board and executive management set a clear vision for IT, and how they expect IT to support the achievement of the organization’s objectives.
- Organization & Governance Structures: One of the key controls to mitigate IT risks is the appropriate setup of organizational and governance structures. This includes reporting lines, roles and authorities, adequate segregation of duties and independence where appropriate.
- Strategic & Operational Planning: Strategic and operational planning must include IT and how IT supports and enables the achievement of the organization’s objectives. Strategic performance management should be an integral component of effective IT governance.
- Service Delivery & Measurement: Proactively managing IT spending and measuring the resulting value increases the likelihood of greater ROI from IT investments. A financial model should be part of the performance management used by the organization, and it should include IT metrics.
- IT Organization & Risk Management: How are IT risks and resources managed? This relates back to the other four components, depending in particular on the tone at the top and on how the board and executive management provide adequate support, set both the vision and more specific objectives, and give clear direction based on a balanced assessment of risks in relation to performance versus conformance and control.
The 5 components ensure that key IT risks are addressed and that performance vs. conformance is balanced. The analysis of details under the 5 components helps to achieve this balance.
The Link to COBIT 5
Internal auditors can also rely on guidance from ISACA to address the mandatory requirements of IIA Standard 2110.A2. The Control Objectives for Information and Related Technology (COBIT) is ISACA’s framework for IT governance and management(3). Similar to GTAG 17, COBIT 5 also emphasizes that IT Governance should evaluate stakeholder requirements, direct IT through prioritization and key decisions, and monitor performance(3). The components of GTAG 17 can be mapped against the COBIT 5 enablers and the enabling processes. For some IT auditors, the COBIT 5 approach may be the preferred way to evaluate IT Governance, but it takes more time and depends on the maturity of the organization’s IT processes.
The Role of Internal Audit
To describe the role of internal audit in IT Governance, GTAG 17: Auditing IT Governance(2) states that “the internal audit activity should address this inherently high-risk area”. However, according to Protiviti’s 3rd Annual IT Audit Benchmarking Survey(4), even though IT governance was named as one of the top technology challenges faced by organizations, only 48% of companies with annual revenues above $5 Billion had completed an evaluation of IT governance in accordance with Performance Standard 2110.A2.
As mentioned earlier, internal auditors need to provide assurance that IT risks are being managed adequately. Any audit carried out on IT Governance should focus on the 5 components described in GTAG 17: Auditing IT Governance (which also provides detailed guidance on what audit procedures should be carried out). Even before starting the audit, internal auditors need to be confident that they:
1) Have a good understanding of the organization’s strategy and the IT department’s strategy.
2) Possess the knowledge and skills required to carry out IT Governance audits. Specialized certifications such as ISACA’s Certified in the Governance of Enterprise IT (CGEIT)(5) can give internal auditors both skills and credibility when auditing IT Governance, in addition to ISACA’s Certified Information Systems Auditor (CISA) certification.
IT Governance is an essential component to review when providing assurance on IT performance and IT risks. Internal auditors need to understand IT Governance and its components in order to carry out an effective audit. The IIA’s GTAG 17 is a very good tool for equipping auditors with the required skills and knowledge before they embark on an audit. For certain companies, GTAG 17 may also be a more practical option than the very comprehensive COBIT 5 framework. Regardless of the approach or framework used, internal auditors can tailor the IT Governance evaluation in the way that best suits their organization and meets the requirements of the Standards.
3. COBIT® 5, ISACA (http://www.isaca.org/)
5. http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-enterprise-it/Pages/default.aspx
STIG J. SUNDE, CISA, CIA, CGAP, CRISC is co-author of the GTAG 17: Auditing IT Governance and is a Senior Internal Auditor with Emirates Nuclear Energy Corporation in Abu Dhabi.