The Institute of Internal Auditors (IIA) states, in Standard 2110, that “the internal audit activity must assess whether the information technology governance of the organisation supports the organisation’s strategies and objectives”, and publishes a Global Technology Audit Guide (GTAG® 17) titled Auditing IT Governance.
IIA IT Governance Model
The IIA’s IT governance model incorporates elements of ISO/IEC 38500, and GTAG 17 draws heavily on the ISACA® COBIT® framework. COBIT is not the only control framework used for IT governance, but it is one of the most widely deployed, particularly in public sector organisations and large enterprises.
GTAG 17 provides guidance on auditing IT governance under five main headings:
- Organization and Governance Structures
- Executive Leadership and Support
- Strategic and Operational Planning
- Service Delivery and Measurement
- IT Organization and Risk Management
IT Governance Audit Assurance
The assurances that stakeholders typically look for from internal audit work on IT governance include answers to the following questions:
- Do the board and top management really understand their roles in making IT governance effective?
- Is IT management competent, and is it genuinely part of the top management team?
- Is IT genuinely contributing to the achievement of the organisation’s strategic and tactical objectives?
- Is there a robust (planned and tested) IT risk management framework in place, specifically covering IT projects, GDPR compliance, cyber security and ICT continuity?
- Is IT able to identify and prioritise key technology changes that will enhance organisational performance?
- Do IT metrics really measure IT performance in terms of value delivery, resource optimisation and risk reduction?