IT Governance Audit:

The Role of Internal Auditors


Michael K. H. Chan
Adjunct Professor,
School of Accounting and Finance,
The Hong Kong Polytechnic University

Chief Executive
C&C Advisory Services Limited

CS1 - 5
Disclaimer
• The materials of this conference are intended to provide general information and
guidance on the subject concerned. Examples and other materials in this
conference are only for illustrative purposes and should not be relied upon for
technical answers. The Institute of Internal Auditors (The IIA), the speaker(s) and
the firm(s) that the speaker(s) is representing take no responsibility for any errors
or omissions in, or for the loss incurred by individuals or companies due to the use
of, the materials of this conference.

• No claims, action or legal proceedings in connection with this conference brought
by any individuals or companies having reference to the materials on this
conference will be entertained by the IIA, the speaker(s) and the firm(s) that the
speaker(s) is representing.
Contents
• What is IT Governance
- Definition
- IT Governance vs. Corporate Governance and Governance
- Purpose of IT Governance
• Requirements
- Internal --- The 5 Focus Areas
- External Driving Forces
• Concerns and Problems
• Role of Internal Auditors
- Standards and Guidelines
- Approach and Methodology
- Proposed Audit Activities
- Choosing a Framework
• Conclusion
What is IT Governance?
• IT Governance is a subset discipline of Corporate Governance
focused on information technology (IT) systems and their
performance and risk management.
• The rising interest in IT governance is partly due to
compliance initiatives (e.g. Sarbanes-Oxley and Basel II).
• Acknowledgment that IT projects can easily get out of control
and profoundly affect the performance of an organization.

From Wikipedia
What is IT Governance?
ITGI definition:

“IT governance is the responsibility of the board of directors
and executive management. It is an integral part of
enterprise governance and consists of the leadership and
organizational structures and processes to ensure that the
organization’s IT sustains and extends its strategies and
objectives.”
Corporate Governance

“Corporate governance is the set of processes, customs, policies,
laws, and institutions affecting the way a corporation (or company)
is directed, administered or controlled. Corporate governance also
includes the relationships among the many stakeholders involved
and the goals for which the corporation is governed. The principal
stakeholders are the shareholders/members, management, and the
board of directors. Other stakeholders include labour (employees),
customers, creditors (e.g., banks, bond holders), suppliers,
regulators, and the community at large.”

From Wikipedia
Corporate Governance
“Corporate governance involves a set of relationships between a company’s
management, its board, its shareholders and other stakeholders. Corporate
governance also provides the structure through which the objectives of the
company are set, and the means of attaining those objectives and monitoring
performance are determined. Good corporate governance should provide
proper incentives for the board and management to pursue objectives that
are in the interests of the company and its shareholders and should facilitate
effective monitoring.”

From – “OECD Principles of Corporate Governance 2004”


Corporate Governance vs IT Governance

Several definitions with common elements:

• Responsibility of the board of directors
• Protects shareholder value
• Ensures risk transparency
• Directs and controls IT investment, opportunity, benefits and risks
• Aligns IT with the business while accepting IT is a critical input to and
component of the strategic plan, influencing strategic opportunities
• Sustains the current operation and prepares for the future
• Is an integral part of a global governance structure
Governance

“… a process effected by an entity's board of directors, management and
other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and manage
risks to be within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO

Governance

“the combination of processes and structures implemented by the board to
inform, direct, manage, and monitor the activities of the organization toward
the achievement of its objectives.”

“International Standards for the Professional Practice of Internal Auditing,
The Institute of Internal Auditors”
What does it mean?

Governance is about deciding the "who, what, when, why, and how" of
decision-making.
• The decisions required by the organization (the "what")
• The roles (the "who") in the organization that are accountable for which
decisions
• Policies that guide how the decisions should be made (the "why")
• The measures that enable informed decision-making (the "how")
• At what point in the governance process is the decision appropriately
made? (the "when")
Purpose of IT Governance
• Establish and clarify accountability and decision rights (clearly
define roles and authority).
• Manage risks, change and contingency proactively.
• Improve IT organizational performance, compliance, maturity
and staff development.
• Improve customer service and overall responsiveness.
• Align IT investments and priorities more closely with the business.
• Manage, evaluate, prioritize, fund, measure and monitor requests for IT
services and the resulting work and deliverables, in a more consistent and
repeatable manner that optimizes returns to the business.
• Manage the responsible utilization of resources and assets.
• Ensure that IT delivers on its plans, budgets and commitments.
The Requirements
IT Governance – the 5 Focus Areas

[Figure slides: the five ITGI IT governance focus areas; the diagrams were not recoverable from the extracted text.]

IT Governance – Driving Forces

[Figure: external driving forces for IT governance]
• Business/IT Alignment
• Compliance
• ROI
• Security
• Project Execution

Source: © 2007 IT Governance Institute. All rights reserved. www.itgi.org

Concerns and Problems
The Concerns of Audit Committee Members
• Low levels of satisfaction with management’s IT governance
processes
• Little confidence in the board’s/audit committee’s oversight of IT
governance
• The audit committee’s role and responsibilities in oversight of IT
governance, including IT risks
• Concern about IT security
• A need for better reporting on critical IT projects and outsourcing
risks
- KPMG Survey
Problems in implementing IT Governance

• The three Cs (culture, resistance to change, communications);
• Internal politics – IT Governance often brings a shift in decision rights and
associated power; resistance to acceptance of standards/policies;
• Resistance to accept accountability – some organizations report strong
resistance by the business in accepting accountability for IT-related
investments as part of newly introduced IT Governance arrangements;
and
• Obtaining sufficient business involvement in governance initiatives.
The Role of Internal Audit
The Role of Internal Auditors
International Professional Practices Framework (IPPF)
• “Definition of Internal Auditing”
- “….improve the effectiveness of risk management, control and
governance processes”
International Standards for the Professional Practice of Internal Auditing
(Standards)
• Performance Standard 2110 – Governance
- “Ensuring effective organizational performance management and
accountability”
- “Communicating risk and control information to appropriate areas
of the organization”
• 2110.A2 – The internal audit activity must assess whether the information
technology governance of the organization sustains and supports the
organization’s strategies and objectives.
The Role of Internal Auditors
Practice Advisories
• PA 2110-1: Governance: Definition
- “As a consequence of the variation in the design and structure of
governance, the CAE should work with the board and the executive
management team, as appropriate, to determine how governance should
be defined for audit purpose.”
• PA 2110-2: Governance: Relationship With Risk and Control
- “Governance does not exist as a set of distinct and separate processes
and structures. Rather, there are relationships among governance, risk
management, and internal controls”
The Role of Internal Auditors
Practice Advisories
• PA 2110-3: Governance: Assessment
- “Typically, internal auditors provide independent, objective assessments of
the design and operating effectiveness of the organization’s governance
processes. They also may provide consulting services and advice on ways to
improve those processes.”
The Roles of Internal Auditors

Based on ITGI’s IT Governance Implementation Guide:

• Initiating IT governance programme
• Assessing the current state
• Planning IT governance solution
• Monitoring IT governance initiatives
• Helping make IT governance “business as usual”
Approach and Methodology

IPPF Standards
• Attribute Standards
- 1200 - Proficiency and Due Professional Care
• Performance Standards
- 2010 - Planning
- 2030 - Resource Management
- 2110 - Governance
- 2220 - Engagement Scope
Approach and Methodology
CobiT 4.1 (ITGI)
• Four Domains
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring and Evaluation
IS Auditing Standard (ISACA)
• S10 - IT Governance
IS Auditing Guideline (ISACA)
• G18 – IT Governance
Proposed Audit Activities
Based on IS Auditing Standard IT Governance S10
1. Review and assess whether the IS function aligns with the organization’s
mission, vision, values, objectives and strategies.
2. Review whether the IS function has a clear statement about the
performance expected by the business (effectiveness and efficiency) and
assess its achievement.
3. Review and assess the effectiveness of IS resource and performance
management processes.
4. Review and assess compliance with legal, environmental and information
quality, and fiduciary and security requirements.
5. Review and assess the control environment of the organization.
6. Review and assess the risks that may adversely affect the IS environment.
Choosing a framework

• COSO
• CobiT
• ISO/IEC 27001:2005
• ISO/IEC 38500:2008
• AS 8015-2005
• ITIL
Choosing a framework
COSO (Committee of Sponsoring Organizations): guidelines on many
functions:
- human resources
- external resources
- operations
- procurement
- inbound/outbound logistics
- reporting
- risk
- information technology
- legal affairs
- marketing and sales
- financial functions

• COSO is a more business-general framework than an IT-specific one.
Choosing a framework
CobiT: the most popular
• Basically, it’s a set of guidelines and supporting toolset for IT governance
that is accepted worldwide.
• CobiT is well-suited to organizations focused on risk management and
mitigation.
• CobiT is perceived to be a valuable framework for IT governance (89%
report satisfied).
• The latest version, released in May 2007, is COBIT® 4.1.

[Figure: The COBIT Framework. © 2009 ISACA. All rights reserved.]
Choosing a framework
ISO/IEC 38500:2008 Corporate governance of Information Technology
• Provides a framework for effective governance of IT to assist those at the
highest level of organizations to understand and fulfill their legal,
regulatory, and ethical obligations in respect of their organization’s use of
IT
• Six principles of good corporate governance of IT
– responsibility
– strategy
– acquisition
– performance
– conformance
– human behaviour
Choosing a framework
ITIL: The Information Technology Infrastructure Library
• eight sets of management procedures
– service delivery
– service support
– service management
– ICT infrastructure management
– software asset management
– business perspective
– security management
– application management
• ITIL is a good fit for organizations concerned about operations
Conclusion
• IT Governance is an integral part of corporate governance.
• IT governance ensures that IT goals are met and IT risks are mitigated such
that IT delivers value to sustain and grow the organization.
• IT governance drives strategic alignment between IT investment and
service delivery and ensures measurement of performance.
• In order to assist in the development of effective IT governance, Internal
Auditors must:
- Ensure IT Governance is on the Agenda
- Contribute to the development of IT performance metrics
- Promote IT Governance strategies
Questions?
Resources
Global Technology Audit Guides (GTAG®)
PG GTAG-1: Information Technology Controls
PG GTAG-2: Change and Patch Management Controls: Critical for Organizational Success
PG GTAG-3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
PG GTAG-4: Management of IT Auditing
PG GTAG-5: Managing and Auditing Privacy Risks
PG GTAG-6: Managing and Auditing IT Vulnerabilities
PG GTAG-7: Information Technology Outsourcing
PG GTAG-8: Auditing Application Controls
PG GTAG-9: Identity and Access Management
PG GTAG-10: Business Continuity Management
PG GTAG-11: Developing the IT Audit Plan
PG GTAG-12: Auditing IT Projects
PG GTAG-13: Fraud Prevention and Detection in an Automated World
PG GTAG-14: Auditing User-developed Applications
PG GTAG-15: Information Security Governance
Resources

Guide to the Assessment of IT Risk (GAIT)

The GAIT Methodology

GAIT for IT General Control Deficiency Assessment

GAIT for Business and IT Risk


More Information

• www.theiia.org
• www.itgi.org
• www.isaca.org
Feel free to contact me with questions:

Michael K. H. Chan,
FCPA, FCPA(Aus), FCCA, ACA, CISA, MHKCS, FHKIoD, MHKSI, FLMI

C&C Advisory Services Limited


mkh.chan@candcadvisory.com
THANK YOU !