The internal audit activity is uniquely positioned and staffed within an organization to assess whether the information technology governance of the organization supports the organization’s strategies and objectives and to make recommendations as needed.
Internal audits of IT governance should focus beyond the implementation of governance practices. Internal audit adds value to the organization by assessing the effectiveness of IT governance components, and providing assurance to stakeholders that principles and practices are followed and working as intended. Internal audit assessments will likely include activities such as:
- Assessing the degree to which IT governance activities and standards are consistent with the internal audit activity’s understanding of the organization’s risk appetite.
- Conducting consulting engagements as allowed by the audit charter and approved by the board.
- Ongoing dialogue with senior management and the board to ensure that substantial organizational and risk changes are being addressed in a timely manner.
As the second edition of “Auditing IT Governance,” this GTAG* has been updated to reflect the 2017 International Professional Practices Framework and to be more directly practical to internal auditors. This edition provides tools and techniques to help internal auditors build a work program and perform engagements involving IT governance.
*Under Review: This practice guide contains some outdated material and references. It remains available while a review is underway.