
Systems Based Auditing Control Matrices: Series 8 - IT Governance



Contains 18 control matrices, including the overall top-level direction and management, strategic planning, information architecture and technological direction for auditing information technology.


PDF & Word files







IT governance is a part of corporate governance that is concerned with IT performance and how the associated risks are managed. IT governance requires that those responsible for making decisions are accountable for their actions and are able to justify the investments they approve.
In order to assess IT governance and performance, a number of standards, frameworks and measures have been developed. These include:

  • COBIT (Control Objectives for Information and Related Technology)
  • ISO27001 Code of Practice for Information Security Management
  • ISO38500 Corporate Governance of Information Technology
  • ITIL (IT Infrastructure Library).

These and other sources were referred to in order to devise tests for use by general and specialist IT auditors, as well as those concerned with IT governance, in both the public and private sectors. Undertaking these tests will provide a succinct overview of the extent to which IT governance standards are being met, and provide a gap analysis so that the senior management team and the managing body can be made aware of the areas identified for improvement.

The control matrices are based upon the tried and tested Systems Based Auditing (SBA) methodology. However, the authors, Exeter City Council’s internal auditors, have enhanced traditional SBA and devised their Enterprise Risk Management Auditing (ERMA) approach by incorporating risk management techniques, particularly those in COSO’s Enterprise Risk Management – Integrated Framework (September 2004).

Series 8 contains 18 control matrices, the first of which covers the overall top-level direction and management and includes the strategic plan, information architecture and technological direction.

These control matrices are essential tools for all those responsible for auditing or reviewing IT governance, or otherwise involved in it, as they provide a means for adding value to their organisations by enabling them to assess an essential IT service that involves significant spend and faces very high risks.

The control matrices are delivered to you as a zip file containing the PDF and the Word files, to enable flexibility of use and tailoring to local circumstances. The PDF comes with a licence for the purchaser to network the matrices throughout the acquiring organisation.
