The primary goal of auditing information systems is to determine whether IT processes support business requirements in the most effective and secure manner. As a starting point, the IS auditor should review the following:
Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan. Strategic PlanningThe goal of strategic planning is to ensure that the organization's long-term (three- to five-year) and short-term (one-year) strategies are defined in writing and that there is a regular review process. The strategic plans make sure that the organization meets its goals and objectives and, if there is a proper review cycle, reflect the current direction of the organization and its business units. Although the strategic objectives are the responsibility of senior management, the planning process should include the senior managers, managers of the business units, and IT managers. An organization's implementation of IT will be less likely to succeed if senior management is not committed to strategic planning. IT management then can align the IS strategy with the business strategy. This sounds like a simple process, but a number of companies create both the business and IS strategy but do not have a process for regular review and update. Above all else, the IS strategy must support the business objectives of the organization. When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered. The auditor should not focus on actual procedures during an audit of IS strategy. Policies and procedures define the actual operational implementation of the strategic plan and, like the strategic plan, should have a formal process for creation, communication, and review. As stated earlier, policies and procedures are subject to change more often than the strategic plan as they guide operational activities. An IS auditor not only reviews the policies and procedures, but through interview and observation, the auditor also determines whether the procedures are being followed, aligns them with the strategic plan, and guides current operational activities. In addition to creating a formal process for review and update, the auditor should be able to identify specific ownership for these activities and how often they are performed. Undefined creation, review, and communication or ownership are indicators of the absence of a formal process.
Involving senior management in the development of a strategic plan is critical to planning success. IS Steering CommitteeThe IS steering committee ensures that the IT department's strategy and implementation of the strategy directly align with the business strategy as well as the corporate mission and objectives. The steering committee is composed of senior managers who assist in the selection, approval, prioritization, and ongoing review of major IT projects, planning, and budgets. The IS auditor looks for the existence of a formalized committee with a charter, procedures, and defined responsibilities. The IT steering committee maintains detailed meeting minutes as a part of its ongoing reporting to senior management. This reporting ensures that the board of directors and senior management are informed of major IT projects and the status of ongoing projects in a timely manner. The term "major IT projects" is an important distinction to the IS auditor, evidence that the IT steering committee is getting involved in the day-to-day operations of the IT department. This is an indicator that the committee might not be following the charter or is unclear in its responsibilities. If the committee is providing guidance on day-to-day operations, it will have difficulty determining whether the projects and budgets are aligned with the business objectives, and its reporting to senior management will reflect operational issues instead of overall strategy. This type of review will not ensure alignment or the efficient and effective use of IT resources. The absence of a formal, chartered IT steering committee could indicate that IT projects are not aligned with the organization's strategy. With a lack of external controls (the IT steering committee), some projects might not support the mission of the organization, or projects might not come in on time or within budget.
A primary purpose of the IS steering committee is to ensure efficient use of data-processing resources. |