Question

12) What are the 5 component of effect IT Governance? For one component, identify 2-3 indicators of possible misalignment between the organization and IT as well as the associated risks. Describe at least 3 activities/questions that an internal auditor could perform/ask in order to evaluate controls related to each risk and also describe the associated evidence the auditor would seek

Answer 1

Definition of IT governance

IT governance is an element of corporate governance, aimed at improving the overall management of IT and driving improved value from investment in information and technology.

IT governance frameworks enable organisations to manage their IT risks effectively and ensure that the activities associated with information and technology are aligned with their overall business objectives.

The five domains or elements of IT governance

• Strategic Alignment: Definition, maintenance, and IT value validation, through the alignment of IT operations with other business operations;
• Value Delivery: Ensures the delivery of strategic benefits, with cost optimization and the intrinsic value of IT;
• Resource Management: Investment optimization and management of critical IT resources such as Applications, Information, Infrastructure, and People;
• Risk Management: Understanding the corporate appetite for risk, regulatory compliance requirements, and transparency. Understanding of the significant risks to the business and implementing risk management responsibilities within the organization;
• Performance Measurement: Monitor implementation strategies, project closures, and resource utilization. Perform the process of delivering IT services in a Balanced Scorecard framework that transforms strategy into effective action, for achieving measurable objectives (indicators).

Key risk Indicators:

1 Business interruption. 2 Reputational damage. 3 Breach of customer information. 4 Data or software damage. 5 Extortion or ransomware. 6 Third-party liability resulting from systems breaches. 7 Disruption/interruption of industrial systems or other operational technology. 8 Loss/theft of intellectual property. 9 Contingent business interruption (supply chain). 10 Physical property damage and/or bodily injury.