
Chapter 4

Auditing in IS strategies and Management Organization structures, Long term and
short term plans, steering and other committees, HR and IT policies, Segregation of
Duties etc.

The IT Infrastructure Library (ITIL) is so named because it originated as a collection of books
(standards), each covering a specific 'practice' within IT management. After the initial
published works, the number of publications quickly grew (within ITIL v1) to over 30 books.
In order to make ITIL more accessible (and affordable) to those wishing to explore it, one of
the aims of the ITIL v2 project was to consolidate the works into a number of logical 'sets'
that grouped related process guidelines for the different aspects of managing Information
Technology systems, applications and services.
The eight ITIL books and their disciplines are:
The IT Service Management sets relating to
1. Service Delivery
2. Service Support
Other operational guidance relating to
3. ICT Infrastructure Management
4. Security Management
5. The Business Perspective
6. Application Management
7. Software Asset Management
To assist with the implementation of ITIL practices, a further book was published
providing guidance on implementation (mainly of Service Management):
8. Planning to Implement Service Management
Details of the ITIL Framework
(a) The Service Support ITIL discipline is focused on the User of the ICT services and is
primarily concerned with ensuring that users have access to the appropriate services to
support the business functions. When a user reports an issue, the service desk will try to
resolve it if there is a direct solution, or will otherwise create an incident. Incidents initiate
a chain of processes: Incident Management, Problem Management, Change Management,
Release Management and Configuration Management.

(b) The goal of Problem Management is to resolve the root cause of incidents and thus to
minimize the adverse impact on the business of incidents and problems that are caused by
errors within the IT infrastructure, and to prevent recurrence of incidents related to these
errors. A 'problem' is an unknown underlying cause of one or more incidents, and a
'known error' is a problem that has been successfully diagnosed and for which a work-around
has been identified.
(c) Configuration Management is a process that tracks all of the individual Configuration
Items (CI) in a system. A system may be as simple as a single server, or as complex as
the entire IT department. Configuration Management includes:
• Creating a parts list of every CI (hardware or software) in the system.
• Defining the relationships of CIs in the system.
• Tracking the status of each CI, both its current status and its history.
• Tracking all Requests for Change to the system.
• Verifying and ensuring that the CI parts list is complete and correct.

There are five basic activities in configuration management:
• Planning
• Identification
• Control
• Status accounting
• Verification and Audit
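The Verification and Audit activity amounts to reconciling the recorded parts list against what is actually deployed. The following Python script is an added example, not part of this chapter or of ITIL itself; the CI records, the relationships and the "discovered" inventory are constructed for illustration, and the finding categories are my own naming.

```python
"""Reconcile a recorded CI parts list (the CMDB) against a discovered inventory.

Constructed example: every record below is made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfigurationItem:
    ci_id: str
    ci_type: str   # e.g. "server" or "software"
    version: str
    status: str    # e.g. "live" or "retired"


# Recorded parts list, i.e. what the CMDB says exists (constructed).
RECORDED_CIS = [
    ConfigurationItem("SRV-01", "server", "fw-2.1", "live"),
    ConfigurationItem("SRV-02", "server", "fw-2.0", "retired"),
    ConfigurationItem("APP-PAY", "software", "3.4.0", "live"),
    ConfigurationItem("DB-PAY", "software", "12.1", "live"),
]

# Recorded relationships as (dependent CI, supporting CI) pairs (constructed).
RECORDED_RELATIONSHIPS = [
    ("APP-PAY", "DB-PAY"),
    ("APP-PAY", "SRV-01"),
    ("DB-PAY", "SRV-03"),   # SRV-03 is referenced but absent from the parts list
]

# What an inventory scan actually found (constructed).
DISCOVERED_CIS = [
    ConfigurationItem("SRV-01", "server", "fw-2.1", "live"),
    ConfigurationItem("SRV-02", "server", "fw-2.0", "live"),    # recorded as retired
    ConfigurationItem("APP-PAY", "software", "3.5.0", "live"),  # version differs
    ConfigurationItem("SRV-03", "server", "fw-1.9", "live"),    # never registered
]


def reconcile(recorded, relationships, discovered):
    """Return audit findings as a sorted list of (category, ci_id, detail) tuples."""
    rec = {ci.ci_id: ci for ci in recorded}
    disc = {ci.ci_id: ci for ci in discovered}
    findings = []

    # Completeness: everything discovered must appear in the parts list.
    for ci_id in disc.keys() - rec.keys():
        findings.append(("unregistered", ci_id, "discovered but not in CMDB"))

    # Correctness: every live record must be found, with matching attributes.
    for ci_id, ci in rec.items():
        if ci_id not in disc:
            if ci.status == "live":
                findings.append(("missing", ci_id, "recorded as live but not discovered"))
            continue
        seen = disc[ci_id]
        if seen.version != ci.version:
            findings.append(("version_drift", ci_id,
                             f"CMDB {ci.version}, found {seen.version}"))
        if seen.status != ci.status:
            findings.append(("status_mismatch", ci_id,
                             f"CMDB {ci.status}, found {seen.status}"))

    # Relationship integrity: both ends of a relationship must be recorded CIs.
    for dependent, supporting in relationships:
        for end in (dependent, supporting):
            if end not in rec:
                findings.append(("dangling_relationship", end,
                                 f"{dependent} -> {supporting}"))

    return sorted(findings)


if __name__ == "__main__":
    for category, ci_id, detail in reconcile(RECORDED_CIS, RECORDED_RELATIONSHIPS,
                                             DISCOVERED_CIS):
        print(f"{category:22} {ci_id:8} {detail}")
```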
(d) Release Management is used for platform-independent and automated distribution of
software and hardware, including license controls, across the entire IT infrastructure.
Proper Software and Hardware Control ensures the availability of licensed, tested and
version-certified software and hardware, which will function correctly with the available
hardware. Quality control during the development and implementation of new hardware
and software is also the responsibility of Release Management. This guarantees that all
software can be optimized to meet the demands of the business processes. The goals of
release management are:
• Plan the rollout of software
• Design and implement procedures for the distribution and installation of changes to
IT systems
• Effectively communicate and manage expectations of the customer during the
planning and rollout of new releases
• Control the distribution and installation of changes to IT systems
(e) Service Delivery: The Service Delivery discipline is primarily concerned with the
proactive and forward-looking services that the business requires of its ICT provider in
order to provide adequate support to the business users. It is focused on the business as
the Customer of the ICT services (compare with: Service Support). The discipline
consists of the following processes, explained in subsections below:
• Service Level Management
• Capacity Management
• IT Service Continuity Management
• Availability Management
• Financial Management
(f) Service Level Management: Service Level Management provides for continual
identification, monitoring and review of the levels of IT services specified in the Service
Level Agreements (SLAs). Service Level Management ensures that arrangements are in
place with internal IT support providers and external suppliers in the form of Operational
Level Agreements (OLAs) and Underpinning Contracts (UpCs). The process involves
assessing the impact of change upon service quality and SLAs.
(g) Capacity Management: Capacity Management supports the optimum and cost-effective
provision of IT services by helping organizations match their IT resources to the business
demands. The high-level activities are Application Sizing, Workload Management,
Demand Management, Modelling, Capacity Planning, Resource Management, and
Performance Management.
(h) Security Management: The ITIL process Security Management describes the structured
fitting of information security into the management organization. ITIL Security Management
is based on the code of practice for information security management, also known as
ISO/IEC 17799. A basic concept of Security Management is information security. The
primary goal of information security is to guarantee the safety of the information. Safety
means being protected against risks; security is the means of being safe against risks. When
protecting information, it is the value of the information that has to be protected. That
value is stipulated by confidentiality, integrity and availability. Inferred aspects are
privacy, anonymity and verifiability.
(i) ICT Infrastructure Management: ICT Infrastructure Management processes recommend
best practice for requirements analysis, planning, design, deployment and ongoing
operations management and technical support of an ICT Infrastructure. The
Infrastructure Management processes describe those processes within ITIL that directly
relate to the ICT equipment and software that is involved in providing ICT services to
customers.
• ICT Design and Planning
• ICT Deployment
• ICT Operations
• ICT Technical Support
(j) The Business Perspective: The Business Perspective is the name given to the
collection of best practices suggested to address some of the issues often
encountered in understanding and improving IT service provision, as a part of the entire
business requirement for high IS quality management. These issues are:
• Business Continuity Management describes the responsibilities and opportunities
available to the business manager to improve what is, in most organizations, one of
the key contributing services to business efficiency and effectiveness.
• Surviving Change. IT infrastructure changes can impact the manner in which
business is conducted or the continuity of business operations. It is important that
business managers take notice of these changes and ensure that steps are taken to
safeguard the business from adverse side effects.
• Transformation of business practice through radical change helps to control IT and
to integrate it with the business.
• Partnerships and outsourcing.
(k) Application Management: The ITIL Application Management set encompasses a set of best
practices proposed to improve the overall quality of IT software development and support
through the life-cycle of software development projects, with particular attention to
gathering and defining requirements that meet business objectives.
(l) Software Asset Management: Organisations rely increasingly on technology in order to
operate profitably, and software as such should be treated as a valuable asset. Good
Software Asset Management, achieved through Best Practice, enables organisations to
save money through effective policies and procedures which are continuously reviewed
and improved. Software Asset Management is a part of overall IT Service Management,
best illustrated by the IT Infrastructure Library (ITIL) guides, which is the most widely
accepted approach to providing a comprehensive and consistent set of best practices.

Auditing organization
The auditing organization has the regulatory authority, or is designated by the regulatory
authority, to perform audits, the results of which are evidence of the auditee's
compliance or non-compliance with the regulatory requirements for quality management
systems. Associated with this authority are the responsibilities for management and
performance of all audit activities.
The responsibilities of the auditing organization for audit management include:
a) complying with relevant regulatory requirements for audit management
b) following the principles of these guidelines
c) following applicable standards
d) training, authorizing, selecting and supervising auditors
e) establishing methods to ensure consistency in the interpretation of the regulatory
requirements
f) maintaining the means of providing prompt guidance which may be required by the
audit team during the audit
g) safeguarding the confidentiality of all documents and information obtained in
association with the audit
h) establishing and complying with a code of ethics
i) informing the appropriate authority on decisions taken when required by the
regulatory requirements

Audits do not result in a transfer of the responsibility to achieve quality objectives from
the manufacturer to the auditing organization.
In conjunction with the lead auditor, the responsibilities of the auditing organization for
audit performance include:
a) complying with relevant regulatory requirements for auditing
b) agreeing on the scope of the audit, including the standards or other documents to
be used, with the manufacturer as necessary to comply with and as permitted by
the regulatory requirements
c) planning, organizing, evaluating and reporting on the audit
d) selecting the auditors
e) agreeing to the language of the audit
f) decision making with regard to applicable regulatory requirements resulting from
nonconformities discovered during the audit and subsequent verification of
corrections and/or corrective actions

The responsibilities of auditors include:
a) complying with the applicable regulatory requirements for auditing
b) helping the auditee understand the regulatory requirements
c) planning and carrying out assigned responsibilities objectively, effectively and
efficiently within the audit scope and in accordance with a code of ethics for
auditors established and documented by the auditing organization
d) co-operating with and supporting the lead auditor
e) collecting, analyzing and, where appropriate, documenting objective evidence
that is relevant and sufficient to permit the establishment of conclusions
regarding compliance of the quality management system with regulatory
requirements and the effectiveness of its implementation in meeting quality
objectives
f) establishing the extent to which the procedures, documents and other
information describing or supporting the required elements of the quality
management system are known, available, understood and used by the
auditee's personnel
g) remaining alert to any indications or evidence that can influence the audit
results and possibly require more extensive auditing
h) informing the lead auditor of audit findings in a timely manner
i) assisting the lead auditor in preparing the report of the audit
j) informing the lead auditor immediately of any major obstacles encountered in
performing the audit
k) safeguarding the confidentiality of all documents and information obtained in
association with the audit:
   i) when submitting such documents to the auditing organization through the
   lead auditor
   ii) treating privileged information with discretion
l) verifying that corrective actions have been taken and have been effective:
   i) as a result of a previous audit
   ii) during the audit, as feasible
   iii) based on experience gained with devices on the market (e.g. post market
   surveillance)
   iv) based on incidents of a serious nature
m) minimizing disruption to the auditee's personnel and processes during the audit
while attaining the audit's objectives
n) complying with any health and safety or other applicable requirements of the
auditee

Importance of IT Audit Planning, Both Short Term and Long Term

Whether it is IT audit or general audit planning, it consists of both short term and long term
planning. Short term audit planning involves the risks and issues within that year. Long term
planning is strategic planning involving the long term goals of IT planning.
One of the most important aspects is that IT Auditors should understand the environment
where the audit will be performed. The IT Auditor should take into consideration planned
systems implementations or upgrades, the technologies associated with the organization, the
business process owners' requirements and the IT resource limitations of the organization.
One should plan for both the short term and the long term. Especially with so much change
in IT organizations, structure-wise and technology-wise, planning is very important.
Today's internal auditors must provide to their audit committees explicit assurance on
organizational governance, as well as meet ever-increasing demands of management and
other stakeholders. They must excel as internal control and risk management experts to
ensure the controls over key systems and business processes are robust and effective. To
meet these high expectations, a solid staffing strategy is essential. It is the responsibility of
the Chief Audit Executive (CAE) to establish an effective program for selecting and
developing the internal audit team.
The skill mix, depth, and size of the audit team should be determined by the services
expected by the audit committee and management in order to meet organizational needs.
The resulting audit plan should be based on an assessment and ranking of risks, critical
systems, and processes across the organization, and should consider the organization's
long-term business objectives, expansion plans, and growth strategies, as well as short-term
changes in the control environment such as M&A activities, major system
implementations, and reengineering of business processes.
Audit Committee:
Audit committees are a key institution in the context of corporate governance because they
help boards of directors fulfill their financial and fiduciary responsibilities to shareholders.
Through their audit committees, boards of directors establish a direct line of communication
between themselves and the internal and external auditors as well as the chief financial
officer. Such an organizational structure and reporting responsibility in an environment of
free and unrestricted access enables full boards of directors not only to gain assurance
about the quality of financial reporting and audit processes, but also to approve of
significant accounting policy decisions. Moreover, strong and effective audit committees,
through their planning, review, and monitoring activities, can recognize problem areas and
take corrective action before such problems impact the company's financial statements and
investors. Thus, audit committees have an important role in helping boards of directors
avoid litigation risk because such committees provide due diligence related to financial
reporting.
Requirement For Audit Committees
Audit committees have long been seen as an important group in assuring greater corporate
accountability in the United States. The value of such committees has been noted by the
U.S. Congress, the U.S. Securities and Exchange Commission, the New York Stock
Exchange, and the American Institute of Certified Public Accountants. Audit committees are
required by the New York Stock Exchange, American Stock Exchange, and National
Association of Securities Dealers (NASDAQ/NMS issuers).
Key recommendations and decisions in the evolution of audit committees in the United
States include the following:
1940: The Securities and Exchange Commission (SEC) recommended the establishment of
audit committees (Accounting Series Release No. 19). Specifically, the SEC
recommended that shareholders elect the auditors at annual meetings and a
committee of nonofficer directors nominate the auditors. Also, the New York Stock
Exchange Board of Governors issued a similar recommendation.
1967: The executive committee of the American Institute of Certified Public Accountants
(AICPA) recommended that publicly held corporations establish audit committees to
nominate the auditors and discuss the audit.
1972: The SEC issued Accounting Series Release No. 123, "Standing Audit Committees
Composed of Outside Directors."
1973: The New York Stock Exchange (NYSE) issued a white paper, "Recommendations and
Comments on Financial Reporting to Shareholders and Related Matters," strongly
recommending that each listed company form an audit committee.
1974: The SEC amended Regulation 14A dealing with the proxy rules. Registrants are
required to disclose in their proxy statements the existence of audit committees and
the names of the committee members.
1977: A NYSE audit committee policy statement required each domestic corporation listed
on the exchange to establish and maintain an audit committee of outside directors
before July 1, 1978.
1987: The National Commission on Fraudulent Financial Reporting recommended that the
SEC require that all public companies have audit committees.
1987: The National Association of Securities Dealers required each NASDAQ/NMS issuer to
establish an audit committee.
1991: Congress passed the Federal Deposit Insurance Corporation Improvement Act. The
law provided for the establishment of audit committees for insured depository
institutions that have total assets of $150,000,000 or more.
1993: American Stock Exchange required its listed companies to establish audit
committees.
1994: The American Law Institute issued Principles of Corporate Governance: Analysis and
Recommendations. The Institute strongly supported and endorsed the concept of
audit committees.
1999: The Independence Standards Board issued its first standard, "Independence
Discussions with Audit Committees," which requires independent auditors to issue an
annual independence confirmation to the audit committee of the company.
1999: The SEC approved changes to its rules to implement several of the recommendations
by the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit
Committees. Registrants are required to disclose information about audit committee
composition and practices.
In addition to the presence of audit committees on U.S. stock exchanges, a number of stock
exchanges in Canada, Europe, Africa, the Middle East, and the Asia/Pacific region have
adopted audit committees. As worldwide financial markets expand and more companies are
listed on major stock exchanges in different countries, the international investing public's
demand for consistent and equal oversight protection through the use of audit committees
will continue. In addition, international investors are concerned about the quality of
corporate governance because of the impact of financial collapses and alleged frauds on
securities markets.
In response, a number of stock exchanges have adopted audit committees to increase
transparency and competence in the management of their listed member companies in
order to deal effectively with attracting foreign equity investment.
Organization and Structure of Audit Committees:
Boards of directors form their audit committees by either passing a board resolution or
amending corporate bylaws. Audit committees' responsibilities should be clearly defined and
documented in their charter. Although the scope of the audit committees' responsibilities is
predetermined by boards, the committees should be allowed to expand their charge with
board approval and investigate significant matters that impact financial reporting
disclosures.
Boards of directors should carefully give consideration to the following points with respect to
their appointments of directors to audit committees:
1. Number of directors: The number of independent directors appointed to audit
committees depends on the nature of the business and industry dynamics, the size
of the company, and the size of the board of directors. The general consensus seems
to be that three to five members are adequate.
2. Composition: Because members of audit committees have varied backgrounds and
occupations, they provide a mix of skills and experience. Although the members have
different levels of expertise, it is strongly advisable to have at least one individual
who has a financial accounting background.
3. Meetings: Audit committees meet from one to four times each year, with three or
four meetings being the most common schedules.

Nature of Audit Committees' Responsibilities:

Boards of directors define the role and responsibilities of their audit committees. This
jurisdictional charge is usually disclosed in the audit committees' written charter, which
includes the terms of reference, such as mission statement, membership (size and
composition), term of service, frequency of meetings, scope of responsibilities, and
reporting responsibilities. Audit committees are primarily responsible for the quality related
to such matters as:
• External auditing process
• Internal auditing process
• Internal controls
• Conflicts of interest (code of corporate conduct, fraud prevention)
• Financial reporting process
• Regulatory and legal matters
• Other matters (interim reporting, information technology, officers' expense accounts)

Although boards of directors have defined the responsibilities of audit committees, boards
may expand the scope of the audit committees' charter; however, boards should avoid
diluting the committees' charge with information overload. Recognizing that audit
committees operate on a part-time basis and serve in an advisory capacity to boards, it is
essential that boards place limitations on the scope of the committees' charge. Such a scope
limitation enables boards to evaluate the committees' performance as well as protect the
committees against legal claims for their inactions that are outside their charge. An
illustration of the roles and responsibilities of audit committees, as disclosed in the annual
proxy statement of a company, follows.

The duties of the Audit Committee are (a) to recommend to the Board of Directors a firm of
independent accountants to perform the examination of the annual financial statements of
the Company; (b) to review with the independent accountants and with the Controller the
proposed scope of the annual audit, past audit experience, the Company's internal audit
program, recently completed internal audits and other matters bearing upon the scope of
the audit; (c) to review with the independent accountants and with the Controller significant
matters revealed in the course of the audit of the annual financial statements of the
Company; (d) to review on a regular basis whether the Company's Standards of Business
Conduct and Corporate Policies relating thereto have been communicated by the Company to
all key employees of the Company and its subsidiaries throughout the world with a direction
that all such key employees certify that they have read, understand and are not aware of
any violation of the Standards of Business Conduct; (e) to review with the Controller any
suggestions and recommendations of the independent accountants concerning the internal
control standards and accounting procedures of the Company; (f) to meet on a regular basis
with a representative or representatives of the Internal Audit Department of the Company
and to review the Internal Audit Department's Reports of Operations; and (g) to report its
activities and actions to the Board at least once each fiscal year.
The IS auditor is required to include in the scope of the audit the relevant processes for
planning and organising the information systems activity and the processes for monitoring
that activity. The scope of the audit will also include the internal control system(s) for the
use and protection of the information and the Information Systems, as under:
a) Data
b) Application systems
c) Technology
d) Facilities
e) People
Performance of Audit Work:
The IS auditor should review the following :
a) Minutes of the meetings of the Board of Directors for audit information relating to the
consideration of the matters concerning the information systems and their control and the
supporting materials for any such items.
b) Minutes of the meetings of the Audit Committee reporting to the Board of
Directors for audit information relating to the consideration of the matters
concerning the information systems and their control and the supporting materials
for any such items.
The IS auditor is required to consider whether the information obtained from the above
reviews indicates coverage of the appropriate areas. The various issues, documents,
statements and areas, among others, which the IS auditor is required to examine include
the following:
a) IS mission statement and agreed goals and objectives for information systems activities.
b) Assessment of the risks associated with the organisation's use of the information
systems and approach to managing those risks.
c) IS strategy, plans to implement the strategy and monitoring of progress against those
plans.
d) IS budgets and monitoring of variances.
e) High level policies for IS use and protection, and monitoring of compliance with
these policies.
f) Major contract approval and monitoring of suppliers' performance.
g) Monitoring of performance against service level agreements.
h) Acquisition of major systems and decisions on implementation.
i) Impact of external influences on IS, such as the Internet, merger or liquidation of
suppliers, etc.
j) Control self-assessment reports, internal and external audit reports, quality assurance
reports or other reports on IS.
k) Business Continuity Planning, testing thereof and test results.
l) Compliance with legal and regulatory requirements.
m) Appointment, performance monitoring and succession planning for senior IS staff,
including internal IS audit management and business process owners.
Review of Policies and Compliance:
The IS auditor is required to consider whether the policies issued cover all of the
appropriate areas for which board-level direction is necessary in order to provide
reasonable assurance that the business objectives are met. Such board-level direction must
be given only through documented policies, and these documented policies shall, among
others, include the following:
a) Security Policy
b) Human Resources Policy
c) Data Ownership Policy
d) End-user Computing Policy
e) Copyright Policy
f) Data Retention Policy
g) System Acquisition and Implementation Policy
h) Outsourcing Policy
The IS auditor is required to assess whether the policies issued are appropriate to
the information system needs and requirements of the organisation. Further, the IS auditor is
required to assess whether the policies are being adequately enforced, including the
communication of the policies, the existence and awareness of standards, procedures and
methodologies to support the policies, the allocation of responsibility for enforcing the
policies, and the system put in place by the organization to monitor and report on
compliance with the policies.

Responsibilities of the Owner of the Business Process:

The IS auditor is required to review the responsibilities of the business process owners, as
under, and assess whether these are appropriate to support the policies set at the Board of
Directors level.
a) Assessment of whether the business process owners have the skills, experience and
resources necessary to fulfill this role.
b) Review of the information received by the business process owners, to assess
whether it is appropriate to enable them to discharge their responsibilities and to monitor
compliance with the policies.
Information that may be considered appropriate includes the following:
i) Reports of attempted access to the systems supporting business processes and follow-up
action taken.
ii) Reports of changes to user access rights, including new users and those whose access
rights have been removed.
iii) Reports of the results of business continuity tests and follow-up action taken.
iv) Reports on the results of feasibility studies and tendering processes for systems
acquisition.
v) Reports of the results of user acceptance testing of new systems or changes to the
existing systems.
vi) Reports on performance against agreed service levels.
vii) Statistics on availability, number of failures, number of system changes requested
and implemented, etc.
viii) Status of system changes in progress.
ix) Reports of changes to corporate data dictionary entries.
c) Assessment of the system which produces the above information, and of its reliability,
integrity and potential for management override.
d) Where the organisation has internal audit resources, which are an important element of
the corporate governance process, assessment of whether the appropriate level of
involvement of the internal audit resources has been provided.
Consideration of External Factors:
Corporate governance of the information systems involves directing as well as controlling.
The industry in which the organisation operates, trends in the IS industry, and social and
political changes may influence the benefits which the organisation can obtain from the
use of the information systems. The IS auditor is required to verify that the organization
has put in place procedures to monitor the external factors which are relevant to the
organization. The IS auditor is also required to verify whether the material issues current at
the time of the audit, i.e. those which require all computerised organisations to assess their
potential effects well in advance, are under active consideration at the appropriate level.
The organisation has to plan appropriate actions to avoid the potential material adverse
effects of such issues. In case such issues are not being actively considered at the
appropriate level in the organisation, the IS auditor is required to promptly report this
matter to the designated authority or authorities in the organisation.
IS Specialist Staff:
The IS auditor is required to consider the position or functions of the IS specialist staff in
the organisation and assess whether this is appropriate to enable the organisation to make
the best use of IS to achieve its business objectives. The control of the information systems,
even in decentralised and end-user run environments, should include segregation of
conflicting duties. The IS auditor is required to assess whether the management of the IS
specialists and of the non-specialists with IS responsibilities is adequate to address the risks to
the organisation from errors, omissions, irregularities or illegal acts.
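Item (ii) of the information list earlier in this section (reports of changes to user access rights) and the segregation of conflicting duties above can both be produced mechanically from two snapshots of who holds which roles. The following Python script is an added example, not part of this chapter; the snapshots, the role names and the conflicting role pairs are constructed for illustration and are not taken from any real organisation.

```python
"""Access-rights change report plus a segregation-of-duties (SoD) check.

Constructed example: snapshots and the conflict policy are made up for illustration.
"""
from itertools import combinations

# Two constructed snapshots of user -> granted roles (e.g. start and end of a month).
PREVIOUS_SNAPSHOT = {
    "alice": {"developer"},
    "bob": {"payment_initiator"},
    "carol": {"dba"},
    "dave": {"helpdesk"},
}
CURRENT_SNAPSHOT = {
    "alice": {"developer", "production_deployer"},    # gained a conflicting role
    "bob": {"payment_initiator", "payment_approver"},  # can now initiate and approve
    "carol": {"dba"},                                  # unchanged
    "erin": {"helpdesk"},                              # new user; dave has left
}

# Constructed SoD policy: role pairs that one person must not hold at the same time.
SOD_CONFLICTS = {
    frozenset({"developer", "production_deployer"}),
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"dba", "security_admin"}),
}


def access_change_report(previous, current):
    """Return new users, removed users and per-user added/revoked roles."""
    new_users = sorted(current.keys() - previous.keys())
    removed_users = sorted(previous.keys() - current.keys())
    changes = {}
    for user in previous.keys() & current.keys():
        added = current[user] - previous[user]
        revoked = previous[user] - current[user]
        if added or revoked:   # only users whose rights actually changed
            changes[user] = {"added": sorted(added), "revoked": sorted(revoked)}
    return {"new_users": new_users, "removed_users": removed_users, "changes": changes}


def sod_violations(snapshot, conflicts):
    """Return sorted (user, role_a, role_b) for every conflicting pair a user holds."""
    hits = []
    for user, roles in snapshot.items():
        # Check every pair of roles the user holds against the conflict policy.
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset({role_a, role_b}) in conflicts:
                hits.append((user, role_a, role_b))
    return sorted(hits)


if __name__ == "__main__":
    report = access_change_report(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)
    print("New users:", report["new_users"])
    print("Removed users:", report["removed_users"])
    for user, change in sorted(report["changes"].items()):
        print(f"{user}: added {change['added']}, revoked {change['revoked']}")
    for user, role_a, role_b in sod_violations(CURRENT_SNAPSHOT, SOD_CONFLICTS):
        print(f"SoD conflict: {user} holds both {role_a} and {role_b}")
```

The change report is what a business process owner would receive under item (ii); the SoD list is the auditor's check that conflicting duties have not been combined since the previous review.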
Reporting:
The IS auditor is required to address reports on the corporate governance of the
information systems to the Audit Committee, the Board of Directors or any other designated
authority in the organisation. In case of detection or identification of failures in corporate
governance, the same must be urgently reported to the designated authority in the
organisation. The IS audit report on corporate governance of information systems should,
among others, include the following:
a) A statement that the Board of Directors is responsible for the organisation's Information
Systems and for the formulation and implementation of the system of internal controls.
b) A statement that a system of internal controls can only provide reasonable and not
absolute assurance against material misstatement or loss.
c) A description of the key procedures which the Board of Directors has
approved or established to provide effective internal control, and the related supporting
documentation presented to the Board of Directors.
d) Information on any non-compliance with the national or industry codes of practice for
corporate governance.
e) Information on any major uncontrolled risks.
f) Information on any ineffective or inefficient control structures or control measures,
together with the IS auditor's recommendations for improvement.
g) The IS auditor's overall conclusion on the corporate governance of the information
systems, as defined in the scope of the audit.
Follow-up Activities:
The weaknesses, if any, in the system of corporate governance of information and
information systems can cause wide-ranging and high-risk effects in the organisation. The
IS auditor is therefore required, where appropriate, to carry out sufficient and timely
follow-up work to verify that management action is taken promptly to address such
weaknesses.
