IT AUDIT CHECKLIST SERIES

IT Governance
and Strategy
Practical guidance
for managers on
how to prepare for
successful audits

www.ITCinstitute.com
Research Sponsors

Symantec

Tripwire
 √I T AUDIT CHECKLIS T SERIES
IT Governance and Strategy
About the IT Compliance Institute
The IT Compliance Institute (ITCi) strives to be a Table of Contents
global authority on the role of technology in business
governance and regulatory compliance. Through 2 Executive Overview
comprehensive education, research, and analysis
3 Introduction to IT Governance and Strategy
related to emerging government statutes and affected
business and technology practices, we help organizations 4 What Is IT Governance?
overcome the challenges posed by today’s regulatory
6 What Are the Benefits of Sound IT Governance?
environment and find new ways to turn compliance
efforts into capital opportunities. 7 The Auditor’s Perspective on IT Governance
and Strategy
ITCi’s primary goal is to be a useful and trusted resource
for Information Technology professionals seeking to 7 Why Audit?
help businesses meet privacy, security, financial account-
7 Who Is Responsible for IT Governance?
ability, and other regulatory requirements. Targeted at
CIOs, CTOs, compliance managers, and information 10 Management’s Role in the Audit Process
technology professionals, ITCi focuses on regional- and
vertical-specific information that promotes awareness 11 What Auditors Want to See
and propagates best practices within the IT community. 12 Auditors Like...

For more information, please visit: www.itcinstitute.com 12 Auditors Don’t Like...

12 How Companies Help (or Hinder) Auditors

Comments and suggestions to improve the IT Audit
Checklists are always encouraged. Please send your 13 Who Should Talk to the Auditors?
recommendations to editor@itcinsititute.com.
14 IT Governance and Strategy Audit Checklist

14 Audit Planning
All design elements, front matter, and content are copyright © 2007 IT Compliance
Institute, a division of 1105 Media, Inc., unless otherwise noted. All rights are 14 Audit Testing
reserved for all copyright holders.

No part of this publication may be reproduced, stored in a retrieval system, or 15 Processes

transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, scanning, or otherwise, except as permitted under § 107 or 108 of the
1976 United States Copyright Act, without the prior written permission of the
15 Steps
copyright holder.

Limit of Liability/Disclaimer of Warranty: While the copyright holders, publishers, 16 Controls for IT Governance and Strategy
and authors have used their best efforts in preparing this work, they make no
representations or warranties with respect to the accuracy or completeness of
the contents of this book and specifically disclaim any implied warranties of
19 Audit Reporting
merchantability or fitness for a particular purpose. No warranty may be created
or extended by sales representatives or written sales materials. The advice and 20 Preparing for an Audit
strategies contained herein may not be usable for your situation. You should consult
with a professional where appropriate. Neither the publishers nor authors shall be
liable for any loss of profit or any other commercial damages, including, but not 21 Communicating with Auditors
limited to, special, incidental, consequential, or other damages.

All trademarks cited herein are the property of their respective owners. 22 Appendix—Other Resources

www.ITCinstitute.com 1
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Executive Overview

What Is the IT Audit Checklist Series?

The ITCi IT Audit Checklists are a series of topical This IT Audit Checklist focuses on measurable IT prac-
papers that provide practical guidance for IT, compli- tices that strategically address the growing complexity
ance, and business managers on preparing for successful and risk engendered in IT operations. In addition to
internal audits of various aspects of their operations. In providing general insight into audit goals and processes,
addition to helping managers understand what auditors the paper suggests specific control objectives drawn from
look for and why, the IT Audit Checklists can also help regulatory and best-practices documents.
managers complete proactive self assessments of their
operations, thereby identifying opportunities for system While other papers in ITCi’s Audit Checklist series
and process improvements that can be performed in offer specific guidance on IT functional realms, such as
advance of an audit. information security, this paper explores IT objectives
and practices that allow executives and leaders to form
What Is This Paper About? appropriate governance plans, strategies, purchase deci-
sions, and policies that not only meet compliance goals,
This paper, “IT Audit Checklist: IT Governance and
but enable enterprise risk management and support com-
Strategy,” supports an internal audit of the organization’s
petitive business efforts, as well. Generally, IT governance
IT leadership and high-level planning resources, systems,
controls include, but are not limited to do:
and processes. The paper includes guidance on assess-
ing the completeness, effectiveness, and sustainability • Leadership and operational structures
of existing IT governance and strategy; guidance on
• Measurement and management of IT resources
supporting effective IT leadership; and information on
ensuring continual improvement of governance efforts. • IT architectures and models
The paper is intended to help IT, compliance, business,
• Investment management
and audit managers prepare for an audit of high-level
processes and resources and to provide concrete tools
Audits and reviews of these control areas advance the
managers can use to ensure that the audit experience
goal of IT oversight and promote continuous improve-
and results are as beneficial as possible to both IT leaders
ment and success of technology-enabled business
and the company as a whole.
processes and IT systems and functions. In designing and
meeting corporate objectives, neither auditing nor IT can
Paper Contents afford to be a black box. Both functions must cooperate
According to the IT Governance Institute (ITGI), “IT to recognize their common goals of reducing corporate
governance is the responsibility of the Board of Directors risk, improving IT and business processes, and support-
and Executive Management. It is an integral part of ing ethical, profitable corporate performance.
enterprise governance and consists of the leadership
and organizational structures and processes that ensure Additional resources that complement the content of this
that the organization’s IT sustains and extends the paper are provided in the appendix.
organization’s strategy and objectives.”1
1
Board Briefing on IT Governance (2003). IT Governance Institute. http://www.
isaca.org/Content/ContentGroups/ITGI3/Resources1/Board_Briefing_on_IT_
Governance/26904_Board_Briefing_final.pdf

www.ITCinstitute.com 2
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Introduction to IT
Governance and Strategy

IT has always played an ambiguous role in business SOX in particular has revolutionized IT auditing. In pre-
success. Is it a mechanism or driving force? Does it paring for their initial audits, corporate executives found
define or merely facilitate business processes? Does it they couldn’t certify the integrity of financial information
warrant top-level consideration at all? The answers to without understanding the applications and systems that
these questions have traditionally depended on corporate stored financial data. SOX’s auditing oversight board,
philosophy and how well IT was integrated into business the PCAOB, explicitly recognized this dependency with
goals and strategies. more than 20 references to information technology in its
primary guidance, “Auditing Standard No. 2.”2 Auditors
But if IT’s role in business gain is ill defined, its culpa- questioned. Few companies could adequately answer. By
bility in business loss is well recognized. Information 2003, it was apparent that almost everyone—from CFOs
systems and processes represent to regulators and even financial
the beating heart of corporate auditors—had underestimated
communications, accounting, Corporate executives how much financial management
manufacturing, supply chain relied on IT underpinnings. In
management, and other critical
cannot certify the integrity 2004, it became clear that finan-
business processes. In many com- of financial information cial auditors lacked the technical
panies, management has learned knowledge necessary to perform
the hard way that failure of IT is
without understanding the effective IT audits. In 2005,
tantamount to business failure; applications and systems the Information Systems Audit
thus, IT has earned its own audit Control Association (ISACA)
discipline. In a business climate
that store financial data. reported that the number of
where risk commands almost as people applying to take its
much managerial mindshare as profit and growth did Certified Information Systems Auditor (CISA) exam
just five years ago, internal audits cannot ignore —and, doubled from the previous year.
in fact, must constantly strive to better understand—IT’s
business role and risk factors. But, as companies and auditors continue to learn,
the challenges of IT auditing go beyond technical
Prior to the spectacular collapse of Enron, WorldCom, competency. Misalignment of communications between
Tyco, and other corporations between 2001 and 2003, auditing, business management, and IT management
financial auditing was relatively perfunctory. Before the plagues many companies. Definition of internal systems
2001 terrorist attacks in the US, customer recognition and controls continues to be a substantial capital and
was merely good business practice. And prior to the resource cost. And appropriate scoping of audits accord-
ChoicePoint security breach in 2004, privacy laws were ing to control impact and risk relevance is an issue
relatively scarce. But these and other corporate scandals endemic to both financial and IT audits, but particularly
and catastrophes loosed a deluge of preventive laws, acute for IT management, which often oversees several
including Sarbanes-Oxley (SOX), US-state and to inter- thousand (or more) policies and processes.
national data protection acts, and the USA Patriot Act
2
(USAPA). Collectively, these new rules have changed Auditing Standard No. 2—An Audit of Internal Control over Financial Reporting
Performed in Conjunction with an Audit of Financial Statements (2004). Public
risk management from a by-product of compliance to Company Accounting Oversight Board (PCAOB). http://www.pcaobus.org/Rules/
a core requirement. Rules_of_the_Board/Auditing_Standard_4.pdf

www.ITCinstitute.com 3
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

As companies have recognized their reliance on IT and With this big picture in mind, IT governance and strat-
the need for appropriate IT oversight, the internal audit egy encompasses the core definitions, structures, and
function has increased the frequency and comprehensive- processes that shape all IT efforts and systems. Auditable
ness of its assessments. Regulatory guidance to improve functions of IT governance include:
the risk relevance of audits has also helped to align audit-
management communications. Neither auditing nor IT 1. Definition of what the IT organization is and does,
can afford to operate as a black box. Both must cooper- including values and goals
ate to recognize their common goals of identifying and
reducing risk, improving processes, and supporting 2. IT risk definition and management
ethical, profitable corporate performance.
3. Definition of roles and responsibilities, including
Successful IT governance audits require definition and leadership structures
balance. Auditors must help management understand
compliance scope, but management is responsible for 4. Strategic planning, monitoring, and
defining the risks and risk materiality that ultimately continual improvement
determine audit scope. Management must work with
auditors to identify risk existence, materiality, and poten- 5. Oversight of standards, policies, and procedures
tial remediation. Auditors should also help management
understand how to demonstrate seemingly intangible 6. Oversight of technical foundations, such as IT
concepts such as leadership and responsibility in terms infrastructure, architectures, a semantic baseline or
of concrete policies and processes. And management glossary, and data management,
must help auditors understand controls and assess
their effectiveness. 7. Asset management, including staff, systems, media,
networks, and content
What Is IT Governance?
8. Resource planning
According to the IT Governance Institute (ITGI), “IT
governance is the responsibility of the Board of Directors
9. Investment management
and Executive Management. It is an integral part of
enterprise governance and consists of the leadership
Every IT practice, program, and procedure is guided
and organizational structures and processes that ensure
by these functions. Information security, business
that the organization’s IT sustains and extends the
continuity, records management, and all other strategic
organization’s strategy and objectives.” 3
initiatives live and die by their effectiveness.

Whereas corporate governance encompasses all organiza-

In general, governance principles, whether in IT or
tional assets and processes, IT governance focuses chiefly
business, are somewhat canonical. However, corporate
on the IT organization. IT managers are answerable to
governance guidance issued by international organiza-
the board for risks and audit findings associated with
tions can provide a foundation for IT governance
their organization. However, as an integrated component
of corporate governance, IT management cannot ignore
the bigger picture. It must consider not only IT goals 3
Board Briefing on IT Governance (2003). IT Governance Institute. http://www.
and responsibilities, but technology’s integrated role in pcaobus.org/Standards/Standards_and_Related_Rules/Auditing_Standard_
corporate processes. No.2.aspx

www.ITCinstitute.com 4
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

principles. Over the past five years, governance research objectives, comprising 215 control objectives in four
groups and standards bodies have increasingly updated domains: planning and organization, acquisition and
their guidance with deference to IT. And IT-specific implementation, delivery and support, and monitor-
frameworks and guidance have been developed ing and evaluation. ISACA also publishes correlative
independently and as a complement to existing corporate audit guidelines, management guidelines, and an
governance documents. implementation toolset.

• “The Principles of Corporate Governance,” issued CobiT is perhaps the most widely used IT control
by the Organisation for Economic Co-operation framework, since it spans the gamut of IT; offers map-
and Development (OECD)4 . Although designed pings to other governance standards; and is supported
for public-company oversight, the principles can be by many published materials, education, and a vast
broadly applied to non-public companies and internal user community.
organizations. In December 2006, the OECD also
issued an audit guide, “Methodology for Assessing Adoption of CobiT as a primary best-practices standard
the Implementation of the OECD Principles on is also facilitated by several mapping documents that
Corporate Governance,” an assessment framework can help IT managers align their processes, governance,
with governance principles. and regulatory response. ISACA’s supporting document
IT Control Objectives for Sarbanes-Oxley, 2nd Edition
• The UK Financial Reporting Council’s “Internal contains a general map of CobiT processes to PCAOB
Control: Revised Guidance for Directors on the Auditing Standard No. 2. In May 2006, ISACA issued
Combined Code,” conventionally called the Turnbull CobiT Mapping, Overview of International IT Guidance,
Guidance, offers a more specific approach to main- 2nd Edition, which provides a general comparison of
taining and reviewing a system of internal control. COSO and CobiT frameworks.

• “Enterprise Risk Management—Integrated In January 2007 ISACA also published a map of CobiT
Framework,” commonly called “COSO,” after its pub- and the IT Infrastructure Library (ITIL) from the UK
lisher, the Committee of Sponsoring Organizations Office of Government Commerce. By aligning the two
of the Treadway Commission (COSO) 5 is similar in UK documents, it is possible to map COSO to ITIL at a
outlook and focus to the Turnbull Guidance, but high level, and therewith compile a framework that aligns
includes a more robust and explicit internal control enterprise risk management principles with IT controls
framework. COSO is recognized by the US SEC and and, finally, fairly narrowly defined IT services. Links to
PCAOB as an approved control framework for SOX. each of these documents is included in the appendix of
this paper.
• “Organizational Governance: Guidance for Internal
Auditors,” a position paper from the Institute for
Internal Auditors (IIA), ties corporate governance
4
principles to audit goals and roles. Much of the Citations and links for the resources mentioned in this section are included in
Appendix A
content can be used as a model for IT governance
5
Since the passage of SOX, Turnbull and COSO have emerged as the major pillars of
and auditing.
compliance and risk management. From an IT perspective, COSO is more accessible
than Turnbull, since it is more widely documented and has been approximately
• CobiT, published by the Information Systems mapped to a an IT control framework, Control Objectives for Information and
related Technology (CobiT), published by the Information Systems Audit and Control
Audit and Control Association (ISACA), is Association (ISACA).
widely considered the leading framework for 6
Although COSO is officially endorsed for SOX compliance, CobiT has received no
IT controls.6 CobiT 4.0 covers 34 high-level official endorsement.

www.ITCinstitute.com 5
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

While most companies had IT governance processes and 5. Lower risk of non-compliance with
some controls in place long before they were required by regulatory requirements
SOX and other regulations, the adoption of frameworks
to organize and round out governance and control 6. Lower risk of serious business disruption from events
efforts is a governance best practice. Frameworks such
as CobiT provide a comprehensive overview of control 7. More healthy organizational relationships and
objectives against which to standardize and align IT reputation with directors, business staff, customers,
governance and auditing efforts. and partner organizations

What Are the Benefits of Sound Recognizing the ROI of IT governance is an important
step in meeting governance goals. Many governance con-
IT Governance? trols such as network mapping, master data management,
Sound IT governance addresses the growing complex- and asset inventories, have substantial costs. While good
ity and threat that are the hallmarks of IT operations. IT governance might be touted as its own reward, the
Compared to just a few years ago, business processes ability to tie its concrete costs to equally concrete returns
are more complicated; technology is more powerful, is itself a good IT governance practice.
functional, and ubiquitous; and attacks on corporate
systems, from within and without, are more frequent
and sophisticated.

In general, IT governance ensures that the company’s

technology assets and the information they contain are
known, available, credible, and protected. Since legisla-
tion seeks the same goals, good IT governance must
be aligned with regulatory compliance. Beyond that,
however, the business benefits of sound IT governance
and strategy include:

1. Better alignment between business and IT strategy

2. More informed, practical decisions about

technology investments

3. Greater agility in meeting shifting business demands,

and a stronger foundation for innovation

4. Better measurement and control of costs related

to information systems and their protection

www.ITCinstitute.com 6
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

The Auditor’s Perspective on

IT Governance and Strategy

Why Audit?
Audits are opportunities for companies to improve, based from project to project, depending on auditor’s focus (for
on auditor analysis and advice. To preserve the integrity example, on various business processes, management
and authority of audits, auditors maintain a delicate dis- controls, and technical controls). Ensuring appropriate
tinction between offering advice and making decisions. audit focus is another reason management should com-
municate with auditors, and vice versa, early and often in
For each organization, the scope of auditor responsibility every audit cycle.
should be documented in the company’s internal audit
charter and be approved by the audit committee. Because Internal auditors should help management assess organi-
every organization has different goals and objectives— zational risks. They must evaluate the audit universe and
and certainly different issues and challenges—there is supporting audit plans at least annually and sometimes
no one-size-fits-all audit process, nor one audit approach, more frequently.7 At the micro level, an audit risk assess-
that fits all situations. ment of the various entities being audited is completed to
support the audit project (sometimes also referred to as
Historically, corporate governance has focused primarily the audit “terms of reference”). Planning for each audit
on broad topics of leadership, management, ethics, and requires serious consideration of the organization’s many
reporting. IT governance audits encompass many of the risks and opportunities. Finally, in many companies,
same issues and can include business plans, documenta- continuous auditing (ongoing audit evaluations) is being
tion and measurement of objectives, organizational implemented for key systems and/or key transactions.
reporting structures, contract management, and indus-
trial and regulatory monitoring. It also has a significant Who Is Responsible for
technology component. For example:
IT Governance?
• Does the organization have an information The board of directors, IT executives, business execu-
architecture model? tives, and internal auditors all have significant roles in IT
• Do hardware and software acquisition plans exist? governance assurance and the auditing of IT governance
and strategies. The big question for many companies is
• How is e-content (including intranets, Web sites, how these stakeholders should work together to ensure
blogs, and wikis) managed? that everything that should be done to protect sensitive
• How are investments and development projects information is being done—and that the company’s
evaluated and do they meet business requirements? information assets are protected appropriately.

• How does the IT organization ensure system 1. The board of directors must provide oversight at a
continuity in case of disruptive contingencies? level above IT executives. The directors’ role in IT
governance is to ask executives the right questions
The size and complexity of various organizations’ audit
efforts differ due to variations in operating environ-
7
For more information, refer to Swanson, Dan. “Ask the Auditor: Business Risk
ments, risk priorities and thresholds, and business and vs. Audit Risk.” IT Compliance Institute (May 2, 2006). http://www.itcinstitute.
audit objectives. In addition, the scope of audits can vary com/display.aspx?id=1673

www.ITCinstitute.com 7
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

and encourage the right results. Directors must set 3. IT managers marshal many of the requirements of
an appropriate tone at the top, making executive IT governance, ensuring internal compliance with
management aware of their oversight and ensuring leadership mandates and drafting policies and pro-
they have adequate information to make intelligent cedures that support strategic goals. IT managers are
decisions about IT strategy and direction. To this also the eyes and ears of the IT organization. They
end, many boards establish IT committees, which are responsible for reporting up to executive man-
include representatives from both IT and business agement. And, when controls fail, IT managers are
organizations. The board also has a role in setting the generally responsible for drafting remediation plans
IT governance culture, which includes organizational that meet governance requirements.
values and attitudes.
4. Business executives must have some insight into and
According to ITGI, boards should guide IT manage- influence on IT governance and programs, since
ment to deliver measurable value by: 1) delivering business managers are ultimately accountable for
solutions and services with the appropriate quality, the results of the business processes enabled by IT
on time and on budget, 2) enhancing reputation, systems. Managers should review IT strategy to ensure
product leadership and cost-efficiency, and 3) provid- it is appropriate, despite ever-changing risks and busi-
ing customer trust and competitive time-to-market.8 ness requirements. This is, in fact, a form of auditing
IT governance. And managers who own business-unit
2. IT executives work with the board to define IT information must also help define their IT require-
identity characteristics. These can include the ments based on business objectives, the significance
IT organization’s business plan and/or model, of the information involved, legal requirements, and
expectations and commitments, and vision. Chief the seriousness of risks associated with data integrity
information officers (CIOs) and chief security officers and security. Especially if the IT organization reports
(CSOs) should understand the business organization to the CEO or other business leader, that office is
well enough to bridge the gap between IT and senior responsible for providing resources and organiza-
business managers or the board. tional structure to support IT strategy.

IT executives look both into and outward from their 5. Internal auditors provide strategic, operational, and
organization to assess the impact on IT of industry tactical value to IT leaders. For example, the internal
norms and trends, regulatory changes, contractual auditing function:
obligations, even environmental threats. Internally,
executives ensure that objectives and strategies are • Informs the board and IT executives as to
supported and understood across the organization. whether business and IT staff understand the
Finally, by subjecting IT processes, resources, and importance of governance objectives and strat-
leadership to audit and board review, IT executives egy. Auditors can tell IT leaders whether staff
advance the goal of corporate oversight and promote is adhering to IT policies, whether key informa-
its continuous improvement and success. tion assets and systems are sufficiently secure,
whether business continuity programs are suf-
ficient, whether governance efforts continually
strengthen IT performance, whether resources
8
Board briefing on IT Governance, p 17 (2003). IT Governance Institute. http://www.
isaca.org/Content/ContentGroups/ITGI3/Resources1/Board_Briefing_on_
are sufficient, and whether policies are reason-
IT_Governance/26904_Board_Briefing_final.pdf able. In brief, internal audits assess the state

www.ITCinstitute.com 8
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

of the IT governance environment and recom-

mend improvements. IT GOVERNANCE AND STRATEGY
• Independently validates that the organization’s RESPONSIBLITIES
governance and strategy are proactive and
effective against fraud, information security BOARD OF DIRECTORS
threats, and business disruption. To provide this
• Provide oversight: ask the right questions,
level of assurance, internal auditors may compare
encourage the right results
current organizational practices with industry
• Set IT strategy and direction with executive input
practices and regulatory guidelines.
• Define IT governance culture
In addition, the auditing function should
complement, but never replace, management’s IT EXECUTIVES
responsibility to ensure IT security controls are
• Work with board to define IT business plan/model
operating effectively. To fulfill an audit’s poten-
• Assess impact on IT from internal and external
tial, internal auditors need to: 1) know what
factors, including industry trends, regulations,
they are doing (have the knowledge and skills contracts, etc.
to perform appropriate audits); 2) understand • Ensure objectives and strategies are supported
both technical and the business environments; and understood across the organization
3) know what to ask for from the board, execu- • Subject IT processes, resources, and leadership
tives, and managers; and 4) complete regular to audit and review to promote continuous
and ongoing training to stay on top of new improvement and success
guidance and standards of practice.
IT MANAGERS
Of course, auditing provides only a reasonable
level of assurance. Auditors cannot provide an • Ensure internal compliance with leadership mandates
insurance policy against any fault or deficiency, via policies and procedures

particularly in regard to activities that cannot • Report to executives regarding success/failure of

implementation of strategic goals
be totally controlled, such as collusion and
management override. • Draft and implement remediation plans to meet
governance requirements

BUSINESS EXECUTIVES

• Understand, review, and help define IT strategy to

ensure it supports business requirements
• Provided resources and organizational structure to
support IT strategy

INTERNAL AUDITORS

• Assess the state of IT governance environment and

recommend improvements
• Validate governance and strategy efforts and
compare current practices to industry standards
• Recommend improvements

www.ITCinstitute.com 9
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Management’s Role in the Audit Process

An internal audit engagement typically has three phases:
planning, testing, and reporting. Management has an
important role in each phase:

During planning, management should first focus The audit team leader and senior executives of the
on the audit plan (the auditor’s “road map”) and areas being audited should meet regularly throughout
ensure that managers understand and are in general the audit process—usually weekly and at least once
agreement with the audit purpose, focus, and a month—to discuss audit progress, identified issues,
approach. An open, positive discussion with the and potential actions.
audit team regarding these defining factors helps
management and the audit team communicate An open, transparent dialogue between senior
their expectations up front. Audit planning should members of both management and the audit team
focus on critical or sensitive risks, but all risks should can avert many misunderstandings and resolve
be considered. To this end, active involvement by disputed findings before they find their way into an
management in audit planning is vital to the overall audit report. The audit team should communicate
success of an internal audit. critical findings to management as early as possible,
even outside of the established meeting schedule.
Management should also discuss the evaluation These findings may also be reviewed during regular
criteria auditors will use in assessing IT governance. meetings, but prompt notice is necessary and
Finally, managers and auditors should broadly usually appreciated.
discuss audit testing, although auditors must have
the authority and discretion to select tests they During reporting, management receives and reviews
deem appropriate. the findings of auditors, plans and develops corrective
actions, and implements change.
During testing, management facilitates auditors’
access to relevant people and systems. Management
Although most internal audits begin with this cycle,
confirms the audit results, not re-performing the
auditing is often an ongoing, non-linear process. As
actual tests, but verifying processes and data in
PCAOB Auditing Standard No. 4 9 indicates, the discovery
order to gain confidence in the audit findings.
of a material weakness is just the first step in many com-
Where management has deployed alternative or
munications that auditors and management might have
compensating controls, it should show how the
about a particular control. In addition, many companies
controls are adequate to satisfy control objectives.
are moving towards continuous audits through which
Auditors should assess compensating controls
automated control monitoring and reporting test control
according to whether they address identified
effectiveness on an ongoing basis.
risk. Adhering too rigidly to a control “checklist”
or prefabricated audit framework can introduce
9
unnecessary cost and delay into the audit process Auditing Standard No. 4–Reporting on Whether a Previously Reported Material
Weakness Continues to Exist (February 6, 2006). Public Company Accounting
and ultimately undermine the audit’s goals. Oversight Board (PCAOB). http://pcaobus.com/Standards/Standards_and_Related_
Rules/AS4/2006-04-27_2006-003_AS4_Summary.pdf

www.ITCinstitute.com 10
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

What Auditors Want to See

AUDIT COMMUNICATIONS FLOW
Audits exist to assess how well a business unit or program
Audit team develops audit plan
meets the performance goals of the organization, as
and communicates to management
dictated through policy by the CEO, CFO, board, and
A
investors. Accordingly, the managerial goal in auditing is
A M
PLANNING not simply to “make auditors happy,” but to demonstrate
PHASE how well operations, controls, and results meet the needs
of the business. During audit planning, managers help
Management and audit
teams discuss audit
auditors to design an audit process that truly reflects
A M
goals, scope, purpose, business strategies and goals. Thus, the managerial
and criteria response to auditors throughout the audit process—plan-
ning, testing, and reporting—is for the benefit of the
Auditors perform testing business, not its auditors.
A
Managers validate
M testing processes Auditors exist to provide the board and senior manage-
TESTING ment with an objective, independent assessment of a
PHASE business unit or program (such as information security),
Management and audit including what they see as key opportunities for improve-
A M teams meet regularly to ment. To prepare their opinions and conclusions,
discuss audit progress
and issues auditors need to review and assess evidence of sound IT
governance. If auditors can demonstrate performance,
verify the efficacy of policy and policy adherence, and
Audit team issues draft report show that accountability has been established and is
A working, they should produce a positive audit report.

M Management
remits comments Accordingly, auditors and managers should work to
help each other reach common goals—auditors striving
to earnestly, honestly, and completely assess program
A Audit team issues final report effectiveness, and management working to help auditors
make valid assessments. In that vein, there are some
Management reviews
typical program characteristics and managerial processes
findings and
REPORTING M begins planning that auditors do and don’t like to see. As in all aspects of
PHASE
corrective actions audit and risk management programs, auditor likes and
dislikes vary by company; however, the following list item-
Managers and auditors should work together throughout the audit izes typical indicators of good and bad audits.
process to ensure that auditors pursue appropriate goals and have
proper insight into IT and business processes. Good communication
throughout the audit process helps ensure that audit findings are
relevant and can be used to benefit the company.

www.ITCinstitute.com 11
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Auditors Like... How Companies Help (or

Good governance characteristics, such as an ethical Hinder) Auditors
culture, atmosphere of open dialog, and absence of
fear as a motivator (Not) having requested documentation available
at the prearranged time
Organized, clear, and up-to-date documentation
(Not) meeting deadlines and (not) providing
Regular managerial analysis of operating results needed documentation

Management actions based on facts and actual (Not) communicating at an appropriate

results managerial level

Documentation of the chain of command and roles (Not) having administrative support when it’s needed
and responsibilities, such as up-to-date organization
charts and the related job descriptions (Not) forecasting audit requirements and (not)
responding dispassionately to auditor requests
Timely investigation and clearance of reconciliation
items within key accounts (Not) providing accurate documentation

Supervisory review of critical performance reports (Not) informing relevant staff about the audit
and its goals
Consistent understanding and use of policy and
procedures, from senior management through (Not) having an audit charter for the internal
frontline staff, with no substantial misunderstandings audit function

Good management practices—planning, direction,

monitoring, reporting, etc.

A balance of short- and long-term focus, for both

objectives and results

Staff development, in terms of knowledge, skills,

productivity, and other metrics

An engaged workforce and management team

Auditors Don’t Like ...

Interviewing defensive or uninformed executives

Wading through piles of disorganized documentation

Managers who can’t or won’t comprehend the level

of risk they are incurring

The opposite of the “like” items listed above

www.ITCinstitute.com 12
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Who Should Talk to the Auditors?

An efficient audit process depends on effective com-
munication between auditors, managers, and workers.
Management and auditors should strive to balance
efficiency (having a minimal number of staff dealing
directly with the auditors) with the need for “open
access” to management and staff by the audit team (when
needed).10 Obviously, it is impractical and unproductive
for both teams to put too many staff in front of auditors.
Instead, management should:

Provide knowledge of operations through several

informed “point” people to interact with auditors.
A “short list” of interviewees within the program
area being audited can more quickly answer auditor
queries and provide better continuity of audit support.

Allow ready access to all management and staff, if

required by the audit team to gain a clearer picture of
overall operations

Work with the audit team to draw up a staff

interview schedule as part of the planning effort.
Update the schedule as necessary during the audit
fieldwork phase, if circumstances change.

In many situations, a single point of contact for

each audited program provides the vast majority of
documentation to the audit team. The role of that
individual—and, indeed, for all auditor contacts—is
to ensure that the audit team receives accurate and
adequate information for the task. Auditors still use
their professional judgment to determine if and when
additional sources of information (other staff interviews)
are required. The audit team also conducts a variety of
audit tests, if necessary, to confirm their audit analysis.

10
The audit team is always expected to ensure all their interactions (with all staff) are
professional and result in a minimal disruption.

www.ITCinstitute.com 13
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

IT Governance and
Strategy Audit Checklist

An audit’s goals, scope, and purpose determine appro- Audit Testing

priate audit procedures and questions. An audit of Management has a responsibility to ensure that audit
information security should determine that key risks to testing is productive. The audit team performs tests to
the organization are being controlled, that key controls independently assess the existence and effectiveness of
are operating effectively and consistently, and that the IT governance program. Although the audit team
management and staff have the ability to recognize and ultimately determines the nature of these tests and the
respond to new threats and risks as they arise. extent of testing, such as documentation and sample
sizes, management should engage auditors in discussions
The following checklist generally describes IT gover- about their testing methods and goals.
nance audit steps that management might follow in
preparation for and during an audit. The list does not In tone, management should try to strike a balance,
attempt to itemize every possible information security neither entirely deferring to the audit team nor micro-
objective, but rather to provide general guidance on managing the internal audit efforts. The key is to provide
defensible controls and a logical control hierarchy. productive input on the evaluation methodology before
audit management signs off on it.
Audit Planning
During the audit planning phase the audit team deter- As the testing phase winds up, the audit team prepares
mines the scope of the audit and develops an initial draft summaries of its key findings. IT executive and managers
of the internal audit plan. Other planning steps include: should be prepared to provide feedback and comments
on audit summaries, prior to the more final, formal
Managers of the information security program and audit report.
other appropriate executives meet with the audit
team to review audit program steps and define key Proactive communication, candor from all parties, and
players and necessary resources thorough documentation can prevent many surprises and
conflicts that might otherwise arise during the testing
Management collects program documentation in phase; however, managers might still disagree from time
preparation for audit to time with audit results. Management should strive
to provide solid evidence—not just argument—that
Management supports a preliminary survey of supports its contrasting position. Facts are the most suc-
the information security program (by the internal cessful tool for swaying an adverse opinion before the
audit team) audit report is finalized.

The audit team drafts the internal audit program plan

Since the audit report often forms the basis of future
security focus and investment, management should
Management and board members provide feedback
ensure that every audit point raised—and its related
on the draft plan
recommendation—is relevant and valid. Likewise, every
action plan proposed by managers or auditors should
be achievable, appropriate, cost effective, and able to
produce lasting effect.

www.ITCinstitute.com 14
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Audit Testing Processes Audit Testing Steps

The following processes should be repeated for each The following activities may be repeated in each of the
audit cycle: aforementioned audit processes.

Managers and auditors complete a “kick-off” meeting Auditors evaluate information on information security
processes and procedures
Managers support auditors’ high-level assessment of
the information security program with interviews and Managers assist auditors with walkthroughs of
documentation of: selected processes and control documentation

__ Scope and strategy, including how thoroughly the Auditors evaluate the quality of information
program addresses potential risks and compares generated by the information security program;
with industry best practices the ease, reliability, and timeliness of access to
such information by key decision makers; and the
__ Structure and resources, reflecting managerial operational consistency with which such information
commitment to effective information security is generated
management and the program’s robustness
relative to the potential impact of adverse events Auditors assess information security performance
metrics: existence, usefulness, application, monitoring,
__ Management of policies and related procedural and responses to deviation
documentation
Auditors evaluate whether risk management controls
__ Communication of program policies and are sufficiently preventive, as well as detective
expectations to stakeholders
Auditors define tests to confirm the operational
__ Impact of program efforts on effectiveness of information security activities. Tests
organizational culture might include management and staff interviews,
documentation and report review, data analysis, and
__ Internal enforcement processes and consistency
result sampling for recent initiatives.
__ Ongoing improvement efforts
Managers provide requested data, documentation,
and observations
Managers support more detailed audit analysis of
the information security program
Auditors identify and recommend opportunities for
improvement of information security activities
Auditors evaluate design adequacy

Managers and auditors complete an exit meeting to

Auditors evaluate control effectiveness
discuss audit findings, auditor recommendations, and
managerial response

www.ITCinstitute.com 15
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Controls for IT Governance and Strategy

In general, auditors look at three types of controls: Roles and responsibilities
management, operational, and technical. Within these
categories, auditors may review the controls listed in this __ Roles, responsibilities, and relationships of

section (and potentially others, depending on the audit’s C-level officers (CIO, CTO, CSO, etc.), executives,
purpose and focus). and management are defined, documented,
communicated, and understood
The actual IT governance and strategy controls to be
__ Roles and responsibilities are aligned with the
audited are determined during the audit planning
execution and continuous improvement of short-
phase. Controls are assessed during the audit testing
and long-term plans
phase. Management should determine which controls
are appropriate for each organizational environment, __ An IT organization chart exists and includes
based on the corporate risk profile, and compare the list
management and reporting structures
to the controls in this section, which reflect audit best
practices and government guidance on IT governance __ Accountability for policies and procedures is
and strategy. In the following section, controls reflect documented and acknowledged by management
COSO, Turnbull Guidance, “Enhancing Corporate and staff
Governance in Banking Organisations” from The Bank
for International Settlements (BIS), and other referents External influences
noted in this paper.
__ IT leaders understand and monitor regulatory
definitions and requirements
Management Controls
Management controls to ensure well-run and effective __ IT leaders track industry processes and norms
IT governance:
Planning

IT responsibilities and objectives __ The IT organization maintains short- and long-

term plans. Short-term plans execute the long-
__ A business model exists for the IT organization
term plans

__ Management sets an appropriate “tone at the __ Plans state objectives and performance metrics
top” for IT activities, policies, and processes
__ Plans indicate appropriate budget, timelines, and
__ IT’s organizational commitments and expectations
staff allocations
are documented and communicated
__ Plans are evaluated by stakeholders for
__ The IT organization adheres to corporate values
appropriateness and execution

__ The IT organization enforces a code of conduct __ Strategic plans and changes to long-range plans
are communicated to stakeholders

__ Executive management is involved in critical

decisions regarding information security, records
management, operational management, business
continuity, and other IT regimes

www.ITCinstitute.com 16
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Management Controls (cont.)

IT investment management 11 Resource management

__ IT management identifies business needs for __ An IT budget is maintained. IT leadership is

new projects accountable to corporate management for
budget adherence
__ IT management evaluates new project proposals
against IT and business objectives __ IT sets appropriate budgets for projects

__ IT management tracks assets associated with __ Appropriate staff, systems, and processes are
new projects dedicated to the IT governance effort

__ IT managers monitor project performance Monitoring and reporting

__ IT evaluates proposed new projects with __ Management monitors and measures

deference to the entire project portfolio organizational performance

__ IT performs investment reviews and analysis to __ Management reviews short- and long-terms
assess project performance versus expectations plans compared to performance

__ IT documents project selection criteria __ Reporting policies and mechanisms are well
defined and understood
__ IT documents authority and alignment of
managers responsible for project selection __ Management receives and reviews project
and oversight standards

__ IT performs post-implementation reviews and __ IT executives review key IT controls for financial
evaluates stakeholder feedback reporting, transaction processing, electronic
messaging, data and database management,
__ IT management annually reviews project portfolios information protection, and e-content
and identifies opportunities for improvement management

__ IT plans and documents system and __ Contingency and failure reporting policies exist,
technology succession escalation processes are documented, and policies
and processes are communicated and understood
__ IT benchmarks the investment process
__ Performance metrics are established and regularly
__ IT uses investment benchmarking to reduce risk
measured against objectives
associated with strategic business change
__ Staff performance appraisals are
completed regularly
11
Information Technology Investment Management: A Framework for Assessing and
Improving Process Maturity; US Government Accountability Office, Exposure Draft
(GAO/AIMD-10.1.23)(May 2000). http://www.gao.gov/special.pubs/10_1_23.pdf

www.ITCinstitute.com 17
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Management Controls (cont.)

Continuous improvement The IT infrastructure is mapped and inventoried;

infrastructure management documents are regularly
__ Plans and timelines exist to remediate identified updated and reviewed
IT governance control weaknesses
Data management and data stewardship policies and
__ Plans exist to standardize systems, policies, and procedures are documented and enforced
processes across operations
Management sets project scope and requirements
__ Management directs plan improvement based prior to project start
on monitoring results

__ Management attempts to streamline redundant, Technical controls

incompatible, and overly complex processes
Technical controls to ensure that IT governance is effec-
__ Management ensures existence and adequacy tive and efficient:

of training programs
An enterprise architecture model exists and
is enforced
Operational controls
Management ensures that appropriate technical
Operational controls to ensure the effective perfor-
controls exist and are effective for major compliance
mance of the IT governance program:
practice areas, including data protection, content
management and e-discovery, and electronic
Controls exist to meet compliance requirements12
messaging (e-mail, instant messaging, blogs, etc.)
__ Management sets levels and assurance metrics for
Management sets and enforces strategic data-
information security
management best practices, including policies for
__ Management is rapidly notified of security breaches data dictionaries, master data management, and
data integrity and quality controls
Management tracks contractual definitions and
IT automates controls in order to reduce resource
requirements
requirements and ensure consistency and quality
IT maintains an inventory of technology assets, of results
including functions and relation to business processes.
Assets include hardware, software, storage media,
networks, and electronic content.

The IT organization has a standardized semantic

baseline (glossary) for the development of policies
and procedures

12
For a control-by-control comparison of regulatory indications for IT leadership,
see the ITCi Unified Compliance Project, Leadership and High Level Objectives
IT Impact Matrix. http://www.itcinstitute.com/ucp/lhlo

www.ITCinstitute.com 18
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Audit reporting
During the reporting phase, management and the board
of directors receive formal feedback from the audit team. Auditors debrief management, formally discussing
This knowledge transfer should be an open and transpar- significant audit findings and conclusions before they
ent process. issue the final audit report

Managers receive a written draft report from auditors

Almost every audit identifies opportunities for improve-
ment. The primary goal of management and auditors
__ The report communicates audit results clearly
should be to address critical issues first, followed by
and precisely
important issues. Both management and auditors should
work to ensure that, whatever action plans they set, the __ Results are presented in an unbiased tone,
goals are achievable and beneficial to the organization. noting where management has taken actions
to correct deficiencies and acknowledging
During the reporting phase, management must deter- good performance
mine which corrective actions it will implement and when,
based on audit findings. Mangers will provide oversight Management and auditors discuss the draft report
and support to ensure the timely resolution of found
issues. Although the audit team may make recommenda- Management provides feedback on the draft report
tions based on its assessments of risks and consequences,
Auditors review managerial comments and
it cannot make or dictate managerial decisions.
action plan(s)

The following are typical steps an audit team takes to

Auditors finalize and distribute the final audit report
confirm and release the audit results.13
Auditors close out the internal audit project and
plan any necessary follow-up efforts regarding
management’s action plans

Auditors might also choose to disclose some audit find-

ings that management might be able to use to improve
governance efficiency and effectiveness, but that do not
13
warrant inclusion in the formal report. This type of com-
In organizations with established internal audit functions, there may be standard
operating procedures (SOP) for audit reporting (and other audit activities). If so,
munication should be documented, if only as a note in
these audit SOPs should be reviewed by management. audit findings that the topic has been discussed.

www.ITCinstitute.com 19
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Preparing for an Audit

A well-managed IT governance program includes robust In selecting documentation, management should not
plans, procedures, goals, objectives, trained staff, perfor- overload the audit team with information, but provide
mance reporting, and ongoing improvement efforts. The genuine insight into how IT governance works and how
internal audit team looks for evidence that the business well it performs.
unit and governance program is well organized and well
managed. The security program must also specifically Other steps management should take prior to the audit:
and traceably mitigate risks related to key business objec-
tives. Managerial preparation should mainly be routine, Learn early and contribute often to the internal audit
day-to-day practices. goals, objectives, purpose, approach, and procedures
(audit tests). In particular, setting an appropriate
Management’s ultimate goal in the audit process is not purpose and the audit approach are the two most
to make auditors happy, but rather to demonstrate that important elements of every successful audit.
IT governance meets the demands of the CEO, board of
directors, regulators, and investors. Likewise, auditors’ Discuss with audit management the evaluation criteria
requests should align with these overarching needs; that and standards and how the audit will actually be
is, to support responsible program performance within a conducted, in order to ensure that you’ll receive a
sound, ethical business environment. quality audit. Ask whether they audit in accordance
with international standards for the professional
While the audit is in the planning phase, management practice of internal auditing.
should proactively work with the audit team to “educate”
Learn who is on the audit team and their
the auditors. As a rule, managers should provide con-
qualifications, talents, and motivations. The audit
structive input on the evaluation methodology before
team exists to help make your operations more
audit management approves it. Expectations are a
efficient and effective, but they are also individuals
two-way street: management must help auditors ensure
with strengths and weaknesses common to many
that audit expectations are aligned and that participants
employees. It pays to know the experience of your
understand each other.
auditors, whether they’re rookies or veterans (and
perhaps to push for the latter). Showing an interest
Prior to the audit, managers should collect the informa-
in their work can also influence and increase the
tion and documentation necessary to demonstrate how
benefits from the audit—within reason. At the end
well they manage their operations in concert with the
of the day, auditors still need to be independent
overall organizational business objectives. They should
and objective.
be prepared to provide auditors with evidence of well-
managed security efforts and results. This might include
documentation of security plans, supporting budgets, Throughout its discussion with the audit team prior to the
policy and procedure manuals, assignments of respon- audit, management should try to strike a balance between
sibilities (such as up-to-date job descriptions), results influence and deference. Managers should neither yield
reporting and other trending information, and finally, any entirely to the audit team nor micromanage its efforts.
other relevant guidance (to management and staff) that
demonstrates a “well-run” and well-performing program.

www.ITCinstitute.com 20
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Communicating
with Auditors

Like any interaction between people, but particularly in

the work environment, a professional and trusting rela-
tionship is a strong precursor to successful collaboration.

When managers interact with the auditors in a profes-

sional manner, they tell the audit team that its function is
respected and supported. Likewise, lackadaisical efforts
by managers and staff reflect poorly on the business
unit or process, its capabilities, and its performance.
Managers should also expect professional interaction
from the audit team and push back whenever they see an
exception to this practice.

To contribute to a successful and accurate audit report,

managers should be receptive to auditor observations
and the audit team’s recommendations. Managers should
also be firm when discussing anything they see as incor-
rect, in order to ensure there are no misunderstandings.

Finally, always remember: managers, not auditors, are

responsible for defining and implementing solutions to
issues found in the audit. Thus, it is in everyone’s best
interest to have a cooperative, collaborative audit process
that respects the independence and discretion of all par-
ticipants. Auditors should listen to management. And for
its part, management should encourage staff to be open
and honest with auditors.

www.ITCinstitute.com 21
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

APPENDIX:
IT Governance, Strategy, and
Audit Resources
1. Institute of Internal Auditors (IIA) Performance 7. CobiT Mapping: Overview of International IT
Standard 2130 for the Professional Practice of Guidance, 2nd Edition (2006). ISACA. http://www.
Internal Auditing, http://www.theiia.org/index. isaca.org/AMTemplate.cfm?Section=Deliverables&
cfm?doc_id=124 Template=/ContentManagement/ContentDisplay.
cfm&ContentID=24759 (PDF)
2. “The Role of Auditing in Public Sector Governance”
(2006). Institute of Internal Auditors (IIA). http:// 8. CobiT Mapping: Mapping of ITIL With COBIT 4.0
www.theiia.org/download.cfm?file=3512 (PDF) (2007). ISACA. http://www.isaca.org/Template.
cfm?Section=COBIT_Mapping1&Template=/
3. Internal Control: Revised Guidance for Directors on MembersOnly.cfm&ContentFileID=12791 (PDF)
the Combined Code (“Turnbull Guidance”) (2006).
Financial Reporting Council. http://www.frc.org. 9. Global Technology Audit Guide (GTAG): Continuous
uk/documents/pagemanager/frc/Revised%20Turnb Auditing: Implications for Assurance, Monitoring,
ull%20Guidance%20October%202005.pdf (PDF) and Risk Assessment (2005). Information Systems
Security Association (ISSA). http://www.issa.org/
4. COSO Enterprise Risk Management - publications/GTAG3Brochure11.pdf (PDF)
Integrated Framework, COSO (authored by
PricewaterhouseCoopers). http://www.coso.org/ 10. Information Security Management and Assurance:
A Call to Action for Corporate Governance (2001).
5. CobiT 4.0 (2005). ISACA. http://www.isaca. Institute of Internal Auditors (IIA). http://www.
org/AMTemplate.cfm?Section=Overview&Tem theiia.org/index.cfm?doc_id=3061 (PDF)
plate=/ContentManagement/ContentDisplay.
cfm&ContentID=22940 (PDF)

6. IT Control Objectives for Sarbanes-Oxley, 2nd

Edition (2006). ISACA. http://www.isaca.org/
Content/ContentGroups/Research1/Deliverables/
IT_Control_Objectives_for_Sarbanes-Oxley_2nd_
research.pdf (PDF)

www.ITCinstitute.com 22
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

Research Sponsors

Symantec Tripwire
Define, Control, and Govern is Symantec’s approach to Tripwire is the leading provider of configuration audit and
IT policy governance. Our approach reduces the cost and control solutions to over 5,500 enterprises worldwide, enabling
complexity of achieving and sustaining compliance with IT IT to control risk and increase operational efficiency. Tripwire’s
governance frameworks, best practices, and corporate and advanced configuration control solutions detect and analyze
regulatory mandates. Only Symantec can help you simplify all change activity across the IT infrastructure to identify
compliance management and ensure ongoing enforcement of and resolve unauthorized changes, policy discrepancies,
IT policies across your organization through a single view of configuration drift, and security violations. Leading global
multiple standards, comprehensive IT controls coverage, and enterprises rely on Tripwire to strengthen their compliance,
real-time intelligence. security and governance, to reduce unplanned work, increase
availability, and accelerate success with CMDB initiatives.
For more information please visit
www.symantec.com/compliance For more information please visit
www.tripwire.com

www.ITCinstitute.com 23
 I T AU D I T C H E C K L I S T : I T G O V E R N A N C E A N D S T R AT E G Y

ABOUT THE AUTHORS

Dan Swanson, CMA, CIA, CISA, CISSP, CAP Cass Brewer
Dan Swanson is a 24-year internal audit veteran who was Cass Brewer is the editorial and research director for the
most recently director of professional practices at the IT Compliance Institute (ITCi, www.itcinstitute.com),
Institute of Internal Auditors. Prior to his work with the an independent research and media firm committed to
IIA, Swanson was an independent management consul- advancing IT’s leadership role in corporate compliance,
tant for over 10 years. Swanson has completed internal risk management, and governance. Brewer directs ITCi’s
audit projects for more than 30 different organizations, editorial, analytical, and educational initiatives and is the
spending almost 10 years in government auditing at the chief contact for the institute’s member community of
federal, provincial, and municipal levels, and the rest more than 8,000 business managers, regulators, auditors,
in the private sector, mainly in the financial services, consultants, and solution providers from countries and
transportation, and health sectors. The author of more companies around the world. Over the past 13 years,
than 75 articles on internal auditing and other manage- Brewer has issued more than 100 articles, presentations,
ment topics, Swanson is currently a freelance writer and and white papers on IT and data management topics,
independent management consultant. Swanson recently and has provided strategic advice and editorial direction
led the writing of the OCEG internal audit guide for use for hundreds of additional publications and events.
in audits of compliance and ethics programs (http:// Since 2002 she has focused exclusively on IT compliance
www.oceg.org) and participated in the COSO small issues, leading ITCi’s research and analytical efforts
business task force efforts to provide guidance for and presenting at live events, including the “Sustainable
smaller public companies regarding internal control over Sarbanes-Oxley Compliance” Webinar for AIIM in
financial reporting (http://www.coso.org). Swanson is a 2005 and the “Measuring and Monitoring Risks and
regular columnist for ComplianceWeek and also writes Responsibilities” session for the National Compliance
the ITCi “Auditor Answers” column. Conference in Warsaw, November 2006.

If you have ideas for improving ITCi’s IT Audit Checklists, please write editor@itcinstitute.com.

Legal Disclaimer
When assessing any legal matter, do not rely solely on materials published by third parties, including the content in this paper, without additionally seeking legal
counsel familiar with your situation and requirements. The information contained in this IT Audit Checklist is provided for informational and educational purposes and
does not constitute legal or other professional advice. Furthermore, any applicability of any legal principles discussed in this paper will depend on factors specific to
your company, situation, and location. Consult your corporate legal staff or other appropriate professionals for specific questions or concerns related to your corporate
governance and compliance obligations.

ITCi makes every effort to ensure the correctness of the information we provide, to continually update our publications, and to emend errors and outdated facts as
they come to our attention. We cannot, however, guarantee the accuracy of the content in this paper, since laws change rapidly and applicability varies by reader.

The information in this publication is provided on an “as is” basis without warranties of any kind, either expressed or implied. The IT Compliance Institute disclaims
any and all liability that could arise directly or indirectly from the reference, use, or application of information contained in this publication. ITCi specifically disclaims
any liability, whether based in contract, tort, strict liability, or otherwise, for any direct, indirect, incidental, consequential, punitive or special damages arising out of
or in any way connected with access to or use of the information in this paper.

ITCi does not undertake continuous reviews of the Web sites and other resources referenced in this paper. We are not responsible for the content published by other
organizations. Such references are for your convenience only.

www.ITCinstitute.com 24
 IT Compliance Conference
WASHINGTON, DC, MAY 2– 4, 2007

www.ITCinstitute.com/dc07

ITCi invites you to be a part of the IT Compliance Conference

(ITCC), the only education and networking event dedicated
to helping professionals like you solve the complex challenges
of information systems management for corporate governance,
risk control, and compliance.

You’ll Learn Hot Topics Who Should Attend

• Practical ways to reduce compliance • Leadership strategies for stronger • CIOs/CTOs
costs in existing programs IT decisions
• Chief compliance officers
• How to build consensus among • End-to-end identity and access
change-resistant stakeholders management • Chief security officers

• Data management principles for • The impact of SEC and PCAOB • IT directors and managers
efficient enterprise compliance guidance on SOX compliance
• Compliance managers
• How to benefit from difficult • Case studies on enterprise content
• CFOs/financial officers
conversations with IT auditors management and securing mobile
devices

Strategize. Simplify. Connect.