Auditing IT Governance

Today, if an entity wants to maintain a reliable reputation across its whole governance habitat and to measure how far it has achieved its strategic objectives, its top management is obliged to know the efficiency, security and effectiveness of the implementation and practices of the IT Governance Framework designed for the entity. For this reason, they need independent audit activities to give assurance on the entity's ongoing business performance and to support the entity's monitoring and measuring mechanisms.

When we analyze the effects of IT Governance practices at the business level of an entity, we see that they can have significant negative impacts on the entity, both financially and reputationally. A poor level of IT Governance in a company has a multiplier effect, not only on IT asset activities but also across the whole governance habitat of the entity.

Some examples of the negative impacts of IT Governance activities on entities are:

• Poor level of information security governance,
• Unsatisfied customers and other stakeholders,
• Insufficient results in core business processes that are delivered by IT services,
• High level of financial losses due to business disruption,
• Higher costs to run business operations,
• Penalties because of poor compliance activities.

We need the audit activity to assess whether the entity's IT governance supports its strategies and objectives, and to recommend corrections and revisions to the IT-related practices in the entity.

Taking into consideration the IIA's advice (Implementation Standard No. 2110 A2), our opinion is that audit activities intended to assure entities of the efficiency and reliability of their IT governance should focus on the points below:

• Organizational characteristics and clear IT ownership and accountability norms and practices,
• Tone at the top, ethics and values, and the level of corporate culture within the organization,
• Entity-wide adaptation level of IT assets and HR,
• Compliance level with the related regulations,
• The efficiency level of IT asset management,
• Making strategic and operational decisions,
• Risk appetite alignment and overseeing risk management and control,
• The innovation value that IT can offer,
• Information security and effective communication level,
• Whether the IT performance is monitored and measured effectively.

Auditors will do more than just identify problems when they analyze these subjects. They need to present the root causes of the weaknesses identified in IT Governance practices.

Audit activity has an essential function in an entity's IT Governance Framework: it gives top management a high level of assurance on the safeguarding of IT and related assets, the efficiency and effectiveness of operational performance, a high level of compliance with all norms and regulations, and reliable and on-time reports on financial and non-financial information.


Bülent Hasanefendioğlu
Head of Consultancy