When planning to review or manage a computer system, there are some rule-of-thumb objectives worth bearing in mind. For financial auditors, the control objectives are set out in the IAS (International Auditing Standards). For IT governance reviewers, a better guide is COBIT (Control Objectives for IT) from ISACA (Information Systems Audit and Control Association). Security audit objectives are covered in COBIT but are enhanced by the guidance set out for the CISSP (Certified Information Systems Security Professional). For reviewing the management of IT services, the generic standards are best enhanced with the guidance set out in ITIL (the IT Infrastructure Library).
Governance is really the key. Senior Management should have identified all the critical infrastructure they need in order to deliver the services they are responsible for, and then planned contingencies to cover events that could reasonably be expected to cause a breach in the delivery or integrity of those services. The result should be documented, and compliance should be enforced and tested.
Governance should cover consideration of the following:
Senior Management should be able to demonstrate an alarm and alert system that brings a breach of any of the control objectives to their attention, together with guidance on the contingency plans for dealing with the threat.
There ought to be a catalogue of threats to services which includes an assessment of likelihood, impact and recovery for each.
Recovery plans are useless unless tested, so there ought to be evidence of testing recovery from simulated threat outcomes and of probing vulnerabilities through penetration testing.
Effective governance requires that the whole board agrees on the key services of the organisation, the prioritisation of those services, the assessment of threats, the responsibility for carrying out contingency plans, and the testing of organisational resilience.
Much of the testing and some of the control objectives rely on the existence and integrity of transaction-level information for a long time. I would suggest that 7 years is not unreasonable. Such evidence is clearly of little use if its integrity and completeness cannot be demonstrated, so a review of the effectiveness of these aspects of control is a prerequisite for a reviewer.
The reviewer can begin by checking that all the objectives, documentation, testing, alerts and alarms set out above are in place, and by considering the independence and qualifications of those who documented the testing. After that, the reviewer should probe weaknesses and help Senior Management identify key areas for improvement.