

Audit of Governance of Specialized IT Resources

May 2010


Annex 1: Audit Criteria

The criteria for this audit have been adapted from the COBIT 4.1 framework for IT governance. Specifically, they relate to control objectives found in the chapter “ME4 – Provide IT Governance” and the “PO Plan and Organize” chapters. The wording of the criteria has been modified as necessary to respect the scope of the audit.

  1. Roles and responsibilities of the players responsible for the governance of specialized IM and IT activities are well articulated and understood.
  2. The extent and nature of IM and IT activity carried out in the program areas is fully transparent:
    1. Value-delivery objectives are assured by demonstrating that decisions about which resources to use for development projects have been clearly articulated and reported to the CIO.
    2. Resource management objectives are assured by demonstrating that expenditures on IM and IT activities and IT acquisitions were fully documented, are aligned with business objectives, and take advantage where possible of pre-existing infrastructure and code.
    3. Resource management objectives are also assured by demonstrating that processes exist to consistently identify and describe the scope and nature of Crown-owned information assets being created or maintained by the Department.
    4. Resource management objectives are further assured by demonstrating that staffing decisions are made following a well-defined logic model and are subject to oversight by the CIO.
    5. Resource management objectives are further assured by demonstrating that succession planning is undertaken for positions requiring specialized skill sets.
    6. Performance measurement and strategic alignment objectives are assured by demonstrating that processes and standards for governing the IM and IT activity were documented and followed.
    7. Performance measurement and strategic alignment objectives are further assured by having a process to establish priorities for IT expenditures that is transparent and involves all stakeholders.
    8. Risk management objectives are assured by demonstrating that: processes exist and are followed to assess the criticality of the applications/solutions that result from specialized IM and IT activity; business continuity plans are created for systems that deliver critical services; and the results of the assessments and the business continuity planning are reported to the CIO.
    9. Risk management objectives are further assured by demonstrating that processes exist to identify and mitigate risks arising from IM and IT activity, and unmitigated risks are documented and accepted by management and reported to the CIO.
    10. Independent assurance objectives are assured by demonstrating that quality assurance processes exist for specialized IM and IT activities.
