Audit of Governance of Specialized IT Resources

May 2010


Annex 1: Audit Criteria

The criteria for this audit have been adapted from the COBIT 4.1 framework for IT governance. Specifically, they relate to control objectives found in the process “ME4 – Provide IT Governance” and in the processes of the “PO – Plan and Organize” domain. The wording of the criteria has been modified as necessary to respect the scope of the audit.

  1. Roles and responsibilities of the players responsible for the governance of specialized IM and IT activities are well articulated and understood.
  2. The extent and nature of IM and IT activity carried out in the program areas is fully transparent:
    1. Value-delivery objectives are assured by demonstrating that decisions about which resources to use for development projects have been clearly articulated and reported to the CIO.
    2. Resource management objectives are assured by demonstrating that expenditures on IM and IT activities and IT acquisitions are fully documented, are aligned with business objectives, and take advantage where possible of pre-existing infrastructure and code.
    3. Resource management objectives are also assured by demonstrating that processes exist to consistently identify and describe the scope and nature of Crown-owned information assets being created or maintained by the Department.
    4. Resource management objectives are further assured by demonstrating that staffing decisions are made following a well-defined logic model and are subject to oversight by the CIO.
    5. Resource management objectives are further assured by demonstrating that succession planning is undertaken for positions requiring specialized skill sets.
    6. Performance measurement and strategic alignment objectives are assured by demonstrating that processes and standards for governing the IM and IT activity were documented and followed.
    7. Performance measurement and strategic alignment objectives are further assured by having a process to establish priorities for IT expenditures that is transparent and involves all stakeholders.
    8. Risk management objectives are assured by demonstrating that: processes exist and are followed to assess the criticality of the applications/solutions that result from specialized IM and IT activity; business continuity plans are created for systems that deliver critical services; and the results of the assessments and the business continuity planning are reported to the CIO.
    9. Risk management objectives are further assured by demonstrating that processes exist to identify and mitigate risks arising from IM and IT activity, and unmitigated risks are documented and accepted by management and reported to the CIO.
    10. Independent assurance objectives are assured by demonstrating that quality assurance processes exist for specialized IM and IT activities.
