
Monday, February 16, 2009

IT Policies

Policies are high-level documents which represent the corporate philosophy of an organization. For policies to be effective, they must be clear and concise.

Management should review all policies periodically. Policies need to be updated to reflect new technology and significant changes in business processes. The policies formulated must enable the achievement of business objectives and the implementation of controls.

IS auditors should reach an understanding of policies as part of the audit process and should test these for compliance. Controls should flow from the policies, and IS auditors should use policies as a benchmark for evaluating compliance. If policies hinder the achievement of business objectives, these must be reported for improvement.


Tuesday, December 05, 2006

Auditing the Management of IT

As in any other field, management is the most important aspect. Plan, control, direct and act are the most common management terms.

In auditing the management of IT, the following aspects should be reviewed:
  • Information Systems Strategy - review of the IT short term and long term plan, IT steering committee
  • Policies And Procedures - review of the IT standards, security policy, operation manual
  • Information System (IS) Management Practices - IT budget, personnel management, project management, change management
  • IS Organisational Structure And Responsibilities - review of the IT organisation chart, job descriptions

The level of control effectiveness should be assessed to determine whether there is any exposure. For example, if the IT Security Policy was last updated 5 years ago, then the controls in place might not be highly effective, as technology keeps on changing. The controls should also be revised and updated accordingly.
