
Informatica Economică vol. 14, no. 1/2010, p. 93

Auditing IT Governance

Florin-Mihai ILIESCU
Info-Logica Silverline S.R.L.
[email protected]

Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. Organizations that realize that IT is no longer a support process, and that it embeds both value and risks, need a structured approach for better managing Information Technology, for enabling its capability to deliver added value enterprise-wide, and for setting up a risk management program to address the new risks arising from the use of IT in business processes. In order to assess whether IT Governance is in line with industry practices, IT Auditors need a good understanding of the processes and applicable standards, specific audit work programs, and experience in assessing potential problem indicators.
Keywords: IT Governance, Audit, ISACA, CGEIT, Val IT, Value Governance, Portfolio Management, Investment Management

1 Introduction
Auditing IT Governance needs more business knowledge than regular Information Systems (IS) audits, because the IS auditor has to evaluate how IT is enabling the business strategy. IT is no longer seen as a support process, and because a single project is not enough by itself to deliver a business outcome, multiple projects should be managed together as programs. The paper makes a brief presentation of IT Governance practices, the Val IT Framework and the IS Audit Process in order to explain the approach and the purpose of the Audit Work Program.
The Audit Work Program helps the IS Auditor to conduct his engagements, but each organization and project has its own characteristics, and the work program should be tuned accordingly.
For organizations that don't use global standards and frameworks such as CobiT or Val IT within the IT function, most of the topics of the audit work programs might not be applicable. In such cases I recommend using the Planning and Organization domain practices from CobiT (http://www.isaca.org/cobit), available for free download, to benchmark the organization against first, and then drawing general recommendations for implementing IT Governance.
The organization's culture plays a great role in succeeding in managing value from IT-enabled investments. Val IT proposes 22 additional governance processes that need to be carried out by executives, requiring good understanding and specific relationships and organizational structures.

2 IT Governance
IT Governance is a concept that started to be developed in 1998, when ITGI was founded, and is a set of relationships and processes designed to ensure that the organization's IT sustains and extends the organization's strategies and objectives, delivering benefits and maintaining risks at an acceptable level.
Some of the IT Governance practices concern IT Management, but the term governance is used because, like other governance subjects, it is the responsibility of the board and executives; it is not an isolated discipline or activity, and it should be addressed organization-wide, being integral to enterprise governance. The business units have a responsibility to work in partnership with IT to ensure that their business requirements are met. The purpose of IT governance is to direct IT endeavors, to ensure that IT's performance meets the following objectives [1]:
- Alignment of IT with the enterprise and realization of the promised benefits;
- Use of IT to enable the enterprise by exploiting opportunities and maximizing benefits;
- Responsible use of IT resources;
- Appropriate management of IT-related risks.
IT governance should start with setting initial objectives in terms of delivering the desired benefits in line with the global strategy, effective and efficient use of resources, and maintaining risk at an acceptable level. The outcome of this process of setting the objectives for IT Governance should be formalized in an IT strategy document. The board should then set up the initial direction that
can be further developed in IT tactical plans in order to set up the IT activities in line with the IT strategy, to deliver what the organization is expecting from IT.
Because of its complexity and because it requires more technical insight than other disciplines, IT is neglected by most boards in their strategic and risk management initiatives. But ineffective IT governance is likely to be a root cause of the negative experiences many boards have had with IT [1]:
- Business losses, damaged reputations or weakened competitive positions;
- Deadlines not met, costs higher than expected and quality lower than anticipated;
- Enterprise efficiency and core processes negatively impacted by poor quality of IT deliverables;
- Failures of IT initiatives to bring innovation or deliver the promised benefits.
Fundamentally, IT governance is concerned with two things: IT's delivery of value to the business and the mitigation of IT risks. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need to be supported by adequate resources and measured to ensure that the results are obtained. [1]

3 Domains
The main area of interest of IT Governance is IT and enterprise alignment. In Romania, most organizations have not developed a strategic approach for IT investments. IT has struggled to support growing businesses with minimum investment. However, this is mostly true for the private sector. In the public sector many IT acquisitions have not delivered any outcomes, or the capabilities delivered were far from expected.
IT Strategic Alignment has to answer whether an enterprise's investment in IT is in line with its strategic objectives and is thus building the capabilities necessary to deliver business value.
The IT strategy articulates the enterprise's intention to use IT, based on business requirements. Linkage to the business aims is essential for IT to deliver recognizable value to the enterprise. When formulating the IT strategy, the enterprise must consider:
- Business objectives and the competitive environment;
- Current and future technologies;
- Costs;
- Risks;
- IT capabilities;
- Cost of current IT;
- Past failures and successes.
Once these issues are clearly understood, the IT strategy can be translated into:
- Business functions: functional requirements that need to be delivered by applications and IT services;
- Application architecture: the logical structure of applications and data needed to deliver the required functions.
Value Delivery, another governance area, addresses the issue of how to optimize costs while delivering the expected benefits. In business terms, this is often translated into: competitive advantage, elapsed time for order/service fulfillment, customer satisfaction, customer wait time, employee productivity and profitability [1]. Value is perceived differently at different levels of the company, and is harder to perceive at the financial level, where it can be measured more precisely; therefore it is important to have adequate metrics for each level where IT is a business enabler. To be successful, enterprises need to be aware that different strategic contexts require different indicators of value. This means that it is important to establish the value measures in concert between the business and IT.
Risk Management should address all the risks related to using information technology in business processes. Because IT is critical and has an active role in creating added value, risk should be managed by the board by:
- Defining the accepted level of risk;
- Communicating the risk management policies;
- Defining the responsibilities for risk management;
- Insisting on embedding risk in operations.
Depending on the type of risk and its significance to the business, management and the board may choose to:
- Mitigate - Implement controls (e.g., acquire and deploy security technology to protect the IT infrastructure);
- Transfer - Share risk with partners or transfer it to insurance coverage;
- Accept - Formally acknowledge that the risk exists and monitor it;
- Avoid - Decide not to undertake the initiatives inducing a specific risk (e.g., not opening a branch in a war zone).
If none of these options is considered for a certain risk, the risk is ignored. A successful risk management program should ensure that all risks
are identified and addressed.
Resource Management should ensure the optimal investment, use and allocation of IT resources (people, applications, technology, facilities, data) in servicing the needs of the enterprise. [1] This includes good sourcing practices: what should be performed in-house and what is more efficient to outsource. Outsourcing ensures effectiveness most of the time, giving access to a wide range of providers, services and skills, but it is not always efficient; cost and dependency on a certain provider, as well as the risks of vendor failure, confidentiality and protection of intellectual property, should be addressed.
Performance Measurement concerns tracking project delivery and monitoring IT services. The biggest challenge in measuring the performance of IT is the intangible nature of the benefits delivered. Traditional measurement techniques offer only a financial perspective, which has only limited relevance for IT performance. A system downtime, for most businesses except online services, will not be translated at all into financial statements.
The balanced scorecard is a complex tool that can be used to translate strategy into action to achieve goals, with a performance measurement system that goes beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.
Another measuring technique, widely used for measuring the performance of IT and supporting investments in technology, is Applied Information Economics (AIE). AIE is the practical application of scientific and mathematical methods to the IT and business decision process; it is a synthesis of techniques from a variety of scientific and mathematical fields. The tools of economics, financial theory, and statistics are all major contributors to AIE. But in addition to these more familiar fields, AIE includes Decision Theory - the formulation of decisions into a mathematical framework - and Information Theory - the mathematical modeling of transmitting and receiving information. It is important to emphasize, however, that even though AIE is a theoretically well-founded set of techniques, it is a very practical approach. Every proper application of AIE keeps the bottom line squarely in mind. All output from the AIE project is in support of specific practical business objectives. [2]

4 Global best practices
IT Governance practices consist of policies, procedures and processes recommended for achieving optimal results. Because they have been widely used and have proven good results, they are usually referred to as global best practices, or generally accepted practices. The term "global best practice" is sometimes avoided also because it was a trademark of Andersen.
The board should be aware of global best practices in order to set up a successful IT Governance program. Such practices have to be identified for each IT Governance area of interest:
- IT Strategic Alignment: formalized business objectives, an up-to-date IT strategy, linkage between business objectives and IT initiatives;
- Value Delivery: IT tactical plans, clear benefits for each level of the organization: infrastructure (systems uptime), applications (degree of automation), operational (productivity), financial (income);
- Risk Management: defined responsibilities for risk management, a risk analysis methodology, defined strategies for addressing risks, continuous monitoring of threats, occurrence and impact;
- Resource Management: sourcing strategies, human management practices, user manuals, segregation of duties, time reporting, infrastructure life cycle management, acceptable usage policies;
- Performance Measurement: relevant and measurable metrics, continuous monitoring and reporting, follow-up policies, root cause analysis and problem management, benchmarking against industry practices and proven standards or frameworks.
To address this increasing demand for a practical IT investment and management framework, ITGI, working with other thought leaders in the global business and IT community, has undertaken the Val IT initiative.

5 Val IT Framework
The Val IT framework is a comprehensive and pragmatic organizing framework that enables the creation of business value from IT-enabled investments. Designed to align with and complement COBIT, Val IT integrates a set of practical and proven governance principles, processes, practices and supporting guidelines that help boards, executive management teams and other enterprise leaders optimize the realization of value from IT investment. [3]
The IT governance audit program is going to use the Val IT Framework as a best practice; therefore it is important to have a good understanding of the key terms used in Val IT publications:
- Project – A structured set of activities concerned with delivering a defined capability (that is necessary but not sufficient to achieve a required business outcome) to the enterprise based on an agreed-upon schedule and budget;
- Program – A structured grouping of interdependent projects that are both necessary and sufficient to achieve a desired business outcome and create value. These projects could involve, but are not limited to, changes in the nature of the business, business processes, the work performed by people, as well as the competencies required to carry out the work, enabling technology and organizational structure. The investment program is the primary unit of investment within Val IT.
- Portfolio – Groupings of 'objects of interest' (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimise business value. The investment portfolio is of primary interest to Val IT. IT service, project, asset or other resource portfolios are of primary interest to COBIT.
Val IT supports the enterprise goal of creating optimal value from IT-enabled investments at an affordable cost, with an acceptable level of risk, and is guided by a set of principles applied in value management processes that are enabled by key management practices and are measured by performance against goals and metrics. [3]

6 Information Systems Audit Process
Whether carrying out an internal audit or an external audit, the audit should be performed following a formal plan designed to meet the audit objectives. For an internal audit function, a plan should be developed/updated, at least annually, for ongoing activities. The plan should act as a framework for audit activities and serve to address the responsibilities set by the audit charter. For an external IS audit, a plan should normally be prepared for each audit or non-audit assignment. The plan should document the objectives of the audit. [4]
An audit plan should take into consideration the objectives of the auditee relevant to the audit area and its technology infrastructure. When auditing IT Governance, the IS auditor should also consider relationships within the organization (strategically, financially and/or operationally) and obtain information on the strategic plan, including the IS strategic plan. [5]
In order to issue an IT Audit report and to state an opinion, there should be proper planning of the engagement, appropriate staffing, relevant evidence to support the findings, proper documentation of the report and dissemination of the findings to the stakeholders.
The planning should conclude in an audit program and procedures. The following steps should be followed in order to ensure the success of the audit engagement:
- First of all, the IS Auditor has to gain an understanding of the business's mission, objectives, purpose and processes. Knowledge about the particular industry's value chain and the organization's business model can support this understanding, which is critical in IT Governance auditing.
- Identify the organization structure, strategy committees and those responsible for IT oversight;
- Identify the IT organization structure, the role of each IT entity and key positions such as: IT Manager/CIO, Information Security Officer/CISO, Applications Development Team Leader, Infrastructure Team Leader, third parties;
- Identify policies and procedures;
- Evaluate the risk assessment and privacy impact analysis.
- Perform a risk analysis. IS auditors should use the selected risk assessment techniques in developing the overall audit plan and in planning specific audits. Risk assessment, in combination with other audit techniques, should be considered in making planning decisions such as: the nature, extent and timing of audit procedures; the areas or business functions to be audited; the amount of time and resources to be allocated to an audit. The IS auditor should consider each of the following types of risk to determine their overall level: inherent risk, control risk and detection risk. [6]
- Conduct an internal control review. Auditing projects should include consideration of internal controls, either directly as a part of the auditing project objectives or as a basis for reliance upon information being gathered as a part of the auditing project. [6]
- Set the audit scope and audit objectives;
- Develop the audit approach or audit strategy;
- Assign personnel resources to the audit and address engagement logistics;
- Develop and document an audit plan;
- Develop an audit program and procedures.
Scheduling of audit activities should be agreed with management in order not to hinder operational processes.
This audit program should be documented in a manner that will permit the IS auditor to record completion of the audit work and identify work that remains to be done. As the work progresses, the IS auditor should evaluate the adequacy of the program based on information gathered during the audit. When the IS auditor determines that the planned procedures are not sufficient, the IS Auditor should modify the program accordingly. [5]

7 IT Governance Audit Work Program
The purpose of the audit work program is to support IS auditors in carrying out an engagement whose purpose is to assess the IT Governance efforts undertaken by an organization to maximize the IT-enabled benefits while keeping risks under control.
This section presents a general audit work program; therefore, to use it, the IS Auditor should be familiar with IT Governance practices in order to select and develop audit objectives and tests relevant for the audited organization and to interpret the findings with professionalism and due care.
The IS auditor should obtain information on the IT governance structure, including the levels responsible for: governing the enterprise, setting the enterprise strategic directions, assessing the performance of the Chief Executive Officer/executive management in implementing enterprise strategies, assessing the performance of senior management and subordinates who report on the strategies in operation (including the knowledge, information and technology involved), determining whether the enterprise has developed the skills and IT infrastructure required to meet the strategic goals set for the enterprise, and assessing the enterprise's capability to sustain its current operations. [7]
The IS auditor should identify and obtain a general understanding of the processes which enable the IT governance structure to perform its functions, including the communication channels used to set goals and objectives for lower levels (top-down) and the information used to monitor compliance with them (bottom-up). [7]
The IS auditor should obtain information on the organization's information systems strategy, including: plans to fulfill the organization's mission and goals, strategy and plans for IT and systems to support those plans, the approach to setting IT strategy, developing plans and monitoring progress against those plans, the approach to change control of IT strategy and plans, the IT mission statement and agreed goals and objectives for IT activities, and assessments of existing IT activities and systems. [7]
The work program uses the Val IT Framework as a best practice in order to benchmark the findings. As defined in the aforementioned framework, the following domains will be evaluated as part of the IT Governance Audit:
- Evaluate Value Governance, with the purpose of determining the integration of value management within the enterprise: whether strategic directions are clearly set, whether the portfolios required to support new investments and the resulting IT services, assets and other resources are defined, and whether value management is improved on a continual basis, based on lessons learned;
- Evaluate Portfolio Management, in order to assess whether resource profiles are established and managed, investment thresholds are defined, new investments are evaluated and prioritized, the overall investment portfolio is managed and optimized, and portfolio performance is monitored and reported;
- Evaluate Investment Management, to determine whether business requirements are met, investment programs are developed and clearly understood, alternative approaches to implementing the programs are analyzed, each program is defined and documented, a detailed business case (including the benefits' details) is maintained throughout the full economic life cycle of the investment, clear accountability and ownership are assigned, and each program's performance is monitored and reported.
The audit program developed below lists specific tasks for evaluating each domain.

7.1 Value Governance Audit Tasks
The following processes should be evaluated to assess the maturity of Value Governance within an IT Governance program:
- VG1 Establish informed and committed leadership.
- VG2 Define and implement processes.
- VG3 Define portfolio characteristics.
- VG4 Align and integrate value management with enterprise financial planning.
- VG5 Establish effective governance monitoring.
- VG6 Continuously improve value management practices.
Val IT can be used to benchmark the findings resulting from performing the tasks presented in Table 1, on a six-level maturity scale: 0 - Non-existent, when the enterprise sees the IT function as a supplier and a cost to be minimized; 1 - Initial, when the enterprise recognizes that IT is both a cost and an investment; 2 - Repeatable, when there is increasing awareness amongst business and IT management of the need for a more formalized governance framework; 3 - Defined, when the business and IT functions understand the governance requirements to select and execute new investments, deliver the resulting IT services efficiently, and ensure optimal allocation of IT resources; 4 - Managed, when there is a shared commitment between the business and the IT function to optimize the contribution of individual IT investments and services to business value; 5 - Optimized, when value management is part of the corporate culture, and the business and IT functions work in partnership to continually optimize and report on the portfolios of IT investments and the resulting services, assets and other resources [3].

Table 1. Value Governance Audit Tasks

Proc. Ref. | Audit Tasks | Key Control
VG1 | IT Strategy is documented and incorporates feedback from the board. | IT Strategy
    | Leadership commitment is proven by initiatives supporting the IT strategy. |
    | Lessons learned are incorporated in the IT strategy. |
    | Business objectives are linked to IT strategic initiatives. |
    | The CIO attends executive board meetings at which IT's contribution to enterprise goals is discussed. |
    | Strategic objectives are achieved rather than changed or not met. |
VG2 | Accountabilities and practices are set up in the governance framework. | Value Management Process; IT Strategy Organization
    | The governance framework is covered by processes stating activities, owners, and areas of improvement. |
    | Processes are documented and include goals and metrics. |
    | Roles are established, communicated and accepted explicitly for investment decision making, program sponsorship, program management, project management, service delivery and associated support roles. |
    | An IT strategy committee is set up. |
    | An IT planning committee is established. |
    | An IT architecture board is established. |
    | Committees meet regularly and meeting minutes are available. |
VG3 | All types of portfolio are recognized, defined and categorized. | Portfolio categories and evaluation criteria
    | Each category is evaluated according to predefined criteria to support fair, transparent, repeatable and comparable evaluation. |
    | Benefits are determined for each portfolio: degree of strategy alignment, financial benefits, intangible benefits, risk of non-implementation, risk of not meeting the expected outcomes. |
    | Requirements for stage-gates and other reviews of each type of portfolio are defined. |
    | Ongoing contribution to value is assessed according to the review requirements. |
VG4 | Practices are defined for setting budgets. | Value management budgeting requirements; Business case development guidelines
    | Business cases are documented and sufficiently comprehensive. |
    | IT funding is known for future periods, as well as the implications of the costs for the enterprise. |
    | Financial planning practices are reviewed regularly. |
VG5 | Performance indicators are defined, including metrics and benchmarks. | Key measurements monitored; Reporting requirements
    | Key metrics are reviewed and agreed to by IT, business functions and stakeholders. |
    | Progress against targets is reported. |
    | Management actions are initiated and controlled. |
VG6 | Lessons learned from value management are documented. | Lessons learned
    | Management plans changes. |
An organization is succeeding in managing value if the IS auditor finds that the Value Governance processes are effective. Key controls, if formalized, can be used as the starting point of the evaluation; however, it has to be understood how things are carried out in reality, documented or not.

7.2 Portfolio Management Audit Tasks
The following processes should be evaluated to assess the maturity of Portfolio Management within an IT Governance program:
- PM1 Establish strategic direction and target investment mix.
- PM2 Determine the availability and sources of funds.
- PM3 Manage the availability of human resources.
- PM4 Evaluate and select programs to fund.
- PM5 Monitor and report on investment portfolio performance.
- PM6 Optimize investment portfolio performance.
Val IT can be used to benchmark the findings resulting from performing the tasks presented in Table 2, on a six-level maturity scale: 0 - Non-existent, when there is no awareness that IT-enabled investments should be managed as a portfolio; 1 - Initial, when some business functions apply portfolio management practices in isolation within their scope of activities; 2 - Repeatable, when there is increasing awareness of the need to manage IT-enabled investments as a portfolio; 3 - Defined, when there is a general understanding of portfolio management practices and business cases are required for all programs; 4 - Managed, when board and executive management are fully committed to portfolio management and regularly review the performance of the portfolio; 5 - Optimized, when portfolio management practices are part of the corporate culture, and the portfolio is continuously monitored and proactively adjusted to optimize its value [3].

Table 2. Portfolio Management Audit Tasks

Proc. Ref. | Audit Tasks | Key Control
PM1 | Opportunities for IT to influence and support the business strategy are understood and communicated. | IT opportunities; Investment initiatives
    | The investment mix is appropriate. |
    | Resources needed to support the business strategy are identified. |
PM2 | Funding is available and committed. | Budget
    | Actual spend to date is known. |
    | Options for obtaining additional funds are identified. |
PM3 | An inventory of business and IT human resources exists. | Tactical HR Plan
    | Current and future demand for business and IT human resources is determined. |
    | Tactical plans for business and IT human resources are maintained. |
    | The resources required, and how resources will be reassigned, acquired or developed, are defined. |
PM4 | Each program business case is evaluated and scored. | Investment programs
    | Stage-gates for each individual program's full economic life cycle are determined. |
PM5 | Management reports are provided for review. | Management reports; Status reports
    | Status reports are produced on objectives achieved, risks mitigated, deliverables and performance. |
PM6 | The investment portfolio is reviewed on a regular basis. | Portfolio performance
    | Business changes are reflected in investment programs. |

Management should seek to optimize the performance of the portfolio, establishing successful trends in line with strategy. The organization should be able to incorporate any external or internal changes of the business environment into the investment portfolio, to manage its performance and adjust it based on new requirements.

7.3 Investment Management Audit Tasks
The following processes should be evaluated to assess the maturity of Investment Management within an IT Governance program:
- IM1 Develop and evaluate the initial program concept business case.
- IM2 Understand the candidate program and implementation options.
- IM3 Develop the program plan.
- IM4 Develop full life-cycle costs and benefits.
- IM5 Develop the detailed candidate program business case.
- IM6 Launch and manage the program.
- IM7 Update operational IT portfolios.
- IM8 Update the business case.
- IM9 Monitor and report on the program.
- IM10 Retire the program.
Val IT can be used to benchmark the findings resulting from performing the tasks presented in Table 3, on a six-level maturity scale: 0 - Non-existent, when the enterprise sees IT as an end in itself and the focus is on delivery of technology; 1 - Initial, when there is some recognition of the need to improve the governance of technology investments but the focus is usually on the costs of technology; 2 - Repeatable, when there is increasing management awareness of the need to take a business value view of IT-enabled investments; 3 - Defined, when management understands the need to manage IT-enabled investments as programs, and is increasingly aware of the importance of managing organizational change; 4 - Managed, when board and executive management are committed to investment management and there are clear responsibilities and accountabilities for all stakeholders; 5 - Optimized, when board and executive management are proactive in regularly reviewing program performance and executive management assigns accountability for managing full economic life-cycle costs, financial and non-financial benefits, and risks. [3]

Table 3. Investment Management Audit Tasks

Proc. Ref. | Audit Tasks | Key Control
IM1 | Investment opportunities are recognized. | Conceptual Business Cases
    | Business outcomes are described in initial program conceptual business cases. |
    | New ideas adopted are rewarded. |
IM2 | Analysis of the alternatives to a candidate program is performed. | Candidate program documentation
IM3 | All resources needed for delivering the programme's expected business outcomes are documented. | Program plan
    | Roles and responsibilities are assigned. |
IM4 | Financial and non-financial benefits are known for the entire life-cycle of the programme. | Benefits realization plan
    | Business benefits are specific, measurable, achievable, relevant and time-bound (SMART). |
IM5 | Detailed program business cases are developed. | Detailed Business Cases
    | Technical aspects are approved by the CIO. |
IM6 | The program is managed, monitoring its performance against key criteria. | Resource allocation and status reports
    | Remedial action plans are undertaken when required. |
IM7 | The contents of all IT portfolios affected by the investment program are updated. | Updated IT portfolios
IM8 | The current status of the program is reflected in the business case. | Updated Business Case
IM9 | Schedule, funding, completeness and quality of functionality, user satisfaction, and the status of business and IT function internal controls are monitored. | Performance reports
IM10 | Lessons learned are documented. | Active investment portfolio
     | The active investment portfolio does not include completed programs. |

Management should understand the importance of managing IT-enabled investments as programs, as business benefits might not be tracked at project level. Organizational change has to be involved to see IT investments from a business value perspective, and business case development should be supported by standard modeling tools.

8 ISACA and CGEIT

ISACA was founded in 1969, incorporating as the EDP Auditors Association. In 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field. Today, ISACA has more than 86,000 members worldwide in more than 160 countries and covers a variety of professional IT-related positions: IS auditor, consultant, educator, IS security professional, regulator, chief information officer and internal auditor.

Since its inception, ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide. Its research pinpoints professional issues challenging its constituents. Its Certified Information Systems Auditor (CISA) certification is recognized globally and has been earned by more than 70,000 professionals since inception. The Certified Information Security Manager (CISM) certification uniquely targets the information security management audience and has been earned by more than 10,000 professionals. The Certified in the Governance of Enterprise IT (CGEIT) designation promotes the advancement of professionals who wish to be recognized for their IT governance-related experience and knowledge and has been earned by more than 200 professionals [9].

The newly released certification, Certified in Risk and Information Systems Control (CRISC), is for IT professionals who identify and manage risks through the development, implementation and maintenance of information systems (IS) controls. These professionals help enterprises accomplish business objectives such as effective and efficient operations, reliable financial reporting, and compliance with regulatory requirements.

ISACA Romania Chapter (www.isaca.ro) has about 250 members, who benefit from ISACA global resources and significant discounts on ISACA's publications and events, and it offers the possibility to take, in Romania, any exam for obtaining certifications issued by ISACA.

CGEIT is intended to recognize a wide range of professionals for their knowledge and application of IT governance principles and practices. It is designed for professionals who have management, advisory, or assurance responsibilities. This certification will benefit the individual, through recognition of their professional knowledge and competencies, skill-sets, abilities and experience, and will enhance their professional standing. It will also add value to the enterprises they support through the demonstration of a visible commitment to excellence in IT governance practices.

9 Conclusions

The Val IT Framework is currently one of the best practices for IT Governance. IT Governance can serve as a vehicle for enhancing the contribution of IT to the organization, can decrease IT expenditures, can strengthen the internal controls, and, if adopted, can prove the organization's interest in continuous performance improvement.

In the present context, when most organizations do not have a structured approach to IT management practices, the IS auditor's role should be primarily to educate organizations and to draw recommendations for adopting a business value perspective for IT-enabled investments, programs linked to benefits stated in well-documented business cases, and a value governance framework based on an IT strategy with clear vision and objectives, short- and long-range tactical plans, and clear responsibilities for managing value across the organization.

In the end, the IS auditor should answer three basic questions: Value Governance - is there an organization structure in place to manage value? Portfolio Management - are IT-enabled investments tracked to benefits? Investment Management - is the performance of IT initiatives managed and monitored?

References
[1] IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, pp. 11, 14, 19, 24, 28.
[2] Environmental Protection Agency, Applied Information Economics (AIE) Analysis Of The Desktop Replacement Policy, pp. 4.
[3] IT Governance Institute, The Val IT Framework 2.0, pp. 6.
[4] Information Systems Audit and Control Association, IS Auditing Standard, Planning.
[5] Information Systems Audit and Control Association, IS Auditing Guideline, Planning.
[6] Information Systems Audit and Control Association, IS Auditing Guideline, Use of Risk Assessment in Audit Planning.
[7] Information Systems Audit and Control Association, IS Auditing Guideline, IT Governance.
[8] Information Systems Audit and Control Association, CISA Review Manual, 2009.

Florin-Mihai ILIESCU, CISA, CISSP, graduated from the Faculty of Computer Science, University Politehnica of Bucharest, in 1999. He holds a Master of Science diploma in Computers' Architecture and is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). Currently he is General Manager of Info-Logica Silverline SRL (www.infologica.ro), a company he started in 2004, specialized in IT Audit and Consulting. For his contribution to the CISA Review Manual and CISA Exam Study Materials he was awarded the "ISACA Certificate of Appreciation". In 2009, Florin was elected Membership Director of ISACA Romania Chapter.
