Provide feedback on this document
Visit the Audit Tools and Techniques Knowledge Center community
Visit the Strategic Planning/Alignment Knowledge Center community
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.
The objectives of IT strategic management can be twofold:
- A component of an IT general controls review—Many of the processes within the IT strategic management audit/assurance program are defined as entity-level controls or essential management controls.
- Operational audit of the IT function—This objective provides senior management with an understanding and assessment of the efficiency and effectiveness of IT management.
During the audit planning process, the auditor must determine the scope of the audit. A general IT controls review will utilize only a portion of this program, while a more thorough review of IT management practices will require the granular nature of this program.
Recognizing these issues, this document cannot offer a specific objective and scope. It is the responsibility of the auditor to determine the objectives and scope of the audit, based upon risk assessments, requests from the audit/assurance function’s stakeholders, and the audit universe as defined by audit management and the audit committee.