In your own words, what are the key elements of IT governance?

    To demonstrate an understanding of key IT governance concepts.

     

    The IT Audit Director has asked you to perform some preliminary research as it relates to an upcoming audit of your company’s approach to IT governance. The Institute of Internal Auditors (IIA) standards have been revised and now require that you consider the role of IT governance when developing your IT audit plan. Write a response back to your IT Audit Director stating the key areas that the team should focus on for the audit. In your answer, consider the following short answer essay prompts:

     

    a. In your own words, what are the key elements of IT governance?

     

    b. How do you know when IT governance is not working? Scan through today’s headlines and provide an example. What aspects of IT governance were lacking?

     

    c. Board versus management – when defining IT governance, why is clearly defining roles and responsibilities, and accountability important?

     

    2. [25 points] ~ Learning Objective: To demonstrate an understanding of the role of risk management in today’s economy, including the importance of establishing a common risk language.

     

    Why does a car have brakes? In class, when I asked this question, the majority of you immediately thought: “To slow the car down.” We emphasized the importance of implementing improved risk management practices to enhance value, and seize business opportunities (i.e., “Make the car go faster, and apply the brakes when needed.”). Consider the following scenario:

     

    Maria Alvarez, the Chief Operating Officer (COO) of a global manufacturing company, recently attended a conference on corporate governance. One of the topics discussed was the subject of Enterprise Risk Management, or ERM for short. She could not believe what she heard … At lunch, later that day, she spoke to her company’s Chief Compliance Officer (CCO): “Mihal,” she said, “this ERM concept is all wrong. Hire a Chief Risk Officer and let that person have responsibility for risk – no way. It’s another example of academics, accounting and consulting firms dreaming up some idea to sell to corporate America. They’re just out to fatten their wallets. Risk management is part of our day-to-day operations – it’s embedded in our daily decision-making. If we set up a separate group to monitor a list of risks, we are only going to cause more troubles. It’s no wonder why only 25% of companies polled in the 2016 AICPA poll on ERM have a complete formal enterprise-risk management process in place.”

     

    Building upon this point of view, Bob Kaplan, Senior Fellow and Marvin Bower Professor of Leadership Development, Emeritus at the Harvard Business School, in a recent article titled “Risk Management, the Revealing Hand,” states,

     

    “After the global financial crisis, consultants and policy makers reached the conclusion that, as articulated by Ernst & Young Partner Randall Miller, “companies with more mature risk management practices outperform their peers financially.” Consultants offered to show less risk-savvy companies how to reap the “likely profit margin increase” that has accrued to “risk management leaders… over the last three years” and to achieve the spectacular EBITDA-differentials between the “top” and “bottom” of the risk management maturity scale. Despite such claims, academic studies have yet to confirm whether and how risk management practices add value.”

     

    In your answer, consider the following short answer essay prompts:

     

    a. Do you agree or disagree with Maria Alvarez, the COO? Why? Explain.

     

    b. Often, when we think about risk, we immediately focus on “potential harms” – how can ERM, or more effective risk management practices, focus on value added versus value preserved (i.e., protecting the downside)?

     

    c. Building on the topic of risk management, why is it vitally important for the IT auditor to establish a common risk language with management?

     

    3. [25 points] ~ Learning Objective: To demonstrate an understanding of the differences between internal and external auditing.

     

    How are internal and external auditing similar? How are they different? Include in your answer a discussion of unique standards, standards-setting bodies, stakeholders, objectives, etc.

     

    4. [25 points] ~ Learning Objective: To demonstrate an understanding of the IT audit process.

     

    In class we discussed the key phases of the IT audit process. Explain the purpose and objectives of each phase (Audit Universe, IT Risk Assessment and Audit Planning). Why is each phase important and how does each fit together into the overall process of identifying IT risk of the organization? Please provide examples of tools/techniques that may be used in each phase.

     

    5. [25 points] ~ Learning Objective: To demonstrate an understanding of the role of the IT auditor in today’s economy.

     

    Technology has evolved throughout the years and plays an ever-increasing role in supporting business operations to help companies achieve strategic advantage. You have scheduled a meeting with the Chief Information Officer (CIO) to review your proposed IT audit plan for 2018. Explain how you would use the IT audit function to add value to the organization. In your answer, consider the following short answer essay prompts:

     

    • Why is information assurance needed in today’s business environment?

     

    • What role(s) can the IT auditor play in terms of supporting this need?

     

    • The COSO (2013) framework emphasizes the need for companies to implement effective monitoring activities to support their overall system of controls, including “separate evaluations” (Principle 16). Explain how internal auditors support this component of the COSO framework, thereby providing information assurance.

     

    • How does the three lines of defense model help, or hinder, efforts to achieve this principle?
