Global Technology Audit Guide (GTAG)


Written in straightforward business language to address a timely issue related to IT management, control, and security, the GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended practices.

Information Technology Controls: Topics discussed include IT control concepts, the importance of IT controls, the organizational roles and responsibilities for ensuring effective IT controls, and risk analysis and monitoring techniques.

Change and Patch Management Controls: Critical for Organizational Success: Describes sources of change and their likely impact on business objectives, as well as how change and patch management controls help manage IT risks and costs and what works and doesn't work in practice.

Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment: Addresses the role of continuous auditing in today's internal audit environment; the relationship of continuous auditing, continuous monitoring, and continuous assurance; and the application and implementation of continuous auditing.

Management of IT Auditing: Discusses IT-related risks and defines the IT audit universe, as well as how to execute and manage the IT audit process.

Managing and Auditing Privacy Risks: Discusses global privacy principles and frameworks, privacy risk models and controls, the role of internal auditors, top 10 privacy questions to ask during the course of the audit, and ...

Information Technology Outsourcing: Discusses how to choose the right IT outsourcing vendor and key outsourcing control considerations from the client's and service provider's operation.

Auditing Application Controls: Addresses the concept of application control and its relationship with general controls, as well as how to scope a risk-based application control review.

Identity and Access Management: Covers key concepts surrounding identity and access management (IAM), risks associated with the IAM process, detailed guidance on how to audit IAM processes, and a sample checklist for auditors.

Business Continuity Management: Defines business continuity management (BCM), discusses business risk, and includes a detailed discussion of BCM program requirements.

Developing the IT Audit Plan: Provides step-by-step guidance on how to develop an IT audit plan, from understanding the business, defining the IT audit universe, and performing a risk assessment, to formalizing the IT audit plan.

Managing and Auditing IT Vulnerabilities: Among other topics, discusses the vulnerability management life cycle, the scope of a vulnerability management audit, and metrics to measure vulnerability management practices.

For more information and resources regarding technology-related audit guidance, visit www.theiia.org/technology.

Global Technology Audit Guide (GTAG) 12: Auditing IT Projects

Authors
Karine Wegrzynowicz, Lafarge SA
Steven Stein, Hewlett-Packard

March 2009

Copyright 2009 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Fla., 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission from the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be retained.

Table of Contents

Letter from the IIA's President ... 1
1. Executive Summary ... 2
2. Introduction ... 3
2.1 What Exactly Is an IT Project? ... 3
2.2 Understanding the Impact ... 3
2.3 Examples of Failed IT Projects ... 3
2.4 Historical Statistics on IT Project Success and Failure ... 3
2.5 Top 10 Factors for Project Success ... 4
2.6 Purpose and Benefits of Internal Audit Involvement ... 5
3. Five Key Focus Areas for Project Audits ... 6
3.1 Business and IT Alignment ... 6
3.2 Project Management ... 6
3.3 IT Solution Readiness ... 11
3.4 Organizational and Process Change Management ... 12
3.5 Post Implementation ... 13
4. Project Audit Planning ... 14
4.1 IT Projects and the Annual Internal Audit Plan ... 14
4.2 Internal Auditing's Role ... 15
4.3 Types of Project Audits ... 16
4.4 External Auditor Considerations ... 17
Appendix A – Project Management ... 18
A.1 Project Management Methodologies ... 18
A.2 Project Management Life Cycle ... 18
Appendix B – IT Project Stakeholders ... 19
Appendix C – Project Management Offices' Structure, Roles, and Responsibilities ... 20
Appendix D – Maturity Models ... 21
D.1 Capability Maturity Model ... 21
D.2 Project Management Maturity Models ... 21
D.3 Systems Development Maturity Models ... 21
Appendix E – General Project Management Best Practices ... 22
E.1 PMBOK and PRINCE2 ... 22
E.2 ISO Standards ... 22
E.3 COBIT Sections That Apply To Project Management ... 23
E.4 VAL IT ... 25
Appendix F – Internal Auditor's Questions for Reviewing an IT Project ... 24
About the Authors ... 34

Letter from The IIA's President

As is true for most internal auditors of my generation, I have witnessed technology's remarkable evolution from a ringside seat. When I was a young, newly minted internal auditor directly out of college in the 1970s, the most complex technology I regularly encountered was a 10-key calculator. Today, though, we live and work in quite a different world.

Thanks to unrelenting IT advancement since I entered the workforce, virtually everything we encounter now is embedded with technology. Regardless of the industry or enterprise, information technology is critical to maintaining a competitive edge, managing risks, and achieving business objectives; and organizations worldwide are allocating vast resources to vital IT projects.

Whether IT projects are developed in-house or are co-sourced with third-party providers, they are fraught with challenges that must be considered carefully to ensure success. Less than desirable outcomes can result from such issues as poorly defined project scope and objectives, lack of senior manager support, insufficient user involvement, incorrect or inappropriate technology choices, or lack of knowledge about changing technologies. Insufficient attention to these and other IT challenges will result in wasted money and resources, loss of trust, and reputation damage — all of which are huge risks and none of which is acceptable.

Inherent in information technology is its cross-functionality. It must involve people and processes throughout an organization. And because of the internal auditors' unique perspective and positioning within their organization, their early involvement can help ensure positive results and the accompanying benefits. They can serve as a bridge between individual business units and the IT function, point out previously unidentified risks, and recommend controls for enhancing outcomes.

For all of these reasons, I am especially pleased with the release of The IIA's new GTAG: Auditing IT Projects. This timely guidance provides an overview of techniques for effectively engaging with project teams and management to assess the risks related to IT projects. This Practice Guide includes:

• How to outline a framework for assessing project-related risks.
• Key project management risks.
• How the internal audit activity can actively participate in the review of projects while maintaining independence.
• Five key components of IT projects for internal auditors to consider when building an audit approach.
• Top 10 reasons for project success.
• Types of project audits.
• A sample audit work program with a suggested list of questions for use in the IT project assessment.

The development of this Practice Guide truly was a team effort. We are grateful to The IIA's Advanced Technology Committee for selecting the topic and developing the guidance. We owe a great debt of gratitude to the two principal authors, Karine Wegrzynowicz, CIA, internal audit director at Lafarge SA, and Steve Stein, CIA, global IT audit manager at Hewlett-Packard, for contributing a great deal of time and effort to the project.

I encourage you to use this authoritative guidance to build your working knowledge on IT-related project management, for it surely will contribute to the success of your organization's future IT efforts.

Sincerely,
Richard F. Chambers, CIA
IIA President
Global Headquarters

1. Executive Summary

Organizations invest large amounts of capital to fund the implementation of new information systems, enter new markets, develop new products, and manage alliances and acquisitions. Project teams are often created to manage such efforts. These investments don't just bring about positive change to the organization, but also present a high degree of risk. As a result, the success or failure of these investments can be critical to the strategy of an organization, as well as have an impact on the organization's efficiency and reputation.

Many projects and investments are focused around information technology (IT). In the past, studies such as "The CHAOS Report," conducted by The Standish Group, indicate that for IT projects in particular, the failure rate can be as high as 50 percent.1 Project failure often comes down to two key things: too much optimism from a people aspect, or technology failures from a systems perspective. Given the level of risk that projects face, it is essential for the internal audit department to be aware of the projects taking place in the organization and to determine at what stage it should be involved in order to provide guidance on the controls aspect of the project or an independent assessment of the achievement of desired results.

Internal auditing can contribute to the success of IT projects by assessing project-related risks. Auditors can focus on areas such as security and internal controls, and they can play a role in evaluating the overall project management. By helping project teams respond to risks, internal auditing can increase the project's chance of success. As discussed in GTAG 8: Auditing Application Controls, internal auditing can add value through both traditional assurance and consultative engagements.2

In a 2002 Internal Auditor article, Richard B. Lanza wrote: "To be successful, auditors must demonstrate to both senior management and project managers the value that an independent advisor can bring. Senior management can give auditors access to projects, but auditors can be more effective when the project managers buy into their involvement and give them greater access."3

The purpose of this GTAG is to provide the chief audit executive (CAE) and internal auditors with an overview of techniques for effectively engaging with project teams and project management offices (PMOs) to assess the risks related to IT projects. The field of project management is quite broad, and as such the purpose of this guide is to outline a framework for assessing project-related risks, provide examples of common project management risks, and discuss how the internal audit function can participate actively in the review of projects while maintaining its independence. The IIA's International Standards for the Professional Practice of Internal Auditing provide principle-focused guidance for performing these engagements.

Within the context of this GTAG we have chosen to focus on five key components of IT projects for which we recommend building an audit approach (see Figure 1):

1. Business and IT Alignment
2. Project Management
3. IT Solution Readiness
4. Organizational and Process Change Management
5. Post Implementation

Figure 1 shows that project management is the central concept that links all of these areas. When planning the project audit approach, the auditor should consider all five of these areas to ensure that all major risks are addressed.

This guide is not intended to be a complete project risk assessment or audit guidance; rather it provides an outline of key considerations for auditing IT projects. Auditing projects is an excellent opportunity for internal auditing to provide assurance on strategic risk. A number of studies have shown that internal auditing spends a large amount of time auditing operational risk, but not enough on strategic risk. Project audits can provide an opportunity to expand the risk focus.

[Figure 1: Five Key Focus Areas for Auditors. Diagram with Project Management at the centre; labels legible in the extraction: Business & IT Alignment, Project Management, IT Solution Readiness.]

1 The CHAOS Report 2007, The 10 Laws of CHAOS, The Standish Group, 2007.
2 GTAG 8: Auditing Application Controls, p. 5.
3 "Technology Projects: The Riskiest Parts of the Business." Internal Auditor, May 15, 2002, Richard B. Lanza, CPA, PMP.

2. Introduction

2.1 What Exactly Is an IT Project?

The term IT Project is a bit of a misnomer. In reality, most system implementation or maintenance projects are increasingly complex initiatives that involve or impact more than just the IT department and, as such, should be considered as a business project as well as an IT project. In the most general sense, a project is a unique set of activities with a discrete beginning and end, undertaken to achieve a particular purpose within defined constraints of schedule, scope, and resources. It is important to note that this GTAG is intended to focus on projects that include a technology-related solution; however, the principles are very similar to other types of projects.

IT-related investments have been a major source of expenditure for organizations for many years. They tend to come in waves, and all organizations worldwide respond to them. Large IT projects easily can cost tens of millions of dollars. Major waves of IT system-related projects in the last 15 years include enterprise resource planning (ERP) systems, solving the Year 2000 problem, e-commerce/dot-com solutions, and customer relationship management (CRM) systems. Such projects could include building new infrastructure, new product development (commonly referred to as research and development, or R&D), and the implementation of new business processes or business transformations. In the evaluation of such projects, it is necessary to understand the key risks, and to develop a set of criteria to evaluate the project at various stages.

... is no shortage of ideas, articles, and white papers on the subject. Regardless of the interpretation of the data, there is overwhelming evidence that projects pose a significant challenge. Ultimately, management is accountable for ensuring that the project and benefit outcomes are achieved.

2.3 Examples of Failed IT Projects

Most large IT project failures will never be publicized because of the negative impact the disclosure would have on an organization's reputation and shareholders. However, the following are some examples of significant failures that have been reported.

• In August 2005, CIO Magazine reported that a large U.S. government agency had to scrap a US $170 million virtual case file management system development project due to schedule delays, cost overruns, and technical difficulties.4

• In 2004, one of the top telecommunications companies in the world experienced a project failure during a CRM system upgrade. The resulting problems cascaded across the IT environment and led to disruptions in wireless service to customers. The company lost many customers over the incident, and the revenue impact was estimated to be US $100 million. The stock price fell and before it could recover, the company was sold to a competitor for less than half of the original
