How to audit IT strategic planning

As with any audit, the first stage is to obtain a business understanding of management’s intentions. This may be complicated by the size and cross-function capability of such systems resulting in the business areas considered covering virtually the whole company. From this understanding, the business objectives and thus the control objectives may be derived. This permits the auditor to identify and evaluate critical controls/processes/apparent exposures within the overall systems and design the appropriate audit procedures. Once these have been agreed, the testing of the critical facets and evaluation of the results becomes routine.

As discussed earlier, another complication arises from the advent of Decision Support Systems. These systems, commonly combined with data warehousing, use the databases in order to assist management in the making of fundamental business decisions. In such cases it is essential that management can place reliance on the accuracy, completeness, integrity, confidentiality, and timeliness of such systems. These systems may, in turn, be extended into the concepts of EIS, which address those aspects of corporate governance that are of specific importance to executive management.

In auditing strategic planning there is a complexity multiplier factor at work where the vulnerability of the organization to inadequacies in internal controls in the development of strategic systems is limited only by the degree of corporate dependency on the system. This factor is normally unevaluated and commonly understated, but it could threaten the ongoing existence of the organization.

Source: Auditor’s guide to information systems auditing, Richard E. Cascarino 2007