As for the job itself, Chapter 5 made the point that information technology, audit, and internal control correlate among themselves and with sound governance. Advanced IT can be instrumental in assisting auditing functions and internal control, but at the same time, IT must be audited for:

Conformity to the company’s strategic plan n Efficiency of its operations n Fraud and other mishappenings n Whether it is ahead of the curve compared with the IT of competitors n

All four bulleted items can serve as guidelines for the IT auditor. A few years ago, in a joint IT policy statement, the four main regulators of U.S. banking-Federal Reserve, Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and Office of rift Supervision (OTS)—stated that internal control, internal audit, and the technology supporting them must be

Correctly monitored and n Properly controlled. n

“Responsibility cannot be transferred to somebody else, even if certain activities are delegated or outsourced,” said two executives of OCC during our meeting. “Whether it is internal control or information technology, whether it is done inhouse or it is outsourced, it is the board’s responsibility to assure quality.” is statement is absolutely right because, in the 21st century, IT has become an efficiency tool that, properly used, can be instrumental in

Enhancing management control, n Promoting business opportunity, and n Helping in making the control of exposure more effective. n

e downside lies in the fact that, as far as the majority of companies are concerned, “enhanced management control” is not a keyword characterizing IT expenditures. Every year, companies are spending billions of pounds, euros, and dollars on information technology, even though few boardrooms know the value of the hardware and software their firms acquire or the contribution that IT investments make to their businesses.