The most challenging aspect of an IT governance audit for most enterprises is that they have no defined IT governance policy, standard, methodology, or practice to use as a target or baseline. Formal audits are generally conducted to ensure compliance with corporate mandates or legal/regulatory requirements. IT governance is not a legal or regulatory requirement per se, and few enterprises have taken it upon themselves to establish IT governance policies or standards. Given this omission, against what is the audit being conducted? How can it be fair?
The lack of established enterprise IT governance policies is exacerbated (if not caused) by the absence of a single industry-accepted definition of IT governance, despite the fact that ISO published a standard on the subject in 2008 (ISO/IEC 38500). By ISO’s own admission, the standard is a guideline for “directors”, yet it does not specifically define who the directors are. I have encountered few organizations that embrace ISO/IEC 38500 as the benchmark for IT governance. This is a shame, because the standard is very closely aligned with the original academic view of IT governance published by the IT Governance Institute (ITGI, an adjunct of ISACA) in 1998. In my opinion, the ITGI documents on IT governance are still the best you can find on the subject. But even though this material has been available for more than 15 years, too few enterprises even know it exists, let alone use it.