Risk Assessment - Level 3 Planning and Organisation
KEY
A.
Non-Existent: Management processes are not applied at all
B.
The effectiveness of the internal control is POOR (e.g. the internal control/item/process is seldom or never performed)
C.
Initial/Ad hoc: Processes are ad hoc and disorganised
D.
Defined Process: Processes are documented and communicated
E.
Managed and Measurable: Processes are monitored and measured
F.
Optimised: Best practices are followed and automated
N/A
Not Applicable: This question is not applicable to this particular staff member
IT INVESTMENT
1) Inadequate Management of IT Investments
A.
B.
C.
D.
E.
F.
N/A
1.1 Annual Operating Budget
1.1.1
Is a formal documented annual IT operating budgeting process in place?
1.1.2
Is the annual IT budget aligned with the following:
a. the organisation's long-range plans
b. the organisation's short-range plans
c. the IT long-range plans
d. the IT short-range plans
1.1.3
Is approval/authorisation obtained for the annual IT operating budget?
1.1.4
If required, have alternative sources of funding been investigated prior to finalisation of the budget?
(If this is not applicable please select the button in Column "N/A")
1.1.5
Do those people who are responsible for meeting the IT operating budget participate in its preparation?
1.1.6
a. Does the IT operating budget set measurable objectives in terms of the contractual expenditure?
b. Does the IT operating budget set measurable objectives in terms of company-related expenditure?
1.1.7
Is the IT budgeting process consistent with the organisation's overall budgeting process?
1.2 Cost Benefit and Management monitoring
1.2.1
Has a management process been established to monitor actual cost against those costs budgeted for?
1.2.2
Are the significant variances between the budgeted and actual costs investigated?
1.2.3
Are the possible benefits to be derived from an IT investment opportunity adequately motivated at the time of the purchase?
a. for capital expenditure
b. for service contracts
1.2.4
Are costs associated with the activities of the IT function
a. recorded;
b. processed; and
c. reported;
via the organisation's accounting system?
1.2.5
Have the IT expense accounts in the accounting records been appropriately and comprehensively classified to assist with monitoring and reporting of IT expenditure?
1.3 Cost Benefit Justification
1.3.1
Are management controls in place to assess whether costs motivated and incurred by IT on the delivery of service are justified?
1.3.2
Are the delivery of service costs in line with industry standards (monitored against competitors on an annual basis)?
1.3.3
Are cost/benefit analyses of proposed expenditure performed, and the results thereof reviewed?
1.3.4
Are benefits that are derived from the IT expenditure reviewed by senior management and IT management on a regular basis?