Part B: Information Technology Management

While IT Governance defines the strategic "what" and the risk-aware "why," IT Management is strictly concerned with executing the "how." It covers applying established policies, deploying and optimising resources, managing external vendor ecosystems, continuously monitoring performance metrics, and ensuring quality across all IT service delivery mechanisms.

IT Resource and Portfolio Management

IT management practices ensure the optimal, cost-effective use of human, technological, and financial resources. IT Portfolio Management (ITPM) is a structured mechanism by which organisations determine whether they are pursuing the optimal mix of IT projects to achieve their enterprise goals and maximise Return on Investment (ROI).

  • Portfolio Synchronisation and Value Realisation: The academic literature shows that organisations consistently struggle to realise tangible business gains from their IT investments due to immature and fragmented ITPM practices. Research across major corporations indicates that only an estimated 17 per cent of organisations operate at a mature, "synchronised" stage of ITPM, where IT spending is perfectly and dynamically aligned with business objectives. Best practices for reaching this synchronised stage include rigorous business case evaluations, continuously realigning project portfolios in response to market shifts, and—crucially—transferring ultimate accountability for IT value realisation directly to business leaders rather than isolating it within the IT department.

  • Human Resource Management in IT: Managing human capital is a vital and highly complex component of IT management. This includes aggressive recruitment, mandatory cross-training (to mitigate the severe risk of over-reliance on a single key individual or "key-person dependency"), rigorous succession planning, and continuous performance management. Furthermore, emerging research for 2024–2025 highlights the integration of "Green HRM," in which Artificial Intelligence is used to enhance sustainable IT workforce practices. This optimises workforce efficiency, predicts skill gaps, and significantly reduces the environmental footprint of IT operations, aligning directly with global sustainability mandates.

IT Vendor Management and Cloud Governance

As enterprises rely more on specialised, external cloud services and third-party software to reduce costs and speed innovation, IT vendor management has become one of the most critical areas of modern IT management. Sourcing models have diversified significantly, ranging from complete insourcing to off-site, offshore, and complex hybrid outsourcing models that blend internal staff with managed service providers (MSPs).

The threat landscape associated with third-party vendors has necessitated a radical shift in management practices. The 2025 literature highlights several severe trends and required management responses:

  • The Shift to Continuous Monitoring: Traditional point-in-time vendor risk assessments (e.g., annual security questionnaires) are widely recognised as insufficient to address the highly dynamic nature of modern cyber threats. Attackers increasingly exploit weaker vendor systems to access larger, more secure target organisations. Consequently, IT management is rapidly shifting toward continuous monitoring, leveraging AI-enabled threat intelligence platforms to track vendor vulnerabilities, detect dark web credential leaks, and identify real-time compliance deviations without waiting for the next audit cycle.

  • Concentration Risk and Cloud Resilience: The increasing complexity of fourth- and fifth-party supply chains necessitates deep, multi-tier visibility. Furthermore, major outages (such as widespread regional cloud failures) have underscored the severe dangers of overreliance on a single dominant cloud service provider. Organisations are now explicitly advised to diversify their infrastructure, map all critical dependencies, mandate multi-provider redundancy, and rigorously test vendor resilience through structured Business Continuity Planning (BCP) and Disaster Recovery (DR) exercises.

  • AI Agent Governance and Volatility: With vendors increasingly embedding autonomous AI agents directly into their software platforms, IT managers face the unprecedented challenge of treating these non-human agents as active "insiders." Management protocols now require applying the principle of least privilege to AI tools, conducting strict behavioural monitoring, and binding AI outputs to corporate policies. Additionally, the rapid volatility of third-party AI models (e.g., sudden version deprecations or updates) can disrupt enterprise workflows, forcing IT managers to negotiate contractual support guarantees to prevent migration bottlenecks.

  • Assurance through Independent Audits: To validate a vendor’s security posture without conducting resource-intensive, invasive direct audits, IT management relies heavily on standardised third-party assurance reports. SSAE 18 SOC 2 reports are important because they provide an independent evaluation of the vendor's internal controls relevant to security, availability, processing integrity, confidentiality, and privacy. Management teams must possess the expertise to critically analyse these reports, identify qualified opinions, and demand remediation for any highlighted control deficiencies.

  • Strategic Regular Business Reviews (RBRs): Effective vendor management requires moving beyond ad-hoc troubleshooting to structured, strategic engagement. Best practices include setting a formal cadence of Regular Business Reviews, using comprehensive Service Level Agreements (SLAs), standardising agendas around key performance metrics, and involving executive leadership to drive continuous innovation and hold vendors accountable for their contractual obligations.

IT Performance Monitoring and Reporting

Performance optimisation requires continuous, objective measurement to ensure IT services meet established SLAs, justify their cost, and demonstrably advance corporate goals. IT managers achieve this transparency through specific, tiered metrics:

  • Key Performance Indicators (KPIs): These metrics measure how well an IT process is performing against its strategic targets. They provide quantifiable indicators of whether an ultimate goal will be reached and evaluate the capabilities, practices, and skills of the IT team.

  • Key Risk Indicators (KRIs): KRIs provide crucial early warning signals of increased exposure to specific risk events. They utilise predetermined thresholds that, when breached, automatically trigger management alerts, enabling proactive intervention before a risk fully materialises.

  • Key Control Indicators (KCIs): These metrics assess the operational effectiveness and reliability of internal controls designed to mitigate identified risks, ensuring that safeguards which exist in theory actually function in the production environment.

A preeminent framework for synthesising these disparate metrics into a cohesive narrative is the Balanced Scorecard (BSC), originally pioneered by Kaplan and Norton in the early 1990s. Rather than relying solely on lagging financial indicators—which only report past performance—the BSC evaluates performance across four balanced, forward-looking perspectives: Financial (stewardship and resource efficiency), Customer/Stakeholder (satisfaction and value delivery), Internal Processes (operational excellence), and Learning & Growth (future orientation and innovation).

The current literature indicates that the BSC is undergoing a massive digital evolution. Industry analysts predict that, by 2026, 40 per cent of large enterprises will combine traditional BSC-style dashboards with real-time digital analytics, using Artificial Intelligence to dynamically update KPIs based on live operational data. This shift toward data-centric, agile strategies requires modern scorecards to capture not just output, but adaptability. For example, measuring manager effectiveness in 2025 has moved beyond simple employee satisfaction scores; modern KPIs now place greater weight on a manager's ability to drive AI adoption, navigate hybrid workplace collaboration, and adapt to rapidly shifting productivity demands.

Quality Assurance and Quality Management

Quality management encompasses how the IT department's processes are continuously controlled, rigorously measured, and systematically improved to deliver operational excellence. Quality Assurance (QA) is defined as a planned, proactive, and systematic pattern of all actions necessary to provide adequate confidence that an IT product or service will conform to established technical requirements. It is designed to prevent defects before they occur. This is distinct from Quality Control (QC), which consists of the reactive observation techniques and testing activities used to identify defects in the final product after it has been built.

To achieve consistent operational excellence and drive continuous improvement, IT management employs various complementary and sometimes overlapping methodologies:

  • ITIL 4 (Information Technology Infrastructure Library): ITIL is a comprehensive, globally recognised framework for IT Service Management (ITSM). It emphasises structured processes, organisational governance, rigorous change management, and high reliability in service design, transition, and daily operations. ITIL’s structured approach minimises risks and ensures strict compliance with enterprise policies.

  • Agile Methodology: Rooted in modern software development, Agile promotes iterative progress, flexibility, and rapid responses to changing customer requirements. It organises work into short development cycles (sprints) and relies heavily on cross-functional team collaboration, continuous feedback loops, and customer-centricity.

  • The A-ITIL Convergence (ITIL + Agile + DevOps): Historically, these methodologies were viewed as conflicting, with ITIL deemed overly rigid, bureaucratic, and slow, while governance professionals often perceived Agile as unstructured and chaotic. However, recent academic literature overwhelmingly demonstrates the efficacy of hybrid models (often referred to as A-ITIL or integrated DevOps). These advanced models integrate Agile’s rapid delivery and cross-functional teamwork within ITIL’s governance, incident management, and stability frameworks. This fusion allows organisations to achieve high-speed innovation without sacrificing service reliability or regulatory compliance.

  • Six Sigma and Total Quality Management (TQM): Six Sigma employs a highly quantitative, strictly data-driven approach to identify root causes and eliminate process variability and defects. It primarily utilises the proven DMAIC roadmap (Define, Measure, Analyse, Improve, Control). TQM similarly advocates for enterprise-wide continuous improvement focused entirely on customer satisfaction and defect-free production. Currently, the industry is transitioning toward a new paradigm known as "Quality 4.0." This involves organisations deeply integrating big data analytics, machine learning, and AI directly into their TQM and Six Sigma frameworks. These technologies enable predictive quality management—analysing large datasets to identify hidden patterns and automatically adjusting manufacturing or IT processes in real time, supporting sustainable organisational excellence.