QUESTION
PLEASE SEE ATTACHED PRIOR PROJECT CASE STUDIES
MASTER LEVEL PLEASE
IT Assurance Findings and Recommendations
This week, you will complete your final project. You will narrow down your IT audit to a targeted scope. You will use the three-phase model of IT assurance to synthesize your IT audit for your selected case study. This week, to conclude your final project, use the three-phase model of the IT assurance initiative and build an IT assurance initiative by performing the following tasks:
Identify potential IT-related issues based on documented assumptions and your evaluation of your case study in Week 1 through Week 4.
Scope the IT assurance initiative based on the subset of the organizational system that should be targeted.
State relevant enablers and suitable assessment criteria to perform the assessment of pertinent domains, processes, and controls.
Integrate the totality of your work from Week 1 through Week 4 and report the results of your assessment, including your findings and recommendations.
Submission Details:
Create your report in approximately 10 pages in a Microsoft Word document and save it as W5_A3_LastName_FirstInitial.
| Subject | Pages | Style |
|---|---|---|
| Computer Technology | 20 | APA |
Answer
IT/IS Audit Report on the Findings and Recommendations Given
IT Assurance involves acts of protecting and managing Information Systems against risks related to the use, storage and transmission of data and information systems. These systems have various components that make them functional (Class, 2015). There are several functions that are assured for data and the IT systems: data integrity, which ensures authorized access and modification of system data; availability, which ensures that information is made ready for those authorized to read it and at correct authorization levels; authentication, which ensures that users are correctly identified before accessing the system; confidentiality, which limits access and places restrictions on information; and finally non-repudiation, which ensures that someone cannot deny an action they have done in an IT system. IT systems are prone to security violations and failures that are caused by errors and vulnerabilities. These are caused by rapidly changing technologies, human errors, and poor and incorrect specifications of requirements, among others. This brings about the need for IT Assurance, which is determined by the evidence that is produced by the assessment process of an entity. This report summarizes the findings and recommendations of the report results from week 1 through week 4. This will be done in sections using a three-phase model of IT assurance.
Potential IT-Related Issues Based on Documented Assumptions
Several IT-related issues have been brought out based on the provided documentation. Massachusetts Institute of Technology (MIT) has a comprehensive Information Systems and Technology (IS&T) function which forms the basis for all its operation and business strategies. This enables the IS&T to support and align itself to the enterprise goal because it plays a pillar role in the creation of value. It is through IS&T that the stakeholders can cascade the enterprise goals (Gardner & Dana, 2012). MIT maps the university goals. Despite this, there are several IT-related issues that may require more improvement. IT auditing, being one of the critical areas, works to identify weaknesses and loopholes in technology identification and acquisition, implementation and operation (Worstell, 2013). From the sample results of the survey of IS&T audit, there are some partial-adherent and non-adherent findings which will require improvement to ensure high quality. These issues include reputation, believability, relevancy, completeness, amount of information, concise representation and understandability. The last two have very low adherence in all the audit processes. There also arises the issue of restricted access, which should not be an issue during auditing (Antonio & Manotti, 2016).
Another issue arises when it comes to IS&T Lifecycle. There are areas that require more attention including brand awareness and service satisfaction, system process improvement, quality optimization, and capacity utilization and revenue sources. These are the areas that require more attention to ensure there is consistency throughout the IS&T lifecycle.
Internal controls evaluation involves evaluating the internal control of system management and therefore focuses on specific operation and control measures applied to service management (Pathak, 2005). In terms of internal controls evaluation, there are several issues that can be improved, as seen from the evaluation of internal control for service management. Considering the internal controls, integrity commitment, competence, auditing committees, organizational structures and human resource management all fare better. There are some areas that may require improvement, which include client management and auditor risk assessments. Control activities, including physical control over assets and records and independent checks on performance, should be improved. Maintenance of internal audit independence and high-level reporting to higher authority are also areas that require improvement.
The Scope of IT Assurance Initiative Based on the Targeted Organizational System
The three targeted systems from the previous section are IT auditing, the IS&T lifecycle and the internal controls evaluation areas.
With regard to the scope of IT auditing, there are various key stakeholders that can be identified including the chief information officer who directly collaborates with chief technology officer, then we have the IS&T planning and management team. There are several objectives of IT auditing which include extracting and analyzing data regarding various plans which are preliminary, implementation and current project operation plans. Revision of financial reports that include development and acquisition of equipment is also a key objective. Current budget analysis and report of any over expenditures are checked. The software licenses and privacy issues are also addressed during the auditing process among other objectives (John, 2015). They may include security features of the IS&T system like restriction on access, and the availability of the information or data (Lorsch et al., 2019).
Focusing on IS&T lifecycle processes, there are various stakeholders involved. They include the vice president IS&T, senior director, director, enabling services director, business operations director and the purchasing agent for the project. This process has various objectives which are achieved through five main phases. The first phase is development of the project charter. The project charter outlines the function of the project, the organizational structure of the current project and the strategies put in place to make a successful implementation of the project. It thus describes the project vision, mission, scope, objectives and deliverables. All stakeholders are also listed in the project charter with their roles (Massachusetts Institute of Technology, 2013). The second phase (planning) has three main objectives, which include the project scope statement, work breakdown structure, and Gantt chart. It also involves the use of Key Performance Indicators (KPIs) to determine if the project is on the right trajectory (Mohammed, 2009). The third phase objectives include making forecasts on the project, taking project status, and tracking the project. The fourth phase involves three main objectives, which are activity tracking, goal tracking and budget tracking. The final phase covers project analysis and project reports (Berman, 2014).
The last organizational system is the internal controls evaluation. This area has three main objectives that include service management, system management and operations management. Additionally, it is also focused on the achievement of objectives in one or more separate but related domains of organizational operations. Service management involves adoption of a process approach towards management and focuses on the needs and expectations of the customers. It relies on the policies and procedures of the organization, whereby it is characterized by the adoption of a process approach towards management of IS&T, thus focusing on customer needs, expectations and IS&T services for customers rather than IS&T systems, and stressing consistent and progressive improvement. System management deals with running of IT systems in an organization’s database, which should be effective. It is also useful in a hybrid environment, where overseeing the design and day-to-day operations of the database, as well as the integration of third-party cloud services, are key. It is, therefore, an enterprise-wide administration of disseminated systems including IS&T systems (Worstell, 2013). Operations management involves dispensation of practices which create the highest possible levels of efficiency (Changchit & Holsapple, 2004).
Relevant Enablers and Suitable Assessment Criteria to Perform the Assessment of Pertinent Domains, Processes, and Controls.
IS&T auditing has the following enablers: objectivity, believability, reputation, relevancy, completeness, currency, amount of information, concise representation, consistent representation, interoperability, understandability, manipulation, availability and restricted access. All these have different relevancy levels, as shown in Figure 1 below. They are grouped into sub-dimensions and goals.
Figure 1: Sample of a result from a survey of IS&T audit, (Antonio & Manotti, 2016)
IS&T lifecycle process enablers can be obtained from the various phases. They include, but are not limited to, the balanced scorecard, which shows the clarified strategy for MIT and thus communicates the business's top strategic priorities; it is shown in Table 1 below. Principally, the strategic framework is divided into four perspectives that are key to business. They are financial, customer, internal process, and growth and learning.
Table 1. Balanced Scorecard of MIT
| Balanced Scorecard Metrics | | Relevancy | Score |
|---|---|---|---|
| Financial Perspective | Cost Saving | High | |
| | Profit Margin/Sustainability | Average | |
| | Revenue Sources | High | |
| Customer Perspective | Service and Satisfaction | High | |
| | Market Share | Very High | |
| | Brand Awareness | Very High | |
| Internal Process perspective | Process improvements | High | |
| | Quality optimization | High | |
| | Capacity utilization | High | |
| Learning and Growth perspective | Human Capital | Very High | |
| | Information Capital | Very High | |
| | Organizational Capital | Very High | |
We also have the process RACI Matrix, which gives a visual representation of all the key people who were involved in a process and their role in the process. The Responsible, Accountable, Consulted and Informed (RACI) matrix (Fagan, 2018) is shown in Table 2 below.
Table 2: RACI Chart for MIT IS&T System Lifecycle process
Maintenance Planning RACI Model

| Process | Vice President IS&T | Sr. Director | Director | Enabling Services Director | Business Operations Director | Purchasing Agent |
|---|---|---|---|---|---|---|
| Development of Project Template | | | | | | |
| Development of project plan | | | | | | |
| Development of Library of info for planning | | | | | | |
| Keeping of Prints Updated and secure | | | | | | |
| Stage Kitted Parts | | | | | | |
Internal controls have enablers categorized as issues; Table 3 below details the evaluation of the internal control in MIT. It covers all three dimensions mentioned earlier. The enablers include Software inventory and Installation, Hardware inventories, Server Availability and accessibility, User Activity Monitoring, Capacity Monitoring, Security, anti-manipulation management, Storage management and Anti-Virus and Malware Management.
Table 3: Evaluation Results of Internal Control for Service Management as from Previous Report (Week 4)
Table 4: Evaluation Results of Internal Control of Systems Management from Week 4 Work
Table 5: Evaluation Results of Internal Control of Operations Management as from Week 4 Work.
The general conclusion from this report is that most of the internal controls met their efficiency and effectiveness. A Balanced Scorecard Metrics table was produced from these findings, which is represented in Table 6 below.
Table 6. Balanced Scorecard Metrics from Week 4 Work.
| Balanced Scorecard Metrics | Relevancy |
|---|---|
| Storage management | Very High |
| Evaluation of Internal Controls for Operations Management | |
| Capacity Management | Very High |
| Quality Management | High |
| Demand Management | High |
| Community Need Management | Very High |
| Capacity Monitoring | Average |
| Innovation and Creativity | Very High |
| Platforms and systems Integration | High |
| Services and Process coordination | High |
| Community Partnership | Average |
| Infrastructure Operation | Very High |
| Business Operation | Average |
Results and Conclusion
Through this summary, potential IT-related issues collected throughout the case study of week 1 to week 4 were identified. The Scope of the IT assurance initiative based on the areas selected was covered. These areas are IS&T auditing, IS&T lifecycle processes and issues and internal controls issues. We then defined the various enablers of each of the mentioned processes and highlighted some of the suitable criteria that were used to assess these areas. This provided the summary of the work from week 1 to week 4 briefly.
From the results, a few things can be concluded. Evaluation of internal controls is very essential to management of IS&T in that it ensures that laid down procedures, regulations and laws are observed. This has also revealed that the internal controls of MIT organization are under good performance. Despite this, there is small improvement work that is needed in a few areas of service management, system management and operation management.
With regard to the IS&T lifecycle processes, it can be concluded that it does not vary from other products except for its domain. The domain differs on the size of the organization, the degree of automation and the adoption of information technology. By rolling out the project in all the stages (initial process, planning, execution, performance monitoring and closure), the project implementation becomes efficient and effective.
IS&T audit is essential in this period of rapidly advancing technological improvements. Most of the functions performed by the management and administration have been moved to computerized Decision Management Systems and Management Information Systems. As a result, most of the business information is controlled by IS&T. Vulnerability of these systems to cyber-attacks is one of the major reasons that call for regular audit checks and security optimization. Therefore, IS&T auditing is an essential and intrinsic requirement of the IS&T (Information System and Technologies) system.
References
Antonio Felipe da Silva, and Alessandro Manotti. (2016). Using COBIT 5: Enabling Information to Perform an Information Quality Assessment. ISACA. Retrieved from http://www.isaca.org/COBIT/focus/Pages/using-cobit-5-enabling-information-to-perform-an-information-quality-assessment.aspx
Berman, P. K. (2014). Successful Business Process Management: What You Need to Know to Get Results. New York: AMACOM
Changchit, C., & Holsapple, C. W. (2004). The development of an expert system for managerial evaluation of internal controls. Intelligent Systems in Accounting, Finance & Management, 12(2), 103–120.
Class Notes. (2015). MIT Technology Review, 118(3), 26–58.
Fagan Brad. (2018). Using a RACI Matrix Template for Business Process Improvement. Triaster 02/05/18 13:17. Accessed April 10, 2019, from https://blog.triaster.co.uk/blog/raci-matrix-template-for-business-process-improvement
Fundamental Concepts of IT Security Assurance. (2012). ISACA: Haris Hamidovic
Gardner, Dana. (2012) “Enterprise Architecture and Transformation at the Crossroads”. E-Commerce News. ECT News Network, Inc.
Graham, L. (2008). Internal Controls: Guidance for Private, Government, and Nonprofit Entities. Hoboken, N.J.: Wiley.
Gupta, P. P. (2008). Management’s evaluation of internal controls under Section 404(a) using the COSO 1992 control framework: Evidence from practice. International Journal of Disclosure & Governance, 5(1), 48–68.
Information Systems & Technology. (2014). Ipswich, Massachusetts: Salem Press.
Li, C., Peters, G. F., Richardson, V. J., & Weidenmier Watson, M. (2012). The Consequences of Information Technology Control Weaknesses on Management Information Systems: The Case of Sarbanes-Oxley Internal Control Reports. MIS Quarterly, 36(1), 179–204.
John, S. P. (2015). The integration of information technology in higher education: A study of faculty’s attitude towards IT adoption in the teaching process. Contaduría y Administración, 60(Supplement 1), 230–252.
Lorsch, J. W., Howard, J., & Kim, A. (2019). Shaping Your Board for Cybersecurity. Corporate Board, (234), 7
Massachusetts Institute of Technology Reports to the President. (2013). Information Services and Technology, Accessed April 10, 2019 from http://web.mit.edu/annualreports/pres13/2013.22.04.pdf
Massachusetts Institute of Technology. (2012). MIT Faculty News Letter. MIT. Vol. XXIV No. 5 May/June 2012.
Mohammed, T. A. (2009). A critical investigation of the implementation of an information technology service management project in a UK higher education institution
Pathak, J. (2005). Risk management, internal controls and organizational vulnerabilities. Managerial Auditing Journal, (6), 569
What is information assurance? – Definition from WhatIs.com. (n.d.). Retrieved April 27, 2019, from https://searchcompliance.techtarget.com/definition/information-assurance
Worstell, K. F. (2013). Governance and Internal Controls for Cutting Edge IT. Ely: IT Governance Publishing