4. Approach and Methodology
The approach and methodology used for the audit were consistent with Treasury Board Secretariat’s Internal Auditing Standards for the Government of Canada and Policy on Internal Audit.
PCH strives to maintain a control framework for its IT infrastructure that reflects central agency requirements and industry-leading practices. Consequently, the following control frameworks were leveraged for the audit:
- Control Objectives for Information and related Technology (CobiT 4.1) framework established by the Information Systems Audit and Control Association (ISACA);
- Framework of Core Management Controls and Audit Criteria (CMC) established by the Office of the Comptroller General of Canada (OCG);
- Management Accountability Framework (MAF) that sets out the Treasury Board's expectations of senior public service managers for good public service management; and,
- Other criteria, such as audit criteria used by the Office of the Auditor General in its review of Aging Information Technology Systems.
A risk-based audit program was developed using these control frameworks, and audit criteria were established covering areas related to governance, risk management and internal controls. Audit procedures included:
- Review of IT infrastructure related policies, procedures, standards, assessments and reviews;
- Review of strategic plans, IT investment plans, oversight committees’ terms of reference and meeting minutes;
- Reviews of Business Impact Analysis, Disaster Recovery Plans, and IT infrastructure-related Human Resources plans;
- Interviews with targeted individuals related to specific IT infrastructure-related processes; and,
- Review, on a sample basis, of IT infrastructure monitoring activities.
The application of these procedures was intended to allow the formulation of a conclusion as to whether the audit criteria established for the audit were being met. Evidence was gathered in compliance with Treasury Board policy, directives, and standards on internal audit, and the procedures used met the professional standards of the Information Systems Audit and Control Association (ISACA). Standards for evidence were followed to ensure that the information gathered was sufficient, reliable, relevant, and useful for drawing conclusions and meeting the objectives of the audit.