Shadow IT Primer
Objective: The objective of the Shadow IT Audit/Assurance Program is to provide management with an evaluation of how effectively shadow IT is being governed, monitored and managed. The review will focus on shadow IT governance and response mechanisms as well as supporting IT processes which can help to manage the risk associated with shadow IT. The audit/assurance review will rely upon other IT operational audits of identity and access management, change management, and backup and recovery management processes for the ongoing management of shadow IT solutions.
Scope: In the minds of some, shadow IT fosters creativity and innovation for the enterprise. For others, it presents a significant risk because the solutions are typically not developed and maintained according to the enterprise policies and procedures. This tool will help assess risks and the effectiveness of the related controls.
The Shadow IT Audit/Assurance Program covers the following areas:
- Provide management with an assessment of their shadow IT policies and procedures and their operating effectiveness
- Identify control weaknesses that could result in increased usage of unsanctioned shadow IT solutions and a greater likelihood that the solutions are not detected
- Evaluate the effectiveness of the organization’s response to, and ongoing management of, shadow IT
As an IT audit and assurance professional, you are expected to customize this document for your unique assurance process environment. Use it as a review tool or starting point to modify for your purposes, rather than as a checklist or questionnaire. Keep in mind that to use this document for maximum effectiveness, you should hold the Certified Information Systems Auditor (CISA) designation or have the necessary subject matter expertise to conduct your assurance process while under the supervision of a professional who holds the CISA designation.