Surveys have shown that Boards and Audit Committees may not have the skills required to understand and challenge IT risk and that the means of communicating IT risks to the Board may not be effective.
However, there are some high-level considerations. The first is the aspirations of the function, for which there are three levels:
- Basic
- Central
- World Class