CISA Lecture Domain 2


Certified Information System Auditor (CISA)

Md. Mushfiqur Rahman, CISA, MCT, CEI


CEH, CHFI, MCP,MCTS,MCITP,MCSA,MCSE,SCSA, CCNA, OCP 9i/10g/11g, ITIL-F

3/30/16

[email protected]

Domain - 2

Governance and Management of IT


Exam Relevance

Ensure that the CISA candidate can:
Provide assurance that the necessary leadership and organization structure
and processes are in place to achieve objectives and to support the
organization's strategy.
The content area in this chapter will represent approximately 14% of the
CISA examination (approximately 28 questions).

INTRODUCTION
Task & Knowledge Statements
Task and knowledge statements represent the basis from which exam items
are written.
Tasks: Tasks are the learning objectives that IS auditors/CISA candidates
are expected to know to perform their job duties. Domain 2 has 11 task
statements.
Knowledge statements: In order to perform all of the tasks, the IS
auditor/CISA candidate should have a firm grasp of all the knowledge
statements. There are 16 knowledge statements in CISA Domain 2.

Tasks/ Objectives
11 Tasks Statements:
2.1 Evaluate the effectiveness of the IT governance structure to
determine whether IT decisions, directions and performance support the
organization's strategies and objectives.
2.2 Evaluate IT organizational structure and human resources
(personnel) management to determine whether they support the
organization's strategies and objectives.
2.3 Evaluate the IT strategy, including the IT direction, and the
processes for the strategy's development, approval, implementation and
maintenance for alignment with the organization's strategies and
objectives.

Tasks/ Objectives

2.4 Evaluate the organization's IT policies, standards, and
procedures, and the processes for their development, approval,
implementation, maintenance, and monitoring, to determine whether
they support the IT strategy and comply with regulatory and legal
requirements.
2.5 Evaluate the adequacy of the quality management system to
determine whether it supports the organization's strategies and
objectives in a cost-effective manner.
2.6 Evaluate IT management and monitoring of controls (e.g.,
continuous monitoring, QA) for compliance with the organization's
policies, standards and procedures.

Tasks/ Objectives

2.7 Evaluate IT resource investment, use and allocation
practices, including prioritization criteria, for alignment with the
organization's strategies and objectives.
2.8 Evaluate IT contracting strategies and policies, and
contract management practices to determine whether they
support the organization's strategies and objectives.
2.9 Evaluate risk management practices to determine
whether the organization's IT-related risks are properly
managed.

Tasks/ Objectives

2.10 Evaluate monitoring and assurance practices to
determine whether the board and executive management receive
sufficient and timely information about IT performance.
2.11 Evaluate the organization's business continuity plan to
determine the organization's ability to continue essential business
operations during the period of an IT disruption.

Knowledge Statements

16 Knowledge Statements
2.1 Knowledge of IT governance, management, security and control
frameworks, and related standards, guidelines, and practices
2.2 Knowledge of the purpose of IT strategy, policies, standards and
procedures for an organization and the essential elements of each
2.3 Knowledge of organizational structure, roles and responsibilities
related to IT
2.4 Knowledge of the processes for the development,
implementation and maintenance of IT strategy, policies, standards and
procedures

Knowledge Statements

2.5 Knowledge of the organization's technology direction and IT
architecture and their implications for setting long-term strategic
directions
2.6 Knowledge of relevant laws, regulations and industry standards
affecting the organization
2.7 Knowledge of quality management systems
2.8 Knowledge of the use of maturity models
2.9 Knowledge of process optimization techniques
2.10 Knowledge of IT resource investment and allocation practices,
including prioritization criteria (e.g., portfolio management, value
management, project management)

Knowledge Statements

2.11 Knowledge of IT supplier selection, contract management,
relationship management and performance monitoring processes
including third party outsourcing relationships
2.12 Knowledge of enterprise risk management
2.13 Knowledge of practices for monitoring and reporting of IT
performance (e.g., balanced scorecards, key performance indicators [KPI])
2.14 Knowledge of IT human resources (personnel) management
practices used to invoke the business continuity plan
2.15 Knowledge of business impact analysis (BIA) related to
business continuity planning
2.16 Knowledge of the standards and procedures for the
development and maintenance of the business continuity plan and
testing methods

Governance

Ethical corporate behavior by directors or others charged with
governance in the creation and presentation of value for all
stakeholders
The distribution of rights and responsibilities among different
participants in the corporation, such as board, managers,
shareholders and other stakeholders
Establishment of rules to manage and report on business risks

Overall concept of governance

Corporate Governance: The Organization for Economic Co-operation and
Development (OECD) states: "Corporate governance involves a set of
relationships between a company's management, its board, its
shareholders and other stakeholders. Corporate governance also provides
the structure through which the objectives of the company are set, and
the means of attaining those objectives and monitoring performance are
determined."

Overall concept of governance

Good Corporate Governance should provide proper incentives for the
board and management to pursue objectives that are in the interests of
the company and its shareholders and should facilitate effective
monitoring. (OECD 2004, OECD Principles of Corporate Governance, p. 11)

Overall concept of governance

Public governance, the OECD states: "Good, effective public governance
helps to strengthen democracy and human rights, promote economic
prosperity and social cohesion, reduce poverty, enhance environmental
protection and the sustainable use of natural resources, and deepen
confidence in government and public administration." (OECD website on
Public Governance and Management)

Governance

Governance is the framework, principles, structure, processes and
practices to set direction and monitor compliance and performance
aligned with the overall purpose and objectives of an enterprise.
In the definition, the enablers of governance are framework,
principles, structure, processes and practices; the activities are set
direction, monitor compliance and performance and align business
processes.

IT Governance

IT Governance is the responsibility of the board of directors and
executive management. It is an integral part of enterprise governance
and consists of the leadership and organizational structures and
processes that ensure that the organization's IT sustains and extends
the organization's strategies and objectives.

IT Governance Model

Best Practices for IT Governance

IT Governance Focus Area

IT Governance Control Cycle

INTRODUCTION

The Role of IT within the Business

Board and CIO/CTO Interaction

IT Governance

Monitoring and Assurance Practices for Board and Executive Management
(continued)

Enterprises are governed by generally accepted good or best
practices, the assurance of which is provided by certain
controls. From these practices flows the organization's
direction, which indicates certain activities using the
organization's resources. The results of these activities are
measured and reported on, providing input to the cyclical
revision and maintenance of controls.
IT is also governed by good or best practices that ensure that
the organization's information and related technology support
its business objectives, its resources are used responsibly, and
its risks are managed appropriately.

Monitoring and Assurance Practices for Board and Executive Management

Effective enterprise governance focuses individual and group expertise
and experience on specific areas where they can be most effective
IT governance is concerned with two issues: that IT delivers value to
the business and that IT risks are managed
IT governance is the responsibility of the board of directors and
executive management

Monitoring and Assurance Practices for Board and Executive Management

Content to Emphasize:
Information technology is now regarded as an integral part of enterprise strategy.
C-suite executives agree that strategic alignment between IT and enterprise
objectives is a critical success factor.
Information technology is so critical to the success of enterprises that it cannot
be relegated to either IT management or IT specialists, but must receive the
attention of both, in coordination with senior management.
IT governance is the responsibility of the board of directors and executive
management.
A key element of IT governance is the alignment of business and IT, leading to
the achievement of business value.
The key IT governance practices are the IT strategy committee, risk management
and the standard IT balanced scorecard.

Best Practices for IT Governance (continued)

IT governance has become significant due to:
Demands for better return from IT investments
Increases in IT expenditures
Regulatory requirements for IT controls
Selection of service providers and outsourcing
Complexity of network security
Adoption of control frameworks
Benchmarking

Best Practices for IT Governance (continued)

Audit role in IT governance
Audit plays a significant role in the successful implementation of IT
governance within an organization
Reporting on IT governance involves auditing at the highest level in
the organization and may cross division, functional or departmental
boundaries

Best Practices for IT Governance (continued)

Content to Emphasize:
The IS auditor should confirm that the terms of
reference state the:
Scope of the work
Reporting line to be used
IS auditor's right of access to information

Best Practices for IT Governance (continued)

Auditor role in IT governance
In accordance with the defined role of the IS auditor, the following aspects
related to IT governance need to be assessed:
The IS function's alignment with the organization's mission, vision,
values, objectives and strategies
The IS function's achievement of performance objectives established by
the business (effectiveness and efficiency)
Legal, environmental, information quality, and fiduciary and security
requirements
The control environment of the organization
The inherent risks within the IS environment

Best Practices for IT Governance

Content to Emphasize:
The organizational status and skill sets of
the IS auditor should be considered for
appropriateness with regard to the nature
of the planned audit.


IT Strategy Committee

The creation of an IT strategy committee is an industry best practice
The committee should broaden its scope to include not only advice on
strategy when assisting the board in its IT governance
responsibilities, but also to focus on IT value, risks and performance

Standard IT Balanced Scorecard

A process management evaluation technique that can be applied to the
IT governance process in assessing IT functions and processes
Method goes beyond the traditional financial evaluation
One of the most effective means to aid the IT strategy committee and
management in achieving IT and business alignment

Balanced Scorecard Approach



Standard IT Balanced Scorecard

Content to Emphasize:
Discuss the three-layered structure used in addressing the four
perspectives for an IT Balanced Scorecard:
Mission
Strategies
Measures

Information Security Governance

Focused activity with specific value drivers:
Integrity of information
Continuity of services
Protection of information assets
Integral part of IT governance
Importance of information security governance:
Information security (Infosec) covers all information processes,
physical and electronic, regardless of whether they involve people and
technology or relationships with trading partners, customers and third
parties.
Infosec is concerned with all aspects of information and its
protection at all points of its life cycle within the organization.

Policies

Content to Emphasize:
IS auditors should:
reach an understanding of policies as part of the audit process
test policies for compliance
consider the extent to which the policies apply to third parties
or outsourcers, the extent to which they comply with the
policies, or if the third parties' or outsourcers' policies are in
conflict with the organization's policies.

Policies (continued)

Information security policies
Communicate a coherent security standard to users, management and
technical staff
Must balance the level of control with the level of productivity
Provide management the direction and support for information security
in accordance with business requirements, relevant laws and
regulations

Policies (continued)

Information security policy document
Definition of information security
Statement of management intent
Framework for setting control objectives
Brief explanation of security policies
Definition of responsibilities
References to documentation

Policies (continued)

Information Policy Groups
High-level information security policy
Data classification policy
Acceptable usage policy
End user computing policy
Access control policies

Policies (continued)

Content to Emphasize:
High-level Information Security Policy: This policy should include
statements on confidentiality, integrity and availability.
Data Classification Policy: This policy should describe the classifications,
levels of control at each classification and responsibilities of all potential users
including ownership.
Acceptable Usage Policy: There must be a comprehensive policy that includes
information for all information resources (HW/SW, networks, Internet, etc.) and
describes the organizational permissions for the usage of IT and information
related resources.
End User Computing Policy: This policy describes the parameters and usage
of desktop tools by users.
Access Control Policies: These policies describe the method for defining and
granting access to users to various IT resources.

Policies (continued)
Review of the information security policy document
Should be reviewed at planned intervals or when significant changes
occur to ensure its continuing suitability, adequacy and effectiveness
Should have an owner who has approved management responsibility for
the development, review and evaluation of the security policy
Review should include assessing opportunities for improvement to the
organization's information security policy

Policies (continued)
Content to Emphasize:
The input to the management review should include:
Feedback from interested parties
Results of independent reviews
Status of preventive and corrective actions
Results of previous management reviews
Process performance and information security policy compliance
Changes that could affect the organization's approach to managing information
security, including changes to the organizational environment; business
circumstances; resource availability; contractual, regulatory and legal
conditions; or technical environment
Use of outsourcers or offshoring of IT or business functions
Trends related to threats and vulnerabilities
Reported information security incidents
Recommendations provided by relevant authorities

Procedures (continued)

Procedures are detailed documents that:
Define and document implementation policies
Must be derived from the parent policy
Must implement the spirit (intent) of the policy statement
Must be written in a clear and concise manner

Procedures (continued)

Content to Emphasize:
An independent review is necessary to
ensure that policies and procedures have
been properly documented, understood and
implemented


Risk Management (continued)

The process of identifying vulnerabilities and threats to the
information resources used by an organization in achieving business
objectives.

Developing a Risk Management Program

To develop a risk management program:
Establish the purpose of the risk management program
Assign responsibility for the risk management plan

Risk Management Process (continued)

To develop a risk management process:
Identify and classify the information resources or assets that need
protection
Assess threats and vulnerabilities and the likelihood of their
occurrence
Once the elements of risk have been established, they are combined to
form an overall view of risk

Risk Management Process (continued)

Content to Emphasize:
Examples of typical assets associated with information and IT include:
Information and data
Hardware
Software
Services
Documents
Personnel

Common classes of threats are:
Errors
Malicious damage/attack
Fraud
Theft
Equipment/software failure

Risk Management Process (continued)

To develop a risk management process:
Evaluate existing controls or design new controls to reduce the
vulnerabilities to an acceptable level of risk
Residual risk

Risk Management Process (continued)

Content to Emphasize:
Final acceptance of residual risks takes into account:
Organizational policy
Risk identification and measurement
Uncertainty incorporated in the risk assessment approach
Cost and effectiveness of implementation

Risk Management Process (continued)


IT risk management needs to operate at multiple levels including:
Operational: Risks that could compromise the effectiveness of IT
systems and supporting infrastructure
Project: Risk management needs to focus on the ability to understand
and manage project complexity
Strategic: The risk focus shifts to considerations such as how well
the IT capability is aligned with the business strategy

Risk Analysis Methods (continued)

Qualitative
Semi-quantitative
Quantitative
Probability and expectancy
Annual loss expectancy method

Risk Analysis Methods (continued)


Management and IS auditors should keep in mind certain considerations:
Risk management should be applied to IT functions throughout the company
Senior management responsibility
Quantitative RM is preferred over qualitative approaches
Quantitative RM always faces the challenge of estimating risks
Quantitative RM provides more objective assumptions
The real complexity or the apparent sophistication of the methods or
packages used should not be a substitute for common sense or
professional diligence
Special care should be given to very high impact events, even if the
probability of occurrence over time is very low.
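The risk process on the preceding slides (assets, threats and their likelihood combined into an overall view of risk, controls evaluated against the residual risk, and cost and effectiveness weighed before accepting it) carried through in numbers with the annual loss expectancy method, as an added example that is not part of the lecture. The asset names, values, rates and thresholds are constructed; the two-entry register also shows why a very high impact, very low probability event must be looked at separately from its ALE.

```python
"""Quantitative risk analysis for the Domain 2 risk process (added example).

ALE = SLE x ARO, with SLE = asset value x exposure factor; a control reduces
ARO and/or exposure factor, leaving a residual ALE; the control's net annual
benefit feeds the acceptance of residual risk. All figures are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # value of the asset at stake (constructed)
    threat: str
    aro: float              # annual rate of occurrence: expected events per year
    exposure_factor: float  # fraction of asset value lost per event (0.0 - 1.0)

    def sle(self) -> float:
        """Single loss expectancy: the loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which the control cuts the ARO
    ef_reduction: float = 0.0   # fraction by which the control cuts the exposure factor

    def residual(self, risk: Risk) -> Risk:
        """Residual risk: same asset and threat with the reduced ARO and/or EF."""
        return replace(risk,
                       aro=risk.aro * (1.0 - self.aro_reduction),
                       exposure_factor=risk.exposure_factor * (1.0 - self.ef_reduction))


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE avoided by the control minus its annual cost; positive means the
    control is cost-effective on ALE alone."""
    return risk.ale() - control.residual(risk).ale() - control.annual_cost


def is_high_impact_low_probability(risk: Risk, impact_threshold: float,
                                   aro_threshold: float) -> bool:
    """Flag events whose ALE looks small only because the ARO is tiny; the
    slides ask for special care with very high impact events even when the
    probability of occurrence over time is very low, and an ALE ranking hides them."""
    return risk.sle() >= impact_threshold and risk.aro <= aro_threshold


def rank_by_ale(register: list[Risk]) -> list[str]:
    """Asset names ordered from highest to lowest annual loss expectancy."""
    return [r.asset for r in sorted(register, key=lambda r: r.ale(), reverse=True)]


# Constructed two-entry risk register with one candidate control each.
DB_RISK = Risk("customer database", 2_000_000.0,
               "disclosure through stolen remote-access credentials",
               aro=0.5, exposure_factor=0.30)
MFA = Control("multi-factor authentication on remote access",
              annual_cost=40_000.0, aro_reduction=0.8)
DC_RISK = Risk("primary data centre", 5_000_000.0, "flood",
               aro=0.01, exposure_factor=0.90)
SECOND_SITE = Control("warm standby site", annual_cost=500_000.0, ef_reduction=0.8)
REGISTER = [DB_RISK, DC_RISK]


def assess(risk: Risk, control: Control) -> dict:
    """One row of the assessment: inherent and residual ALE, the control's net
    benefit, and the high-impact/low-probability flag that a manager must weigh
    even when the control is not cost-effective on ALE alone."""
    benefit = net_benefit(risk, control)
    return {
        "asset": risk.asset,
        "inherent_ale": round(risk.ale(), 2),
        "residual_ale": round(control.residual(risk).ale(), 2),
        "net_benefit": round(benefit, 2),
        "cost_effective": benefit > 0,
        "high_impact_low_probability": is_high_impact_low_probability(
            risk, impact_threshold=1_000_000.0, aro_threshold=0.05),
    }


if __name__ == "__main__":
    print("ranking by ALE:", rank_by_ale(REGISTER))
    for risk, control in ((DB_RISK, MFA), (DC_RISK, SECOND_SITE)):
        print(control.name)
        for key, value in assess(risk, control).items():
            print(f"  {key}: {value}")
```

On this register the MFA control pays for itself on ALE alone, while the standby site does not, yet the flood entry is flagged because a 4.5 million single loss at 1-in-100 years is exactly the case the slide says must not be dismissed on probability.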

IS Management Practices (continued)


IS management practices reflect the implementation of policies and
procedures developed for various IS-related management activities. In
most organizations, the IS department is a service (support)
department.
The traditional role of a service department is to help production (line)
departments conduct their operations more effectively and efficiently.
Today, however, IS has become an integral part of every facet of the
operations of an organization.
Its importance continues to grow year after year, and there is little
likelihood of a reversal of this trend. IS auditors must understand and
appreciate the extent to which a well managed IS department is
crucial to achieving the organization's objectives.

Human Resources Management Practices

Management and IS auditors should keep in mind certain considerations:
Hiring
Employee handbook
Promotion policies
Training
Scheduling and time reporting
Employee performance evaluations
Required vacations
Termination policies

Personnel Management Practices (continued)

Content to Emphasize:
The IS auditor should be aware of personnel management issues, but
this information is not tested in the CISA exam due to its
subjectivity and organization-specific subject matter.

Sourcing Practices (continued)

Sourcing practices relate to the way an organization obtains the IS
function required to support the business
Organizations can perform all IS functions in house or outsource all
functions across the globe
Sourcing strategy should consider each IS function and determine which
approach allows the IS function to meet the organization's goals

Sourcing Practices

Content to Emphasize:
Delivery of IS functions can include:
Insourced: Fully performed by the organization's staff
Outsourced: Fully performed by the vendor's staff
Hybrid: Performed by a mix of the organization's and vendor's staff;
can include joint ventures/supplemental staff
IS functions can be performed across the globe, taking advantage of
time zones and arbitraging labor rates, and can include:
Onsite: Staff work onsite in the IS department
Offsite: Also known as nearshore, staff work at a remote location in
the same geographical area
Offshore: Staff work at a remote location in a different geographic
region

Sourcing Practices (continued)

Outsourcing practices and strategies
Contractual agreements under which an organization hands over control
of part or all of the functions of the IS department to an external
party
Becoming increasingly important in many organizations
The IS auditor must be aware of the various forms outsourcing can take
as well as the associated risks

Sourcing Practices (continued)

Content to Emphasize:
Reasons for outsourcing include:
A desire to focus on core activities
Pressure on profit margins
Increasing competition that demands cost savings
Flexibility with respect to both organization and structure
The services provided by a third party can include:
Data entry
Design and development of new systems in the event that the in-house staff does not
have the requisite skills or is otherwise occupied in higher-priority tasks, or in the event of a
one-time task in which case there is no need to recruit additional in-house skilled staff
Maintenance of existing applications to free in-house staff to develop new applications
Conversion of legacy applications to new platforms. For example, a specialist company may
web-enable the front end of an old application.
Operating the help desk or the call center
Operations processing

Sourcing Practices (continued)

Possible advantages:
Commercial outsourcing companies likely to devote more time and focus
more efficiently on a given project than in-house staff
Outsourcing vendors likely to have more experience with a wider array
of problems, issues and techniques
Possible disadvantages:
Costs exceeding customer expectations
Loss of internal IS experience
Loss of control over IS
Vendor failure

Sourcing Practices (continued)

Risks can be reduced by:
Establishing measurable, partnership-enacted shared goals and rewards
Using multiple suppliers or withholding a piece of business as an
incentive
Performing periodic competitive reviews and benchmarking/bench trending
Implementing short-term contracts
Forming a cross-functional contract management team
Including contractual provisions to consider as many contingencies as
can reasonably be foreseen

Sourcing Practices (continued)

Content to Emphasize:
SLAs:
are a contractual means of helping the IS department to manage
information resources under the control of a vendor.
stipulate and commit a vendor to a required level of service and
support options.
should serve as an instrument of control. Where the outsourcing vendor
is from another country, the organization should be aware of
cross-border legislation.

Sourcing Practices (continued)

Globalization practices and strategies
Requires management to actively oversee the remote or offshore
locations
The IS auditor can assist an organization in moving IS functions
offsite or offshore by ensuring that IS management considers the
following:
Legal, regulatory and tax issues
Continuity of operations
Personnel
Telecommunication issues
Cross-border and cross-cultural issues

Sourcing Practices (continued)

Governance in outsourcing
Mechanism that allows organizations to transfer the delivery of
services to third parties
Accountability remains with the management of the client organization
Transparency and ownership of the decision-making process must reside
within the purview of the client

Sourcing Practices (continued)

Third-party service delivery management
Every organization using the services of third parties should have a
service delivery management system in place to implement and maintain
the appropriate level of information security and service delivery in
line with third-party service delivery agreements
The organization should check the implementation of agreements,
monitor compliance with the agreements and manage changes to ensure
that the services delivered meet all requirements agreed to with the
third party.

Organizational Change Management

What is change management?
Managing IT changes for the organization
Identify and apply technology improvements at the infrastructure and
application level

Financial Management Practices


Financial management is a critical element of all business functions.
In a cost-intensive computer environment, it is imperative that sound
financial management practices are in place.
Budget: IS management, like all other departments, must develop a
budget.
A budget allows for forecasting, monitoring and analyzing financial
information. The budget allows for an adequate allocation of funds,
especially in an IS environment where expenses can be cost intensive.
The IS budget should be linked to short- and long-range IT plans.

Quality Management (continued)

Software development, maintenance and implementation
Acquisition of hardware and software
Day-to-day operations
Service management
Security
Human resource management
General administration

Information Security Management

Information security management provides the lead role to ensure that
the organization's information and the information processing
resources under its control are properly protected.
This would include leading and facilitating the implementation of an
organization-wide IT security program which includes the development
of Business Impact Analysis (BIA), Business Continuity Plans (BCPs)
and Disaster Recovery Plans (DRPs) related to IS department functions
in support of the organization's critical business processes.

Performance Optimization (continued)

Process driven by performance indicators
Optimization refers to the process of improving the productivity of
information systems to the highest level possible without unnecessary,
additional investment in the IT infrastructure

Performance Optimization (continued)


Content to Emphasize:
The broad phases of performance measurement are:
Establishing and updating performance measures
Establishing accountability for performance measures
Gathering and analyzing performance data
Reporting and using performance information
Caveats of performance measurement include:
Model: A model is built or established first to evaluate the performance and alignment with
the business objectives.
Measurement error: Conventional measures do not properly account for the true inputs
and outputs.
Lags: Time lags between expense and benefit are not properly accounted for in current
measures.
Redistribution: IT is used to redistribute the source of costs in firms; there is no difference
in total output, only in the means of getting it.
Mismanagement: The lack of explicit measures of the value of information makes resources
vulnerable to misallocation and overconsumption by managers. As a result, proper performance
measurement techniques will play an increasing role for program managers and investment
review boards.

Performance Optimization (continued)

Five ways to use performance measures:

Measure products/services
Manage products/services
Assure accountability
Make budget decisions
Optimize performance

Performance Optimization (continued)


Content to Emphasize:

COBIT management guidelines are primarily designed to meet the needs of IT management for performance measurement. Goals and metrics and maturity models are provided for each of the 34 IT processes. These are generic and action oriented for the purpose of addressing the following types of management concerns:
Performance measurement: What are the indicators of good performance?
IT control profiling: What is important? What are the critical success factors for control?
Awareness: What are the risks of not achieving our objectives?
Benchmarking: What do others do? How are they measured and compared?
From a control perspective, the management guidelines address the key issue of determining the right level of control for IT such that it supports the objectives of the enterprise.

Organizational Structure


IS Role and Responsibility (continued)

Systems development manager
Help desk
End user
End user support manager


IS Role and Responsibility (continued)

Data management
Quality assurance manager
Vendor and outsourcer management
Operations manager


IS Role and Responsibility (continued)

Content to Emphasize:
Quality assurance manager: Responsible for negotiating and facilitating quality activities in all areas of information technology.

Vendor and outsourcer management: With the increase in outsourcing, including the use of multiple vendors, dedicated staff may be required to manage the vendors and outsourcers, including performing the following functions:
Act as the prime contact for the vendor and outsourcer within the IS function.
Provide direction to the outsourcer on issues and escalate internally within the organization and IS function.
Monitor and report on the service levels to management.
Review changes to the contract due to new requirements and obtain IS approvals.

IS Role and Responsibility (continued)

Control group
Media management
Data entry
Systems administration
Security administration
Quality assurance
Database administration
Systems analyst
Security architect
Applications development and maintenance
Infrastructure development and maintenance
Network management

Segregation of Duties Within IS (cont'd)

Avoids possibility of errors or misappropriations
Discourages fraudulent acts
Limits access to data

Segregation of Duties within IS


Segregation of Duties Control (cont'd)

Control measures to enforce segregation of duties include:
Transaction authorization
Custody of assets
Access to data
Authorization forms
User authorization tables


Segregation of Duties Control (cont'd)

Compensating controls for lack of segregation of duties include:

Audit trails
Reconciliation
Exception reporting
Transaction logs
Supervisory reviews
Independent reviews
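As an added example (not part of the lecture slides), the following Python script ties together the control measures and compensating controls listed on the last two slides: a user authorization table defines which duty each user may perform, a transaction log serves as the audit trail, and an exception report flags entries for supervisory review. All user names, duties, conflict pairs and log rows are constructed for illustration.

```python
# Added example (not from the lecture slides): a minimal segregation-of-duties
# check built from the controls the slides list: a user authorization table,
# a transaction log (audit trail) and an exception report for supervisory
# review. All names, duties, conflict pairs and log rows are constructed.
from collections import defaultdict

# Duties that must not be performed by the same person on one transaction
# (hypothetical conflict pairs chosen for the example).
CONFLICTS = {frozenset({"initiate", "authorize"}), frozenset({"authorize", "custody"})}

# User authorization table: user -> duties that user is permitted to perform.
AUTH_TABLE = {
    "alice": {"initiate"},
    "bob": {"authorize"},
    "carol": {"custody"},
    "dave": {"initiate", "authorize"},  # standing grants already conflict
}

# Constructed transaction log rows: (transaction id, user, duty performed).
TXN_LOG = [
    ("T100", "alice", "initiate"),
    ("T100", "bob", "authorize"),
    ("T100", "carol", "custody"),
    ("T101", "dave", "initiate"),
    ("T101", "dave", "authorize"),   # same person initiates and authorizes
    ("T102", "carol", "authorize"),  # duty not granted in the table
]

def exception_report(log, auth_table, conflicts):
    """Return sorted (txn_id, user, reason) exceptions found in the log."""
    exceptions = []
    duties_by_txn_user = defaultdict(set)
    for txn_id, user, duty in log:
        # Transaction-authorization / access check against the table.
        if duty not in auth_table.get(user, set()):
            exceptions.append((txn_id, user, f"unauthorized duty: {duty}"))
        duties_by_txn_user[(txn_id, user)].add(duty)
    # Segregation check: one person holding both halves of a conflicting pair.
    for (txn_id, user), duties in duties_by_txn_user.items():
        for pair in conflicts:
            if pair <= duties:
                reason = "conflicting duties: " + ", ".join(sorted(pair))
                exceptions.append((txn_id, user, reason))
    return sorted(exceptions)

def overprivileged_users(auth_table, conflicts):
    """Users whose standing authorizations already contain a conflicting pair."""
    return sorted(u for u, d in auth_table.items() if any(p <= d for p in conflicts))
```

The two functions illustrate the two review angles an auditor takes: the exception report works from the transaction log (detective), while the over-privileged user check works from the authorization table itself (preventive).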


Auditing IT Governance Structure and Implementation (cont'd)

Indicators of potential problems include:

Unfavorable end-user attitudes
Excessive costs
Budget overruns
Late projects
High staff turnover
Inexperienced staff
Frequent hardware/software errors


Reviewing Documentation (cont'd)

The following documents should be reviewed:

IT strategies, plans and budgets
Security policy documentation
Organization/functional charts
Job descriptions
Steering committee reports
System development and program change procedures
Operations procedures
Human resource manuals
Quality assurance procedures

Reviewing Contractual Commitment (cont'd)

There are various phases to computer hardware, software and IS service contracts, including:
Development of contract requirements and service levels
Contract bidding process
Contract selection process
Contract acceptance
Contract maintenance
Contract compliance

Reviewing Contractual Commitment (cont'd)

Content to Emphasize:
In reviewing a sample of contracts, the IS auditor should
evaluate the adequacy of the following terms and conditions:

Service levels
Right to audit or third party audit reporting
Software escrow
Penalties for noncompliance
Adherence to security policies and procedures
Protection of customer information
Contract change process
Contract termination and any associated penalties


Governance on a Page


Practice Questions (cont'd)

Q 1: In order for management to effectively monitor the compliance of processes and applications, which of the following would be the MOST ideal?
A. A central document repository
B. A knowledge management system
C. A dashboard
D. Benchmarking


Practice Questions (cont'd)

Answer is C. A dashboard provides a set of information to illustrate compliance of the processes, applications and configurable elements and keeps the enterprise on course. A central document repository provides a great deal of data, but not necessarily the specific information that would be useful for monitoring and compliance. A knowledge management system provides valuable information, but is generally not used by management for compliance purposes. Benchmarking provides information to help management adapt the organization, in a timely manner, according to trends and environment.
