Course Agenda

Learning Objectives
Discuss Task and Knowledge Statements
Discuss specific topics within the chapter
Case studies (individual practice, follow CRM)
Sample questions (individual practice, follow CRM)
Exam Relevance
Ensure that the CISA candidate can provide assurance that the necessary leadership and organization structure and processes are in place to achieve objectives and to support the organization's strategy.
The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions). (Review Manual Reference Pages: 73)

Governance and Management of IT
Task & Knowledge Statements
Task and knowledge statements represent the basis from which exam items are written.
Tasks: Tasks are the learning objectives that IS auditors/CISA candidates are expected to know to perform their job duties. Chapter 2 has 11 task statements.
Knowledge statements: In order to perform all of the tasks, the IS auditor/CISA candidate should have a firm grasp of all the knowledge statements. There are 16 knowledge statements contained within the CISA Review Manual Chapter 2.
Tasks / Objectives
2.0 Learning Objectives (continued)
11 Tasks:
2.1 Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
2.2 Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
2.3 Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.
Please refer to Exhibit xx, Tasks and Knowledge Statements Mapping
(Review Manual Reference Pages: 74)
2.0 Learning Objectives (continued)
2.4 Evaluate the organization's IT policies, standards, and procedures, and the processes for their development, approval, implementation, maintenance, and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.
2.5 Evaluate the adequacy of the quality management system to determine whether it supports the organization's strategies and objectives in a cost-effective manner.
2.6 Evaluate IT management and monitoring of controls (e.g., continuous monitoring, QA) for compliance with the organization's policies, standards and procedures.
Please refer to Exhibit xx, Tasks and Knowledge Statements Mapping
2.0 Learning Objectives (continued)
2.7 Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization's strategies and objectives.
2.8 Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization's strategies and objectives.
2.9 Evaluate risk management practices to determine whether the organization's IT-related risks are properly managed.
Please refer to Exhibit xx, Tasks and Knowledge Statements Mapping
2.0 Learning Objectives (continued)
2.10 Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.
2.11 Evaluate the organization's business continuity plan to determine the organization's ability to continue essential business operations during the period of an IT disruption.
Please refer to Exhibit xx, Tasks and Knowledge Statements Mapping
Knowledge Statements
Knowledge Statements (continued)
16 Knowledge Statements:
2.1 Knowledge of IT governance, management, security and control frameworks, and related standards, guidelines, and practices
2.2 Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
2.3 Knowledge of organizational structure, roles and responsibilities related to IT
2.4 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
Please refer to Exhibit xx, Tasks and Knowledge Statements Mapping
(Review Manual Reference Pages: 74)
Knowledge Statements (continued)
2.5 Knowledge of the organization's technology direction and IT architecture and their implications for setting long-term strategic directions
2.6 Knowledge of relevant laws, regulations and industry standards affecting the organization
2.7 Knowledge of quality management systems
2.8 Knowledge of the use of maturity models
2.9 Knowledge of process optimization techniques
2.10 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, project management)
Please refer to Exhibit xx, Tasks and Knowledge Statements Mapping
Knowledge Statements (continued)
2.11 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
2.12 Knowledge of enterprise risk management
2.13 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI])
2.14 Knowledge of IT human resources (personnel) management practices used to invoke the business continuity plan
2.15 Knowledge of business impact analysis (BIA) related to business continuity planning
2.16 Knowledge of the standards and procedures for the development and maintenance of the business continuity plan and testing methods
Please refer to Exhibit xx, Tasks and Knowledge Statements Mapping
2.2 Governance
Ethical corporate behavior by directors or others charged with governance in the creation and presentation of value for all stakeholders
The distribution of rights and responsibilities among different participants in the corporation, such as board, managers, shareholders and other stakeholders
Establishment of rules to manage and report on business risks
Governance View
[Diagram: Enterprise Governance at the top, branching into Corporate Governance (corporate legal and regulatory compliance), Entity Governance (examples: line of business, function, structural entity) and Asset Governance (examples: HR/people, intellectual property, data, alliance, IT).]
Overall concept of governance
Corporate Governance: The Organization for Economic Cooperation and Development (OECD) states: "Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined."
CRM Page: 87
Overall concept of governance
"Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring." (OECD 2004, OECD Principles of Corporate Governance, p. 11)
Overall concept of governance
Public governance, the OECD states: "Good, effective public governance helps to strengthen democracy and human rights, promote economic prosperity and social cohesion, reduce poverty, enhance environmental protection and the sustainable use of natural resources, and deepen confidence in government and public administration." (OECD website on Public Governance and Management)
2.2 Governance
Governance is the framework, principles, structure, processes and practices to set direction and monitor compliance and performance aligned with the overall purpose and objectives of an enterprise.
In the definition, the enablers of governance are framework, principles, structure, processes and practices; the activities are to set direction, monitor compliance and performance, and align business processes.
Corporate and Key Asset Governance
[Diagram: shareholders, other stakeholders and the board sit above the senior executive team, linked by monitoring and disclosure; the senior executive team sets strategy and desirable behavior over the key assets: human, financial, physical, IP, information and IT, and relationship assets. Financial governance mechanisms and IT governance mechanisms are shown governing the financial assets and the information and IT assets respectively.]
2.3 IT Governance
ITGI, Board Briefing on IT Governance
www.itgi.org
www.isaca.org
Review Manual Reference Pages: 87
IT Governance View
[Diagram: Enterprise Governance branches into Corporate Governance (corporate legal and regulatory compliance), Entity Governance (examples: line of business, function, structural entity) and Asset Governance (examples: HR/people, intellectual property, data, alliance, IT). Under the IT asset sit the IT Function and IT Services (applications, infrastructure, facilities, resources, etc.), governed through Functional Governance of IT and Business Governance of IT.]
IT Governance Model
Governance Focus Areas
[Diagram: the IT Governance Committee at the centre of five focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement.]
Provides direction
Monitors compliance and performance
Ensures alignment with corporate goals and objectives
2.4.1 Best Practices for IT Governance (continued)
IT Governance Focus Areas
Strategic alignment
Value delivery
Risk management
Resource management
Performance measurement
Review Manual Reference Pages: 88
IT Governance Focus Areas
Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and on establishing collaborative solutions to:
Add value and competitive positioning to the enterprise's products and services
Contain costs while improving administrative efficiency and managerial effectiveness
Link with business
IT value proposition
Align with enterprise
Add value to products and services
Contain costs: efficiency and effectiveness
Source: ITGI
IT Governance Focus Areas
Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.).
Value proposition
Deliver benefits against strategy
Optimize expenses
Controlling IT projects
Increasing IT success
Source: ITGI
IT Governance Focus Areas
Risk management requires risk awareness of senior corporate officers, a clear understanding of the enterprise's appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations.
Risk-aware C-suite
Enterprise risk appetite / transparency
Operational risk management responsibility
Risks addressed through IT initiatives
Availability, continuity, security
IT Governance Focus Areas
Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focuses on optimising knowledge and the IT infrastructure and on where and how to outsource.
Optimize IT investment
Allocation and use of IT resources
Cost effectiveness of use
Alternate strategies: outsourcing
Infrastructure knowledge
IT Governance Focus Areas
Performance measurement tracks project delivery and monitors IT services, using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.
Tracking and monitoring
IT project delivery
IT services
Translate IT strategy into actions and goals
Measure beyond accounting
Balanced scorecards
Knowledge-based assets
Process efficiency
Learn and grow: continuous improvement
IT Governance Control Cycle
Source: ITGI
IT Governance Control Cycle
Assess Environment
Based on COBIT, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy
Establish a risk management strategy
Formally document existing processes
IT Governance Control Cycle
Maintain IT Controls Framework
Develop a controls framework that supports sound business decisions
Document integration points in the current environment
Create an organizational mechanism to support the governance of IT
Mitigate identified risks through the IT controls framework
IT Governance Control Cycle
Develop & Refine Governing Documents
Utilize a central repository for governing documents
Develop a consistent approach for creating governing documents
Consistently apply processes and procedures
Gain executive commitment for the IT governance framework, structure and guiding principles
IT Governance Control Cycle
Communicate and Train
Provide tone at the top (executive sponsor)
Develop a strategic communication plan for mission objectives and overall management direction
Execute the strategic communication plan
Implement a standard training program to avoid unnecessary and redundant training
IT Governance Control Cycle
Implement and Operate
Align staff responsibilities with IT control objectives
Achieve sustainability of IT controls in the operational environment
Support continuous improvement of operational effectiveness and accountability
IT Governance Control Cycle
Measure and Validate
Revise the current metrics program to include newly defined controls
Verify the sustainability of defined controls
Develop cost-effective automated measurements
Measure all processes, including applications, databases, platforms and networks
IT Governance Control Cycle
Monitor and Report
Report on continued effectiveness of controls
Increase transparency to auditors of issues and actions taken
Accurately attest to IT's compliance with policy, laws, and regulations
Improve existing processes using metrics trending
IT Governance Control Cycle
Enforce
Reinforce required policy compliance and standards conformance
Define a consistent approach for enforcement across all processes
Board members considered IT important in the areas of:
Compliance
Customer retention
Managing risk
Competitive positioning
The Role of IT within Business
Where an organization falls within the framework suggests the level of
The big conundrum
Nearly one third of respondents where IT was deemed as either a Type 3 or Type 4 had no formal board involvement with technology
Only 11% say they are completely and actively involved in IT strategy
Board and CIO/CTO Interactions
Only 16% of CIOs/CTOs interact with the board at each board meeting
There is a lack of involvement in IT by those responsible for enterprise governance
Governance
Premier IT leaders polled by Computer World put these projects at the top of their to-do lists for 2008
[Diagram: governance cycle of Strategic Alignment, Direction, Monitor Compliance and Performance, Align.]
IT Governance Models
ISO: International Organization for Standardization
IT Governance Institute
IEC: International Electrotechnical Commission
IT Governance
What is IT Governance?
Guidance, direction, monitoring, enforcement
IT Governance ensures that:
Supply meets demand for IT services
IT operates effectively and efficiently
IT priorities are business priorities
IT applications are regulatory compliant
IT metrics are true indicators of IT value contribution
Information is based on data quality and integrity and is protected
IT will be there when you need it, even in a disaster
2.4 Monitoring and Assurance Practices for Board and Executive Management (continued)
Enterprises are governed by generally accepted good or best practices, the assurance of which is provided by certain controls. From these practices flows the organization's direction, which indicates certain activities using the organization's resources. The results of these activities are measured and reported on, providing input to the cyclical revision and maintenance of controls.
IT is also governed by good or best practices that ensure that the organization's information and related technology support its business objectives, its resources are used responsibly, and its risks are managed appropriately.
Review Manual Reference Pages: 88
2.4 Monitoring and Assurance Practices for Board and Executive Management
Effective enterprise governance focuses individual and group expertise and experience on specific areas where they can be most effective
IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are managed
IT governance is the responsibility of the board of directors and executive management
2.4 Monitoring and Assurance Practices for Board and Executive Management
Content to Emphasize:
Information technology is now regarded as an integral part of enterprise strategy.
C-suite executives agree that strategic alignment between IT and enterprise objectives is a critical success factor.
Information technology is so critical to the success of enterprises that it cannot be relegated to either IT management or IT specialists, but must receive the attention of both, in coordination with senior management.
IT governance is the responsibility of the board of directors and executive management.
A key element of IT governance is the alignment of business and IT, leading to the achievement of business value.
The key IT governance practices are the IT strategy committee, risk management and the standard IT balanced scorecard.
2.4.1 Best Practices for IT Governance (continued)
IT governance has become significant due to:
Demands for better return from IT investments
Increases in IT expenditures
Regulatory requirements for IT controls
Selection of service providers and outsourcing
Complexity of network security
Adoption of control frameworks
Benchmarking
IT Governance Framework
Governance models: COSO, COCO, Cadbury, King, Carver
IT governance models: ISO 38500, COBIT, IT CG
IT control frameworks: ITIL, ISO 27000 (security), BS 25999 (continuity), ISO 31000 (risk)

2.4.1 Best Practices for IT Governance (continued)
Audit role in IT governance
Audit plays a significant role in the successful implementation of IT governance within an organization
Reporting on IT governance involves auditing at the highest level in the organization and may cross division, functional or departmental boundaries
2.4.1 Best Practices for IT Governance (continued)
Content to Emphasize:
The IS auditor should confirm that the terms of reference state the:
Scope of the work
Reporting line to be used
IS auditor's right of access to information
2.4.1 Best Practices for IT Governance (continued)
Auditor role in IT governance
In accordance with the defined role of the IS auditor, the following aspects related to IT governance need to be assessed:
The IS function's alignment with the organization's mission, vision, values, objectives and strategies
The IS function's achievement of performance objectives established by the business (effectiveness and efficiency)
Legal, environmental, information quality, and fiduciary and security requirements
The control environment of the organization
The inherent risks within the IS environment
2.4.1 Best Practices for IT Governance (continued)
Content to Emphasize:
The organizational status and skill sets of the IS auditor should be considered for appropriateness with regard to the nature of the planned audit.
2.4.2 IT Strategy Committee
The creation of an IT strategy committee is an industry best practice
The committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also a focus on IT value, risks and performance
Review Manual Reference Pages: 90
2.4.3 Standard IT Balanced Scorecard
A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes
The method goes beyond the traditional financial evaluation
One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment
Review Manual Reference Pages: 91
Balanced Scorecard Approach
[Diagram: the generic balanced scorecard perspectives (Financial, Customer, Internal Process, Learn and Innovate) mapped to the IT scorecard perspectives (Corporate Contribution, User Orientation, Operational Excellence, Future Orientation), with goals, information criteria profile, IT resources and enablers measured through KGIs, KPIs and CSFs.]
Balanced Scorecard Approach - Goals
User Orientation: How do users view IT security?
Mission: To offer a preferred and sought-after security product
Strategies:
Preferred supplier of security products
Preferred operator of security systems and infrastructure
Proposer of best and most practical solutions
Partnership with users to address security issues
Achieving recognized user satisfaction

Business Contribution: How does management view IT security?
Mission: To obtain a positive business contribution from IT security
Strategies:
Control information security costs
Balance information security costs with risks and exposures
Proactively position security within the organization
Foster a security-conscious culture

Operational Excellence: How effective and efficient is the IT security organization?
Mission: To deliver effective, efficient and responsive IT security services
Strategies:
Efficient and effective operation of the security function
Rapid responses to security risks and vulnerabilities
Rapid identification and response to security breaches
Proactive identification and implementation of new security technology and techniques

Future Orientation: How well is the IT security organization positioned to meet future risks, threats and exposures?
Mission: To identify and develop strategies to address emerging and future risks, threats and exposures
Strategies:
Training, education and awareness of all staff
Experienced security staff
Monitoring and research of risks, threats, etc.
Debrief / lessons learned implemented to prevent recurrences of security breaches or exposures

Balanced Scorecard Approach - Performance
[Diagram: the four perspectives (User Orientation, Business Contribution, Operational Excellence, Future Orientation) mapped onto resources (networks, user administration, security organization) and the security operations event flow: event monitoring, event identification, event investigation, initial event reporting, event follow-up, event report, final security report, executive reporting, lessons learned, planned revisions.]
2.4.3 Standard IT Balanced Scorecard
Content to Emphasize:
Discuss the three-layered structure used in addressing the four perspectives for an IT balanced scorecard:
Mission
Strategies
Measures
2.4.4 Information Security Governance (continued)
Focused activity with specific value drivers
o Integrity of information
o Continuity of services
o Protection of information assets
Integral part of IT governance
Importance of information security governance
o Information security (Infosec) covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties.
o Infosec is concerned with all aspects of information and its protection at all points of its life cycle within the organization.
[Figure: IT security performance benchmark. A radar chart scores six domains from 0 (very poor) to 5 (excellent): 1 Policy and procedures, 2 Security management process, 3 Human behaviour and culture, 4 Application security, 5 System access control, 6 Network segregation (tools and technology). Series: average of best security performers in the financial industry (beginning 2001), company status (February 2003), company objective for 2009. A companion bar chart tracks the maturity model benchmark by year, 2003 to 2008.]
Legend for ranking used:
5 Excellent: best possible, highly integrated
4 Very good: advanced level of practice
3 Good: moderately good level of practice
2 Fair: some effort made to address issues
1 Poor: recognize the issues
0 Very poor: complete lack of good practice
2.8.1 Policies (continued)
Content to Emphasize:
IS auditors should:
reach an understanding of policies as part of the audit process
test policies for compliance
consider the extent to which the policies apply to third parties or outsourcers, the extent to which they comply with the policies, and whether the third parties' or outsourcers' policies are in conflict with the organization's policies.
2.8.1 Policies (continued)
Information security policies
Communicate a coherent security standard to users, management and technical staff
Must balance the level of control with the level of productivity
Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations
Review Manual Reference Pages: 99
2.8.1 Policies (continued)
Information security policy document
Definition of information security
Statement of management intent
Framework for setting control objectives
Brief explanation of security policies
Definition of responsibilities
References to documentation
2.8.1 Policies (continued)
Information Policy Groups
High-level information security policy
Data classification policy
Acceptable usage policy
End-user computing policy
Access control policies
2.8.1 Policies (continued)
Content to Emphasize:
High-level Information Security Policy: This policy should include statements on confidentiality, integrity and availability.
Data Classification Policy: This policy should describe the classifications, levels of control at each classification and responsibilities of all potential users, including ownership.
Acceptable Usage Policy: There must be a comprehensive policy that covers all information resources (hardware/software, networks, Internet, etc.) and describes the organizational permissions for the usage of IT and information-related resources.
End-User Computing Policy: This policy describes the parameters and usage of desktop tools by users.
Access Control Policies: These policies describe the method for defining and granting access to users to various IT resources.
2.8.1 Policies (continued)
Review of the information security policy document
Should be reviewed at planned intervals or when significant changes occur, to ensure its continuing suitability, adequacy and effectiveness
Should have an owner who has approved management responsibility for the development, review and evaluation of the security policy
The review should include assessing opportunities for improvement to the organization's information security policy
2.8.1 Policies (continued)
Content to Emphasize:
The input to the management review should include:
Feedback from interested parties
Results of independent reviews
Status of preventive and corrective actions
Results of previous management reviews
Process performance and information security policy compliance
Changes that could affect the organization's approach to managing information security, including changes to the organizational environment; business circumstances; resource availability; contractual, regulatory and legal conditions; or technical environment
Use of outsourcing or offshoring of IT or business functions
Trends related to threats and vulnerabilities
Reported information security incidents
Recommendations provided by relevant authorities
2.8.2 Procedures (continued)
Procedures are detailed documents that:
Define and document the implementation of policies
Must be derived from the parent policy
Must implement the spirit (intent) of the policy statement
Must be written in a clear and concise manner
2.8.2 Procedures (continued)
Content to Emphasize:
An independent review is necessary to ensure that policies and procedures have been properly documented, understood and implemented
2.9 Risk Management (continued)
The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives
Review Manual Reference Pages: 101
2.9.1 Developing a Risk Management Program (continued)
To develop a risk management program:
Establish the purpose of the risk management program
Assign responsibility for the risk management plan
2.9.2 Risk Management Process (continued)
To develop a risk management process:
Identify and classify the information resources or assets that need protection
Assess threats and vulnerabilities and the likelihood of their occurrence
Once the elements of risk have been established, they are combined to form an overall view of risk
2.9.2 Risk Management Process (continued)
Content to Emphasize:
Examples of typical assets associated with information and IT include:
Information and data
Hardware
Software
Services
Documents
Personnel
Common classes of threats are:
Errors
Malicious damage/attack
Fraud
Theft
Equipment/software failure
2.9.2 Risk Management Process (continued)
To develop a risk management process:
Evaluate existing controls or design new controls to reduce the vulnerabilities to an acceptable level of risk
Residual risk
2.9.2 Risk Management Process (continued)
Content to Emphasize:
Final acceptance of residual risks takes into account:
Organizational policy
Risk identification and measurement
Uncertainty incorporated in the risk assessment approach
Cost and effectiveness of implementation
2.9.2 Risk Management Process (continued)
IT risk management needs to operate at multiple levels, including:
Operational: risks that could compromise the effectiveness of IT systems and supporting infrastructure
Project: risk management needs to focus on the ability to understand and manage project complexity
Strategic: the risk focus shifts to considerations such as how well the IT capability is aligned with the business strategy
2.9.3 Risk Analysis Methods (continued)
Qualitative
Semi-quantitative
Quantitative
o Probability and expectancy
o Annual loss expectancy (ALE) method
2.9.3 Risk Analysis Methods (continued)
Management and IS auditors should keep in mind certain considerations:
Risk management should be applied to IT functions throughout the company
Risk management is a senior management responsibility
Quantitative risk management is preferred over qualitative approaches
Quantitative risk management always faces the challenge of estimating risks
Quantitative risk management provides more objective assumptions
The real complexity or the apparent sophistication of the methods or packages used should not be a substitute for common sense or professional diligence
Special care should be given to very high impact events, even if the probability of occurrence over time is very low.
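The quantitative (annual loss expectancy) and semi-quantitative methods of 2.9.3, applied to the asset and threat classes of 2.9.2 and carried through to residual risk and the cost-effectiveness test for control acceptance, as an added example in Python. It is not code from the CISA Review Manual or ISACA. Every asset value, exposure factor, occurrence rate, control effect and the 1,000,000 high-impact threshold is a constructed, illustrative figure, and the 1..5 risk matrix cut-offs are an assumed convention, not a standard.

```python
"""Worked risk-analysis example (added illustration; not from the CISA Review Manual).

Quantitative method:  SLE = asset value * exposure factor;  ALE = SLE * ARO.
Semi-quantitative:    ordinal likelihood and impact scores combined on a matrix.
Residual risk:        the same risk after a control reduces exposure and/or frequency.
Control acceptance:   ALE reduction minus annual control cost must be positive,
                      except that a catastrophic single loss is never dismissed on ALE alone.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str              # asset class from 2.9.2: data, hardware, software, service, ...
    threat: str             # threat class from 2.9.2: error, attack, fraud, theft, failure
    asset_value: float      # value of the asset in currency units (constructed)
    exposure_factor: float  # fraction of asset_value lost per occurrence, 0..1
    aro: float              # annualised rate of occurrence, events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ef_reduction: float = 0.0   # fraction by which the control cuts the exposure factor
    aro_reduction: float = 0.0  # fraction by which the control cuts the occurrence rate


def sle(r: Risk) -> float:
    """Single loss expectancy: loss from one occurrence."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annual loss expectancy: expected loss per year (the quantitative method)."""
    return sle(r) * r.aro


def apply_control(r: Risk, c: Control) -> Risk:
    """Residual risk: the same risk with exposure and/or frequency reduced by the control."""
    return replace(r,
                   exposure_factor=r.exposure_factor * (1 - c.ef_reduction),
                   aro=r.aro * (1 - c.aro_reduction))


def net_benefit(r: Risk, c: Control) -> float:
    """ALE reduction minus annual control cost; positive means the control pays for itself."""
    return ale(r) - ale(apply_control(r, c)) - c.annual_cost


def semi_quantitative_rating(likelihood: int, impact: int) -> str:
    """Semi-quantitative method: 1..5 ordinal scores combined on an assumed 5x5 matrix."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on a 1..5 scale")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


# Constructed threshold: a single loss at or above this amount threatens the enterprise.
HIGH_IMPACT_THRESHOLD = 1_000_000.0


def recommend(r: Risk, c: Control) -> dict:
    """Decide on a control from ALE cost-benefit, but route a low-probability,
    high-impact risk to management instead of accepting it on arithmetic alone."""
    residual = apply_control(r, c)
    benefit = net_benefit(r, c)
    catastrophic = sle(r) >= HIGH_IMPACT_THRESHOLD
    if benefit > 0:
        decision = "implement"
    elif catastrophic:
        decision = "escalate"          # ALE says no; management must accept explicitly
    else:
        decision = "accept residual risk"
    return {"asset": r.asset, "threat": r.threat, "control": c.name,
            "ale": ale(r), "residual_ale": ale(residual), "net_benefit": benefit,
            "high_impact": catastrophic, "decision": decision}


# Constructed risk register: one candidate control per risk (illustrative values only).
RISKS = [
    Risk("customer database", "theft", 2_000_000, 0.40, 0.10),
    Risk("web server", "equipment failure", 50_000, 0.50, 2.0),
    Risk("data centre", "fire", 5_000_000, 0.90, 0.01),
]
CONTROLS = [
    Control("encryption at rest", annual_cost=30_000, ef_reduction=0.75),
    Control("redundant web server", annual_cost=20_000, aro_reduction=0.90),
    Control("fire suppression", annual_cost=60_000, ef_reduction=0.80),
]


def analyse(risks=RISKS, controls=CONTROLS) -> list:
    """Evaluate each (risk, candidate control) pair and return the decisions."""
    return [recommend(r, c) for r, c in zip(risks, controls)]


if __name__ == "__main__":
    for row in analyse():
        print(f"{row['asset']:<18} {row['threat']:<18} ALE {row['ale']:>10,.0f} "
              f"-> {row['residual_ale']:>8,.0f}  net {row['net_benefit']:>+9,.0f}  {row['decision']}")
```

Run it to print the register. The third row shows the point of the last consideration above: fire suppression fails the ALE cost-benefit test (a 36,000 ALE reduction against a 60,000 annual cost), yet because one occurrence would cost 4,500,000 the script escalates it for explicit management acceptance rather than accepting the residual risk on arithmetic alone, which is also why the final acceptance criteria in 2.9.2 list organizational policy and the uncertainty of the estimates alongside cost.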
2.10 IS Management Practices (continued)
IS management practices reflect the implementation of policies and procedures developed for various IS-related management activities. In most organizations, the IS department is a service (support) department.
The traditional role of a service department is to help production (line) departments conduct their operations more effectively and efficiently.
Today, however, IS has become an integral part of every facet of the operations of an organization.
Its importance continues to grow year after year, and there is little likelihood of a reversal of this trend. IS auditors must understand and appreciate the extent to which a well-managed IS department is crucial to achieving the organization's objectives.
Review Manual Reference Pages: 105
2.10.1 Human Resources Management Practices
Management and IS auditors should keep in mind certain considerations:
Hiring
Employee handbook
Promotion policies
Training
Scheduling and time reporting
Employee performance evaluations
Required vacations
Termination policies
2.10.1 Personnel Management Practices (contd.)
Content to Emphasize:
The IS auditor should be aware of personnel management issues, but this information is not tested in the CISA exam due to its subjectivity and organization-specific subject matter.
2.10.2 Sourcing Practices (continued)
Sourcing practices relate to the way an organization
obtains the IS function required to support the business
Organizations can perform all IS functions in-house or
outsource all functions across the globe
Sourcing strategy should consider each IS function and
determine which approach allows the IS function to
meet the organization's goals
2.10.2 Sourcing Practices
Content to Emphasize:
Delivery of IS functions can include:
Insourced: Fully performed by the organization's staff
Outsourced: Fully performed by the vendor's staff
Hybrid: Performed by a mix of the organization's and vendor's
staff; can include joint ventures/supplemental staff
IS functions can be performed across the globe, taking advantage
of time zones and arbitraging labor rates, and can include:
Onsite: Staff work onsite in the IS department
Offsite: Also known as nearshore, staff work at a remote
location in the same geographical area
Offshore: Staff work at a remote location in a different
geographic region
2.10.2 Sourcing Practices (continued)
Outsourcing practices and strategies
Contractual agreements under which an
organization hands over control of part or all of
the functions of the IS department to an external
party
Becoming increasingly important in many
organizations
The IS auditor must be aware of the various
forms outsourcing can take as well as the
associated risks
2.10.2 Sourcing Practices (continued)
Content to Emphasize:
Reasons for outsourcing include:
A desire to focus on core activities
Pressure on profit margins
Increasing competition that demands cost savings
Flexibility with respect to both organization and structure
The services provided by a third party can include:
Data entry
Design and development of new systems in the event that the in-house staff does
not have the requisite skills or is otherwise occupied in higher-priority tasks, or in
the event of a one-time task in which case there is no need to recruit additional
in-house skilled staff
Maintenance of existing applications to free in-house staff to develop new
applications
Conversion of legacy applications to new platforms. For example, a specialist
company may web-enable the front end of an old application.
Operating the help desk or the call center
Operations processing
2.10.2 Sourcing Practices (continued)
Possible advantages:
Commercial outsourcing companies likely to devote
more time and focus more efficiently on a given project
than in-house staff
Outsourcing vendors likely to have more experience with
a wider array of problems, issues and techniques
Possible disadvantages:
Costs exceeding customer expectations
Loss of internal IS experience
Loss of control over IS
Vendor failure
2.10.2 Sourcing Practices (continued)
Risks can be reduced by:
Establishing measurable, partnership-enacted
shared goals and rewards
Using multiple suppliers or withholding a piece of
business as an incentive
Performing periodic competitive reviews and
benchmarking/bench trending
Implementing short-term contracts
Forming a cross-functional contract management
team
Including contractual provisions to consider as
many contingencies as can reasonably be foreseen
2.10.2 Sourcing Practices (continued)
Content to Emphasize:
SLAs:
are a contractual means of helping the IS department to
manage information resources under the control of a
vendor.
stipulate and commit a vendor to a required level of
service and support options.
should serve as an instrument of control. Where the
outsourcing vendor is from another country, the
organization should be aware of cross-border legislation.
2.10.2 Sourcing Practices (continued)
Globalization practices and strategies
Requires management to actively oversee the remote or
offshore locations
The IS auditor can assist an organization in moving IS
functions offsite or offshore by ensuring that IS management
considers the following:
o Legal, regulatory and tax issues
o Continuity of operations
o Personnel
o Telecommunication issues
o Cross-border and cross-cultural issues
2.10.2 Sourcing Practices (continued)
Governance in outsourcing
Mechanism that allows organizations to transfer the
delivery of services to third parties
Accountability remains with the management of the
client organization
Transparency and ownership of the decision-making
process must reside within the purview of the client
2.10.2 Sourcing Practices (continued)
Third-party service delivery management
Every organization using the services of third parties
should have a service delivery management system
in place to implement and maintain the appropriate
level of information security and service delivery in
line with third-party service delivery agreements
The organization should check the implementation
of agreements, monitor compliance with the
agreements and manage changes to ensure that the
services delivered meet all requirements agreed to
with the third party.
2.10.3 Organizational Change Management
What is change management?
Managing IT changes for the organization
o Identify and apply technology improvements at the
infrastructure and application level
2.10.4 Financial Management Practices
Financial management is a critical element of all business
functions.
In a cost-intensive computer environment, it is imperative
that sound financial management practices are in place.
Budget: IS management, like all other departments, must
develop a budget.
A budget allows for forecasting, monitoring and analyzing
financial information. The budget allows for an adequate
allocation of funds, especially in an IS environment where
expenses can be cost-intensive. The IS budget should be
linked to short- and long-range IT plans.
2.10.5 Quality Management (continued)
Software development, maintenance and
implementation
Acquisition of hardware and software
Day-to-day operations
Service management
Security
Human resource management
General administration
2.10.6 Information Security Management
Information security management provides the lead role to
ensure that the organization's information and the
information processing resources under its control are
properly protected. This would include leading and
facilitating the implementation of an organization-wide IT
security program which includes the development of
o Business Impact Analysis (BIA),
o Business Continuity Plans (BCPs) and Disaster Recovery
Plans (DRPs) related to IS department functions in
support of the organization's critical business processes.
2.10.7 Performance Optimization (continued)
Process driven by performance indicators
Optimization refers to the process of improving the
productivity of information systems to the highest level
possible without unnecessary, additional investment in
the IT infrastructure
2.10.7 Performance Optimization (continued)
Content to Emphasize:
The broad phases of performance measurement are:
Establishing and updating performance measures
Establishing accountability for performance measures
Gathering and analyzing performance data
Reporting and using performance information
Caveats of performance measurement include:
Model: A model is built or established first to evaluate the performance and
alignment with the business objectives.
Measurement error: Conventional measures do not properly account for the true
inputs and outputs.
Lags: Time lags between expense and benefit are not properly accounted for in
current measures.
Redistribution: IT is used to redistribute the source of costs in firms; there is no
difference in total output, only in the means of getting it.
Mismanagement: The lack of explicit measures of the value of information makes
resources vulnerable to misallocation and overconsumption by managers. As a result,
proper performance measurement techniques will play an increasing role for program
managers and investment review boards.
2.10.7 Performance Optimization (continued)
Five ways to use performance measures:
Measure products/services
Manage products/services
Assure accountability
Make budget decisions
Optimize performance
2.10.7 Performance Optimization (continued)
Content to Emphasize:
COBIT management guidelines are primarily designed to meet the needs
of IT management for performance measurement. Goals and metrics
and maturity models are provided for each of the 34 IT processes. These
are generic and action-oriented for the purpose of addressing the
following types of management concerns:
Performance measurement: What are the indicators of good
performance?
IT control profiling: What is important? What are the critical success
factors for control?
Awareness: What are the risks of not achieving our objectives?
Benchmarking: What do others do? How are they measured and
compared?
From a control perspective, the management guidelines
address the key issue of determining the right level of control for IT such
that it supports the objectives of the enterprise.
2.11 Organizational Structure & Overview
Organizational Structure
Review Manual Reference Pages: 114
2.11.1 IS Role and Responsibility (continued)
Systems development manager
Help desk
End user
End-user support manager
2.11.1 IS Role and Responsibility (continued)
Data management
Quality assurance manager
Vendor and outsourcer management
Operations manager
2.11.1 IS Role and Responsibility (continued)
Content to Emphasize:
Quality assurance manager: Responsible for negotiating and facilitating
quality activities in all areas of information technology
With the increase in outsourcing, including the use of multiple vendors,
dedicated staff may be required to manage the vendors and outsourcers,
including performing the following functions:
Act as the prime contact for the vendor and outsourcer within the IS
function.
Provide direction to the outsourcer on issues and escalate internally
within the organization and IS function.
Monitor and report on the service levels to management.
Review changes to the contract due to new requirements and obtain IS
approvals.
2.11.1 IS Role and Responsibility (continued)
Control group
Media management
Data entry
Systems administration
Security administration
Quality assurance
Database administration
Systems analyst
Security architect
Applications development and maintenance
Infrastructure development and maintenance
Network management
2.11.2 Segregation of Duties Within IS (cont'd)
Avoids possibility of errors or misappropriations
Discourages fraudulent acts
Limits access to data
2.11.3 Segregation of Duties Control (cont'd)
Control measures to enforce segregation of duties
include:
Transaction authorization
Custody of assets
Access to data
Authorization forms
User authorization tables
2.11.3 Segregation of Duties Control (cont'd)
Compensating controls for lack of segregation of
duties include:
Audit trails
Reconciliation
Exception reporting
Transaction logs
Supervisory reviews
Independent reviews
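A user authorization table is one of the control measures listed above, and an auditor can test it mechanically. The following is an added example, not code from the CISA Review Manual: it takes the incompatible function pairs named in practice question 7 on this page, a constructed authorization table with hypothetical users, and flags users who hold conflicting duties without a recognised compensating control from the list above.

```python
"""Segregation-of-duties review of a user authorization table.

Added example (not from the CISA Review Manual). The users, grants and
control assignments below are constructed for illustration.
"""
from itertools import combinations

# Incompatible function pairs as stated in practice question 7 on this page.
# Frozensets make the order of the two duties irrelevant.
INCOMPATIBLE_PAIRS = {
    frozenset({"security administration", "change management"}),
    frozenset({"computer operations", "system development"}),
    frozenset({"system development", "change management"}),
}

# Compensating controls the page lists for a lack of segregation of duties.
RECOGNISED_COMPENSATING_CONTROLS = {
    "audit trails", "reconciliation", "exception reporting",
    "transaction logs", "supervisory reviews", "independent reviews",
}


def find_conflicts(duties):
    """Return the incompatible duty pairs held by a single user, sorted."""
    conflicts = []
    for first, second in combinations(sorted(duties), 2):
        if frozenset({first, second}) in INCOMPATIBLE_PAIRS:
            conflicts.append((first, second))
    return conflicts


def review_authorization_table(table, compensating):
    """Flag every user holding conflicting duties.

    table:        user -> set of duties granted (the user authorization table)
    compensating: user -> controls management has documented for that user
    Returns user -> {"conflicts": [...], "compensated": bool, "controls": [...]}
    """
    findings = {}
    for user, duties in table.items():
        conflicts = find_conflicts(duties)
        if not conflicts:
            continue  # no segregation-of-duties exposure for this user
        # Only a control of a type the page recognises counts as compensating.
        documented = set(compensating.get(user, ()))
        controls = documented & RECOGNISED_COMPENSATING_CONTROLS
        findings[user] = {
            "conflicts": conflicts,
            "compensated": bool(controls),
            "controls": sorted(controls),
        }
    return findings


# Constructed sample authorization table (hypothetical users and grants).
SAMPLE_TABLE = {
    "alice": {"system development", "systems maintenance"},  # permitted (Q7)
    "bob": {"computer operations", "system development"},
    "carol": {"security administration", "change management"},
    "dave": {"system development", "change management", "computer operations"},
}
SAMPLE_CONTROLS = {
    "bob": ["supervisory reviews", "exception reporting"],
    "carol": ["quarterly newsletter"],  # not a recognised compensating control
}

if __name__ == "__main__":
    for user, f in review_authorization_table(SAMPLE_TABLE, SAMPLE_CONTROLS).items():
        status = "compensated" if f["compensated"] else "UNCOMPENSATED"
        print(f"{user}: {f['conflicts']} -> {status} {f['controls']}")
```

Running the sample reports bob as compensated, carol and dave as uncompensated, and alice not at all, since development plus maintenance is the combination question 7 accepts.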
2.12 Auditing IT Governance Structure and
Implementation (cont'd)
Indicators of potential problems include:
Unfavorable end-user attitudes
Excessive costs
Budget overruns
Late projects
High staff turnover
Inexperienced staff
Frequent hardware/software errors
Review Manual Reference Pages: 120
2.12.1 Reviewing Documentation (cont'd)
The following documents should be reviewed:
IT strategies, plans and budgets
Security policy documentation
Organization/functional charts
Job descriptions
Steering committee reports
System development and program change procedures
Operations procedures
Human resource manuals
Quality assurance procedures
2.12.2 Reviewing Contractual Commitment (cont'd)
There are various phases to computer hardware,
software and IS service contracts, including:
Development of contract requirements and service levels
Contract bidding process
Contract selection process
Contract acceptance
Contract maintenance
Contract compliance
2.12.2 Reviewing Contractual Commitment (cont'd)
Content to Emphasize:
In reviewing a sample of contracts, the IS auditor should
evaluate the adequacy of the following terms and conditions:
Service levels
Right to audit or third-party audit reporting
Software escrow
Penalties for noncompliance
Adherence to security policies and procedures
Protection of customer information
Contract change process
Contract termination and any associated penalties
Governance on a Page
Information Referenced and Provided By:
IT Governance Institute (www.itgi.org)
Information Systems Audit and Control Association (www.isaca.org)
Practice Questions
Practice Questions (cont'd.)
1. In order for management to effectively monitor the
compliance of processes and applications, which of the
following would be the MOST ideal?
A. A central document repository
B. A knowledge management system
C. A dashboard
D. Benchmarking
Answer
1. C: A dashboard provides a set of information to
illustrate compliance of the processes, applications and
configurable elements and keeps the enterprise on
course. A central document repository provides a great
deal of data, but not necessarily the specific information
that would be useful for monitoring and compliance. A
knowledge management system provides valuable
information, but is generally not used by management
for compliance purposes. Benchmarking provides
information to help management adapt the organization,
in a timely manner, according to trends and
environment.
Practice Questions (cont'd.)
2. Which of the following would be included in an IS
strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department
Answer
2. B: IS strategic plans must address the
needs of the business and meet future
business objectives. Hardware purchases may
be outlined, but not specified, and neither
budget targets nor development projects are
relevant choices. Choices A, C and D are not
strategic items.
Practice Questions (cont'd.)
3. Which of the following BEST describes an IT department's strategic
planning process?
A. The IT department will have either short-range or long-range plans
depending on the organization's broader plans and objectives.
B. The IT department's strategic plan must be time and project
oriented, but not so detailed as to address and help determine
priorities to meet business needs.
C. Long-range planning for the IT department should recognize
organizational goals, technological advances and regulatory
requirements.
D. Short-range planning for the IT department does not need to be
integrated into the short-range plans of the organization since
technological advances will drive the IT department plans much
quicker than organizational plans.
Answer
3. C: Long-range planning for the IT department
should recognize organizational goals, technological
advances and regulatory requirements. Typically, the
IT department will have long-range and short-range
plans that are consistent and integrated with the
organization's plans. These plans must be time and
project-oriented and address the organization's
broader plans toward attaining its goals.
Practice Questions (cont'd.)
4. The MOST important responsibility of a
data security officer in an organization is:
A. recommending and monitoring data security
policies.
B. promoting security awareness within the
organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access
controls.
Answer
4. A: A data security officer's prime responsibility
is recommending and monitoring data security
policies. Promoting security awareness within the
organization is one of the responsibilities of a data
security officer, but it is not as important as
recommending and monitoring data security policies.
The IT department, not the data security officer, is
responsible for establishing procedures for IT
security policies recommended by the data security
officer and for the administration of physical and
logical access controls.
Practice Questions (cont'd.)
5. What is considered the MOST critical element for
the successful implementation of an information
security (IS) program?
A. An effective enterprise risk management (ERM)
framework
B. Senior management commitment
C. An adequate budgeting process
D. Meticulous program planning
Answer
5. B: Commitment from senior management
provides the basis to achieve success in
implementing an information security program. An
effective ERM framework is not a key success factor
for an IS program. Although an effective IS budgeting
process will contribute to success, senior
management commitment is the key ingredient.
Program planning is important, but will not be
sufficient without senior management commitment.
Practice Questions (cont'd.)
6. An IS auditor should ensure that IT governance
performance measures:
A. evaluate the activities of IT oversight committees.
B. provide strategic IT drivers.
C. adhere to regulatory reporting standards and
definitions.
D. evaluate the IT department.
Answer
6. A: Evaluating the activities of boards and
committees providing oversight is an important
aspect of governance and should be measured.
Choices B, C and D are irrelevant to the evaluation of
IT governance performance measures.
Practice Questions (cont'd.)
7. Which of the following tasks may be performed
by the same person in a well-controlled
information processing computer center?
A. Security administration and change management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance
Answer
7. D: It is common for system development and
maintenance to be undertaken by the same person. In both,
the programmer requires access to the source code in the
development environment, but should not be allowed access
in the production environment. Choice A is incorrect because
the roles of security administration and change management
are incompatible functions. The level of security
administration access rights could allow changes to go
undetected. Computer operations and system development
(choice B) are incompatible since it would be possible for an
operator to run a program that he/she had amended. Choice
C is incorrect because the combination of system
development and change control would allow program
modifications to bypass change control approvals.
Practice Questions (cont'd.)
8. Which of the following is the MOST critical
control over database administration?
A. Approval of DBA activities
B. Segregation of duties
C. Review of access logs and activities
D. Review of the use of database tools
Answer
8. B: Segregation of duties will prevent
combination of conflicting functions. This is a
preventive control and it is the most critical control
over database administration. Approval of DBA
activities does not prevent the combination of
conflicting functions. Review of access logs and
activities is a detective control. If DBA activities are
improperly approved review of access logs and
activities may not reduce the risk. Reviewing the use
of database tools does not reduce the risk since this is
only a detective control and does not prevent
combination of conflicting functions.
Practice Questions (cont'd.)
9. When a complete segregation of duties cannot be
achieved in an online system environment, which
of the following functions should be separated
from the others?
A. Origination
B. Authorization
C. Recording
D. Correction
Answer
9. B: Authorization should be separated from all
aspects of record keeping (origination, recording and
correction). Such a separation enhances the ability to
detect the recording of unauthorized transactions.
Practice Questions
10. In a small organization where segregation of
duties is not practical, an employee performs the
function of computer operator and application
programmer. Which of the following controls
should the IS auditor recommend?
A. Automated logging of changes to development
libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program
changes are implemented
D. Access controls to prevent the operator from making
program modifications
Answer
10. C: In smaller organizations it generally is not
appropriate to recruit additional staff to achieve a strict
segregation of duties. The IS auditor must look at
alternatives. Of the choices, C is the only practical one
that has an impact. The IS auditor should recommend
processes that detect changes to production source and
object code, such as code comparisons, so the changes
can be reviewed by a third party on a regular basis. This
would be a compensating control process. Choice A,
involving logging of changes to development libraries,
would not detect changes to production libraries. Choice
D is in effect requiring a third party to do the changes,
which may not be practical in a small organization.
Conclusion
QUITTING TIME
Any Queries?