
10/20/2014

2014 CISA REVIEW COURSE


Chapter 2: IT Governance and Management of IT

Course Agenda
Learning Objectives
Discuss Task and Knowledge Statements
Discuss specific topics within the chapter
Case studies
Sample questions

Exam Relevance

Ensure that the CISA candidate understands and can provide assurance that the necessary leadership and organizational structures and processes are in place to achieve the objectives and to support the enterprise's strategy.

% of Total Exam Questions

Chapter 1: 14%
Chapter 2: 14%
Chapter 3: 19%
Chapter 4: 23%
Chapter 5: 30%

The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).

Learning Objectives

The objective of this domain is to understand and provide assurance that the necessary leadership and organizational structures and processes are in place to achieve the objectives and to support the enterprise's strategy.

Domain 2 Task Statements

There are eleven tasks within this domain that a CISA must know how to perform:

T2.1 Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
T2.2 Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
T2.3 Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.

Domain 2 Task Statements (cont.)

T2.4 Evaluate the organization's IT policies, standards and procedures, and the processes for their development, approval, implementation, maintenance and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.
T2.5 Evaluate the adequacy of the quality management system to determine whether it supports the organization's strategies and objectives in a cost-effective manner.

Domain 2 Task Statements (cont.)

T2.6 Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization's policies, standards and procedures.
T2.7 Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization's strategies and objectives.
T2.8 Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization's strategies and objectives.

Domain 2 Task Statements (cont.)

T2.9 Evaluate risk management practices to determine whether the organization's IT-related risks are properly managed.
T2.10 Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.
T2.11 Evaluate the organization's business continuity plan to determine the organization's ability to continue essential business operations during the period of an IT disruption.

Domain 2 Knowledge Statements

There are 16 knowledge statements within the domain covering the governance and management of IT:

KS2.1 Knowledge of IT governance, management, security and control frameworks, and related standards, guidelines, and practices
KS2.2 Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
KS2.3 Knowledge of organizational structure, roles and responsibilities related to IT
KS2.4 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures

Domain 2 Knowledge Statements (cont.)

KS2.5 Knowledge of the organization's technology direction and IT architecture and their implications for setting long-term strategic directions
KS2.6 Knowledge of relevant laws, regulations and industry standards affecting the organization
KS2.7 Knowledge of quality management systems
KS2.8 Knowledge of the use of maturity models
KS2.9 Knowledge of process optimization techniques
KS2.10 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, project management)

Domain 2 Knowledge Statements (cont.)

KS2.11 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes including third party outsourcing relationships
KS2.12 Knowledge of enterprise risk management
KS2.13 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI])
KS2.14 Knowledge of IT human resources (personnel) management practices used to invoke the business continuity plan

Domain 2 Knowledge Statements (cont.)

KS2.15 Knowledge of business impact analysis (BIA) related to business continuity planning
KS2.16 Knowledge of the standards and procedures for the development and maintenance of the business continuity plan and testing methods

2.2 Corporate Governance

Ethical corporate behavior by directors or others charged with governance in the creation and presentation of value for all stakeholders
The distribution of rights and responsibilities among different participants in the corporation, such as board, managers, shareholders and other stakeholders
Establishment of rules to manage and report on business risks

2.3 Governance of Enterprise IT

Comprises the body of issues addressed in considering how IT is applied within the enterprise.

GEIT is concerned with two issues:
1. IT delivers value to the business
2. IT risks are managed

Effective governance of enterprise IT focuses on:
Individual and group expertise
Experience in specific areas

Key element: alignment of business and IT

2.3.1 Best Practices for Governance of Enterprise IT

2.3.1 Best Practices for Governance of Enterprise IT (cont.)

Governance of Enterprise IT (GEIT) has become significant due to:
Demands for better return from IT investments
Increases in IT expenditures
Regulatory requirements for IT controls
Selection of service providers and outsourcing
Complexity of network security
Adoption of control frameworks
Benchmarking

2.3.1 Best Practices for Governance of Enterprise IT (cont.)

Audit role in governance of enterprise IT:
Audit plays a significant role in the successful implementation of IT governance within an organization
Reporting on IT governance involves auditing at the highest level in the organization and may cross division, functional or departmental boundaries

2.3.1 Best Practices for Governance of Enterprise IT (cont.)

In accordance with the defined role of the IS auditor, the following aspects related to IT governance need to be assessed:
How enterprise governance and GEIT are aligned
Alignment of the IS function with the organization's mission, vision, values, objectives and strategies
Achievement of performance objectives established by the business (e.g., effectiveness and efficiency) by the IS function
Legal, environmental, information quality, fiduciary, security, and privacy requirements
The control environment of the organization
The inherent risks within the IS environment
IT investment/expenditure

2.3.2 IT Governing Committees

The creation of an IT strategy committee is an industry best practice
The committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also a focus on IT value, risks and performance

2.3.2 IT Governing Committees (cont.)

Exhibit 2.4: Analysis of Steering Committee Responsibilities

IT Strategy Committee
Responsibility: Provides insight and advice to the board on topics such as:
  The relevance of developments in IT from a business perspective
  The alignment of IT with the business direction
  The achievement of strategic IT objectives
  The availability of suitable IT resources, skills and infrastructure to meet the strategic objectives
  Optimization of IT costs, including the role and value delivery of external IT sourcing
  Risk, return and competitive aspects of IT investments
  Progress on major IT projects
  The contribution of IT to the business (i.e., delivering the promised business value)
  Exposure to IT risks, including compliance risks
  Containment of IT risks
  Direction to management relative to IT strategy
  Drivers and catalysts for the board's IT governance practices
Authority:
  Advises the board and management on IT strategy
  Is delegated by the board to provide input to the strategy and prepare its approval
  Focuses on current and future strategic IT issues
Membership:
  Board members and specialist nonboard members

IT Steering Committee
Responsibility:
  Decides the overall level of IT spending and how costs will be allocated
  Aligns and approves the enterprise's IT architecture
  Approves project plans and budgets, setting priorities and milestones
  Acquires and assigns appropriate resources
  Ensures projects continuously meet business requirements, including reevaluation of the business case
  Monitors project plans for delivery of expected value and desired outcomes, on time and within budget
  Monitors resource and priority conflict between enterprise divisions and the IT function as well as between projects
  Makes recommendations and requests for changes to strategic plans (priorities, funding, technology approaches, resources, etc.)
  Communicates strategic goals to project teams
  Is a major contributor to management's IT governance responsibilities
Authority:
  Assists the executive in the delivery of the IT strategy
  Oversees day-to-day management of IT service delivery and IT projects
  Focuses on implementation
Membership:
  Sponsoring executive
  Business executive (key users)
  CIO
  Key advisors as required (IT, audit, legal, finance)

2.3.3 IT Balanced Scorecard

A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes
The method goes beyond the traditional financial evaluation
One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment

2.3.4 Information Security Governance

Focused activity with specific value drivers:
Integrity of information
Continuity of services
Protection of information assets

Integral part of governance of enterprise IT
Importance of information security governance

2.3.4 Information Security Governance (cont.)

Importance of information security governance
Information security (Infosec) covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties.
Infosec is concerned with all aspects of information and its protection at all points of its life cycle within the organization.

2.3.4 Information Security Governance (cont.)

Effective information security can add significant value to an organization by:
Providing greater reliance on interactions with trading partners
Improving trust in customer relationships
Protecting the organization's reputation
Enabling new and better ways to process electronic transactions

2.3.4 Information Security Governance (cont.)

Enablers of security governance:

Outcomes of effective security governance:
Strategic alignment: align with business strategy
Risk management: manage and execute appropriate measures to mitigate risks
Value delivery: optimize security investments
Performance measurement: measure, monitor and report on information security processes
Resource management: utilize information security knowledge and infrastructure efficiently and effectively
Process integration: integration of management assurance processes for security

2.3.4 Information Security Governance (cont.)

Effective information security governance
To achieve effective information security governance, management must establish and maintain a framework to guide the development and management of a comprehensive information security program that supports business objectives
This framework provides the basis for the development of a cost-effective information security program that supports the organization's business goals.

2.3.4 Information Security Governance (cont.)

Information security governance requires strategic direction and impetus from:
Boards of directors / senior management
Senior management
Steering committee
Chief information security officers

2.3.5 Enterprise Architecture

Involves documenting an organization's IT assets in a structured manner to facilitate understanding, management and planning for IT investments
Often involves both a current state and optimized future state representation

2.3.5 Enterprise Architecture (cont.)

The Zachman Framework for Enterprise Architecture
Columns: Data; Functional (Application); Network (Technology); People (Organization); Process (Workflow); Strategy
Rows: Scope; Enterprise model; Systems model; Technology model; Detailed representation

2.3.5 Enterprise Architecture (cont.)

The Federal Enterprise Architecture (FEA) hierarchy:
Performance
Business
Service component
Technical
Data

2.4.1 Strategic Planning

From an IS standpoint, strategic planning relates to the long-term direction an organization wants to take in leveraging information technology for improving its business processes
Effective IT strategic planning involves a consideration of the organization's demand for IT and its IT supply capacity

2.4.1 Strategic Planning (cont.)

The IS auditor should pay attention to the importance of IT strategic planning
Focus on the importance of a strategic planning process or planning framework
Consider how the CIO or senior IT management are involved in the creation of the overall business strategy

2.4.2 Steering Committee

An organization's senior management should appoint a planning or steering committee to oversee the IS function and its activities
A high-level steering committee for information technology is an important factor in ensuring that the IS department is in harmony with the corporate mission and objectives

2.5 Maturity and Process Improvement Models

COBIT Process Assessment Model (PAM)
IDEAL model
Capability Maturity Model Integration (CMMI)

2.6 IT Investment and Allocation Practices

Financial benefits: impact on budget and finances
Nonfinancial benefits: impact on operations or mission performance and results

2.7 Policies and Procedures

Reflect management guidance and direction in developing controls over:
Information systems
Related resources
IS department processes

2.7.1 Policies

High-level documents
Must be clear and concise
Set the tone for the organization as a whole (top down)
Lower-level policies defined by individual divisions and departments

2.7.1 Policies (cont.)

Information Security Policy
Defines information security, overall objectives and scope
Is a statement of management intent
Is a framework for setting control objectives including risk management
Defines responsibilities for information security management
Acceptable Use Policy
Defines a set of guidelines and/or rules to control how the organization's information system resources will be used

2.7.2 Procedures

Procedures are detailed documents that:
Document and define steps for achieving policy objectives
Must be derived from the parent policy
Must implement the spirit (intent) of the policy statement
Must be written in a clear and concise manner

2.8 Risk Management

The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives.
Risk response options:
Avoid
Mitigate
Transfer
Accept

2.8.1 Developing a Risk Management Program

To develop a risk management program:
Establish the purpose of the risk management program
Assign responsibility for the risk management plan

2.8.2 Risk Management Process

Identification and collection of relevant data to enable effective IT-related risk identification, analysis and reporting
Assess threats and vulnerabilities and the likelihood of their occurrence
Once the elements of risk have been established, they are combined to form an overall view of risk
Evaluate existing controls or design new controls to reduce the vulnerabilities to an acceptable level of risk
Residual risk

2.8.2 Risk Management Process (cont.)

IT risk management needs to operate at multiple levels, including:
The operational level
The project level
The strategic level

2.8.3 Risk Analysis Methods

Qualitative
Semiquantitative
Quantitative
Probability and expectancy
Annual loss expectancy method

2.8.3 Risk Analysis Methods (cont.)

Management and IS auditors should keep in mind certain considerations:
Risk management should be applied to IT functions throughout the company
Senior management responsibility
Quantitative RM is preferred over qualitative approaches
Quantitative RM always faces the challenge of estimating risks
Quantitative RM provides more objective assumptions
The real complexity or the apparent sophistication of the methods or packages used should not be a substitute for common sense or professional diligence
Special care should be given to very high impact events, even if the probability of occurrence over time is very low.
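As an added example (not part of the review course), the Python below applies the annual loss expectancy method named on the previous slide: it assumes the standard definition ALE = SLE x ARO, compares the ALE a control removes with the control's annual cost, and separately flags the very high impact, very low probability events the last bullet says need special care, since an ALE-only ranking can put them level with routine incidents. All risk and control figures are constructed.

```python
"""Quantitative risk analysis with the annual loss expectancy (ALE) method.

Added example, not from the CISA review course. Assumes the standard
definitions: SLE = single loss expectancy (loss per event), ARO =
annualized rate of occurrence (expected events per year), ALE = SLE * ARO.
All risk and control figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # loss per single occurrence, in currency units
    aro: float  # expected occurrences per year (may be well below 1)

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    sle_reduction: float = 0.0  # fraction of the loss per event removed (0..1)
    aro_reduction: float = 0.0  # fraction of the occurrence rate removed (0..1)


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    reduced_sle = risk.sle * (1.0 - control.sle_reduction)
    reduced_aro = risk.aro * (1.0 - control.aro_reduction)
    return reduced_sle * reduced_aro


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Annual ALE reduction minus the control's annual cost.

    Positive means the control pays for itself; this is the cost-benefit
    comparison a steering committee would expect before funding it.
    """
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def rank_by_ale(risks: List[Risk]) -> List[str]:
    """Risk names from highest to lowest ALE (ties keep input order)."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


def high_impact_low_probability(risk: Risk, impact_threshold: float,
                                aro_threshold: float = 0.1) -> bool:
    """True for events with a very high single-event impact but a very low
    probability of occurrence over time; these need review on their own
    merits rather than only by their ALE position."""
    return risk.sle >= impact_threshold and risk.aro < aro_threshold


# Constructed scenario (illustrative numbers only).
RISKS: List[Risk] = [
    Risk("ransomware on file server", sle=200_000.0, aro=0.5),
    Risk("data center fire", sle=5_000_000.0, aro=0.02),
    Risk("laptop theft", sle=8_000.0, aro=4.0),
]

# Proposed control per risk; risks without a proposal are left uncontrolled.
CONTROLS: Dict[str, Control] = {
    "ransomware on file server": Control("offline backups", annual_cost=15_000.0,
                                         sle_reduction=0.7),
    "data center fire": Control("fire suppression upgrade", annual_cost=60_000.0,
                                sle_reduction=0.5, aro_reduction=0.5),
}


def risk_register(risks: List[Risk] = RISKS,
                  controls: Dict[str, Control] = CONTROLS,
                  impact_threshold: float = 1_000_000.0) -> List[dict]:
    """One summary row per risk: ALE, proposed control economics, special-care flag."""
    rows = []
    for r in risks:
        c: Optional[Control] = controls.get(r.name)
        rows.append({
            "risk": r.name,
            "ale": r.ale,
            "control": c.name if c else None,
            "net_benefit": control_net_benefit(r, c) if c else None,
            "special_care": high_impact_low_probability(r, impact_threshold),
        })
    return rows


if __name__ == "__main__":
    for row in risk_register():
        print(row)
```

In the constructed data the ransomware and fire scenarios carry the same ALE, yet only the fire is flagged for special care, which is exactly the distinction the slide's last bullet asks for.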


2.9.1 Human Resource Management

Hiring
Employee handbook
Promotion policies
Training
Scheduling and time reporting
Employee performance evaluations
Required vacations
Termination policies

2.9.2 Sourcing Practices

Sourcing practices relate to the way an organization obtains the IS function required to support the business
Organizations can perform all IS functions in-house or outsource all functions across the globe
The sourcing strategy should consider each IS function and determine which approach allows the IS function to meet the organization's goals

2.9.2 Sourcing Practices (cont.)

Outsourcing practices and strategies
Contractual agreements under which an organization hands over control of part or all of the functions of the IS department to an external party
Becoming increasingly important in many organizations
The IS auditor must be aware of the various forms outsourcing can take as well as the associated risks

2.9.2 Sourcing Practices (cont.)

Globalization practices and strategies
Requires management to actively oversee the remote or offshore locations
The IS auditor can assist an organization in moving IS functions offsite or offshore by ensuring that IS management considers the following:
Legal, regulatory and tax issues
Continuity of operations
Personnel
Telecommunication issues
Cross-border and cross-cultural issues

2.9.2 Sourcing Practices (cont.)

Governance in outsourcing
Mechanism that allows organizations to transfer the delivery of services to third parties
Accountability remains with the management of the client organization
Transparency and ownership of the decision-making process must reside within the purview of the client

2.9.2 Sourcing Practices (cont.)

Third-party service delivery management
Every organization using the services of third parties should have a service delivery management system in place to implement and maintain the appropriate level of information security and service delivery in line with third-party service delivery agreements
The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed to with the third party.

2.9.3 Organizational Change Management

What is change management?
Managing IT changes for the organization
Identify and apply technology improvements at the infrastructure and application level

2.9.4 Financial Management Practices

User-pays scheme (chargeback)
IS budgets

2.9.5 Quality Management

Software development, maintenance and implementation
Acquisition of hardware and software
Day-to-day operations
Service management
Security
Human resource management
General administration

2.9.7 Performance Optimization

Performance is not how well a system works; performance is the service perceived by users and stakeholders.
Performance optimization is the process of improving information system productivity to the highest level possible without unnecessary, additional investment in the IT infrastructure.

2.9.7 Performance Optimization (cont.)

Effective performance measurement depends on two key aspects being addressed:
The clear definition of performance goals
The establishment of effective metrics to monitor achievement of goals

2.9.7 Performance Optimization (cont.)

Methodologies and Tools
A variety of improvement and optimization methodologies are available that complement simple, internally developed approaches. These include:
Continuous improvement methodologies, such as the PDCA cycle
Comprehensive best practices, such as ITIL
Frameworks, such as COBIT

2.9.7 Performance Optimization (cont.)

Tools and Techniques
Tools and techniques that facilitate measurements, good communication and organizational change include:
Six Sigma
IT balanced scorecard (BSC)
Key performance indicators (KPIs)
Benchmarking
Business process reengineering (BPR)
Root cause analysis
Life cycle cost-benefit analysis

2.10 IS Organizational Structure and Responsibilities

2.10.1 IS Roles and Responsibilities

Systems development manager
Project management
Service desk (help desk)
End user
End user support manager
Data management
Quality assurance manager
Information security manager

2.10.1 IS Roles and Responsibilities (cont.)

Vendor and outsourcer management
Infrastructure operations and maintenance
Media management
Data entry
Systems administration
Security administration
Quality assurance

2.10.1 IS Roles and Responsibilities (cont.)

Database administration
Systems analyst
Security architect
Applications development and maintenance
Infrastructure development and maintenance
Network management

2.10.2 Segregation of Duties Within IS

Avoids the possibility of errors or misappropriations
Discourages fraudulent acts
Limits access to data

2.10.3 Segregation of Duties Controls

Control measures to enforce segregation of duties include:
Transaction authorization
Custody of assets
Access to data
Authorization forms
User authorization tables
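As an added example (not part of the review course), the Python below shows the kind of check an IS auditor runs over a user authorization table, the last control listed above: it parses a constructed "user,duty" export and reports every user who holds a pair of duties the organization's segregation-of-duties matrix declares incompatible. The duty names, the conflict matrix and the export are all constructed; a real review substitutes the organization's own matrix and access-control exports.

```python
"""Segregation-of-duties (SoD) review of a user authorization table.

Added example, not from the CISA review course. The duty names, the
conflict matrix and the authorization export are all constructed for
illustration; a real review uses the organization's own SoD matrix and
its actual access-control exports.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed conflict matrix: pairs of duties one person must not hold together.
# It follows the usual split between authorizing, recording and custody of
# assets, plus two IS-specific separations: development from production
# change migration, and security administration from review of its own logs.
CONFLICTING_DUTIES: Set[FrozenSet[str]] = {
    frozenset({"transaction_authorization", "asset_custody"}),
    frozenset({"transaction_authorization", "transaction_recording"}),
    frozenset({"asset_custody", "transaction_recording"}),
    frozenset({"application_development", "production_change_migration"}),
    frozenset({"security_administration", "security_log_review"}),
}

# Constructed authorization-table export, one "user,duty" grant per line.
AUTHORIZATION_EXPORT = """\
# user,duty
alice,transaction_authorization
alice,security_log_review
bob,transaction_recording
bob,asset_custody
carol,application_development
carol,production_change_migration
dave,security_administration
dave,asset_custody
"""


def parse_authorization_export(text: str) -> Dict[str, Set[str]]:
    """Build user -> set of duties, skipping comment and blank lines.

    Malformed lines raise rather than being silently dropped: a grant the
    reviewer never sees is a grant the review cannot vouch for.
    """
    table: Dict[str, Set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"line {lineno}: expected 'user,duty', got {raw!r}")
        table.setdefault(parts[0], set()).add(parts[1])
    return table


def find_sod_conflicts(table: Dict[str, Set[str]],
                       conflicts: Set[FrozenSet[str]] = CONFLICTING_DUTIES
                       ) -> Dict[str, List[Tuple[str, str]]]:
    """Users holding at least one incompatible pair of duties, with the pairs."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    for user, duties in table.items():
        hits = [pair for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in conflicts]
        if hits:
            found[user] = hits
    return found


def review(text: str = AUTHORIZATION_EXPORT) -> Dict[str, List[Tuple[str, str]]]:
    """End-to-end check over an export. Each user returned needs either a
    role change or documented compensating controls (audit trail,
    supervisory review, independent review) before the finding is closed."""
    return find_sod_conflicts(parse_authorization_export(text))


if __name__ == "__main__":
    for user, pairs in review().items():
        for first, second in pairs:
            print(f"{user}: holds both {first} and {second}")
```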


2.10.3 Segregation of Duties Controls (cont.)

Compensating controls for lack of segregation of duties include:
Audit trails
Reconciliation
Exception reporting
Transaction logs
Supervisory reviews
Independent reviews

2.11 Auditing IT Governance Structure and Implementation

Indicators of potential problems include:
Unfavorable end-user attitudes
Excessive costs
Budget overruns
Late projects
High staff turnover
Inexperienced staff
Frequent hardware/software errors

2.11.1 Reviewing Documentation

The following documents should be reviewed:
IT strategies, plans and budgets
Security policy documentation
Organization/functional charts
Job descriptions
Steering committee reports
System development and program change procedures
Operations procedures
Human resource manuals
Quality assurance procedures

2.11.2 Reviewing Contractual Commitments

There are various phases to computer hardware, software and IS service contracts, including:
Development of contract requirements and service levels
Contract bidding process
Contract selection process
Contract acceptance
Contract maintenance
Contract compliance

2.12 Business Continuity Planning

Business continuity planning (BCP) is a process designed to reduce the organization's business risk
A BCP is much more than just a plan for the information systems

2.12 Business Continuity Planning (cont.)

Corporate risks could cause an organization to suffer:
Inability to maintain critical customer services
Damage to market share, reputation or brand
Failure to protect the company assets including intellectual property and personnel
Business control failure
Failure to meet legal or regulatory requirements

2.12.1 IS Business Continuity Planning

IS processing is of strategic importance
Critical component of overall BCP
Most key business processes depend on the availability of key systems and infrastructure components

2.12.2 Disasters and Other Disruptive Events

Disasters are disruptions that cause critical information resources to be inoperative for a period of time
Good BCP will take into account impacts on IS processing facilities

2.12.3 Business Continuity Planning Process

2.12.4 Business Continuity Policy

Defines the extent and scope of business continuity for both internal and external stakeholders
Should be proactive

2.12.5 Business Continuity Planning Incident Management

All types of incidents should be categorized:
Negligible
Minor
Major
Crisis

2.12.6 Business Impact Analysis

Critical step in developing the business continuity plan
Three main questions to consider during the BIA phase:
What are the different business processes?
What are the critical information resources related to an organization's critical business processes?
What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

2.12.6 Business Impact Analysis (cont.)

What is the system's risk ranking?
Critical
Vital
Sensitive
Non-sensitive

2.12.7 Development of Business Continuity Plans

Factors to consider when developing the plans:
Predisaster readiness covering incident response management to address all relevant incidents affecting business processes
Evacuation procedures
Procedures for declaring a disaster (escalation procedures)
Circumstances under which a disaster should be declared
The clear identification of the responsibilities in the plan

2.12.7 Development of Business Continuity Plans (cont.)

Factors to consider when developing the plans:
The clear identification of the persons responsible for each function in the plan
The clear identification of contact information
The step-by-step explanation of the recovery process
The clear identification of the various resources required for recovery and continued operation of the organization

2.12.8 Other Issues in Plan Development

Management and user involvement is vital to the success of BCP
Essential to the identification of critical systems, recovery times and resources
Involvement from support services, business operations and information processing support
The entire organization needs to be considered for BCP

2.12.9 Components of a Business Continuity Plan

A business continuity plan may consist of more than one plan document:
Continuity of operations plan (COOP)
Disaster recovery plan (DRP)
Business resumption plan
Continuity of support plan/IT contingency plan
Crisis communications plan
Incident response plan
Transportation plan
Occupant emergency plan (OEP)
Evacuation and emergency relocation plan

2.12.9 Components of a Business Continuity Plan (cont.)

Components of the plan:
Key decision-making personnel
Backup of required supplies
Insurance:
  IS equipment and facilities
  Media (software) reconstruction
  Extra expense
  Business interruption
  Valuable papers and records
  Errors and omissions
  Fidelity coverage
  Media transportation

2.12.10 Plan Testing

Schedule testing at a time that will minimize disruptions to normal operations
The test must simulate actual processing conditions
Test execution:
  Documentation of results
  Results analysis
  Recovery / continuity plan maintenance

2.12.11 Summary of Business Continuity

The business continuity plan must:
Be based on the long-range IT plan
Comply with the overall business continuity strategy

2.12.11 Summary of Business Continuity and Disaster Recovery (cont.)

Process for developing and maintaining the BCP/DRP:
Conduct a risk assessment
Prepare a business impact analysis
Choose appropriate controls and measures for recovering IT components to support the critical business processes
Develop the detailed plan for recovering IS facilities (DRP)
Develop a detailed plan for the critical business functions to continue to operate at an acceptable level (BCP)
Test the plans
Maintain the plans as the business changes and systems develop

2.13 Auditing Business Continuity

Understand and evaluate the business continuity strategy
Evaluate plans for accuracy and adequacy
Verify plan effectiveness
Evaluate offsite storage
Evaluate the ability of IS and user personnel to respond effectively
Ensure plan maintenance is in place
Evaluate the readability of business continuity manuals and procedures

2.13.1 Reviewing the Business Continuity Plan

IS auditors should verify that the basic elements of a well-developed plan are evident, including:
Currency of documents
Effectiveness of documents
Interview personnel for appropriateness and completeness

2.13.2 Evaluation of Prior Test Results

IS auditors must review the test results to:
Determine whether corrective actions are in the plan
Evaluate thoroughness and accuracy
Determine problem trends and resolution of problems

2.13.3 Evaluation of Offsite Storage

An IS auditor must:
Evaluate presence, synchronization and currency of media and documentation
Perform a detailed inventory review
Review all documentation
Evaluate availability of the facility

2.13.4 Interviewing Key Personnel

Key personnel must have an understanding of their responsibilities
Current detailed documentation must be kept

2.13.5 Evaluation of Security at Offsite Facility

An IS auditor must:
Evaluate the physical and environmental access controls
Examine the equipment for current inspection and calibration tags

2.13.6 Reviewing Alternative Processing Contract

An IS auditor should obtain a copy of the contract with the vendor
The contract should be reviewed against a number of guidelines:
The contract is clear and understandable
The organization's agreement with the rules

10/20/2014

2.13.7 Reviewing Insurance Coverage

97

Insurance coverage must reflect actual cost of recovery


Coverage of the following must be reviewed for adequacy
Media damage
Business interruption
Equipment replacement
Business continuity processing

Case Study A Scenario

An IS auditor has been asked to review the draft of an outsourcing contract and SLA and recommend any changes or point out any concerns prior to these being submitted to senior management for final approval. The agreement includes outsourcing support of Windows and UNIX server administration and network management to a third party.
Servers will be relocated to the outsourcer's facility that is located in another country, and connectivity will be established using the Internet. Operating system software will be upgraded on a semiannual basis, but it will not be escrowed. All requests for addition or deletion of user accounts will be processed within three business days.

Case Study A Scenario (cont.)

Intrusion detection software will be continuously monitored by the outsourcer and the customer notified by e-mail if any anomalies are detected. New employees hired within the last three years were subject to background checks. Prior to that, there was no policy in place.
A right to audit clause is in place, but 24-hour notice is required prior to an onsite visit. If the outsourcer is found to be in violation of any of the terms or conditions of the contract, it will have 10 business days to correct the deficiency. The outsourcer does not have an IS auditor, but it is audited by a regional public accounting firm.


Case Study A Question A1

Which of the following should be of MOST concern to the IS auditor?
A. User account changes are processed within three business days.
B. Twenty-four hour notice is required prior to an onsite visit.
C. The outsourcer does not have an IS audit function.
D. Software escrow is not included in the contract.

Case Study A Question A2

Which of the following would be the MOST significant issue to address if the servers contain personally identifiable customer information that is regularly accessed and updated by end users?
A. The country in which the outsourcer is based prohibits the use of strong encryption for transmitted data.
B. The outsourcer limits its liability if it took reasonable steps to protect the customer data.
C. The outsourcer did not perform background checks for employees hired over three years ago.
D. System software is only upgraded once every six months.

Case Study B Scenario

An organization has implemented an integrated application for supporting business processes. It has also entered into an agreement with a vendor for application maintenance and providing support to the users and system administrators. This support will be provided by a remote vendor support center using a privileged user ID with O/S level super user authority having read and write access to all files. The vendor will use this special user ID to log on to the system for troubleshooting and implementing application updates (patches). Due to the volume of transactions, activity logs are only maintained for 90 days.


Case Study B Question B1

Which of the following is a MAJOR concern for the IS auditor?
A. User activity logs are only maintained for 90 days.
B. The special user ID will access the system remotely.
C. The special user ID can alter activity log files.
D. The vendor will be testing and implementing patches on servers.

Case Study B Question B2

Which of the following actions would be MOST effective in reducing the risk that the privileged user account may be misused?
A. The special user ID should be disabled except when maintenance is required.
B. All usage of the special user account should be logged.
C. The agreement should be modified so that all support is performed onsite.
D. All patches should be tested and approved prior to implementation.
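The Case Study B concern that the vendor's super-user ID can alter the activity log files is usually addressed by making the log tamper-evident and keeping a copy of its chain head on a system the privileged ID cannot write to. The following is an added example, not code from the review course: a hash-chained activity log in Python. The user name, actions, timestamps and the "off-box head" copied to the customer's log server are all constructed for illustration.

```python
"""Tamper-evident activity log for a shared privileged ID (added example).

Each record's digest covers the previous digest plus the record, so editing,
deleting or reordering a record breaks the chain. The assumed control is that
the latest digest (the chain head) is copied to a system the super-user ID
cannot write to, e.g. the customer's log server; an attacker who rewrites the
whole chain locally is still caught because the recomputed head differs.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # fixed anchor for the first record


def _digest(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class ChainedLog:
    def __init__(self):
        self.entries = []  # list of (record, digest) in append order

    @property
    def head(self) -> str:
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, user: str, action: str, detail: str, ts=None) -> str:
        record = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "detail": detail,
        }
        digest = _digest(self.head, record)
        self.entries.append((record, digest))
        return digest


def verify(entries, expected_head: str):
    """Recompute the chain from GENESIS.

    Returns (True, None) if every digest checks out and the final digest equals
    the head stored off-box; otherwise (False, seq) where seq is the first
    record that fails, or len(entries) if the chain is internally consistent
    but does not end at expected_head (truncation or a locally rewritten chain).
    """
    prev = GENESIS
    for i, (record, digest) in enumerate(entries):
        if record.get("seq") != i or _digest(prev, record) != digest:
            return False, i
        prev = digest
    if prev != expected_head:
        return False, len(entries)
    return True, None


def demo():
    """Constructed session of the vendor's privileged ID, then three tampering attempts."""
    log = ChainedLog()
    log.append("vendor_svc", "login", "remote session from support center", ts="2014-10-20T09:00:00Z")
    log.append("vendor_svc", "patch", "applied application patch", ts="2014-10-20T09:12:00Z")
    log.append("vendor_svc", "edit", "modified application configuration", ts="2014-10-20T09:30:00Z")
    offbox_head = log.head  # assumed to be copied to a write-protected log server

    results = {"clean": verify(log.entries, offbox_head)}

    # 1. Edit an earlier record in place, leaving its digest untouched.
    edited = copy.deepcopy(log.entries)
    edited[1][0]["detail"] = "routine health check"
    results["edited"] = verify(edited, offbox_head)

    # 2. Delete the most recent record.
    results["truncated"] = verify(log.entries[:-1], offbox_head)

    # 3. Edit a record and recompute every digest locally.
    rewritten = ChainedLog()
    for record, _ in edited:
        rewritten.append(record["user"], record["action"], record["detail"], ts=record["ts"])
    results["rewritten"] = verify(rewritten.entries, offbox_head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} ok={outcome[0]} first_bad_seq={outcome[1]}")
```

The chain on its own only proves internal consistency; it is the head stored off-box that turns a rewritten log into a detectable one. This is why the usual recommendation is to forward privileged-session logs in real time to a system the privileged ID cannot reach, and to compare heads during the periodic log review.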

Case Study C Scenario

An IS auditor was asked to review alignment between IT and business goals for a small financial institution. The IS auditor requested various information including business goals and objectives and IT goals and objectives. The IS auditor found that business goals and objectives were limited to a short bulleted list, while IT goals and objectives were limited to slides used in meetings with the CIO (the CIO reports to the CFO). It was also found in the documentation provided that over the past two years, the risk management committee (composed of senior management) only met on three occasions, and no minutes of what was discussed were kept for these meetings. When the IT budget for the upcoming year was compared to the strategic plans for IT, it was noted that several of the initiatives mentioned in the plans for the upcoming year were not included in the budget for that year.


Case Study C Question C1

Which of the following should be of GREATEST concern to the IS auditor?
A. Strategy documents are informal and incomplete.
B. The risk management committee seldom meets and does not keep minutes.
C. Budgets do not appear adequate to support future IT investments.
D. The CIO reports to the CFO.

Case Study C Question C2

Which of the following would be the MOST significant issue to address?
A. The prevailing culture within IT.
B. The lack of information technology policies and procedures.
C. The risk management practices as compared to peer organizations.
D. The reporting structure for IT.

Case Study D Scenario

An IS auditor is auditing the IT governance practices for an organization. During the course of the work, it is noted that the organization does not have a full-time chief information officer (CIO). The organization chart of the entity provides for an information systems manager reporting to the chief financial officer (CFO), who in turn reports to the board of directors. The board plays a major role in monitoring IT initiatives in the entity and the CFO communicates on a frequent basis the progress of IT initiatives.


Case Study D Scenario (cont.)

From reviewing the segregation of duties matrix, it is apparent that application programmers are only required to obtain approval from the database administrator (DBA) to directly access production data. It is also noted that the application programmers have to provide the developed program code to the program librarian, who then migrates it to production. Information systems audits are carried out by the internal audit department, which reports to the CFO at the end of every month, as part of the business performance review process; the financial results of the entity are reviewed in detail and signed off by the business managers for correctness of data contained therein.

Case Study D Question D1

Given the circumstances described, what would be of GREATEST concern from an IT governance perspective?
A. The organization does not have a full-time CIO.
B. The organization does not have an IT steering committee.
C. The board of the organization plays a major role in monitoring IT initiatives.
D. The information systems manager reports to the CFO.

Case Study D Question D2

Given the case, what would be of GREATEST concern from a segregation of duties perspective?
A. Application programmers are required to obtain approval only from the DBA for direct write access to data.
B. Application programmers are required to turn over the developed program code to the program librarian for migration to production.
C. The internal audit department reports to the CFO.
D. Business performance reviews are required to be signed off only by the business managers.


Case Study D Question D3

Which of the following would BEST address data integrity from a mitigating control standpoint?
A. Application programmers are required to obtain approval from the DBA for direct access to data.
B. Application programmers are required to hand over the developed program code to the program librarian for transfer to production.
C. The internal audit department reports to the CFO.
D. Business performance results are required to be reviewed and signed off by the business managers.

Case Study E Scenario

An organization is developing revised business continuity plans (BCPs) and disaster recovery plans (DRPs) for its headquarters facility and network of 16 branch offices. The current plans have not been updated in more than eight years, during which time the organization has grown by over 300 percent. At the headquarters facility, there are approximately 750 employees. These individuals connect over a local area network to an array of more than 60 application, database and file/print servers located in the corporate data center and over a frame relay network to the branch offices. Traveling users access corporate systems remotely by connecting over the Internet using virtual private networking. Users at both headquarters and the branch offices access the Internet through a firewall and proxy server located in the data center. Critical applications have a recovery time objective (RTO) of between three and five days. Branch offices are located between 30 and 50 miles from one another, with none closer to the headquarters facility than 25 miles.

Case Study E Scenario (cont.)

Each branch office has between 20 and 35 employees plus a mail server and a file/print server. Backup media for the data center are stored at a third-party facility 35 miles away. Backups for servers located at the branch offices are stored at nearby branch offices using reciprocal agreements between offices. Current contracts with a third-party hot site provider include 25 servers, work area space equipped with desktop computers to accommodate 100 individuals, and a separate agreement to ship up to two servers and 10 desktop computers to any branch office declaring an emergency. The contract term is for three years, with equipment upgrades occurring at renewal time.
The hot site provider has multiple facilities throughout the country in case the primary facility is in use by another customer or rendered unavailable by the disaster. Senior management desires that any enhancements be as cost effective as possible.


Case Study E Question E1

On the basis of the above information, which of the following should the IS auditor recommend concerning the hot site?
A. Desktops at the hot site should be increased to 750.
B. An additional 35 servers should be added to the hot site contract.
C. All backup media should be stored at the hot site to shorten the RTO.
D. Desktop and server equipment requirements should be reviewed quarterly.

Case Study E Question E2

Based on the case study, which of the following should the IS auditor recommend concerning branch office recovery?
A. Add each of the branches to the existing hot site contract.
B. Ensure branches have sufficient capacity to back each other up.
C. Relocate all branch mail and file/print servers to the data center.
D. Add additional capacity to the hot site contract equal to the largest branch.

Practice Question 2-1

In order for management to effectively monitor the compliance of processes and applications, which of the following would be the MOST ideal?
A. A central document repository
B. A knowledge management system
C. A dashboard
D. Benchmarking


Practice Question 2-2

Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department

Practice Question 2-3

Which of the following BEST describes an IT department's strategic planning process?
A. The IT department will have either short-range or long-range plans depending on the organization's broader plans and objectives.
B. The IT department's strategic plan must be time- and project-oriented, but not so detailed as to address and help determine priorities to meet business needs.
C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.

Practice Question 2-4

The MOST important responsibility of a data security officer in an organization is:
A. recommending and monitoring data security policies.
B. promoting security awareness within the organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access controls.


Practice Question 2-5

What is considered the MOST critical element for the successful implementation of an information security (IS) program?
A. An effective enterprise risk management (ERM) framework
B. Senior management commitment
C. An adequate budgeting process
D. Meticulous program planning

Practice Question 2-6

An IS auditor should ensure that IT governance performance measures:
A. evaluate the activities of IT oversight committees.
B. provide strategic IT drivers.
C. adhere to regulatory reporting standards and definitions.
D. evaluate the IT department.

Practice Question 2-7

Which of the following tasks may be performed by the same person in a well-controlled information processing computer center?
A. Security administration and change management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance


Practice Question 2-8

Which of the following is the MOST critical control over database administration?
A. Approval of DBA activities
B. Segregation of duties
C. Review of access logs and activities
D. Review of the use of database tools

Practice Question 2-9

When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
A. Origination
B. Authorization
C. Recording
D. Correction

Practice Question 2-10

In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should an IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications
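Segregation-of-duties review recurs in Case Study D (question D2) and in practice questions 2-7, 2-9 and 2-10. Below is one way an auditor or IAM engineer checks a role assignment list against an incompatible-duty matrix, as an added example in Python that is not part of the review course. The duties, roles, users and the compensating control are constructed for illustration, and the conflict pairs are only those the case study and questions mention, not a complete matrix.

```python
"""Segregation-of-duties conflict check over role assignments (added example).

Every user's effective duties are derived from the roles and groups assigned
to them; each pair of duties is then tested against an incompatible-duty
matrix. A conflict covered by a registered compensating control is reported
as mitigated rather than dropped, so the reviewer still sees it.
"""
from itertools import combinations

# Constructed illustrative matrix: pairs of duties one person should not hold.
INCOMPATIBLE = {
    frozenset({"application_programming", "computer_operations"}),
    frozenset({"application_programming", "change_management"}),
    frozenset({"security_administration", "change_management"}),
    frozenset({"application_programming", "production_data_write"}),
    frozenset({"transaction_origination", "transaction_authorization"}),
    frozenset({"transaction_recording", "transaction_authorization"}),
    frozenset({"transaction_correction", "transaction_authorization"}),
}

# Constructed: duties conferred by each role or group.
ROLE_DUTIES = {
    "developer": {"application_programming"},
    "operator": {"computer_operations"},
    "librarian": {"change_management"},
    "secadmin": {"security_administration"},
    "prod_writers": {"production_data_write"},   # a group, not a job title
    "teller": {"transaction_origination", "transaction_recording"},
    "supervisor": {"transaction_authorization"},
    "auditor": set(),
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties conferred by every role/group; unknown names confer nothing."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def find_conflicts(assignments, compensating=None, rules=INCOMPATIBLE, role_duties=ROLE_DUTIES):
    """assignments: user -> set of role/group names.
    compensating: {(user, frozenset(duty_pair)): description} for accepted conflicts.
    Returns user -> list of {"pair": (a, b), "mitigated": bool, "control": str or None},
    pairs in sorted order; users without conflicts are omitted.
    """
    compensating = compensating or {}
    report = {}
    for user, roles in assignments.items():
        hits = []
        for a, b in combinations(sorted(effective_duties(roles, role_duties)), 2):
            pair = frozenset({a, b})
            if pair in rules:
                control = compensating.get((user, pair))
                hits.append({"pair": (a, b), "mitigated": control is not None, "control": control})
        if hits:
            report[user] = hits
    return report


def unmitigated(report):
    """(user, pair) tuples that still need action."""
    return [(u, h["pair"]) for u, hits in report.items() for h in hits if not h["mitigated"]]


def sample_review():
    """Constructed assignment list for illustration."""
    assignments = {
        "alice": {"developer", "librarian"},        # writes code and moves it to production
        "bob": {"developer", "operator"},           # small shop: one person programs and operates
        "carol": {"teller", "supervisor"},          # originates, records and authorizes
        "dave": {"developer", "prod_writers"},      # direct write to production data via a group
        "erin": {"auditor"},
    }
    compensating = {
        ("bob", frozenset({"application_programming", "computer_operations"})):
            "changes to development libraries are logged; only approved changes are implemented",
    }
    return find_conflicts(assignments, compensating)


if __name__ == "__main__":
    report = sample_review()
    for user, hits in report.items():
        for h in hits:
            status = "mitigated" if h["mitigated"] else "UNMITIGATED"
            print(f"{user}: {h['pair'][0]} + {h['pair'][1]} [{status}]")
    print(f"{len(unmitigated(report))} unmitigated conflict(s)")
```

Deriving duties from group membership as well as job roles is what surfaces cases like "dave", where a developer gains production write access through a group rather than a title. Keeping mitigated conflicts in the report, with the control named, gives the reviewer the evidence trail for accepted exceptions such as the operator/programmer combination in a small organization.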


Questions

Thanks
Sanjiv Arora
sa@tech-controls.com
+91 9810293733
www.tech-controls.com
