Professional Documents
Culture Documents
Auditing
IT Governance
IS Audit-Week-8
Overview
Corporate Governance
IT Governance
Information Systems Strategy
Policies and Procedures
Risk Management
Information Systems Management Practices
IS Organizational Structure and
Responsibilities
Auditing the Management, Planning
and Organization of IS
1
Objective
Summary
2
2.1 Corporate Governance
Corporate Governance
3
Corporate Governance
4
Chapter 2 Question
Chapter 2 – Question 8
5
Monitoring and Assurance Practices for
Board and Executive Management
IT Value
Delivery
Performance
Measurement
11
6
Monitoring and Assurance Practices for
Board and Executive Management
IT Strategy committee
Is a mechanism for incorporating IT
governance into enterprise governance
As a committee of the board, it assists the
board on overseeing the enterprise‟s IT
related matters by ensuring that the board has
the internal and external information IT
requires for effective IT governance decision
making
Organizations have had steering committees
at an executive level to deal with IT issues
that are relevant organizationwide. There
should be a clear understanding of both the IT
strategy and steering levels. The ITGI issued a
document where a clear analysis is made
between them. 13
Risk Management
14
7
Monitoring and Assurance Practices for
Board and Executive Management
15
Mission
– Become the preferred supplier of information systems.
– Deliver effective and efficient IT applications and
services.
– Obtain a reasonable business contribution of IT
investments.
– Develop opportunities to answer future challenges.
16
8
Monitoring and Assurance Practices for
Board
and Executive Management
17
18
9
Monitoring and Assurance Practices
for Board and Executive Management
19
20
10
Monitoring and Assurance Practices
for Board and Executive Management
Importance of Information Security
Governance
Effective information security can add significant value to
the organization by:
• Providing greater reliance on interactions with trading
partners
• Improved trust in customer relationships
• Protecting the organization’s reputation
• Enabling new and better ways to process electronic
transactions
21
22
11
Monitoring and Assurance Practices
for Board and Executive Management
23
24
12
Monitoring and Assurance Practices
for Board and Executive Management
Enterprise Architecture
25
Enterprise Architecture
Basic Zachman Frameworks
Systems Model
Technology
Model
Detailed
Representation
13
Monitoring and Assurance Practices
for Board and Executive Management
Enterprise Architecture
27
Strategic Planning
28
14
Information Systems Strategy
Steering Committee(s)
The organization‟s senior management
should appoint a planning or steering
committee to oversee the information
systems function and its activities. A
high-level steering committee for
information technology is an important
factor in ensuring that the information
systems department is in harmony with
the corporate mission and objectives.
29
• Steering Committee
30
15
Chapter 2 Question 9
31
Chapter 2 Question 10
Which of the following BEST describes an IT
department’s strategic planning process?
A. The IT department will have either short-range or
long-range plans depending on the organization‟s
broader plans and objectives.
B. The IT department‟s strategic plan must be time-
and project-oriented, but not so detailed as to address
and help determine priorities to meet business needs.
C. Long-range planning for the IT department should
recognize organizational goals, technological advances
and regulatory requirements.
D. Short-range planning for the IT department does
not need to be integrated into the short-range plans of
the organization, since technological advances will drive
the IT department plans much quicker than
organizational plans.
32
16
2.4 Policies and Procedures
Policies
• High level
• Low level
33
Policies
17
Policies and Procedures
36
18
Policies and Procedures
37
38
19
Policies and Procedures
Procedures
Procedures are detailed documents. They must
be derived from the parent policy and must
implement the spirit (intent) of the policy
statement. Procedures must be written in a
clear and concise manner, so they may be
easily and properly understood by those
governed by them.
39
40
20
Risk Management
41
Risk Management
Risk Management Process
• Identification and classification of information resources or
assets that need protection
• Assess threats and vulnerabilities and the likelihood of
their occurrence Identification and classification of
information resources or assets that need protection
• Assess threats and vulnerabilities and the likelihood of
their occurrence
42
21
Risk Management
43
Risk Management
Risk Analysis Methods:
Qualitative and Quantitative
Are the simplest and most frequently used
Are based on checklist and subjective risk ratings
Semiquantitative Analysis Methods
the descriptive rankings are associated with a numerical scale.
Such methods are frequently used when it is not possible to utilize
a quantitative method or to reduce subjectivity in qualitative
methods.
Quantitative Analysis Methods
it uses numerical values to describe the likelihood and impacts of
risks, using data from several types of sources, such as historic
records, past experiences, industry practices and records,
statistical theories, testing, and experiments.
Probability and expectancy
Are based on classical statistical theories of probability and
expectancy
Annual loss expectancy method
Simplifies the assigment of value and probability in a
manner that is easier to quantify.
44
22
Risk Management
Management and IS auditors should
keep in mind certain considerations:
45
Personnel Management
• Hiring practices
• Employee handbook
• Promotion policies
• Training
46
23
IS Management Practices
Personnel Management
• Scheduling and time reporting
• Required vacations
• Termination policies
47
IS Management Practices
• Possible advantages
• Audit/security concerns
48
24
IS Management Practices
49
IS Management Practices
50
25
IS Management Practices
51
IS Management Practices
52
26
IS Management Practices
53
IS Management Practices
Quality Management
• Software development, maintenance and
implementation
• Acquisition of hardware and software
• Day-to-day operations
• Security
• Human resource management
• General administration
54
27
IS Management Practices
55
IS Management Practices
Performance Optimization
The broad phases of performance measurement:
Establishing and updating performance measures
Establishing accountability for performance measures
Gathering and analyzing performance data
Reporting and using performance information
56
28
2.7 IS Organizational Structure and
responsibilities
IS Organizational Structure
and Responsibilities
58
29
IS Organizational Structure
and Responsibilities
• Media management
• Data entry
• Systems administration
• Security administration
• Quality assurance
• Database administration
59
IS Organizational Structure
and Responsibilities
• Security Architect
• Application programming
• Systems programming
• Network management
60
30
IS Organizational Structure
and Responsibilities
61
62
31
Chapter 2 Question 2
63
Chapter 2 Question 3
64
32
Chapter 2 Question 4
Chapter 2 Question 5
66
33
Chapter 2 Question 6
Chapter 2 Question 7
68
34
IS Organizational Structure
and Responsibilities
69
IS Organizational Structure
and Responsibilities
70
35
2.8 Auditing IT Governance Structure
and Implementation
include:
Unfavorable end-user attitudes
Excessive costs
Budget overruns
Late projects
High staff turnover
Inexperienced staff
Frequent hardware/software errors
An excessive backlog of user requests
Slow computer response time
71
include (cont.):
Numerous aborted or suspended development projects
Unsupported or unauthorized hardware/software
purchases
Frequent hardware/software upgrades
Extensive exception reports
Exception reports that were not followed up on
Poor motivation
Lack of succession plans
A reliance on one or two key personnel
Lack of adequate training
72
36
Auditing IT Governance Structure
and Implementation
Reviewing Documentation
73
Reviewing Documentation
• IT strategies, plans and budgets
• Security policy documentation
• Organization / functional charts
• Job descriptions
• Steering committee reports
• Systems development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures
74
37
Auditing IT Governance Structure
and Implementation
• Contract compliance
75
38
Chapter 2: Case study Question 1
Which of the following should be of MOST concern
to the IS auditor?
77
78
39