2012 CISA Review Coursebook

Auditing
IT Governance

IS Audit-Week-8

Overview

Corporate Governance
IT Governance
Information Systems Strategy
Policies and Procedures
Risk Management
Information Systems Management Practices
IS Organizational Structure and
Responsibilities
Auditing the Management, Planning
and Organization of IS

1
Objective

Ensure that whoever want to be an

auditor…

“understands and can provide

assurance
that the organization has the structure,
policies, accountability mechanisms
and monitoring practices in place to
achieve the requirements of
corporate governance of IT.”
3

Summary

According to the CISA Certification

Board, this Content Area will represent
approximately 15% of the CISA examination.
(approximately 30 questions)

2
2.1 Corporate Governance

• Ethical corporate behavior by directors or others charged

with governance in the creation and presentation for all
stakeholders
• Establishment of rules in managing and reporting
business risks
• IT governance

Corporate Governance

Corporate governance is a set of

responsibilities and practices used by an
organization‟s management to provide
strategic direction, thereby ensuring
that goals are achievable, risks are
properly addressed and organizational
resources are properly utilized.

3
Corporate Governance

ITGI Best Practices for Corporate

Governance
IT governance is the responsibility of the
board of directors and executive management.
It is an integral part of enterprise governance
and consists of the leadership and
organizational structures and processes that
ensure that the organization‟s IT sustains and
extends the organization‟s strategy and
objectives

2.2 Monitoring and Assurance

Practices for Board and
Executive Management
IT Governance encompasses:
• Information systems
• Technology
• Communication
IT Governance helps ensure the alignment of IT and
enterprise objectives.
Fundamentally IT governance is concerned with two
issues
• IT delivers value to the business
• driven by strategic alignment of IT with the business
• IT risks are mitigated
• driven by embedding accountability into the enterprise
IT Governance is the responsibility of the board of
directors and executive management

4
Chapter 2 Question

IT governance ensures that an organization

aligns its IT strategy with:
A. enterprise objectives.
B. IT objectives.
C. audit objectives.
D. control objectives.

Chapter 2 – Question 8

An IS auditor should ensure that IT

governance performance measures,:

A. evaluate the activities of IT oversight

committees.

B. provide strategic IT drivers.

C. adhere to regulatory reporting standards

and definitions.

D. evaluate the IT department.

10

5
Monitoring and Assurance Practices for
Board and Executive Management

IT governance is a structure of relationships:

IT Value
Delivery

Strategic Stakeholders Risk

Alignment Value Drivers Management

Performance
Measurement

11

Monitoring and Assurance Practices for

Board and Executive Management

Audit Role in IT Governance:

 Audit plays a significant role in a successful
implementation of IT governance. Audit is best
positioned to provide leading practice
recommendations to help improve the quality
and effectiveness of the IT governance
initiatives implemented.
 Audit helps ensure compliance with IT
governance initiatives implemented within an
organization. IT governance initiatives
requires an independent and balanced view to
ensure a qualitative assessment that
subsequently facilitates the qualitative
improvement of IT processes and associated
IT governance initiatives.
12

6
Monitoring and Assurance Practices for
Board and Executive Management

IT Strategy committee
 Is a mechanism for incorporating IT
governance into enterprise governance
 As a committee of the board, it assists the
board on overseeing the enterprise‟s IT
related matters by ensuring that the board has
the internal and external information IT
requires for effective IT governance decision
making
 Organizations have had steering committees
at an executive level to deal with IT issues
that are relevant organizationwide. There
should be a clear understanding of both the IT
strategy and steering levels. The ITGI issued a
document where a clear analysis is made
between them. 13

Monitoring and Assurance Practices for

Board and Executive Management

Risk Management

Dependent on the type of risk and its

significance to the business,
management and the board may
choose between:
Mitigate
Transfer
Accept

14

7
Monitoring and Assurance Practices for
Board and Executive Management

Standard IT Balanced Score Card:

Is a process management evaluative

technique that can be applied to the IT
business governance process in
assesing IT functions and processes

15

Monitoring and Assurance Practices for

Board and Executive Management

Standard IT Balanced Score Card

To apply to IT, a three-layered structure

is used in addressing the perspectives

 Mission
– Become the preferred supplier of information systems.
– Deliver effective and efficient IT applications and
services.
– Obtain a reasonable business contribution of IT
investments.
– Develop opportunities to answer future challenges.

16

8
Monitoring and Assurance Practices for
Board
and Executive Management

Standard IT Balanced Score Card

three-layered structure ( cont.)

Strategies
Develop superior applications and operations.
Develop user partnerships and greater customer services.
Provide enhanced service levels and pricing structures.
Control IT expenses.
Provide business value to IT projects.
Provide new business capabilities.
Train and educate IT staff and promote excellence.
Provide support for research and development.
Measures
Provide a balanced set of metrics (i.e., KPIs) to guide business-
oriented IT decisions.

17

Monitoring and Assurance Practices

for Board and Executive Management

Standard IT Balanced Score Card

Use of an IT Balanced Score Card is one

of the most effective means to aid the
IT Strategy committee and
management in achieving IT and
business alignment

18

9
Monitoring and Assurance Practices
for Board and Executive Management

Information Security Governance

• Focused activity with specific value drivers:
• Integrity of information
• Continuity of services
• Protection of information assets
• Integral part of IT governance

19

Monitoring and Assurance Practices

for Board and Executive Management

Importance of Information Security

Governance
• Information security (infosec) covers all information
processes, physical and electronic, regardless of whether
they involve people and technology or relationships with
trading partners, customers and third parties. Information
security is concerned with all aspects of information and
its protection at all points of its life cycle within the
organization.

20

10
Monitoring and Assurance Practices
for Board and Executive Management
Importance of Information Security
Governance
Effective information security can add significant value to
the organization by:
• Providing greater reliance on interactions with trading
partners
• Improved trust in customer relationships
• Protecting the organization’s reputation
• Enabling new and better ways to process electronic
transactions

21

Monitoring and Assurance Practices

for Board and Executive Management

Outcomes of Security Governance

 Strategic alignment with business strategy
 Manage and execute appropriate measures to
mitigate risks
 Value delivery - optimize security investments
 Resource management - utilize information
security knowledge and infrastructure
efficiently and effectively
 Performance measurement - measure,
monitor and report on information security
processes to ensure objectives

22

11
Monitoring and Assurance Practices
for Board and Executive Management

Effective Information Security Governance

 Information security governance is a subset of
corporate governance that provides strategic
direction for security activities and ensures
objectives are achieved. It ensures that
information security risks are appropriately
managed and enterprise information resources
are used responsibly.

23

Monitoring and Assurance Practices

for Board and Executive Management

Information Security Governance –

roles and resposibilities

 Boards of Directors/Senior Management

 Executive Management
 Steering Committee
 CISO

24

12
 Monitoring and Assurance Practices
for Board and Executive Management

Enterprise Architecture

Involves documenting an organization‟s

IT assets in a structured manner to
facilitate understanding, management
and planning for IT investments

25

Monitoring and Assurance Practices

for Board and Executive Management

Enterprise Architecture
Basic Zachman Frameworks

Data Functional Network People Process Strategy

Scope
Enterprise Model

Systems Model

Technology
Model
Detailed
Representation

13
Monitoring and Assurance Practices
for Board and Executive Management

Enterprise Architecture

The Federal Enterprise Arquitecture

(FEA) has a hierarchy of five reference
models
Performance
Business
Service component
Technical
Data

27

2.3 Information Systems Strategy

Strategic Planning

 From an information systems

standpoint it relates to the long-term
direction an organization wants to take
in leveraging information technology for
improving its business processes.
 Effective IT strategic planning involves
a consideration of the organization‟s
demand for IT and its IT supply
capacity.

28

14
Information Systems Strategy

Steering Committee(s)
The organization‟s senior management
should appoint a planning or steering
committee to oversee the information
systems function and its activities. A
high-level steering committee for
information technology is an important
factor in ensuring that the information
systems department is in harmony with
the corporate mission and objectives.

29

Information Systems Strategy

Planning / Steering Committee

• Review Board for major IS projects

• Steering Committee

30

15
Chapter 2 Question 9

Which of the following would be included

in an IS strategic plan?
A. Specifications for planned hardware
purchases
B. Analysis of future business
objectives
C. Target dates for development
projects
D. Annual budgetary targets for the IS
department

31

Chapter 2 Question 10
Which of the following BEST describes an IT
department’s strategic planning process?
A. The IT department will have either short-range or
long-range plans depending on the organization‟s
broader plans and objectives.
B. The IT department‟s strategic plan must be time-
and project-oriented, but not so detailed as to address
and help determine priorities to meet business needs.
C. Long-range planning for the IT department should
recognize organizational goals, technological advances
and regulatory requirements.
D. Short-range planning for the IT department does
not need to be integrated into the short-range plans of
the organization, since technological advances will drive
the IT department plans much quicker than
organizational plans.

32

16
2.4 Policies and Procedures

Policies
• High level

• Low level

• Information security policy

Procedures

33

Policies and Procedures

Policies

 Policies are high-level documents.

They represent the corporate
philosophy of an organization and the
strategic thinking of senior
management and the business process
owners. To be effective, they must be
clear and concise.
 Policies are „rule of the road‟ – They are
part of the fundamental documentation
for internal control systems.
34

17
Policies and Procedures

Information Security Policy

Information security policy provides
management the direction and support
for information security in accordance
with business requirements and
relevant laws and regulations.
Management should set a clear policy
direction in line with business objectives
and demonstrate support for and
commitment to information security
through the issuance and maintenance
of an information security policy for the
organization.
35

Policies and Procedures

Information Security Policy Document

 Definition of information security
 Statement of management intent
 Framework for setting control objectives
 Brief explanation
 Definition of responsibilities
 References to documentation

36

18
Policies and Procedures

Review of Information Security Policy

Input of management review
Feedback from interested parties
Results of independent reviews
Status of preventive and corrective actions
Results of previous management reviews
Process performance and information security policy compliance
Changes that could affect the organization’s approach to managing
information security, including changes to the organizational
environment; business circumstances; resource availability;
contractual, regulatory and legal conditions; or technical
environment
Trends related to threats and vulnerabilities
Reported information security incidents
Recommendations provided by relevant authorities

37

Policies and Procedures

Review of Information Security Policy

Output from management review
Improvement of the organization’s approach to managing
information security and its processes
Improvement of control objectives and controls
Improvement in the allocation of resources and/or
responsibilities

38

19
Policies and Procedures

Procedures
Procedures are detailed documents. They must
be derived from the parent policy and must
implement the spirit (intent) of the policy
statement. Procedures must be written in a
clear and concise manner, so they may be
easily and properly understood by those
governed by them.

39

2.5 Risk Management

The process of identifying vulnerabilities

and threats to the information
resources used by an organization in
achieving business objectives
A summary of this concept is shown in
the following equation:
Total risk = Threats x Vulnerability x
Asset value

40

20
Risk Management

Developing a Risk Management

Program
• Establish the purpose of the risk management program
• Assign responsibility for the risk management plan

41

Risk Management
Risk Management Process
• Identification and classification of information resources or
assets that need protection
• Assess threats and vulnerabilities and the likelihood of
their occurrence Identification and classification of
information resources or assets that need protection
• Assess threats and vulnerabilities and the likelihood of
their occurrence

42

21
Risk Management

IT risk management needs to operate

at multiple levels including:
 Operation: risks that could compromise the
effectiveness of IT systems and supporting
infrastructure
 Project: risks management needs to focus on
the ability to understand and manage project
complexity
 Strategic: the risk focus shifts to
considerations such as how well the IT
capability is aligned with the business strategy

43

Risk Management
 Risk Analysis Methods:
Qualitative and Quantitative
Are the simplest and most frequently used
Are based on checklist and subjective risk ratings
Semiquantitative Analysis Methods
the descriptive rankings are associated with a numerical scale.
Such methods are frequently used when it is not possible to utilize
a quantitative method or to reduce subjectivity in qualitative
methods.
Quantitative Analysis Methods
it uses numerical values to describe the likelihood and impacts of
risks, using data from several types of sources, such as historic
records, past experiences, industry practices and records,
statistical theories, testing, and experiments.
Probability and expectancy
Are based on classical statistical theories of probability and
expectancy
Annual loss expectancy method
Simplifies the assigment of value and probability in a
manner that is easier to quantify.
44

22
Risk Management
Management and IS auditors should
keep in mind certain considerations:

 Should be applied to IT functions company wide

 Is a senior management responsibility
 Quantitative RM is preferred over qualitative approaches
 Quantitative RM always face the challenge of estimating
risks
 Quantitative RM provides more objective assumptions
 The real complexity or the apparent sophistication of
the methods or packaged used should not be a
substitute commonsense or professional diligence
 Special care should be given to very high impact events,
even if there probability of occurrence over time is very
low.

45

2.6 IS Management Practices

Personnel Management
• Hiring practices

• Employee handbook

• Promotion policies

• Training

46

23
IS Management Practices

Personnel Management
• Scheduling and time reporting

• Employee performance evaluations

• Required vacations

• Termination policies

47

IS Management Practices

Outsourcing Practices (Service Level

Agreements)
• Reasons for embarking on outsourcing

• Services provided by a third party

• Possible advantages

• Possible disadvantages and business risks

• Means of reduction of business risks

• Service Level Agreements

• Audit/security concerns

48

24
IS Management Practices

Strategies in Audit of Outsourcing

• Third Party Audit Report

• Periodic Reviews by the User’s Auditor

49

IS Management Practices

Capacity and growth planning

Given the strategic importance of IT in

companies and the constant change in
technology, capacity and growth
planning are essential. This activity
must be reflective of the long- and
short-range business plans and must be
considered within the budgeting
process.

50

25
IS Management Practices

Third-party Service Delivery

Management
Service delivery
Monitoring and review
Managing changes
Service improvement and user satisfaction
Industry Standards/Benchmarking

51

IS Management Practices

Organizational Change management

Change management is managing IT changes
for the organization, where a defined and
documented process exists to identify and
apply technology improvements at the
infrastructure and application(s) level that are
beneficial to the organization and involving all
levels of the organization impacted by the
changes.

52

26
IS Management Practices

Financial Management Practices

Financial management is a critical element of
all business functions. In a cost-intensive
computer environment, it is imperative that
sound financial management practices be in
place.
user-pays scheme
chargeback
IS Budgets

53

IS Management Practices

Quality Management
• Software development, maintenance and
implementation
• Acquisition of hardware and software
• Day-to-day operations
• Security
• Human resource management
• General administration

54

27
IS Management Practices

Standards to Assist the Organization

• ISO standard interpretation

• Capability maturity model

55

IS Management Practices

Information Security Management

Performance Optimization
The broad phases of performance measurement:
Establishing and updating performance measures
Establishing accountability for performance measures
Gathering and analyzing performance data
Reporting and using performance information

56

28
2.7 IS Organizational Structure and
responsibilities

IS Organizational Structure
and Responsibilities

IS Roles & Responsibilities

• Systems Development Manager
• Help Desk
• End user
• End user support manager
• Data management
• Quality assurance manager
• Vendor and outsourcer management

58

29
IS Organizational Structure
and Responsibilities

IS Roles & Responsibilities

• Control group

• Media management

• Data entry

• Systems administration

• Security administration

• Quality assurance

• Database administration

59

IS Organizational Structure
and Responsibilities

IS Roles & Responsibilities

• Systems analysis

• Security Architect

• Application programming

• Systems programming

• Network management

60

30
IS Organizational Structure
and Responsibilities

Segregation of Duties Within IS

• Avoids possibility of errors or misappropriations

• Discourages fraudulent acts

• Limits access to data

61

IS Organizational Structure and

Responsibilities

62

31
Chapter 2 Question 2

Which of the following tasks may be performed

by the same person in a well-controlled
information processing computer center?
A. Security administration and change
management
B. Computer operations and system
development
C. System development and change
management
D. System development and systems
maintenance

63

Chapter 2 Question 3

Which of the following is the MOST critical

control over database administration?
A. Approval of DBA activities
B. Segregation of duties
C. Review of access logs and activities
D. Review of the use of database tools

64

32
Chapter 2 Question 4

The MOST important responsibility of a

data security officer in an organization
is:
A. recommending and monitoring data
security policies.
B. promoting security awareness within
the organization.
C. establishing procedures for IT
security policies.
D. administering physical and logical
access controls.
65

Chapter 2 Question 5

When a complete segregation of duties

cannot be achieved in an online system
environment, which of the following
functions should be separated from the
others?
A. Origination
B. Authorization
C. Recording
D. Correction

66

33
Chapter 2 Question 6

In a small organization, where segregation of

duties is not practical, an employee performs the
function of computer operator and application
programmer. Which of the following controls
should the IS auditor recommend?
A. Automated logging of changes to
development libraries
B. Additional staff to provide segregation of
duties
C. Procedures that verify that only approved
program changes are implemented
D. Access controls to prevent the operator from
making program modifications
67

Chapter 2 Question 7

Which of the following is MOST likely to be

performed by the security administrator?
A. Approving the security policy
B. Testing application software
C. Ensuring data integrity
D. Maintaining access rules

68

34
IS Organizational Structure
and Responsibilities

Segregation of Duties Controls

• Transaction authorization
• Custody of assets
• Access to data
• Authorization forms
• User authorization tables

69

IS Organizational Structure
and Responsibilities

Compensating controls for Lack of

Segregation of Duties
Audit trails
Reconciliation
Exception reporting
Transaction logs
Supervisory reviews
Independent reviews

70

35
2.8 Auditing IT Governance Structure
and Implementation

Indicators of potential problems

include:
 Unfavorable end-user attitudes
 Excessive costs
 Budget overruns
 Late projects
 High staff turnover
 Inexperienced staff
 Frequent hardware/software errors
 An excessive backlog of user requests
 Slow computer response time
71

Auditing IT Governance Structure

and Implementation

Indicators of potential problems

include (cont.):
 Numerous aborted or suspended development projects
 Unsupported or unauthorized hardware/software
purchases
 Frequent hardware/software upgrades
 Extensive exception reports
 Exception reports that were not followed up on
 Poor motivation
 Lack of succession plans
 A reliance on one or two key personnel
 Lack of adequate training
72

36
Auditing IT Governance Structure
and Implementation

Reviewing Documentation

Reviewing Contractual Commitments

73

Auditing IT Governance Structure

and Implementation

Reviewing Documentation
• IT strategies, plans and budgets
• Security policy documentation
• Organization / functional charts
• Job descriptions
• Steering committee reports
• Systems development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures

74

37
 Auditing IT Governance Structure
and Implementation

Reviewing Contractual Commitments

• Development of contract requirements

• Contract bidding process

• Contract selection process

• Contract acceptance
• Contract maintenance

• Contract compliance

75

2.9 Case Study

IS Auditor review draft of outsourcing contract and SLA and
recommend changes prior ti thees being sent to senior
management approval
• Agreement includes outsourcing support of windows and unix server
administration and network management to third party
• Server will be relocated to outsourcer facility in another country, Internet
connect
• Operating software will be upgraded on a semiannual basis, but not escrowed
• Requests for change user account will be processed within three business
days
• Intrusion detection software will be continously monitored by outsourcer,
customer notified anomalies by e_mail
• New employees hired within last three years, prior no policy present
• Right to audit clause is in place, 24-hour notice is required to onsite visit
• If Outsorcer found to be in violation of contract, it will have 10 business days
to correct deficiency
• Outsorcer does not have IS auditor, but audited by regional public accounting
firm
76

38
Chapter 2: Case study Question 1
Which of the following should be of MOST concern
to the IS auditor?

A. User account changes are processed within three

business days.

B. Twenty-four hour notice is required prior to an onsite

visit.

C. The outsourcer does not have an IS audit function.

D. Software escrow is not included in the contract.

77

Chapter 2: Case study Question 2

Which of the following would be the MOST significant issue to
address if the servers contain personally identifiable customer
information that is regularly accessed and updated by end
users?

A. The country in which the outsourcer is based prohibits the

use of strong encryption for transmitted data.

B. The outsourcer limits its liability if it took reasonable steps

to protect the customer data.

C. The outsourcer did not perform background checks for

employees hired over three years ago.

D. System software is only upgraded once every six months.

78

39