AIS 5131 - Managing Information and Technology

Chapter 1 - IT Governance and IT Strategy

Topics Covered - Chapter 1 Part A
● Introduction
● IT Governance and Strategy
● Enterprise Governance of Information and Technology (EGIT)
● Good Practices for EGIT
● Audit’s Role in EGIT

Introduction:

IT Governance:
● Not an isolated discipline
● Integral part
● Strategic direction, objectives, management of risks, and use of resources
    ○ When we speak of strategy – long term
    ○ Governance - whole company
    ○ Risk - uncertainty, danger, negative - opposite: certainty
    ○ You need to properly manage risk
● Setting of objectives, measure performance, benchmark against objectives, move forward or change direction
    ○ You always start with objectives
    ○ You compare your performance with objectives
    ○ Move forward - you achieved the objective
    ○ Change direction - you did not achieve the objective

IT Governance and IT Strategy
● Corporate governance practices: to be implemented for ethical issues, decision making and overall practices
● Who is responsible for governance? BOD
● IT governance: consists of leadership and organizational structures and processes
    - Control - an activity to address the risk
    - Proper risk management - implement good controls

Corporate Governance
● Management, BOD, shareholders, and stakeholders
● Objective setting, objective attainment, and monitoring performance
● Purpose: help build trust, transparency, and accountability for fostering long-term investment, financial stability, and business integrity
    - Ex. Enron - did not have trust, transparency, and accountability
    - Corporate social responsibility, subsidies
    - SDGs - part of companies becoming more inclusive

Corporate Governance Framework
● Purpose: (1) reduce inaccurate financial reporting, and (2) provide greater transparency and accountability
● Government regulations: (a) require senior management to sign off on internal controls, and (b) include an assessment of the internal controls over financial reports
    - SOX of 2002 - regulations on publicly traded companies
    - Listed under the US SEC - covered by SOX
    - Section 302 - disclosure controls
        - CEO - the highest-ranking executive
        - CFO - IT
    ❖ SOX SEC 302 - CEO and CFO should attest to the accuracy and reliability of the financial information of the company
    - SOX SEC 404 - include an assessment of the internal controls over financial reports
        ➢ Controls, testing, assessing
        ➢ The company should test and look at the design
        ➢ Important aspect: have an independent external auditor check the internal controls
    ❖ SOX SEC 404 - companies should annually assess and test their internal controls; an independent external auditor should inspect the internal controls
    ❖ SOX SEC 406 - pertains to the code of ethics for senior financial officers

Components of Enterprise Governance Framework
    - CISA - made by ISACA
    - Framework for manual controls - COSO (Committee of Sponsoring Organizations of the Treadway Commission)

Enterprise Governance of Information and Technology (EGIT)
● EGIT: system in which all stakeholders provide input to the IT decision-making process
● EGIT: responsibility of the BOD and executive management; “stewardship” of IT resources
● Management: implement systems and IT controls
● EGIT’s purpose: direct IT endeavors to ensure:
    ○ (1) alignment of IT with enterprise objectives, and
    ○ (2) achievement of promised benefits
● IT must exploit opportunities and maximize benefits
● IT resources must be used responsibly and IT-related risks must be managed properly
❖ All Stakeholders
    1. BOD
    2. Senior management
    3. Internal customers
    4. Departments

Processes/Practices in Implementing an EGIT Framework
a) IT resource management: maintaining an inventory of IT resources and a risk management process
b) Performance measurement: ensuring IT resources perform as expected to deliver value, and identification of risks early on
c) Compliance management: implementing processes that address legal and regulatory policies and contractual compliance requirements

Governance vs. Management
● ISACA: Information Systems Audit and Control Association
● COBIT: Control Objectives for Information and Related Technology
    - ISACA and COBIT go together, like debit and credit
● COBIT framework makes a clear distinction between governance and management, as follows:
    ○ Governance: ensures stakeholder needs, conditions and options are evaluated; prioritization and decision making; monitoring of performance and compliance
    ○ Management: plans, builds, runs and monitors activities to achieve objectives
❖ Governance - under the responsibility of the BOD (chairperson)
❖ Management - under the responsibility of the executive management (CEO)

Effective Enterprise Governance
● Individual and group expertise
● Before: IT is an enabler; Now: IT is an integral part
● Alignment of IT and enterprise objectives: a critical success factor; cannot simply be seen as either IT management or IT specialist operations
● IT needs guidance and supervision from the senior management and oversight from the BOD
● Key element: alignment of business and IT to achieve business value
● 2 issues: 1) IT delivers value to the business (strategic alignment) and 2) IT risk is managed (accountability)

Good Practices for EGIT
● Purpose of an IT Governance System: satisfy stakeholder needs and generate value
● Value: balance of benefits, risk and resources

Factors which made EGIT significant:
a. Demand of business managers and BOD for better return from IT investments
b. Increasing level of IT expenditure
c. Need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting, and in specific sectors
    ❖ Basel accords - banking regulation agreements to ensure that financial institutions have enough capital on account to absorb unexpected losses
    ❖ European Union (EU) General Data Protection Regulation (GDPR) - aims to regulate the processing of personal data of European Union (EU) citizens
        ➢ Equivalent of our Data Privacy Act
d. Selection of service providers and management of service outsourcing and acquisition
e. IT Governance initiatives: adoption of control frameworks and good practices to help monitor and improve critical IT activities
f. Need to optimize costs
    - Standardized approach - less cost
g. Acceptance of well-regarded frameworks
h. Need to assess performance against generally accepted standards

● Integration with governance: Evaluate, direct and monitor processes
● Evaluation, direction, and monitoring of:
    ○ 1) Conformance and performance
    ○ 2) The system of internal controls
    ○ 3) Compliance with external requirements

Audit’s Role in EGIT
● Establishment of internal controls: ensures good practices
● Good practices: guide to the use of resources
● Measurement and reporting of results: provide input to the cyclical revision and maintenance of controls
● IT is also governed by good practices which ensure that IT supports the business objectives, delivers value, uses resources responsibly, manages risk appropriately and measures performance
● Audit: has a very important role
● Audit: provides recommendations to senior management to help improve the IT governance initiatives
● Audit: helps ensure compliance
● Monitoring, analysis and evaluation of metrics: require an independent and balanced view for qualitative assessment and qualitative improvement
❖ Audit improves the following aspects of the IT Governance initiatives:
    ➢ Quality
    ➢ Effectiveness
● Auditing at the highest level of the enterprise; crossing divisional, functional or departmental boundaries
● The IS auditor should confirm that the terms of reference state the:
    ○ a) Scope of work
    ○ b) Reporting line to be used
    ○ c) IS auditor’s right to access information
❖ Terms of reference
    a) Scope (functional areas and issues to be covered)
    b) Reporting line (EGIT issues should be identified to the highest level of the organization)
    c) IS auditor’s right to access information (within the organization and from third-party (TP) service providers)
● Organizational status and skill sets of the IS auditor: should be considered for appropriateness; if found insufficient, consider a third party to perform the audit
● Aspects related to EGIT that need to be assessed:
    ○ 1. Alignment of enterprise governance and EGIT
    ○ 2. Alignment of the IT function with the enterprise’s mission, vision, values, objectives and strategies
    ○ 3. Achievement of performance objectives
    ○ 4. Legal, environmental, information quality, fiduciary, security and privacy requirements
    ○ 5. Control environment
    ○ 6. Inherent risk within the IS environment
    ○ 7. IT investment/expenditure
Topics Covered – Chapter 1 Part B
● Information Security Governance
● Effective Information Security Governance
● Information Systems Strategy
● Strategic Planning

Information Security Governance
● Strategic direction: defined by business goals and objectives
● Information security: supports business activities to be of value
● Information security governance
    ○ Subset of corporate governance
    ○ Provides strategic direction for security activities
    ○ Ensures achievement of objectives
    ○ Ensures information security risk is appropriately managed and enterprise information resources are used responsibly
● According to the US National Institute of Standards and Technology (NIST) Special Publication 800-100, Information Security Handbook: A Guide for Managers:
    ○ Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

Information Security Governance Framework
● Through establishment and maintenance of a framework
● Framework:
    ○ Guide for a comprehensive information security program
    ○ Basis for a cost-effective information security program
● Information security program: provides assurance that information assets are given protection commensurate with their value or the risk they pose to the organization

Elements of an Information Security Governance Framework
a. Security strategy
b. Security policies
c. Set of standards for each policy
d. Security organizational structure
e. Monitoring processes

Effective Information Security Governance
● Information security governance: one of the highest levels of focused activity; its specific drivers are:
    ○ confidentiality, integrity and availability (CIA) of information
    ○ continuity of services
    ○ protection of information assets
● Security has become a significant governance issue as a result of: global networking, rapid technological innovation and change, increased dependence on IT, increased sophistication of threat agents and exploits, and an extension of the enterprise beyond its traditional boundaries.
● Negligence of information security: diminishes the capacity to mitigate risk and take advantage of opportunities
● BOD and CEOs: accountable and responsible
● CEO:
    ○ Accountable to the BOD for information security governance
    ○ Responsible for its discharge through the executive management and the organization and resources under his/her charge
● Senior management: should come from varied operations and staff functions, to ensure fair representation
● Purpose: minimize leaning toward a specific business priority or technology overhead or security concerns
● The board-level committee approving security policies may include:
    ○ Directors
    ○ CEO
    ○ Chief Operating Officer (COO)
    ○ Chief Financial Officer (CFO)
    ○ Chief Risk Officer (CRO)
    ○ Chief Information Officer (CIO)
    ○ Chief Technology Officer (CTO)
    ○ Head of Human Resources (HR)
    ○ Chief of Audit
    ○ Chief Compliance Officer (CCO)
    ○ Legal
● Policy approval: consensus
● Information: key resource
● Technology: important from the time information is created until destroyed
● IT: pervasive; in enterprises and in social, public and business environments
● Because IT has become pervasive, enterprises now strive to:
    ○ a. Maintain high-quality information
    ○ b. Generate business value from IT-enabled investments
    ○ c. Achieve operational excellence
    ○ d. Maintain IT-related risk at an acceptable level
    ○ e. Optimize the cost of IT services and technology
    ○ f. Comply with relevant laws, regulations, contractual agreements and policies
● Protection efforts: currently focused on the information system rather than the information itself
● Above approach: too narrow to accomplish the needed security
● Information security: broader view; data, as well as the information and knowledge based on them, must be protected
● Applicable situations: data are shared easily over the Internet
● Protection efforts: both on the process and on the information resulting from the process
● Major trends globally: outsourcing and cloud computing
● Information security coverage: extends beyond the geographic boundary of the enterprise’s premises
● Basic outcomes of effective information security governance include:
    ○ Strategic alignment
    ○ Risk management
    ○ Compliance
    ○ Value delivery
● Basic outcomes are enabled through the development of:
    ○ a) Performance Measurement
    ○ b) Resource Management
    ○ c) Process Integration

a) Performance Measurement
● Measurement, monitoring and reporting; ensure that SMART objectives are achieved
● To be accomplished:
    ○ 1. Set of metrics aligned with strategic objectives
    ○ 2. Measurement process to identify shortcomings and provide feedback
    ○ 3. Independent assurance

b) Resource Management
● Efficient and effective use of information security knowledge and infrastructure
● To be considered:
    1. Ensure knowledge is captured and available
    2. Document security processes and practices
    3. Develop security architecture(s)

c) Process Integration
● Focus: integration of management assurance processes for security
● Security activities: fragmented and segmented in silos with different reporting structures
● Process integration: improves overall security and operational efficiencies

Information Systems Strategy
● Information systems: crucial for enterprises
    ○ Crucial in the support, sustainability, and growth of enterprises
● Before: minimal involvement of governing boards and senior management executives in IS strategy; decisions left to functional management
● Now: above approach no longer acceptable due to dependency on IS for operations and growth
● Internal and external threats: IS resource abuse, cybercrime, fraud, and errors and omissions
● IS strategic processes: integral components; provide assurance that goals and objectives will be attained for competitive advantage

Strategic Planning
● Strategic planning: long-term direction on IT to improve business processes
● Factors to consider in strategic planning include:
    ○ identifying IT solutions to address problems and opportunities
    ○ developing action plans
● Enterprises should ensure plans are
aligned and consistent with the goals and
objectives
● IT department management, IT steering
committee, Strategy committee: play a
key role in the development and
implementation of the plans
● Effective IS strategic planning involves a
consideration of:
○ Enterprise’s requirements for
information systems,
○ IT’s capacity to deliver new
functionality
● Determining requirements for information
systems involves:
○ Consideration of the strategic
intentions
○ How these intentions translate
into objectives and initiatives
○ IT capabilities to support
objectives and initiatives
● Existing system’s portfolio: be reviewed in
terms of functional fit, cost and risk
● Assessing IT’s capacity to deliver:
involves review of the technical IT
infrastructure and key support processes
to determine whether expansion or
improvement is necessary
● Strategic planning process:
○ Encompass the delivery of new
systems and technology
○ Consider return on investment
(ROI) on existing IT and the
decommissioning of legacy
systems
● Strategic IT plan: balance cost of
maintaining existing systems against the
cost of new systems

IS Auditors
1) Should pay attention to the importance of IS strategic planning
2) Must give importance to the strategic planning process or planning framework
3) Should consider how the CIO or senior IT management is involved in the creation of the overall business strategy
