AIS 5131 - MANAGING INFORMATION AND TECHNOLOGY

Chapter 6 IT Resource Management – Part ➔ Classification: Financial, strategic, or tactical

A ➔ Must be comprehensive and must be able
to change or be flexible as the organization
Introduction strategy changes
● Limited resources: the challenge faced by the ● First practical and necessary step for
enterprise; another challenge includes limited implementation: to standardize terminology to
people and money reduce misunderstandings
● Opportunity cost: inability to pursue other ● Other start-up tasks:
efforts - Ensure management commitment and
● The Role of IS auditor is to understand agreed-upon targets
investment (and allocation) practices to - Plan the portfolio management model in line
determine if the greatest value from the with the organization’s management
investment will be achieved process
➔ ROI of IT Investment (Traditionally) - - Specify portfolio inclusion criteria
about financial benefits, including impact on - Describe roles, tasks and decisions of those
the budget and finances; Includes cost involved
reductions and increase in revenues - Organize the required tools, support and
➔ ROI of IT Investment (Today) - considers instructions
nonfinancial benefits, including impact on ● Implementation methods include
operations/mission performance and - risk profile analysis;
results; both financial (budget and finance), - diversification of projects, infrastructure and
and nonfinancial (operations and results) are technologies;
discussed - continuous alignment with business goals;
● Nonfinancial benefits: must be made tangible and
using algorithms that transform the to monetary - continuous improvement.
units. Understands impact and improves ● Some projects are discretionary while others are
analysis. mandatory; either situation, documented business
case should be REQUIRED
● Completed programs must not to be deleted from
Value of IT
the portfolio; status must be changed; results be
● IT Project Selection: based on the perceived
evaluated versus (against) original plans
value of investment
● IT’s value: depends on the costs and benefits;
Implementing IT Portfolio Management: IT
the larger the benefit over the cost, the greater
Portfolio Management Versus Balance Scorecard
the value.;
● Balanced scorecard (BSC)
● IT Portfolio Management: differs from IT
➔ Used to help in strategic management in
financial management in that it has a directive;
organizations;
strategic goal in what to invest versus what to
➔ Anchored on four perspectives;
divest.
- Financial
- Business process
Implementing IT Portfolio Management:
- Customer
Introduction - Organizational capacity
● IT portfolio management: a method used to ➔ Enables to discover shortcomings and
determine if organization pursues the best come-up with strategies to overcome them
IT-related projects to achieve its goals ➔ While the BSC emphasize on vision and
● Portfolio criteria strategy in any investment decision, the
 oversight and control of operations budget
is not its goal
● IT Portfolio management
➔ Biggest advantage: agility in adjusting
investment
➔ Allows adjustment of investments based on
feedback mechanism
IT Management Practices
● IT-management practices: reflect the
implementation of policies and procedures
developed for various IT-related management
activities
● In most organizations, IT department: service
(support) department
● Traditional role of Service department: helps
production departments to conduct operations
more effectively and efficiently
● IT: an integral part of every facet of the
organization’s operations
● Role of IS auditor: should understand and
appreciate how well-managed IT department is
crucial to achieve the organization’s objectives
● Management activities includes organizational
change management, financial management
practices, information security management, and
HR management to review policy, procedures,
formulation and their effectiveness within the IT
Department
Organizational Change Management
● Organizational change management
➔ Involves the use of a documented process
to identify and apply technology
improvements at the infrastructure and
application levels which are beneficial to
organization
➔ Involves all levels impacted by the changes
● Purpose of involvement
➔ Ensures that IT department understand
users’ expectations
➔ Ensures changes are not resisted or ignored
by users after they are implemented
● IT department: focal point of changes -
leads/facilitates change in the organization
● How to lead/facilitate change?
- Be updated of technology changes leading to
business process improvements
- Obtain senior management commitment for
the changes or projects that would be
required at the user-level
● After obtaining senior management support for
changes: IT department works with the functional
areas to obtain their support
● Additional tasks of the IT department:
- Develop communication process for end
users to update them of changes, their impact
and benefit
- Provide method for user feedback and
involvement
● User feedback: should be obtained throughout
the project and includes validation of business
requirements, training, and testing of
new/changed functionality.
Financial Management Practices: Introduction
● Financial management: critical element of all
business functions
● In a cost-intensive computer environment, Sound
financial management practices: should be in
place
● User-pays scheme
➔ A chargeback method
➔ Improves application and monitoring of IS
expenses and available resources
➔ IS services costs including staff time,
computer time, and other relevant costs are
charged back to end users based on a
standard (uniform) formula or calculation
● Chargeback: provides “marketplace” measure of
the effectiveness and efficiency of IS services
● Chargeback policy: set forth by the Board and
jointly implemented by CFO, user management
and IS management
Financial Management Practices: IS Budgets
● IS management: must develop a budget
● Budget
➔ Allows forecasting, monitoring and analyzing
financial information
➔ Allows adequate allocation of funds especially
in an IS environment where expenses can be
cost intensive.
● IS budget: must be linked to short and long-range
IT plans
Financial Management Practices: Software
Development
● Accounting standards: requires companies to
have a detailed understanding of their
development efforts
➔ Time spent on specific projects and activities
● Role of IS auditor: must understand requirements
and practices to track software development
costs
● IAS 38: outlines six (6) criteria to be to capitalize
development costs
● IAS 38.57.d: “How intangible asset will generate
probable economic benefits”
● Intangible assets: include websites and software
➔ If passed the criterion: interpretations of
“usefulness of intangible asset” may vary
● Role of IS auditor: need to obtain guidance from
accountants for financial reporting
Information Security Management
● Ensures protection of the organization’s
information and information processing resources
under its control are properly protected
● Includes leading the implementation
organization-wide information security program
that includes the development of:
➢ Business Impact Analysis (BIA)
➢ Business Continuity Plan (BCP)
➢ Disaster Recovery Plan (DRP) related to IT
department functions in support of the
organization’s critical business processes
● Major component of information security
program: application of risk management
principles to assess risk of IT assets, to mitigate
risk at a level determined by management and to
monitor residual risk
Chapter 6 IT Resource Management – Part
B
Human Resource Management (HRM)
Introduction
● HR Management relays policies and procedures
about staff (recruiting, training, promoting,
measuring performance, disciplining, planning
for succession, retaining)
● Effectiveness of HRM activities impacts staff
quality and performance of IT duties
➔ IS Auditor should know of HRM issues, but
this is not tested in CISA
Hiring
● Hiring practices ensure choosing the most
effective and efficient employees and
compliance with legal recruitment requirements
● Common Controls:
➢ Background checks
➢ Confidentiality or non-disclosure
agreements (NDA); may include provision
on following the policy of the previous
employer
➢ Employment bond which protects from
of losses due to theft, mistakes, and neglect
➢ Conflict-of-Interest Agreements
➢ Code of Professional Conduct/Ethics
➢ Noncompete Agreements
● Control Risks:
➢ Employees not suitable for the position
➢ Reference checks not done
➢ Uncontrolled risk from temporary staff and
third-party contractors
➢ Lack of Awareness of confidentiality
requirements
Employee Handbook
● Should explain
➢ Security policies and procedures
➢ Acceptable and unacceptable conduct
➢ Organizational values and ethics code
➢ Company expectations
➢ Employee benefits
➢ Vacation (holiday) policies
➢ Overtime rules
 ➢ Outside Employment
➢ Performance evaluations
➢ Emergency procedures
➢ Disciplinary actions (excessive absence,
breach of confidentiality, noncompliance
with policies)
● Published code of conduct should be in place, it
shall specify responsibilities
Promotion Policies
● Should be fair and equitable, understood, based
on objective criteria, consider performance,
education, experience and responsibility
● The IS Auditor must ensure that well defined
policies and procedures for promotion are in
place and adhere to
Training
● Be provided regularly to all employees
● Important to IT professionals, due to rapid
change in technology
● Assures more effective and efficient use of IT
resources and strengthens employee morale
● Be provided when there is new
hardware/software
● Must include relevant management, project
management and technical training
● Cross-training
➔ More than one individual trained to perform
task
➔ Has advantage of decreasing dependence
on one employee
➔ Provides backup for personnel in case of
absence
➔ Before using this, assess first the risk of
any person knowing all and the related
exposure
Schedule and Time Reporting
● Proper scheduling: provides more efficient
operation and use of computing resources
● Time reporting: allows management to monitor
scheduling process
● Management: can determine adequacy of
staffing and efficiency of operation
● Information entered in the system: should be
accurate
● Time reporting: excellent source of information
for IT governance purposes
● Time
➔ Scarce resource in IT
➔ It’s proper reporting helps better manage
this finite resource
● Input from time reporting: useful for cost
allocation, invoicing, chargeback, key goal
indicator (KGI) and KPI measurement, and
activities analysis
Terms and Conditions of Employment
● Should be agreed-upon and signed by
employees, contractors and third-party users
● Should state the responsibilities for information
security
● Should reflect the organization’s security policy
Terms of conditions of employment should
clarify and state the:
➔ Signing of confidentiality or nondisclosure
agreement for all employees, contractors
and third-party users given access to
sensitive information, prior to giving
access to the IPFs
➔ Legal responsibilities and rights of the
employee, contractor and any other user
➔ Responsibilities for the classification of
information and management of
organizational assets associated with
information systems and services handled
by the employee, contractor or third-party
user
➔ Responsibilities for the handling of
information received from other
companies or external parties by the
employee, contractor or third-party user
➔ Responsibilities for the handling of
personal information by the organization
➔ Responsibilities extended outside the
premises and outside normal working
hours
➔ Actions to be taken if the employee,
contractor or third-party user disregards
the security requirements
● Organization: should ensure that employees,
contractors and third-party users agree to terms
 and conditions related to information security Required Vacations
appropriate to the access they will have to the ● Ensures someone other than the regular
assets related with information systems and employee performs a job, at least once a year
services ● Reduces opportunity to commit improper acts
● Responsibilities in the terms and conditions ● During this time, it’s possible to discover
of employment: should continue for a defined fraudulent activities as long as there is no
time after employment ends collusion
● Job rotation
During Employment ➔ Additional control to reduce risk of
● Management: should require employees, fraudulent acts
contractors and third party-users to apply ➔ Provides opportunity for another individual,
security other than the regular one, to perform the
job
Approved job descriptions:
➔ Guards against risk of overdependence on
- Include documentation of responsibilities
key staff by spreading the experience;
- Ensure employees, contractors and third
absence of job rotation leads to vulnerability
party-users are aware of information
if the key staff is unavailable
security threats, and their responsibilities
❖ Note: Mandatory leave is a control
and liabilities
- Ensure they are equipped to support the
Termination Policies
security policy in the course of their work
● Written termination policies
and to reduce risk of human error
➔ Should be established for clear steps on
- Management responsibilities: should be
employee separation
defined to ensure security is applied
➔ Should be structured to provide protection
throughout an individual’s employment
on computer assets and data
- Adequate awareness, education and
● Termination practices: should cover voluntary
training in security procedures and
and involuntary terminations
correct use of IPFs: should be provided
● Documented procedures for escorting
to all employees, contractors and
terminated employee: should be in place, for
third-party users
certain situations
- Formal disciplinary process: should be
● Control procedures
established
➔ Return of all devices, access keys, ID cards
and badges
Employment Performance Evaluations
➔ Deletion/revocation of assigned logon IDs
● Employee assessment/performance
and passwords
evaluation: standard feature for IT staff
➔ Notification
● HR department: ensures that IT managers and
➔ Arrangement of the final pay routines
employees set agreed-on goals
➔ Performance of a termination interview
● Assessment: can be set against goals, if
❖ Note: Change in job role may need
process is objective
the revocation and reissuance of
● Salary increments, bonuses, and promotions:
access rights similar to termination
based on performance
procedures
● Performance as basis of compensation: can
be used to gauge aspirations and satisfaction,
and identify problems
 Chapter 7 Enterprise Risk Management
Introduction
Risk Management includes:
● process of identifying vulnerabilities and threats
to the information resources used by an
organization in achieving business objectives
● deciding what countermeasures (safeguards or
controls), if any, to take in reducing risk to an
acceptable level (i.e., residual risk), based on the
value of the information resource to the
organization.
➔ Effective risk management: begins with a
clear understanding of the organization’s
appetite for risk.
● Risk appetite: drives risk management efforts
and impacts future investments in technology,
the extent to which IT assets are protected and
the level of assurance required.
● Risk Management: encompasses identifying,
analyzing, evaluating, treating, monitoring and
communicating the impact of risk on IT
processes
➔ Strategies for managing risk can be set and
responsibilities clarified.
Depending on the type of risk and its significance
to the business, management and the board may
choose to:
a) Avoid: eliminate the risk by eliminating the cause
➢ where feasible, choose not to
implement certain activities or
processes that would incur risk
b) Mitigate: lessen the probability or impact of the
risk by defining, implementing and monitoring
appropriate controls.
c) Share/Transfer: share risk with partners or
transfer via insurance, contractual agreement,
etc.
d) Accept: acknowledge and monitor risk
➔ Reject risk: can be chosen by organization
by ignoring risk, but dangerous and should
be considered a red flag by the IS auditor.
Developing a Risk Management Program
Steps to developing a risk management
program include:
1) Establish the purpose of the risk management
program
● First step: determine the purpose for the risk
management program
● Purpose: to reduce the cost of insurance or the
number of injuries
● Determine first the intention: can help define KPIs
and evaluate the results to determine
effectiveness
➔ Senior management, with the board of
directors: sets the tone and goals.
2) Assign responsibility for the risk management
plan
● Second step: designate an individual or team
responsible for developing and implementing the
risk management program
● Integration within all levels of the organization:
required, for a successful program
➔ Operations staff and board members:
should assist the risk management
committee in identifying risk and developing
suitable loss control and intervention
strategies.
Risk Management Process
● Repeatable process to manage IT risk: should be
identified and established
Step 1: Asset Identification
● First step: identification and collection of
relevant data for effective IT-related risk
identification, analysis and reporting
● This will help to identify information resources or
assets that need protection because they are
vulnerable to threats
● Threat: circumstance/event with potential to
cause harm to an information resource
● Purpose of the classification
 - To prioritize investigation and identify
protection
- To enable standard model of protection to
be applied
● Typical assets associated with information
and IT
- information and data
- hardware
- software
- documents,
- personnel
● More traditional business assets
- buildings
- stock of goods
- cash and intangible assets
Step 2: Evaluation of Threats
Vulnerabilities to Assets
● Second step: assess threats and vulnerabilities
associated with the information resource and the
likelihood of their occurrence
● Common threats
- Errors (less damage, human error)
- Malicious damage/attack
- Fraud
- Theft
- Equipment/software failure (less damage,
human error)
● IT risk: due to threats (or predisposing
conditions) with potential to exploit vulnerabilities
on information resources
● Vulnerabilities: characteristics that can be
exploited by a threat to cause harm
● Examples of vulnerabilities
- Lack of user knowledge
➢ poor choice of password
- Lack of security functionality
- Inadequate user awareness/ education
- Untested technology
- Transmission of unprotected
communications
● Human or environmental threat: should be
present for a vulnerability to be realized
● Typical human threat actors
- Novices (kiddie scripters): someone who
uses existing software to launch an
attack. uses a program without even
knowing how it works.
➢ ex. a kid who watched something
about hacking and tries it.
- Hacktivists: political activists. usually
directed to corporate or government
systems.
➔ difference between hackers and
hacktivists: intent
- Criminal
- Terrorists
- Nation-states: group of people who have
the same beliefs that form a state.
➢ ex. they want to claim a land
- Riots and civil unrest deface
● Environmental threats
and - Floods
- Lightning
- Tornados
- Hurricanes
- Earthquakes
Step 3: Evaluation of the Impact
● Impact
➔ Result of threat agent exploiting vulnerability
➔ Varies in magnitude, affected by severity and
duration
● Direct financial loss (short term) and/or indirect
financial loss (long term. ex. image sira): results
of threat
● Examples of losses
- Direct loss of money (ex theft, loss of
customer)
- Breach of legislation
- Loss of reputation/goodwill
- Endangering of staff or customers
- Breach of confidence
- Loss of business opportunity
- Reduction in operational
efficiency/performance
- Interruption of business activity
Step 4: Calculation of Risk
● Elements of risk: combined to form an overall
view of risk
● Calculate the probability × impact Multiple Levels of IT Risk Management
➔ Common method
➔ Gives a measure of overall risk A. Operational Level
● Risk
● Concerned with risk that could
➔ Proportional to likelihood of threat and
compromise:
value of the loss/damage
➢ Effectiveness and efficiency of IT
➔ Can be shown risk matrix or risk map
systems and supporting infrastructure
➢ Ability to bypass system controls
Step 5: Evaluation of and Response to Risk
➢ Possibility of loss or unavailability of key
● Evaluate existing controls or design new resources
controls: be done after risk identification, to ➢ Failure to comply with laws and
reduce the vulnerabilities to an acceptable level regulations
● Controls
B. Project Level
- Countermeasures or safeguards
- Include actions, devices, procedures, or ● Focus: ability to understand and manage
techniques project complexity; if not done effectively,
● Strength of a control measurement project objectives will not be met
- Design
- Effectiveness C. Strategic Level
● Characteristics of controls
● Risk focus shifts to considerations such as:
- Preventive, detective or corrective
➢ Alignment of IT capability with business
- Manual or automated
strategy
- Formal or ad hoc
➢ Comparability of IT capability with
● Residual risk:
competitors
- Remaining risk after applying control
➢ Threats and opportunities of
- Can be further reduced by identifying
technological change
areas in which more control is required
● Acceptable level of risk: can be established by
Risk Management Process Summary
management.
● Should achieve a cost-effective balance between
● Risk in excess of acceptable level: should be
the application of security controls as
reduced by implementing more stringent
countermeasures and the significant threats
controls.
● Some of the threats are related to security issues
● Risk below the acceptable level: should be
that can be extremely sensitive for some
evaluated, to know if there are excessive controls
industries
and if excessive controls can be removed for
cost savings.
Risk Analysis Methods
Final acceptance of residual risk considers:
- Organizational policy ● Most common risk analysis methods:
- Risk appetite - Qualitative Analysis Method
- Risk identification and measurement - Semiquantitative Analysis Method
- Uncertainty incorporated in the risk - Quantitative Analysis Method
assessment approach ● The use of these methods depends on the needs
- Cost and effectiveness of implementation of the organization as each has its own
- Cost of control vs. benefit advantages and limitations.
 A. Qualitative Analysis Methods ● For technology assets, cost of asset, cost of
replacement and value of information processed
● Use word or descriptive rankings to describe the by the assets should be considered.
impacts or likelihood
➔ no numerical value; descriptive label
● Simplest and most frequently used methods,
where the risk level is low
● Normally based on checklists and subjective risk
ratings (high, medium or low)
● Less complicated and less time-consuming but
lack the rigor that is customary for accounting
and management

B. Semiquantitative Analysis Methods

● Descriptive rankings are associated with a

numeric scale
● These methods are frequently used when it is not
possible to use a quantitative method or to
reduce subjectivity in qualitative methods
➢ Example: “high” is 5, “medium” is 3 and
“low” is 1
● Total weight for the subject area that is evaluated
may be aggregate of the weights derived for the
factors being considered

C. Quantitative Analysis Methods

● These methods use numeric (e.g., monetary)

values to describe the likelihood and impacts of
risk, using data from several types of sources
such as:
- Historic records
- Past experiences
- Industry practices and records
- Statistical theories
- Testing
- Experiments
● Benefit: provide measurable results
● Currently used by military, nuclear, chemical and
financial entities, as well as other areas
● Generally performed during a business impact
analysis (BIA)
● Main problem: valuation of information assets
● Different individuals may assign different values
to the same asset, depending on the relevance of
information to the individuals.
 SHORT ASSESSMENT:

1. ROI of IT Investment (Traditionally) considers already both the financial and nonfinancial benefits
such as the cost reductions and increases in revenues. ROI of IT Investment (Today) only considers
the financial benefits for the corporation.
a) Only the first statement is true.
b) Only the second statement is true.
c) Both statements are true.
d) Both statements are false.

2. In implementing IT Portfolio Management, standardizing terminology is an impractical and

unnecessary step to reduce misunderstanding. The implementation methods of IT Portfolio
Management include risk profile analysis, homogeneity of projects, infrastructure and technologies,
continuous alignment with business goals, and continuous improvement.
a) Only the first statement is true.
b) Only the second statement is true.
c) Both statements are true.
d) Both statements are false.

3. These practices are developed for various IT-related management activities to reflect the
implementation of policies and procedures.
a) Financial management practices
b) IT-management practices
c) Corporate governance practices
d) Operational management practices

4. How should the IT department lead/facilitate change in an organization?

a) Being updated of technology changes that could lead to significant business process
improvements
b) Obtaining senior management for the changes or projects that will be required at the user
level.
c) A only
d) Both A and B
5. Which of the following statements about the user-pays scheme is most correct?
a) It is not a form of chargeback.
b) It can improve application and monitoring of IS expenses and available resources
c) The cost of IS services – including staff time, computer time, and other relevant costs – are
not charged back to the end users based on a standard (uniform) formula or calculation
d) Where implemented, the chargeback policy should be set forth by the IS management and
jointly implemented by the Board, CFO, and user management

6. Which of the following statements about Information Security Management is most correct?
a) It requires companies to have a detailed understanding of their development efforts.
b) It must be able to develop a budget.
c) It ensures protection of information processing resources.
d) It involves the use of documented processes to identify and apply technology
improvements at the infrastructure and application levels which are beneficial to the
organization.

7. Some of the common controls in Hiring include the following, except:

a) Confidentiality agreements
b) Reference checks
c) Background checks
d) Non-compete agreements

8. The employee handbook should explain:

a) Conflict-of-Interest Agreements
b) Overtime rules
c) Code of Professional Conduct/Ethics
d) Non-disclosure Agreements

9. Proper scheduling provides more efficient operation and use of computing resources. It is also an
excellent source of information for IT governance purposes.
a) Only the first statement is true.
b) Only the second statement is true.
c) Both statements are true.
d) Both statements are false.
10. Which of the following is not a function of training?
a) It assures more effective and efficient use of IT resources.
b) It is important to IT professionals, due to rapid change in technology.
c) It has the advantage of decreasing dependence on one employee.
d) It includes relevant management, project management, and technical training.

11. Statement 1: Adequate awareness, education and training in security procedures and correct use
of IPFs should be provided to all employees alone.
Statement 2: Using performance as a basis of compensation cannot be used to gauge aspirations
and identify problems
a) Only Statement 1 is true
b) Only Statement 2 is true
c) Both statements are true
d) Both statements are false

12. The following are identified as control procedures in termination except:

a) Conducting a termination interview
b) Arrangement of the final pay routines
c) Retain the ownership of ID cards and badges
d) Notification

13. This drives risk management efforts and, in an IT context, impacts future investments in
technology, the extent to which IT assets are protected and the level of assurance required.
a) Risk management
b) Risk Appetite
c) Effective risk management
d) None of the above

14. All of the following are examples of sharing or transferring risk, except for one:
a) Share risk with partners
b) Transfer via insurance
c) Contractual agreement
d) Acknowledge and monitor risk
15. This step will help the organization in identifying what resources need protection from threats
because of their vulnerability.
a) Asset Identification
b) Evaluation of Threats and Vulnerabilities to Assets
c) Evaluation of the Impact
d) Calculation of Risk

16. Threats are usually a result of a direct financial loss in the short term or an ultimate (indirect)
financial loss in the long term. The following are examples of such losses, except:
a) Loss of goodwill
b) Loss of money
c) Loss of investors
d) Loss of business opportunities

17. Project level focuses on the ability to understand and manage project complexity; if not done
effectively, project objectives will not be met. Strategic Level is concerned with the risk that could
compromise the ability to bypass system controls.
a) Only the first statement is true.
b) Only the second statement is true.
c) Both statements are true.
d) Both statements are false.

18. This should be evaluated, to know if there are excessive controls and if excessive controls can be
removed to save costs.
a) Acceptable level of risk
b) Risk below acceptable level
c) Risk in excess of acceptable level
d) Residual risk

19. This method is frequently used when it is impossible to use a quantitative method or reduce
subjectivity in qualitative methods.
a) Semiqualitative Analysis Method
b) Semiquantitative Analysis Method
c) Quasi-qualitative Analysis Method
d) Quasi-quantitative Analysis Method
20. Different individuals may assign the same values to different assets, depending on the relevance of
the information to the individuals. The risk management process should achieve a cost-effective
imbalance between the application of security controls as countermeasures and the significant
threats.
a) Only the first statement is true.
b) Only the second statement is true.
c) Both statements are true.
d) Both statements are false.
 ANSWER KEY:

1. D 6. C 11. D 16. C

2. D 7. B 12. C 17. A

3. B 8. B 13. B 18. B

4. D 9. A 14. D 19. B

5. B 10. C 15. A 20. D

REFERENCES:
ISACA. (2019). CISA review manual (27th ed.).

PREPARED BY:
Aira Krishten J. Catibayan
Justine Angela G. Cureg
Marian Martina E. Firme
Kate Loushayne M. Gatapia
Jyruenth C. Llausas Sheila Mae DP. Tan
Julia J. Manlapaz Jenny Rose M. Villegas
Kimberly R. Perez Nicole D. Vinuya
April Bernadette Samantha B. Santia