Module 2 IT Governance 2012 CISA Review Course

Upload: nouman-ashraf-awan

Post on 13-Apr-2017


Page 1: Chapter 2 IS AUDIT

Module 2: IT Governance

2012 CISA Review Course

Page 2: IT Governance

• IT governance, one of the domains of enterprise governance, comprises the body of issues addressed in considering how IT is applied within the enterprise.

• Fundamentally, IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are managed. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise.

Page 3: 2.4.1 Best Practices for IT Governance (continued)

IT governance has become significant due to:

• Business demands for better return from IT investments
• Concern over the increasing level of IT expenditures
• Need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting
• Selection of service providers and outsourcing
• Complexity of network security
• Adoption of control frameworks
• Benchmarking

Page 4: 2.4.1 Best Practices for IT Governance (continued)

Audit role in IT governance

• Audit plays a significant role in the successful implementation of IT governance within an organization
• Reporting on IT governance involves auditing at the highest level in the organization and may cross divisional, functional or departmental boundaries

Page 5: 2.4.2 IT Strategy Committee

• The creation of an IT strategy committee is an industry best practice

• Committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also to focus on IT value, risks and performance

Page 6: 2.4.4 Information Security Governance

• Importance of information security governance
• Integral part of IT governance
• Focused activity with specific value drivers
  – Confidentiality, integrity and availability of information
  – Continuity of services
  – Protection of information assets

Page 7: 2.4.4 Information Security Governance (continued)

Importance of information security governance

• Information security (infosec) covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties.

• Infosec is concerned with all aspects of information and its protection at all points of its life cycle within the organization.

Page 8: 2.3.4 Information Security Governance (continued)

Effective information security can add significant value to an organization by:

• Providing greater reliance on interactions with trading partners
• Improving trust in customer relationships
• Protecting the organization’s reputation
• Enabling new and better ways to process electronic transactions

Page 9: 2.4.4 Information Security Governance (continued)

Information security governance requires strategic direction and impetus from:

• Boards of directors / senior management
• Executive management
• Steering committees
• Chief information security officers

Page 10: 2.4.5 Enterprise Architecture

• Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments

Page 11: 2.5.1 Strategic Planning

• From an IS standpoint, strategic planning relates to the long-term direction an organization wants to take in leveraging information technology for improving its business processes

• Effective IT strategic planning involves a consideration of the organization’s demand for IT and its IT supply capacity

Page 12: 2.5.1 Strategic Planning (continued)

• The IS auditor should pay attention to the importance of IT strategic planning

• Focus on the importance of a strategic planning process or planning framework

• Consider how the CIO or senior IT management are involved in the creation of the overall business strategy

Page 13: 2.5.2 Steering Committee

• An organization’s senior management should appoint a planning or steering committee to oversee the IS function and its activities

• A high-level steering committee for information technology is an important factor in ensuring that the IS department is in harmony with the corporate mission and objectives

Page 14: 2.8.1 Policies

• High-level documents
• Represent the corporate philosophy of an organization
• Must be clear and concise to be effective

Page 15: 2.8.1 Policies (continued)

• Management should review all policies carefully
• Policies need to be updated to reflect new technology and significant changes in business processes
• Policies formulated must enable achievement of business objectives and implementation of IS controls

Page 16: 2.8.1 Policies (continued)

Information security policies

• Communicate a coherent security standard to users, management and technical staff
• Must balance the level of control with the level of productivity
• Provide management direction and support for information security in accordance with business requirements, relevant laws and regulations

Page 17: 2.8.1 Policies (continued)

Information security policy document

• Definition of information security
• Statement of management intent
• Framework for setting control objectives
• Brief explanation of security policies
• Definition of responsibilities
• References to documentation

Page 18: 2.8.1 Policies (continued)

Policy groups to be addressed

• High-level information security policy
• Data classification policy
• Acceptable usage policy
• End user computing policy
• Access control policies

Page 19: 2.8.1 Policies (continued)

Review of the information security policy document

• Should be reviewed at planned intervals or when significant changes occur to ensure its continuing suitability, adequacy and effectiveness
• Should have an owner who has approved management responsibility for the development, review and evaluation of the security policy
• Review should include assessing opportunities for improvement to the organization’s information security policy

Page 20: 2.8.2 Procedures

Procedures are detailed documents that:

• Define and document implementation policies
• Must be derived from the parent policy
• Must implement the spirit (intent) of the policy statement
• Must be written in a clear and concise manner

Page 21: 2.9 Risk Management

The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives

Page 22: 2.9.1 Developing a Risk Management Program

To develop a risk management program:

• Establish the purpose of the risk management program
• Assign responsibility for the risk management plan

Page 23: 2.9.2 Risk Management Process

• Identification and classification of information resources or assets that need protection
• Assess threats and vulnerabilities and the likelihood of their occurrence
• Once the elements of risk have been established, they are combined to form an overall view of risk

Page 24: 2.10.1 HR Management

• Hiring
• Employee handbook
• Promotion policies
• Training
• Scheduling and time reporting
• Employee performance evaluations
• Required vacations
• Termination policies

Page 25: 2.10.2 Sourcing Practices

• Sourcing practices relate to the way an organization obtains the IS function required to support the business
• Organizations can perform all IS functions in-house or outsource all functions across the globe
• Sourcing strategy should consider each IS function and determine which approach allows the IS function to meet the organization’s goals

Page 26: 2.10.3 Organizational Change Management

What is change management?

• Managing IT changes for the organization
  – Identify and apply technology improvements at the infrastructure and application level

Page 27: 2.10.4 Financial Management Practices

What is financial management?

• Financial management is a critical element of all business functions. In a cost-intensive computer environment, it is imperative that sound financial management practices are in place.

Page 28: 2.10.5 Quality Management

• Software development, maintenance and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• Human resource management
• General administration

Page 29: 2.10.7 Performance Optimization

• Process driven by performance indicators
• Optimization refers to the process of improving the productivity of information systems to the highest level possible without unnecessary additional investment in the IT infrastructure

Page 30: 2.11 IS Organizational Structure and Responsibilities

Page 31: 2.11.1 IS Roles and Responsibilities

• Systems development manager
• Help desk
• End user
• End user support manager

Page 32: 2.11.1 IS Roles and Responsibilities (continued)

• Data management
• Quality assurance manager
• Vendor and outsourcer management
• Operations manager

Page 33: 2.11.1 IS Roles and Responsibilities (continued)

• Media management
• Data entry
• Systems administration

Page 34: 2.11.1 IS Roles and Responsibilities (continued)

• Security administration
• Quality assurance
• Database administration

Page 35: 2.11.1 IS Roles and Responsibilities (continued)

• Systems analyst
• Applications development and maintenance
• Infrastructure development and maintenance
• Network management

Page 36: 2.11.2 Segregation of Duties Within IS

• Avoids possibility of errors or misappropriations
• Discourages fraudulent acts
• Limits access to data

Page 37: 2.11.3 Segregation of Duties Controls

Control measures to enforce segregation of duties include:

• Transaction authorization
• Custody of assets
• Access to data
  – Authorization forms
  – User authorization tables

Page 38: 2.11.3 Segregation of Duties Controls (continued)

Compensating controls for lack of segregation of duties include:

• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisory reviews
• Independent reviews
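The two slides above list the duties that must be kept apart (transaction authorization, custody of assets, access to data), the user authorization tables that record who holds which duty, and the compensating controls (transaction logs, exception reporting, reconciliation) that apply when full separation is not possible. The following is an added illustration, not course material or ISACA code: it runs the checks an auditor would want over a constructed user authorization table and a constructed transaction log. The duty names, the rule that any two of the three duties conflict, and the CSV log layout are assumptions made for the example.

```python
"""Segregation-of-duties (SoD) checks over a user authorization table and a
transaction log. Added example for illustration; all data is constructed."""
from itertools import combinations

# Assumption: these three duties (taken from the slide) are mutually
# incompatible, so any user holding two or more of them is a SoD conflict.
CONFLICTING_DUTIES = {"transaction_authorization", "asset_custody", "data_access"}

# Constructed user authorization table: user -> set of granted duties.
AUTHORIZATION_TABLE = {
    "alice": {"transaction_authorization"},
    "bob": {"asset_custody"},
    "carol": {"transaction_authorization", "asset_custody"},  # conflict
    "dave": {"data_access", "asset_custody"},                  # conflict
    "erin": {"data_access"},
}

# Constructed transaction log, one record per line:
# txn_id,authorized_by,executed_by,amount
TRANSACTION_LOG = """\
T1001,alice,bob,1200.00
T1002,carol,carol,9800.00
T1003,alice,dave,450.00
T1004,alice,alice,15000.00
T1005,bob,erin,80.00
"""


def find_sod_conflicts(table, incompatible=CONFLICTING_DUTIES):
    """Preventive check on the authorization table: return
    {user: [conflicting duty pairs]} for every user holding two or more
    incompatible duties."""
    conflicts = {}
    for user, duties in table.items():
        held = sorted(duties & incompatible)
        if len(held) >= 2:
            conflicts[user] = list(combinations(held, 2))
    return conflicts


def parse_log(log_text):
    """Parse the constructed CSV log into a list of record dicts."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        txn_id, authorized_by, executed_by, amount = line.strip().split(",")
        records.append({"txn_id": txn_id, "authorized_by": authorized_by,
                        "executed_by": executed_by, "amount": float(amount)})
    return records


def exception_report(log_text):
    """Compensating control (exception reporting over transaction logs):
    flag transactions where one person both authorized and executed."""
    return [(r["txn_id"], r["authorized_by"], r["amount"])
            for r in parse_log(log_text)
            if r["authorized_by"] == r["executed_by"]]


def reconcile_approvals(log_text, table):
    """Compensating control (reconciliation): every approver in the log must
    actually hold the transaction_authorization duty in the table."""
    return [(r["txn_id"], r["authorized_by"])
            for r in parse_log(log_text)
            if "transaction_authorization" not in table.get(r["authorized_by"], set())]


if __name__ == "__main__":
    print("SoD conflicts:", find_sod_conflicts(AUTHORIZATION_TABLE))
    print("Self-approved transactions:", exception_report(TRANSACTION_LOG))
    print("Approvals by users lacking the duty:",
          reconcile_approvals(TRANSACTION_LOG, AUTHORIZATION_TABLE))
```

The first function is the preventive control (review of the user authorization table); the other two are the detective, compensating controls the slide lists, and they catch different things: `exception_report` finds self-approval even by a user who legitimately holds the authorization duty, while `reconcile_approvals` finds approvals recorded for a user the table never granted that duty to, which points at either a log integrity problem or an access grant that bypassed the table.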

Page 39: 2.12 Auditing IT Governance Structure and Implementation

Indicators of potential problems include:

• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors

Page 40: 2.12.1 Reviewing Documentation

The following documents should be reviewed:

• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• Steering committee reports
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures

Page 41: 2.13 Business Continuity Planning

• Business continuity planning (BCP) is a process designed to reduce the organization’s business risk

• A BCP is much more than just a plan for the information systems

Page 42: 2.13 Business Continuity Planning (continued)

Corporate risks could cause an organization to suffer:

• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company assets, including intellectual property and personnel
• Business control failure
• Failure to meet legal or regulatory requirements

Page 43: 6.13.1 IS Business Continuity

IS processing is of strategic importance

• Critical component of overall BCP
• Most key business processes depend on the availability of key systems and infrastructure components

Page 44: 6.13.2 Disasters and Other Disruptive Events

• Disasters are disruptions that cause critical information resources to be inoperative for a period of time
• Good BCP will take into account impacts on IS processing facilities

Page 45: 6.13.3 Business Continuity Planning Process

Phases of the business continuity planning process

• Creation of a business continuity and disaster recovery policy
• Business impact analysis
• Classification of operations and criticality analysis
• Development of a business continuity plan and disaster recovery procedures
• Training and awareness program
• Testing and implementation of plan
• Monitoring

Page 46: 2.13.4 Business Continuity Policy

• A business continuity policy is a document approved by top management that defines the extent and scope of the business continuity effort (a project or an ongoing program) within the organization.

Page 47: 6.13.5 Business Continuity Planning Incident Management

All types of incidents should be categorized:

• Negligible
• Minor
• Major
• Crisis

Page 48: 6.13.6 Business Impact Analysis

• Critical step in developing the business continuity plan
• Three main questions to consider during the BIA phase:

1. What are the different business processes?

2. What are the critical information resources related to an organization’s critical business processes?

3. What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

Page 49: (no text on this slide)

Page 50: 6.13.9 Components of a Business Continuity Plan

A business continuity plan may consist of more than one plan document:

• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)

Page 51: 6.13.9 Components of a Business Continuity Plan (continued)

Components of the plan

• Key decision-making personnel
• Backup of required supplies
• Telecommunication networks disaster recovery methods
• Insurance

Page 52: 6.13.10 Plan Testing

• Schedule testing at a time that will minimize disruptions to normal operations
• Test must simulate actual processing conditions
• Test execution:
  – Documentation of results
  – Results analysis
  – Recovery / continuity plan maintenance

Page 53: 6.13.11 Summary of Business Continuity and Disaster Recovery

• Business continuity plan must:
  – Be based on the long-range IT plan
  – Comply with the overall business continuity strategy

Page 54: 6.13.11 Summary of Business Continuity and Disaster Recovery (continued)

• Process for developing and maintaining the BCP/DRP
  – Business impact analysis
  – Identify and prioritize systems
  – Choose appropriate strategies
  – Develop the detailed plan for IS facilities
  – Develop the detailed BCP
  – Test the plans
  – Maintain the plans

Page 55: 2.14 Auditing Business Continuity

• Understand and evaluate business continuity strategy
• Evaluate plans for accuracy and adequacy
• Verify plan effectiveness
• Evaluate offsite storage
• Evaluate ability of IS and user personnel to respond effectively
• Ensure plan maintenance is in place
• Evaluate readability of business continuity manuals and procedures

Page 56: 2.14.1 Reviewing the Business Continuity Plan

IS auditors should verify that basic elements of a well-developed plan are evident, including:

• Currency of documents
• Effectiveness of documents
• Interview personnel for appropriateness and completeness

Page 57: 2.14.2 Evaluation of Prior Test Results

IS auditors must review the test results to:

• Determine whether corrective actions are in the plan
• Evaluate thoroughness and accuracy
• Determine problem trends and resolution of problems

Page 58: 2.14.3 Evaluation of Offsite Storage

An IS auditor must:

• Evaluate presence, synchronization and currency of media and documentation
• Perform a detailed inventory review
• Review all documentation
• Evaluate availability of facility

Page 59: 2.14.4 Interviewing Key Personnel

• Key personnel must have an understanding of their responsibilities
• Current detailed documentation must be kept

Page 60: 2.14.5 Evaluation of Security at Offsite Facility

An IS auditor must:

• Evaluate the physical and environmental access controls
• Examine the equipment for current inspection and calibration tags

Page 61: 2.14.6 Reviewing Alternative Processing Contract

• An IS auditor should obtain a copy of the contract with the vendor
• The contract should be reviewed against a number of guidelines
  – Contract is clear and understandable
  – Organization’s agreement with the rules

Page 62: 2.14.7 Reviewing Insurance Coverage

• Insurance coverage must reflect actual cost of recovery
• Coverage of the following must be reviewed for adequacy:
  – Media damage
  – Business interruption
  – Equipment replacement
  – Business continuity processing