
Certified Information Systems Auditor Exam Prep: Understanding the Role of IT Governance

IT governance, the belief that the managers, directors, and others in charge of the organization must understand the role of IT in the organization and not treat it simply as a black box, is established by creating an IT strategy committee, developing policies and procedures, defining job roles, executing good HR practices, and performing risk assessments and periodic audits. This chapter discusses each of these topics.

This chapter helps you prepare for the Certified Information Systems Auditor (CISA) exam by covering the following ISACA objectives, which include understanding the role IT governance plays in providing assurance. The assurance structure starts at the top with senior management and continues downward through the organization. This includes items such as the following:

Tasks

  • Evaluate the effectiveness of the IT governance structure to ensure adequate board control over the decisions, directions, and performance of IT so that it supports the organization's strategies and objectives.
  • Evaluate the IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives.
  • Evaluate the organization's IT policies, standards, and procedures, and the processes for their development, approval, implementation, and maintenance, to ensure that they support the IT strategy and comply with regulatory and legal requirements.
  • Evaluate the IT strategy and the process for its development, approval, implementation, and maintenance to ensure that it supports the organization's strategies and objectives.
  • Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance.
  • Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards, and procedures.
  • Evaluate the IT resource investment, use, and allocation practices to ensure alignment with the organization's strategies and objectives.
  • Evaluate IT contracting strategies and policies, and contract management practices, to ensure that they support the organization's strategies and objectives.
  • Evaluate the risk management practices to ensure that the organization's IT-related risks are properly managed.

Knowledge Statements

  • Knowledge of IT governance frameworks
  • Knowledge of quality management strategies and policies
  • Knowledge of the purpose of IT strategies, policies, standards, and procedures for an organization and the essential elements of each
  • Knowledge of organizational structure, roles, and responsibilities related to the use and management of IT
  • Knowledge of generally accepted international IT standards and guidelines
  • Knowledge of the processes for the development, implementation, and maintenance of IT strategies, policies, standards, and procedures (e.g., protection of information assets, business continuity and disaster recovery, systems and infrastructure lifecycle management, IT service delivery and support)
  • Knowledge of enterprise IT architecture and its implications for setting long-term strategic directions
  • Knowledge of IT resource investment and allocation practices (e.g., portfolio management, return on investment [ROI])
  • Knowledge of risk management methodologies and tools
  • Knowledge of the use of control frameworks (e.g., CobiT, COSO, ISO 17799)
  • Knowledge of the use of maturity and process improvement models (e.g., CMM, CobiT)
  • Knowledge of contracting strategies, processes, and contract management practices
  • Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI])
  • Knowledge of relevant legislative and regulatory issues (e.g., privacy, intellectual property, corporate governance requirements)
  • Knowledge of IT human resources (personnel) management

Outline

  • Introduction
  • Best Practices for Senior Management
  • Audit's Role in Governance
  • IT Steering Committee
  • Measuring Performance
  • Information Security Governance
  • The Role of Strategy, Policies, Planning, and Procedures
  • Policy Development
  • Policies and Procedures
  • Risk Identification and Management
  • The Risk-Management Team
  • Asset Identification
  • Threat Identification
  • Risk-Analysis Methods
  • Management Practices and Controls
  • Employee Management
  • Sourcing
  • Change Management and Quality Improvement Techniques
  • Understanding Personnel Roles and Responsibilities
  • Employee Roles and Duties
  • Segregation of Duties
  • Chapter Summary
  • Key Terms
  • Apply Your Knowledge
  • Exercises
  • Exam Questions
  • Answers to Exam Questions
  • Need to Know More?

Study Strategies

This chapter discusses IT governance, which involves control. This control includes items that are strategic in nature. Senior management and the IT steering committee help provide the long-term vision. Control is also implemented on a more tactical level that includes personnel management, organizational change management, and segregation of duties. The following are the primary topics a CISA candidate should review for the exam:

  • Understand the way IT governance should be structured
  • Know the methods of risk management
  • Describe how tools such as CobiT and the capability maturity model are used
  • Detail proper separation of duty controls
  • Describe good HR management practices
  • List methods for measuring and reporting IT performance

Introduction

IT governance is a subset of corporate governance and focuses on the belief that the managers, directors, and others in charge of the organization must understand the role of IT in the organization and not treat it simply as a black box. Management must implement rules and regulations to control the IT infrastructure and develop practices to distribute responsibilities. Not only does this prevent a single person or department from shouldering responsibility, but it also sets up a framework of control. Changes in laws and new regulations, such as Sarbanes-Oxley and Basel II, have increased the need for such control.

IT governance is established by creating an IT strategy committee, developing policies and procedures, defining job roles, executing good HR practices, and performing risk assessments and periodic audits. This chapter discusses each of these topics.
