
CISA Review Course 26th Edition

Domain 2
Governance and Management of IT
© Copyright 2016 ISACA. All rights reserved.

Domain 2

Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve the objectives and to support the strategy.

Domain 2

The focus of Domain 2 is the knowledge of IT governance, which is fundamental to the work of the IS auditor and for the development of sound control practices and mechanisms for management oversight and review.

Domain Objectives

The objective of this domain is to ensure that the CISA candidate is prepared for the role of completing a review in the following areas to ensure that IT governance requirements are met:
o Organizational structure
o Management policies
o Accountability mechanisms
o Monitoring practices

On the CISA Exam

Domain 2 represents 16% of the questions on the CISA exam (approximately 24 questions). Domain 2 incorporates 10 tasks related to the management of IT governance.

Domain Tasks

2.1 Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.
2.2 Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
2.3 Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.

Domain Tasks (cont.)

2.4 Evaluate the organization's IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
2.5 Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with the organization's strategies and objectives.

Domain Tasks (cont.)

2.6 Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the organization's strategies and objectives.
2.7 Evaluate risk management practices to determine whether the organization's IT-related risks are identified, assessed, monitored, reported and managed.
2.8 Evaluate IT management and monitoring of controls (e.g., continuous monitoring and quality assurance [QA]) for compliance with the organization's policies, standards and procedures.
2.9 Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
2.10 Evaluate the organization's business continuity plan (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization's ability to continue essential business operations during the period of an IT disruption.

Task 2.1

Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.

Key Terms

Strategic planning: The process of deciding on the enterprise's objectives, on changes in these objectives, and the policies to govern their acquisition and use.
IT strategic plan: A long-term plan (i.e., three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise's strategic objectives (goals).

Task to Knowledge Statements

How does Task 2.1 relate to each of the following knowledge statements?

Knowledge Statement: K2.1 Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
Connection: The IS auditor must understand the purpose of strategies, policies directing the implementation of these strategies and standards for desired performance of the enterprise.

Knowledge Statement: Knowledge of the organization's technology direction and IT architecture and their implications for setting long-term strategic directions
Connection: Based on the organization's goals and objectives, the IS auditor must understand how the organization develops and aligns technology and architecture planning and acquisitions to meet today's and long-term organizational goals and objectives.

How does Task 2.1 relate to each of the following knowledge statements? (cont.)

Knowledge Statement: K2.6 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
Connection: The governance life cycle for an organization is a living process that [...] existing and emerging objectives and goals.

Governance of Enterprise IT

Corporate governance is a set of responsibilities and practices used by an organization's management to provide strategic direction.

Governance of enterprise IT (GEIT) implies a system in which all stakeholders provide input into the decision-making process. GEIT is concerned with the stewardship of IT resources on behalf of these stakeholders.

GEIT Implementation

The GEIT framework is implemented through practices that provide feedback regarding two fundamental issues:
o That IT delivers value to the enterprise
o That IT risk is properly managed

Broad processes in GEIT implementation include:
o IT resource management: Focuses on maintaining an updated inventory of IT resources; addresses the risk management process
o Performance measurement: Ensures that all IT resources perform to deliver value to the enterprise
o Compliance management: Addresses legal, regulatory and contractual compliance requirements

GEIT Good Practices

GEIT is a structure of relationships and processes used to direct and control the enterprise toward achievement of its goals. The topics that management must address to govern IT within the enterprise are each concerned with value creation.

Figure: COBIT 5 governance and management areas. Business needs drive Governance (Evaluate, Direct, Monitor); Management (Plan [APO], Build [BAI], Run [DSS], Monitor [MEA]) receives direction from and returns feedback to Governance.
Source: ISACA, COBIT 5, USA, 2012, figure 15

The Role of Audit in GEIT

Audit plays a significant role in the implementation of GEIT. It offers these benefits:
o Provides leading practice recommendations to senior management
o Helps ensure compliance with GEIT initiatives
o Provides an independent and balanced view to facilitate quantitative improvement of IT processes

Areas of GEIT Audit

In accordance with the defined role of the IS auditor, the following aspects of GEIT must be assessed:
o Alignment of enterprise governance and GEIT
o Alignment of the IT function with the organizational mission, vision, values, objectives and strategies
o Achievement of performance objectives
o Compliance with legal, environmental, fiduciary, security and privacy requirements

The control environment of the organization, the inherent risk present, and IT investment and expenditure must also be assessed.

GEIT Frameworks

Several frameworks provide standards for GEIT, including:
o COBIT 5
o ISO/IEC 27001
o Information Technology Infrastructure Library
o IT Baseline Protection Catalogs or IT-Grundschutz Catalogs

Enterprise Architecture

Enterprise architecture (EA) is a practice of documenting an organization's IT assets in a structured manner. EA facilitates the understanding of, management of, and planning for IT investments through comparison of the current state and an optimized future state.

EA can be approached from one of two differing perspectives, as follows:
o Technology-driven EA: Seeks to clarify the complex technology choices faced by an organization in order to provide guidance on the implementation of various solutions.
o Business-driven EA: Attempts to understand the organization in terms of its core processes, and derive the optimum mix of technologies needed to support these processes.

In the Big Picture

Task 2.1: Evaluate the IT strategy, including the IT direction, and the processes for the strategy's development, approval, implementation and maintenance for alignment with the organization's strategies and objectives.
The Big Picture: The IS auditor provides critical evaluation feedback as to the effective maintenance of alignment with stated goals and objectives.

Discussion Question

Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment?
A. To conduct a feasibility study to demonstrate IT value
B. To ensure that investments are made according to business requirements
C. To ensure that proper security controls are enforced
D. To ensure that a standard development methodology is implemented

Discussion Question

As an outcome of information security governance, strategic alignment provides:
A. security requirements driven by enterprise requirements.
B. baseline security following good practices.
C. institutionalized and commoditized solutions.
D. an understanding of risk exposure.

Task 2.2

Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.

Key Terms

Governance: Ensuring that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

Task to Knowledge Statements

How does Task 2.2 relate to each of the following knowledge statements?

Knowledge Statement: K2.2 Knowledge of IT governance, management, security and control frameworks and related standards, guidelines and practices
Connection: The IS auditor must understand how the organization's goals and objectives flow down to senior management for the development of strategies, policies directing the implementation of these strategies, and standards for the desired performance of the enterprise.

How does Task 2.2 relate to each of the following knowledge statements? (cont.)

Knowledge Statement: K2.4 Evaluate IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
Connection: Without processes in place to develop and maintain an organization's policies, standards and procedures, these guiding documents will not remain in alignment with existing and emerging strategy, goals and objectives, and regulatory requirements.

IT Governing Committees

Organizations often have executive-level strategy and steering committees to handle organization-wide IT issues. The IS auditor should know the responsibilities of, authority possessed by and membership of such committees.

IT Committee Analysis

Responsibility
  IT Strategy Committee: Provides insight and advice to the board across a range of IT topics.
  IT Steering Committee: Decides the level and allocation of IT spending, aligns and approves the enterprise's IT architecture, and other oversight functions.
Authority
  IT Strategy Committee: Advises the board and management on IT strategy, focusing on current and future strategic IT issues.
  IT Steering Committee: Assists the executive in the delivery of IT strategy, overseeing management of IT service delivery, projects and implementation.
Membership
  IT Strategy Committee: Includes board members and specialist non-board members.
  IT Steering Committee: Includes sponsoring executive, business executive (key users), chief information officer (CIO) and key advisors, as required.
Source: ISACA, CISA Review Manual 26th Edition, figure 2.4

Security: A Governance Issue

Information security has become a significant governance issue due to:
o Global networking
o Rapid technological innovation and change
o Increase in threat agent sophistication
o Extension of organizations beyond their traditional boundaries

As a result of these, negligence in the area of [...] to take advantage of IT opportunities while also mitigating risk.

Information Security

Information security governance is the responsibility of the board of directors and executive management. Information security governance is a subset of corporate governance, providing strategic direction for security activities and ensuring that objectives are achieved. An information security program comprises the leadership, organizational structures and the processes that safeguard information.

The information security governance framework will generally consist of:
o A security strategy linked with business objectives
o Security policies that address strategy, controls and regulation
o Standards to ensure that procedures and guidelines comply with policies
o An effective security organizational structure without conflicts of interest
o Monitoring procedures to ensure compliance and provide feedback on effectiveness

Sourcing Practices

Sourcing practices relate to the way in which the enterprise obtains the IT functions required to support the business. These functions may be performed:
o Insourced
o Outsourced
o By a mix of both insourced and outsourced methods

The functions may be performed across the globe in a variety of arrangements, including:
o Onsite: Staff works onsite in the IT department.
o Offsite: Staff works at a remote location in the same geographical region.
o Offshore: Staff works at a remote location in a different geographical region.

Cloud Computing

Cloud-based computing brings specific issues, including:
o A lack of agreed-upon definitions.
o Various models describing cloud computing result in differing risk and benefits.
o Additional legal requirements may pertain to cloud storage.

Several service models and deployment methods are applied to cloud computing; each of these raises specific considerations.

Issues in Service Models

Infrastructure as a Service (IaaS):
o Options to minimize the impact if the cloud provider has a service interruption
Platform as a Service (PaaS):
o Availability, confidentiality
o Privacy and legal liability in the event of a security breach
o Data ownership
o Concerns regarding e-discovery
Software as a Service (SaaS):
o Who owns the applications?
o Where do the applications reside?
Source: ISACA, CISA Review Manual 26th Edition, figure 2.9

Issues in Deployment Models

Private cloud (operated solely for an organization):
o Provides cloud services with minimum risk, but may not provide the scalability and agility of public cloud services
Community cloud (shared by several organizations):
o Same as private cloud services, plus data may be stored with the data of competitors
Public cloud (owned by an organization selling cloud services):
o Data may be stored with the data of competitors
o Data may be stored in unknown locations
o Data may not be easily retrievable
Hybrid cloud (binding of two or more cloud deployment types):
o Data labeling and classification beneficial to ensure assignment to correct cloud type
o Aggregate risk of merging different deployment models
Source: ISACA, CISA Review Manual 26th Edition, figure 2.10

In the Big Picture

Task 2.2: Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization's strategies and objectives.
The Big Picture: The governance structure enables the organization to remain agile and in alignment with current and emerging goals and objectives.

Discussion Question

An IS auditor is evaluating the IT governance framework of an organization. Which of the following would be the GREATEST concern?
A. Senior management has limited involvement.
B. Return on investment (ROI) is not measured.
C. Chargeback of IT cost is not consistent.
D. Risk appetite is not quantified.

Discussion Question

Which of the following IT governance good practices improves strategic alignment?
A. Supplier and partner risk is managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediates between the imperatives of business and technology.

Task 2.3

Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.

Key Terms

IT architecture: Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise's objectives.
Segregation (separation) of duties (SoD): A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.

Task to Knowledge Statements

How does Task 2.3 relate to each of the following knowledge statements?

Knowledge Statement: K2.3 Knowledge of organizational structure, roles and responsibilities related to IT, including segregation of duties (SoD)
Connection: IS auditors must understand how assignment of duties could lead to vulnerabilities within the enterprise due to individuals gaining privileges that could lead to uncontrolled and/or unauthorized access, creation, modification and destruction of data and systems.

How does Task 2.3 relate to each of the following knowledge statements? (cont.)

Knowledge Statement: K2.9 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
Connection: During evaluation of the governance of enterprise IT, the IS auditor must focus on how critical IT resource investments and allocations delivered the required value and are in alignment with organizational goals and objectives.

HR Management

o Recruiting
o Selecting
o Training
o Measuring performance
o Promoting
o Discipline
o Staff retention
o Mandatory leave
o Succession planning

IT Organizational Structure

Within an organization, the IT department can be structured in a variety of ways. An organizational chart provides a clear definition of a [...]. The IS auditor should compare observed roles and responsibilities with formal organizational structures and job descriptions.

IT Functions

Generally, the following IT functions should be reviewed by the IS auditor:
o Systems development management
o Project management
o Help or service desk administration
o End-user activities and their management
o Data management
o Quality assurance management
o Information security management

Additionally, these functions should be reviewed by the IS auditor:
o Vendor and outsourcer management
o Infrastructure operations and maintenance
o Removable media management
o Data entry
o Supervisory control and data acquisition
o Systems and security administration
o Database administration
o Applications and infrastructure development and maintenance
o Network management

Segregation of IT Duties

While actual job titles and organizational structures vary across enterprises, an IS auditor must obtain enough information to understand and document the relationships among various job functions, responsibilities and authorities. The IS auditor must also assess the adequacy of SoD.

SoD limits the possibility that a single person will be responsible for functions in such a way that errors or misappropriations could occur undetected. SoD is an important method to discourage and prevent fraudulent or malicious acts.

SoD Guidelines

Duties that should be segregated include:
o Asset custody
o Authorization capability
o Transaction recording

Both IS and end-user departments should be organized to meet SoD policies.

SoD

If adequate SoD does not exist, the following may occur with a lower likelihood of detection:
o Misappropriation of assets
o Misstated financial statements
o Inaccurate financial documentation (due to errors or irregularities)
o Improper use of funds or modification of data
o Unauthorized or erroneous modification of programs

Change Management

Organizational change management uses a defined and documented process to identify and apply technology improvements at both the infrastructure and application levels. The IT department is the focal point for such changes and leads or facilitates the changes with senior management support. Communication is an important component of change management, and end-users must be informed of the impact and benefits of changes.

In the Big Picture

Task 2.3: Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization's strategies and objectives.
The Big Picture: The IS auditor must understand the need to derive the greatest value from IT resources and at the same time ensure controls are in place to prevent loss and maximize use of IT resources.

Discussion Question

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of operations.

Discussion Question

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls

Task 2.4

Evaluate IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.

Key Terms

Policy: 1. Generally, a document that records a high-level principle or course of action that has been decided on. 2. An overall intention and direction as formally expressed by management.
Procedure: A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes.

Key Terms (cont.)

Process: Generally, a collection of activities influenced by the enterprise's policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs.
Regulatory requirements: Rules or laws that regulate conduct and that the enterprise must obey to become compliant.

Task to Knowledge Statements

How does Task 2.4 relate to each of the following knowledge statements?

Knowledge Statement: K2.1 Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
Connection: The IS auditor needs to understand the key differences between strategy, policies, procedures and standards and how all of these are integrated into the methods to provide reasonable assurance that business objectives will be attained.

How does Task 2.4 relate to each of the following knowledge statements?
Knowledge Statement: K2.3 Knowledge of organizational structure, roles and responsibilities related to IT, including segregation of duties (SoD)
Connection: In line with understanding strategy, policies, standards and procedures, the IS auditor must understand how these governance structures affect the organizational structures, especially the required roles and responsibilities related to IT.

How does Task 2.4 relate to each of the following knowledge statements?
Knowledge Statement: K2.6 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
Connection: The IS auditor must understand the life cycle of organizational IT strategies, policies, standards and procedures.
Policies
Corporate policies are high-level documents that set the tone for an organization as a whole.
Departmental or division-level policies define lower-level goals and directives.
Policies are part of the IS audit scope and should be tested for compliance.

IS Strategy
Information systems support, sustain and help to grow enterprises.
IS strategic processes can be seen as:
o Integral components of the organizational governance structure
o Methods to provide reasonable assurance that business objectives may be attained
o A facilitator for the enhancement of competitive advantage
auditors should use the policies as a benchmark for evaluating compliance.
The IS auditor must also consider whether and to what extent policies pertain to third parties and outsourcers, whether these parties comply with the policies and whether the policies of these parties conflict with those of the organization.

Standards
Corporate standards are documents that set the specific criteria to which items conform.
Departmental or division-level IT system standards define the specific level of configuration and performance benchmarks.
Standards are part of the IS audit scope and should be tested for compliance.
Procedures
The documented, defined steps in procedures aid in achieving policy objectives.
Procedures documenting business and aligned IT processes and their embedded controls are formulated by process owners.
To be effective, procedures must:
o Be frequently reviewed and updated
o Be communicated to those affected by them
An IS auditor examines procedures to identify and evaluate controls to ensure that control objectives are met.

IS hardening and service levels should be in alignment with applicable standards, and auditors should use the standards as a benchmark for evaluating compliance.
As with policies, the IS auditor must also consider whether and to what extent standards pertain to third parties and outsourcers, whether these parties comply with the standards and whether the standards of these parties conflict with those of the organization.
Information Security Policy
A security policy for information and related technology is a first step toward building the security infrastructure for technology-driven organizations.
It communicates a coherent security standard to users, management and technical staff.
This policy should be used by IS auditors as a reference framework for performing audit assignments.
The adequacy and appropriateness of the policy is also an area of review during an IS audit.

Policy Components
The information security policy may comprise a set of policies, generally addressing the following concerns:
o High-level information security policy: Includes statements on confidentiality, integrity and availability
o Data classification policy: Provides classifications and levels of control at each classification
o End-user computing policy: Identifies the parameters and usage of desktop, mobile and other tools
o Access control policy: Describes methods for defining and granting access to users of various IT resources
o Acceptable use policy (AUP): Controls the use of information system resources through defining how IT resources may be used by employees
Discussion Question
When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
A. Review the strategic alignment of IT with the business.
B. Implement accountability rules within the organization.
C. Ensure that independent IS audits are conducted periodically.
D. Create a chief risk officer (CRO) role in the organization.

In the Big Picture
Task 2.4: standards and procedures and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
The Big Picture: The IS auditor must understand the lifecycle and construct of IT strategies, policies, standards and procedures.
Discussion Question
communications, the IS auditor should pay the MOST attention to:
A. the existence of a data retention policy.
B. the storage capacity of the archiving solution.
C. the level of user awareness concerning email use.
D. the support and stability of the archiving solution manufacturer.

Task 2.5
Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with the
Task to Knowledge Statements
How does Task 2.5 relate to each of the following knowledge statements?
Knowledge Statement: technology direction and IT architecture and their implications for setting long-term strategic directions
Connection: The IS auditor must understand and evaluate the effective alignment of IT technology and acquisition planning with organizational goals and objectives.

Key Terms
IT resources: IT resources consist of the hardware, software, firmware, services and human capital.
How does Task 2.5 relate to each of the following knowledge statements?
Knowledge Statement: K2.9 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
Connection: The IS auditor must understand and evaluate the effective management and alignment of the IT resource portfolio to ensure these resources deliver value and remain aligned with organizational goals and objectives.

How does Task 2.5 relate to each of the following knowledge statements?
Knowledge Statement: K2.10 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
Connection: IT vendor and contract statement of work, and respective terms and conditions must be evaluated to ensure required value and technical performance measures are attained.
How does Task 2.5 relate to each of the following knowledge statements?
Knowledge Statement: K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: The IS auditor will evaluate and use the key performance indicators established and maintained that become the basis for reporting during continuous monitoring feedback on IT governance effectiveness.

How does Task 2.5 relate to each of the following knowledge statements?
Knowledge Statement: K2.12 Knowledge of practices for monitoring and reporting of controls performance (e.g., continuous monitoring and quality assurance [QA])
Connection: The IS auditor will find that successful IT governance relies on continuous feedback processes to ensure organizational goals and objectives are being met.
IT Balanced Scorecard
The IT balanced scorecard (BSC) is a management evaluation technique that can be applied to the GEIT process.
It goes beyond traditional financial evaluation by measuring:
o Customer (or user) satisfaction
o Internal operational processes
o The ability to innovate

IT BSC objectives serve to:
o Establish a method for management reporting to the board.
o Foster consensus among stakeholders about IT strategic aims.
o Demonstrate the effectiveness of IT.
o Facilitate communication about the performance, risk and capabilities of IT.
Return on IT Investment
and allocation practices to determine whether the enterprise is positioned to achieve the greatest value from the investment of its resources.
The return on investment (ROI) for IT is both financial and nonfinancial.
o Financial benefits can include impacts on the reductions or revenue increases.
o Nonfinancial benefits can include impacts on organizational operations or mission performance, in addition to results, such as improved customer satisfaction, better information and shorter cycle times.

Example of an IT BSC
Generic IT Balanced Scorecard
User Orientation: How do users view the IT department?
  Mission: To be the preferred supplier of information systems
  Objectives: Preferred supplier of applications and operations; Partnership with users; User satisfaction
Business Contribution: How does management view the IT department?
  Mission: To obtain a reasonable business contribution from IT investments
  Objectives: Business/IT alignment; Value delivery; Cost management; Risk management
Future Orientation: How well is IT positioned to meet future needs?
  Mission: To develop opportunities to answer future challenges
  Objectives: Training and education of IT staff; Expertise of IT staff; Research into emerging technologies
Operational Excellence: How effective and efficient are the IT processes?
  Mission: To deliver effective and efficient IT applications and services
  Objectives: Efficient and effective developments; Efficient and effective operations; Maturity level of IT processes
(In the figure, the four perspectives are linked around the IT BSC by cause-and-effect arrows.)
Source: ISACA, IT Governance Domain Practices and Competencies: Measuring and Demonstrating the Value of IT, USA, 2005, figure 7
Software Development
An IS auditor should understand the requirements associated with accounting for the costs of software development.
These requirements are outlined by the International Accounting Standards Board (IASB) and the AICPA, and dictate the circumstances under which development costs must be capitalized.
There is some variation in the interpretations of such rules, so the IS auditor is advised to obtain guidance from the chartered accountants responsible for financial reporting.

In the Big Picture
Task 2.5: Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with objectives.
The Big Picture: IS auditors must understand the development and use of measures needed to evaluate IT resource portfolio management activities.
Discussion Question
Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:
A. claims to meet or exceed industry security standards.
B. agrees to be subject to external security reviews.
C. has a good market reputation for service and experience.
D. complies with security policies of the organization.

Discussion Question
Which of the following situations is addressed by a software escrow agreement?
A. The system administrator requires access to software to recover from a disaster.
B. A user requests to have software reloaded onto a replacement hard drive.
C. The vendor of custom-written software goes out of business.
D. An IS auditor requires access to software code written by the organization.
Task 2.6
Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the

Key Terms
IT portfolio: A grouping of "objects of interest" (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. (The investment portfolio is of primary interest to Val IT. IT service, project, asset and other resource portfolios are of primary interest to COBIT.)
How does Task 2.6 relate to each of the following knowledge statements?
Knowledge Statement: K2.9 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
Connection: Awareness of current practices in IT investment and resource allocation, role of financial management practices and HR processes and policies on IT governance in IT portfolio management
Knowledge Statement: K2.10 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
Connection: Relationship between vendor management and IT governance of the outsourcing entity to meet and stay aligned with goals and objectives

Task to Knowledge Statements
How does Task 2.6 relate to each of the following knowledge statements?
Knowledge Statement: K2.7 Knowledge of the use of capability and maturity models
Connection: The IS auditor must understand maturity model concepts, use and capabilities in order to provide an aggregated measure of IT portfolio performance.
Knowledge Statement: K2.8 Knowledge of process optimization techniques
Connection: From scoping through reporting, the IS auditor will use the knowledge of quality standards, such as quality management and performance management, to drive value from the IS audit process.
How does Task 2.6 relate to each of the following knowledge statements?
Knowledge Statement: K2.12 Knowledge of practices for monitoring and reporting of controls performance (e.g., continuous monitoring and quality assurance [QA])
Connection: Adoption of good practices for control performance monitoring and reporting to include balanced scorecard and KPIs in driving performance optimization
Knowledge Statement: K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: Concepts related to establishing, monitoring and reporting processes needed by the governance team to evaluate performance and provide direction to senior management

IT Portfolio Management
IT portfolio management is distinct from IT financial management.
It has a strategic goal in determining IT direction toward:
o What the enterprise will begin to invest in
o What the enterprise will continue to invest in
o What the enterprise will divest
Key governance practices in IT portfolio management include the evaluation, direction and monitoring of value optimization.
In the Big Picture
Task 2.6: Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the objectives.
The Big Picture: The IS auditor must understand the key toolsets an organization must employ to ensure value delivery on the IT portfolio.

The most significant advantage of IT portfolio management is agility in adjusting investments based on built-in feedback mechanisms.
Implementation methods include:
o Risk profile analysis
o Diversification of projects, infrastructure and technologies
o Continuous alignment with business goals
o Continuous improvement
Discussion Question
After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the GREATEST risk?
A. Project management and progress reporting is combined in a project management office which is driven by external consultants.
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other
D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

Discussion Question
To gain an understanding of the effectiveness of an IT assets, an IS auditor should review the:
A. enterprise data model.
B. IT balanced scorecard (BSC).
C. IT organizational structure.
D. historical financial statements.
Key Terms
IT risk: The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
Risk management: 1. The coordinated activities to direct and control an enterprise with regard to risk. 2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within

Task 2.7
Evaluate risk management practices to IT-related risks are identified, assessed, monitored, reported and managed.
Task to Knowledge Statements
How does Task 2.7 relate to each of the following knowledge statements?
Knowledge Statement: K2.11 Knowledge of enterprise risk management (ERM)
Connection: Risk management process and applying various risk analysis methods.
Knowledge Statement: K2.15 Knowledge of business impact analysis (BIA)
Connection: An IS auditor must be able to determine whether a BIA and BCP are suitably aligned.

Risk Management
The process of risk management focuses on an
To be effective, the process must begin with an
Risk Management Program
Objective: A cost-effective balance between significant threats and the application of controls to those threats.
Asset Identification: Identify resources or assets that are vulnerable to threats.
Threat Assessment: Determine threats and vulnerabilities associated with the asset.
Impact Evaluation: Describe what will happen should a vulnerability be exploited.
Risk Calculation: Form an overall view of risk, based on the probability of occurrence and the magnitude of impact.
Risk Response: Evaluate existing controls and implement new controls designed to bring residual risk into alignment with enterprise risk appetite.

Four possible responses to risk are:
o Avoidance: elimination of the cause of the risk
o Mitigation: occurrence or of its impact
o Transfer: sharing of risk with partners, such as through insurance or joint ventures
o Acceptance: formal acknowledgment of the presence of risk with a commitment to monitor it
A fifth response, rejection of risk through choosing to ignore it, is not considered effective risk management. The presence of this risk response should be a red flag for the IS auditor.
Risk Analysis Methods
Risk analysis is defined as a process by which frequency and magnitude of IT risk scenarios are estimated.
Three methods may be employed during risk analysis:
o Qualitative analysis methods: Descriptive rankings are used to describe risk likelihood and impact.
o Semi-quantitative analysis methods: Descriptive rankings are associated with numeric values.
o Quantitative analysis methods: Numeric values, for example, in the form of financial costs, are used to describe risk likelihood and impact.
Each of the three methods offers a perspective on risk, but it is important to acknowledge the assumptions incorporated into each risk analysis.
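The risk management program steps (asset identification through risk response), the four recognised responses and the semi-quantitative analysis method, worked through as one added Python example that is not part of the ISACA course material. It maps descriptive likelihood and impact rankings to numeric values, calculates risk as probability of occurrence times magnitude of impact, derives residual risk from existing controls and compares it with the enterprise risk appetite, flagging entries that are accepted above appetite or carry no recognised response (the "ignored risk" red flag). The 1-5 scales, the register entries and the appetite value are constructed assumptions; a small quantitative helper (single loss expectancy times annual rate of occurrence) is included only to contrast the third method.

```python
from dataclasses import dataclass

# Semi-quantitative scales: descriptive rankings paired with numeric values.
# The 1-5 scales are an assumption made for this example, not an ISACA scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The four recognised responses; anything else (including no response at all)
# is treated as ignoring the risk, which the course flags for the IS auditor.
RESPONSES = {"avoid", "mitigate", "transfer", "accept"}


@dataclass
class Risk:
    asset: str             # from asset identification
    threat: str            # from threat assessment
    likelihood: str        # descriptive ranking, key of LIKELIHOOD
    impact: str            # descriptive ranking, key of IMPACT
    control_effect: float  # share of inherent risk removed by existing controls (0..1)
    response: str          # documented risk response ("" if none recorded)


def inherent_score(risk: Risk) -> int:
    """Risk calculation: probability of occurrence x magnitude of impact."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_score(risk: Risk) -> float:
    """Risk remaining once existing controls are taken into account."""
    if not 0.0 <= risk.control_effect <= 1.0:
        raise ValueError("control_effect must be between 0 and 1")
    return inherent_score(risk) * (1.0 - risk.control_effect)


def annualized_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """Quantitative method: expected yearly loss in money terms (SLE x ARO)."""
    return single_loss * annual_rate


def audit_register(register, appetite: float):
    """Review each register entry against the enterprise risk appetite.

    Returns findings sorted by residual risk, highest first; each finding
    carries the red flags an IS auditor would raise for that entry.
    """
    findings = []
    for risk in register:
        residual = residual_score(risk)
        flags = []
        if risk.response not in RESPONSES:
            flags.append("no recognised response recorded (risk is being ignored)")
        elif risk.response == "accept" and residual > appetite:
            flags.append("accepted although residual risk exceeds appetite")
        findings.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "inherent": inherent_score(risk),
            "residual": residual,
            "within_appetite": residual <= appetite,
            "flags": flags,
        })
    findings.sort(key=lambda f: f["residual"], reverse=True)
    return findings


# Constructed sample register (illustrative values, not real audit data).
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "possible", "severe", 0.6, "mitigate"),
    Risk("payroll application", "custom-software vendor ceases trading", "unlikely", "major", 0.0, "transfer"),
    Risk("public web server", "denial of service", "likely", "moderate", 0.25, "accept"),
    Risk("shared administrator account", "credential misuse", "likely", "major", 0.0, ""),
]
RISK_APPETITE = 8.0  # assumed appetite on the same 1-25 product scale


if __name__ == "__main__":
    for f in audit_register(SAMPLE_REGISTER, RISK_APPETITE):
        status = "OK  " if f["within_appetite"] else "HIGH"
        print(f"{status} {f['asset']:<30} inherent={f['inherent']:>2} "
              f"residual={f['residual']:>5.2f} {'; '.join(f['flags'])}")
```

The ordering by residual rather than inherent score is the point of the response step: a high inherent score that existing controls already bring within appetite needs no new control, while an entry with no documented response stays at the top of the list regardless of its score.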

Business Impact Analysis
BIA is a process used to determine the impact of losing the support of any resource.
It is an important adjunct to the risk analysis, often uncovering vital but less visible components that support critical processes.
Three primary questions must be considered during a BIA process:
o What are the different business processes?
o What are the critical information resources related to an
o In the event of an impact on critical business processes, under what time frame will significant or unacceptable losses be sustained?
The IS auditor should be able to evaluate the BIA, requiring a knowledge of BIA development methods.
Discussion Question
Which of the following factors should an IS auditor PRIMARILY focus on when determining the appropriate level of protection for an information asset?
A. Results of a risk assessment
B. Relative value to the business
C. Results of a vulnerability assessment
D. Cost of security controls

In the Big Picture
Task 2.7: Evaluate risk management practices to IT-related risks are identified, assessed, monitored, reported and managed.
The Big Picture: Critical to any IS audit is maintaining a clear understanding of the enterprise risks associated with the IT governance through day-to-day operations.
Discussion Question
reciprocal agreement, which of the following risk treatment approaches is being applied?
A. Transfer
B. Mitigation
C. Avoidance
D. Acceptance

Task 2.8
Evaluate IT management and monitoring of controls (e.g., continuous monitoring and quality assurance [QA]) for policies, standards and procedures.
Task to Knowledge Statements
How does Task 2.8 relate to each of the following knowledge statements?
Knowledge Statement: K2.6 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
Connection: Impact of legislative requirements on procedures and processes
Knowledge Statement: K2.7 Knowledge of the use of capability and maturity models
Connection: Understanding management techniques to continuously improve IT performance
Knowledge Statement: K2.8 Knowledge of process optimization techniques
Connection: Role of quality management in bridging the gap between current state and desired state

Key Terms
Continuous auditing approach: This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
Control: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature. Also used as a synonym for safeguard or countermeasure.
Quality assurance: A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements. (ISO/IEC 24765)
How does Task 2.8 relate to each of the following knowledge statements?
Knowledge Statement: K2.13 Knowledge of quality management and quality assurance (QA) systems
Connection: Understanding of structures, roles and responsibilities of the QA function with the enterprise and the use of key performance indicators (KPIs) in driving performance optimization for effective IT governance
Knowledge Statement: K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: Concepts related to establishing, monitoring and reporting processes needed by the governance team to evaluate performance and provide direction to senior management

Process Maturity Frameworks
Maintaining consistency, efficiency and effectiveness of IT processes requires the implementation of a process maturity framework.
Several different models may be encountered in organizations, including:
o COBIT Process Assessment Model (PAM): defines the minimum requirements for conducting an assessment to ensure reliable results
o IDEAL model: designed to guide the planning and implementation of effective software improvement
o CMMI: provides the essential elements of effective processes; used as a guide to process improvement across a project, division or organization
Quality Management
The development and maintenance of defined and documented IT quality management processes is evidence of effective GEIT.
Quality management defines a set of tasks that produce desired results when properly performed.
Various standards provide guidelines for the governance of quality management, including those in ISO/IEC 27000.
The IS auditor should be aware of quality management. However, the CISA exam does not test specifics on any ISO standards.


The PDCA Method
Plan: Establish the objectives and processes needed to deliver desired results.
Do: Implement the plan, collecting data for charting and analysis.
Check: Study the results of the Do step, looking for deviations from desired results.
Act: Analyze deviations and request corrective actions.

Indicators of Problems
o Unfavorable end-user attitudes
o Excessive costs
o Budget overruns
o Late payments
o High staff turnover
o Inexperienced staff
o Frequent hardware or software errors
o Slow computer response time
o Excessive backlog of user requests


Indicators of Problems (continued)
o Numerous suspended development projects
o Unsupported hardware/software purchases
o Frequent hardware/software purchases
o Extensive exception reports
o Low follow-up on exception reports
o Poor motivation
o Absence of succession plans
o Lack of adequate training
o Overreliance on one or two key people

Reviewing Contracts
Each of the various phases of computer hardware, software and IT service acquisition should be supported by a written contract.
The IS auditor should:
o Verify management participation in the contracting process.
o Ensure the presence of timely contract compliance review.
o Evaluate the adequacy of the various contract terms and conditions.
o Be familiar with the request for proposal (RFP) process.


Domain 2: Governance and Management of IT

Reviewing Documentation During an IS audit, these documents should be reviewed: o IT strategies, plans
Reviewing Documentation
During an IS audit, these documents should be reviewed:
o
IT strategies, plans and budgets
o
Security policy documentation
o
Organization/functional charts and job descriptions
o
IT steering committee reports
o
System development and program change procedures
o
Operations procedures
o
HR manuals
o QA procedures
It should be determined whether these documents:
o
Were created as management authorized and intended
o
Are current and up to date
122 © Copyright 2016 ISACA. All rights reserved.
In the Big Picture
Task 2.8: Evaluate IT management and monitoring of controls (e.g., continuous monitoring and quality assurance [QA]) for compliance with the organization's policies, standards and procedures.
The Big Picture: As a foundation to proper governance of enterprise IT, the IS auditor needs to see how management is measuring compliance with policies and regulations.


Discussion Question
An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
A. verify how the organization follows the standards.
B. identify and report the controls currently in place.
C. review the metrics for quality evaluation.
D. request all standards that have been adopted by the organization.

Task 2.9
Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.


Discussion Question
When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the:
A. establishment of a review board.
B. creation of a security unit.
C. effective support of an executive sponsor.
D. selection of a security process owner.

Key Terms
Key performance indicator (KPI): A measure that determines how well the process is performing in enabling the goal to be reached. A lead indicator of whether a goal will likely be reached, and a good indicator of capabilities, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance.


Task to Knowledge Statements
How does Task 2.9 relate to each of the following knowledge statements?

K2.10 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
Connection: Relationship between vendor management and contractual terms and their impact on driving IT governance of the outsourcing entity

K2.11 Knowledge of enterprise risk management (ERM)
Connection: Risk analysis methods used in aligning ERM with the results from monitoring and reporting of IT KPIs

Financial Management
The IS budget allows for an adequate allocation of funds and for forecasting, monitoring and analyzing financial information.
The budget should be linked to short- and long-range IT plans.
A user-pays (chargeback) scheme can improve the monitoring of IS expenses and resources.
o In this arrangement, end users are charged for the costs of the IS services they receive.
o These charges are based on a standard formula and include such IS services as staff time, computer time and other relevant costs.


How does Task 2.9 relate to each of the following knowledge statements? (continued)

K2.14 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs] and key performance indicators [KPIs])
Connection: Understanding and using concepts and techniques related to establishing, monitoring and reporting processes needed by the governance team to evaluate performance and provide direction to senior management

Performance Optimization
Performance optimization is the process of improving perceived service performance while bringing IS productivity to the highest level possible.
Ideally, this productivity will be gained without excessive additional investment in the IT infrastructure.
Effective performance measures are used to create and facilitate action to improve both performance and GEIT. These depend upon:
o The clear definition of performance goals
o The establishment of effective metrics to monitor goal achievement


Tools and Techniques
Several tools and techniques can be employed to facilitate performance measurement, ensure good communication and support organizational change. These include:
o Six Sigma
o IT BSC
o KPIs
o Benchmarking
o Business process reengineering (BPR)
o Root cause analysis
o Life cycle cost-benefit analysis

In the Big Picture
Task 2.9: Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
The Big Picture: Only through timely, objective measurement processes can the IS auditor truly determine if management has the relevant information to manage GEIT.


Tools and Techniques (definitions)
Six Sigma: A quantitative process analysis, defect reduction and improvement approach
IT BSC: A process management evaluation technique that can be effectively applied to assess IT functions and processes
KPI: A measure that determines how well a process is performing in enabling a goal to be reached
Benchmarking: A systematic approach to comparing enterprise performance against competitors to learn methods
BPR: The thorough analysis and redesign of business processes to establish a better performing structure with cost savings
Root cause analysis: The process of diagnosis to establish the origins of events so that controls can be developed to address these causes
Life cycle cost-benefit: Assessment of life cycle, life cycle cost and benefit analysis to determine strategic direction for IT systems

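Task 2.9 asks the IS auditor to decide whether KPI reporting gives management sufficient and timely information. The following script is an added example of how that check can be automated; it is not course material or ISACA code. It assumes KPIs are defined with a numeric target and a reporting cadence, that each KPI is computed from per-item operational records, and that a log of when each KPI last reached management exists. Every KPI name, target, cadence, record and date below is constructed for illustration.

```python
"""Added example (not from the CISA course): checking whether KPI reporting
to management is sufficient and timely.  KPI names, targets, cadences and
records below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Kpi:
    name: str
    target: float        # minimum acceptable value, in percent
    cadence_days: int    # how often management expects a fresh figure
    owner: str


# Constructed KPI definitions (assumed; an organization would take these
# from its own IT BSC or governance reporting standard).
KPIS = [
    Kpi("critical_patches_within_30d", 95.0, 30, "infrastructure"),
    Kpi("privileged_access_reviewed", 100.0, 90, "identity"),
    Kpi("incidents_closed_within_sla", 90.0, 30, "service desk"),
]

# Constructed operational records: (kpi name, item, requirement met?).
RECORDS = [
    ("critical_patches_within_30d", "srv-01", True),
    ("critical_patches_within_30d", "srv-02", True),
    ("critical_patches_within_30d", "srv-03", False),
    ("critical_patches_within_30d", "srv-04", True),
    ("privileged_access_reviewed", "dba-admin", True),
    ("privileged_access_reviewed", "domain-admin", True),
    ("privileged_access_reviewed", "backup-svc", True),
    # deliberately no records at all for incidents_closed_within_sla
]

# Constructed reporting history: the date each KPI last reached management.
LAST_REPORTED = {
    "critical_patches_within_30d": date(2016, 6, 20),
    "privileged_access_reviewed": date(2016, 3, 1),
}

AS_OF = date(2016, 6, 30)   # date of the audit review


def compute_kpi(name, records):
    """Percentage of records for this KPI that met the requirement,
    or None when there is no source data to measure."""
    outcomes = [met for (kpi, _, met) in records if kpi == name]
    if not outcomes:
        return None
    return 100.0 * sum(outcomes) / len(outcomes)


def evaluate(kpis, records, last_reported, as_of):
    """Return (kpi name, finding) pairs an IS auditor would raise:
    no source data (KPI cannot be measured), value below target,
    never reported to management, or reported later than its cadence."""
    findings = []
    for kpi in kpis:
        value = compute_kpi(kpi.name, records)
        if value is None:
            findings.append((kpi.name, "no source data"))
        elif value < kpi.target:
            findings.append((kpi.name, f"below target: {value:.1f}% < {kpi.target:.1f}%"))

        reported = last_reported.get(kpi.name)
        if reported is None:
            findings.append((kpi.name, "never reported to management"))
        else:
            age = (as_of - reported).days
            if age > kpi.cadence_days:
                findings.append((kpi.name, f"stale: last reported {age} days ago, cadence {kpi.cadence_days} days"))
    return findings


if __name__ == "__main__":
    for name, finding in evaluate(KPIS, RECORDS, LAST_REPORTED, AS_OF):
        print(f"{name}: {finding}")
```

The two reporting findings (never reported, stale) speak to timeliness; the two measurement findings (no source data, below target) speak to sufficiency. A KPI that management receives on schedule but that cannot be computed from any underlying record is a reporting process without substance, which is why the script checks both sides separately.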
Discussion Question
While reviewing a quality management system (QMS), the IS auditor should PRIMARILY focus on collecting evidence to show that:
A. quality management systems (QMSs) comply with good practices.
B. continuous improvement targets are being monitored.
C. standard operating procedures of IT are updated annually.
D. key performance indicators (KPIs) are defined.


Discussion Question
Before implementing an IT balanced scorecard (BSC), an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.

Key Terms
Business continuity: Preventing, mitigating and recovering from disruption. The terms "business resumption planning," "disaster recovery planning" and "contingency planning" also may be used in this context. They focus on recovery aspects of continuity, and for that reason the "resilience" aspect should also be taken into account.
Business continuity plan (BCP): A plan used by an enterprise to respond to disruption of critical business processes; depends on the contingency plan for restoration of critical systems.
Disaster recovery plan (DRP): A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster.


Task 2.10
Evaluate the organization's business continuity plan (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization's ability to continue essential business operations during the period of an IT disruption.

Task to Knowledge Statements
How does Task 2.10 relate to each of the following knowledge statements?

K2.11 Knowledge of enterprise risk management (ERM)
Connection: Understanding both the organizational risk appetite and cost-benefit analysis, where the risk appetite is not exceeded and the cost of the control does not exceed the benefits derived from the risk mitigation

K2.15 Knowledge of business impact analysis (BIA)
Connection: Understanding the BIA as a key driver of the BCP/disaster recovery process


How does Task 2.10 relate to each of the following knowledge statements? (continued)

K2.16 Knowledge of the standards and procedures for the development, maintenance and testing of the business continuity plan (BCP)
Connection: Understanding the life cycle of BCP/DRP development and maintenance

K2.17 Knowledge of procedures used to invoke and execute the business continuity plan and return to normal operations
Connection: Understanding how the BIA defines the triggers to initiate the various actions within the BCP/DRP

Information security management programs include the development of the following, as related to IT department functions in support of critical business processes:
o BIA
o BCP
o DRP


Policy Management
The management of information security ensures that an organization's information and the systems that process the information are properly protected.
An information security program is established through:
o Assessing the risk to IT assets
o Mitigating the risk to a level determined by management
o Monitoring the remaining residual risk

Business Continuity Planning
In the event of a disruption of normal business operations, BCP and DRP can allow critical processes to carry on.
Responsibility for the BCP rests with senior management, but its execution usually lies with business and supporting units.
The plan should address all functions and assets that will be required to continue as a viable operation immediately after encountering an interruption and while recovery is taking place.


Disaster Management
An IT DRP is a structured collection of processes and procedures designed to speed response and ensure business continuity in the event of a disaster.
Various roles and responsibilities for teams are defined in the DRP.
The IS auditor should have knowledge of team responsibilities, which are likely to vary from organization to organization.

IT BCP
IT service continuity is often critical to the organization, and developing and testing an information system BCP/DRP is a major component of enterprise-wide continuity planning.
Points of vulnerability are identified and considered during the risk assessment process.
The potential for harm from these can be quantified through a BIA.


The BCP and DRP
The DRP is a part of the BCP.
It outlines the restoration plan that will be used to return operations to a normal state.
In general, a single integrated plan is recommended to ensure that:
o Coordination between various plan components supports response and recovery.
o Resources are used in the most effective way.
o Reasonable confidence can be maintained that the enterprise will survive a disruption.

BCP Process
The BCP process can be divided into life cycle phases, as shown here.
Business Continuity Planning Life Cycle:
1. Project planning (BC policy, project scope)
2. Risk assessment and analysis
3. Business impact analysis
4. BC strategy development
5. Strategy execution (risk countermeasures implementation)
6. BC plan development
7. BC awareness training
8. BC plan testing
9. BC plan monitoring, maintenance and updating (which feeds back into the cycle)
Source: ISACA, CISA Review Manual 26th Edition, figure 2.14


Disasters and Disruptions
Disasters are likely to require recovery efforts to restore the operational status of information resources.
Categories of disasters include:
o Natural calamities
o Pandemics, epidemics or other infectious outbreaks
o Utility disruptions
o Actions by humans, whether intentionally harmful or through error
o Hardware or software malfunctions
o Incidents causing damage to image, reputation or brand
Some events are unforeseeable. These are referred to

Incident Mitigation
Incident and Impact Relationship Diagram: the diagram relates controls that reduce the likelihood of an incident to controls that mitigate its consequences. The elements shown are:
o Infrastructure monitoring
o Capacity management
o Incident management (help desk)
o Controls (risk countermeasures)
o Risk management
o Preventive controls
o Detective controls
o Corrective controls
o Configuration management
o UPS or power generator
o Backup and recovery
o BCP or IT DRP
o Special clauses in vendor/supplier contracts
o Spare processing site
Source: ISACA, CISA Review Manual 26th Edition, figure 2.15


Business Continuity Policy
A business continuity policy should be proactive, delivering the message that all possible controls to both detect and prevent disruptions should be used.
The policy is a document approved by top management; it serves several purposes:
o It carries a message to internal stakeholders that the organization is committed to business continuity.
o As a statement to the organization, it empowers those who are responsible for business continuity.
o It communicates to external stakeholders that obligations, such as service delivery and compliance, are being taken seriously.

BCP Incident Management
By their nature, incidents and crises often unfold dynamically and rapidly in unforeseeable directions.
Management of such situations requires a proactive approach and supporting documentation.
All incidents should be classified at one of the following levels:
o Negligible: causing no perceptible damage
o Minor: producing no negative financial or material impact
o Major: causing a negative material impact on business processes; possible effects on other systems, departments or outside stakeholders
o Crisis: resulting in serious material impact on the continued functioning of the enterprise and its stakeholders
Note that the classification of an incident can change as events proceed.


BCP Plan Components
The BCP should include:
o Continuity of operations plan
o Disaster recovery plan
o Business resumption plan
It may also include:
o Crisis communications plan
o IT contingency plan
o Incident response plan
o Transportation plan
o Occupant emergency plan
o Evacuation plan
o Emergency relocation plan

Auditing Business Continuity
When auditing business continuity, the IS auditor must complete a number of tasks, for example:
o Understanding the connections between the BCP and business objectives
o Evaluating the BCP and determining its adequacy and currency
o Verifying BCP effectiveness through a review of plan testing
o Evaluating cloud-based mechanisms and offsite storage
o Assessing the ability of personnel to respond effectively in the event of an incident


Plan Testing
The critical components of a BCP should be tested under simulated conditions to accomplish objectives such as these:
o Verify the accuracy of the BCP.
o Evaluate the performance of involved personnel.
o Evaluate coordination among response team members and external parties.
o Measure the ability and capacity of any backup site to perform as expected.
Assessing the results and value of the BCP tests is an important responsibility for the IS auditor.

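Assessing BCP test results means comparing what the backup site actually achieved against the recovery objectives set for each system. The script below is an added example of that comparison, written for this page rather than taken from the course or from ISACA. It assumes the two objectives the domain's discussion questions refer to: a recovery point objective (RPO), taken here as the maximum tolerable gap between the last usable backup and the start of the outage, and a recovery time objective (RTO), taken here as the maximum tolerable gap between the outage and restored service. The systems, objective values and timestamps are constructed for illustration.

```python
"""Added example (not from the CISA course): evaluating business continuity
test results against each system's recovery objectives.  Systems,
objectives and timestamps below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryObjective:
    rpo: timedelta   # maximum tolerable data loss, measured back from the outage
    rto: timedelta   # maximum tolerable time from outage to restored service


@dataclass(frozen=True)
class TestResult:
    system: str
    outage_start: datetime         # when the simulated disaster was declared
    last_usable_backup: datetime   # newest copy that restored cleanly at the backup site
    service_restored: datetime     # when the service was declared available again


# Constructed objectives, as they would come from the BIA (assumed values).
OBJECTIVES = {
    "order-entry": RecoveryObjective(rpo=timedelta(hours=1), rto=timedelta(hours=4)),
    "payroll":     RecoveryObjective(rpo=timedelta(hours=4), rto=timedelta(hours=8)),
    "crm":         RecoveryObjective(rpo=timedelta(hours=1), rto=timedelta(hours=2)),
    "hr-portal":   RecoveryObjective(rpo=timedelta(hours=24), rto=timedelta(hours=48)),
}

# Constructed results from one simulated-disaster test; hr-portal was not exercised.
RESULTS = [
    TestResult("order-entry", datetime(2016, 5, 14, 2, 0), datetime(2016, 5, 14, 1, 30), datetime(2016, 5, 14, 5, 0)),
    TestResult("payroll",     datetime(2016, 5, 14, 2, 0), datetime(2016, 5, 13, 20, 0), datetime(2016, 5, 14, 9, 0)),
    TestResult("crm",         datetime(2016, 5, 14, 2, 0), datetime(2016, 5, 14, 1, 45), datetime(2016, 5, 14, 6, 30)),
]


def assess(result, objective):
    """Names of the objectives this test result failed to meet."""
    data_loss = result.outage_start - result.last_usable_backup   # how much work would be lost
    downtime = result.service_restored - result.outage_start      # how long the service was unavailable
    missed = []
    if data_loss > objective.rpo:
        missed.append("RPO")
    if downtime > objective.rto:
        missed.append("RTO")
    return missed


def assess_all(results, objectives):
    """Map every system in scope to its list of missed objectives.
    A system tested without a defined objective, or with an objective but no
    test result, is flagged rather than silently passed: both are audit findings."""
    findings = {}
    for r in results:
        obj = objectives.get(r.system)
        findings[r.system] = assess(r, obj) if obj else ["no objective defined"]
    for system in objectives:
        findings.setdefault(system, ["not tested"])
    return findings


if __name__ == "__main__":
    for system, missed in assess_all(RESULTS, OBJECTIVES).items():
        print(f"{system}: {'met all objectives' if not missed else ', '.join(missed)}")
```

Two details matter for the auditor rather than the operator. The data-loss figure is taken from the backup that actually restored cleanly, not the most recent backup that was taken, because a copy that exists but cannot be restored does nothing for the RPO. And coverage is checked in both directions: a system with an objective but no test evidence cannot be reported as recoverable.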
BCP Audit Review
1. Review the BCP document.
2. Review the applications covered by the BCP.
3. Review the business continuity teams.
4. Test the plan.


BCP Audit Evaluation
o Evaluate prior test results
o Evaluate offsite storage facilities, including security controls
o Evaluate key personnel through interviews
o Evaluate the alternative processing contract
o Evaluate insurance coverage

Discussion Question
During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be delayed.
B. execution of the disaster recovery plan could be impacted.
C. notification of the teams might not occur.
D. potential crisis recognition might be delayed.


In the Big Picture
Task 2.10: Evaluate the organization's business continuity plan (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization's ability to continue essential business operations during the period of an IT disruption.
The Big Picture: The IS auditor needs not only to evaluate the content of the DRP and BCP but also to determine whether these processes will return the business to normal operations.

Discussion Question
disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined?
A. The interruption window
B. The recovery time objective (RTO)
C. The service delivery objective (SDO)
D. The recovery point objective (RPO)


Domain 2 Summary
Evaluation of the IT strategy life cycle
Evaluation of the effectiveness of the IT governance structure
Evaluation of the IT organizational structure and human resources (personnel) management
Evaluation of the organization's IT policies, standards and procedures life cycle
Evaluation of IT resource management

Discussion Question
When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
A. Review the strategic alignment of IT with the business.
B. Implement accountability rules within the organization.
C. Ensure that independent IS audits are conducted periodically.
D. Create a chief risk officer (CRO) role in the organization.


Domain 2 Summary (continued)
Evaluation of IT portfolio management
Evaluation of risk management practices
Evaluation of IT management and monitoring of controls
Evaluation of monitoring and reporting of IT KPIs
Evaluation of the organization's business continuity plan
The importance of a BCP, including the alignment of the IT DRP with the BCP

Discussion Question
To optimize an organization's business continuity plan (BCP), an IS auditor should recommend a BIA to determine:
A. the business processes that generate the most financial value for the organization and, therefore, must be recovered first
B. the priorities and order for recovery to ensure alignment with the organization's business strategy
C. the business processes that must be recovered following a disaster to ensure the organization's survival
D. the priorities and order of recovery, which will recover the greatest number of systems in the shortest time frame
