• Learning Objectives
• Discuss Task and Knowledge Statements
• Discuss specific topics within the chapter
• Case studies
• Sample questions
Exam Relevance
Ensure that the CISA candidate understands and can provide assurance that the organization has the structure, policies, accountability mechanisms and monitoring practices in place to achieve the requirements of corporate governance of IT.
Chapter 2: 14% of the CISA examination
• Two issues:
1. IT delivers value to the business
2. IT risks are managed
Practice Question
2-1 In order for management to effectively monitor the compliance of processes and applications, which of the following would be the MOST ideal?
A. A central document repository
B. A knowledge management system
C. A dashboard
D. Benchmarking
2.4 Information Technology Monitoring and Assurance Practices for Management
[Figure: enterprise architecture levels of abstraction: Scope, Enterprise Model, Systems Model, Technology Model, Detailed Representation]
2.4.5 Enterprise Architecture (continued)
The Federal Enterprise Architecture (FEA) reference model hierarchy:
• Performance
• Business
• Service component
• Technical
• Data
2.5.1 Strategic Planning
• IDEAL model
• Capability Maturity Model Integration (CMMI)
• Team Software Process (TSP)
• Personal Software Process (PSP)
2.7 IT Investment and Allocation Practices
Governance in outsourcing
• Mechanism that allows organizations to transfer the delivery of services to third parties
• Accountability remains with the management of the client organization
• Transparency and ownership of the decision-making process must reside within the purview of the client
2.10.2 Sourcing Practices (continued)
• Project management
• End user
• Data management
• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisory reviews
• Independent reviews
Practice Question
2-9 When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
A. Origination
B. Authorization
C. Recording
D. Correction
Practice Question
2-10 In a small organization, where segregation of duties is not practical, an employee performs the functions of computer operator and application programmer. Which of the following controls should an IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications
2.12 Auditing IT Governance Structure and Implementation
Indicators of potential problems include:
• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors
2.12.1 Reviewing Documentation
The following documents should be reviewed:
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• Steering committee reports
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures
2.12.2 Reviewing Contractual Commitments
There are various phases to computer hardware, software and IS service contracts, including:
• Development of contract requirements and service levels
• Contract bidding process
• Contract selection process
• Contract acceptance
• Contract maintenance
• Contract compliance
2.13 Business Continuity Planning
An IS auditor must:
• Evaluate the physical and environmental access controls
• Examine the equipment for current inspection and calibration tags
2.14.6 Reviewing Alternative Processing Contract