2. Course Agenda
American Academy of Auditing
• Learning Objectives
• Discuss Task and Knowledge Statements
• Discuss specific topics within the chapter
• Case studies
• Sample questions
3. Learning Objectives
• Evaluate the effectiveness of the IT governance structure to ensure adequate board control over the decisions, directions and performance of IT, so that it supports the organization's strategies and objectives
• Evaluate the IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives
• Evaluate the IT strategy and the process for its development, approval, implementation and maintenance to ensure that they support the organization's strategies and objectives
4. Learning Objectives (continued)
• Evaluate the organization's IT policies, standards, procedures and processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements
• Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures
• Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives
5. Learning Objectives (continued)
• Evaluate IT contracting strategies and policies and contract management practices to ensure that they support the organization's strategies and objectives
• Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed
• Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance
6. Corporate Governance
• Ethical corporate behavior by directors or others charged with governance in the creation and presentation of value for all stakeholders
• The distribution of rights and responsibilities among the different participants in the corporation, such as the board, managers, shareholders and other stakeholders
• Establishment of rules to manage and report on business risks
7. Monitoring and Assurance Practices for Board and Executive Management
• Enterprises are governed by generally accepted good or best practices, assurance of which is provided by certain controls. From these practices flows the organization's direction, which prescribes certain activities using the organization's resources. The results of these activities are measured and reported on, providing input to the cyclical revision and maintenance of controls.
• IT is likewise governed by good or best practices that ensure that the organization's information and related technology support its business objectives, that its resources are used responsibly, and that its risks are managed appropriately.
8. Monitoring and Assurance Practices for Board and Executive Management (continued)
• Effective enterprise governance focuses individual and group expertise and experience on the specific areas where they can be most effective
• IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are managed
• IT governance is the responsibility of the board of directors and executive management
9. Practice Question
2-1 IT governance ensures that an organization aligns its IT strategy with:
A. enterprise objectives.
B. IT objectives.
C. audit objectives.
D. control objectives.
11. Best Practices for IT Governance (continued)
IT governance has become significant due to:
• Demands for better return from IT investments
• Increases in IT expenditures
• Regulatory requirements for IT controls
• Selection of service providers and outsourcing
• Complexity of network security
• Adoption of control frameworks
• Benchmarking
12. Best Practices for IT Governance (continued)
Audit role in IT governance
• Audit plays a significant role in the successful implementation of IT governance within an organization
• Reporting on IT governance involves auditing at the highest level in the organization and may cross divisional, functional or departmental boundaries
13. Best Practices for IT Governance (continued)
• In accordance with the defined role of the IS auditor, the following aspects of IT governance need to be assessed:
  - The IS function's alignment with the organization's mission, vision, values, objectives and strategies
  - The IS function's achievement of the performance objectives established by the business (effectiveness and efficiency)
  - Legal, environmental, information quality, fiduciary and security requirements
  - The control environment of the organization
  - The inherent risks within the IS environment
14. IT Strategy Committee
• The creation of an IT strategy committee is an industry best practice
• The committee should broaden its scope beyond advice on strategy when assisting the board in its IT governance responsibilities, and also focus on IT value, risks and performance
15. IT Balanced Scorecard
• A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes
• The method goes beyond traditional financial evaluation
• One of the most effective means of aiding the IT strategy committee and management in achieving IT and business alignment
17. Information Security Governance
• A focused activity with specific value drivers:
  - Integrity of information
  - Continuity of services
  - Protection of information assets
• An integral part of IT governance
• Importance of information security governance
18. Information Security Governance (continued)
Importance of information security governance
• Information security (infosec) covers all information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties.
• Infosec is concerned with all aspects of information and its protection at all points of its life cycle within the organization.
19. Information Security Governance (continued)
Effective information security can add significant value to an organization by:
• Providing greater reliance on interactions with trading partners
• Improving trust in customer relationships
• Protecting the organization's reputation
• Enabling new and better ways to process electronic transactions
20. Information Security Governance (continued)
Outcomes of security governance
• Strategic alignment: align with business strategy
• Risk management: manage and execute appropriate measures to mitigate risks
• Value delivery: optimize security investments
• Performance measurement: measure, monitor and report on information security processes
• Resource management: use information security knowledge and infrastructure efficiently and effectively
• Process integration: integration of management assurance processes for security
21. Information Security Governance (continued)
Effective information security governance
• To achieve effective information security governance, management must establish and maintain a framework to guide the development and management of a comprehensive information security program that supports business objectives
• This framework provides the basis for the development of a cost-effective information security program that supports the organization's business goals.
22. Information Security Governance (continued)
Information security governance requires strategic direction and impetus from:
• Boards of directors / senior management
• Executive management
• Steering committees
• Chief information security officers
23. Enterprise Architecture
• Involves documenting an organization's IT assets in a structured manner to facilitate understanding, management and planning for IT investments
• Often involves both a current-state and an optimized future-state representation
24. Enterprise Architecture (continued)
[Figure: The Basic Zachman Framework. Columns: Data, Functional, Network, People, Process, Strategy. Rows: Scope, Enterprise Model, Systems Model, Technology Model, Detailed Representation.]
25. Enterprise Architecture (continued)
The Federal Enterprise Architecture (FEA) hierarchy of reference models:
• Performance
• Business
• Service component
• Technical
• Data
26. Strategic Planning
• From an IS standpoint, strategic planning relates to the long-term direction an organization wants to take in leveraging information technology to improve its business processes
• Effective IT strategic planning involves considering both the organization's demand for IT and its IT supply capacity
27. Strategic Planning (continued)
• The IS auditor should pay attention to the importance of IT strategic planning
• Focus on the importance of a strategic planning process or planning framework
• Consider how the CIO or senior IT management are involved in the creation of the overall business strategy
28. Practice Question
2-2 Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department
29. Practice Question
2-3 Which of the following BEST describes an IT department's strategic planning process?
A. The IT department will have either short-range or long-range plans depending on the organization's broader plans and objectives.
B. The IT department's strategic plan must be time- and project-oriented, but not so detailed as to address and help determine priorities to meet business needs.
C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.
30. Steering Committee
• An organization's senior management should appoint a planning or steering committee to oversee the IS function and its activities
• A high-level steering committee for information technology is an important factor in ensuring that the IS department is in harmony with the corporate mission and objectives
31. Policies
• High-level documents
• Represent the corporate philosophy of an organization
• Must be clear and concise to be effective
32. Policies (continued)
• Management should review all policies carefully
• Policies need to be updated to reflect new technology and significant changes in business processes
• The policies formulated must enable achievement of business objectives and implementation of IS controls
33. Policies (continued)
Information security policies
• Communicate a coherent security standard to users, management and technical staff
• Must balance the level of control with the level of productivity
• Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations
34. Policies (continued)
Information security policy document
• Definition of information security
• Statement of management intent
• Framework for setting control objectives
• Brief explanation of security policies
• Definition of responsibilities
• References to supporting documentation
35. Policies (continued)
Policy groups to be addressed
• High-level information security policy
• Data classification policy
• Acceptable usage policy
• End-user computing policy
• Access control policies
36. Policies (continued)
Review of the information security policy document
• Should be reviewed at planned intervals, or when significant changes occur, to ensure its continuing suitability, adequacy and effectiveness
• Should have an owner with approved management responsibility for the development, review and evaluation of the security policy
• The review should include assessing opportunities for improvement to the organization's information security policy
37. Procedures
Procedures are detailed documents that:
• Define and document how policies are implemented
• Must be derived from the parent policy
• Must implement the spirit (intent) of the policy statement
• Must be written in a clear and concise manner
38. Risk Management
The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives
39. Developing a Risk Management Program
To develop a risk management program:
• Establish the purpose of the risk management program
• Assign responsibility for the risk management plan
40. Risk Management Process
• Identify and classify the information resources or assets that need protection
• Assess threats and vulnerabilities and the likelihood of their occurrence
• Once the elements of risk have been established, they are combined to form an overall view of risk
41. Risk Management Process (continued)
• Evaluate existing controls, or design new controls, to reduce the vulnerabilities to an acceptable level of risk
• Residual risk: the risk that remains after the controls have been applied
42. Risk Management Process (continued)
IT risk management needs to operate at multiple levels, including:
• Operational: risks that could compromise the effectiveness of IT systems and supporting infrastructure
• Project: risk management needs to focus on the ability to understand and manage project complexity
• Strategic: the risk focus shifts to considerations such as how well the IT capability is aligned with the business strategy
43. Risk Analysis Methods
• Qualitative
• Semiquantitative
• Quantitative
  - Probability and expectancy
  - Annual loss expectancy (ALE) method
44. Risk Analysis Methods (continued)
Management and IS auditors should keep in mind certain considerations:
• Risk management should be applied to IT functions throughout the company
• Risk management is a senior management responsibility
• Quantitative risk management is generally preferred over qualitative approaches because it provides more objective assumptions, but it always faces the challenge of estimating risks (probabilities and impacts)
• The real complexity or apparent sophistication of the methods or packages used should not be a substitute for common sense or professional diligence
• Special care should be given to very high impact events, even if the probability of occurrence over time is very low
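The following is an added worked example, not part of the course slides, showing the annual loss expectancy (ALE) method named on the previous slide alongside a semiquantitative rating of the same risks, and the caveat that a rare but catastrophic event should be surfaced even when its ALE is small. The risk register, band thresholds and the hypothetical control are constructed illustrations, not figures from the course.

```python
# Added example (not from the course slides): the annual loss expectancy
# (ALE) method of quantitative risk analysis, a semiquantitative rating of
# the same risks, and the caveat that very high impact, very low
# probability events need special care even when their ALE is small.
#
#   SLE (single loss expectancy) = asset value x exposure factor
#   ALE (annual loss expectancy) = SLE x ARO (annualized rate of occurrence)
#
# Every asset value, exposure factor and rate below is a constructed sample
# figure chosen for illustration, not data taken from the slides.

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value at stake, in currency units
    exposure_factor: float  # fraction of asset value lost per event (0..1)
    aro: float              # expected events per year

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


def control_net_benefit(risk: Risk, annual_control_cost: float,
                        aro_after_control: float) -> float:
    """Annual net benefit of a control that lowers the risk's ARO:
    ALE before - ALE after - cost of the control. Positive means the
    control is financially justified under this model."""
    ale_after = risk.sle * aro_after_control
    return risk.ale - ale_after - annual_control_cost


def semiquantitative_rating(risk: Risk,
                            impact_bands=(10_000, 100_000, 1_000_000),
                            likelihood_bands=(0.01, 0.1, 1.0)) -> int:
    """Place SLE and ARO on ordinal 1..4 scales and multiply (1..16).
    The band thresholds are assumptions; an organization sets its own."""
    def band(value, thresholds):
        return 1 + sum(value > t for t in thresholds)
    return band(risk.sle, impact_bands) * band(risk.aro, likelihood_bands)


def prioritize(risks, high_impact_threshold: float):
    """Rank risks by ALE, but separately surface every risk whose single
    event loss exceeds the threshold, however small its ALE: ranking by
    ALE alone buries rare catastrophic events."""
    ranked = [r.name for r in sorted(risks, key=lambda r: r.ale, reverse=True)]
    flagged = [r.name for r in risks if r.sle >= high_impact_threshold]
    return ranked, flagged


# Constructed sample register (hypothetical figures).
REGISTER = [
    Risk("laptop theft", 5_000, 1.0, 10.0),                  # frequent, cheap
    Risk("ransomware on file server", 2_000_000, 0.5, 0.2),
    Risk("data center fire", 20_000_000, 0.8, 0.005),        # rare, catastrophic
]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:28s} SLE={r.sle:>14,.0f} ALE={r.ale:>12,.0f} "
              f"semiquant={semiquantitative_rating(r)}")
    ranked, flagged = prioritize(REGISTER, high_impact_threshold=10_000_000)
    print("ranked by ALE:", ranked)
    print("high impact, address regardless of ALE:", flagged)
    # Hypothetical control: backups plus patching cut the ransomware ARO to 0.05
    print("ransomware control net benefit:",
          control_net_benefit(REGISTER[1], 60_000, 0.05))
```

Note how the data center fire ranks second by ALE yet carries the largest single-event loss by far; the `prioritize` function returns it in the flagged list precisely because ALE ranking alone would not make that visible.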
45. Personnel Management
• Hiring
• Employee handbook
• Promotion policies
• Training
• Scheduling and time reporting
• Employee performance evaluations
• Required vacations
• Termination policies
46. Sourcing Practices
• Sourcing practices relate to the way an organization obtains the IS functions required to support the business
• Organizations can perform all IS functions in-house or outsource all functions across the globe
• The sourcing strategy should consider each IS function and determine which approach allows that function to meet the organization's goals
47. Sourcing Practices (continued)
Outsourcing practices and strategies
• Contractual agreements under which an organization hands over control of part or all of the functions of the IS department to an external party
• Becoming increasingly important in many organizations
• The IS auditor must be aware of the various forms outsourcing can take as well as the associated risks
48. Sourcing Practices (continued)
Possible advantages:
• Commercial outsourcing companies are likely to devote more time to, and focus more efficiently on, a given project than in-house staff
• Outsourcing vendors are likely to have more experience with a wider array of problems, issues and techniques
Possible disadvantages:
• Costs exceeding customer expectations
• Loss of internal IS experience
• Loss of control over IS
• Vendor failure
49. Sourcing Practices (continued)
Risks can be reduced by:
• Establishing measurable, partnership-enacted shared goals and rewards
• Using multiple suppliers or withholding a piece of business as an incentive
• Performing periodic competitive reviews and benchmarking/bench trending
• Implementing short-term contracts
• Forming a cross-functional contract management team
• Including contractual provisions to cover as many contingencies as can reasonably be foreseen
50. Sourcing Practices (continued)
Globalization practices and strategies
• Requires management to actively oversee the remote or offshore locations
• The IS auditor can assist an organization in moving IS functions offsite or offshore by ensuring that IS management considers the following:
  - Legal, regulatory and tax issues
  - Continuity of operations
  - Personnel
  - Telecommunication issues
  - Cross-border and cross-cultural issues
51. Sourcing Practices (continued)
Governance in outsourcing
• A mechanism that allows organizations to transfer the delivery of services to third parties
• Accountability remains with the management of the client organization
• Transparency and ownership of the decision-making process must reside within the purview of the client
52. Sourcing Practices (continued)
Third-party service delivery management
• Every organization using the services of third parties should have a service delivery management system in place to implement and maintain the appropriate level of information security and service delivery in line with the third-party service delivery agreements
• The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed with the third party.
53. Organizational Change Management
What is change management?
• Managing IT changes for the organization
  - Identify and apply technology improvements at the infrastructure and application level
54. Quality Management
Areas covered by quality management include:
• Software development, maintenance and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• Human resource management
• General administration
55. Practice Question
2-4 The MOST important responsibility of a data security officer in an organization is:
A. recommending and monitoring data security policies.
B. promoting security awareness within the organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access controls.
56. Practice Question
2-5 Which of the following is MOST likely to be performed by the security administrator?
A. Approving the security policy
B. Testing application software
C. Ensuring data integrity
D. Maintaining access rules
57. Performance Optimization
• A process driven by performance indicators
• Optimization refers to the process of improving the productivity of information systems to the highest level possible without unnecessary additional investment in the IT infrastructure
58. Performance Optimization (continued)
Five ways to use performance measures:
• Measure products/services
• Manage products/services
• Assure accountability
• Make budget decisions
• Optimize performance
59. Practice Question
2-6 An IS auditor should ensure that IT governance performance measures:
A. evaluate the activities of IT oversight committees.
B. provide strategic IT drivers.
C. adhere to regulatory reporting standards and definitions.
D. evaluate the IT department.
60. Organizational Structure and Responsibilities
61. IS Roles and Responsibilities
• Systems development manager
• Help desk
• End user
• End user support manager
62. IS Roles and Responsibilities (continued)
• Data management
• Quality assurance manager
• Vendor and outsourcer management
• Operations manager
63. IS Roles and Responsibilities (continued)
• Control group
• Media management
• Data entry
• Systems administration
64. IS Roles and Responsibilities (continued)
• Security administration
• Quality assurance
• Database administration
65. IS Roles and Responsibilities (continued)
• Systems analyst
• Security architect
• Applications development and maintenance
• Infrastructure development and maintenance
• Network management
66. Segregation of Duties Within IS
• Reduces the possibility of errors or misappropriation
• Discourages fraudulent acts
• Limits access to data
68. Practice Question
2-7 Which of the following tasks may be performed by the same person in a well-controlled information processing computer center?
A. Security administration and change management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance
69. Practice Question
2-8 Which of the following is the MOST critical control over database administration?
A. Approval of DBA activities
B. Segregation of duties
C. Review of access logs and activities
D. Review of the use of database tools
70. Segregation of Duties Controls
Control measures to enforce segregation of duties include:
• Transaction authorization
• Custody of assets
• Access to data
  - Authorization forms
  - User authorization tables
71. Segregation of Duties Controls (continued)
Compensating controls for lack of segregation of duties include:
• Audit trails
• Reconciliation
• Exception reporting
• Transaction logs
• Supervisory reviews
• Independent reviews
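The following is an added worked example, not part of the course slides, covering both of the preceding slides: a preventive check that reads a user authorization table for incompatible function combinations, and a detective compensating control that reads a transaction log and produces the exception report a supervisor would review. The incompatible pairs used are the combinations this chapter's practice questions treat as conflicts (security administration with change management, computer operations with system development, system development with change management, and authorization with origination, recording or correction); a real matrix is the organization's own, and every user and log entry below is constructed sample data.

```python
# Added example (not from the course slides): two scripted checks against
# segregation-of-duties controls.
#   find_sod_conflicts      - preventive: user authorization table review
#   authorization_exceptions - detective: exception report from the log
# The incompatible function pairs are the ones this chapter's practice
# questions treat as conflicts; a real matrix is the organization's own.
# All users and log entries are constructed sample data.

from itertools import combinations

# Pairs of functions one person must not hold together.
INCOMPATIBLE = {
    frozenset({"security_administration", "change_management"}),
    frozenset({"computer_operations", "system_development"}),
    frozenset({"system_development", "change_management"}),
    # Whoever authorizes a transaction must not also originate,
    # record or correct it.
    frozenset({"authorization", "origination"}),
    frozenset({"authorization", "recording"}),
    frozenset({"authorization", "correction"}),
}

# Constructed user authorization table: user -> functions granted.
AUTH_TABLE = {
    "alice": {"system_development", "systems_maintenance"},     # compatible
    "bob":   {"computer_operations", "system_development"},     # conflict
    "carol": {"security_administration", "change_management"},  # conflict
    "dave":  {"origination", "recording", "correction"},        # no authorization
    "erin":  {"origination", "authorization"},                  # conflict
}

# Constructed transaction log entries: (transaction id, action, user).
TXN_LOG = [
    ("T1001", "originate", "dave"),
    ("T1001", "authorize", "frank"),
    ("T1002", "originate", "erin"),
    ("T1002", "authorize", "erin"),    # originated and authorized by erin
    ("T1003", "originate", "dave"),
    ("T1003", "correct",   "dave"),
    ("T1003", "authorize", "frank"),
    ("T1004", "record",    "frank"),
    ("T1004", "authorize", "frank"),   # recorded and authorized by frank
]


def find_sod_conflicts(auth_table, incompatible=INCOMPATIBLE):
    """Preventive check: {user: [(function_a, function_b), ...]} for every
    user whose granted functions include an incompatible pair."""
    conflicts = {}
    for user, functions in auth_table.items():
        hits = [pair for pair in combinations(sorted(functions), 2)
                if frozenset(pair) in incompatible]
        if hits:
            conflicts[user] = hits
    return conflicts


def authorization_exceptions(log):
    """Detective check over the transaction log: return
    [(transaction id, [users]), ...] where a user who authorized the
    transaction also originated, recorded or corrected it."""
    actions_by_txn = {}
    for txn_id, action, user in log:
        actions_by_txn.setdefault(txn_id, {}).setdefault(action, set()).add(user)
    exceptions = []
    for txn_id in sorted(actions_by_txn):
        acts = actions_by_txn[txn_id]
        authorizers = acts.get("authorize", set())
        handlers = set()
        for act in ("originate", "record", "correct"):
            handlers |= acts.get(act, set())
        overlap = authorizers & handlers
        if overlap:
            exceptions.append((txn_id, sorted(overlap)))
    return exceptions


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(AUTH_TABLE).items():
        print(f"SoD conflict: {user}: {pairs}")
    for txn_id, users in authorization_exceptions(TXN_LOG):
        print(f"exception: {txn_id} authorized by {users}, who also handled it")
```

The first check is what an auditor runs against the user authorization tables named on the slide before; the second is only useful if the transaction log is itself protected from the people it monitors, which is why the compensating control is paired with supervisory or independent review rather than left to the operator.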
72. Practice Question
2-9 When complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
A. Origination
B. Authorization
C. Recording
D. Correction
73. Practice Question
2-10 In a small organization, where segregation of duties is not practical, an employee performs the functions of computer operator and application programmer. Which of the following controls should an IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications
74. Auditing IT Governance Structure and Implementation
Indicators of potential problems include:
• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors
75. Reviewing Documentation
The following documents should be reviewed:
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• Steering committee reports
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures
76. Reviewing Contractual Commitments
There are various phases to computer hardware, software and IS service contracts, including:
• Development of contract requirements and service levels
• Contract bidding process
• Contract selection process
• Contract acceptance
• Contract maintenance
• Contract compliance
77. Case Study A Scenario
An IS auditor has been asked to review the draft of an outsourcing contract and SLA and to recommend any changes or point out any concerns before these are submitted to senior management for final approval. The agreement includes outsourcing support of Windows and UNIX server administration and network management to a third party.
Servers will be relocated to the outsourcer's facility, which is located in another country, and connectivity will be established using the Internet. Operating system software will be upgraded on a semiannual basis, but it will not be escrowed. All requests for addition or deletion of user accounts will be processed within three business days.
78. Case Study A Scenario (continued)
Intrusion detection software will be continuously monitored by the outsourcer, and the customer will be notified by e-mail if any anomalies are detected. New employees hired within the last three years were subject to background checks; prior to that, there was no policy in place.
A right-to-audit clause is in place, but 24-hour notice is required prior to an onsite visit. If the outsourcer is found to be in violation of any of the terms or conditions of the contract, it will have 10 business days to correct the deficiency. The outsourcer does not have an IS auditor, but it is audited by a regional public accounting firm.
79. Case Study A Question
1. Which of the following should be of MOST concern to the IS auditor?
A. User account changes are processed within three business days.
B. Twenty-four hour notice is required prior to an onsite visit.
C. The outsourcer does not have an IS audit function.
D. Software escrow is not included in the contract.
80. Case Study A Question
2. Which of the following would be the MOST significant issue to address if the servers contain personally identifiable customer information that is regularly accessed and updated by end users?
A. The country in which the outsourcer is based prohibits the use of strong encryption for transmitted data.
B. The outsourcer limits its liability if it took reasonable steps to protect the customer data.
C. The outsourcer did not perform background checks for employees hired over three years ago.
D. System software is only upgraded once every six months.