Cisa 02

This section discusses IT governance and risk management. It covers defining governance and risk identification, as well as tools like COBIT and the capability maturity model. The role of auditors in governance is to make recommendations to improve quality and effectiveness.

CISA Examination Preparation

Section 2: IT Governance
- Governance
- Risk Identification and Management
- Management Practices and Controls
- COBIT
- The Capability Maturity Model

© 2017 Precise Thinking TCT. All rights reserved.


Section Objectives 2-2
After completing this section, you will be able to:
- Define governance
- Explain risk identification and management
- Describe management practices and controls
- Define COBIT
- Explain the capability maturity model

Introduction 2-3
- This section discusses IT governance, which involves control of items that are strategic in nature.
- Senior management and the IT steering committee help provide the long-term vision.
- Control is also implemented on a more tactical level, including:
  - Personnel management
  - Organizational change management
  - Segregation of duties

Introduction (cont.) 2-4
The primary topics a CISA candidate should review for the exam include:
- The way IT governance should be structured
- The methods of risk management
- How tools, such as COBIT and the capability maturity model, are used
- Proper separation-of-duty controls
- Good human resources management practices
- Methods for measuring and reporting IT performance

Governance 2-5
IT governance:
- Is a subset of corporate governance
- Focuses on the belief that the managers, directors, and others in charge of the organization must understand the role of IT in the organization
Management must:
- Implement rules and regulations to control the IT infrastructure
- Develop practices to distribute responsibilities
These practices:
- Prevent a single person or department from shouldering responsibility
- Set up a framework of control

Best Practices for Senior Management 2-6
IT governance best practices require the company to meet two specific goals:
- Align the goals of IT to the goals of the company: both must focus on and work for the common good of the company
- Establish accountability, requiring that individuals be held responsible for their actions:
  - Accountability can be seen as a pyramid
  - Responsibility starts with the lowest-level employees and builds up to top management

Best Practices for Senior Management (cont.) 2-7
[Figure: Organization and IT alignment. Business side: overall goals, marketing, customer requirements, sales and delivery, fulfillment, accounting and audit. IT side: IT purpose, IT needs, required service levels, IT controls and change management.]

Audit’s Role in Governance 2-8
The auditor’s primary role in IT governance is to:
- Make recommendations
- Provide guidance to senior management
The objective:
- Improve quality
- Improve effectiveness

Audit’s Role in Governance (cont.) 2-9
Auditors should:
- Understand the company’s goals and objectives
- Review the IT strategic plan
- Analyze organizational charts
- Study job descriptions
- Evaluate existing policies and procedures

The Auditor’s Role 2-10
Auditors:
- Play a significant role in the organization’s success
- Must be independent from management and have the authority to cross over departmental boundaries
- Usually report governance issues to the highest level of management and must have the proper set of skills

IT Steering Committee (1) 2-11
- Consists of members of high-level management within the company
- Is managed by the CEO or a personally appointed and instructed representative
- Representatives include:
  - IT management: represented by the CIO or a CIO representative
  - Legal: represented by an executive from the legal department
  - Finance: represented to provide financial guidance

IT Steering Committee (2) 2-12
  - Sales and marketing: represented to ensure the organization has the technology needed to convert shoppers into buyers
  - Quality control: represented to ensure products meet required standards and consumers view products favorably
  - R&D (research and development): represented because IT must meet the needs of new product development
  - HR (human resources): represented because the technology needed to be successful is as complex as managing employees

IT Steering Committee (3) 2-13
- The committee is responsible for reviewing major IT projects, budgets, and plans.
- These duties and responsibilities should be defined in a formal audit charter.
- Members must have authority to make a management decision in the area they represent.
- The main role is to ensure efficient use of information resources.
- If an organization is lacking a charter or steering committee, IT and business may NOT be closely aligned.

Measuring Performance 2-14
- Includes activities to ensure the organization’s goals are consistently being met in an effective and efficient manner
- Was historically measured only by financial means
- A broader approach, developed by Robert Kaplan and David Norton, was named the balanced scorecard

Balanced Scorecard 2-15
Gathers input from the following four perspectives:
1. Customer perspective: includes the importance the company places on meeting customer needs
2. Internal operations: includes metrics managers use to measure how well the organization is performing and how closely its products meet customer needs
3. Innovation and learning: includes corporate culture and attitudes toward learning, growth, and training
4. Financial evaluation: includes timely and accurate financial data

Balanced Scorecard… 2-16
[Figure: balanced scorecard diagram; no text recoverable.]

Information Security Governance 2-17
- Has become a much more important activity during the last decade
- Focuses on:
  - Availability of services
  - Integrity of information
  - Protection of data confidentiality

Enterprise Architecture (1) 2-18
- EA is the practice of organizing and documenting a company’s IT assets to enhance:
  - Planning
  - Management
  - Expansion
- The primary purpose of using EA is to ensure that business strategy and IT investments are aligned.

Enterprise Architecture (2) 2-19
- Federal law requires government agencies to set up an EA and a structure for its governance via the FEA (Federal Enterprise Architecture) reference model.
- The FEA is designed to use five models:
  - Performance: to measure performance of major IT investments
  - Business: to provide an organized, hierarchical model for day-to-day business operations
  - Service: to classify service components based on how they support business or performance objectives

Enterprise Architecture (3) 2-20
  - Technical: to categorize the standards, specifications, and technologies that support delivery of service components and capabilities
  - Data: to provide standards by which data may be described, categorized, and shared

Enterprise Architecture (4) 2-21
[Figure: enterprise architecture diagram; no text recoverable.]

Determining Who Pays 2-22
The three most common methods include:
- Shared cost: all departments of the organization share the cost
- Chargeback: individual departments are directly charged for the services they use
- Sponsor pays: project sponsors pay all costs

The Role of Strategy, Policies, Planning, and Procedures 2-23
- Policies should exist to cover organizational control.
- Companies have legal and business requirements to establish policies and procedures.
- Law dictates who is responsible and what standards must be upheld to meet minimum corporate governance requirements.
- Management is responsible for dividing the company into smaller subgroups that control specific functions.
- Policies and procedures dictate how activities occur in each functional area.

Strategic Goals and Security Policy 2-24
Security policy: general statement
- Produced by senior management
- Dictates the role security plays in the organization
[Figure: policy hierarchy. Laws, regulations, and liabilities feed the organizational policy (strategic level); below it sit issue-specific policies (tactical level) and system-specific policies (operational level).]

Goals and Documents 2-25
- Standards: specify how hardware and software products are to be used
- Baselines: specify a minimum level of performance or security
- Guidelines: specify recommended actions when specific standards do not exist
- Procedures: provide detailed step-by-step instructions for achieving a certain task

Standards, Baselines, and Guidelines 2-26
- Standards are much more specific than policies.
- These tactical documents lay out specific steps or processes required to meet a certain requirement.

Level / Document   Policy   Standard   Procedure
Strategic          X
Tactical                    X
Operational                            X

Policy Development 2-27
- The policy process can be driven top-down or bottom-up.
- Top-down policy development means that policies are pushed down from the top of the company.
- Bottom-up policy development starts with input from operational employees.

Policy Types 2-28
Policies are designed to address specific concerns:
- Regulatory: ensure that the organization’s standards are in accordance with requirements. Industries that frequently use these documents include:
  - Health care
  - Public utilities
  - Refining
  - Federal government

Policy Types (cont.) 2-29
- Advisory: ensures that all employees know the consequences of certain behavior and actions. Example: a policy stating how employees can use the Internet during the course of business; if violated, it could lead to disciplinary action or dismissal.
- Informative: designed for teaching, NOT enforcement. The goal is to inform employees and/or customers. Example: the return policy on goods bought on the business’ website.

Reviewing Policies, Procedures, and Documentation 2-30
Per ISACA, the following items should be examined as part of the AUDIT:
- Human resources documents
- Quality-assurance procedures
- Process and operation manuals
- Change-management documentation
- IT forecasts and budgets
- Security policies and procedures
- Organizational charts and functional diagrams
- Job details and descriptions
- Steering committee reports

Reviewing Policies, Procedures, and Documentation (cont.) 2-31
During the review of policies, procedures, and documentation, any of the following might indicate potential problems:
- Excessive costs
- Budget overruns
- Late projects
- A high number of aborted projects
- Lack of documentation
- Out-of-date documentation
- Employees unaware or unknowledgeable about documentation

Risk Identification and Management 2-32
- The first step in the risk-management process is to identify and classify the organization’s assets.
- Information and systems must be valued to determine their worth.
- When asset identification and valuation are completed, the organization can start the risk-identification process.
- Risk identification involves identifying potential risks and threats to the organization’s assets.

Risk-Management Team 2-33
- A risk-management team is tasked with identifying the threats to the organization’s assets.
- The team then can examine the impact of the identified threats.
- This process can be based on real dollar amounts or on a gut feeling or hunch.
- When the impact is analyzed, the team can look at alternatives for handling the potential risks.

Asset Identification 2-34
- The task of identifying all the organization’s assets
- Assets can be both tangible and intangible
- Assets commonly examined:
  - Hardware
  - Software
  - Employees
  - Services
  - Reputation
  - Documentation

Asset Value 2-35
- The risk-management team must think about the replacement cost of an item before assigning value.
- The value should be considered more than just the cost to create or purchase. Key considerations include:
  - What did the asset cost to acquire or create?
  - What is the liability if the asset is compromised?
  - What is the production cost if the asset is unavailable?
  - What is the value of the asset to competitors and foreign governments?
  - How critical is the asset, and how would its loss affect the company?

Threat Identification 2-36
- The risk-management team can gather input from a range of sources to help identify threats.
- The following sources should be consulted to help identify current and emerging threats:
  - Business owners and senior managers
  - Legal counsel
  - HR representatives
  - IS auditors
  - Network administrators
  - Security administrators
  - Operations
  - Facility records

Threats 2-37
- Any circumstance or event that has the potential to negatively impact an asset by means of:
  - Unauthorized access
  - Destruction
  - Disclosure
  - Modification
- Identifying all potential threats is a huge responsibility.

Threats (cont.) 2-38
A somewhat easier approach is to categorize the common types of threats:
- Physical threat/theft
- Human error
- Application error/buffer overflow
- Equipment malfunction
- Environmental hazards
- Malicious software/covert channels

Threats and Losses 2-39
- A threat coupled with a vulnerability can lead to a loss.
- Examples of losses or impacts include:
  - Financial loss
  - Loss of reputation
  - Danger or injury to staff, clients, or customers
  - Loss of business opportunity
  - Breach of confidence or violation of law

Risk-Analysis Methods 2-40
Two basic risk-analysis methods:
- Quantitative:
  - Deals with dollar amounts
  - Attempts to assign a cost (monetary value) to the elements of a risk analysis, such as assets and threats
- Qualitative:
  - Ranks threats by non-dollar values
  - Is based more on scenario, intuition, and experience

Quantitative Risk Assessment 2-41
Includes six steps:
1. Determine AV (asset value) for each information asset
2. Identify threats to each asset
3. Determine EF (exposure factor) for each information asset in relation to each threat
4. Calculate SLE (single loss expectancy)
5. Calculate ARO (annualized rate of occurrence)
6. Calculate ALE (annualized loss expectancy)
[Figure: flow from Threat to Vulnerability to Impact or Loss, then Single Loss Expectancy and Annualized Risk, ending in the choices Reduce Risk, Accept Risk, or Assign Risk.]
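The six steps above carried through in code, as an added example that is not part of the original course material. The asset values, exposure factors, and occurrence rates are constructed sample figures, and the yearly control cost used in the final reduce-or-accept comparison is an assumed number:

```python
"""Quantitative risk assessment: SLE = AV x EF, ALE = SLE x ARO.
Added worked example; every figure below is a constructed sample value."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    asset: str
    threat: str
    asset_value: float      # AV: value of the asset in dollars (step 1)
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (step 3)
    annual_rate: float      # ARO: expected occurrences per year (step 5)


def single_loss_expectancy(av: float, ef: float) -> float:
    """Step 4: SLE = AV x EF, the loss expected from a single occurrence."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Step 6: ALE = SLE x ARO, the loss expected per year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def assess(s: ThreatScenario) -> dict:
    """Run steps 4 and 6 for one asset/threat pair."""
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    return {"asset": s.asset, "threat": s.threat,
            "SLE": sle, "ALE": annualized_loss_expectancy(sle, s.annual_rate)}


def rank_by_ale(scenarios) -> list:
    """Highest annual exposure first, which is the order in which to fund controls."""
    return sorted((assess(s) for s in scenarios), key=lambda r: r["ALE"], reverse=True)


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual benefit of a countermeasure: ALE reduction minus its yearly cost.
    A negative result means the control costs more than the risk it removes."""
    return (ale_before - ale_after) - annual_control_cost


# Constructed scenarios; step 2 pairs each asset with a threat.
SCENARIOS = [
    ThreatScenario("Customer database", "Ransomware encryption", 500_000, 0.60, 0.25),
    ThreatScenario("E-mail server", "Virus outbreak", 80_000, 0.30, 2.0),
    ThreatScenario("Facility power", "Extended outage", 1_000_000, 0.10, 0.5),
]


def backup_control_decision() -> float:
    """Assumed: offline backups cost $40,000 per year and cut the database EF to 0.10."""
    before = assess(SCENARIOS[0])
    after = assess(ThreatScenario("Customer database", "Ransomware encryption",
                                  500_000, 0.10, 0.25))
    return control_value(before["ALE"], after["ALE"], 40_000)


if __name__ == "__main__":
    for r in rank_by_ale(SCENARIOS):
        print(f"{r['asset']:<18} {r['threat']:<22} "
              f"SLE=${r['SLE']:>10,.0f}  ALE=${r['ALE']:>10,.0f}")
    print(f"Net annual benefit of the backup control: ${backup_control_decision():,.0f}")
```

The ranking is what drives the reduce/accept/assign decision in the figure: a control is worth buying only while its yearly cost stays below the ALE it removes, which is what `control_value` reports.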

Qualitative Risk Analysis 2-42
Qualitative risk assessment:
- Is scenario based
- Examines asset, threat, and exposure or potential for loss that would occur if the threat were realized on the IT asset
- Requires the risk analysis team to ask, “What if?” regarding specific threat conditions on IT assets

Qualitative Risk Analysis (cont.) 2-43
Purpose:
- Provide a consistent and subjective assessment of risk to specific IT assets
Risk analysis team task:
- Develop real scenarios that describe a threat and potential losses to organizational assets

Qualitative Analysis (6 Steps) (1) 2-44
1. List critical assets in a spreadsheet
2. Specify critical threats and vulnerabilities for each asset
   - There may be more than one critical threat or vulnerability for a given asset
3. Develop a consistent exposure severity scale for each asset, based on its known threats and vulnerabilities, to:
   - Cover critical, high, medium, and low exposure
   - Be assigned according to asset and the specific threat that can be exploited

Qualitative Analysis (6 Steps) (2) 2-45

Score  Probability                      Impact    Detectability
4      Highly likely or very probable   Critical  Determined after impact has been realized
       (76-100%)
3      Likely (51-75%)                  Severe    Realized upon trigger event
2      Somewhat likely (26-50%)         Moderate  Realized immediately prior to trigger event;
                                                  potential to mitigate if monitored
1      Unlikely or improbable (0-25%)   Minor     Known well in advance of event or triggered event

Qualitative Analysis (6 Steps) (3) 2-46
4. Organize and prioritize risk assessment results, from most critical to least
5. Prioritize funds for security controls and security countermeasures for assets:
   - With the greatest importance to the organization
   - With the greatest exposure to risk
6. Ensure that the organization's critical assets achieve appropriate goals and objectives for:
   - Confidentiality
   - Integrity
   - Availability

Qualitative Analysis: Results 2-47

Asset              Threat                  Exposure
Facility power     Loss of power           Critical
Customer database  Software vulnerability  Severe
E-mail server      Virus attack            Moderate
File server        Loss of data            Minor
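The six-step qualitative method of slides 2-44 to 2-47 worked through as an added example that is not part of the original slides. It uses the 1-4 scoring scale from slide 2-45; the rule that multiplies probability, impact, and detectability into one priority number, and the thresholds that map that number onto the Critical/Severe/Moderate/Minor exposure levels, are this example's own assumptions, chosen so that the constructed scenarios reproduce the results table above:

```python
"""Qualitative risk analysis on the 1-4 probability / impact / detectability scale.
Added worked example: the combining rule, thresholds, and scenarios are assumptions."""
from dataclasses import dataclass

PROBABILITY = {4: "Highly likely or very probable (76-100%)", 3: "Likely (51-75%)",
               2: "Somewhat likely (26-50%)", 1: "Unlikely or improbable (0-25%)"}
IMPACT = {4: "Critical", 3: "Severe", 2: "Moderate", 1: "Minor"}
DETECTABILITY = {4: "Determined after impact has been realized",
                 3: "Realized upon trigger event",
                 2: "Realized immediately prior to trigger event; mitigable if monitored",
                 1: "Known well in advance of event"}


def probability_score(likelihood_pct: float) -> int:
    """Map an estimated likelihood (percent) onto the slide's 1-4 probability score."""
    if not 0 <= likelihood_pct <= 100:
        raise ValueError("likelihood must be a percentage from 0 to 100")
    if likelihood_pct > 75:
        return 4
    if likelihood_pct > 50:
        return 3
    if likelihood_pct > 25:
        return 2
    return 1


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    probability: int
    impact: int
    detectability: int

    def __post_init__(self):
        for name in ("probability", "impact", "detectability"):
            if getattr(self, name) not in (1, 2, 3, 4):
                raise ValueError(f"{name} must be scored 1-4")


def priority_number(s: Scenario) -> int:
    """Assumed combining rule (FMEA-style): probability x impact x detectability, 1-64."""
    return s.probability * s.impact * s.detectability


def exposure(s: Scenario) -> str:
    """Assumed thresholds mapping the priority number onto the four exposure levels."""
    n = priority_number(s)
    if n >= 36:
        return "Critical"
    if n >= 18:
        return "Severe"
    if n >= 8:
        return "Moderate"
    return "Minor"


def prioritize(scenarios) -> list:
    """Step 4: order results from most critical to least."""
    return sorted(scenarios, key=priority_number, reverse=True)


def results_table(scenarios) -> list:
    """Step 4 output in the layout of the results slide: (asset, threat, exposure) rows."""
    return [(s.asset, s.threat, exposure(s)) for s in prioritize(scenarios)]


# Steps 1-3: constructed worksheet of critical assets, their threats, and scores.
WORKSHEET = [
    Scenario("Facility power", "Loss of power", probability_score(60), 4, 3),
    Scenario("Customer database", "Software vulnerability", probability_score(40), 4, 3),
    Scenario("E-mail server", "Virus attack", probability_score(80), 2, 1),
    Scenario("File server", "Loss of data", probability_score(10), 3, 1),
]

if __name__ == "__main__":
    print(f"{'Asset':<18} {'Threat':<24} Exposure")
    for asset, threat, level in results_table(WORKSHEET):
        print(f"{asset:<18} {threat:<24} {level}")
```

Step 5 follows directly from the ordered table: the first rows are the assets with the greatest exposure, and therefore the first to receive funding for controls. Because the scale is subjective, the important property is consistency, which is why the scoring thresholds live in one place rather than being re-estimated per asset.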

Qualitative Risk Analysis Techniques 2-48
Qualitative risk analysis techniques include:
- Delphi technique
- Brainstorming
- Storyboarding
- Surveys, questionnaires, checklists
- One-on-one meetings and interviews

Qualitative Risk Analysis Techniques (cont.) 2-49
[Figure: spectrum of analysis methods, from qualitative (policy, regulation, checklist, interview, Delphi) through FRAP to quantitative (accounting, statistical).]

Quantitative vs. Qualitative 2-50

Property                             Quantitative  Qualitative
Financial hard costs                 X
Can be automated                     X
Little guesswork                     X
No complex calculations                            X
Low volume of information required                 X
Short time and easier workload                     X
Easy to communicate results                        X

Management Practices and Controls 2-51
- Management is tasked with the guidance and control of the organization; they are the individuals responsible for the organization.
- Although companies heavily depend on technology, many management duties depend on people skills, including interaction with employees and with people outside the traditional organizational boundaries.

Employee Management 2-52
- Employee management deals with the policies and procedures that detail how people are hired, promoted, retained, and terminated.
- Employees can have a considerable impact on the security of the company.
- 54% of instances of lost data or security breaches are attributed to employees and only 34% to outside hackers.

Pre-Employment Checks 2-53
Some basic common controls should be used during the hiring process:
- Background checks
- Educational checks
- Reference checks
- Confidentiality agreements
- Non-compete agreements
- Conflict-of-interest agreements

Current Employee Controls 2-54
Per ISACA, an employee handbook should address the following issues:
- Security practices, policies, and procedures
- Employee package of benefits
- Paid holiday and vacation policy
- Work schedule and overtime policy
- Moonlighting and outside employment
- Employee evaluations
- Disaster response and emergency procedures
- Disciplinary action process for noncompliance

Employee Training 2-55
Common training methods include:
- In-house training
- Classroom training
- Vendor training
- On-the-job training
- Apprenticeship programs
- Degree programs
- Continuing education programs

Employee Termination 2-56
- Exit interviews
- Change control
- Return of company equipment
- Resetting accounts
- Restricting access

Sourcing 2-57
Functions can occur at a wide range of locations, inside and outside the company:
- Onsite: employees and contractors work at the company’s facility
- Offsite: staff and contractors work at a remote location
- Offshore: staff and contractors work in a separate geographic region

Right-to-Audit 2-58
- Outsourcing partners face the same risks, threats, and vulnerabilities as the client.
- Every outsourcing agreement should contain a right-to-audit clause.

Service Level Agreement 2-59
- If the outsourcing provider will provide a time-sensitive service, an SLA can guarantee the level of service the outsourcing partner is agreeing to provide.
- The SLA should specify the agreed-upon:
  - Uptime
  - Response time
  - Maximum outage time to which the provider is agreeing
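An added example, not from the original slides, of checking the three SLA terms just listed against a provider's outage log and incident tickets, the kind of evidence an auditor would ask for under a right-to-audit clause. The SLA thresholds and all records are constructed sample data:

```python
"""SLA compliance check for uptime, response time, and maximum outage length.
Added worked example; thresholds and log records are constructed."""
from datetime import datetime, timedelta

# Assumed SLA terms (constructed): 99.9% monthly uptime, response within 4 hours,
# and no single outage longer than 2 hours.
SLA = {"uptime_pct": 99.9, "response_minutes": 240, "max_outage_minutes": 120}

# Constructed outage log for a 30-day month: (start, end) in ISO 8601 format.
OUTAGES = [
    ("2024-03-03T02:10:00", "2024-03-03T02:25:00"),   # 15 minutes
    ("2024-03-17T14:00:00", "2024-03-17T14:20:00"),   # 20 minutes
]
# Constructed incident tickets: (opened, first provider response).
TICKETS = [
    ("2024-03-03T02:12:00", "2024-03-03T03:00:00"),   # 48 minutes
    ("2024-03-17T14:05:00", "2024-03-17T19:30:00"),   # 325 minutes, over the 4-hour term
]
MONTH_MINUTES = 30 * 24 * 60


def _minutes(start: str, end: str) -> float:
    """Elapsed minutes between two timestamps; rejects records that run backwards."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta < timedelta(0):
        raise ValueError(f"end precedes start: {start} -> {end}")
    return delta.total_seconds() / 60


def uptime_percent(outages, period_minutes: int = MONTH_MINUTES) -> float:
    """Share of the period during which the service was available."""
    down = sum(_minutes(s, e) for s, e in outages)
    return 100.0 * (period_minutes - down) / period_minutes


def longest_outage(outages) -> float:
    return max((_minutes(s, e) for s, e in outages), default=0.0)


def slowest_response(tickets) -> float:
    return max((_minutes(opened, responded) for opened, responded in tickets), default=0.0)


def evaluate(outages, tickets, sla: dict = SLA) -> dict:
    """Each SLA term maps to (met?, measured value)."""
    up = uptime_percent(outages)
    lo = longest_outage(outages)
    sr = slowest_response(tickets)
    return {
        "uptime": (up >= sla["uptime_pct"], round(up, 3)),
        "max_outage": (lo <= sla["max_outage_minutes"], lo),
        "response": (sr <= sla["response_minutes"], sr),
    }


def breaches(findings: dict) -> list:
    """Names of the SLA terms that were not met, for the exception report."""
    return sorted(term for term, (met, _) in findings.items() if not met)


if __name__ == "__main__":
    findings = evaluate(OUTAGES, TICKETS)
    for term, (met, value) in findings.items():
        print(f"{term:<11} {'OK ' if met else 'BREACH'} measured={value}")
    print("breached terms:", breaches(findings))
```

Note that the uptime term can be met in the same month that the response-time term is breached: the two short outages keep availability above 99.9%, but one ticket waited more than four hours for a response. Each term therefore needs its own measurement and its own evidence.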
Quality Management 2-60
- Quality management is:
  - An ongoing effort to provide IS services that meet or exceed customer expectations
  - A philosophy to strive for continuous improvement
- Auditors should be knowledgeable in:
  - Hardware and software requisitioning
  - Software development
  - Information systems operations
  - Human resources management
  - Information & IT security

Capability Maturity Model 2-61
- CMM is used by many organizations to identify best practices useful in helping them enhance the maturity of their processes.
- The CMM has been replaced by the CMMI (Capability Maturity Model Integration).

Five Maturity Levels 2-62
Five maturity levels are used:
1. Initial
2. Repeatable
3. Defined
4. Managed
5. Optimized

1. Initial 2-63
- Ad-hoc or even chaotic development process
- No effective management procedures and plans
- No assurance of consistency and predictable quality

2. Repeatable 2-64
- Formal management structure, change control, and quality assurance are in place.
- The company can properly repeat processes throughout each project.
- The company does not have formal process models defined.

3. Defined 2-65
- Formal procedures are in place that outline and define processes that are carried out in each project.
- Defined processes allow for quantitative process improvement.

4. Managed 2-66
- Formal processes are in place to collect and analyze qualitative data.
- Metrics are defined and fed into the process-improvement program.

5. Optimized 2-67
- The organization has budgeted and integrated plans for continuous process improvement.

Capability Maturity Model 2-68

Maturity Level  Name        Description
1               Initial     An ad-hoc process is used with no assurance of repeatability.
2               Repeatable  Change control and quality assurance are in place and controlled by management, although a formal process is not defined.
3               Defined     Defined processes and procedures are in place and used. Qualitative process improvement is in place.
4               Managed     Qualitative data is collected and analyzed. A process-improvement program is used.
5               Optimized   Continuous process improvement is in place and has been budgeted.

Control Objectives for Information and Related Technology 2-69
COBIT:
- A framework that can be used to better control processes
- Considered a system of best practices
- Created by ISACA and the ITGI (IT Governance Institute) in 1992

Control Objectives for Information and Related Technology (cont.) 2-70
- Auditors can use COBIT.
- COBIT can help IT users and managers design controls and optimize processes.
- COBIT is designed around 34 key processes, which address the following:
  - Performance concerns
  - IT control profiling
  - Awareness
  - Benchmarking

Enterprise Resource Planning (ERP) 2-71
Integrates all of an organization’s processes into a single system to service the needs of people in:
- Finance
- Human resources
- Manufacturing
- Warehouse

Understanding Personnel Roles and Responsibilities 2-72
The auditor should review each employee’s area to see how the job description compares to actual activities.

Employee Roles and Duties (1) 2-73
An auditor should be concerned with roles within the IS structure:
- Librarian: responsible for all types of media, including tapes, cartridges, CDs, DVDs, etc.:
  - Track, store, and recall media as needed
  - Document when data is stored and retrieved, and who accessed it
  - Track when data moves offsite, where it was sent, and when it returns
  - May assist in an audit to verify what type of media is still being held at a vendor’s site

Employee Roles and Duties (2) 2-74
- Data-entry employee:
  - Most data-entry activities are now outsourced
  - In the not-too-distant past, activities were performed in-house at an IPF (information processing facility): a full-time data-entry person was assigned the task of entering all data
  - Bar codes, scanning, and web entry forms have reduced the demand for these services
  - If this role is still active, key verification is one of the primary means of control

Employee Roles and Duties (3) 2-75
- Systems administrator: responsible for operation and maintenance of the LAN and associated systems:
  - Small organizations might have only one
  - Larger organizations have many
- Quality-assurance employee: fills one of two roles:
  - Quality assurance: ensure programs and documentation adhere to standards
  - Quality control: perform tests at various stages of product development to make sure products are free of defects

Employee Roles and Duties (4) 2-76
- Database administrator: responsible for the organization’s data and maintenance of the data structure:
  - Usually a senior information systems employee
  - Has control over physical data definition, implementing data definition controls, and defining and initiating backup and recovery
  - Detective controls and supervision of duties must be observed closely
- Systems analyst: involved in the SDLC process:
  - Responsible for determining users’ needs and developing requirements and specifications for the design of needed software programs

Employee Roles and Duties (5) 2-77
- Network administrator: responsible for maintenance and configuration of network equipment, such as:
  - Routers
  - Switches
  - Firewalls
  - Wireless access points
- Security architect: examines the security infrastructure of the organization’s network

Segregation of Duties 2-78
Segregation of duties usually falls into four areas of control:
- Authorization: verifying cash, approving purchases, and approving changes
- Custody: accessing cash, merchandise, or inventories
- Record-keeping: preparing receipts, maintaining records, and posting payments
- Reconciliation: comparing dollar amounts, counts, reports, and payroll summaries
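An added example, not from the original slides, of the check an auditor runs against a role matrix using the four control areas above: it flags any person who holds more than one area for the same business process, and separately lists areas of a process that nobody covers. The employee assignments are constructed:

```python
"""Segregation-of-duties check over the four control areas:
authorization, custody, record-keeping, reconciliation.
Added worked example; the role matrix below is constructed."""
from collections import defaultdict

AREAS = ("authorization", "custody", "record-keeping", "reconciliation")

# Constructed role matrix: (employee, business process, control area held).
ASSIGNMENTS = [
    ("alice", "accounts-payable", "authorization"),
    ("bob",   "accounts-payable", "custody"),
    ("carol", "accounts-payable", "record-keeping"),
    ("carol", "accounts-payable", "reconciliation"),  # keeps the records and reconciles them
    ("dave",  "payroll", "authorization"),
    ("dave",  "payroll", "custody"),                  # approves payments and handles the cash
    ("erin",  "payroll", "record-keeping"),
    ("frank", "payroll", "reconciliation"),
    ("gina",  "inventory", "custody"),
    ("gina",  "inventory", "record-keeping"),         # holds the stock and keeps its records
]


def duties_by_person(assignments) -> dict:
    """Group the areas each (employee, process) pair holds; rejects unknown areas."""
    held = defaultdict(set)
    for who, process, area in assignments:
        if area not in AREAS:
            raise ValueError(f"unknown control area: {area!r}")
        held[(who, process)].add(area)
    return held


def find_conflicts(assignments) -> dict:
    """A conflict is one person holding two or more of the four areas for one process."""
    return {key: sorted(areas)
            for key, areas in duties_by_person(assignments).items() if len(areas) > 1}


def uncovered_areas(assignments) -> dict:
    """Areas of a process that nobody is assigned to: a control gap, not a conflict."""
    covered = defaultdict(set)
    for _, process, area in assignments:
        covered[process].add(area)
    return {process: [a for a in AREAS if a not in areas]
            for process, areas in covered.items() if len(areas) < len(AREAS)}


def report(assignments) -> list:
    """Plain-text findings, one line each, in a stable order for comparison between runs."""
    lines = []
    for (who, process), areas in sorted(find_conflicts(assignments).items()):
        lines.append(f"CONFLICT  {process}: {who} holds {' + '.join(areas)}")
    for process, missing in sorted(uncovered_areas(assignments).items()):
        lines.append(f"GAP       {process}: nobody assigned to {', '.join(missing)}")
    return lines


if __name__ == "__main__":
    for line in report(ASSIGNMENTS):
        print(line)
```

A conflict finding means the organization must either reassign one of the areas or document a compensating control for that person; a gap finding means the process has no one performing that area at all, which is a different weakness and is reported separately so the two are not confused.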
Compensating Controls 2-79
- Separation of duties is required to provide accountability and control.
- When it cannot be used, compensating controls should be considered:
  - Job rotation: no one person stays in one position for too long, which prevents a single employee from having too much control
  - Audit trail: follows the actions specific individuals performed and provides accountability. Audit trails are a popular item after a security breach; they should be examined more frequently.

Compensating Controls (cont.) 2-80
  - Reconciliation: a type of audit in which records are compared to make sure they balance
    - Primarily used in financial audits
    - Also useful for computer batch processing and other areas in which totals should be compared
  - Exception report: notes errors or exceptions; helps managers and supervisors track errors and other problems
  - Transaction log: tracks transactions and the time of occurrence; helps managers track specific activities
  - Supervisor review: performed through observation, inquiry, or remotely using software tools
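An added example, not from the original slides, of the reconciliation and exception-report controls applied to computer batch processing: per-batch record counts and hash totals of an input batch are compared with what was actually posted, and every imbalance becomes a line in an exception report for a supervisor to follow up. The batch and ledger records are constructed:

```python
"""Batch reconciliation with an exception report.
Added worked example; the input batch and posted ledger below are constructed."""
from collections import defaultdict
from decimal import Decimal

# Constructed input batch: (batch_id, record_id, amount as a decimal string).
INPUT_BATCH = [
    ("B100", "R1", "250.00"), ("B100", "R2", "75.50"), ("B100", "R3", "19.99"),
    ("B101", "R4", "1200.00"), ("B101", "R5", "300.00"),
    ("B102", "R6", "42.00"),
]
# Constructed postings: R3 was never posted, and R5 was posted with a keying error.
POSTED_LEDGER = [
    ("B100", "R1", "250.00"), ("B100", "R2", "75.50"),
    ("B101", "R4", "1200.00"), ("B101", "R5", "30.00"),
    ("B102", "R6", "42.00"),
]


def control_totals(records):
    """Per-batch record count and hash total; Decimal avoids float rounding in money."""
    counts = defaultdict(int)
    totals = defaultdict(Decimal)
    for batch_id, _, amount in records:
        counts[batch_id] += 1
        totals[batch_id] += Decimal(amount)
    return counts, totals


def reconcile(inputs, posted) -> list:
    """Compare input and posted control totals batch by batch; return the exceptions."""
    in_cnt, in_tot = control_totals(inputs)
    p_cnt, p_tot = control_totals(posted)
    exceptions = []
    for batch in sorted(set(in_cnt) | set(p_cnt)):
        if in_cnt[batch] != p_cnt[batch]:
            exceptions.append({"batch": batch, "type": "count",
                               "expected": in_cnt[batch], "actual": p_cnt[batch]})
        if in_tot[batch] != p_tot[batch]:
            exceptions.append({"batch": batch, "type": "total",
                               "expected": in_tot[batch], "actual": p_tot[batch]})
    return exceptions


def missing_records(inputs, posted) -> list:
    """Record-level drill-down: input records with no posting at all."""
    posted_ids = {(b, r) for b, r, _ in posted}
    return [(b, r) for b, r, _ in inputs if (b, r) not in posted_ids]


def exception_report(inputs, posted) -> list:
    """One line per exception, in the form a supervisor review would work from."""
    lines = [f"{e['batch']} {e['type']:<5} expected={e['expected']} actual={e['actual']}"
             for e in reconcile(inputs, posted)]
    lines += [f"{b} missing record {r}" for b, r in missing_records(inputs, posted)]
    return lines


if __name__ == "__main__":
    for line in exception_report(INPUT_BATCH, POSTED_LEDGER):
        print(line)
```

Batch B100 raises both a count and a total exception (one record was dropped), B101 raises a total exception only (the record is present but its amount is wrong), and B102 balances. The count check and the hash-total check catch different failure modes, which is why both totals are carried.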
Summary 2-81
In this domain we:
- Defined governance
- Explained risk identification and management
- Described management practices and controls
- Defined COBIT
- Explained the Capability Maturity Model

Q&A 2-82
QUESTIONS?
