Domain 2 LDR

The document outlines the governance and management of IT, detailing frameworks, standards, policies, and organizational structures essential for effective IT governance. It emphasizes the importance of aligning IT objectives with business goals, the role of various committees, and the necessity of a robust information security policy. Additionally, it highlights the need for continuous adaptation and review of IT strategies to meet evolving business requirements and regulatory standards.

Uploaded by Priya Rateria

Domain-2 Governance & Management of IT

Part A: Governance of IT
2.1 EGIT (Enterprise Governance of IT): Covers the overarching governance framework for IT.
2.2 IT Related Frameworks: Various frameworks related to IT governance.
2.3 IT Standards, Policies & Procedures: Standards, policies, and procedures for IT operations.
2.4 Information Security Policy: Importance of having a robust information security policy.
2.5 Organizational Structure: How organizational structure supports effective IT governance.
2.6 Enterprise Architecture: Design and structure of the enterprise architecture.
2.7 Enterprise Risk Management (ERM): Identification, assessment, and management of IT risks.
2.8 Laws, Regulations & Industry Standards Affecting the Organization: Legal, regulatory, and industry standards impacting IT.

Part B: Management of IT
2.9 IT Resource Management: Efficient and effective management of IT resources.
2.10 Outsourcing: Management and governance of outsourcing IT services.
2.11 IT Performance Monitoring & Reporting: Monitoring and reporting IT performance.
2.12 Quality Assurance & Quality Management in IT: Ensuring IT services and products meet standards.

This table provides a clear and concise overview of the key components
involved in the governance and management of IT as per the CISA certification
requirements.
2.1 EGIT (Enterprise Governance of IT)

I. Alignment Concepts

1. Main Purpose: The main purpose of the alignment concept is to provide value to the business.
2. IT Objectives and Business Objectives: IT objectives must align with business objectives, not vice versa.
3. Consistency with Business Plan: IT plans should be consistent with the organization's business plan.
4. IT Investments: IT investments should be driven by enterprise requirements.
5. Information Security Policy: Business objectives drive the information security policy.
6. IT Strategy: IT strategy extends the organization's strategy and objectives.
7. Responsibility: The Board of Directors (BOD) is responsible for EGIT (Enterprise Governance of IT).

II. Difference Between Governance and Management + EGIT Good Practices

1. Governance: Evaluate options, direct management, and monitor (EDM: Evaluate, Direct, Monitor). Focuses on strategic plans.
2. Management: Plan, build, run, and monitor (PBRM: Plan, Build, Run, Monitor). Focuses on tactical plans.
3. Delegation: The governing body can delegate work to management but cannot delegate its responsibility.
4. Involvement: The Board of Directors (BOD) and senior officials must be involved in IT governance.
5. Compliance: Ensure compliance with legal requirements.

III. EGIT Success Factors

1. Stakeholder Involvement: Involvement of all stakeholders is crucial.
2. Accountability: Define accountability for each critical function; the COBIT framework can assist with this.
3. IS Auditor Role: IS auditors need to review the organization's chart to understand roles and responsibilities, and should determine whether IT and business requirements are integrated and heading in the same direction.
4. Senior Management Involvement: Senior management involvement is very important for alignment.
5. IT Plans: Strategic IT plans talk about vision and mission, while short-term plans focus on effective implementation and alignment strategies. Plans should be consistent with business goals.

IV. Information Security Governance

1. Integral Part: Information security governance is an integral part of overall IT governance.
2. Policies: Governance cannot take place without policies, so an information security policy should be in place.
3. Responsibility: The Board of Directors (BOD) and senior management are responsible.
4. Formation of Committees: The BOD generally forms committees due to a lack of expertise, so an information security governance committee should be formed. BOD representatives along with the CIO, CTO, CRO, CFO, CEO, etc., should be involved.
2.2 IT Related Frameworks

Disclaimer: No direct questions are asked on any specific framework, as different exams focus on different frameworks.

COBIT 5:
- Released in 2012 by ISACA.
- COBIT 2019 is the latest version of COBIT.
- COBIT is a GEIT (Governance of Enterprise IT) framework.
- It encompasses 37 processes, 206 practices, 1116 tasks, etc.
- Examples of frameworks it incorporates are ISMS (ISO 27001), the Val IT framework, and IT Service Management (ITIL).

Governance vs Management:
- Governance involves Evaluate, Direct, Monitor (EDM).
- Management involves Plan, Build, Run, Monitor (PBRM).

COBIT's Value:
- COBIT integrates all best practices and frameworks into a one-stop solution.
- It helps ensure IT investments bring appropriate results.
- Customization is available in COBIT for various industries.
- COBIT principles aim to meet stakeholders' needs and address unstructured needs by creating standard enterprise goals and objectives.
- Without COBIT, IT investments may not bring the expected results.

Key Aspects of COBIT:
- Covers end-to-end IT processes.
- Provides solutions for every business process, including finance, HR, production, sales, marketing, etc.
- Ensures each top management person is given accountability and responsibility.
- Helps align IT goals with enterprise goals.
- Transforms the business by teaching accountability, responsibility, and how to run a business effectively.

Illustrations:
- COBIT is depicted as a comprehensive governance framework that aligns IT goals with stakeholders' needs and enterprise goals.
- It is likened to a rocket engine that accelerates the organization's journey towards achieving its objectives.
- When COBIT processes are implemented, it is as if the rocket engine has been tuned up to accelerate into the sky.

Key Concepts:
- COBIT principles focus on meeting stakeholder needs and transforming unstructured needs into structured enterprise goals and objectives.
- By incorporating processes, COBIT helps in achieving IT goals aligned with enterprise goals.
- The framework helps top management understand their roles and the importance of their involvement in IT governance.
2.3 IT Standards, Policies & Procedures (For EGIT Implementation)

Standards
- Definition: Standards specify uniform use of specific technologies or methodologies across the organization.
- Purpose: Ensure consistency and compliance with a given framework or certification.
- Requirement: Standards are compulsory requirements that must be followed to achieve compliance.

Policies
- Definition: High-level statements or directions given by top management.
- Nature: Formal statements of rule or intent without specific details.
- Frequency: Should not be updated too frequently.
- Goal Example: All information assets of an organization should be protected.
- Purpose: Provide a goal for the organization to strive towards.

Procedures
- Definition: Detailed steps of action that assist in implementing policies.
- Nature: Can be updated frequently, as procedures are more dynamic.
- Documentation: Procedures are formal documents that need to be communicated and followed.
- Example: Washing hands before preparing food as part of food safety standards.

Guidelines
- Definition: General instructions to implement procedures.
- Nature: Guidelines are not as strict as standards or procedures but provide suggestions and examples.
- Example: Systems should not be left idle without being signed out, and passwords should be kept confidential.

Key Concepts
- Policies: Represent the goals and overall directions.
- Standards: Provide specific, uniform methodologies to achieve the goals.
- Procedures: Offer detailed steps to implement the policies.
- Guidelines: Provide general instructions and recommendations.

Implementation and Review
- Multiple Levels: Policies can exist at both the corporate and departmental levels.
- Consistency: Departmental policies should align with corporate policies.
- Periodic Review: Policies should be updated or reviewed periodically to include new technology and regulatory requirements.
- Version History: Proper version history should be maintained.
- IS Auditors: Should review policies to evaluate and verify compliance.

Additional Considerations
- Applicability: IS auditors should consider the applicability of policies to third-party vendors and service providers.
- Adherence: Ensure vendors and service providers adhere to said policies.

Summary
This detailed overview covers the essential components and functions of IT standards, policies, procedures, and guidelines within the context of EGIT implementation. Standards ensure consistency, policies provide high-level direction, procedures offer detailed steps for implementation, and guidelines give general instructions. Regular updates and reviews are crucial to maintain relevance and compliance, involving all levels of the organization from corporate to departmental, and extending to third-party interactions.
2.4 Information Security Policy

1. Introduction & Auditor's Role

Introduction:
- ISP Definition: An Information Security Policy (ISP) is a statement of intent by management on how to protect a company's information assets.

Auditor's Role:
- Accessibility: Ensure that the policy is readily accessible to all employees and that all employees are aware of its contents.
- Approval: Ensure the policy is approved by senior management, not lower-level staff.
- Awareness: Third-party suppliers should also be aware of the policy.
- Review Frequency: The ISP should be reviewed at least annually or during significant changes.
- Ownership: Ensure the policy has an owner responsible for its maintenance and updates.

2. Hierarchy of ISP

ISP Components:
- User Security Policy:
  - Acceptable Usage Policy
- Organizational Conditions of Connection:
  - Data Classification Policy
  - Network & System Security Policy

3. Uses of ISP

Policy Circulation:
- End Users: The policy should be circulated to all end users. Relevant portions of security requirements should be provided to third-party suppliers.
- Sign-off: Obtain sign-off from all employees and third parties, indicating their preparedness to comply with the ISP.
- Termination Action: The most important action when terminating an employee is disabling all their logical access rights.

4. ISP Audit & Alignment

Revision Considerations:
- Audit Findings: Review and consider audit findings.
- Reported Incidents: Include reported incidents in the review.
- Legal & Statutory Requirements: Align with legal and statutory requirements.

Advantages of Approaches:
- Top-Down Approach: The biggest advantage is consistency across the organization.
- Bottom-Up Approach: The biggest advantage is that risk assessment is considered.

Summary
The detailed summary outlines the structure and importance of an Information Security Policy (ISP), the auditor's role in maintaining and ensuring compliance, and the hierarchical structure of the ISP. It emphasizes the need for clear communication and regular review, including alignment with business objectives and legal requirements. The policy must be accessible and approved by senior management, with third-party suppliers also being aware. Regular updates and audits are essential for maintaining the relevance and effectiveness of the ISP.
2.5 Organizational Structure

Overview: The organizational structure for effective governance and management of IT includes various committees and roles that ensure alignment with business objectives and proper implementation of IT strategies.

Key Components:

- Board of Directors (BOD)
  - Primarily responsible for Enterprise Governance of IT (EGIT).
  - Takes actual decisions and provides overall direction for IT strategies.
- Strategy Committee
  - Advises the Board on IT strategies.
  - Consists of both Board and non-Board members.
  - Responsible for aligning IT and business objectives, setting goals, and establishing the IT roadmap.
- IT Steering Committee
  - Responsible for the implementation of IT strategies.
  - Ensures IT projects meet business requirements.
  - Monitors the progress of IT projects, approves project plans and budgets, ensures efficient use of IT resources, and drives IT-related projects.
  - Includes members such as the CEO, CIO, key members of IT, and top executives from various business functions like finance, marketing, etc.
  - Has overall responsibility for system development projects, monitoring project milestones, and prioritizing IT projects based on business needs.
- IT Organizational Structure and Responsibilities
  - Defined roles and responsibilities within the IT department.
  - Optimizes IT costs and resources.
  - Ensures overall responsibility for IT projects.
- Segregation of Duties within IT
  - Ensures that different roles and responsibilities are clearly separated to avoid conflicts of interest and enhance internal control.
- Segregation of Duties - Controls
  - Additional controls to ensure duties are properly segregated to maintain the integrity and security of IT processes.

Function of Committees:
- IT Strategy Committee: Advises the Board on IT strategy and ensures alignment with business objectives. Takes high-level decisions on IT policies and strategies.
- IT Steering Committee: Responsible for the implementation of IT strategies, ensuring projects meet business needs, approving plans and budgets, and driving IT initiatives.

Involvement of Executive-Level Officers:
- CEO, CIO, and other Key Executives: Involved in the IT Steering Committee to ensure business alignment and resource optimization.

MCQ Clarification:
- Members of the Board generally are not involved in the day-to-day implementation but provide strategic oversight and decision-making.

Summary
The organizational structure for IT governance and management involves the Board of Directors, Strategy Committee, and IT Steering Committee. The Board of Directors provides overall direction and decision-making for IT strategies. The Strategy Committee advises the Board and ensures alignment with business goals, while the IT Steering Committee oversees the implementation of these strategies, ensuring projects meet business requirements and are efficiently executed. The structure emphasizes the segregation of duties and the involvement of executive-level officers to optimize IT resources and align IT projects with business needs.
2.6 Enterprise Architecture (EA)

Definition and Objective:
- Enterprise Architecture (EA) is one of the processes described in COBIT. It involves the study and design of enterprises, much as architecture involves designing buildings.
- The primary objective of EA is to determine how an organization can achieve its current and future objectives.

Key Points:
- Holistic View: EA must include the entire outcome of the future; otherwise, it is incomplete.
- Adoption of Technologies: EA ensures that the organization adopts the most successful technologies.
- Technology Facilitation: EA facilitates the selection and adoption of technology.

Transformation:
- Current to Future State: EA involves creating a roadmap to transform the organization from its current state to a desired future state.
- Walmart CEO Quote: Doug McMillon highlighted the importance of frequent strategic adjustments, stating, "Once companies made big strategy choices annually. Today, strategy is daily."

Continuous Change:
- EA must adapt to a continuously changing environment, including:
  - Increasing customer expectations
  - Cut-throat competition
  - Changing regulations

Strategic and Tactical Plans:
- IT strategy and tactical plans are determined by the gap between the present (current) state and the future state.
- Business Requirements: IT must align with business requirements and adapt to changing environments.

Approaches to EA:
- Technology-Driven EA: Focuses on technology as the main driver for business processes.
- Business-Process-Driven EA: Emphasizes business processes as the main driver for technology adoption.

Challenges and Solutions:
- Addressing Challenges: Completing an EA helps organizations address challenges from either a technology perspective or a business process perspective.
- Both IT and Business: In both approaches, IT must dance to the tune of business requirements.

Advantages:
- EA helps in ensuring the organization adopts successful technologies and aligns IT strategies with business goals.
- It also facilitates the integration of new technologies and supports the organization's ability to adapt to external changes.

Summary
EA is a crucial process within COBIT that involves designing and structuring enterprises to meet both current and future objectives. It provides a comprehensive view that ensures the organization adopts successful technologies and aligns IT strategies with business goals. EA supports the transformation from the current state to a desired future state by addressing challenges from both technology and business perspectives. Continuous adaptation to changing environments, customer expectations, competition, and regulations is essential for successful EA implementation. The ultimate goal of EA is to facilitate technology selection and adoption, ensuring that IT strategies are in harmony with business requirements.
2.7 Enterprise Risk Management (ERM)

I. Risk Management Process Steps

Step 1: Asset Identification
- Identify Critical Assets: These can include hardware, software, information, documents, etc.

Step 2: Identify Threats & Vulnerabilities
- Threats: External factors, generally not under the organization's control, that can harm it (e.g., floods, earthquakes, thieves, viruses).
- Vulnerabilities: Internal weaknesses that can be controlled (e.g., no CCTV, no security guards).

Step 3: Evaluation of Impact
- Impact of Vulnerability: When a threat exploits a vulnerability, it has an impact.
- Financial Losses: Threats may result in financial losses such as loss of money or goodwill.

Step 4: Calculation of Risk
- Risk Formula: Risk = Probability x Impact. In expanded form, Risk = Threat x Vulnerability x Impact, where the threat and the vulnerability together determine the probability.
  - Risk Event Example: Consider a risk event with a probability score of 1 and an impact score of 4; the risk score would be 4.
  - Example Calculation: 0.75 x 1000 = 750.

Step 5: Response to Risk
- Evaluate Existing Controls: Determine if existing controls are adequate.
- Design New Controls: If necessary, design new controls.
- Residual Risk vs. Acceptable Risk: Compare residual risk (the risk remaining after existing controls) to acceptable risk (risk appetite).
  - If Residual Risk (R.R.) > Acceptable Risk (A.R.): Apply more controls.
  - If R.R. < A.R.: Consider withdrawing controls for cost savings.

II. Risk Analysis Methods

1. Qualitative Analysis
- Terminology: Uses terms like high, medium, low, severe, moderate, likely, occasional, rare.
- Time Consumption: Simple and less time-consuming compared to quantitative analysis.

2. Semi-Quantitative Analysis
- Probability & Impact Scores: Uses probability and impact scores.
- Quantification: Some quantification for scores, making it better than qualitative but less detailed than quantitative.
- Time Consumption: More time-consuming than qualitative but less than quantitative analysis.

3. Quantitative Analysis
- Detailed Analysis: Uses detailed numerical values for probability, impact, and risk.
  - Example: Probability of 80%, impact of $10,000, resulting in a risk score of $8,000.
- Time Consumption: Very difficult and time-consuming due to the detailed analysis required.

Process of Risk Analysis
- Maintain Risk Register: Keep a record of identified risks.
- Perform Qualitative Analysis: Assess risks using qualitative methods.
- Select High Risk Items: Identify high-risk items from the qualitative analysis.
- Perform Semi-Quantitative Analysis: Further analyze high-risk items using semi-quantitative methods.
- Compute Quantitative Analysis: For critical risks, perform a detailed quantitative analysis.

Summary
The Enterprise Risk Management (ERM) process involves several key steps, starting with the identification of critical assets and moving through the identification of threats and vulnerabilities, evaluation of impacts, calculation of risk, and response to risk. Different methods can be used for risk analysis, including qualitative, semi-quantitative, and quantitative approaches, each with varying levels of detail and time consumption. The goal is to ensure that risks are properly identified, evaluated, and managed to align with the organization's risk appetite and ensure effective control measures are in place.
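The staged process above (qualitative screen, semi-quantitative scoring of the high items, quantitative expected loss for the critical ones, then the Step 5 comparison of residual risk against acceptable risk) as working code. This is an added example, not part of the original notes: the register entries are constructed, and the 3x3 qualitative matrix, the 1..5 scoring scale, the "critical" threshold of 15 and the residual_ratio field are assumptions made here so that each stage has something to act on. It reproduces the notes' own figures (1 x 4 = 4 and 0.80 x $10,000 = $8,000) and goes one step further by running a whole register through the pipeline and stopping each entry at the stage its rating warrants.

```python
"""Risk register triage: qualitative -> semi-quantitative -> quantitative
-> residual vs. acceptable decision.  Example code, not from the notes."""
from dataclasses import dataclass
from typing import Optional

# Qualitative terms used in the notes, ranked so two of them can be combined.
LEVELS = {"low": 1, "medium": 2, "high": 3}
# Assumed threshold: a semi-quantitative score at or above this is "critical"
# and earns the expensive quantitative treatment.
SEMI_CRITICAL = 15


@dataclass
class Risk:
    asset: str                            # Step 1: critical asset
    threat: str                           # Step 2: external threat
    vulnerability: str                    # Step 2: internal weakness
    likelihood: str                       # qualitative: low/medium/high
    impact: str                           # qualitative: low/medium/high
    prob_score: Optional[int] = None      # semi-quantitative, 1..5
    impact_score: Optional[int] = None    # semi-quantitative, 1..5
    probability: Optional[float] = None   # quantitative, 0..1 per year
    impact_value: Optional[float] = None  # quantitative loss, currency units
    residual_ratio: float = 1.0           # assumed: fraction left after existing controls


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Collapse a 3x3 likelihood/impact matrix to one of the notes' terms."""
    product = LEVELS[likelihood] * LEVELS[impact]  # 1..9
    if product >= 6:       # high x high, high x medium
        return "high"
    if product >= 3:       # medium x medium, high x low
        return "medium"
    return "low"


def semi_quantitative_score(prob_score: int, impact_score: int) -> int:
    """Notes' example: probability score 1 x impact score 4 = 4."""
    for score in (prob_score, impact_score):
        if not 1 <= score <= 5:
            raise ValueError(f"score {score} outside 1..5")
    return prob_score * impact_score


def quantitative_risk(probability: float, impact_value: float) -> float:
    """Expected loss; notes' example: 0.80 x $10,000 = $8,000."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability {probability} outside 0..1")
    return probability * impact_value


def residual_risk_decision(residual: float, acceptable: float) -> str:
    """Step 5: above appetite -> more controls; below -> possibly over-controlled."""
    if residual > acceptable:
        return "apply more controls"
    if residual < acceptable:
        return "consider withdrawing controls"
    return "accept as is"


def triage(register: list, acceptable_risk: float) -> dict:
    """Run each entry only as far down the pipeline as its rating warrants."""
    results = {}
    for r in register:
        entry = {"qualitative": qualitative_rating(r.likelihood, r.impact)}
        # Only high-rated items (with scores supplied) get semi-quantitative analysis.
        if entry["qualitative"] == "high" and r.prob_score is not None:
            entry["semi"] = semi_quantitative_score(r.prob_score, r.impact_score)
            # Only critical items (with figures supplied) get quantitative analysis.
            if entry["semi"] >= SEMI_CRITICAL and r.probability is not None:
                inherent = quantitative_risk(r.probability, r.impact_value)
                entry["inherent"] = inherent
                entry["residual"] = inherent * r.residual_ratio
                entry["decision"] = residual_risk_decision(entry["residual"], acceptable_risk)
        results[r.asset] = entry
    return results


# Constructed sample register (hypothetical assets and figures).
SAMPLE_REGISTER = [
    Risk("customer DB", "ransomware", "unpatched server", "high", "high",
         prob_score=4, impact_score=5, probability=0.8, impact_value=10_000.0,
         residual_ratio=0.75),
    Risk("HR file share", "insider theft", "no access review", "medium", "high",
         prob_score=3, impact_score=3),
    Risk("lobby kiosk", "vandalism", "no CCTV", "low", "low"),
]

if __name__ == "__main__":
    for asset, entry in triage(SAMPLE_REGISTER, acceptable_risk=5_000.0).items():
        print(asset, entry)
```

With an acceptable risk of 5,000 the constructed "customer DB" entry reaches the quantitative stage (inherent 8,000, residual 6,000 after the assumed 25% reduction from existing controls) and comes out as "apply more controls"; the "HR file share" entry is rated high but its semi-quantitative score of 9 is below the assumed critical threshold, so it stops there; the kiosk is screened out at the qualitative stage.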
2.8 Laws & Regulations

General Compliance:
- Focuses on the protection of information assets, including privacy, intellectual property, and other rights.

Industry-Specific Compliance:
- Some compliance requirements are specific to certain industries and must be adhered to accordingly.

Multi-Jurisdictional Compliance:
- Organizations operating in multiple jurisdictions must determine and comply with the laws of all relevant areas.

Responsibility Assignment:
- Compliance responsibility should be assigned to specific individuals or groups from top management. This includes adherence to standards, policies, and procedures.

Communication:
- Standards, policies, procedures, and guidelines (SPPG) must be communicated through proper documentation and training.
- Proper monitoring of compliance should be in place.

Disciplinary Actions:
- Appropriate disciplinary actions should be taken against offenders to enforce compliance.

Fraud Reporting:
- Any instances of fraud should be reported to relevant authorities or law enforcement and documented by Information Systems (IS) auditors.

Importance of Compliance:
- Compliance with laws is crucial; non-compliance can affect the organization's going concern.
- It should be given top priority within the organization to ensure smooth operation and avoid legal repercussions.

Considerations for Cloud Services:
- The use of offshore or cloud services introduces additional considerations for data protection and privacy laws.
- Key concerns include:
  - Compliance with regulations and laws.
  - Confidentiality of information.

Summary
Compliance with laws and regulations is essential for protecting information assets, ensuring privacy, and safeguarding intellectual property. Organizations must adhere to both general and industry-specific compliance requirements and must ensure that they comply with the laws of all jurisdictions in which they operate. Responsibility for compliance should be clearly assigned, and communication of standards, policies, procedures, and guidelines should be thorough and well-documented. Monitoring compliance and taking appropriate disciplinary actions against offenders are necessary steps to enforce these regulations. Reporting fraud and ensuring compliance with cloud services add further complexity to the compliance landscape. Overall, prioritizing compliance helps maintain the organization's integrity and operational stability.
2.9 IT Resource Management

Resource Limitation:
- Resources, including people and money, are limited and essential for achieving business goals.
- Optimal utilization of resources is necessary.

Human Resource (HR) Management:
- Recruitment, Selection, Training, Performance: Includes managing hiring processes, performance reviews, succession planning, and more.
- Background Checks: Conduct checks during the hiring phase for criminal records, qualifications, financial issues, etc.
- Non-Disclosure Agreements: Ensure employees do not disclose confidential information.
- Bonding Agreements: Protection against losses due to theft, carelessness, or job tenure. Note: this may not be accepted in some countries.
- Conflict of Interest Agreements: Prevent conflicts of interest.
- Code of Conduct/Professional Ethics: Establish standards for behavior and ethics.
- Non-Compete Agreements: Some employees may sign agreements not to compete with the organization post-employment.
- Employee Handbook: Distribute to all employees at the time of hire, including:
  - Standard Policies & Procedures
  - Code of Conduct
  - Performance Evaluation
  - Emergency Procedures

Training and Cross-Training:
- Cross-Training: More than one person is trained for specific jobs.
  - Advantages: Reduces dependency on a single employee, facilitates succession planning.
  - Disadvantages: A single person knowing all parts of the system could be risky; proper risk assessment is needed.

Vacation Policy:
- Mandatory Vacation: Ensures employees take time off, reducing the risk of fraud and dependency on specific employees.

Termination Policies:
- Written Policy: Must have a documented termination policy.
- Notification: Notify staff and security personnel appropriately upon termination.
- Voluntary/Involuntary Termination: Address both types of termination.
- Access Removal: Revoke physical and logical access (keys, ID cards, logon IDs, passwords) upon termination.
- Payroll Removal: Remove the employee from active payroll files.
- Termination Interview: Gather feedback from the employee about their experience and thoughts on management.
- Transfers: Apply termination procedures in case of employee transfers to different departments.

Organizational Change Management:
- Top Management Approval: Obtain approval before moving forward with changes or projects.
- IT Department Support: Provide full support for effective implementation.
- Training and Feedback: Ensure proper training, involvement, and feedback for successful change management.

Summary
IT Resource Management focuses on the optimal utilization of limited resources, including people and money. This involves a comprehensive HR management process that includes recruitment, training, performance reviews, background checks, and adherence to ethical standards through agreements and codes of conduct. Cross-training employees reduces dependency risks and enhances succession planning. Mandatory vacation policies help prevent fraud and over-dependence on specific employees. Termination policies ensure orderly removal of access and gather feedback during exit interviews. Organizational change management requires top management approval and robust support from the IT department, including proper training and feedback mechanisms. This holistic approach ensures that IT resources are managed effectively to meet business goals.
2.10 Outsourcing

Reasons for Outsourcing:
- Cost Savings: Reducing operational costs.
- Expert Services: Accessing better or specialized services.

Types of Outsourcing:
- Insourced: Activities performed by the organization's own staff.
- Outsourced: Activities carried out by the vendor's staff.
- Hybrid: A mix of insourced and outsourced activities.
  - Onsite: Staff working within the IT department.
  - Offsite: Staff working at a remote location within the same geographical area.
  - Offshore: Staff working in a different geographical area.
- Choosing the Right Outsourcing Option: Consider the following questions:
  - Is the activity a core function of your company?
  - Does it require expert, specific knowledge?
  - Consider cost and quality factors, experience, and compliance with laws (e.g., restrictions on outsourcing to offshore locations).

Steps for Outsourcing:
- Define IT Functions: Clearly define the IT functions to be outsourced.
- Service-Level Agreements (SLAs): Define and describe the SLAs.
- Cost Comparison: Compare in-house costs vs. third-party bids.
- Due Diligence: Check the service provider's market credibility and financial stability.
- Legal and Regulatory Compliance: Confirm compliance with laws and regulations relevant to outsourcing.

Requirements for Reducing Risks in Outsourcing:
- Proper SLAs: Ensure clear and enforceable SLAs.
- Escrow Agreements: Use escrow agreements for critical services.
- Multiple Suppliers: Engage multiple suppliers to lower dependency risks.
- Periodic Performance Review: Regularly review performance against agreed metrics.
- Accountability: Even when outsourced, the organization retains accountability.
- Strategic Decision: The decision to outsource should be strategic, not merely a procurement choice.
- Vendor Compliance: Vendors should comply with the organization's information security policy unless they have equivalent policies.
- Approval for Subcontracting: The organization should approve any subcontracting or significant changes in the vendor's operations.

Role of IS Auditors:
- Contract Review: Regularly review contracts and service levels to ensure compliance.
- Process and Performance Monitoring: Conduct periodic checks of processes and performance.
- Deviation Handling: Identify and address any deviations from agreed service levels.

Considerations for Offshore Outsourcing:
- Legal and Regulatory Issues: Ensure compliance with international laws.
- Continuity: Plan for continuity of service across different time zones.
- Telecommunication Problems: Address potential communication issues across different geographies.

Summary
Outsourcing is driven by cost savings and accessing specialized services. It can be insourced, outsourced, or a hybrid approach, including onsite, offsite, and offshore options. Choosing the right option requires considering the core function, expertise needed, cost, quality, and compliance with laws. The outsourcing process involves defining IT functions, establishing SLAs, comparing costs, conducting due diligence, and ensuring legal compliance. Proper SLAs, multiple suppliers, periodic reviews, and vendor compliance are crucial to managing outsourcing risks. IS auditors play a key role in monitoring and ensuring compliance. Offshore outsourcing adds complexities, including legal, continuity, and communication challenges, which must be carefully managed.
2.11 IT Performance Monitoring & Reporting

I. Introduction

 Increased IT Expenditure/Investment: There is a growing investment in IT, which comes with high expectations from stakeholders for optimal use and alignment with business goals.
 Need for Monitoring: Monitoring IT performance is crucial to ensure it meets these expectations and delivers value. This involves defining performance indicators, regularly checking them, and taking prompt action on deviations or issues.
 Developing Performance Metrics:
   Step 1: Establish critical processes (staff and customer needs).
   Step 2: Identify the required output.
   Step 3: Set small, achievable targets to measure results.

II. Auditor's Role

 Ensure Performance Metrics Cover:
   Compliance with regulations and laws.
   Contribution to business goals.
   Meeting stakeholder needs.
   Key IT processes.
 Goals and Metrics:
   Goals should be set from top to bottom (alignment).
   Metrics should also be established from the bottom up for achieving objectives.
 Lifecycle Cost: Auditors will ensure lifecycle cost estimation and benefits analysis, including maintenance, updates, and failure rates, throughout the life cycle.

III. Methodologies & Tools

Performance Improvement Methodologies:

 PDCA Cycle: Plan, Do, Check, Act. A continuous improvement cycle.
   Plan: Establish objectives.
   Do: Execute the implementation plan.
   Check: Study actual results.
   Act: Take corrective actions.

Tools for Process Improvement:

 Six Sigma: Focuses on defect reduction and meeting customer specifications.
 IT Balanced Scorecard: A tool for IT governance and alignment.
 Management Evaluation Techniques: Assess IT functions and processes with the help of Key Performance Indicators (KPIs).

Key Concepts:

 KPI (Key Performance Indicators): Focus on indicators that measure whether goals will be reached, covering good practices and capability indicators.
 Benchmarking: Comparing performance with peers and competitors to learn the best ways of conducting business.
 Root Cause Analysis: Identifying the origin of events and issues to develop necessary controls.
 BPR (Business Process Reengineering): Redesigning processes for performance improvement.

Summary

IT Performance Monitoring & Reporting is essential for ensuring that increased IT investments deliver expected value and align with business goals. It involves developing performance metrics through a structured approach, with auditors playing a key role in ensuring compliance, alignment, and lifecycle cost estimation. Methodologies like the PDCA cycle and tools such as Six Sigma, IT Balanced Scorecard, and various management evaluation techniques help in continuous process improvement. KPIs, benchmarking, root cause analysis, and BPR are critical components in monitoring, evaluating, and enhancing IT performance.
2.12 Quality Assurance & Quality Management in IT

QA vs QC

Quality Assurance (QA):

 Purpose: The main purpose of QA is to provide confidence that IT products or services conform to required processes.
 Approach: Proactive, focusing on defect prevention.
 Focus: Ensures that issues should never occur.
 Nature: QA is process-oriented.
 Role: Develops and maintains standards to ensure that products meet specified criteria.

Quality Control (QC):

 Purpose: QC is concerned with testing that a specific product is free from defects.
 Approach: Reactive, identifying defects.
 Focus: Addresses issues when they occur.
 Nature: QC is product-oriented.
 Role: QC must be performed in various stages, especially before application systems are moved into production, to ensure they adhere to standards.

Example of QA and QC in Practice:

 QA: Ensuring processes are designed to prevent defects.
 QC: Inspecting end products to identify any defects.

Importance of Independence in QA:

 Independence: QA should be an independent function to ensure unbiased quality checks. In smaller firms, this might not always be possible, leading to a maker-checker role division.

Quality Management (QM)

Overview:

 QM involves monitoring, measuring, tracking, and enhancing IT department processes to ensure continuous improvement.

Areas of Focus:

 Software Development, Maintenance, and Implementation: Ensuring software is developed and maintained to meet quality standards.
 Hardware and Software Purchase: Ensuring that the purchased hardware and software meet required quality standards.
 Operational Activities: Ensuring daily operations adhere to quality standards.

Primary Objective:

 Continuous improvement of processes and products within the IT department.

Summary

Quality Assurance (QA) and Quality Control (QC) are critical components of quality management in IT. QA is proactive and process-oriented, focusing on preventing defects and ensuring adherence to standards through established processes. QC is reactive and product-oriented, focusing on identifying and addressing defects in products before they reach production. Quality Management (QM) ensures continuous improvement by monitoring and enhancing IT processes, including software development, hardware and software purchases, and operational activities. The primary objective of QM is to achieve continuous improvement and ensure that IT services and products meet high-quality standards.