CISA REVIEW The material provided in this slide

  • Slides: 63
Download presentation
CISA REVIEW The material provided in this slide show came directly from Certified Information

CISA REVIEW The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

CISA REVIEW Chapter 2 – Governance Learning Objectives • • Evaluate the effectiveness of

CISA REVIEW Chapter 2 – Governance Learning Objectives • • Evaluate the effectiveness of IT governance structure to ensure adequate board control over the decisions, directions and performance of IT, so it supports the organization's strategies and objectives Evaluate IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives Evaluate the IT strategy and process for their development, approval, implementation and maintenance to ensure that they support the organization's strategies and objectives Evaluate the organization's IT policies, standards, procedures and processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance

CISA REVIEW Chapter 2 – Governance • IT governance is used to ensure that

CISA REVIEW Chapter 2 – Governance • IT governance is used to ensure that an organization's IT objectives are in alignment with its enterprise objectives. To ensure successful implementation of IT governance, an IS auditor needs to make certain that the organization's IS strategies are in alignment with the organization's business strategies. The IS auditor must also ensure that IS strategies comply with all local, regional and federal laws and regulations. • Other critical elements of an IS auditor's role in IT governance is to ensure that IS policies exist and adequately reflect the approved IS strategies, and that IS standards and procedures effectively enforce and communicate IS policies.

CISA REVIEW Chapter 2 – Governance • IT governance implies a system in which

CISA REVIEW Chapter 2 – Governance • IT governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision making process. This prevents a single stakeholder, typically IT, being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected. • The best way to implement IT governance so it has the most positive impact is to have collaborative senior management sponsorship between the business and IT operations. Lower management levels may have some success but when governance is departmental only, problems arise with projects that transcend departments that are not consistently managed using the same guidance.

CISA REVIEW Chapter 2 – Governance IT governance encompasses: • Information systems • Technology

CISA REVIEW Chapter 2 – Governance IT governance encompasses: • Information systems • Technology and communication • Business, legal and other issues such as regulatory compliance and security • All concerned stakeholders, directors, senior management, process owners, IT suppliers, users and auditors

CISA REVIEW Chapter 2 – Governance Chief executive officers (CEOs), chief financial officers (CFOs)

CISA REVIEW Chapter 2 – Governance Chief executive officers (CEOs), chief financial officers (CFOs) and chief information officers (CIOs) agree that the strategic alignment between IT and enterprise objectives is a critical success factor for an organization.

CISA REVIEW Chapter 2 – Process Improvement IT governance is concerned that IT delivers

CISA REVIEW Chapter 2 – Process Improvement IT governance is concerned that IT delivers value to the business and that IT risks are managed. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise, which cannot be accomplished without effective measuring and reporting.

CISA REVIEW Chapter 2 – Governance • • • An IS auditor should assess

CISA REVIEW Chapter 2 – Governance • • • An IS auditor should assess the following organizational IT governance elements: Alignment of the IT function with the organization's mission, vision, values, objectives and strategies Achievement of IT function performance objectives established by the business (effectiveness and efficiency) including the measures used to determine success Legal, environmental, information quality, and fiduciary and security requirements The control environment of the organization The inherent risks within the IT environment The organization's documentation and contractual commitments

CISA REVIEW Chapter 2 – IT Strategy Committee As an industry best practice, all

CISA REVIEW Chapter 2 – IT Strategy Committee As an industry best practice, all organizations should create an IT strategy committee. To incorporate IT governance into enterprise governance, a successful IT strategy committee must assist the board by: • Providing advice on strategy, IT value, risks and performance • Overseeing the enterprise's IT-related matters by ensuring that the board has the internal and external information it requires for effective IT governance decision-making

CISA REVIEW Chapter 2 – IT Steering Committee In addition to the IT strategy

CISA REVIEW Chapter 2 – IT Steering Committee In addition to the IT strategy committee, an organization's senior management should appoint an IT planning or steering committee. The responsibilities and duties of this committee should be defined in a formal charter and include overseeing the IT function and its activities, and ensuring that the IT department is in agreement with the organization's mission and objectives.

CISA REVIEW Chapter 2 – IT Steering Committee The primary functions of the IT

CISA REVIEW Chapter 2 – IT Steering Committee The primary functions of the IT steering committee include the following: • Review the long- and short-range plans of the IT department to ensure that they are in accordance with the organization's objectives. • Review and approve major acquisitions of hardware and software within the limits approved by the board of directors. • Approve and monitor major projects and the status of IT plans and budgets; establish priorities; approve standards and procedures; and monitor overall IT performance. • Review and approve sourcing strategies for select, or all, IT activities, including insourcing or outsourcing, and the globalization or offshoring of functions. • Review adequacy of resources and allocation of resources in terms of time, personnel and equipment. • Make decisions regarding centralization vs. decentralization and assignment of responsibility. • Support development and implementation of an enterprisewide information security management program. • Report to the board of directors on IT activities.

CISA REVIEW Chapter 2 – IT Steering Committee • • • In order to

CISA REVIEW Chapter 2 – IT Steering Committee • • • In order to effectively coordinate and monitor an organization's IT resources and IT steering committee must: Receive the appropriate management information from IT departments, user departments and audits Monitor performance and institute appropriate action to achieve desired results Meet regularly and report to senior management Maintain formal minutes to document the committee's activities and decisions Serve as a general review board for major IT projects and avoid becoming involved in routine operations

CISA REVIEW Chapter 2 – Strategic Planning An important element of strategic planning is

CISA REVIEW Chapter 2 – Strategic Planning An important element of strategic planning is to make sure that business and IT management work together toward a common goal. To do this: • IT management needs to have a better understanding of business issues and business unit management should also have a solid understanding of the reality of IT constraints. • All parties involved should have the ability to understand relate strategic plans between business needs and IT. Strategic plans should address how IT resources will addvalue to the business. IT resources add-value by mitigating risk and delivering and protecting information and allocating resources accordingly.

CISA REVIEW Chapter 2 – Strategic Planning Instructions: Match each IT governance outcome to

CISA REVIEW Chapter 2 – Strategic Planning Instructions: Match each IT governance outcome to its corresponding description. Outcomes Strategic alignment Risk management Value delivery Resource management Performance measurement Descriptions Measures, monitors and reports on information security processes to ensure objectives are achieved Aligns information security with business strategy to support organizational objectives Optimizes security investments in support of business objectives Utilizes information security knowledge and infrastructure efficiently and effectively Manages and executes appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level

CISA REVIEW Chapter 2 – Strategic Planning Answers: Each term is followed by the

CISA REVIEW Chapter 2 – Strategic Planning Answers: Each term is followed by the appropriate description. • Strategic alignment Aligns information security with business strategy to support organizational objectives • Risk management Manages and executes appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level • Value delivery Optimizes security investments in support of business objectives • Resource management Utilizes information security knowledge and infrastructure efficiently and effectively • Performance measurement Measures, monitors and reports on information security processes to ensure objectives are achieved

CISA REVIEW Chapter 2 – Policies and Procedures IT governance also includes overseeing the

CISA REVIEW Chapter 2 – Policies and Procedures IT governance also includes overseeing the policies and procedures developed to guide and control information systems and related resources.

CISA REVIEW Chapter 2 – Information Security Policy Information security policies should guide the

CISA REVIEW Chapter 2 – Information Security Policy Information security policies should guide the organization by defining what needs to be protected, responsibilities for protection, and the strategy that will be followed for protection. Information security policies should be developed in accordance with business requirements, and relevant laws and regulations. An organization's management should demonstrate support for and commitment to information security by issuing and maintaining information security policies that contain a clear direction.

CISA REVIEW Chapter 2 – Information Security Policy An organization's information security policy should

CISA REVIEW Chapter 2 – Information Security Policy An organization's information security policy should be approved by management and: • Define the overall objective and scope of the organization's information security • Align the goals and principles of information security with the business strategy and objectives • Set the framework for risk assessment and risk management

CISA REVIEW Chapter 2 – Information Security Policy After an information security policy is

CISA REVIEW Chapter 2 – Information Security Policy After an information security policy is approved by management, it should be published and communicated. The communication of this policy must be: • Communicated to all users in the organization, including internal and external workers, third parties and outsourcers • Provided in a form that is accessible and understandable to the intended reader

CISA REVIEW Chapter 2 – Information Security Management • • Information security management involves

CISA REVIEW Chapter 2 – Information Security Management • • Information security management involves leading and facilitating the implementation of an organization wide IT security program to assure that the organization's information and the information-processing resources under its control are properly protected. This includes but is not limited to: Developing business continuity and disaster recovery plans (BCP and DRP) related to IT department functions in support of the organization's critical business processes Applying risk management principles to assess the risks to IT assets Mitigate risks to an appropriate level as determined by management Monitor the remaining residual risks

CISA REVIEW Chapter 2 – Information Security Management Instructions: Here are three items and

CISA REVIEW Chapter 2 – Information Security Management Instructions: Here are three items and descriptions. Match each item to its corresponding description. Items Information access policy Sourcing practices Information security management practices Descriptions Leading and facilitating the implementation of an organizationwide IT security program Grants access to only those resources at or below a specific level of sensitivity Asks "can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk? "

CISA REVIEW Chapter 2 – Information Security Management Answers: Each term is followed by

CISA REVIEW Chapter 2 – Information Security Management Answers: Each term is followed by the appropriate description. Information access policy Grants access to only those resources at or below a specific level of sensitivity Sourcing practices Asks "can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk? " Information security management practices Leading and facilitating the implementation of an organization wide IT security program

CISA REVIEW Chapter 2 – Information Security Management Real-World Example An organization is using

CISA REVIEW Chapter 2 – Information Security Management Real-World Example An organization is using human resources (HR) management software that it had developed by a vendor several years ago. The software maintains confidential information typically kept in personnel files, such as salary levels and management reviews. On performing a review, the IS auditor found that there were no written policies or guidelines indicating the type of authentication necessary for accessing the information in the software and that the organization typically used a fourcharacter password for all items requiring access controls. Think About It: What is the risk associated with this situation?

CISA REVIEW Chapter 2 – Information Security Management Answer: The lack of sufficient access

CISA REVIEW Chapter 2 – Information Security Management Answer: The lack of sufficient access controls poses a serious risk to an organization's information integrity. Think About It: What do you, as an IS audit expert, think could have been done proactively to prevent this organization from being in this situation?

CISA REVIEW Chapter 2 – Information Security Management Answer: To prevent a situation like

CISA REVIEW Chapter 2 – Information Security Management Answer: To prevent a situation like this from occurring, an organization should have proper access control policies, process, and strategies in place. This would involve performing regularly scheduled reviews and/or audits on all information assets requiring security and updating the organization's information security directive as appropriate. Additional proactive controls could also include addenda and reviews to the vendor contract with specific security requirements and requiring complexity-enabled password requirements.

CISA REVIEW Chapter 2 – Information Access • • • Typical information security policies

CISA REVIEW Chapter 2 – Information Access • • • Typical information security policies addressing information access include the following: Individuals are granted access to only those resources at or below a specific level of sensitivity. Labels are used to indicate the sensitivity level of electronically stored documents. Policy-based controls may be characterized as either mandatory or discretionary. Controls should not disrupt the usual work flow more than necessary or place too much burden on administrators, auditors or authorized users. Access controls must adequately protect all the organization's resources.

CISA REVIEW Chapter 2 – Segregation of Duties • The purpose of segregating duties

CISA REVIEW Chapter 2 – Segregation of Duties • The purpose of segregating duties is to aid an organization in reducing some of its business risks through the identification of compensating controls. • For example, when duties are segregated, access to the computer, the production data library, the production programs, the programming documentation, and the operating system and associated utilities can be limited, and potential damage from the actions of any one person is, therefore, reduced.

CISA REVIEW Chapter 2 – Segregation of Duties Several control mechanisms can be used

CISA REVIEW Chapter 2 – Segregation of Duties Several control mechanisms can be used to enforce segregation of duties. Examples of these controls are: • Transaction authorization • Assets/data ownership • Access to data Proper segregation prevents misappropriation of assets, misstated financial statements, inaccurate financial documentation (i. e. , errors or irregularities), and improper use of funds or not detecting data modifications.

CISA REVIEW Chapter 2 – Segregation of Duties Transaction authorization is the responsibility of

CISA REVIEW Chapter 2 – Segregation of Duties Transaction authorization is the responsibility of the data owner. Authorization is delegated to the degree that it relates to the particular level of responsibility of the authorized individual in the department. Periodic checks must be performed by management and audit to determine that adequate authorization policies and procedures exist and are implemented.

CISA REVIEW Chapter 2 – Segregation of Duties Ownership of assets/data must be determined

CISA REVIEW Chapter 2 – Segregation of Duties Ownership of assets/data must be determined and assigned appropriately. The data owner usually is assigned to a particular user department, and his/her duties should be specific and in writing. The owner of the data has responsibility for determining authorization levels required to limit the exposure of data being accessed by people without a justification to see, modify or use it.

CISA REVIEW Chapter 2 – Segregation of Duties Controls over access to data are

CISA REVIEW Chapter 2 – Segregation of Duties Controls over access to data are provided by a combination of physical, system, and application security and personnel controls in the user area and the information process facility.

CISA REVIEW Chapter 2 – Segregation of Duties Information technology and end-user departments should

CISA REVIEW Chapter 2 – Segregation of Duties Information technology and end-user departments should be organized so any single individual does not have too much control or responsibility over critical functions. With segregation of duties, the misuse of data or fraud can be detected in a timely manner and in the normal course of business processes.

Segregation of Duties Exercise

Segregation of Duties Exercise

Segregation of Duties Exercise - Answer

Segregation of Duties Exercise - Answer

CISA REVIEW Chapter 2 – Compensating Controls Of course there will be situations were

CISA REVIEW Chapter 2 – Compensating Controls Of course there will be situations were weaknesses exist with segregation of duties (e. g. smaller organizations with fewer staff). In these situations, compensating controls can be used. Compensating controls include: • Audit trails • Reconciliation • Exception reporting • Transaction logs • Supervisor reviews • Independent reviews

CISA REVIEW Chapter 2 – Compensating Controls Audit trails are an essential component of

CISA REVIEW Chapter 2 – Compensating Controls Audit trails are an essential component of all welldesigned systems. Audit trails enable the user departments and IS auditor to re-create the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate segregation of duties, good audit trails may be an acceptable compensating control. The IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.

CISA REVIEW Chapter 2 – Compensating Controls Audit trails are an essential component of

CISA REVIEW Chapter 2 – Compensating Controls Audit trails are an essential component of all welldesigned systems. Audit trails enable the user departments and IS auditor to re-create the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate segregation of duties, good audit trails may be an acceptable compensating control. The IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.

CISA REVIEW Chapter 2 – Compensating Controls Reconciliation is ultimately the responsibility of the

CISA REVIEW Chapter 2 – Compensating Controls Reconciliation is ultimately the responsibility of the user department. In some organizations, limited reconciliation of applications may be performed by the data control group with the use of control totals and balancing sheets. This type of independent verification increases the level of confidence that the application processed successfully and the data are in proper balance.

CISA REVIEW Chapter 2 – Compensating Controls Exception reporting should be handled at the

CISA REVIEW Chapter 2 – Compensating Controls Exception reporting should be handled at the supervisory level and should require evidence, such as initials on a report, noting that the exception has been handled properly. Management should also ensure that exceptions are resolved in a timely manner.

CISA REVIEW Chapter 2 – Compensating Controls A transaction log may be manual or

CISA REVIEW Chapter 2 – Compensating Controls A transaction log may be manual or automated. An example of a manual log is a record of transactions (grouped or batched) before they are submitted for processing. An automated transaction log or journal provides a record of all transactions processed, and it is maintained by the computer system.

CISA REVIEW Chapter 2 – Compensating Controls Supervisory reviews may be performed through observation

CISA REVIEW Chapter 2 – Compensating Controls Supervisory reviews may be performed through observation and inquiry or remotely.

CISA REVIEW Chapter 2 – Compensating Controls Independent reviews are carried out to compensate

CISA REVIEW Chapter 2 – Compensating Controls Independent reviews are carried out to compensate for mistakes or intentional failures in following prescribed procedures. These are particularly important when duties in a small organization cannot be appropriately segregated. Such reviews will help detect errors or irregularities.

CISA REVIEW Chapter 2 – Compensating Controls Instructions: Here are two categories and nine

CISA REVIEW Chapter 2 – Compensating Controls Instructions: Here are two categories and nine descriptions. Determine the appropriate category for each item. Categories Compensating controls Segregated Duties Items Audit trails Authorization Custody of the assets Exception reporting Independent reviews Reconciliation Recording transactions Supervisor reviews Transaction logs

CISA REVIEW Chapter 2 – Compensating Controls Answers Each category is followed by the

CISA REVIEW Chapter 2 – Compensating Controls Answers Each category is followed by the appropriate items. Compensating Controls: Audit trails Reconciliation Exception reporting Transaction logs Supervisor reviews Independent reviews Segregated Duties: Custody of the assets Authorization Recording transactions

CISA REVIEW Chapter 2 – Risk Management Effective IT governance will enable an organization

CISA REVIEW Chapter 2 – Risk Management Effective IT governance will enable an organization to manage and execute appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level. To achieve this level of risk management, an organization must maintain: • A collective understanding of the organizations threat, vulnerability and risk profile consistent with the management's risk philosophy and position • An understanding of risk exposure and potential consequences of compromise including the regulatory, legal, operational and brand impacts • An awareness of risk management priorities based on potential consequences • Risk mitigation sufficient to achieve acceptable consequences from residual risk • Risk acceptance/deference based on an understanding of the potential consequences of residual risk

CISA REVIEW Chapter 2 – Risk Management Risk management is the process an organization

CISA REVIEW Chapter 2 – Risk Management Risk management is the process an organization must go through to: • Identify any vulnerabilities and threats to its information resources • Decide on the countermeasures to take which may reduce any risk to an acceptable level An organization must define its risk appetite and its identified risk exposure before it can develop effective risk management strategies or determine what roles and responsibilities are necessary.

CISA REVIEW Chapter 2 – Risk Management When an organization finds risk, depending on

CISA REVIEW Chapter 2 – Risk Management When an organization finds risk, depending on the type of risk and its significance to the business, management and the board have five options: • Avoid the risk • Mitigate the risk • Transfer the risk • Accept the risk • Eliminate the risk

CISA REVIEW Chapter 2 – Risk Management Once risks have been identified, an organization

CISA REVIEW Chapter 2 – Risk Management Once risks have been identified, an organization must evaluate existing controls or develop new controls to reduce the vulnerabilities to an acceptable level of risk. The strength of a control can be measured in terms of its inherent or design strength and the likelihood of its effectiveness. Elements of controls that should be considered when evaluating control strength include whether the controls are: • Preventive or detective • Manual or programmed • Formal or ad hoc

CISA REVIEW Chapter 2 – Risk Management Once controls have been applied, any remaining

CISA REVIEW Chapter 2 – Risk Management Once controls have been applied, any remaining risk is called residual risk. Residual risks can be used by management to identify those areas where they can reduce risk even further or where more control is required.

CISA REVIEW Chapter 2 – Risk Management Real World Example A small, growing bank

CISA REVIEW Chapter 2 – Risk Management Real World Example A small, growing bank was cited for noncompliance by a regulatory agency because its information security program did not have an independent review. It seems that although a review was performed, it was conducted by an operations officer because he had network administrative access and was the only individual with the expertise to complete the review. Think About It: Where is the lapse in effective IT governance in this situation?

CISA REVIEW Chapter 2 – Risk Management Answer: The actual risk here is the

CISA REVIEW Chapter 2 – Risk Management Answer: The actual risk here is the lack of segregation of duty. The operations officer with network administrative access is, by default, not independent because he or she has regular access to the system. Think About It What do you, as an IS audit expert, think could have been done to prevent this bank from being in this situation?

CISA REVIEW Chapter 2 – Risk Management Answer: If the bank had the proper

CISA REVIEW Chapter 2 – Risk Management Answer: If the bank had the proper IT organizational structure and resource management in place, including proper segregation of duties and duty controls, this situation may not have occurred.

CISA REVIEW Chapter 2 – Process Improvement Typically, organizations need to measure where they

CISA REVIEW Chapter 2 – Process Improvement Typically, organizations need to measure where they are and where improvement is required, and continuously monitor this improvement. Cost-benefit also needs to be considered along with the following questions: • What are industry peers doing, and how is your organization placed in relation to them? • How is your organization placed with regard to industry good practices? • Based on these comparisons, can your organization be said to be doing enough? • How can your organization identify what is required to be done to reach an adequate level of management and control over its IT processes?

CISA REVIEW Chapter 2 – Process Improvement An organization has different levels of process

CISA REVIEW Chapter 2 – Process Improvement An organization has different levels of process maturity when compared to their peers. In order to assess their maturity level the organization should provide: • A set of requirements and the enabling aspects at the different maturity levels • A scale where the difference can be made measurable • A scale that lends itself to comparison • The basis for setting as-is and to-be positions • Support for gap analysis to determine what needs to be done to achieve a chosen level • Taken together, a view of how IT is managed in the enterprise

CISA REVIEW Chapter 2 – IT Balanced Scorecard Goals and metrics that comprise the

CISA REVIEW Chapter 2 – IT Balanced Scorecard Goals and metrics that comprise the IT balanced scorecard can be defined at three levels: • IT goals and metrics that define what the business expects from IT and how to measure it • Process goals and metrics that define what the IT process must deliver to support IT's objectives and how to measure it • Activity goals and metrics that establish what needs to happen inside the process to achieve the required performance and how to measure it

CISA REVIEW Chapter 2 – IT Balanced Scorecard Think About It: Why are measures

CISA REVIEW Chapter 2 – IT Balanced Scorecard Think About It: Why are measures so important? Answer: The value of metrics is in their ability to provide a factual basis for defining: • Strategic feedback to show the present status of the organization from many perspectives for the decision maker • Diagnostic feedback into various processes to guide improvements on a continuous basis • Trends in performance over time as the metrics are tracked • Feedback around the measurement methods themselves, and which metrics should be tracked • Quantitative inputs to forecasting methods and models for decision support systems

CISA REVIEW Chapter 2 – IT Balanced Scorecard Think About It: Why do you

CISA REVIEW Chapter 2 – IT Balanced Scorecard Think About It: Why do you think measuring of IT performance should be a dynamic process? It has to be a dynamic process because an organization must consider and account for the complex and changing business environments organizations have today. Accordingly, it can be misleading to program managers if they try and use traditional measurement to assess information technology's contribution to the organization's mission.

CISA REVIEW Chapter 2 – HR All organizations should have a variety of policies

CISA REVIEW Chapter 2 – HR All organizations should have a variety of policies regarding human resource issues. Examples of these policies are training, scheduling and time reporting, employee performance evaluations, and required vacations. • Training • Scheduling and Time Reporting • Employee Performance Evaluations • Vacations Organizations should also have a published code of conduct that specifies all employees' responsibilities to the organization.

CISA REVIEW Chapter 2 – HR An IS auditor has several responsibilities when evaluating

CISA REVIEW Chapter 2 – HR An IS auditor has several responsibilities when evaluating elements of IT human resource management and how it affects an organization's IT governance. These responsibilities include looking for indicators of potential staffing weaknesses or problems such as: • High staff turnover • Inexperienced staff • Lack of succession plans • Lack of adequate training Additionally, an IS auditor reviewing an organization's IT resource management should verify that job descriptions, human resource manuals, and organizational charts are in place, accurate and updated regularly.

CISA REVIEW Chapter 2 – HR Think About It: What are some reasons that

CISA REVIEW Chapter 2 – HR Think About It: What are some reasons that HR and IT must work together in an organization seeking to achieve effective IT governance? HR provides the link for the staffing and training component of the organization. This directly impacts the quality of the staff and the performance of IT duties. In order for HR personnel to effectively and accurately fill positions, they need to communicate closely with the IT department to obtain a clear understanding of ITs needs. Additionally, there is an ongoing need for HR involvement in the overall management of IT resources such as employee education and training, termination, compliance, and of course, overall IT governance.

CISA REVIEW Chapter 2 – IT Resource Allocation When developing an IS strategic plan,

CISA REVIEW Chapter 2 – IT Resource Allocation When developing an IS strategic plan, senior management is responsible for identifying cost-effective IT solutions to address the organization's problems and opportunities. It is important that the strategic planning process encompasses not just the delivery of new systems and technology, but considers the returns being achieved from investments in existing technology. This can be done using the following: • Considering the return on investment (ROI) and total cost of ownership for all endeavors • Understanding allocation practices • Effective budgeting • Change management

CISA REVIEW Chapter 2 – IT Resource Allocation What are the strategic issues that

CISA REVIEW Chapter 2 – IT Resource Allocation What are the strategic issues that need to be addressed relative to value? • A clear and shared understanding of the expected benefits • Clear accountability for realizing the benefits • Relevant metrics • An effective benefits realization process

CISA REVIEW Chapter 2 – IT Resource Allocation How do post implementation reviews impact

CISA REVIEW Chapter 2 – IT Resource Allocation How do post implementation reviews impact value? A post implementation review is a review of the implementation process against the methodology and budgeting of the project, and measuring the expected results against the success metrics. The IS auditor and the IT project team need to review results and develop steps for improvement.