Cisa review
This presentation is the property of its rightful owner.
Sponsored Links
1 / 63

CISA REVIEW PowerPoint PPT Presentation


  • 205 Views
  • Uploaded on
  • Presentation posted in: General

CISA REVIEW. The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA. CISA REVIEW Chapter 2 – Governance Learning Objectives.

Download Presentation

CISA REVIEW

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Cisa review

CISA REVIEW

The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.


Cisa review chapter 2 governance learning objectives

CISA REVIEWChapter 2 – Governance Learning Objectives

  • Evaluate the effectiveness of IT governance structure to ensure adequate board control over the decisions, directions and performance of IT, so it supports the organization's strategies and objectives

  • Evaluate IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives

  • Evaluate the IT strategy and process for their development, approval, implementation and maintenance to ensure that they support the organization's strategies and objectives

  • Evaluate the organization's IT policies, standards, procedures and processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements

  • Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures

  • Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives

  • Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed

  • Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance


Cisa review chapter 2 governance

CISA REVIEWChapter 2 – Governance

  • IT governance is used to ensure that an organization's IT objectives are in alignment with its enterprise objectives. To ensure successful implementation of IT governance, an IS auditor needs to make certain that the organization's IS strategies are in alignment with the organization's business strategies. The IS auditor must also ensure that IS strategies comply with all local, regional and federal laws and regulations.

  • Other critical elements of an IS auditor's role in IT governance is to ensure that IS policies exist and adequately reflect the approved IS strategies, and that IS standards and procedures effectively enforce and communicate IS policies.


Cisa review chapter 2 governance1

CISA REVIEWChapter 2 – Governance

  • IT governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision making process. This prevents a single stakeholder, typically IT, being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected.

  • The best way to implement IT governance so it has the most positive impact is to have collaborative senior management sponsorship between the business and IT operations. Lower management levels may have some success but when governance is departmental only, problems arise with projects that transcend departments that are not consistently managed using the same guidance.


Cisa review chapter 2 governance2

CISA REVIEWChapter 2 – Governance

IT governance encompasses:

  • Information systems

  • Technology and communication

  • Business, legal and other issues such as regulatory compliance and security

  • All concerned stakeholders, directors, senior management, process owners, IT suppliers, users and auditors


Cisa review chapter 2 governance3

CISA REVIEWChapter 2 – Governance

Chief executive officers (CEOs), chief financial officers (CFOs) and chief information officers (CIOs) agree that the strategic alignment between IT and enterprise objectives is a critical success factor for an organization.


Cisa review chapter 2 process improvement

CISA REVIEWChapter 2 – Process Improvement

IT governance is concerned that IT delivers value to the business and that IT risks are managed. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise, which cannot be accomplished without effective measuring and reporting.


Cisa review chapter 2 governance4

CISA REVIEWChapter 2 – Governance

An IS auditor should assess the following organizational IT governance elements:

  • Alignment of the IT function with the organization's mission, vision, values, objectives and strategies

  • Achievement of IT function performance objectives established by the business (effectiveness and efficiency) including the measures used to determine success

  • Legal, environmental, information quality, and fiduciary and security requirements

  • The control environment of the organization

  • The inherent risks within the IT environment

  • The organization's documentation and contractual commitments


Cisa review chapter 2 it strategy committee

CISA REVIEWChapter 2 – IT Strategy Committee

As an industry best practice, all organizations should create an IT strategy committee. To incorporate IT governance into enterprise governance, a successful IT strategy committee must assist the board by:

  • Providing advice on strategy, IT value, risks and performance

  • Overseeing the enterprise's IT-related matters by ensuring that the board has the internal and external information it requires for effective IT governance decision-making


Cisa review chapter 2 it steering committee

CISA REVIEWChapter 2 – IT Steering Committee

In addition to the IT strategy committee, an organization's senior management should appoint an IT planning or steering committee. The responsibilities and duties of this committee should be defined in a formal charter and include overseeing the IT function and its activities, and ensuring that the IT department is in agreement with the organization's mission and objectives.


Cisa review chapter 2 it steering committee1

CISA REVIEWChapter 2 – IT Steering Committee

The primary functions of the IT steering committee include the following:

  • Review the long- and short-range plans of the IT department to ensure that they are in accordance with the organization's objectives.

  • Review and approve major acquisitions of hardware and software within the limits approved by the board of directors.

  • Approve and monitor major projects and the status of IT plans and budgets; establish priorities; approve standards and procedures; and monitor overall IT performance.

  • Review and approve sourcing strategies for select, or all, IT activities, including insourcing or outsourcing, and the globalization or offshoring of functions.

  • Review adequacy of resources and allocation of resources in terms of time, personnel and equipment.

  • Make decisions regarding centralization vs. decentralization and assignment of responsibility.

  • Support development and implementation of an enterprisewide information security management program.

  • Report to the board of directors on IT activities.


Cisa review chapter 2 it steering committee2

CISA REVIEWChapter 2 – IT Steering Committee

In order to effectively coordinate and monitor an organization's IT resources and IT steering committee must:

  • Receive the appropriate management information from IT departments, user departments and audits

  • Monitor performance and institute appropriate action to achieve desired results

  • Meet regularly and report to senior management

  • Maintain formal minutes to document the committee's activities and decisions

  • Serve as a general review board for major IT projects and avoid becoming involved in routine operations


Cisa review chapter 2 strategic planning

CISA REVIEWChapter 2 – Strategic Planning

An important element of strategic planning is to make sure that business and IT management work together toward a common goal. To do this:

  • IT management needs to have a better understanding of business issues and business unit management should also have a solid understanding of the reality of IT constraints.

  • All parties involved should have the ability to understand and relate strategic plans between business needs and IT. Strategic plans should address how IT resources will add-value to the business. IT resources add-value by mitigating risk and delivering and protecting information and allocating resources accordingly.


Cisa review chapter 2 strategic planning1

CISA REVIEWChapter 2 – Strategic Planning

Instructions: Match each IT governance outcome to its corresponding description.

Outcomes

Strategic alignmentRisk managementValue deliveryResource managementPerformance measurement

Descriptions

Measures, monitors and reports on information security processes to ensure objectives are achieved

Aligns information security with business strategy to support organizational objectives

Optimizes security investments in support of business objectives

Utilizes information security knowledge and infrastructure efficiently and effectively

Manages and executes appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level


Cisa review chapter 2 strategic planning2

CISA REVIEWChapter 2 – Strategic Planning

Answers: Each term is followed by the appropriate description.

  • Strategic alignmentAligns information security with business strategy to support organizational objectives

  • Risk managementManages and executes appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level

  • Value deliveryOptimizes security investments in support of business objectives

  • Resource managementUtilizes information security knowledge and infrastructure efficiently and effectively

  • Performance measurementMeasures, monitors and reports on information security processes to ensure objectives are achieved


Cisa review chapter 2 policies and procedures

CISA REVIEWChapter 2 – Policies and Procedures

IT governance also includes overseeing the policies and procedures developed to guide and control information systems and related resources.


Cisa review chapter 2 information security policy

CISA REVIEWChapter 2 – Information Security Policy

Information security policies should guide the organization by defining what needs to be protected, responsibilities for protection, and the strategy that will be followed for protection. Information security policies should be developed in accordance with business requirements, and relevant laws and regulations. An organization's management should demonstrate support for and commitment to information security by issuing and maintaining information security policies that contain a clear direction.


Cisa review chapter 2 information security policy1

CISA REVIEWChapter 2 – Information Security Policy

An organization's information security policy should be approved by management and:

  • Define the overall objective and scope of the organization's information security

  • Align the goals and principles of information security with the business strategy and objectives

  • Set the framework for risk assessment and risk management


Cisa review chapter 2 information security policy2

CISA REVIEWChapter 2 – Information Security Policy

After an information security policy is approved by management, it should be published and communicated. The communication of this policy must be:

  • Communicated to all users in the organization, including internal and external workers, third parties and outsourcers

  • Provided in a form that is accessible and understandable to the intended reader


Cisa review chapter 2 information security management

CISA REVIEWChapter 2 – Information Security Management

Information security management involves leading and facilitating the implementation of an organization wide IT security program to assure that the organization's information and the information-processing resources under its control are properly protected. This includes but is not limited to:

  • Developing business continuity and disaster recovery plans (BCP and DRP) related to IT department functions in support of the organization's critical business processes

  • Applying risk management principles to assess the risks to IT assets

  • Mitigate risks to an appropriate level as determined by management

  • Monitor the remaining residual risks


Cisa review chapter 2 information security management1

CISA REVIEWChapter 2 – Information Security Management

Instructions: Here are three items and descriptions. Match each item to its corresponding description.

Items

Information access policySourcing practicesInformation security management practices

Descriptions

Leading and facilitating the implementation of an organizationwide IT security program

Grants access to only those resources at or below a specific level of sensitivity

Asks "can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk?"


Cisa review chapter 2 information security management2

CISA REVIEWChapter 2 – Information Security Management

Answers: Each term is followed by the appropriate description.

Information access policyGrants access to only those resources at or below a specific level of sensitivity

Sourcing practicesAsks "can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk?"

Information security management practicesLeading and facilitating the implementation of an organization wide IT security program


Cisa review chapter 2 information security management3

CISA REVIEWChapter 2 – Information Security Management

Real-World Example

An organization is using human resources (HR) management software that it had developed by a vendor several years ago. The software maintains confidential information typically kept in personnel files, such as salary levels and management reviews. On performing a review, the IS auditor found that there were no written policies or guidelines indicating the type of authentication necessary for accessing the information in the software and that the organization typically used a four-character password for all items requiring access controls.

Think About It: What is the risk associated with this situation?


Cisa review chapter 2 information security management4

CISA REVIEWChapter 2 – Information Security Management

Answer:

The lack of sufficient access controls poses a serious risk to an organization's information integrity.

Think About It: What do you, as an IS audit expert, think could have been done proactively to prevent this organization from being in this situation?


Cisa review chapter 2 information security management5

CISA REVIEWChapter 2 – Information Security Management

Answer:

To prevent a situation like this from occurring, an organization should have proper access control policies, process, and strategies in place. This would involve performing regularly scheduled reviews and/or audits on all information assets requiring security and updating the organization's information security directive as appropriate. Additional proactive controls could also include addenda and reviews to the vendor contract with specific security requirements and requiring complexity-enabled password requirements.


Cisa review chapter 2 information access

CISA REVIEWChapter 2 – Information Access

Typical information security policies addressing information access include the following:

  • Individuals are granted access to only those resources at or below a specific level of sensitivity.

  • Labels are used to indicate the sensitivity level of electronically stored documents.

  • Policy-based controls may be characterized as either mandatory or discretionary.

  • Controls should not disrupt the usual work flow more than necessary or place too much burden on administrators, auditors or authorized users.

  • Access controls must adequately protect all the organization's resources.


Cisa review chapter 2 segregation of duties

CISA REVIEWChapter 2 – Segregation of Duties

  • The purpose of segregating duties is to aid an organization in reducing some of its business risks through the identification of compensating controls.

  • For example, when duties are segregated, access to the computer, the production data library, the production programs, the programming documentation, and the operating system and associated utilities can be limited, and potential damage from the actions of any one person is, therefore, reduced.


Cisa review chapter 2 segregation of duties1

CISA REVIEWChapter 2 – Segregation of Duties

Several control mechanisms can be used to enforce segregation of duties. Examples of these controls are:

  • Transaction authorization

  • Assets/data ownership

  • Access to data

    Proper segregation prevents misappropriation of assets, misstated financial statements, inaccurate financial documentation (i.e., errors or irregularities), and improper use of funds or not detecting data modifications.


Cisa review chapter 2 segregation of duties2

CISA REVIEWChapter 2 – Segregation of Duties

Transaction authorization is the responsibility of the data owner. Authorization is delegated to the degree that it relates to the particular level of responsibility of the authorized individual in the department. Periodic checks must be performed by management and audit to determine that adequate authorization policies and procedures exist and are implemented.


Cisa review chapter 2 segregation of duties3

CISA REVIEWChapter 2 – Segregation of Duties

Ownership of assets/data must be determined and assigned appropriately. The data owner usually is assigned to a particular user department, and his/her duties should be specific and in writing. The owner of the data has responsibility for determining authorization levels required to limit the exposure of data being accessed by people without a justification to see, modify or use it.


Cisa review chapter 2 segregation of duties4

CISA REVIEWChapter 2 – Segregation of Duties

Controls over access to data are provided by a combination of physical, system, and application security and personnel controls in the user area and the information process facility.


Cisa review chapter 2 segregation of duties5

CISA REVIEWChapter 2 – Segregation of Duties

Information technology and end-user departments should be organized so any single individual does not have too much control or responsibility over critical functions. With segregation of duties, the misuse of data or fraud can be detected in a timely manner and in the normal course of business processes.


Cisa review

Segregation of Duties Exercise


Cisa review

Segregation of Duties Exercise - Answer


Cisa review chapter 2 compensating controls

CISA REVIEWChapter 2 – Compensating Controls

Of course there will be situations were weaknesses exist with segregation of duties (e.g. smaller organizations with fewer staff). In these situations, compensating controls can be used.

Compensating controls include:

  • Audit trails

  • Reconciliation

  • Exception reporting

  • Transaction logs

  • Supervisor reviews

  • Independent reviews


Cisa review chapter 2 compensating controls1

CISA REVIEWChapter 2 – Compensating Controls

Audit trails are an essential component of all well-designed systems. Audit trails enable the user departments and IS auditor to re-create the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate segregation of duties, good audit trails may be an acceptable compensating control. The IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.


Cisa review chapter 2 compensating controls2

CISA REVIEWChapter 2 – Compensating Controls

Audit trails are an essential component of all well-designed systems. Audit trails enable the user departments and IS auditor to re-create the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate segregation of duties, good audit trails may be an acceptable compensating control. The IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.


Cisa review chapter 2 compensating controls3

CISA REVIEWChapter 2 – Compensating Controls

Reconciliation is ultimately the responsibility of the user department. In some organizations, limited reconciliation of applications may be performed by the data control group with the use of control totals and balancing sheets. This type of independent verification increases the level of confidence that the application processed successfully and the data are in proper balance.


Cisa review chapter 2 compensating controls4

CISA REVIEWChapter 2 – Compensating Controls

Exception reporting should be handled at the supervisory level and should require evidence, such as initials on a report, noting that the exception has been handled properly. Management should also ensure that exceptions are resolved in a timely manner.


Cisa review chapter 2 compensating controls5

CISA REVIEWChapter 2 – Compensating Controls

A transaction log may be manual or automated. An example of a manual log is a record of transactions (grouped or batched) before they are submitted for processing. An automated transaction log or journal provides a record of all transactions processed, and it is maintained by the computer system.


Cisa review chapter 2 compensating controls6

CISA REVIEWChapter 2 – Compensating Controls

Supervisory reviews may be performed through observation and inquiry or remotely.


Cisa review chapter 2 compensating controls7

CISA REVIEWChapter 2 – Compensating Controls

Independent reviews are carried out to compensate for mistakes or intentional failures in following prescribed procedures. These are particularly important when duties in a small organization cannot be appropriately segregated. Such reviews will help detect errors or irregularities.


Cisa review chapter 2 compensating controls8

CISA REVIEWChapter 2 – Compensating Controls

Instructions: Here are two categories and nine descriptions. Determine the appropriate category for each item.

Categories

Compensating controlsSegregated Duties

Items

Audit trails

Authorization

Custody of the assets

Exception reporting

Independent reviews

Reconciliation

Recording transactions

Supervisor reviews

Transaction logs


Cisa review chapter 2 compensating controls9

CISA REVIEWChapter 2 – Compensating Controls

Answers

Each category is followed by the appropriate items.

Compensating Controls:Audit trails

Reconciliation

Exception reporting

Transaction logs

Supervisor reviews

Independent reviews

Segregated Duties:Custody of the assets

Authorization

Recording transactions


Cisa review chapter 2 risk management

CISA REVIEWChapter 2 – Risk Management

  • Effective IT governance will enable an organization to manage and execute appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level.

  • To achieve this level of risk management, an organization must maintain:

  • A collective understanding of the organizations threat, vulnerability and risk profile consistent with the management's risk philosophy and position

  • An understanding of risk exposure and potential consequences of compromise including the regulatory, legal, operational and brand impacts

  • An awareness of risk management priorities based on potential consequences

  • Risk mitigation sufficient to achieve acceptable consequences from residual risk

  • Risk acceptance/deference based on an understanding of the potential consequences of residual risk


Cisa review chapter 2 risk management1

CISA REVIEWChapter 2 – Risk Management

  • Risk management is the process an organization must go through to:

  • Identify any vulnerabilities and threats to its information resources

  • Decide on the countermeasures to take which may reduce any risk to an acceptable level

  • An organization must define its risk appetite and its identified risk exposure before it can develop effective risk management strategies or determine what roles and responsibilities are necessary.


Cisa review chapter 2 risk management2

CISA REVIEWChapter 2 – Risk Management

  • When an organization finds risk, depending on the type of risk and its significance to the business, management and the board have five options:

  • Avoid the risk

  • Mitigate the risk

  • Transfer the risk

  • Accept the risk

  • Eliminate the risk


Cisa review chapter 2 risk management3

CISA REVIEWChapter 2 – Risk Management

  • Once risks have been identified, an organization must evaluate existing controls or develop new controls to reduce the vulnerabilities to an acceptable level of risk.

  • The strength of a control can be measured in terms of its inherent or design strength and the likelihood of its effectiveness. Elements of controls that should be considered when evaluating control strength include whether the controls are:

  • Preventive or detective

  • Manual or programmed

  • Formal or ad hoc


Cisa review chapter 2 risk management4

CISA REVIEWChapter 2 – Risk Management

Once controls have been applied, any remaining risk is called residual risk. Residual risks can be used by management to identify those areas where they can reduce risk even further or where more control is required.


Cisa review chapter 2 risk management5

CISA REVIEWChapter 2 – Risk Management

Real World Example

A small, growing bank was cited for noncompliance by a regulatory agency because its information security program did not have an independent review. It seems that although a review was performed, it was conducted by an operations officer because he had network administrative access and was the only individual with the expertise to complete the review.

Think About It: Where is the lapse in effective IT governance in this situation?


Cisa review chapter 2 risk management6

CISA REVIEWChapter 2 – Risk Management

Answer:

The actual risk here is the lack of segregation of duty. The operations officer with network administrative access is, by default, not independent because he or she has regular access to the system.

Think About It

What do you, as an IS audit expert, think could have been done to prevent this bank from being in this situation?


Cisa review chapter 2 risk management7

CISA REVIEWChapter 2 – Risk Management

Answer:

If the bank had the proper IT organizational structure and resource management in place, including proper segregation of duties and duty controls, this situation may not have occurred.


Cisa review chapter 2 process improvement1

CISA REVIEWChapter 2 – Process Improvement

  • Typically, organizations need to measure where they are and where improvement is required, and continuously monitor this improvement. Cost-benefit also needs to be considered along with the following questions:

  • What are industry peers doing, and how is your organization placed in relation to them?

  • How is your organization placed with regard to industry good practices?

  • Based on these comparisons, can your organization be said to be doing enough?

  • How can your organization identify what is required to be done to reach an adequate level of management and control over its IT processes?


Cisa review chapter 2 process improvement2

CISA REVIEWChapter 2 – Process Improvement

  • An organization has different levels of process maturity when compared to their peers. In order to assess their maturity level the organization should provide:

  • A set of requirements and the enabling aspects at the different maturity levels

  • A scale where the difference can be made measurable

  • A scale that lends itself to comparison

  • The basis for setting as-is and to-be positions

  • Support for gap analysis to determine what needs to be done to achieve a chosen level

  • Taken together, a view of how IT is managed in the enterprise


Cisa review chapter 2 it balanced scorecard

CISA REVIEWChapter 2 – IT Balanced Scorecard

  • Goals and metrics that comprise the IT balanced scorecard can be defined at three levels:

  • IT goals and metrics that define what the business expects from IT and how to measure it

  • Process goals and metrics that define what the IT process must deliver to support IT's objectives and how to measure it

  • Activity goals and metrics that establish what needs to happen inside the process to achieve the required performance and how to measure it


Cisa review chapter 2 it balanced scorecard1

CISA REVIEWChapter 2 – IT Balanced Scorecard

  • Think About It: Why are measures so important?

  • Answer: The value of metrics is in their ability to provide a factual basis for defining:

  • Strategic feedback to show the present status of the organization from many perspectives for the decision maker

  • Diagnostic feedback into various processes to guide improvements on a continuous basis

  • Trends in performance over time as the metrics are tracked

  • Feedback around the measurement methods themselves, and which metrics should be tracked

  • Quantitative inputs to forecasting methods and models for decision support systems


Cisa review chapter 2 it balanced scorecard2

CISA REVIEWChapter 2 – IT Balanced Scorecard

Think About It: Why do you think measuring of IT performance should be a dynamic process?

It has to be a dynamic process because an organization must consider and account for the complex and changing business environments organizations have today. Accordingly, it can be misleading to program managers if they try and use traditional measurement to assess information technology's contribution to the organization's mission.


Cisa review chapter 2 hr

CISA REVIEWChapter 2 – HR

  • All organizations should have a variety of policies regarding human resource issues. Examples of these policies are training, scheduling and time reporting, employee performance evaluations, and required vacations.

  • Training

  • Scheduling and Time Reporting

  • Employee Performance Evaluations

  • Vacations

  • Organizations should also have a published code of conduct that specifies all employees' responsibilities to the organization.


Cisa review chapter 2 hr1

CISA REVIEWChapter 2 – HR

  • An IS auditor has several responsibilities when evaluating elements of IT human resource management and how it affects an organization's IT governance. These responsibilities include looking for indicators of potential staffing weaknesses or problems such as:

  • High staff turnover

  • Inexperienced staff

  • Lack of succession plans

  • Lack of adequate training

  • Additionally, an IS auditor reviewing an organization's IT resource management should verify that job descriptions, human resource manuals, and organizational charts are in place, accurate and updated regularly.


Cisa review chapter 2 hr2

CISA REVIEWChapter 2 – HR

Think About It: What are some reasons that HR and IT must work together in an organization seeking to achieve effective IT governance?

HR provides the link for the staffing and training component of the organization. This directly impacts the quality of the staff and the performance of IT duties. In order for HR personnel to effectively and accurately fill positions, they need to communicate closely with the IT department to obtain a clear understanding of ITs needs.

Additionally, there is an ongoing need for HR involvement in the overall management of IT resources such as employee education and training, termination, compliance, and of course, overall IT governance.


Cisa review chapter 2 it resource allocation

CISA REVIEWChapter 2 – IT Resource Allocation

  • When developing an IS strategic plan, senior management is responsible for identifying cost-effective IT solutions to address the organization's problems and opportunities.

  • It is important that the strategic planning process encompasses not just the delivery of new systems and technology, but considers the returns being achieved from investments in existing technology. This can be done using the following:

  • Considering the return on investment (ROI) and total cost of ownership for all endeavors

  • Understanding allocation practices

  • Effective budgeting

  • Change management


Cisa review chapter 2 it resource allocation1

CISA REVIEWChapter 2 – IT Resource Allocation

  • What are the strategic issues that need to be addressed relative to value?

  • A clear and shared understanding of the expected benefits

  • Clear accountability for realizing the benefits

  • Relevant metrics

  • An effective benefits realization process


Cisa review chapter 2 it resource allocation2

CISA REVIEWChapter 2 – IT Resource Allocation

How do post implementation reviews impact value?

A post implementation review is a review of the implementation process against the methodology and budgeting of the project, and measuring the expected results against the success metrics. The IS auditor and the IT project team need to review results and develop steps for improvement.


  • Login