Domain 1 readies the auditor for planning, performing and reporting an audit, and that knowledge is now put into practice by evaluating an organization’s governance and management controls.
ISACA describes the role of the auditor in this area as ‘Assuring that the necessary leadership and organizational structures and processes are in place to achieve the objectives and to support the enterprise strategy,’ and candidates need to understand how to evaluate whether:
- the IT strategy and delivery portfolio support the organization’s business objectives,
- resource allocation supports the IT strategy,
- an effective IT governance structure is being used, and
- a robust Business Continuity Plan (BCP) is in place.
The domain is closely related to the ISACA CGEIT Certification, and candidates who have a working knowledge of its content will be a step ahead.
IT Strategy and portfolio management
Candidates need to understand how an organization develops, implements and maintains an IT strategy that supports its strategic objectives. Doing so requires knowledge of the strategic planning process and how strategy, policy, processes, procedures, and standards are integrated to deliver business objectives.
The IT strategy is delivered through a portfolio of activities and IT portfolio management is an ongoing process that responds to continuous feedback from activities like risk assessments, revised business goals, new regulations and business improvement initiatives. Tools such as the IT Capability Management Framework provide a structured approach to the creation of an effective IT strategy and its decomposition into a delivery portfolio.
Direction must come from the top: board members and senior managers need to give clear direction and have an ongoing responsibility to ensure business objectives are defined, an IT strategy prepared, and its execution effectively governed. Typically, they will use a strategy committee to help shape its content and a steering committee to make decisions on portfolio content, prioritization, funding and issue management.
Candidates should understand portfolio management techniques including investment, prioritization and resource allocation and be able to evaluate the fit of the portfolio against the IT strategy.
Aligning resources to the IT strategy
Auditors must understand how resources (people, money, time) are being applied, and evaluate whether they support the IT strategy and business objectives.
The organization structure, roles, and responsibilities for IT-related functions should be documented, and job descriptions and RACI matrices used to ensure there is no misunderstanding or overlap. The auditor should review org charts and job descriptions and, through observation and interview, confirm they reflect actual practice. Typical functions the auditor needs to consider are infrastructure operations and maintenance, network management, security, data, and systems development.
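A RACI matrix is only useful as audit evidence if it is internally consistent: every activity needs exactly one Accountable owner and at least one Responsible party, and cells should hold only the four RACI codes. The following script is an added example, not code from the article or from ISACA, and the RACI table it checks is constructed for illustration; it reads the table as CSV and reports activities that break those rules, which is the same check an auditor would run over a real exported matrix before comparing it with org charts and interviews.

```python
# Added example (not from the article): validate a RACI matrix so that every
# activity has exactly one Accountable owner and at least one Responsible party.
import csv
import io

# Constructed RACI table: rows are activities, columns are IT functions.
SAMPLE_RACI = """\
activity,Infrastructure,Network,Security,Data,SysDev
Patch servers,R,C,A,I,I
Manage firewall rules,C,R,A,I,I
Approve schema changes,I,I,C,A,R
Review access rights,I,I,R,R,I
Decommission systems,A,R,A,I,I
Onboard new application,C,C,R,R,A
"""

# The four RACI codes; an empty cell means the function is not involved.
VALID_CODES = {"R", "A", "C", "I", ""}


def parse_raci(text):
    """Parse a CSV RACI table into {activity: {function: code}}."""
    reader = csv.DictReader(io.StringIO(text))
    matrix = {}
    for row in reader:
        activity = row.pop("activity")
        matrix[activity] = {func: code.strip().upper() for func, code in row.items()}
    return matrix


def check_raci(matrix):
    """Return {activity: [issue, ...]} for every activity that breaks a RACI rule."""
    findings = {}
    for activity, cells in matrix.items():
        issues = []
        bad = [c for c in cells.values() if c not in VALID_CODES]
        if bad:
            issues.append(f"invalid code(s) {bad}")
        accountable = [f for f, c in cells.items() if c == "A"]
        responsible = [f for f, c in cells.items() if c == "R"]
        # Exactly one function must be Accountable for each activity.
        if len(accountable) == 0:
            issues.append("no Accountable owner")
        elif len(accountable) > 1:
            issues.append(f"multiple Accountable owners: {accountable}")
        # At least one function must actually do the work.
        if not responsible:
            issues.append("no Responsible party")
        if issues:
            findings[activity] = issues
    return findings


if __name__ == "__main__":
    for activity, issues in check_raci(parse_raci(SAMPLE_RACI)).items():
        print(f"{activity}: {'; '.join(issues)}")
```

In the constructed table, "Review access rights" has two Responsible functions but nobody Accountable, and "Decommission systems" has two Accountable owners; both are the kind of ambiguity the article says job descriptions and RACI matrices exist to remove. Multiple Responsible parties are allowed by RACI and are not flagged.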
The exam might test your knowledge of segregation of duties (SoD), which ISACA defines as ‘A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.’
Auditors must understand the principle behind this: if SoD is not applied, individuals could accumulate privileges that lead to unauthorized access to data and systems. Auditors should therefore look for evidence of SoD compliance in the organization. Creating an SoD matrix might help with this evaluation, and you can find an example here.
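An SoD matrix becomes actionable when it is applied to the organization's actual access data. The script below is an added example, not code from the article or from ISACA; the role-to-duty mapping, the conflict pairs and the user-to-role export are all constructed for illustration. It maps each application role to one of the three duties in ISACA's definition (initiating transactions, recording transactions, custody of assets), then flags any user whose roles combine two conflicting duties. Roles with no duty mapped (read-only roles) never produce a conflict, and two roles that grant the same duty are not a conflict either.

```python
# Added example (not from the article): detect segregation-of-duties conflicts
# in user-to-role assignments, using ISACA's three incompatible duties
# (initiating transactions, recording transactions, custody of assets).
from collections import defaultdict
from itertools import combinations

# Constructed SoD matrix: pairs of duties that must not be held by one person.
CONFLICTING_DUTIES = {
    frozenset({"initiate", "record"}),
    frozenset({"initiate", "custody"}),
    frozenset({"record", "custody"}),
}

# Constructed mapping of application roles to the duty each role grants.
ROLE_DUTIES = {
    "AP_INVOICE_ENTRY": "initiate",
    "GL_POSTING": "record",
    "PAYMENT_RELEASE": "custody",
    "AP_REPORT_VIEWER": None,  # read-only, grants no conflicting duty
}

# Constructed IAM export: one "user,role" pair per line, with a header.
SAMPLE_EXPORT = """\
user,role
alice,AP_INVOICE_ENTRY
alice,AP_REPORT_VIEWER
bob,AP_INVOICE_ENTRY
bob,GL_POSTING
carol,GL_POSTING
carol,PAYMENT_RELEASE
dave,PAYMENT_RELEASE
dave,AP_REPORT_VIEWER
"""


def parse_assignments(text):
    """Parse a 'user,role' export into {user: {role, ...}}."""
    users = defaultdict(set)
    for line in text.strip().splitlines()[1:]:  # skip header
        user, role = (part.strip() for part in line.split(",", 1))
        users[user].add(role)
    return dict(users)


def unmapped_roles(assignments, role_duties=ROLE_DUTIES):
    """Roles present in the export but absent from the duty mapping.

    These cannot be evaluated and should be reviewed, not silently ignored."""
    seen = set().union(*assignments.values())
    return sorted(seen - set(role_duties))


def find_sod_conflicts(assignments, role_duties=ROLE_DUTIES,
                       conflicts=CONFLICTING_DUTIES):
    """Return {user: [(role_a, role_b), ...]} for every conflicting role pair."""
    findings = {}
    for user, roles in sorted(assignments.items()):
        # Keep only roles that grant a duty; read-only roles drop out here.
        duties = {r: role_duties.get(r) for r in roles if role_duties.get(r)}
        for (r1, d1), (r2, d2) in combinations(sorted(duties.items()), 2):
            # Same duty twice is not a conflict: frozenset({d, d}) has one element.
            if frozenset({d1, d2}) in conflicts:
                findings.setdefault(user, []).append((r1, r2))
    return findings


if __name__ == "__main__":
    assignments = parse_assignments(SAMPLE_EXPORT)
    for user, pairs in find_sod_conflicts(assignments).items():
        for r1, r2 in pairs:
            print(f"{user}: {r1} conflicts with {r2}")
    print("unmapped roles:", unmapped_roles(assignments))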
While many people focus on the people element, IT resources also include software, hardware, services, time and money, and candidates should know how to evaluate their performance in delivering the IT strategy. Resource effectiveness can be measured using tools such as return on investment models and the IT balanced scorecard.
The IT Balanced Scorecard is a variation of the original Balanced Scorecard developed to help firms measure business performance using both financial and non-financial data. The IT variant has four dimensions – business contribution, user orientation, future orientation and operational excellence – and is a useful way for an auditor to structure their review.
Governance and control arrangements
The purpose of IT governance is to ensure a mechanism is in place that determines whether IT decisions, delivery and performance support the organization’s business objectives. Good IT governance will ensure the organization monitors the effectiveness of its IT strategy and adjusts it when needed.
To be effective, it requires the implementation of an approach that addresses:
- strategic alignment: IT and business plans are linked and remain so,
- value delivery: IT delivers the promised benefits cost-effectively, and
- risk management: regular risk assessments and mitigation actions when required.
Candidates must understand how industry standard frameworks can be used to establish good practice governance arrangements and should familiarize themselves with examples such as COBIT (control objectives for information and related technology), ISO 27001 (international standard for information security management systems) and ITIL.
This element of the domain also covers information security which has taken on an even greater importance for auditors given the number of cyber-attacks and the attention paid by regulators. For this reason, candidates should understand how an information security strategy is developed and implemented.
IT sourcing is also included, in recognition of the importance many organizations apply to outsourced resourcing, the use of a wide range of IT vendors and service providers and cloud computing as the primary delivery mechanism for enterprise applications.
Auditors must have a good understanding of the day-to-day risks associated with the use of IT and be familiar with the risk management process – risk assessment, impact evaluation and risk response determination – and the use of a business impact assessment (BIA) to quantify the effect of business disruption. Both of these tools are used to inform the business continuity plan (BCP).
Finally, the organization will only know if its IT Governance and management processes are effective if it has a regular, objective, measurement process to evaluate their performance and report the outcome to senior management. Management should have a steady flow of reports that demonstrate progress against targets and performance against key performance indicators (KPIs) and auditors should satisfy themselves this is the case.
Business continuity management
A key element of IT Governance arrangements is having a BCP that ensures the business can continue operating, possibly at a reduced capacity, and return to normal operation quickly in the event of an incident.
The BCP should contain the IT disaster recovery plan, since keeping both together ensures continued alignment between business and IT activities.
Auditors don’t need to pore over every page of the BCP but should satisfy themselves that the arrangements documented will return the business to normal operations quickly.
Candidates must understand how a BCP is created and its link to other governance documentation, such as the IT Strategy and BIA, which will define triggers for the initiation of activities contained in the plan.