IT Governance, Risk Management, and Control Frameworks


Organizations continue to increase their dependency on information systems and invest heavily in the acquisition, development, and maintenance of those systems. These systems support mission-critical business functions and should maximize the organization's return on investment. The combination of a solid governance framework and risk-management process creates a control infrastructure that reduces risk and ensures that IT infrastructure supports the business functions.

IS auditors should look for evidence of a structured approach to the management of systems and applications, and defined life-cycle phases and progression points. The presence of a structured approach provides advantages to the auditor:

  • The IS auditor's influence is increased when there are formal procedures and guidelines identifying each phase in the business application life cycle and the extent of auditor involvement.

  • The IS auditor can review all relevant areas and phases of the systems-development project, and can report independently to management on the adherence to planned objectives and company procedures.

The risks associated with improper planning are varied, but the absence of a planning and review process or of defined organizational structures is an indicator of a lack of controls. The IS auditor must advise the project-management team and senior management of these deficiencies. As stated earlier, the IT department should have proper project-planning procedures that follow a standard system-development life cycle. This project-planning process, combined with change control, ensures proper control over the production IT infrastructure.

In Chapter 1, we defined the different types of risks, such as business risk, continuity risk, and so on. As a part of ongoing IT procedures, a formal risk-management process must be incorporated into the planning, acquisition, development, testing, and deployment of information systems. The IT organization and project managers should use proper risk-management techniques to assess risk, take steps to reduce risk to an acceptable level (mitigation), and maintain that level of risk.

An effective risk-management program should enable the organization to realize its business objectives by meeting two goals:

  • Better securing the IT systems that store, process, or transmit organizational information

  • Enabling management to make well-informed risk-management decisions that justify the expenditures that are part of the IT budget

Proper risk management enables IT managers and senior leadership to balance the operational and economic costs of protective measures and to achieve gains in mission objectives by protecting the IT systems and data that support their organizations' objectives.



Source: CISA Exam Cram 2 (2005), 146 pages. ISBN: B001EEFNHG
