Case Study | IT & business goals GREATEST Concern (Governance & MGMT) | 2.14.3 - C

coffeeisgood CISSP, CISA, CISM Member Posts: 136
2.14.3 Case Study C
An IS auditor was asked to review alignment between IT and business goals for a small financial institution. The IS auditor requested various information including business goals and objectives and IT goals and objectives. The IS auditor found that business goals and objectives were limited to a short bulleted list, while IT goals and objectives were limited to slides used in meetings with the CIO (the CIO reports to the CFO). It was also found in the documentation provided that over the past two years, the risk management committee (composed of senior management) only met on three occasions, and no minutes of what was discussed were kept for these meetings. When the IT budget for the upcoming year was compared to the strategic plans for IT, it was noted that several of the initiatives mentioned in the past for the upcoming year were not included in the budget for that year.

C1. Which of the following should be of GREATEST concern to the IS auditor?

A. Strategy documents are informal and incomplete.
B. The risk management committee seldom meets and does not keep minutes.
C. Budgets do not appear adequate to support future IT investments.
D. The CIO reports to the CFO.

page 133
CISA Review Manual 26th Edition

Comments

  • coffeeisgood CISSP, CISA, CISM Member Posts: 136
    Try to answer this question without looking up the answer in the book.

    I got it wrong, hence why I want some discussion on this question / case study. I am stumped on why ISACA answer should be the GREATEST concern based on my reading of the case.
  • dustervoice Member Posts: 877
    I would go for A:
  • coffeeisgood CISSP, CISA, CISM Member Posts: 136
    nobody has got it right yet (at least according to the book answer)
  • Raystafarian Member Posts: 87
    That's the thing about ISACA, IMO. They are asking you to look at the problem through the "lens" of governance. Given that governance is all about alignment between IT and the entire organization, we can eliminate C. D is also not a governance-related risk, it's an auditor independence risk - it won't affect the alignment of goals.

    Now we know it's A or B. If you look at it from an auditor's perspective, in a general audit, it's of course A. But we're not looking at it that way, we're looking at it from the governance only lens - it doesn't matter if the documents are informal or incomplete because that doesn't affect what the actual strategy is (as absurd as that really is). So we know it's B - the risk management committee is responsible for knowing the strategy and assessing the risk of mis-alignment and we have no idea if they are doing that or just playing paper football in a conference room.

    That's ISACA and their "lenses" for you.

    I struggled with that through the CISM; they can ask pretty much the same basic question and, depending on the domain from which they are drawing a conclusion, the answer can be different.
    Hit me up on LinkedIn - just mention you're from techexams.
  • coffeeisgood CISSP, CISA, CISM Member Posts: 136
    That's the thing about ISACA, IMO. They are asking you to look at the problem through the "lens" of governance. Given that governance is all about alignment between IT and the entire organization, we can eliminate C. D is also not a governance-related risk, it's an auditor independence risk - it won't affect the alignment of goals.

    Now we know it's A or B. If you look at it from an auditor's perspective, in a general audit, it's of course A. But we're not looking at it that way, we're looking at it from the governance only lens - it doesn't matter if the documents are informal or incomplete because that doesn't affect what the actual strategy is (as absurd as that really is). So we know it's B - the risk management committee is responsible for knowing the strategy and assessing the risk of mis-alignment and we have no idea if they are doing that or just playing paper football in a conference room.

    That's ISACA and their "lenses" for you.

    I struggled with that through the CISM; they can ask pretty much the same basic question and, depending on the domain from which they are drawing a conclusion, the answer can be different.

    interesting explanation of ISACA thought process

    I would have gone with follow the money... & C (no money in the budget / how can it happen?)
    but this is a question from the governance chapter / domain (unfortunately I am sure the test will not be that clear)

    so I am starting to see why this is B

    Domain / Chapter 3 is on my agenda this Saturday afternoon. At least I can read/study out by a pool... my skin needs some color
  • naclh2onaz Member Posts: 69
    I'm working on Domain 3 this weekend as well. Are you taking the exam in September?
    2017 Goals:
    CISSP [X]
    2018 Goals:
    CRISC [ ]
  • 636-555-3226 Member Posts: 976
    Strategy comes before risk. Have to know where you're going before you can evaluate the likelihood & impact of something going wrong on the road you're traveling down.

    although there is an argument for determining the risk of going down Path A before you go down it, so risk can inform strategy.

    budgets come and go and a 5-year strategy can take a **** for a year when the economy turns south.

    who cares where the CIO reports to as long as it's where the business wants
  • coffeeisgood CISSP, CISA, CISM Member Posts: 136
    Strategy comes before risk. Have to know where you're going before you can evaluate the likelihood & impact of something going wrong on the road you're traveling down.

    although there is an argument for determining the risk of going down Path A before you go down it, so risk can inform strategy.

    it is amazing how many are picking A over B (B is the book answer)

    if strategy comes before risk, why is ISACA pushing risk over strategy?


    & yes I am taking the exam in September - San Jose, CA
  • 636-555-3226 Member Posts: 976
    Need a CGEIT to weigh in (I'm not one).

    FWIW, CISM & CRISC are fairly unified in their approach to governance. CISA takes a slightly tweaked stance on some things compared to CISM/CRISC. My guess is the CISA materials are a bit older and haven't been unified to 100% match the other ISACA certs. I recently took the CISA and noticed this disparity, which was a bit aggravating considering I know the CISM/CRISC material well and had to try to remember what CISA considers right but would be considered the "wrong" answer on CISM/CRISC.

    At the end of the day I suppose the book answer is B because you don't decide on what strategy to take until you've weighed the pros & cons (ie, risk) of doing