CISA Case Study D Governance & MGMT of IT | Greatest concern from an IT governance perspective
coffeeisgood
Member Posts: 136
in CISA
2.14.4 CASE STUDY D
An IS auditor is auditing the IT governance practices for an organization. During the course of the work, it is noted that the organization does not have a full-time CIO. The organization chart of the entity provides for an IS manager reporting directly to the CFO, who in turn reports to the board of directors. The board plays a major role in monitoring IT initiatives in the entity, and the CFO communicates on a frequent basis the progress of IT initiatives. From reviewing the SoD matrix, it is apparent that application programmers are only required to obtain approval from the DBA to directly access production data. It is also noted that the application programmers have to provide the developed program code to the program librarian, who then migrates it to production. IS audits are carried out by the internal audit department, which reports to the CFO at the end of every month as part of the business performance review process; the financial results of the entity are reviewed in detail and signed off by the business managers for correctness of the data contained therein.
D1. Given the circumstances described, what would be of GREATEST concern from an IT governance perspective?
CISA Review Manual 26th Edition
(Chapter 2)
page 133
Comments
coffeeisgood Member Posts: 136
This is a case study question where the book answer philosophy (IMHO) seems to be different from what we have discussed in these forums.
Try to answer the poll before looking up the answer in the book.
636-555-3226 Member Posts: 975
B or C. I voted C.
A - Who cares if they have a full-time CIO. Someone's doing the job, regardless of their title.
D - Who cares who the IT mgr reports to as long as it's what the business wants
B - Probably a big deal. You really should have an IT steering committee to help oversee ops. I suppose I discount this answer since a strategy committee would be more important than a steering committee???
C - Board should be more hands-off, high-level. Shouldn't be getting into the nitty-gritty
Guess I'll have to wait to see the answer.
coffeeisgood Member Posts: 136
******
PLEASE VOTE on what you thought the answer was.
******
BOOK ANSWER
******
Case Study D
D1.
D. The information systems manager reports to the CFO.
"The information systems manager should ideally report to the board of directors or the CEO to provide a sufficient degree of independence. The reporting structure that requires the information systems manager to report to the CFO is not a desirable situation and could lead to the compromise of certain controls."
page 135
CISA Review Manual 26th edition
coffeeisgood Member Posts: 136
OK? I went with B over D, but I am struggling a bit on why D.
it has to do something with the "circumstances described"?
Has anyone read anything in chapter 2 that could help? (Please reference a page, maybe?)
636-555-3226 Member Posts: 975
OK, so I actually read the scenario this time (I just looked at the question before, not the underlying facts). I think this is just a bad question. Best guess (2nd time around) is that the problem is that Internal Audit reports to the CFO. IA should report directly to the board. Somehow I think the question/scenario is tying in that IA reports to the IS manager who reports to the CFO, and that's a conflict of interest as IA should be independent of the business. Pretty sure this is the "why" of the answer considering the end of the official answer mentions "could lead to the compromise of certain controls" and controls = IA.
I think the question is worded poorly and that's the cause for confusion. The question could be better worded to specifically call out IA reports to the IS manager who reports to the CFO and/or also to have choice D read "IA reports to the IS manager (or the CFO by hierarchy?)"