CISA Exam Cram 2

The IT department should have a clear process for developing IS strategy. This process should include the development, communication, and implementation of the strategy. If this process does not exist, the auditor will find indicators throughout the review of strategy, policy/procedures, and observations. The lack of an IS strategy or a strategy that is outdated or not communicated indicates that IT might not be aligned with the business strategy and that a change in business strategy might not be reflected in the IT department's policy. An IS auditor should recognize key development risk indicators, including these:

  • Development projects that are not aligned with the strategic plan

  • Feasibility studies that do not consider the following areas:

    • Technical feasibility

    • Financial feasibility

    • Cultural feasibility

  • Senior management and users who are not involved

  • Business process analyses that are not performed

The IT strategy should align with the business strategy, ensure efficient use of IT resources, and serve as the basis for IT policy and procedures. Although the development of IT strategy is an IT function, it should include stakeholders in the organization, as well as senior management. The participation of stakeholders (such as senior managers of business functions) helps ensure that the strategy meets the goals of the organization and business functions, and helps keep the strategy aligned when the business strategy changes. When performing an audit of IS strategic planning, it is unlikely that the IS auditor would assess specific security procedures. During an IS strategy review, overall goals and business plans would be reviewed to determine whether the organization's plans are consistent with its goals.
