Corporate Governance

Time
7 hours 15 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
>> Now let's begin our first lesson, which is corporate governance. In this lesson, we will cover IT governance, what it is, etc. We'll look at what governance versus management is, and we'll cover enterprise governance of information technology, or the abbreviation EGIT. We'll look at some good practices of EGIT and also the audit role of EGIT and some of the specifics around auditing with EGIT. I'm ready, so let's get all excited and let's begin.
IT governance: we're talking about the enterprise governance of information technology, or EGIT. Now, I'll be honest with you, I've spent 20 years working in this industry and this is the first time I have come across this abbreviation. That's not to say that it's not used somewhere out there in the world, but certainly it is something that the exam wants you to know, and if you use this in your environment, then you're probably very familiar with it. But just bear in mind that this might be something that's more of an exam thing than a real-world thing.

Basically, IT governance is really defined as just the stewardship of IT resources on behalf of all stakeholders. IT resources in companies today are massive investments. They're essentially big money and quite a significant investment for most companies, and so ensuring that they're governed correctly is a fairly central activity. What governance will do is basically direct IT to ensure that it's aligned with the enterprise objectives. In other words, IT has all its ducks in a row to make sure that it's ready to meet the business objectives.
Now there are three main areas. We're looking at IT resource management. This is very simply just maintaining an inventory of IT resources. In a very large organization, this may not be a very simple matter. We could have IT resources spread across multiple sites or even multiple countries. The key thing with resource management is addressing the risk of the management process. We need to make sure that the systems that the enterprise relies on to achieve their business objectives are managed appropriately and are actually working and functioning when they need to be.

Another aspect of it is performance measurement. We need to ensure that the investments in IT resources perform as expected: the systems running as fast as they need to be, the processing of the transactions through the enterprise system at a level that supports the business. Basically, we're looking to make sure that value is delivered to the business and to ensure that the IT resources are being well used. Now, this is also bringing in the area of risk, which is a very key feature throughout the Certified Information Systems Auditor, if you haven't picked up on this already. Basically, performance measurement will obviously be an element of risk measurement as well. It determines if there is any risk of the IT resources not performing as they should be, and this will be based on a set of performance indicators. There'll be SLAs or there'll be OLAs that will determine exactly how the IT resources are meant to perform.

Finally, we also have compliance management. In a lot of organizations, as we've covered in a few other modules so far, there is a large legal and regulatory policy and compliance area which some businesses need to adhere to. Part of governance is ensuring that if there is a legislative or regulatory approach that needs to be followed, the IT resources follow that approach.
Governance versus management. Sometimes you'll often see these used interchangeably, but from ISACA's perspective at least, and certainly from my experience, they are two fairly different things. In terms of looking at ISACA's COBIT framework, and this is a good reference for you to use for your CISA exam, governance will ensure that the stakeholders' needs, conditions, and options are evaluated to determine balanced, agreed-upon enterprise objectives. That basically means that governance ensures that all the stakeholders in the enterprise are basically being looked after. Management, on the other hand, will plan, build, run, and monitor the activities to ensure that they align with the direction set by the governance body. In other words, governance will determine what you do and management will basically determine how you do it.

Enterprise governance of information technology. In essence, it basically delivers value to the business. That's pretty much one of the key factors, and the other key factor is that it manages risk. It's often really as simple as that: value for money, and ensuring that business risk is mitigated and managed.
A little bit on the good practice for EGIT. Return on investment is probably a key thing. The organization needs to ensure that basically the money that they invest in their IT infrastructure is providing them with good business value. The other aspect of good practice is ensuring that the levels of IT expenditure are monitored and maintained. Certainly, achieving your business goals could be maintained and certainly exceeded if you spend millions and millions of dollars on IT infrastructure. However, that may not necessarily be good for other parts of the business, particularly within budget. This is an aspect of monitoring: ensuring that the return on investment is suitable and the level of IT expenditure is also suitable for the business requirements.

Also again, we'll touch upon regulatory requirements. In the US, we've got some things like the Sarbanes-Oxley Act. The EU has the General Data Protection Regulation. In every country, and even in Australia basically, you have a number of privacy legislations that you need to adhere to. Every country without exception will have their own local laws and legislation and regulations that will need to be adhered to in terms of the governance of information technology.

Another aspect which is very common today is outsourcing, and in a lot of organizations these days you will find that basically there's this number of different stakeholders under the hood. In other words, having the information technology infrastructure entirely in-house is becoming a little bit less common, and so you'll see outsourcing to other third-party providers. A very notable aspect of this is cloud computing, where a lot of services can be outsourced to the cloud. This is another important aspect of ensuring good practice for governance in information technology.

We also have control frameworks that are adopted to increase business value and reduce business risk. Things like COBIT, for example. We have a standardization of approaches across all the organization. There could be multiple different standards used across different parts of the organization. Ensuring that these are all aligned is fairly key, and ensuring that basically a benchmark is managed and adhered to.
The audit role of enterprise governance of information technology. Basically, very simple. It's to ensure that recommendations are made to basically improve the aspects of compliance, risk management, regulation, etc., and to also ensure that those compliance requirements are met. It's a very simple thing: recommendations, and ensure compliance. Basically, this should all feed into one another. Recommendations should help achieve compliance. Compliance should be monitored, analyzed, and evaluated, which then will feed into recommendations. This is essentially a cycle that will continue throughout the governance life-cycle of an organization.
Let's drill down into some enterprise governance of information technology audit specifics. Ultimately, the first specific that you need to look at is the alignment of the enterprise governance and the IT governance. We basically need to ensure that these two governance areas are working together in harmony with one another. Also, there is basically the alignment of the IT function with the enterprise goals and objectives. We need to ensure that IT is supporting the business, and we also need to look at achieving the performance objectives. We need to make sure that the right number of transactions are processed in a given period, and we need to ensure that the services are being provided at the level that's suitable for the business. Again, let's not forget about legal and regulatory compliance, and also the control environment, risk management, and ensuring that the IT investment and expenditure is appropriate for the business itself.
We've reached the end of our lesson. We've covered IT governance, we have covered what governance is versus what management is, and we've covered the abbreviation EGIT, enterprise governance of information technology, which is essentially the governance that you'll basically be looking at in your role as a CISA auditor. We've looked at the audit role within EGIT and a few of the specifics within EGIT for auditing. Hope you enjoyed this lesson, and I will see you at the next one.