This lesson focuses on governance, which is managing the organization as a whole. If an organization is not managed carefully, issues can arise. IS auditors must familiarize themselves with the various policies and rules within organizations.

Transcript:

When we think about governance, we think about the fact that it's managing the organization as a whole, and when that's done properly that is, in effect, showing leadership. So it's an important connection to make between governance and leadership. For instance, if you were part of an organization that is known for having very high ethical standards, then the governance of that organization is probably responsible for that: for instituting a culture where the management respects the employees, and vice versa, and the customers are treated fairly and lawfully.

If your organization is not governed properly, now you've got different issues. For instance, if there are not well-defined consequences for misbehavior, or if the process for making decisions at levels below the highest level is not managed carefully, then you might end up with people in middle management, or even lower levels of management, making decisions that have an adverse effect on the organization. It wasn't their intention to cause a problem, but a problem happened anyway because their management decision wasn't approved, and there was no need to have it approved. Examples might be things like a manager deciding to change the way they do things, or deciding that certain changes to a system don't require a formalized change control process. I've seen this in organizations that I've worked for. And sometimes people say, 'Oh, that person's being a cowboy.'

They're just kind of shooting from the hip, doing what they think is best without getting approval. That might work well in certain environments, but ultimately, if you've got people making decisions in an uncoordinated fashion, that's going to cause issues at a later time, and the issues could be catastrophic. There could be, you know, civil lawsuits, accidental destruction of data, or leaking of customer information because it wasn't properly protected and someone didn't go through an assessment and authorization process for their system, and now it's not secure and is vulnerable to hackers. These are all different scenarios that might unfold if we don't have correct governance to demonstrate leadership for the organization.

So, it's one thing to govern the organization correctly, but we still have to think about discovering problems in the way that that's done. That's where auditing comes into its own. We know that the auditor needs to be familiar with what the organization does, all of the policies that are created to manage its processes, the business logic involved, maybe even some lower-level details about how certain transactions are handled within the organization. So once the auditor understands those things, then they can make the connection between proper governance and results-based testing to show that the governance is effective.