Evaluate Data Governance Structures
Help Questions
Data governance is best described as:
A regulatory requirement applicable only to financial institutions.
A framework of policies, processes, roles, and standards that ensure data is managed as a strategic asset with appropriate quality, security, and compliance throughout its lifecycle.
The IT department's responsibility to manage database performance and storage.
The technical process of backing up and restoring organizational data.
Explanation
Data governance is an enterprise-wide discipline encompassing policies, roles, accountability, and processes to ensure data is accurate, available, secure, and used appropriately. Answer A is correct. Backup and restore (B) is a technical IT function. Database performance (C) is IT operations. Data governance applies across all industries (D).
Which of the following represents a key principle of effective data governance?
Data governance requires clear accountability - defined roles, responsibilities, and ownership for each data domain across the organization.
Data governance is a one-time initiative that is completed when initial policies are published.
Data governance policies should be kept confidential to prevent misuse.
Data governance should be managed exclusively by the IT department to ensure technical consistency.
Explanation
Effective data governance requires clear, defined accountability for each data domain - who owns it, who stewards it, and who is responsible for its quality and appropriate use. Answer C is correct. Governance requires business and IT collaboration (A). Policies must be communicated to be followed (B). Governance is an ongoing program, not a one-time project (D).
A financial institution discovers that the same customer has five different records across its CRM, loan origination, and core banking systems with inconsistent addresses and account information. This problem is best addressed through:
A master data management (MDM) initiative that establishes a single authoritative customer record (golden record) synchronized across all systems.
Restricting access to customer data to senior staff only.
Deleting duplicate records without investigation.
Encrypting all customer records to prevent further data corruption.
Explanation
MDM creates a single trusted version of key data entities (customers, products) that all systems reference, eliminating the inconsistencies caused by siloed data. Answer D is correct. Encryption (A) protects confidentiality but does not fix data quality. Deleting duplicates without investigation (B) risks losing valid data. Access restriction (C) does not resolve inconsistency.
Under a data governance framework, the 'data custodian' role is primarily responsible for:
Approving changes to data governance policies.
Defining which employees are permitted to access specific data domains.
Implementing the technical controls for data storage, backup, security, and availability as directed by the data owner.
Classifying all organizational data and assigning sensitivity levels.
Explanation
The data custodian (often IT) implements and maintains the technical infrastructure - storage systems, backups, access controls, encryption - that protects and makes data available, acting on the data owner's direction. Answer B is correct. Access decisions (A) are made by data owners. Classification (C) is the data owner's responsibility. Policy approval (D) is a governance committee function.
An organization's data governance framework includes a data quality scorecard that measures accuracy, completeness, and timeliness for each major data domain. The primary purpose of this scorecard is to:
Satisfy external audit requirements for data quality reporting.
Provide ongoing visibility into data quality performance, enabling data owners and stewards to identify and remediate issues before they impact business processes.
Determine which employees require additional data management training.
Justify the cost of the data governance program to senior management.
Explanation
A data quality scorecard is a management tool providing continuous measurement of quality metrics, enabling proactive issue identification and remediation. Answer A is correct. External audit requirements (B) are a secondary consideration. Cost justification (C) is a governance activity but not the scorecard's primary purpose. Training needs (D) may be identified but are not the primary purpose.
A data governance framework's 'data lineage' capability provides which of the following benefits?
It documents the origin, movement, transformation, and consumption of data across systems, enabling impact analysis and root cause investigation of data quality issues.
It encrypts data as it flows between source and target systems.
It restricts data movement to approved pathways based on classification level.
It automatically corrects data quality errors as data moves through systems.
Explanation
Data lineage maps how data flows from source through transformations to final consumption, enabling organizations to trace data quality issues to their source and understand the downstream impact of data changes. Answer D is correct. Automatic error correction (A) is a data quality tool function. Encryption (B) and access control (C) are security functions unrelated to lineage.
Which of the following best describes a 'business glossary' in the context of data governance?
A regulatory compliance checklist for data-related laws and standards.
A technical data dictionary that documents database table names, column definitions, and data types.
A list of all software applications that store business data.
A centralized, authoritative repository of agreed-upon business term definitions, ensuring consistent understanding and use of data across the organization.
Explanation
A business glossary establishes standard definitions for key business terms (e.g., 'revenue,' 'active customer,' 'headcount'), ensuring everyone in the organization uses data consistently and interprets reports the same way. Answer B is correct. A technical data dictionary (A) documents database structure, not business meaning. Application inventories (C) and compliance checklists (D) are separate artifacts.
Which of the following is a key indicator that data governance structures are operating effectively?
The CIO has delegated all data governance responsibilities to the IT department.
The organization has purchased data governance software from a leading vendor.
Data quality metrics show improvement over time, data issues are resolved within defined SLAs, and business users report increased confidence in data for decision-making.
The data governance committee has not needed to meet for six months.
Explanation
Effective data governance produces measurable outcomes: improving data quality, timely issue resolution, and increased user trust in data. Answer C is correct. Software purchase (A) is an input. IT-only governance (B) lacks business accountability. No governance committee meetings (D) suggests inactivity, not effectiveness.
A company's data governance policy requires that all requests for access to confidential data domains must be approved by the data owner. An auditor finds that 40% of access approvals were granted by IT administrators without data owner involvement. This represents:
A control deficiency - access approval authority was not followed, bypassing the data owner accountability required by the governance policy.
A minor finding since the data owner policy applies only to external requests.
An efficient process improvement reducing approval delays.
An acceptable deviation since IT administrators understand data security requirements.
Explanation
The governance policy requires data owner approval specifically because the data owner is accountable for appropriate use. IT administrators approving access without data owner involvement bypasses this accountability structure. Answer D is correct. Efficiency (A) does not justify bypassing governance controls. Technical knowledge (B) does not replace business accountability. The policy applies to all access requests (C).
What is the primary difference between data governance and data management?
Data governance applies only to structured data; data management applies to all data types.
Data governance establishes the policies, roles, and accountability framework; data management executes the operational activities of collecting, storing, processing, and using data within that framework.
Data governance is an external audit function; data management is an internal IT function.
Data governance focuses on database administration; data management focuses on strategic direction.
Explanation
Data governance sets the 'rules of the road' - policies, roles, and oversight. Data management is the operational execution - the day-to-day activities of actually working with data following those rules. Answer B is correct. Governance is strategic, not database administration (A). Both apply to all data types (C). Governance is an internal business function (D).