Evaluate IT Governance Structures And Responsibilities


Questions 1 - 10
1

The board of directors' primary IT governance responsibility is to:

Approve individual IT project budgets and review technical specifications.

Develop and implement the organization's cybersecurity policies.

Provide oversight of IT strategy and risk, ensuring IT is aligned with organizational objectives and that IT risks are managed appropriately.

Manage the daily operations of the IT department and resolve technical issues.

Explanation

The board's IT governance role is strategic oversight - ensuring IT is directed toward organizational goals and that IT-related risks are understood and managed at the enterprise level. Answer A is correct. Individual project approvals (B) are management decisions. Daily operations (C) and policy development (D) are management responsibilities.

2

Which of the following organizational structures best supports strong IT governance?

IT governance responsibilities are handled exclusively by the internal audit function.

The IT department operates independently with no business unit involvement in technology decisions.

An IT steering committee with cross-functional business and IT leadership provides oversight of IT investments, priorities, and risk.

All IT decisions are delegated to the CIO without board or executive oversight.

Explanation

A cross-functional IT steering committee brings business context to technology decisions, ensuring alignment between IT priorities and business needs - the hallmark of effective IT governance. Answer D is correct. IT-only decision-making (A, B) lacks business alignment. Internal audit provides assurance, not governance (C).

3

Which of the following IT governance responsibilities belongs to the audit committee of the board?

Developing the organization's IT security policies and standards.

Selecting and managing IT vendors and service providers.

Overseeing IT risks related to financial reporting, reviewing IT audit findings, and monitoring remediation of significant IT control deficiencies.

Approving the annual IT capital expenditure budget.

Explanation

The audit committee's IT governance role focuses on financial reporting integrity, internal controls, and audit findings - including IT risks and controls relevant to financial reporting. Answer A is correct. Capital budget approval (B) is an executive or full board function. Vendor management (C) and security policy development (D) are management activities.

4

An organization's IT governance framework lacks a formal IT investment prioritization process. The most likely consequence is:

External auditors will automatically identify this as a material weakness.

IT investments may not align with strategic priorities, resulting in wasted resources and missed opportunities to support key business objectives.

Regulators will impose fines for inadequate IT governance.

The IT department will have insufficient budget to operate effectively.

Explanation

Without a prioritization process, IT resources may be allocated to lower-value projects while high-priority strategic initiatives go unfunded - misaligning IT with business needs. Answer C is correct. Budget sufficiency (A) and regulatory fines (B) are not direct consequences. Missing prioritization processes are not automatically material weaknesses (D).

5

An organization implements key performance indicators (KPIs) to measure IT governance effectiveness. Which of the following KPIs would be most directly relevant?

Total IT department headcount compared to industry benchmarks.

Percentage of IT projects aligned to strategic business objectives, IT-related risk metrics, and ITGC control deficiency trends.

Number of IT staff certifications earned during the year.

Speed of IT helpdesk ticket resolution.

Explanation

IT governance KPIs measure strategic alignment, risk management, and control effectiveness - the core objectives of governance. Answer A is correct. Staff certifications (B), headcount benchmarks (C), and helpdesk speed (D) are operational metrics that do not directly measure governance effectiveness.

6

A company's board of directors receives no formal IT reporting. Senior management handles all IT decisions without board visibility. This governance gap most significantly risks:

The IT department purchasing unapproved software.

IT staff receiving insufficient performance reviews.

IT vendors charging higher rates due to lack of oversight.

Material IT risks going unrecognized at the governance level, leading to inadequate oversight and potential strategic and financial consequences.

Explanation

Without board-level IT visibility, significant risks (cyberattacks, technology failures, strategic misalignment) may not receive the governance attention they require - a fundamental oversight gap. Answer C is correct. Software approvals (A) and performance reviews (B) are management matters. Vendor pricing (D) is a procurement issue.

7

An organization's IT governance maturity is assessed using a model similar to CMMI. The organization is found to be at a 'repeatable' level. This means:

IT governance processes are optimized and continuously improving.

IT governance processes are ad hoc with no formal structure.

IT governance processes are fully defined, documented, and standardized with quantitative performance metrics.

Basic IT governance processes exist and are followed consistently, but they may not be formally documented or standardized across the organization.

Explanation

The 'Repeatable' level (Level 2 in CMMI-based models) indicates processes are established and followed consistently but may lack the formal documentation and standardization of higher maturity levels. Answer B is correct. Optimized (A) is Level 5. Fully defined and measured (C) is Level 3-4. Ad hoc (D) is Level 1.

8

Which of the following represents a key characteristic of a well-functioning IT steering committee?

It operates independently of the business and makes all technology decisions without business input.

It functions primarily as a reporting body that reviews IT department performance metrics.

It is composed exclusively of external technology advisors with no internal members.

It includes both senior business leaders and IT leadership, meets regularly, and makes decisions on IT priorities, budgets, and risk based on strategic business alignment.

Explanation

An effective IT steering committee is cross-functional (business + IT), operates regularly, and makes substantive decisions about IT investments and priorities aligned to business strategy. Answer A is correct. IT-only decision-making (B) lacks alignment. A reporting-only body (C) is not a governance committee. External-only composition (D) lacks organizational context.

9

Which of the following IT governance activities most directly supports the board's oversight of cybersecurity risk?

Regular board-level reporting on the cybersecurity risk posture, significant incidents, and the organization's key security metrics and improvement plans.

IT staff completing annual cybersecurity awareness training.

The IT department conducting annual penetration testing of production systems.

The CISO implementing a new security operations center.

Explanation

Board oversight of cybersecurity requires regular, meaningful reporting on risk posture, incidents, and improvement - enabling the board to fulfill its governance responsibility. Answer B is correct. Penetration testing (A), SOC implementation (C), and staff training (D) are management/operational activities that support security but are not board governance activities.

10

An auditor evaluating an organization's IT governance finds that IT-related risks are managed within the IT department but are not included in the enterprise risk management (ERM) framework. The primary concern is:

The IT department will have insufficient authority to manage its own risks.

IT risks may not be considered alongside other enterprise risks, creating a siloed view that prevents integrated risk management and potentially understates the organization's overall risk profile.

The internal audit function will be unable to assess IT risks independently.

Regulatory agencies will require immediate integration of IT risks into the ERM framework.

Explanation

Siloed IT risk management prevents the organization from understanding how IT risks interact with operational, financial, and strategic risks - a critical gap in enterprise governance. Answer A is correct. IT authority (B) is not the issue. Regulatory requirements (C) vary. Internal audit independence (D) is unrelated.
