Audit CIS

Case 1

An information system (IS) auditor was asked to review the alignment between information technology (IT)

and business goals for Cachero, a small but rapidly growing financial institution. The IS auditor requested

information including business and IT goals and objectives; however, these were limited to a short, bulleted

list for business goals and PowerPoint slides used in reporting meetings for IT goals.

It was also found in the documentation provided that over the past two (2) years, the risk management

committee (composed of senior management) met on only three (3) occasions, and no minutes of what

was discussed were kept for these meetings. When the IT budget for the upcoming year was compared to

the strategic plans for IT, it was noted that several of the initiatives mentioned in the plans for the upcoming

year were not included in the budget for that year.

The IS auditor also discovered that Cachero does not have a full-time chief information officer (CIO). The

organizational chart of the entity denotes an IS manager reporting to the chief financial officer (CFO), who,

in turn, reports to the board of directors. The board plays a major role in monitoring IT initiatives in the entity,

and the CFO frequently communicates the progress of IT initiatives.

When the IS auditor reviewed the segregation of duties (SoD) matrix, it was apparent that application

programmers are only required to obtain approval from the database administrator (DBA) to directly access

the production data. It was also noted that the application programmers must provide the developed

program code to the librarian, who then migrates it to production. IS audits are carried out by the internal

audit department, which reports to the CFO at the end of every month, as part of the business performance

review process; the financial results of the entity are reviewed in detail and signed off by the business

managers for the correctness of data contained therein.

Questions:

1. In no more than five (5) sentences, discuss what should an IS auditor suggest regarding the

governance structure of Cachero.

2. The IS budgeting process should be integrated with business processes and aligned with

organizational budget cycles. What advice would the IS auditor give to the organization to ensure

the budget covers all aspects and can be accepted by the board? Discuss your answer in no more

than five (5) sentences