
EXERCISES

Exercise: Complete each statement by choosing one of the four terms below.
■ A business case
■ A feasibility study
■ An impact assessment
■ A value analysis

■ [Blank] looks at how to achieve the organization's essential functions at the lowest life
cycle cost consistent with requirements.
■ [Blank] includes decision criteria, comparisons of potential solutions and a proposed
solution.
■ [Blank] looks at the potential effects of a proposed development project on current
projects and resources.
■ [Blank] for a new system should identify both intangible benefits and return on
investment.
Answer:

■ A value analysis looks at how to achieve the organization's essential functions at the
lowest life cycle cost consistent with requirements.

■ A feasibility study includes decision criteria, comparisons of potential solutions and
a proposed solution.

■ An impact assessment looks at the potential effects of a proposed development
project on current projects and resources.

■ A business case for a new system should identify both intangible benefits and return
on investment.
Exercise: Match each role to its corresponding responsibility.

Key Roles
■ Project sponsor
■ Project steering committee
■ Quality assurance
■ Senior management
■ User management
Responsibilities
■ Works with project manager to define CSFs,
■ Retains ultimate responsibility for all deliverables, project costs and schedules,
■ Confirms compliance with requirements,
■ Approves the resources to undertake and complete the project,
■ Assumes ownership of the project and resulting system.
Answer:

■ Project sponsor
Works with project manager to define CSFs
■ Project steering committee
Retains ultimate responsibility for all deliverables, project costs and schedules
■ Quality assurance
Confirms compliance with requirements
■ Senior management
Approves the resources to undertake and complete the project
■ User management
Assumes ownership of the project and resulting system
Exercise: Determine if each statement pertains to the Requirements, Design, or Development
stage of the project.
ANSWER:
MANAGING THE IT FUNCTION
■ An IT organization is defined by considering requirements for staff, skills,
functions, accountability, authority, roles and responsibilities, and
supervision. This organization is embedded into an IT process framework
that ensures transparency and control as well as the involvement of
senior executives and business management. A strategy committee
ensures board oversight of IT, and one or more steering committees in
which business and IT participate determine the prioritization of IT
resources in line with business needs. Processes, administrative policies
and procedures are in place for all functions, with specific attention to
control, quality assurance, risk management, information security, data
and systems ownership, and segregation of duties. To ensure timely
support of business requirements, IT is to be involved in relevant decision
processes.
Define the IT Processes, Organization and Relationships that satisfies the business
requirement for IT:
■ being agile in responding to the business strategy whilst complying with governance
requirements and providing defined and competent points of contact by focusing on
■ establishing transparent, flexible and responsive IT organizational structures and
defining and implementing IT processes with owners, roles and responsibilities
integrated into business and decision processes
is achieved by:
■ Defining an IT process framework
■ Establishing appropriate organizational bodies and structure
■ Defining roles and responsibilities
and is measured by:
■ Percent of roles with documented position and authority descriptions
■ Number of business units/processes not supported by the IT organization that should be
supported, according to the strategy
■ Number of core IT activities outside of the IT organization that are not approved or are
not subject to IT organizational standards
Define the IT Processes, Organization and
Relationships that satisfies the business requirement for IT
of being agile in responding to the business strategy whilst
complying with governance requirements and providing
defined and competent points of contact is:
1. Non-existent
2. Initial/Ad Hoc
3. Repeatable but Intuitive
4. Defined
5. Managed and Measurable
6. Optimized
Benchmarks/Guidelines for Scoring
1. Non-existent when
The IT organization is not effectively established to focus on the achievement of business objectives.

2. Initial/Ad Hoc when
IT activities and functions are reactive and inconsistently implemented. IT is involved in business projects
only in later stages. The IT function is considered a support function, without an overall organization
perspective. There is an implicit understanding of the need for an IT organization; however, roles and
responsibilities are neither formalized nor enforced.

3. Repeatable but Intuitive when
The IT function is organized to respond tactically, but inconsistently, to customer needs and vendor
relationships. The need for a structured organisation and vendor management is communicated, but
decisions are still dependent on the knowledge and skills of key individuals. There is an emergence of
common techniques to manage the IT organization and vendor relationships.

4. Defined when
Defined roles and responsibilities for the IT organization and third parties exist. The IT organization is
developed, documented, communicated and aligned with the IT strategy. The internal control environment
is defined. There is formalization of relationships with other parties, including steering committees,
internal audit and vendor management. The IT organization is functionally complete. There are definitions
of the functions to be performed by IT personnel and those to be performed by users. Essential IT staffing
requirements and expertise are defined and satisfied. There is a formal definition of relationships with
users and third parties. The division of roles and responsibilities is defined and implemented.
5. Managed and Measurable when
The IT organization proactively responds to change and includes all roles necessary to meet
business requirements. IT management, process ownership, accountability and responsibility
are defined and balanced. Internal good practices have been applied in the organisation of
the IT functions. IT management has the appropriate expertise and skills to define,
implement and monitor the preferred organization and relationships. Measurable metrics to
support business objectives and user-defined critical success factors (CSFs) are
standardized. Skill inventories are available to support project staffing and professional
development. The balance between the skills and resources available internally and those
needed from external organizations is defined and enforced. The IT organizational structure
appropriately reflects the business needs by providing services aligned with strategic
business processes, rather than with isolated technologies.

6. Optimized when
The IT organizational structure is flexible and adaptive. Industry good practices are deployed.
There is extensive use of technology to assist in monitoring the performance of the IT
organization and processes. Technology is leveraged in line to support the complexity and
geographic distribution of the organization. There is a continuous improvement process in
place.
HUMAN RESOURCE
All organizations should have a variety of policies
regarding human resource issues. Examples of these
policies are training, scheduling and time reporting,
employee performance evaluations, and required
vacations.
•Training
•Scheduling and Time Reporting
•Employee Performance Evaluations
•Vacations
Organizations should also have a published code of
conduct that specifies all employees' responsibilities to
the organization.
An IS auditor has several responsibilities when evaluating
elements of IT human resource management and how it affects an
organization's IT governance. These responsibilities include
looking for indicators of potential staffing weaknesses or problems
such as:
•High staff turnover
•Inexperienced staff
•Lack of succession plans
•Lack of adequate training
Additionally, an IS auditor reviewing an organization's IT resource
management should verify that job descriptions, human resource
manuals, and organizational charts are in place, accurate and
updated regularly.
Think About It: What are some reasons that HR and IT must work
together in an organization seeking to achieve effective IT
governance?

HR provides the link for the staffing and training component of the
organization. This directly impacts the quality of the staff and the
performance of IT duties. In order for HR personnel to effectively
and accurately fill positions, they need to communicate closely
with the IT department to obtain a clear understanding of IT's
needs.
Additionally, there is an ongoing need for HR involvement in the
overall management of IT resources such as employee education
and training, termination, compliance, and of course, overall IT
governance.
