Information systems and data management
The Governance Mandate
Governance sets direction and keeps accountability: management still owns outsourced controls, and incompatible IT duties stay split.
How the exam words it
- -The stem asks which body aligns IT with business strategy or approves and funds IT projects, pointing to the IT steering committee or the board.
- -It names frameworks and asks which one governs enterprise IT, contrasting COBIT with COSO, ISO 9001, or GAAP.
- -It moves a system to a cloud or third-party provider and asks who remains responsible for the control objectives.
- -It describes one person who both writes and deploys code, or mixes programming, operations, and security, and asks which principle is violated.
The playbook
- 1Match the governing body to its job: the board and IT steering committee set strategy, prioritize, and fund, while operations and administration merely execute.
- 2Pick COBIT for the governance and management of enterprise IT; COSO is the broader internal control framework and ISO 9001 is quality management.
- 3Remember that outsourcing transfers the activity, not the accountability: management retains the control objective and monitors the provider through SLAs and SOC reports.
- 4Keep incompatible IT duties separate: a developer must not migrate his own code, and programming, operations, and security administration belong to different people.
The trap
Assuming a cloud or outsourcing arrangement shifts responsibility to the provider. Management always retains accountability for the control objective and must monitor the provider.
How the exam varies it
The same pattern, re-skinned along these axes:
Which governing body: board, IT steering committee, or an execution roleFramework identification: COBIT versus COSO, ISO, or GAAPRetained responsibility for outsourcing versus segregation of IT duties
Drill this pattern
8 questions of The Governance Mandate from across the AUD topics. Clear it by getting 5 right with a streak of 3.