CPA Exam Lab
All patterns
Information systems and data management

The Governance Mandate

Governance sets direction and keeps accountability: management still owns outsourced controls, and incompatible IT duties stay split.

How the exam words it

The playbook

  1. 1Match the governing body to its job: the board and IT steering committee set strategy, prioritize, and fund, while operations and administration merely execute.
  2. 2Pick COBIT for the governance and management of enterprise IT; COSO is the broader internal control framework and ISO 9001 is quality management.
  3. 3Remember that outsourcing transfers the activity, not the accountability: management retains the control objective and monitors the provider through SLAs and SOC reports.
  4. 4Keep incompatible IT duties separate: a developer must not migrate his own code, and programming, operations, and security administration belong to different people.

The trap

Assuming a cloud or outsourcing arrangement shifts responsibility to the provider. Management always retains accountability for the control objective and must monitor the provider.

How the exam varies it

The same pattern, re-skinned along these axes:

Which governing body: board, IT steering committee, or an execution roleFramework identification: COBIT versus COSO, ISO, or GAAPRetained responsibility for outsourcing versus segregation of IT duties

Drill this pattern

8 questions of The Governance Mandate from across the AUD topics. Clear it by getting 5 right with a streak of 3.

Shows up in 1 ISC topic