Organizational Structure, IT Governance & IT Strategy (Part 2 of 2)
This episode continues the ISACA Certified Information Systems Auditor (CISA) exam prep series coverage of IT governance structures. It examines the committees that steer technology decisions, the accountability boards and senior leaders carry for security, how IT departments are organized, who owns and protects data, and why separation of duties is a cornerstone of sound governance.
What this episode covers
- Strategy vs. steering committees — how each body differs in focus, membership, and relationship to the board and executives.
- Board and senior management security obligations — what accountability looks like at the highest levels and how a security standards committee operates.
- IT department structure — the broad functions from applications and infrastructure through operations, user support, and specialist roles.
- Vendor and industrial control system management — the role of dedicated vendor managers and the unique risks of internet-connected operational technology.
- Data ownership roles — how data owners, custodians, security administrators, and users each carry distinct accountability.
- Separation of duties — why splitting custody, authorization, and recording across different roles prevents fraud and error.
- Compensating controls and governance warning signs — what auditors look for when separation cannot be achieved or when organizational structure is failing.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is the difference between a strategy committee and a steering committee?
A strategy committee advises the board and looks forward at how technology fits the long-term business direction; its members are board members plus outside specialists. A steering committee assists executives by overseeing day-to-day delivery of projects and services, deciding spending levels, and setting priorities, with membership drawn from sponsoring executives, key users, and the technology chief.
What are the different data roles in an IT department?
Data owners are managers who decide classification and access, authorize who gets in, and remain responsible for their data across its whole life. Data custodians store and safeguard the data, security administrators provide physical and logical protection, and data users simply work with the data they have been granted while following security policies.
Why does separation of duties matter in IT governance?
Separation of duties prevents any single person from controlling an entire sensitive process, which could allow errors or fraud to go undetected. Key duties are split so that custody of assets, authorization of transactions, and recording of those transactions are each handled by a different role.
What compensating controls can replace separation of duties in a small team?
When duties cannot be split, organizations add audit trails, reconciliation, exception reports signed off at the supervisor level, transaction logs, supervisory reviews, and independent reviews. These controls reduce the risk that separation of duties is meant to address, but they do not fully replace it.
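The two answers above describe what an auditor tests for during an access review: whether any one identity spans custody, authorization and recording, and, where it does, whether a compensating control is actually in place. The following is an added example (not from the episode or article) of that test as code. It maps application roles to the three duty categories, flags users whose combined roles cover more than one category, reports roles the mapping does not know about (a common gap in real reviews), and splits the conflicts into those covered by a documented compensating control and those still open. All role names, users and the compensating-control record are constructed sample data; the duty mapping is an assumption about how a hypothetical accounts-payable system is configured.

```python
"""Separation-of-duties (SoD) check over an exported role assignment list.

Added example, not code from the original page. Role names, users and the
compensating-control record below are constructed sample data.
"""

# Assumed mapping of application roles to the three SoD duty categories
# used in the article: custody, authorization, recording. A role that maps
# to an empty set carries no SoD-relevant duty (e.g. read-only audit access).
ROLE_DUTIES = {
    "ap_clerk":       {"recording"},       # enters vendor invoices
    "ap_approver":    {"authorization"},   # approves invoices for payment
    "treasury_ops":   {"custody"},         # releases payments from the bank account
    "gl_accountant":  {"recording"},       # posts journal entries
    "readonly_audit": set(),               # view-only, no conflicting duty
}

# Constructed sample export: user -> set of application roles.
ASSIGNMENTS = {
    "alice": {"ap_clerk", "ap_approver"},                   # records and authorizes
    "bob":   {"treasury_ops"},                              # custody only
    "carol": {"ap_clerk", "gl_accountant"},                 # two recording roles, no conflict
    "dave":  {"ap_clerk", "ap_approver", "treasury_ops"},   # all three duties
    "erin":  {"readonly_audit", "ap_approver"},             # one real duty
    "frank": {"ap_approver", "legacy_batch_admin"},         # role unknown to the mapping
}

# Constructed record of compensating controls documented for each user.
COMPENSATING = {
    "alice": {"supervisory_review", "exception_report"},
    "dave":  {"transaction_log"},   # logging alone is not a review
}


def duties_for(roles, role_duties):
    """Return (duty categories, roles absent from the mapping) for a role set."""
    duties, unmapped = set(), []
    for role in sorted(roles):
        if role in role_duties:
            duties |= role_duties[role]
        else:
            unmapped.append(role)
    return duties, unmapped


def find_conflicts(assignments, role_duties):
    """Flag users whose roles span more than one duty category.

    Returns (conflicts, unmapped): conflicts maps user -> sorted duty list;
    unmapped maps user -> roles the reviewer must still classify, because an
    unclassified role can hide a conflict rather than prove its absence.
    """
    conflicts, unmapped = {}, {}
    for user, roles in assignments.items():
        duties, unknown = duties_for(roles, role_duties)
        if len(duties) > 1:
            conflicts[user] = sorted(duties)
        if unknown:
            unmapped[user] = unknown
    return conflicts, unmapped


def classify(conflicts, compensating, required=("supervisory_review",)):
    """Split conflicts into mitigated and open.

    A conflict counts as mitigated only when every control in `required` is
    documented for that user; the default requires an independent supervisory
    review, matching the article's point that logs alone reduce but do not
    remove the risk.
    """
    mitigated, still_open = {}, {}
    for user, duties in conflicts.items():
        have = compensating.get(user, set())
        missing = [c for c in required if c not in have]
        target = still_open if missing else mitigated
        target[user] = {"duties": duties, "missing": missing}
    return mitigated, still_open


def run_review(assignments=ASSIGNMENTS, compensating=COMPENSATING, role_duties=ROLE_DUTIES):
    """Run the full review and return a dict a reviewer can act on."""
    conflicts, unmapped = find_conflicts(assignments, role_duties)
    mitigated, still_open = classify(conflicts, compensating)
    return {"mitigated": mitigated, "open": still_open, "unmapped_roles": unmapped}


if __name__ == "__main__":
    for section, rows in run_review().items():
        print(f"== {section} ==")
        for user, detail in sorted(rows.items()):
            print(f"  {user}: {detail}")
```

The three output buckets map directly onto the auditor's findings: open conflicts are exceptions to raise, mitigated conflicts are tested by sampling the documented review evidence, and unmapped roles go back to the data owner for classification before the review can be signed off.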
📚 Master the ISACA CISA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in Organizational Structure, IT Governance & IT Strategy (Part 2 of 2).