IT Governance and Control: Policies, Standards, Audit Trail and Controls (Basics) Questions

Question 1

Define IT governance.

Accepted Answer

**IT governance** is the system of leadership, policies and processes that ensures IT supports business objectives and risks are controlled.

Question 2

What is an IT policy?

Accepted Answer

An **IT policy** is a high-level rule/statement of intent that guides how IT should be used and controlled (e.g., password policy).

Question 3

What is an IT standard?

Accepted Answer

An **IT standard** is a specific mandatory requirement that must be followed to meet an IT policy (e.g., password length ≥ 12).

Question 4

What is an audit trail?

Accepted Answer

An **audit trail** is a record/log that shows **who** did **what**, **when**, and (often) **from where** in an information system.

Question 5

What is a preventive control?

Accepted Answer

A **preventive control** stops errors/fraud before they occur (e.g., role-based access control).

Question 6

Write any one example of a detective control.

Accepted Answer

Example: reviewing **audit logs/exception reports** to detect unauthorized activities.

Question 7

Explain objectives of IT governance (any three).

Accepted Answer

Objectives of **IT governance** (any three):
- align IT projects and services with **business strategy**
- manage IT **risk** (security, downtime, fraud, data loss)
- ensure **accountability** and clear roles/responsibilities
- improve compliance with policies, standards and regulations
- optimize IT investments and performance (KPIs/SLAs)

Thus, IT governance ensures IT delivers value while controlling risks.

Question 8

Differentiate between policy, standard and procedure (any three points).

Accepted Answer

Policy vs Standard vs Procedure:
- **Policy**: high-level rule/intent (what should be done).
- **Standard**: specific mandatory requirement (how much/how exactly).
- **Procedure**: step-by-step instructions to implement policy/standard.

Example:
- Policy: use strong passwords.
- Standard: minimum 12 characters + complexity.
- Procedure: steps to change password in the system.

Hence, policy guides, standards define measurable rules, and procedures tell how to execute.

Question 9

Explain preventive, detective and corrective controls with examples.

Accepted Answer

**Preventive controls** (stop before):
- **role-based access** and authorization
- segregation of duties (SoD)

**Detective controls** (detect after):
- audit log review
- exception reports/alerts

**Corrective controls** (fix and recover):
- backup and restore
- incident response and patching

Thus, organizations use a combination to prevent, detect and correct IT problems.

Question 10

Differentiate between general IT controls and application controls (any three).

Accepted Answer

General IT controls vs Application controls:
- **Scope**: ITGC apply to overall IT environment; application controls apply to one application/system.
- **Examples**: ITGC = access admin, change management, backups; application = input validation, authorization, output checks.
- **Purpose**: ITGC ensure reliable platform; application controls ensure correct processing within the application.

Therefore, both are needed for overall system reliability and accurate information.

Question 11

Explain the importance of audit trail in MIS (any four points).

Accepted Answer

Importance of **audit trail** (any four):
- provides **accountability** (who changed what and when)
- helps detect **fraud** and unauthorized activities
- supports investigations and troubleshooting of errors
- improves compliance and supports internal/external audits
- discourages misuse because actions are recorded

Hence, audit trail improves control and trust in MIS reports and transactions.

Question 12

Explain the role of IT policies and standards in controlling IT risk (any three points).

Accepted Answer

Role of **IT policies** and **standards** in risk control:
- they set clear **rules and expectations** (acceptable use, access, data handling), reducing misuse.
- standards convert policy into measurable requirements (e.g., **MFA**, password length, log retention), improving consistency.
- they support compliance and make audits easier because controls are defined and documented.
- they reduce operational errors by standardizing procedures across teams.

Thus, policies guide behaviour and standards enforce uniform controls to reduce IT risk.

Question 13

Explain IT governance and control framework with a neat flowchart and key points (exam-style).

Accepted Answer

### **IT Governance and Controls (Framework)**

**IT governance** ensures IT supports business goals and risks are controlled using policies, standards, controls, monitoring and audit.

```text
Business objectives
   ↓
IT strategy & policies
   ↓
Standards & procedures
   ↓
Controls (Preventive / Detective / Corrective)
   ↓
Monitoring (logs, KPIs, exception reports)
   ↓
Audit & compliance review
   ↓
Improvements / corrective actions
```

**Key points**:
- Policies and standards define what is acceptable.
- Controls reduce risk of fraud, errors and downtime.
- Monitoring and audit ensure controls are working.
- Continuous improvement strengthens governance over time.

Question 14

Differentiate preventive, detective and corrective controls with a comparison table and examples.

Accepted Answer

### **Preventive vs Detective vs Corrective Controls**

| Control type | Purpose | Examples |
|---|---|---|
| **Preventive** | stop errors/fraud before occurrence | access control, SoD, input validation |
| **Detective** | identify issues after occurrence | audit logs, exception reports, alerts |
| **Corrective** | fix and recover | backup/restore, patching, rollback |

**Conclusion**: A strong control system uses all three—prevention reduces incidents, detection finds issues early, and correction restores normal operations.

Question 15

Explain access control and segregation of duties (SoD) with a small diagram/table (exam-style).

Accepted Answer

### **Access Control and Segregation of Duties (SoD)**

**Access control** ensures only authorized users can access or modify data.
- **Authentication**: verifies identity (password/OTP/biometric)
- **Authorization**: grants permissions (roles)
- **Least privilege**: minimum access needed

**Segregation of duties (SoD)** divides critical tasks among different people to reduce fraud and errors.

| Activity | Example role |
|---|---|
| Create vendor/customer | Data entry user |
| Approve vendor/customer | Manager/approver |
| Make payment | Accounts/payments user |

```text
Create vendor (User A) → Approve vendor (User B) → Pay vendor (User C)
```

**Conclusion**: Access control prevents unauthorized access, while SoD prevents one person from controlling all steps of a sensitive process.

IT Governance and Control: Policies, Standards, Audit Trail and Controls (Basics)

8 more questions to unlock