Question 1. Case study An IS auditor was asked to review alignment between IT and business goals for a small financial institution. The IS auditor requested various information including business goals and objectives and IT goals and objective. The IS auditor found that business goals and objectives were limited to a short-bulleted list, while IT goals and objectives were limited to slides used in meetings with the CIO (the CIO reports to the CFO). It was also found in the documentation provided that over the past two years, the risk management committee (composed of senior management) only met on three occasions, and no minutes of what was discussed were kept for these meetings. When the IT budget for the upcoming year was compared to the strategic plans for IT, it was noted that several of the initiatives mentioned in the plans for the upcoming year were not included in the budget for the year. CASE STUDY A QUESRIONS Al. Which of the following should be of GREATEST concern to the IS auditor regarding risk? A. Strategy documents are informal and incomplete. B. The risk management committee seldom meets and does not keep minutes. C. Budgets do not appear adequate to support future IT investments. D. The CIO reports to the CFO. Answer Justification A2. Which of the following would be the MOST significant issue to address? A. The prevailing culture within IT. B. The lack of information technology policies and procedures. C. The reporting structure for IT. Answer Justification