Chapter 13 IT GOVERNANCE AND GENERAL CONTROLS

IT Architecture — Multi-User Systems
• Centralized systems
• Centralized systems with distributed data entry
• Decentralized systems
• Distributed systems

Controlling the IT Environment
Workflow controls:
• Segregation of duties
• Use of information from prior events to control activities
• Required sequence of events
• Follow-up on events

Controlling the IT Environment
Workflow controls:
• Sequence of prenumbered documents
• Recording of internal agent(s) accountable for an event in a process
• Limitation of access to assets and information
• Reconciliation of records with physical evidence of assets

Controlling the IT Environment
Input controls:
• Drop-down or look-up menus
• Record checking of data entered
• Confirmation of data entered
• Referential integrity controls
• Format checks to limit data
• Validation rules to limit the data

Controlling the IT Environment
Input controls:
• Defaults from data entered in prior sessions
• Computer-generated values entered in records
• Batch control totals taken before data entry compared to printouts after data entry
• Review for errors before posting
• Exception reports

Controlling the IT Environment
General controls:
• Information systems (IS) planning
• Organizing the IT function
• Identifying and developing IS solutions
• Implementing and operating accounting systems

Controlling the IT Environment
Performance reviews:
• Establish budgets, forecasts, standards, or prior-period results through file maintenance
• Use reports to compare actual results to budgets, forecasts, standards, or prior-period results
• Take corrective action by modifying appropriate reference data in a master table

General Controls: Information Systems Planning
Develop IS strategy
Plan the IT infrastructure:
• Legacy systems
• Platforms
• Multi-user processing
• Systems integration

General Controls: Information Systems Planning
Plan the IT function and systems development process:
• Outsourcing

General Controls: Organizing the IT Function
Locate the IT function appropriately
Segregate incompatible functions:
• Separating users from computer operations
• Separating systems development and computer operations
• Separating systems development and maintenance
• Separating components of systems development

General Controls: Organizing the IT Function
Corporate IT services and controls over decentralized information systems:
• Help desk
• Information center
• Standard setting
• Hardware/software acquisition
• Personnel review

General Controls: Organizing the IT Function
Implement personnel control plans:
• Hiring controls
• Personnel development
• Personnel termination plans

General Controls: Identifying and Developing IS Solutions
Adopt appropriate systems development methodology
Implement procedures for program development and testing
Ensure adequate documentation

General Controls: Implementing and Operating Accounting Systems
Ensure security of resources:
• 4 main types of controls to control access to computer resources
• Use of passwords
• Use of an access control matrix
• Controls over physical access
• Restricted access to programs, data files, and documentation

General Controls: Implementing and Operating Accounting Systems
Ensure continuity of service:
• Backups and recovery
• Planned redundancy
• Protection from power failures
Disaster recovery planning

KEY TERMS
• Centralized systems
• Centralized systems with distributed data entry
• Cold site
• Decentralized systems
• Disaster recovery plans
• Distributed systems
• General controls

KEY TERMS
• Hot site
• Identifying and developing IS solutions
• Implementing and operating accounting systems
• Information systems (IS) planning
• Legacy Systems
• Organizing the IT function
• Outsourcing