
chap2 reviewer

CHAPTER 2
IT (INFORMATION TECHNOLOGY) GOVERNANCE
- a new subset of corporate governance that focuses on the management and assessment of strategic IT resources.
- Key Objectives:
1. Reduce risk
2. Ensure that investments in IT resources add value to the corporation
IT GOVERNANCE CONTROLS
IT governance issues that are addressed by SOX and the COSO internal control framework:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION
Two extreme organizational models:
• Centralized Approach
• Distributed Approach
1. Centralized Data Processing
- all data processing is performed by one or more large computers
- IT services function - treated as a cost center
Primary Service Areas:
a. Database Administration - responsible for the security and integrity of the database.
b. Data Processing - manages the computer resources used to perform the day-to-day processing of transactions.
Consists of organizational functions:
• Data Control - transcribes transaction data from hard-copy source documents into computer input.
• Computer Operations - the electronic files produced in data conversion are later processed by the central computer.
• Data Library - provides safe storage for the off-line data files.
  Data Librarian - responsible for the receipt, storage, retrieval, and custody of data files
c. Systems Development and Maintenance
  a. Systems Development
  • systems professionals – gather facts about the user's problem
  • end users – for whom the system is built
  • stakeholders – individuals inside or outside the firm who have an interest in the system.
  b. Systems Maintenance
SEGREGATION OF INCOMPATIBLE FUNCTIONS
A. Separating Systems Development from Computer Operations
- the relationship between these groups should be extremely formal and their responsibilities should not be commingled.
B. Separating Database Administration from Other Functions
- delegating these responsibilities to others who perform incompatible tasks threatens database integrity
C. Separating New Systems Development from Maintenance
• Systems analysis group – works with the users to produce detailed designs of the new systems
• Programming group – codes the programs according to these design specifications
Two types of control problems:
1. Inadequate Documentation
2. Program Fraud – involves making unauthorized changes to program modules for the purpose of committing an illegal act.
D. A Superior Structure for Systems Development
The systems development function is separated into two different groups:
1. New systems development group – responsible for designing, programming, and implementing new systems projects.
2. Systems maintenance group – responsible for the system's ongoing maintenance.
2. The Distributed Model "Distributed Data Processing (DDP)"
- involves reorganizing the central IT function into small IT units that are placed under the control of end users.
Risks Associated with DDP
A. Inefficient Use of Resources
- the risk of mismanagement of organization-wide IT resources by end users
B. Destruction of Audit Trails
- the audit trail provides the linkage between a company's financial activities and the financial statements that report on those activities.
C. Inadequate Segregation of Duties
- may result in the creation of small independent units that do not permit the desired separation of incompatible functions.
D. Hiring Qualified Professionals
- the risk of programming errors and system failures increases directly with the level of employee incompetence.
E. Lack of Standards
- risks associated with the design and operation of a DDP system are made tolerable only if such standards are consistently applied.
Advantages of DDP
A. Cost reduction
B. Improved Cost Control Responsibility
C. Improved User Satisfaction
D. Backup Flexibility
Controlling the DDP Environment
1. Implement a Corporate IT Function
2. Central Testing of Commercial Software and Hardware
3. User Services
- a valuable feature of the corporate group is its user services function
- provides technical help to users during the installation of new software
4. Standard-Setting Body - establishing some central guidance.
5. Personnel Review
Audit Objective
- to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment.
THE COMPUTER CENTER
Objectives: mitigate risk and create a secure environment
Areas of potential exposure
1. Physical Location – directly affects the risk of destruction from a natural or man-made disaster.
2. Construction
3. Access – access to the computer center should be limited to the operators and other employees who work there.
4. Air Conditioning
5. Fire Suppression – fire is the most serious threat to a firm's computer equipment.
6. Fault Tolerance – the ability of the system to continue operation when part of the system fails.
Two examples of fault tolerance:
• Redundant Arrays of Independent Disks (RAID) – involves using parallel disks that contain redundant elements of data and applications
• Uninterruptible Power Supplies – commercially provided electrical power presents several problems that can disrupt computer center operations
Audit Objectives
- to evaluate the controls governing computer center security.
Audit Procedures
1. Tests of Physical Construction - obtain architectural plans and assess the physical location of the computer center
2. Tests of the Fire Detection System - the auditor should establish that fire detection and suppression equipment
3. Tests of Access Control - must establish that routine access to the computer center is restricted to authorized employees.
4. Tests of RAID - most systems that employ RAID provide a graphical mapping of their redundant disk storage
5. Tests of the Uninterruptible Power Supply - perform periodic tests of the backup power supply to ensure that it has sufficient capacity to run the computer and air conditioning.
6. Tests for Insurance Coverage - annually review the organization's insurance coverage on its computer hardware, software, and physical facility
Disaster Recovery Planning
- a comprehensive statement of all actions to be taken before, during, and after a disaster.
Four Common Features:
1. Identify Critical Applications
- recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization
- short-term survival requires the restoration of those functions that generate cash flows sufficient to satisfy short-term obligations.
2. Creating a Disaster Recovery Team
- to avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved
3. Providing Second-Site Backup
- provides for duplicate data processing facilities following a disaster
3.1 Mutual Aid Pact – agreement between two or more organizations to aid each other
3.2 Empty Shell (cold site) – arrangement wherein the company buys or leases a building that will serve as a data center
3.3 Recovery Operations Center – or hot site; a fully equipped backup data center that many companies share.
3.4 Internally Provided Backup – permits firms to develop standardized hardware and software configurations
4. Backup and Off-Site Storage Procedures
4.1 Operating System Backup
4.2 Application Backup
4.3 Backup Data Files
4.4 Backup Documentation
4.5 Backup Supplies and Source
4.6 Testing the DRP
Audit Objectives
- the auditor should verify that management's disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.
Audit Procedures
1. Site Backup
2. Critical Application List
3. Software Backup
4. Data Backup
5. Backup Supplies, Documents, and Documentation
6. Disaster Recovery Team – should clearly list the names, addresses, and emergency numbers.
OUTSOURCING THE IT FUNCTION
Benefits:
1. Improved core business performance
2. Improved IT performance
3. Reduced costs
Core Competency Theory
- argues that an organization should focus exclusively on its core business competencies
• Commodity IT assets – not unique to a particular organization and thus easily acquired in the marketplace
• Specific IT assets – unique to the organization and support its strategic objectives
Transaction Cost Economics (TCE) Theory
- in conflict with the core competency school by suggesting that firms should retain certain specific non-core IT assets in-house.
Cloud Computing
- location-independent computing
- a model for enabling convenient, on-demand network access to a shared pool of configurable computing services
Primary classes:
1. Software-as-a-Service – a software distribution model in which service providers host applications for client organizations over a private network
2. Infrastructure-as-a-Service – provision of computing power and disk space to client firms
3. Platform-as-a-Service – enables client firms to develop and deploy onto the cloud infrastructure consumer-generated applications
Virtualization
- multiplies the effectiveness of the physical system by creating virtual versions of the computer with separate operating systems
- Types:
1. Network virtualization – increases effective network bandwidth by dividing it into independent channels
2. Storage virtualization – pooling of physical storage from multiple network storage devices into what appears to be a single virtual storage device.
Risks (of IT outsourcing):
1. Failure to perform
2. Vendor exploitation
3. Outsourcing cost exceeds benefits
4. Reduced security
5. Loss of strategic advantage
Audit Implications of IT Outsourcing
• Statement on Standards for Attestation Engagements No. 16 – internationally recognized third-party attestation report designed for service organizations
Two types of SSAE No. 16 report:
a. Type 1 report
b. Type 2 report
SSAE 16 attest report – provides a description of the service provider's system
Two reporting techniques:
a. Carve-out Method – excludes the subservice organization's relevant control objectives
b. Inclusive Method – includes the services performed by the subservice organization