Governance Controls
Corporate Governance
• system of rules, practices and processes by
which a company is directed and controlled
• balance the interests of a
company's stakeholders - shareholders,
management, customers, suppliers,
financiers, government and the community
• encompasses every sphere of management,
from action plans and internal controls to
performance measurement and
corporate disclosure
• Influenced primarily by the board of directors (BoD)
Information Technology (IT) Governance
• subset of corporate governance
• focuses on the management and
assessment of strategic IT resources
• reduce risk and ensure that
investments in IT resources add value
to the corporation
How to plan an IT strategy
1. Outline your business goals and high-level objectives.
2. Define your scope, stakeholders and schedule.
3. Review your existing infrastructure.
4. Create a roadmap for resource allocation and architecture.
5. Define your metrics.
IT Governance Issues
1. Organizational structure of the IT
function – centralized vs. distributed
2. Computer center operations – Physical
location, construction, access, air
conditioning, fire suppression, fault
tolerance
3. Disaster recovery planning – natural,
human-made, system failure
Organizational Structure of the IT function
Centralized data processing
- All data processing is performed by one or
more large computers housed at a central
site that serves users throughout the
organization.
- IT services activities are consolidated and
managed as a shared organization resource
- The IT Services function is usually treated
as a cost center whose operating costs are
charged back to the end users
[Figure: organizational chart of the centralized data processing approach]
Centralized Data Processing Approach
Primary Service Areas
1. Database Administration
▪ Data resources are shared by all end users
▪ Database administrator – responsible for
the security and integrity of the database
2. Data Processing
▪ Management of computer resources used
to perform day-to-day processing of
transactions
▪ Three units: data conversion, computer
operations, and the data library
3. Systems Development and Maintenance
Centralized Data Processing Approach
Systems Development
▪ responsible for analyzing user needs and for
designing new systems to satisfy those needs.
▪ Participants:
• Systems professionals – systems analysts,
database designers, and programmers; they
gather facts about the user's problem,
analyze the facts, formulate a solution, and
design and build the new information system
• End users – the managers and operations
personnel who will use the system
• Stakeholders – parties with an interest in
the system who are not its end users
Systems Maintenance
▪ Keeps the new system updated/ current with
user needs – makes changes to program logic,
etc.
Segregation of Incompatible IT Functions
▪ Separate Systems Development from Computer
Operations
▪ Separate Database Administration from
Operations, Systems Development and Maintenance
▪ Separate New Systems Development from
Maintenance
Segregation of Incompatible IT Functions
Control Issues when development and maintenance are not separated
▪ Inadequate Documentation
• Documenting is not as interesting as designing,
testing, and implementing the systems
• Poor documentation gives the programmer job
security: nobody else can maintain the program
▪ Program Fraud
• The programmer who wrote the code and also
maintains it can make unauthorized changes
without anyone else noticing
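A segregation-of-duties check an auditor or IAM engineer could run over a role export, as an added example (not code from the slides). The role names and the user/role assignments are constructed; the incompatible pairs encode the three separations listed above. The same logic serves both the detective report (who already holds a toxic combination) and the preventive check (would this grant create one).

```python
"""Segregation-of-duties (SoD) conflict check over IT role assignments.

Added illustration, not code from the original slides. Role names and the
user/role assignments below are constructed; the incompatible pairs encode the
separations the slides call for (development vs. operations, DBA vs.
development/maintenance/operations, new development vs. maintenance).
"""
from itertools import combinations

# Pairs of IT functions that one person must not hold at the same time.
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "systems_maintenance"}),
    frozenset({"systems_development", "systems_maintenance"}),
}

# Constructed sample export of user -> roles (e.g. pulled from an IAM system).
SAMPLE_ASSIGNMENTS = {
    "alice": {"systems_development"},
    "bob":   {"computer_operations", "data_library"},
    "carol": {"systems_development", "computer_operations"},      # conflict
    "dave":  {"database_administration", "systems_maintenance"},  # conflict
    "erin":  {"systems_maintenance"},
}


def find_sod_conflicts(assignments, incompatible=INCOMPATIBLE_PAIRS):
    """Detective control: report every user holding an incompatible role pair.

    Returns {user: [(role_a, role_b), ...]} with pairs sorted for stable output;
    users with no conflict are omitted.
    """
    conflicts = {}
    for user, roles in assignments.items():
        hits = [pair for pair in combinations(sorted(roles), 2)
                if frozenset(pair) in incompatible]
        if hits:
            conflicts[user] = hits
    return conflicts


def conflicting_roles(existing_roles, new_role, incompatible=INCOMPATIBLE_PAIRS):
    """Preventive control: which of a user's current roles would clash with new_role.

    An empty set means the grant can be approved without creating a conflict.
    """
    return {role for role in existing_roles
            if frozenset({role, new_role}) in incompatible}


def format_report(conflicts):
    """Render the conflict map as one line per violation for an audit work paper."""
    lines = []
    for user in sorted(conflicts):
        for role_a, role_b in conflicts[user]:
            lines.append(f"{user}: holds both {role_a} and {role_b}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_sod_conflicts(SAMPLE_ASSIGNMENTS)))
    print(conflicting_roles({"systems_development"}, "computer_operations"))
```

The pair table is deliberately data, not code: when the organization adds a role (say, a separate data-library function), only the table changes. In practice the export would come from the directory or IAM system and the report would be reconciled against approved exceptions before anything is escalated.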
Distributed Data Processing
▪ Reorganizing the central IT function into small
IT units that are placed under the control of
end users.
▪ Units are organized by business function or by
geographic location
[Figure: distributed data processing approaches]
Risks Associated with DDP
▪ Inefficient Use of Resources
▪ Mismanagement of organization-wide IT
resources by end users
▪ Operational inefficiencies due to redundant
tasks performed by end-users
▪ Incompatible hardware and software among
end-user functions
▪ Destruction of Audit Trails
▪ Inadequate Segregation of Duties
▪ Difficulty Hiring Qualified Professionals
▪ Lack of Standards
Advantages of DDP
▪ Cost reduction
▪ Improved cost control responsibility
▪ Improved user satisfaction
▪ Backup Flexibility
Controlling the DDP Environment
▪ Services provided by a corporate IT group:
• Central testing of commercial software and
hardware
• User services
• Standard-setting body
• Personnel review
[Figure: DDP environment organizational chart]
The Computer Center
▪ Physical location
• Avoid human-made hazard, system failure
and natural hazards
▪ Construction
• Ideally: single-story building, underground
utilities, windowless, with an air filtration system
• If multi-storied building, use middle floor
(away from traffic flows, and potential
flooding in a basement)
▪ Access
• Physical: Locked doors, cameras
• Manual: Access log of visitors
[Figure: data center construction]
The Computer Center
▪ Air conditioning
• Best in a temperature range of 70-75 °F
(about 21-24 °C)
• Relative humidity around 50%
▪ Fire suppression
• Placed in strategic locations
• Automatic fire extinguishing systems:
• Water sprinklers (cheap, but water damages
electronic equipment)
• Halon gas (chemically interrupts combustion;
phased out under the Montreal Protocol as an
ozone depleter, so found only in legacy rooms)
• FM-200 (HFC-227ea), a clean agent that is safe
for occupied rooms and the usual halon replacement
• Fire-resistant building construction
• Fire exits should be clearly marked and
illuminated during a fire
The Computer Center
▪ Fault Tolerance – the system keeps operating
when a hardware component fails
▪ Redundant Arrays of Independent Disks
(RAID)
▪ Data and parity are striped across parallel
disks, so a single disk failure loses no data
and does not halt processing
▪ Power supply
▪ Need for clean power (surge protection,
voltage regulation, line conditioning)
▪ Backup power: uninterruptible power
supply (UPS) to bridge an outage until
generators start or an orderly shutdown
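To make the RAID fault-tolerance point concrete, here is an added toy model of RAID 5 striping with rotating XOR parity (example code, not part of the original slides; a real array does this in the controller or in kernel code such as Linux md). The payload, disk count and chunk size are constructed for the demo.

```python
"""Toy RAID 5 model: block striping with rotating XOR parity.

Added illustration, not code from the slides; a real array does this in the
controller or kernel. The sample payload, disk count and chunk size used in
__main__ are constructed for the demo.
"""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_array(data, n_disks, chunk):
    """Stripe data over n_disks (>= 3). Each stripe holds n_disks-1 data chunks
    plus one parity chunk, and the parity position rotates per stripe so no
    single disk becomes the parity bottleneck."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    n_data = n_disks - 1
    stripe_bytes = n_data * chunk
    padded = data + b"\x00" * (-len(data) % stripe_bytes)   # fill the last stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        base = s * stripe_bytes
        chunks = [padded[base + j * chunk: base + (j + 1) * chunk] for j in range(n_data)]
        parity_disk = s % n_disks
        remaining = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(chunks) if d == parity_disk else next(remaining))
    return disks


def rebuild_disk(disks, failed):
    """Reconstruct every chunk of disk `failed` by XOR-ing the surviving disks.
    Works because parity = XOR(data chunks), so any one missing chunk in a
    stripe equals the XOR of all the others. Two lost disks cannot be rebuilt."""
    survivors = [d for d in range(len(disks)) if d != failed]
    n_stripes = len(disks[survivors[0]])
    return [xor_blocks([disks[d][s] for d in survivors]) for s in range(n_stripes)]


def read_array(disks, length, failed=None):
    """Return the first `length` bytes of the stored data. With one failed disk
    the missing chunks are rebuilt on the fly (degraded mode)."""
    n_disks = len(disks)
    view = list(disks)
    if failed is not None:
        view[failed] = rebuild_disk(disks, failed)
    out = bytearray()
    for s in range(len(view[0])):
        parity_disk = s % n_disks
        out += b"".join(view[d][s] for d in range(n_disks) if d != parity_disk)
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"   # constructed sample
    array = write_array(payload, n_disks=4, chunk=8)
    assert read_array(array, len(payload)) == payload
    for lost in range(4):                                     # any single disk may fail
        assert read_array(array, len(payload), failed=lost) == payload
    print("survived every single-disk failure")
```

Two caveats a practitioner should keep in mind: parity tolerates exactly one failed disk per stripe, so a second failure during the rebuild window loses the array, and RAID is not a backup, since a deleted or corrupted file is faithfully replicated into the parity. That is why the slides list fault tolerance separately from disaster recovery planning.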
Audit Objectives: The Computer Center
▪ Physical security controls are adequate to
reasonably protect the organization from
physical exposures
▪ Insurance coverage on equipment is adequate
to compensate the organization for damage to
the computer center
Audit Procedures: The Computer Center