Definition of IT governance
security governance to manage the risks
Information technology governance is an
element of corporate governance that is
aimed at improving the overall
management of IT and deriving improved
value from investment in information and
technology. Corporate governance, as
defined by The Governance Institute, is:
“a toolkit that enables management and the
board to deal more effectively with the
challenges of running a company. Corporate
governance ensures that businesses have
appropriate decision-making processes and
controls in place so that the interests of all
stakeholders are balanced.”
Establishing a framework for corporate
governance of information technology can
help an organization comply with
requirements of laws and regulations for
business, such as the DPA (Data Protection
Act) 2018 and the GDPR. IT governance
planning in an organization will help you to
define and maintain appropriate policies
and procedures that will help you to meet
these requirements for data security and
privacy.
It can also help to maximize the return on
your investment in IT. It does this by helping
you to evaluate, prioritize, and select which
investments are most likely to give you the
best returns, and ensuring that and ensure
that IT purchases and activities are aligned
with overall business objectives.
Planning coupled with the proper structure
can help to ensure that IT is operated in an
effective, efficient, safe, and regulatory
compliant way. Establishing a framework
can also help with the management of IT-
related risks, for example, through using IT
from cyber-attacks.
Technology governance as a part of IT
governance can reduce the costs of IT
support by encouraging the use of a
standard set of technologies. Through the
application of frameworks such as COBIT, it
can also be used to standardize all IT-
related processes, reducing costs, and
improving customer service. Other benefits
include:
 Demonstrating measurable results
arising from the use of IT.
 Assuring stakeholders that they can
have confidence in your IT services.
 Facilitating increased returns on IT
investment.
 Complying with any corporate
governance requirements.
Components of IT governance
There are typically five components of IT
governance models. The detail within each
of these components will vary between
each organization’s implementation, but
the overall structure is likely to contain
these common components:
Governance framework: A framework for
the governance of IT should include all the
processes, responsibilities, policies,
guidelines, metrics, and activities necessary
for effective governance. This will help to
ensure that a standardized governance
approach is used throughout the
organization, which is well known by all
employees and delivers consistent results.
This critical component of IT governance
will define the ‘who’ and ‘how’ elements of
the operating model, providing the
framework for how decisions are made and
communicated.
Business Benefits: A key component is
understanding what business benefits are
expected from the governance of IT. These
benefits can take many forms. They can
include tangible benefits such as regulatory
compliance or reduced costs of wasted
investments. They can also include
intangible benefits such as improved
employee satisfaction. But unless these
benefits are quantified and communicated,
there is a risk that the governance activities
will not achieve the desired goals, as
employees see them as unnecessary to the
future of the organization.
Management: The other components are
useless without effective management. That
includes management of the governance
activities themselves, benefits
management, strategic management, and
portfolio management. It should be an
inherent component of all management
activities conducted within the
organization. It should never be seen as
something that is only the IT manager’s
responsibility or the internal audit team.
Optimizing Risks: Good models for risk
management include both IT and business
continuity planning, alignment to any legal
and regulatory requirements for managing
risks, and an approach that includes a risk
appetite and tolerance methodology that
can assist with making risk-based decisions
about IT systems and services.
Role of IT governance
IT governance provides an organization with
a structure of relationships and processes
that direct and control how IT is provided
and operated. Using this type of governance
helps the enterprise to achieve its goals by
adding value from IT whilst balancing the
risk versus reward of IT investments and
processes. It provides the structure that
links IT processes, IT resources, and
information to enterprise strategies and
objectives.
IT projects should also be in the scope of
governance. The organization might have
separate governance arrangements for
projects, but where this is the case, there
must be a strong link with the approach
used to govern IT; otherwise, there a risk
that projects may be delivered on time but
not align with the necessary requirements
for governing IT. This is key when
considering what is project governance and
why is it important.
Disaster Recovery Planning
discussion
Disasters such as earthquakes, floods,
sabotage, and even power failures can be
catastrophic to an organization’s computer
center and information systems.
Three categories of disaster that can rob an
organization of its IT resources:
 natural disasters
 human-made disasters
 system failure
To survive such an event, companies
develop recovery procedures and formalize
them into a disaster recovery plan (DRP).
This is a comprehensive statement of all
actions to be taken before, during, and after Accountants routinely examine the physical
any type of disaster. Although the details of environment of the computer center as part
each plan are unique to the needs of the of their annual audit. The objective of this
organization, all workable plans possess section is to present computer center risks
four common features: and the controls that help to mitigate risk
and create a secure environment. The
1. Identify critical applications
following are areas of potential exposure
2. Create a disaster recovery team that can impact the quality of information,
accounting records, transaction processing,
3. Provide site backup
and the effectiveness of other more
4. Specify backup and off-site storage conventional internal controls.
procedures
Things to consider:
Take away from Sync class  Physical Location
SEGREGATION OF INCOMPATIBLE IT  Construction
FUNCTIONS  Access
 Air Conditioning
The previous chapter stressed the
 Fire Suppression
importance of segregating incompatible
 Fault Tolerance
duties within manual activities. Specifically,
 Audit Objectives
operational tasks should be segregated to:
 Audit Procedures
1. Separate transaction authorization from
transaction processing.
2. Separate record keeping from asset
custody.
3. Divide transaction-processing tasks
among individuals such that short of
collusion between two or more individuals’
fraud would not be possible.
Examples are the following:

 Separating Systems Development

from Computer Operations
 Separating Database Administration
from Other Functions
 Separating New Systems
Development from Maintenance
THE COMPUTER CENTER