Definition of IT governance

Information technology governance is an element of corporate governance that is aimed at improving the overall management of IT and deriving improved value from investment in information technology. Corporate governance, as defined by The Governance Institute, is:

“a toolkit that enables management and the board to deal more effectively with the challenges of running a company. Corporate governance ensures that businesses have appropriate decision-making processes and controls in place so that the interests of all stakeholders are balanced.”

Establishing a framework for corporate governance of information technology can help an organization comply with requirements of laws and regulations for business, such as the DPA (Data Protection Act) 2018 and the GDPR. IT governance planning in an organization will help you to define and maintain appropriate policies and procedures that will help you to meet these requirements for data security and privacy.

It can also help to maximize the return on your investment in IT. It does this by helping you to evaluate, prioritize, and select which investments are most likely to give you the best returns, and by ensuring that IT purchases and activities are aligned with overall business objectives. Planning coupled with the proper structure can help to ensure that IT is operated in an effective, efficient, safe, and regulatory compliant way. Establishing a framework can also help with the management of IT-related risks, for example, through using IT security governance to manage the risks from cyber-attacks.

IT governance provides an organization with a structure of relationships and processes that direct and control how IT is provided and operated. Using this type of governance helps the enterprise to achieve its goals by adding value from IT whilst balancing the risk versus reward of IT investments and processes. It provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives.

IT projects should also be in the scope of governance. The organization might have separate governance arrangements for projects, but where this is the case, there must be a strong link with the approach used to govern IT; otherwise, there is a risk that projects may be delivered on time but not align with the necessary requirements for governing IT. This is key when considering what project governance is and why it is important.

Technology governance as a part of IT governance can reduce the costs of IT and support by encouraging the use of a standard set of technologies. Through the application of frameworks such as COBIT, it can also be used to standardize all IT-related processes, reducing costs, and improving customer service. Other benefits include:

Demonstrating measurable results arising from the use of IT.
Assuring stakeholders that they can have confidence in your IT services.
Facilitating increased returns on IT investment.
Complying with any corporate governance requirements.

Components of IT governance

There are typically five components of IT governance models. The detail within each of these components will vary between each organization’s implementation, but the overall structure is likely to contain these common components:

Governance framework: A framework for the governance of IT should include all the processes, responsibilities, policies, guidelines, metrics, and activities necessary for effective governance. This will help to ensure that a standardized governance approach is used throughout the organization, which is well known by all employees and delivers consistent results. This critical component of IT governance will define the ‘who’ and ‘how’ elements of the operating model, providing the framework for how decisions are made and communicated.

Business Benefits: A key component is understanding what business benefits are expected from the governance of IT. These benefits can take many forms. They can include tangible benefits such as regulatory compliance or reduced costs of wasted investments. They can also include intangible benefits such as improved employee satisfaction. But unless these benefits are quantified and communicated, there is a risk that the governance activities will not achieve the desired goals, as employees see them as unnecessary to the future of the organization.

Management: The other components are useless without effective management. That includes management of the governance activities themselves, benefits management, strategic management, and portfolio management. It should be an inherent component of all management activities conducted within the organization. It should never be seen as something that is only the responsibility of the IT manager or the internal audit team.

Optimizing Risks: Good models for risk management include both IT and business continuity planning, alignment to any legal and regulatory requirements for managing risks, and an approach that includes a risk appetite and tolerance methodology that can assist with making risk-based decisions about IT systems and services.

Disaster Recovery Planning discussion

Disasters such as earthquakes, floods, sabotage, and even power failures can be catastrophic to an organization’s computer center and information systems.

There are three categories of disaster that can rob an organization of its IT resources:

natural disasters
human-made disasters
system failure

To survive such an event, companies develop recovery procedures and formalize them into a disaster recovery plan (DRP). This is a comprehensive statement of all actions to be taken before, during, and after any type of disaster. Although the details of each plan are unique to the needs of the organization, all workable plans possess four common features:

1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures

Role of IT governance

Accountants routinely examine the physical environment of the computer center as part of their annual audit. The objective of this section is to present computer center risks and the controls that help to mitigate risk and create a secure environment. The following are areas of potential exposure that can impact the quality of information, accounting records, transaction processing, and the effectiveness of other more conventional internal controls.

Things to consider:

Physical Location
Construction
Access
Air Conditioning
Fire Suppression
Fault Tolerance
Audit Objectives
Audit Procedures

Take away from Sync class

SEGREGATION OF INCOMPATIBLE IT FUNCTIONS

The previous chapter stressed the importance of segregating incompatible duties within manual activities. Specifically, operational tasks should be segregated to:

1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.

Examples are the following:

Separating Systems Development from Computer Operations
Separating Database Administration from Other Functions
Separating New Systems Development from Maintenance

THE COMPUTER CENTER