IT Governance – a subset of corporate governance that focuses on the management and assessment of strategic IT resources.
Key objectives:
- Reduce risk
- Ensure investments in IT resources add value to the corporation.
Three IT governance issues addressed by SOX and the COSO internal control framework:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
Structure of the Information Technology Function
1. Centralized Data Processing
- all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization
- treated as a cost center whose operating costs are charged back to the end users.
- Primary service areas: database administration, data processing, and system development and maintenance.
Database administration – an independent group headed by the database administrator is responsible for the security and integrity of the database.
Data processing – manages the computer resources used to perform the day-to-day processing of transactions. It consists of the following organizational functions:
Data conversion – transcribes transaction data from hard-copy source documents into computer input.
Computer operations – electronic files produced in data conversion are later processed by the central computer, which is managed by the computer operations group.
Data library – a room adjacent to the computer center that provides safe storage for the off-line data files. It is also used to store original copies of commercial software and their licenses for safekeeping. A data librarian controls access to the library.
System Development and Maintenance
System development – responsible for analyzing user needs and for designing new systems to satisfy those needs.
Systems maintenance – assumes responsibility for keeping the system current with user needs.
Audit objective
- to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks.
The following are areas of potential exposure that can impact the quality of information, accounting records, transaction processing, and the effectiveness of other more conventional internal controls:
A. Physical Location – the physical location of the computer center directly affects the risk of destruction from a natural or man-made disaster. To the extent possible, the computer center should be away from human-made and natural hazards.
B. Construction – a computer center should be located in a single-story building of solid construction with controlled access. Utility (power and telephone) lines should be underground. The building windows should not open, and an air filtration system should be in place that is capable of extracting pollens, dust, and dust mites.
C. Access – access to the computer center should be limited to the operators and other employees who work there. To achieve a higher level of security, access should be monitored by closed-circuit cameras and video recording systems.
D. Air Conditioning – computers function best in an air-conditioned environment, and providing adequate air conditioning is often a requirement of the vendor's warranty.
E. Fire Suppression
F. Fault Tolerance – the ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.
Audit Objectives (regarding computer center security)
- Physical security controls are adequate to reasonably protect the organization from physical exposures.
- Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.
Audit procedures (test of physical security controls)
Disaster recovery plan – a comprehensive statement of all actions to be taken before, during, and after any type of disaster.
MAJOR IC CONCERNS
- help the business to focus on what is really its goal.
Benefits
Risks
- Failure to perform
- Vendor Exploitation
- Costs exceed benefits
- Reduced security
- Loss of strategic advantage
Audit implication of IT outsourcing