
Suello, Sheva Mae T.

BSA 2 Group MW 6:00-7:30


AA 3101

IT Governance – a subset of corporate governance that focuses on the management and assessment of strategic IT resources.
Key objectives:

- Reduce risk
- Ensure investments in IT resources add value to the corporation.

Three IT Governance issues addressed by SOX and COSO internal control framework
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
Structure of the Information Technology Function
1. Centralized Data Processing
- All data processing is performed by one or more large computers housed at a central site that serves users
throughout the organization.
- Treated as a cost center whose operating costs are charged back to the end users.
- Primary service areas: database administration, data processing, and systems development and maintenance.
  - Database administration – an independent group headed by the database administrator is responsible for
  the security and integrity of the database.
  - Data processing – manages the computer resources used to perform the day-to-day processing of
  transactions. It consists of the following organizational functions:
    - Data conversion – transcribes transaction data from hard-copy source documents into computer input.
    - Computer operations – electronic files produced in data conversion are later processed by the
    central computer, which is managed by the computer operations group.
    - Data library – a room adjacent to the computer center that provides safe storage for the off-line
    data files. It is also used to store original copies of commercial software and their licenses for
    safekeeping. A data librarian controls access to the library.
  - Systems development and maintenance
    - Systems development – responsible for analyzing user needs and for designing new systems to
    satisfy those needs.
    - Systems maintenance – assumes responsibility for keeping an existing system current with user needs.

2. Segregation of Incompatible IT Functions

- Operational tasks should be segregated to:
a. Separate transaction authorization from transaction processing.
b. Separate record keeping from asset custody.
c. Divide transaction-processing tasks among individuals such that, short of collusion between two or
more individuals, fraud would not be possible.
- Separate systems development from computer operations.
- Separate database administration from other functions.
- Separate new systems development from maintenance.
3. The Distributed Model
- Involves reorganizing the central IT functions into small IT units that are placed under the control of end users.
The IT units may be distributed according to business function, geographical location, or both.
Risks Associated with Distributed Data Processing (DDP)
a. Inefficient use of resources
  - Risk of mismanagement of organization-wide IT resources by end users.
  - DDP can increase the risk of operational inefficiencies because of redundant tasks being performed
  within the end-user community.
b. Destruction of the audit trail
c. Inadequate segregation of duties
d. Difficulty hiring qualified professionals
e. Lack of standards
Advantages of DDP
a. Cost reductions
b. Improved cost control responsibility
c. Improved user satisfaction
d. Back-up flexibility

4. Controlling the DDP Environment

a. Implement a corporate IT function – the corporate IT group provides systems development and database
management for entity-wide systems, in addition to technical advice and expertise to the distributed IT
community.
b. Central testing of commercial software and hardware – the corporate group can evaluate system features, controls, and
compatibility with industry and organizational standards. Test results are distributed to user areas, which
allows the organization to effectively centralize the acquisition, testing, and implementation of software and
hardware and avoid many problems.
c. User services – provides technical help to users during the installation of new software and when troubleshooting
hardware and software problems.
d. Standard-setting body – the relatively poor control environment imposed by the DDP model can be improved by
establishing some central guidance.
e. Personnel review – evaluate the technical credentials of prospective systems professionals.

Audit objective
- To verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance
with the level of potential risk and in a manner that promotes a working environment. This is an environment in which
formal, rather than casual, relationships need to exist between incompatible tasks.

Audit Procedures (Centralized IT Function)
a. Review relevant documentation.
b. Review systems documentation and maintenance records for a sample of applications.
c. Verify that computer operators do not have access to the operational details of a system’s internal logic.
d. Through observation, determine that the segregation policy is being followed in practice.
Audit Procedures (Distributed IT Function)
a. Review the current organizational chart, mission statement, and job descriptions for key functions to determine if
individuals or groups are performing incompatible duties.
b. Verify that corporate policies and standards for systems design, documentation, and hardware and software
acquisition are published and provided to distributed IT units.
c. Verify that compensating controls, such as supervision and management monitoring, are employed when
segregation of incompatible duties is economically infeasible.
d. Review systems documentation to verify that applications, procedures, and databases are designed and
functioning in accordance with corporate standards.
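The segregation rules listed under "Segregation of Incompatible IT Functions" and the audit procedure that reviews the organizational chart for incompatible duties can be carried out as a mechanical check. The script below is an added example, not part of the notes or the textbook: the incompatible pairs are the ones the notes name, while the people, their duties and the compensating control are constructed sample data.

```python
"""Segregation-of-duties check over an organizational chart (added example).

The incompatible pairs are those the notes list; the assignments below are
constructed sample data, not a real organization."""
from itertools import combinations

# Duties the notes say must never be held by the same person.
INCOMPATIBLE_PAIRS = {
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"record_keeping", "asset_custody"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "systems_maintenance"}),
}
# Database administration is separated from every other IT function.
IT_FUNCTIONS = {"systems_development", "systems_maintenance",
                "computer_operations", "data_conversion", "data_library"}
for fn in IT_FUNCTIONS:
    INCOMPATIBLE_PAIRS.add(frozenset({"database_administration", fn}))


def find_conflicts(assignments):
    """Return sorted (person, duty_a, duty_b) triples for every person who
    holds two duties the matrix marks as incompatible."""
    conflicts = []
    for person, duties in assignments.items():
        for a, b in combinations(sorted(set(duties)), 2):
            if frozenset({a, b}) in INCOMPATIBLE_PAIRS:
                conflicts.append((person, a, b))
    return sorted(conflicts)


def unmitigated(conflicts, compensating):
    """Conflicts with no documented compensating control (e.g. supervision);
    audit procedure (c) treats these as findings, the rest as accepted risk."""
    return [c for c in conflicts if c[0] not in compensating]


# Constructed org chart, as an auditor might transcribe job descriptions.
SAMPLE_ASSIGNMENTS = {
    "alice": ["database_administration"],
    "bob": ["systems_development", "computer_operations"],
    "carol": ["record_keeping", "asset_custody"],
    "dave": ["data_conversion", "data_library"],  # not incompatible per notes
}
# Constructed: carol's unit is too small to split duties; a manager reviews.
SAMPLE_COMPENSATING = {"carol": "monthly reconciliation reviewed by manager"}

if __name__ == "__main__":
    for person, a, b in unmitigated(find_conflicts(SAMPLE_ASSIGNMENTS),
                                    SAMPLE_COMPENSATING):
        print(f"FINDING: {person} holds incompatible duties {a} and {b}")
```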

THE COMPUTER CENTER

The following are areas of potential exposure that can impact the quality of information, accounting records, transaction
processing, and the effectiveness of other more conventional internal controls:
A. Physical Location - The physical location of the computer center directly affects the risk of destruction from a
natural or man-made disaster. To the extent possible, the computer center should be away from human-made and
natural hazards.
B. Construction - A computer center should be located in a single-story building of solid construction with
controlled access. Utility (power and telephone) lines should be underground. The building windows should not
open, and an air filtration system should be in place that is capable of extracting pollens, dust, and dust mites.
C. Access - Access to the computer center should be limited to the operators and other employees who work there.
To achieve a higher level of security, access should be monitored by closed-circuit cameras and video recording
systems.
D. Air Conditioning - Computers function best in an air-conditioned environment, and providing adequate air
conditioning is often a requirement of the vendor’s warranty.
E. Fire Suppression
F. Fault Tolerance - The ability of the system to continue operation when part of the system fails because of
hardware failure, application program error, or operator error.
Audit Objectives (regarding computer center security)

- Physical security controls are adequate to reasonably protect the organization from physical exposures.
- Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or
damage to, its computer center.
Audit Procedures (tests of physical security controls)

- Tests of physical construction
- Tests of the fire detection system
- Tests of access control
- Tests of RAID
- Tests of the uninterruptible power supply
- Tests for insurance coverage
DISASTER RECOVERY PLANNING

- This is a comprehensive statement of all actions to be taken before, during, and after any type of disaster.

Disaster Recovery Plan

1. Identify critical applications - The first essential element of a DRP is to identify the firm’s critical
applications and associated data files. Recovery efforts must concentrate on restoring those applications that are
critical to the short-term survival of the organization.
2. Create a disaster recovery team - Select team members, write job descriptions, and describe the recovery process in
terms of who does what. It is more effective to keep the original recovery team because they are already familiar
with the plans.
3. Provide site backup - A backup site facility including appropriate furniture, housing, computers, and
telecommunications. Another valid option is a mutual aid pact, where a similar business or a branch of the same
company swaps availability when needed.
4. Hardware backup - Some vendors provide computers with their site, known as a hot site or Recovery
Operations Center. Some do not provide hardware, known as a cold site (leasing). When hardware is not available, make
sure the plan accommodates compatible hardware (e.g., the ability to lease computers).
5. System software backup - Some hot sites provide the operating system. If it is not included in the site plan, make
sure copies are available at the backup site.
6. Application software backup - Make sure copies of critical applications are available at the backup site.
7. Data backup - One key strategy in backups is to store copies of data backups away from the business
campus, preferably several miles away or at the backup site. Another key is to test the restore function of data
backups before a crisis.
8. Supplies - A modicum of supplies should be kept at the backup site or be deliverable quickly.
9. Documentation - An adequate set of copies of user and system documentation.
10. Test - The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs,
and to test it periodically (e.g., once a year).

MAJOR IC CONCERNS

- Second-site backup
- Critical applications and databases, including supplies and documentation
- Backup and off-site storage procedures
- Who is part of the disaster recovery team?
- Testing the DRP regularly

DRP Audit Procedures

- Evaluate second-site backup arrangements
- Review the list of critical applications for completeness and currency
- Verify that procedures are in place for storing off-site copies of applications and data
- Verify that backups and copies of check stock, invoices, POs, and special-purpose forms exist in a secure location

OUTSOURCING THE IT FUNCTION

- Helps the business focus on what is really its core goal.

Benefits

- Improved core business processes
- Improved IT performance
- Reduced IT costs

Risks

- Failure to perform
- Vendor exploitation
- Costs exceed benefits
- Reduced security
- Loss of strategic advantage
Audit implications of IT outsourcing

- Management retains SOX responsibilities.
- Management may outsource its organization’s IT functions, but it cannot outsource its management responsibilities under
SOX for ensuring adequate IT internal controls.
- A SAS No. 70 report or an audit of the vendor will be required.

TAKEAWAYS FROM SYNCH CLASS

IT governance is crucial to every entity since it aligns their organizations and efforts to support business strategy and
create shareholder value. Moreover, proper segregation of duties is very important in order to avoid any fraudulent activities
inside a company. Incompatible IT functions or duties must be checked from time to time, since if this is ignored there are
many risks involved, such as manipulation of data. Furthermore, it is also very essential for an entity to have back-up plans
in case of any unfortunate events that could happen to destroy all the data and important information. That is why it is
highly recommended to have a disaster recovery plan to prepare for anything that could possibly harm the company.
Lastly, we should keep in mind the right things to do regarding an entity’s computer center in order to avoid impacting or
destroying the quality of information, accounting records, transaction processing, and the effectiveness of other more
conventional internal controls.
