
1. IT Controls - SOX and IT Governance: Discuss the five elements of internal control (the
integrated framework of internal control, the COSO Framework) as emphasized to comply with the
Sarbanes-Oxley Act of 2002. (10 pts)
           Control Environment – describes a set of standards, processes, and structures that serve as
the foundation for implementing internal control throughout the organization. According to the video,
the control environment is the attitude of management and employees about the importance of
internal controls. The organization strives to achieve its strategic objectives, provide reliable financial
reporting to internal and external stakeholders, operate its business efficiently and effectively, comply
with all applicable laws and regulations, and safeguard its assets. The control environment often
includes personnel policies and how detailed they are, management's philosophy and operating style,
and the business's organizational structure.
           Control Activities – are the things that we do to try to make sure that our company is
meeting its internal control objectives. They can be preventive or detective in nature, and they can be
carried out at all levels of the organization.
           Risk Assessment – The risk assessment serves as the foundation for deciding how risks will
be managed. It identifies the areas in which a company might lose money, the risks that business
information is going to be inaccurate, and the areas in which employees may not comply with laws
and regulations. It requires management to consider the impact of potential changes in the internal
and external environments, and potentially to take action to minimize that impact. Risk assessment
includes consideration of competition, regulation, economic factors, and the needs of customers.
           Information and Communication – Management obtains or generates information from both
internal and external sources to support the internal control components. If there are things that need
to change, or things to be concerned about, employees should communicate them to the right
authorities, the right people in the company, so that we can learn and improve and make sure those
objectives continue to be met.
           Monitoring – consists of periodic or ongoing assessments to ensure that each of the five
internal control components, including the controls that affect the principles within each component,
is present and functioning. Once the control activities are put in place, the company has to look at
the people, monitor them, and see if they are making any progress. We need to see whether we are
accomplishing the objectives or not. Controls don't do any good if we aren't monitoring the results.
Monitoring is simply making sure that those control activities are being done.
REFERENCE: https://www.coso.org/Documents/COSO-CROWE-COSO-Internal-Control-Integrated-Framework.pdf
2. Enumerate at least six (6) risks that the company may be exposed to for not complying with
IT Governance. Explain in 3 to 4 sentences. (10 points)
- Loss of Shareholder Confidence - An organization that does not follow its IT governance
strategy risks lowering the trust of its shareholders. This can happen if the shareholders think
that they were misled about the company's strategy.
- Difficulty Raising Capital - When the value of a corporation's stock falls, it becomes more
difficult for the company to raise capital. This is due, in part, to a negative perception of
the company caused by a failure to follow its corporate governance strategies.
- No Risk Management - Noncompliance with IT governance may result in no risk
management. This may lead to a company making bad investments, such as extending credit
to those who may be unable to repay debt.
- Increased Government Oversight - A corporation with a reputation for failing to follow
corporate governance strategies may face increased government scrutiny from
departments looking to ensure that the company is operating within the law's
parameters. Oversight may include audits of business practices such as employee pay
and relations, manufacturing facility quality, environmental impact of business practices,
legality of all investments, and honest reporting of all profits, debts, and losses.
- Technical and Privacy Risks - Technical risks include software bugs, a computer crash, or the
complete failure of a computer component. A technical failure can be catastrophic if, for example,
you cannot retrieve data from a failed hard drive and no backup copy is available. Privacy risks
arise when people, such as hackers, aim to compromise business information.
- Human Error Risks - Human error is a major threat. For example, someone might accidentally
delete important data, or fail to follow security procedures properly.

REFERENCE: https://bizfluent.com/info-8019695-corporate-governance-effects.html
3. IT Controls - User Acceptance Test
From the video shown below, who is involved in User Acceptance Testing (UAT), and
why? (10 points)
- User Acceptance Testing, or UAT, is the process of verifying that the solution works for the users.
It focuses on ensuring that the software does not crash and meets documented requirements.
Users and developers are those involved in UAT. The user of a software product is either the end
user of the software or the individual who requested that it be built (the client). UAT determines
whether or not the software is accepted by users. The user is the most important entity in this case
because they will be the only ones who use the product on a regular basis.
REFERENCE: https://youtu.be/ws7KS39jMBU
Discuss the processes of UAT and relevance prior to the implementation of the developed
system. (10 pts)

- Software testing is critical in the software product development process because it ensures
and maintains the quality of the software product. UAT, or User Acceptance Testing, is the
final stage of software testing. This UAT process is important because it validates whether or
not all of the business requirements have been met before releasing the actual product.

- Here is the process of UAT according to the video. The first step is planning. This step
outlines the proper planning and execution strategy. It also describes the main areas of focus,
entry and exit. The second and third steps are to design the UAT test scripts and to select the
team that will execute them. The UAT cases assist the test team (user
personnel, system professionals, and internal auditors) in thoroughly testing the application.
The fourth step is for the test team to execute the test cases. The fifth step is team
feedback and evaluation during testing. The sixth step is to resolve bugs and issues
discovered during testing, which should be discussed with the Project Team, SME, and
business analyst. The final step is the formal "sign-off" on UAT after it has been
successfully completed. When the user accepts the delivered software, they indicate that it
meets all of the requirements. Prior to system implementation, the system's individual modules
must be formally and rigorously tested as a whole.
REFERENCE: https://youtu.be/J1E2M0e6Ti4
 
 
