General Controls: IT Governance Controls

IT governance is a broad concept relating to the decision rights and accountability for encouraging
desirable behavior in the use of IT.

Three governance issues:

1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

Organizational Structure Controls

• The tendency in an IT environment is to consolidate activities. A single application may
authorize, process, and record all aspects of transactions.
• The focus of segregation control shifts from the operational level to higher-level organizational
relationships within the IT function.
• Organizational control issues within the context of two generic models:
o Centralized model
o Distributed model

CENTRALIZED DATA PROCESSING

• Centralized data processing - data processing support is provided by one or a cluster of
computers located in a central data processing facility.
SEGREGATION OF DUTIES WITHIN THE CENTRALIZED FIRM

• Separating systems development from computer operations (note: e.g., IT personnel such as a programmer versus a payroll clerk)
• Separating the database administrator from other functions (note: the database administrator is responsible for the security and integrity of the database)
• Separating new systems development from systems maintenance (note: fine, but costly, since the only real job of the new systems development group is development)
- Alternative approach: systems analyst and programmer. The programmer who codes the
original programs also maintains them during the maintenance phase. This approach promotes
two potential problems: inadequate documentation and fraud.
Two Potential Problems

• INADEQUATE DOCUMENTATION
- Poor-quality systems documentation is a chronic IT problem. There are at least two explanations
for this phenomenon. (note: documentation involves a lot of narrative, so it is boring, unlike actually building the program)
- First, documenting systems is not as interesting as designing, testing, and implementing them.
- The second possible reason for poor documentation is job security. (note: people will not document the program, so the company has no choice but to keep working with that programmer, because he is the only one who knows it)
• PROGRAM FRAUD
- Program fraud involves making unauthorized changes to program modules for the purpose of
committing an illegal act. (note: for example, manipulating the program to increase the rate of their own salary beyond what they should receive)
- When the original programmer of a system is also assigned maintenance responsibility, the
potential for fraud is increased. (note: they control the whole system)
[Figure: organizational chart of a centralized IT function]

THE DISTRIBUTED MODEL

• The distributed data processing (DDP) model consolidates some computer functions that are traditionally separated and distributes
some activities that are consolidated under the centralized model.

IT control implications in the DDP model:

• Incompatibility (note: different branches may run different programs)
• Redundancy (note: data from one branch is repeated in the data of another branch)
• Consolidating Incompatible Activities
• Acquiring Qualified Professionals
• Lack of Standards
[Figure: information processing unit (IPU)]

CORPORATE IT FUNCTION

• The control problems associated with DDP can, to some extent, be overcome by implementing a
corporate IT function.
• The corporate IT function is a leaner unit with a different mission than that of the centralized IT
function.
• This group provides technical advice and expertise to the various distributed IT functions:
1. Central Testing of Commercial Software and Hardware
2. User Services
3. Standard-Setting Body
4. Personnel Review

Audit Objectives Relating to Organizational Structure

• The auditor’s objective is to verify that individuals in incompatible areas are segregated in
accordance with the level of potential risk and in a manner that promotes a working environment.

Audit Procedures Relating to Organizational Structure

1. Obtain and review the corporate policy on computer security
2. Review relevant documentation
3. Review systems documentation and maintenance records for a sample of applications
4. Determine that the segregation policy is being followed in practice
5. Review user rights and privileges
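As an added worked example (not part of the original notes), the following script applies the three separations listed under "Segregation of Duties Within the Centralized Firm" to an export of user rights, which is what procedures 4 and 5 above ask the auditor to check; the function names and the user-to-function assignments are constructed sample data.

```python
"""Segregation-of-duties check for a centralized IT function.

Added example: the incompatible-function rules encode the three separations
from the notes; the function names and the assignments are constructed.
"""
from __future__ import annotations
from itertools import combinations

DEVELOPMENT_FUNCTIONS = {"new_systems_development", "systems_maintenance"}
OPERATIONS = "computer_operations"
DBA = "database_administration"


def is_incompatible(a: str, b: str) -> bool:
    """Return True if one person holding both functions violates the rules."""
    if a == b:
        return False
    # The database administrator must be separated from all other functions.
    if DBA in (a, b):
        return True
    # Systems development (new development or maintenance) vs computer operations.
    if OPERATIONS in (a, b) and ({a, b} & DEVELOPMENT_FUNCTIONS):
        return True
    # New systems development vs systems maintenance: the original programmer
    # must not also maintain the program.
    return {a, b} == DEVELOPMENT_FUNCTIONS


def find_conflicts(assignments: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Map each user with a violation to the sorted pairs of conflicting functions."""
    conflicts = {}
    for user, functions in assignments.items():
        pairs = [(a, b) for a, b in combinations(sorted(functions), 2) if is_incompatible(a, b)]
        if pairs:
            conflicts[user] = pairs
    return conflicts


# Constructed sample of user rights, as an auditor might export them from an
# access-control system (not taken from the original notes).
SAMPLE_ASSIGNMENTS = {
    "alice": {"new_systems_development"},
    "bob": {"new_systems_development", OPERATIONS},             # developer who also runs production
    "carol": {DBA, "systems_maintenance"},                       # DBA combined with another function
    "dave": {"new_systems_development", "systems_maintenance"},  # programmer maintains own code
    "erin": {OPERATIONS},
}

if __name__ == "__main__":
    for user, pairs in sorted(find_conflicts(SAMPLE_ASSIGNMENTS).items()):
        for a, b in pairs:
            print(f"{user}: {a} is incompatible with {b}")
```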
COMPUTER CENTER CONTROLS

• The objective of computer center controls is to help create a secure environment.
• The controls must be designed to prevent and detect threats to the computer center:
1. Physical location
2. Construction
3. Access
4. Air conditioning
5. Fire suppression
6. Fault Tolerance Controls
• Fault tolerance is the ability of the system to continue operation when part of the system fails
because of hardware failure, application program error, or operator error.
o REDUNDANT ARRAY OF INDEPENDENT DISKS (RAID)
o UNINTERRUPTIBLE POWER SUPPLY (UPS)

Audit Objectives Relating to Computer Center Security

• The auditor’s objective is to evaluate the controls governing computer center security.
1) Physical security controls are adequate to reasonably protect the organization from
physical exposures.
2) Insurance coverage on equipment is adequate to compensate the organization for the
destruction of, or damage to, its computer center.
3) Operator documentation is adequate to deal with routine operations as well as system
failures.

Audit Procedures Relating to Computer Center Security

• Tests of physical security controls:
a) Tests of Physical Construction
b) Tests of the Fire Detection System
c) Tests of Access Control
• Tests of Fault Tolerance Controls:
a) Determine if the level of RAID in place is adequate for the organization.
b) Verify from test records that computer center personnel perform periodic tests of the
backup power supply.
• Audit Procedures for Verifying Insurance Coverage.
o Annually review the organization’s insurance coverage on its computer hardware,
software, and physical facility.
• Audit Procedures for Verifying Adequacy of Operator Documentation.
o Computer operators use documentation called a run manual to run certain aspects of the
system.
o The auditor should review the run manual for completeness and accuracy.

Disaster Recovery Planning

• A disaster recovery plan (DRP) is a comprehensive statement of all actions to be taken before,
during, and after a disaster, along with documented, tested procedures that will ensure the
continuity of operations.
• Control issues:
a) Providing second-site backup,
b) Identifying critical applications
c) Performing backup and off-site storage procedures
d) Creating a disaster recovery team
e) Testing the DRP.

PROVIDING SECOND-SITE BACKUP

1) The empty shell or cold site
- An arrangement wherein the company buys or leases a building that will serve as a data center.
- In the event of a disaster, the shell is available and ready to receive whatever hardware the temporary
user needs to run essential systems.
2) The Recovery Operations Center (ROC) or hot site
- Fully equipped backup data center that many companies share.
- In addition to hardware and backup facilities, ROC service providers offer a range of technical services
to their clients, who pay an annual fee for access rights.
3) Internally Provided Backup
- Larger organizations with multiple data processing centers often prefer the self-reliance that creating
internal excess capacity provides.
- Mirrored Data Center - All transactions that the main system processes are transmitted in real time
along fiber-optic cables to the remote backup facility. At any point in time, the mirrored data center
reflects current economic events of the firm.
IDENTIFYING CRITICAL APPLICATIONS

• Another essential element of a DRP involves procedures to identify the critical applications and
data files.
• For most organizations, short-term survival requires the restoration of those functions that
generate cash flows sufficient to satisfy short-term obligations.
PERFORMING BACKUP AND OFF-SITE STORAGE PROCEDURES

• All data files, application documentation, and supplies needed to perform critical functions should
be specified in the DRP.
• Data processing personnel should routinely perform backup and storage procedures to safeguard
these critical resources.
a) Backup Data Files
b) Backup Documentation
c) Backup Supplies and Source Documents
AUDIT OBJECTIVE FOR ASSESSING DISASTER RECOVERY PLANNING

• The auditor should verify that management’s disaster recovery plan is adequate and feasible for
dealing with a catastrophe that could deprive the organization of its computing resources.
AUDIT PROCEDURES FOR ASSESSING DISASTER RECOVERY PLANNING
a. Second-Site Backup
The auditor should evaluate the adequacy of the backup site arrangement.
b. Critical Application List
The auditor should review the list of critical applications and ensure that it is current and
complete.
c. Backup Critical Applications and Critical Data Files
The auditor should verify that the organization has procedures in place to back up stored
off-site copies of critical applications and data.
d. Backup Supplies, Source Documents, and Documentation
The auditor should verify that the types and quantities of items specified in the DRP exist in a
secure location.
e. The Disaster Recovery Team
The auditor should verify that members of the team are current employees and are aware of their
assigned responsibilities.

OUTSOURCING THE IT FUNCTION

• Many executives have opted to outsource their IT functions to third-party vendors.
• Often-cited benefits of IT outsourcing include:
a) Improved core business performance
b) Improved IT performance (because of the vendor’s expertise)
c) Reduced IT costs.

Theories on IT Outsourcing

• Core competency theory
o Argues that an organization should focus exclusively on its core business competencies,
while allowing outsourcing vendors to efficiently manage the non-core areas such as the
IT functions.
o This premise, however, ignores an important distinction between commodity and specific
IT assets.
a) Commodity IT assets are not unique to a particular organization and are thus
easily acquired in the marketplace.
b) Specific IT assets are unique to the organization and support its strategic
objectives.
• Transaction Cost Economics (TCE) theory
o Conflicts with the core competency school by suggesting that firms should retain certain
specific non-core IT assets in-house.

Risks Inherent to IT Outsourcing

1) Failure to Perform - The cost-cutting efforts of a third-party service provider may impact its ability to serve
other clients.
2) Vendor Exploitation - The vendor may exploit its clients’ dependency by raising service rates to an
exorbitant level.
3) Outsourcing Costs Exceed Benefits - Unexpected costs may arise, and the full extent of expected
benefits may not be realized.
4) Reduced Security - Outsourcing raises unique and serious questions regarding internal control and the protection of
sensitive personal data.
5) Loss of Strategic Advantage - IT outsourcing may cause misalignment between a firm’s
IT strategic planning and its business planning functions.
Audit Implication of IT Outsourcing

• PSA 402 (Revised and Redrafted) – Audit Considerations Relating to Entities Using Service
Organizations
o This Philippine Standard on Auditing (PSA) deals with the user auditor’s responsibility to
obtain sufficient appropriate audit evidence when a user entity uses the services of one or
more service organizations.
o Services provided by a service organization are relevant to the audit of a user entity’s
financial statements when those services, and the controls over them, are part of the user
entity’s information system, including related business processes, relevant to financial
reporting.
o Although most controls at the service organization are likely to relate to financial
reporting, there may be other controls that may also be relevant to the audit, such as
controls over the safeguarding of assets.