
Information technology (IT) governance - a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.

IT governance issues that are addressed by SOX and the COSO internal control framework are:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

Centralized data processing model - all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.

The centralized IT services structure has the following primary service areas:
● database administration,
● data processing, and
● systems development and maintenance.

The data processing group consists of the following organizational functions:
● data control/data entry,
● computer operations, and
● the data library.

Operational tasks should be segregated to:
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.

Separating New Systems Development from Maintenance: this approach is associated with two types of control problems:
● inadequate documentation and
● the potential for program fraud.

Risks associated with DDP (distributed data processing):
● inefficient use of resources,
● the destruction of audit trails,
● inadequate segregation of duties,
● hiring qualified professionals, and
● lack of standards.

Potential advantages of DDP include:
● cost reductions,
● improved cost control,
● improved user satisfaction, and
● backup.

Audit procedures for a centralized IT function:
● Review relevant documentation.
● Review systems documentation and maintenance records.
● Verify that computer operators do not have access to the operational details of a system's internal logic.
● Through observation, determine that segregation policy is being followed in practice.

Audit procedures for a distributed IT function:
● Review the current organizational chart, mission statement, and job descriptions
● Verify that corporate policies and standards
● Verify that compensating controls,
● Review systems documentation

The following are areas of potential exposure (in the computer center) that can impact the quality of information, accounting records, transaction processing, and the effectiveness of other more conventional internal controls:
● Physical location
● Construction
● Access
● Fire suppression
● Air conditioning
● Fault tolerance

The following are tests of physical security controls:
● Tests of physical construction
● Tests of fire detection system
● Tests of access control
● Tests of redundant arrays of independent disks (RAID)
● Tests of uninterruptible power supply (UPS)
● Tests of insurance coverage

A disaster recovery plan (DRP) possesses four common features:
1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures
