CHAPTER 2

IT governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.

IT Governance Controls
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
Centralized Data Processing
Database Administration
Data Processing
Systems Development and Maintenance
Data Conversion
Computer Operations
Data Library

Participants in systems development:
Systems professionals
End users
Stakeholders
Segregation of Incompatible IT Functions
Separating Systems Development from Computer Operations
Separating Database Administration from Other Functions
Separating New Systems Development from Maintenance
Risks of not separating new systems development from maintenance:
Inadequate Documentation
Program Fraud
Segregation of Incompatible IT Functions: A Superior Structure for Systems Development
Documentation standards are improved because the maintenance group requires documentation to perform its maintenance duties.
Denying the original programmer future access to the program deters program fraud.
The Distributed Model
Distributed Data Processing (DDP)

The Distributed Model: Risks Associated with DDP
Inefficient Use of Resources
Risk of mismanagement of organization-wide IT resources by end users
Risk of operational inefficiencies
Risk of incompatible hardware and software among end-user functions
Destruction of Audit Trails
Inadequate Segregation of Duties
Hiring Qualified Professionals
Lack of Standards
The Distributed Model: Advantages of DDP
Cost Reductions
Improved Cost Control Responsibility
Improved User Satisfaction
Backup Flexibility

Users desire to control the resources that influence their profitability.

Users want systems professionals to be responsive to their specific situation.

Users want to become more actively involved in developing and implementing their own systems.
Controlling the DDP Environment
Implement a Corporate IT Function
Central Testing of Commercial Software and Hardware

User Services

Standard-Setting Body

Personnel Review
Controlling the DDP Environment

Audit Objective
Verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment.

Audit Procedures

Centralized
Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions.
Review systems documentation and maintenance records for a sample of applications.
Verify that computer operators do not have access to the operational details of a system's internal logic.
Through observation, determine that segregation policy is being followed in practice.

Distributed
Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.
Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.
Computer Center Operations
Physical Location
Construction
Access
Air Conditioning
Fire Suppression
1. Automatic and manual alarms should be placed in strategic locations around the installation
2. There must be an automatic fire extinguishing system that dispenses the appropriate type of suppressant for the location
3. Manual fire extinguishers should be placed at strategic locations
4. The building should be of sound construction to withstand water damage caused by fire suppression equipment
5. Fire exits should be clearly marked and illuminated during fire
Fault Tolerance
Redundant arrays of independent disks (RAID)

Uninterruptible power supplies

Audit Objectives
Physical security controls are adequate to reasonably protect the organization from physical exposures.
Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.

Audit Procedures
Tests of Physical Construction

Tests of the Fire Detection System

Tests of Access Control

Tests of RAID

Tests of the Uninterruptible Power Supply

Tests for Insurance Coverage
Disaster Recovery Planning
Identify Critical Applications
Creating a Disaster Recovery Team
Providing Second-Site Backup
Mutual Aid Pact

Empty Shell

Recovery Operations Center

Internally Provided Backup
Backup and Off-Site Storage Procedures
Operating System Backup

Application Backup

Backup Data Files

Backup Documentation

Backup Supplies and Source Documents

Testing the DRP
Audit Objective
Verify that management's disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures
Site Backup

Critical Application List

Software Backup

Data Backup

Backup Supplies, Documents, and Documentation

Disaster Recovery Team
Core Competency Theory
An organization should focus exclusively on its core
business competencies, while allowing outsourcing vendors to
efficiently manage the non-core areas such as the IT functions.
Commodity IT Assets
Specific IT Assets
Transaction Cost Economics (TCE)
Firms should retain certain non-core IT assets in-house
Risks Inherent to IT Outsourcing
Failure to Perform

Vendor Exploitation

Outsourcing Costs Exceed Benefits

Reduced Security

Loss of Strategic Advantage

Audit of IT Outsourcing
Statement on Auditing Standards No. 70 (SAS 70)