Defining IT Governance
● Information Technology (IT) Governance - a relatively new subset of corporate governance that focuses on the management and
assessment of strategic IT resources.
Key Objectives: to reduce risk and ensure that investments in IT resources add value to the corporation.
IT Governance Controls
(Three IT governance issues addressed by SOX and the COSO internal control framework: the organizational structure of the IT
function, computer center operations, and disaster recovery planning)
Organizational Structure of the IT Function
1. Centralized Data Processing model - all data processing is performed by one or more large computers housed at a central
site that serves users throughout the organization.
a) Database Administration - the centrally maintained data resources shared by all end users are managed by the database
administrator (DBA), an independent group responsible for the security and integrity of the database.
b) Data Processing - group that manages the computer resources used to perform the day-to-day processing of the
transactions.
i. Data Conversion - transcribes transaction data from hard-copy source documents into computer input.
ii. Computer Operations - the computer operations group manages the electronic files produced by data conversion, which
are then processed by the central computer.
iii. Data Library - a room adjacent to the computer center that provides safe storage for off-line data files. The data
librarian is responsible for the receipt, storage, retrieval, and custody of all data files, and for controlling access
to the library.
c) Systems Development and Maintenance
i. Systems Development - responsible for analyzing user needs and for designing new systems to satisfy those needs.
Participants:
Systems professionals - gather facts about the user's problem, analyze the facts, and formulate a solution
(includes: systems analysts, database designers, and programmers)
End users - those for whom the system is built (includes: managers and operations personnel)
Stakeholders - individuals inside or outside the firm who have an interest in the system but are not end
users (includes: accountants, internal and external auditors, and others who oversee systems development)
ii. Systems Maintenance - assumes responsibility for keeping the system current with users' needs
The systems analysis group works with the users to produce detailed designs of the new systems.
Segregating incompatible IT functions - divide transaction-processing tasks among individuals such that, short of collusion
between two or more individuals, fraud would not be possible.
Separating systems development from computer operations - systems development and maintenance professionals should create
and maintain systems for users, and should have no involvement in entering data or running applications. Operations staff
should run these systems and have no involvement in their design.
Separating database administration from other functions - the DBA function is responsible for a number of critical tasks
pertaining to database security; delegating these responsibilities to others who perform incompatible tasks threatens
database integrity.
2. Distributed Data Processing (DDP) - involves reorganizing the central IT function into small IT units that are placed
under the control of end users.
a) Alternative A - a variant of the centralized model; the difference is that terminals are distributed to end users for
handling input and output.
b) Alternative B - a significant departure from the centralized model; distributes all computer services to the end users,
where they operate as standalone units. The connections represent a networking arrangement that permits
communications and data transfers between the units.
Risks of the DDP environment:
Incompatible hardware and software - end-user functions acquire systems independently, so hardware and software may not
work together across units
Audit Trails - the audit trail provides the linkage between a company's financial activities (transactions) and the financial
statements that report on those activities; distributing processing across end-user units puts it at risk
Hiring qualified professionals - the risk of programming errors and system failures increases directly with the level of
employee incompetence
Lack of Standards - in a DDP environment, standards for developing and documenting systems, choosing programming languages,
acquiring hardware and software, and evaluating performance may be unevenly applied or even nonexistent
Advantages of DDP
Cost Reduction
Data can be edited and entered by the end user, thus eliminating the centralized task of data preparation
Application complexity can be reduced, which in turn reduces systems development and maintenance costs
Improved Cost Control Responsibility - end-user managers carry the responsibility for the financial success of their
operations
Improved User Satisfaction - distributing systems to end users improves three areas of need that too often go unsatisfied in
the centralized model:
Users want to become more actively involved in developing and implementing their own systems
Backup Flexibility - the ability to back up computing facilities to protect against potential disasters
Controlling the DDP Environment - many DDP initiatives have proven to be ineffective, and even counterproductive, because
decision makers saw in these systems virtues that were more symbolic than real.
Implement a Corporate IT Function - the corporate IT group provides systems development and database management for
entity-wide systems in addition to technical advice and expertise to the distributed IT community. Some services are:
Central Testing of Commercial Software and Hardware - can evaluate systems features, controls, and compatibility
with industry and organizational standards
User Services - provides technical help to users during the installation of new software and in troubleshooting
hardware and software problems
Standard-Setting Body - establishes and distributes to user areas appropriate standards for systems development,
programming, and documentation
Personnel Review - the corporate group is often better equipped than users to evaluate the technical credentials of
prospective systems professionals
Audit Objective: the auditor's objective is to verify that the structure of the IT function is such that individuals in
incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working
environment
Audit Procedures
Verify that computer operators do not have access to the operational details of a system’s internal logic
Review the current organizational chart, mission statement, and job descriptions for key functions to determine whether
individuals/groups are performing incompatible duties
Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition
are published and provided to distributed IT units
Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of
incompatible duties is economically infeasible
Review systems documentation to verify that applications, procedures, and databases are designed and functioning in
accordance with corporate standards
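The "incompatible duties" review above is something an auditor can mechanize once the organizational chart is exported as a role list. The block below is an added example (not part of the original notes): it encodes the separations the notes describe (development/maintenance vs. data entry and operations, DBA vs. development and operations) as pairs, parses a constructed roster in an assumed "person: function, function" format, and reports each conflict as a violation unless a documented compensating control such as supervisory review covers it, which is the exception the audit procedures allow when full segregation is economically infeasible.

```python
from itertools import combinations

# Pairs of IT functions the notes treat as incompatible: development and
# maintenance staff must not enter data or run applications, and DBA duties
# must not be delegated to people who perform incompatible tasks.
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "data_conversion"}),
    frozenset({"systems_maintenance", "computer_operations"}),
    frozenset({"systems_maintenance", "data_conversion"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "computer_operations"}),
}


def parse_roster(text):
    """Parse 'person: function, function' lines (an assumed export format)
    into {person: set_of_functions}. Blank lines and '#' comments are ignored."""
    roster = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        person, _, funcs = line.partition(":")
        roster[person.strip()] = {f.strip() for f in funcs.split(",") if f.strip()}
    return roster


def find_conflicts(roster, compensating_controls=None):
    """Return (person, function_a, function_b, status) for every incompatible
    pair held by one person. status is 'compensated' when a documented
    compensating control (e.g. supervisory review) covers that pair for that
    person, otherwise 'violation'."""
    compensating_controls = compensating_controls or {}
    findings = []
    for person in sorted(roster):
        covered = compensating_controls.get(person, set())
        for a, b in combinations(sorted(roster[person]), 2):
            pair = frozenset({a, b})
            if pair in INCOMPATIBLE_PAIRS:
                status = "compensated" if pair in covered else "violation"
                findings.append((person, a, b, status))
    return findings


def violations(roster, compensating_controls=None):
    """Only the findings that no compensating control covers."""
    return [f for f in find_conflicts(roster, compensating_controls) if f[3] == "violation"]


# Constructed sample roster (not real data).
SAMPLE_ROSTER = """
alice: systems_development, computer_operations
bob: database_administration
carol: systems_maintenance, data_conversion   # small shop; supervisor reviews her batches
dave: computer_operations, data_library
"""

# Documented compensating controls: carol's dual role is covered by supervisory review.
SAMPLE_CONTROLS = {"carol": {frozenset({"systems_maintenance", "data_conversion"})}}

if __name__ == "__main__":
    for person, a, b, status in find_conflicts(parse_roster(SAMPLE_ROSTER), SAMPLE_CONTROLS):
        print(f"{status:12} {person}: {a} + {b}")
```

Alice's combination of development and operations is reported as a violation; Carol's is reported as compensated because a control is on record for exactly that pair. Without the controls dictionary both would be violations, which is the point of recording compensating controls per person and per pair rather than as a blanket waiver.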
1. Physical Location - directly affects the risk of destruction from natural or man-made disasters. Computer centers should:
2. Construction - the computer center should be located in a single-story building of solid construction with controlled
access; utility lines should be underground; building windows should not open; and an air filtration system should be in place
3. Access - to the computer center should be limited to the operators and other employees who work there. Physical Controls:
locked doors, keypad or swipe card, monitored by closed-circuit cameras & video recording systems
4. Air Conditioning - computers function best in an air-conditioned environment, and providing adequate air conditioning is often
a requirement of the vendor’s warranty.
5. Fire Suppression
Effective Fire Suppression System:
Fire exits
6. Fault Tolerance - ability of the system to continue operation when part of the system fails because of hardware failure,
application program error, or operator error.
Redundant arrays of independent disks (RAID) - involves using parallel disks that contain redundant elements of data and
applications
Uninterruptible power supplies - in the event of a power outage, these devices provide backup power for a reasonable
period to allow commercial power service to be restored (e.g., voltage regulators, surge protectors, generators, and backup
batteries)
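The RAID entry above says only that parallel disks hold "redundant elements" of the data. The block below is an added example, not from the notes: it simulates one stripe of a RAID 4-style array (data blocks on separate disks plus one dedicated parity disk; RAID 5 uses the same XOR parity but rotates it across disks), shows how a single failed disk is rebuilt from the survivors, and makes the failure mode explicit by refusing to read a stripe that has lost two disks. The sample record is constructed.

```python
from functools import reduce


def xor_bytes(*blocks):
    """XOR equal-length byte blocks together (the parity operation)."""
    return bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*blocks))


def write_stripe(data, n_data):
    """Split one stripe of data across n_data disks (zero-padded to equal blocks)
    and append a dedicated parity disk holding the XOR of all data blocks."""
    block = -(-len(data) // n_data)  # ceiling division
    padded = data.ljust(block * n_data, b"\x00")
    blocks = [padded[i * block:(i + 1) * block] for i in range(n_data)]
    return blocks + [xor_bytes(*blocks)]


def fail_disk(disks, index):
    """Simulate a disk failure: its block becomes None (unreadable)."""
    damaged = list(disks)
    damaged[index] = None
    return damaged


def recoverable(disks):
    """Single-parity RAID tolerates exactly one lost disk per stripe."""
    return sum(d is None for d in disks) <= 1


def verify_parity(disks):
    """On an intact array the XOR of all disks (data + parity) is all zeros."""
    return all(d is not None for d in disks) and not any(xor_bytes(*disks))


def read_stripe(disks, n_data):
    """Return the stripe's data, rebuilding a single missing disk from the others."""
    if not recoverable(disks):
        raise RuntimeError("more than one disk lost: stripe is unrecoverable")
    disks = list(disks)
    for i, d in enumerate(disks):
        if d is None:
            # Any one disk is the XOR of all the others, data or parity alike.
            disks[i] = xor_bytes(*(b for b in disks if b is not None))
            break
    return b"".join(disks[:n_data])


# Constructed sample record: 32 bytes, so 4 data disks each hold an 8-byte block.
SAMPLE = b"TXN-0042 DR 125.00 ACCT 00007781"

if __name__ == "__main__":
    array = write_stripe(SAMPLE, 4)
    print("parity ok:", verify_parity(array))
    print("after losing disk 1:", read_stripe(fail_disk(array, 1), 4))
```

Note what this does and does not protect against: a second disk failing before the first is rebuilt makes the stripe unrecoverable, and a bad write that reaches all disks is faithfully mirrored into the parity, so RAID is not a substitute for the backup procedures discussed under disaster recovery.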
Audit Objectives:
Physical security controls must be adequate to reasonably protect the organization from physical exposures
Insurance coverage on equipment must be adequate to compensate the organization for the destruction of, or damage to,
its computer center
Audit Procedures:
Tests of RAID
Types of Disasters:
1. Natural Disasters - most devastating because they can simultaneously impact many organizations within the affected
geographic area
2. Human-made Disasters - e.g., sabotage or errors; can be destructive to an individual organization but tend to be
limited in their scope of impact
3. System Failure - e.g., power outages or hard-drive failure are generally less severe, but most likely to occur
1. Identify critical applications - recovery efforts must concentrate on restoring applications that are critical to the
short-term survival of the organization.
Second-site backup options:
a) Mutual Aid Pact - an agreement between two or more organizations to aid each other with their data processing needs
in the event of a disaster
b) Empty Shell/Cold Site Plan - an arrangement wherein the company buys or leases a building that will serve as a data
center.
c) Recovery Operations Center/Hot Site - a fully equipped backup data center that many companies share
d) Internally Provided Backup - larger organizations often prefer the self-reliance that creating internal excess capacity
provides
Backup procedures:
a) Operating System Backup - if the company uses a cold site or another site backup method that does not include a
compatible operating system, procedures for obtaining a current version of the operating system need to be clearly
specified.
b) Application Backup - DRP should include procedures to create copies of current versions of critical applications
c) Backup Data Files - remote mirrored site provides complete data currency
d) Backup Documentation - system documentation for critical applications should be backed up and stored off-site
along with the application
e) Backup supplies and source documents - organizations should create backup inventories of supplies and source
documents used in processing critical transactions
Audit Objective: The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a
catastrophe that could deprive the organization of its computing resources
Audit Procedures:
Site Backup
Software backup
Data backup
IT outsourcing - an arrangement in which third-party vendors take over responsibility for the management of IT assets and staff
and for the delivery of IT services, such as data entry, data center operations, applications development, applications
maintenance, and network management.
Core Competency Theory - argues that an organization should focus exclusively on its core business competencies, while allowing
outsourcing vendors to efficiently manage non-core areas such as IT functions.
Commodity IT assets - include things such as network management, systems operations, server maintenance, help-desk
function
Specific IT assets - unique to the organization and support its strategic objectives
Transaction Cost Economics (TCE) theory - is in conflict with the core competency school by suggesting that firms should retain
certain specific non-core IT assets in-house
Risks of IT outsourcing:
Failure to perform
Vendor exploitation
Reduced security
"The definitive standard by which client organizations' auditors can gain knowledge that controls at the third-party vendor are
adequate to prevent or detect material errors that could impact the client's financial statements." - Statement on Auditing
Standards No. 70 (SAS 70)
(SAS 70 has since been superseded: service-organization control reports of this kind are now issued under SSAE 18 as SOC 1 reports.)