Ch2 [AD30].pdf

Management (MGH)
Julie Mc Carthy

Lecture: __________

CHAPTER 2: AUDITING IT GOVERNANCE CONTROLS

This chapter presents risks, controls, and tests of controls related to IT governance. You should:
• Understand the risks of incompatible functions and how to structure the IT function.
• Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities.
• Understand the key elements of a disaster recovery plan.
• Be familiar with the benefits, risks, and audit issues related to IT outsourcing.

--------------------------------------------------

INFORMATION TECHNOLOGY GOVERNANCE

Overview: Key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation. Modern IT governance, however, follows the philosophy that all corporate stakeholders be active participants in key IT decisions. Such broad-based involvement reduces risk and increases the likelihood that IT decisions will be in compliance with user needs, corporate policies, strategic initiatives, and internal control requirements under SOX.

Three IT governance issues exist:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

--------------------------------------------------

STRUCTURE OF IT FUNCTION

Centralized Data Processing: all data processing is performed by one or more large computers housed at a central site that serves all users. IT services activities are consolidated and managed as a shared organization resource. The IT services function is usually treated as a cost center whose operating costs are charged back to the end users.

[Figure 2.1: Centralized Data Processing Approach. Marketing, Finance, Production, Distribution, and Accounting are served by IT Services; flow labels: Data, Information, Cost Chargeback.]

Class Notes: __________

[Figure 2.2: organizational chart of a centralized IT services structure, showing its primary service areas.]

IT Primary Services:
• Data Administration: an independent group responsible for the security and integrity of the database.
• Data Processing: the processing group manages the computer resources used to perform the day-to-day processing of transactions.
• System Development and Maintenance: responsible for analyzing user needs and for designing new systems to satisfy those needs. The systems maintenance group assumes responsibility for keeping the system current with user needs. The term maintenance refers to making changes to program logic to accommodate shifts in user needs over time.

Segregation of Incompatible IT Functions:
• Separating Systems Development from Computer Operations - Systems development and maintenance professionals should create (and maintain) systems for users, and should have no involvement in entering data or running applications. Operations staff should run these systems and have no involvement in their design. These functions are inherently incompatible, and consolidating them invites errors and fraud.
• Separating Database Administration from Other Functions - Segregation of the database administrator (DBA) from other computer center functions. The DBA function is responsible for a number of critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion.
• Separating New Systems Development from Maintenance - potential issues:
1. Inadequate Documentation - this results because programmers are not interested in documenting, and because poorly documented systems provide job security (the programmer becomes indispensable).
2. Program Fraud - audit trails can be covered up.

The Distribution Model: DDP involves reorganizing the central IT function into small IT units that are placed under the control of end users. The IT units may be distributed according to business function, geographic location, or both. The degree to which they are distributed will vary depending upon the philosophy and objectives of the organization’s management. In alternative A, terminals (or microcomputers) are distributed to end users for handling input and output. Under this model, however, systems development, computer operations, and database administration remain centralized. In alternative B, connections represent a networking arrangement that permits communication and data transfers between the units.

Class Notes: __________

[Figure 2.4: Two Distributed Data Processing Approaches. Panel A: Accounting, Marketing, Finance, and Production functions around Centralized Computer Services (Database, Systems Development, Processing). Panel B: Accounting, Marketing, Finance, and Production functions.]

Risks Associated with DDP:
1. Inefficient Use of Resources. DDP can expose an organization to three types of risks associated with inefficient use of organizational resources:
A. The risk of mismanagement of organization-wide IT resources by end users. [...] threshold amount, for example 5 percent of the total operations budget, effective IT governance requires central management and monitoring of such resources. For many organizations, IT services including computer operations, programming, data conversion, and database management meet or exceed this threshold.
B. The risk of operational inefficiencies because of redundant tasks being performed within the end-user committee. Autonomous systems development initiatives distributed throughout the firm can result in each user area reinventing [...]
C. Risk of incompatible hardware and software among end-user functions. Distributing the responsibility for IT purchases to end users may result in uncoordinated and poorly conceived decisions.
2. Destruction of Audit Trails
3. Inadequate Segregation of Duties - Within a single unit the same person may write application programs, perform program maintenance, enter transaction data into the computer, and operate the computer equipment. Such a situation would be a fundamental violation of internal control.

Class Notes: __________

Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.

4. Hiring Qualified Professionals - If the organizational unit into which a new employee is entering is small, the opportunity for promotion may be limited. Therefore, managers may experience difficulty attracting highly qualified personnel. The risk of programming errors and system failures increases directly with the level of employee incompetence.
5. Lack of Standards - Because of the distribution of responsibility in the DDP environment, standards for developing and documenting systems, choosing programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or even nonexistent.

Advantages of DDP:
1. Cost Reduction - (1) the cost of running and supporting complex centralized systems is reduced; (2) data can be edited and entered by the end user, thus eliminating the centralized task of data preparation; and (3) application complexity can be reduced, which in turn reduces systems development and maintenance costs.
2. Improved Cost Control Responsibility - End-user managers carry the responsibility for the financial success of their operations.
3. Improved User Satisfaction - DDP proponents claim that distributing systems to end users improves three areas of need that too often go unsatisfied in the centralized model: (1) as previously stated, users desire to control the resources that influence their profitability; (2) users want systems professionals (analysts, programmers, and computer operators) to be responsive to their specific situation; and (3) users want to become more actively involved in developing and implem