CHAPTER 2: AUDITING IT GOVERNANCE CONTROLS
This chapter presents risks, controls and tests of controls related to IT governance. You should:
• Understand the risks of incompatible functions and how to structure the IT function.
• Be familiar with the controls and precautions required to ensure the security of an
organization’s computer facilities.
• Understand the key elements of a disaster recovery plan.
• Be familiar with the benefits, risks, and audit issues related to IT outsourcing.
INFORMATION TECHNOLOGY GOVERNANCE
Overview: Key objectives of IT governance are to reduce risk and ensure that investments in IT
resources add value to the corporation. Modern IT governance, however, follows the philosophy that
all corporate stakeholders be active participants in key IT decisions. Such broad-based involvement
reduces risk and increases the likelihood that IT decisions will be in compliance with user needs,
corporate policies, strategic initiatives, and internal control requirements under SOX.
Three IT governance issues are covered in this chapter:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
STRUCTURE OF IT FUNCTION
Centralized Data Processing: all data processing is performed by one or more large computers
housed at a central site that serves all users. IT services activities are consolidated and managed
as a shared organization resource, and end users compete for these resources on the basis of need.
The IT services function is usually treated as a cost center whose operating costs are charged back
to the end users. Figure 2.1 illustrates this approach; Figure 2.2 illustrates a centralized IT
services structure and shows its primary service areas, which are listed below.
[Figure 2.1: the centralized data processing approach. Organization chart showing the Finance,
Accounting and IT functions, with IT costs charged back to the user functions.]
Class Notes:
IT Primary Services:
• Data Administration: an independent group responsible for the security and integrity of the
database.
• Data Processing: the data processing group manages the computer resources used to perform the
day-to-day processing of transactions.
• System Development and Maintenance: the systems development group is responsible for analyzing
user needs and for designing new systems to satisfy those needs. The systems maintenance group
assumes responsibility for keeping those systems current with user needs. The term maintenance
refers to making changes to program logic to accommodate shifts in user needs over time.
Segregation of Incompatible IT Functions:
• Separating Systems Development from Computer Operations - Systems development and
maintenance professionals should create (and maintain) systems for users, and should have no
involvement in entering data or running applications. Operations staff should run these systems
and have no involvement in their design. These functions are inherently incompatible, and
consolidating them invites errors and fraud.
• Separating Database Administration from Other Functions - The database administrator (DBA)
should be segregated from other computer center functions. The DBA function is responsible for a
number of critical tasks pertaining to database security, including creating the database schema
and user views, assigning database access authority to users, monitoring database usage, and
planning for future expansion.
• Separating New Systems Development from Maintenance - if the same programmers both develop
and maintain systems, two problems can arise:
1. Inadequate Documentation - this results because programmers are not interested in
documenting, and because poor documentation provides job security (the programmer becomes
indispensable).
2. Program Fraud - audit trails can be covered up.
The Distributed Model: distributed data processing (DDP) involves reorganizing the central IT
function into small IT units that are placed under the control of end users. The IT units may be
distributed according to business function, geographic location, or both. The degree to which they
are distributed will vary depending upon the philosophy and objectives of the organization’s
management. In alternative A, terminals (or microcomputers) are distributed to end users for
handling input and output; under this model, however, systems development, computer operations,
and database administration remain centralized. In alternative B, the connections between the
units represent a networking arrangement that permits communication and data transfers between them.
[Figure residue: organization chart showing a centralized data processing function serving the
Accounting and Marketing functions.]
Risks Associated with DDP:
1. Inefficient Use of Resources - DDP can expose an organization to three types of risk associated
with inefficient use of organizational resources:
A. The risk of mismanagement of organization-wide IT resources by end users. Where such resources
exceed a threshold amount, for example 5 percent of the total operations budget, effective IT
governance requires central management and monitoring of them; for many organizations, IT services
including computer operations, programming, data conversion, and database management meet or
exceed this threshold.
B. The risk of operational inefficiencies because of redundant tasks being performed within the
end-user community.
C. The risk of incompatible hardware and software among end-user functions. Distributing the
responsibility for IT purchases to end users may result in uncoordinated purchases.
2. Destruction of Audit Trails.
3. Inadequate Segregation of Duties - Within a single unit the same person may write application
programs, perform program maintenance, enter transaction data into the computer, and operate the
computer equipment. Such a situation would be a fundamental violation of internal control.
4. Hiring Qualified Professionals - If the organizational unit into which a new employee is entering
is small, the opportunity for promotion may be limited. Therefore, managers may experience
difficulty attracting highly qualified personnel. The risk of programming errors and system
failures increases directly with the level of employee incompetence.
5. Lack of Standards - Because of the distribution of responsibility in the DDP environment,
standards for developing and documenting systems, choosing programming languages,
acquiring hardware and software, and evaluating performance may be unevenly applied.
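The segregation rules above (development vs. operations, DBA vs. other computer center functions, development vs. maintenance) and the DDP single-unit case in risk 3 can both be checked mechanically against role assignments. The following is an added example, not from the textbook or the class notes; the role names and the sample assignments are constructed for illustration, and an auditor would load real assignments from the organization's access records instead.

```python
"""Segregation-of-duties (SoD) check for IT-function role assignments.

Added example: encodes the chapter's incompatible-function pairs as a
conflict matrix and flags any principal (person or unit) holding both
sides of a pair. Role names and sample data are constructed.
"""
from itertools import combinations

# Incompatible pairs drawn from the chapter's segregation rules:
# development/maintenance vs. operations and data entry, new development
# vs. maintenance, and the DBA vs. the other computer center functions.
INCOMPATIBLE = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "data_entry"}),
    frozenset({"systems_maintenance", "computer_operations"}),
    frozenset({"systems_maintenance", "data_entry"}),
    frozenset({"systems_development", "systems_maintenance"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "systems_maintenance"}),
    frozenset({"database_administration", "data_entry"}),
}


def sod_conflicts(assignments):
    """Return {principal: sorted list of (role, role) pairs that conflict}."""
    findings = {}
    for who, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in combinations(set(roles), 2)
                if frozenset(pair) in INCOMPATIBLE]
        if hits:
            findings[who] = sorted(hits)
    return findings


# Constructed sample: a properly segregated central shop, plus a DDP unit in
# which one person writes, maintains, enters data for and operates the
# application (the chapter's "fundamental violation of internal control").
SAMPLE = {
    "central/alice": ["systems_development"],
    "central/bob": ["computer_operations"],
    "central/carol": ["database_administration"],
    "ddp-marketing/dave": ["systems_development", "systems_maintenance",
                           "data_entry", "computer_operations"],
}

if __name__ == "__main__":
    for who, pairs in sod_conflicts(SAMPLE).items():
        for role_a, role_b in pairs:
            print(f"SoD conflict: {who} holds both {role_a} and {role_b}")
```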
Advantages of DDP:
1. Cost Reduction - DDP can (1) reduce the cost of running and supporting complex centralized
systems; (2) let data be edited and entered by the end user, thus eliminating the centralized task
of data preparation; and (3) reduce application complexity, which in turn reduces systems
development and maintenance costs.
2. Improved Cost Control Responsibility - End-user managers carry the responsibility for the
financial success of their operations.
3. Improved User Satisfaction - DDP proponents claim that distributing systems to end users
improves three areas of need that too often go unsatisfied in the centralized model: (1) as
previously stated, users desire to control the resources that influence their profitability; (2) users
want systems professionals (analysts, programmers, and computer operators) to be responsive
to their specific situation; and (3) users want to become more actively involved in developing