MGHB02H3 Study Guide - Disaster Recovery Plan, Cengage Learning, Database Administrator

Published on 18 Apr 2014
School: UTSC
Department: Management (MGH)
Course: MGHB02H3
CHAPTER 2: AUDITING IT GOVERNANCE CONTROLS
This chapter presents the risks, controls and tests of controls related to IT governance. You should:
Understand the risks of incompatible functions and how to structure the IT function.
Be familiar with the controls and precautions required to ensure the security of an
organization’s computer facilities.
Understand the key elements of a disaster recovery plan.
Be familiar with the benefits, risks, and audit issues related to IT outsourcing.
-----------------------------------------------------------------------------------------------------------------------------------
INFORMATION TECHNOLOGY GOVERNANCE
Overview: The key objectives of IT governance are to reduce risk and to ensure that investments in IT
resources add value to the corporation. Modern IT governance follows the philosophy that all corporate
stakeholders should be active participants in key IT decisions. Such broad-based involvement reduces
risk and increases the likelihood that IT decisions will comply with user needs, corporate policies,
strategic initiatives, and the internal control requirements of SOX. Three IT governance issues are
examined in this chapter:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
-----------------------------------------------------------------------------------------------------------------------------------
STRUCTURE OF IT FUNCTION
Centralized Data Processing: all data processing is performed by one or more large computers housed at a
central site that serves all users. IT services activities are consolidated and managed as a shared
organization resource.
organization. Figure 2.1 illustrates this approach, in which IT services activities are consolidated and
managed as a shared organization resource. End users compete for these resources on the basis of need.
The IT services function is usually treated as a cost center whose operating costs are charged back to
the end users. Figure 2.2 illustrates a centralized IT services structure and shows its primary service
areas: database administration,
FIGURE 2.1 Centralized Data Processing Approach: a single IT Services function serves Finance, Marketing,
Production, Distribution and Accounting; the user areas send it data, receive information back, and are
charged for the service (cost chargeback).
FIGURE 2.2 Organizational Chart of a Centralized Information Technology Function: the President has VPs of
Finance, Administration, Operations, Marketing and IT Services. The VP IT Services oversees three areas:
the Systems Development Manager (New Systems Development, Systems Maintenance), the Database
Administrator, and the Data Processing Manager (Data Conversion, Computer Operations, Data Library).
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
IT Primary Services:
Database Administration: an independent group responsible for the security and integrity of the
database.
Data Processing: the data processing group manages the computer resources used to perform the day-
to-day processing of transactions.
Systems Development and Maintenance: the systems development group is responsible for analyzing user
needs and for designing new systems to satisfy those needs. The systems maintenance group assumes
responsibility for keeping existing systems current with user needs. The term maintenance refers to
making changes to program logic to accommodate shifts in user needs over time.
Segregation of Incompatible IT Functions:
Separating Systems Development from Computer Operations - Systems development and maintenance
professionals should create (and maintain) systems for users and should have no involvement in
entering data or running applications. Operations staff should run these systems and have no
involvement in their design. These functions are inherently incompatible, and consolidating them
invites errors and fraud: a person who can both change program logic and process live transactions can
alter results without anyone else noticing.
Separating Database Administration from Other Functions - The database administrator (DBA) should be
segregated from the other computer center functions. The DBA function is responsible for a number of
critical tasks pertaining to database security, including creating the database schema and user views,
assigning database access authority to users, monitoring database usage, and planning for future
expansion. Because the DBA decides who may reach which data, combining this role with development or
operations would let one person both grant and exercise access.
Separating New Systems Development from Maintenance - when the programmers who develop a system also
maintain it, two problems arise:
1. Inadequate Documentation - programmers generally have little interest in documenting, and a poorly
documented system makes the programmer who wrote it indispensable (job security).
2. Program Fraud - the original programmer, kept on as maintainer, can insert fraudulent code and
later remove it or alter the audit trail to cover it up.
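As an added example (not from the study guide or the Cengage textbook), the following SQL shows how the DBA duties listed above (schema creation, user views, access authority, usage monitoring) can be enforced inside the database so that developers, operators and end users each get only the access their role requires. It assumes PostgreSQL; the role, schema, table and column names (dba_admin, app_developer, app_operator, ar_clerk, prod.customer) are hypothetical.

```sql
-- Added example (not from the study guide or the textbook). Assumes PostgreSQL.
-- All role, schema, table and column names below are hypothetical.
-- Each DBA duty named in the text maps to a statement here:
--   schema creation  -> CREATE SCHEMA / CREATE TABLE owned by the DBA role
--   user views       -> CREATE VIEW exposing only the columns a user needs
--   access authority -> GRANT to group roles, never to individuals directly
--   usage monitoring -> query the catalog for what each role can reach
-- Run as a superuser.

-- Group roles with no login; people are added with GRANT <role> TO <user>.
CREATE ROLE dba_admin     NOLOGIN;
CREATE ROLE app_developer NOLOGIN;
CREATE ROLE app_operator  NOLOGIN;
CREATE ROLE ar_clerk      NOLOGIN;

-- The production schema is owned by the DBA role; nobody else may create in it.
CREATE SCHEMA prod AUTHORIZATION dba_admin;
REVOKE ALL ON SCHEMA prod FROM PUBLIC;

-- Objects are created as the DBA role so the role, not an individual, owns them.
SET ROLE dba_admin;
CREATE TABLE prod.customer (
    cust_id      integer        PRIMARY KEY,
    name         text           NOT NULL,
    credit_limit numeric(12,2)  NOT NULL,
    tax_id       text           NOT NULL   -- sensitive: must not reach clerks
);
-- User view: the DBA decides what a clerk sees (no tax_id, no credit_limit).
CREATE VIEW prod.customer_clerk_v AS
    SELECT cust_id, name FROM prod.customer;
RESET ROLE;

-- Computer operations: may run the application against production data,
-- but has no CREATE on the schema and owns nothing, so it cannot ALTER or DROP.
GRANT USAGE ON SCHEMA prod TO app_operator;
GRANT SELECT, INSERT, UPDATE ON prod.customer TO app_operator;

-- Systems development/maintenance: a separate schema to work in, and
-- deliberately no privilege at all on schema prod (cannot read live data).
CREATE SCHEMA dev AUTHORIZATION app_developer;

-- End user: the view only, never the base table.
GRANT USAGE ON SCHEMA prod TO ar_clerk;
GRANT SELECT ON prod.customer_clerk_v TO ar_clerk;

-- Monitoring: what each role can actually do on every table and view in prod.
-- Any TRUE that the grants above do not explain is a segregation failure.
SELECT r.rolname                                      AS role_name,
       c.relname                                      AS object_name,
       has_table_privilege(r.rolname, c.oid, 'SELECT') AS can_select,
       has_table_privilege(r.rolname, c.oid, 'UPDATE') AS can_update
FROM   pg_roles r
CROSS JOIN pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'prod'
  AND  c.relkind IN ('r', 'v')
  AND  r.rolname IN ('dba_admin', 'app_developer', 'app_operator', 'ar_clerk')
ORDER  BY r.rolname, c.relname;

-- The separation seen from the other side. Each statement below fails, and a
-- failure aborts a script, so they are left as comments:
-- SET ROLE app_developer; SELECT * FROM prod.customer;                -- permission denied for schema prod
-- SET ROLE app_operator;  ALTER TABLE prod.customer DROP COLUMN tax_id; -- must be owner of table customer
-- SET ROLE ar_clerk;      SELECT tax_id FROM prod.customer;            -- permission denied for table customer
```

The point of granting to group roles rather than to named users is that the monitoring query stays meaningful as staff change: the auditor compares the privilege matrix against the intended segregation, and a person who moves from development to operations is moved between roles instead of accumulating both sets of rights.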
The Distributed Model: Distributed data processing (DDP) involves reorganizing the central IT function
into small IT units that are placed under the control of end users. The IT units may be distributed
according to business function, geographic location, or both. The degree to which they are distributed
varies with the philosophy and objectives of the organization's management. Figure 2.4 shows two
alternatives. In alternative A, terminals (or microcomputers) are distributed to end users for handling
input and output, but systems development, computer operations, and database administration remain
centralized. In alternative B, the units are linked to one another; the connections represent a
networking arrangement that permits communication and data transfers between the units.
Risks Associated with DDP
This section discusses the organizational risks that need to be considered when implementing DDP. The
discussion focuses on important issues that carry control implications that auditors should recognize.
Potential problems include the inefficient use of resources, the destruction of audit trails, inadequate
segregation of duties, increased potential for programming errors and systems failures, and the lack of
standards.
Inefficient Use of Resources. DDP can expose an organization to three types of risks associated with
inefficient use of organizational resources. These are outlined below.
First is the risk of mismanagement of organization-wide IT resources by end users. Some argue that when
organization-wide IT resources exceed a threshold amount, for example 5 percent of the total operations
budget, effective IT governance requires central management and monitoring of such resources. For many
organizations, IT services including computer operations, programming, data conversion, and database
management meet or exceed this threshold.
Second, DDP can increase the risk of operational inefficiencies because of redundant tasks being
performed within the end-user community. Autonomous systems development initiatives distributed
throughout the firm can result in each user area reinventing
FIGURE 2.4 Two Distributed Data Processing Approaches: in A, the Accounting, Finance, Marketing and
Production functions each connect to Centralized Computer Services (Database, Systems Development,
Processing); in B, the same four functions are networked directly to one another.
Risks Associated with DDP (summary):
1. Inefficient Use of Resources.
A. The risk of mismanagement of organization-wide IT resources by end users.
B. The risk of operational inefficiencies because of redundant tasks being performed within the
end-user community.
C. The risk of incompatible hardware and software among end-user functions. Distributing the
responsibility for IT purchases to end users may result in uncoordinated and poorly conceived
decisions.
2. Destruction of Audit Trails - in DDP the audit trail is spread across many independent units, and any
one unit can lose, overwrite or fail to retain its part of it.
3. Inadequate Segregation of Duties - Within a single unit the same person may write application
programs, perform program maintenance, enter transaction data into the computer, and operate the
computer equipment. Such a situation would be a fundamental violation of internal control.
