
Chapter 2 _ Auditing IT Governance Controls.docx


Department
Financial Accounting
Course
MGAD30H3
Professor
Peter
Semester
Summer

Description
Chapter 2 – Auditing IT Governance Controls

Overview
• IT governance with IC and financial reporting implications
• Computer threats and controls
• Disaster recovery plan, backup
• IT outsourcing

IT Governance
• IT governance aims to reduce risk and ensure that investments in IT resources add value to the corporation
• Stakeholders, BoD, management are active participants in key IT decisions

IT Governance Controls
• 3 issues regarding SOX and COSO IC framework
  o Organizational structure of the IT function
  o Computer center operations
  o Disaster recovery planning

Structure of the information technology function
• Two types of IT structures: centralized and distributed approach

Centralized data processing
• Centralized data processing model: all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization
• When information is shared, the database administrator (DBA) is responsible for the security and integrity of the database
• Data processing group has 3 functions: data conversion, computer operations, and data library
  o Transcribe transaction data from hard-copy source documents into computer input
  o Converted data are processed by the central computer, which is managed by the computer operations group
  o Safe storage for the off-line data
• System development analyzes user needs and designs systems to satisfy those needs
• System maintenance assumes responsibility for keeping the system current with user needs

Segregation of incompatible IT functions
• 3 operational tasks that should be segregated:
  o Separate transaction authorization from transaction processing
  o Separate record keeping from asset custody
  o Divide transaction-processing tasks among individuals such that, short of collusion between 2+ individuals, fraud is not possible
• Separating systems development from computer operations
  o Systems development and maintenance professionals should create systems for users, and should have no involvement in entering data or running applications
  o Operations staff should run systems and have no involvement in their design. With detailed knowledge of an application's logic and control parameters and access to the computer's operating system and utilities, an individual could make unauthorized changes to the application during its execution
• Separating database administration from other functions
  o The database administrator (DBA) should be separate from other computer center functions
  o The DBA is responsible for database security, creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion
• Separating new systems development from maintenance
  o Systems development is organized into 2 groups: systems analysts and programming
  o Systems analysts work to produce detailed designs of the new systems. The programming group codes the programs according to the design specs. The programmer who codes the program also maintains the system. This causes 2 control problems: inadequate documentation and program fraud:
    ▪ Documenting systems is not fun; programmers prefer to work on the next project. Also, this raises concerns re job security: inadequate documentation makes them more valuable
    ▪ The original programmer may conceal fraudulent code. The programmer may disable the fraudulent code during inspection
  o Superior structure for systems development
    ▪ Systems development function is divided into 2 groups: new systems development and systems maintenance
    ▪ Designing, programming and implementation
    ▪ Upon successful implementation, ongoing maintenance falls to the systems maintenance group
    ▪ Documentation standards improve as the maintenance group requires documentation to perform their tasks
    ▪ Denying the programmer future access to the program deters program fraud

The distributed Model
• Distributed data processing (DDP) involves reorganizing the central IT function into small IT units. There are two ways:
  o Terminals are distributed to end users for handling input and output
  o Distributes all computer services to the end users
• Risks
  o Inefficient use of resources – risk of mismanagement of organization-wide IT resources by end users, increased risk of operational inefficiencies because of redundant tasks being performed within the end-user committee, and incompatible hardware and software among end-user functions
  o Destruction of audit trails
  o Inadequate segregation of duties
  o Hiring qualified professionals
  o Lack of standards
• Advantages of DDP
  o Cost reductions – (1) data c