Information Technology Governance Controls

PRESENTED BY: DEL MUNDO, GIAH DAVYN; ELEAZAR, JESSA MARIE; GONZALES, TYRON RYAN; GUILLERMO, MAUREEN; VERZOSA, LEVY


Information Technology Governance

Management and assessment of Information technology resources

How organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance.

Defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.

Objectives of Information Technology Governance

Reduce risk

Ensure that IT resources increase the value of the firm

Issues addressed by SOX and COSO

(a) Organizational structure of the IT function

(b) Computer center operations

(c) Disaster recovery planning

Structure of the IT function

Models:

a.) Centralized data processing

b.) The Distributed model

A. Centralized Data Processing

Processing is performed in one computer or in a cluster of coupled computers in a single location.

IT services:

Database administration

Data processing

Systems development and maintenance

Database Administration

Database administration is the function by which a central, shared database is monitored, maintained and managed by a database administrator. It gives the organization control over its data assets, including how they are processed and how they interact with different applications and business processes.

Data Processing

Data Conversion – transcribing data into a computer readable format

Computer Operations – processing of the data after it has been transcribed

Data library – Storage of offline data that is used to back up current data and information

System Development and Maintenance

System development - analyzing user needs for designing new systems

Maintenance - making changes to the program to accommodate user needs over time

Segregation of duties

Systems development from computer operations

Database administration from other functions

New systems development from maintenance (addresses two risks: inadequate documentation and program fraud)

B. The Distributed Model

Distributed data processing (DDP) reorganizes the IT function into small information processing units that are distributed to, and managed by, end users.

Distribution may be by business function, geographic location, or both.

Risks of DDP

🚥 Inefficient Use of Resources

🔹 Risk of mismanagement of organization-wide IT resources

🔹 Risk of operational inefficiencies

🔹 Risk of data redundancy across units

🔹 Risk of incompatible hardware and software

🚥 Destruction of Audit Trails

🚥 Inadequate Segregation of Duties

🚥 Difficulty Hiring Qualified Professionals

🚥 Lack of Standards

Advantages of DDP

🚥 Cost Reduction

👉Data can be edited and entered by end users

👉Application complexity can be reduced

🚥 Improved Cost Control Responsibility

🚥 Backup Flexibility

👉 Requires coordination among end user managers

Improving/Controlling DDP

🚄 Implement Corporate IT Function

A corporate IT function alleviates potential problems associated with distributed IT organizations by providing:

🚥 Central testing of Commercial Software and Hardware

🚥 User Services Staff

🔹 Technical help

🔹 Electronic Bulletin Board

🔹 Chat rooms

🔹 Help desk

🔹 Technical courses

🚥 Standard-Setting Body

🚥 Personnel Review

🔹 Employment decisions and reviewing technical credentials

Figure: Distributed Organization with Corporate Information Technology Function

Audit Objective

Verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk, and in a manner that promotes a working environment in which formal, rather than casual, relationships exist between incompatible tasks.

Audit Procedures

🚥 Review the corporate policy regarding computer security

🔹 Verify whether policy is communicated to employees

🚥 Review documentation to determine incompatible functions

🚥 Review systems documentation and maintenance records

🔹 Verify that maintenance programmers are not also design programmers

🚥 Observe if segregation policies are followed in practice.

🔹 For example, check operations room access logs to determine if programmers enter for reasons other than system failures

🚥 Review user rights and privileges

🔹 Verify that programmers' access privileges are consistent with their job descriptions
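The three segregation-of-duties tests above (operations-room access logs, maintenance versus design programmers, privileges versus job descriptions) as an added worked example in Python. This is not code from the original presentation; the role names, the badge-log and user-rights formats, the failure-ticket windows, the program assignments and the privilege matrix are constructed assumptions for illustration.

```python
"""Audit checks for segregation of duties in the IT function.

Added example, not from the original deck. Implements three of the audit
procedures: (1) programmers entering the operations room when no system
failure was open, (2) user privileges inconsistent with job descriptions,
(3) programs whose designer is also their maintainer. All data below is
constructed for illustration.
"""
from datetime import datetime

# Constructed role map (assumption).
STAFF_ROLES = {
    "alice": "maintenance_programmer",
    "bob": "design_programmer",
    "carol": "computer_operator",
    "dave": "database_administrator",
}

# Constructed job-description privilege matrix (assumption): the privileges
# each role may hold. Anything outside the set is a finding.
ALLOWED_PRIVILEGES = {
    "maintenance_programmer": {"source_repo_write", "test_env_deploy"},
    "design_programmer": {"source_repo_write", "test_env_deploy"},
    "computer_operator": {"prod_job_schedule", "ops_room_badge"},
    "database_administrator": {"db_admin", "ops_room_badge"},
}

# Constructed badge log, one "timestamp,user,door" record per line (assumption).
BADGE_LOG = """\
2024-03-01T09:05:00,carol,ops_room
2024-03-01T10:12:00,alice,ops_room
2024-03-01T14:30:00,bob,ops_room
2024-03-02T08:00:00,dave,ops_room
"""

# Constructed system-failure tickets: (id, opened, closed). A programmer in the
# ops room inside one of these windows is a legitimate entry.
FAILURE_TICKETS = [
    ("INC-1", datetime(2024, 3, 1, 10, 0), datetime(2024, 3, 1, 11, 0)),
]

# Constructed user-rights export, "user,privilege" per line (assumption).
USER_RIGHTS = """\
alice,source_repo_write
alice,prod_job_schedule
bob,source_repo_write
carol,prod_job_schedule
dave,db_admin
"""

# Constructed maintenance records: who designed and who maintains each program.
PROGRAM_ASSIGNMENTS = {
    "payroll": {"designer": "bob", "maintainer": "alice"},
    "ar_ledger": {"designer": "bob", "maintainer": "bob"},
}


def parse_badge_log(text):
    """Parse 'timestamp,user,door' lines into (datetime, user, door) tuples."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, door = line.split(",")
        entries.append((datetime.fromisoformat(ts), user, door))
    return entries


def check_ops_room_access(badge_log, tickets, roles):
    """Flag programmers who badged into the ops room outside any failure window."""
    findings = []
    for ts, user, door in parse_badge_log(badge_log):
        if door != "ops_room" or not roles.get(user, "").endswith("programmer"):
            continue
        covered = any(opened <= ts <= closed for _, opened, closed in tickets)
        if not covered:
            findings.append((user, ts))
    return findings


def check_privileges(user_rights, roles, allowed):
    """Flag privileges a user holds that the role's job description does not permit."""
    findings = []
    for line in user_rights.strip().splitlines():
        user, priv = line.split(",")
        if priv not in allowed.get(roles.get(user), set()):
            findings.append((user, priv))
    return findings


def check_design_vs_maintenance(assignments):
    """Flag programs whose designer is also their maintainer."""
    return sorted(p for p, a in assignments.items() if a["designer"] == a["maintainer"])


if __name__ == "__main__":
    for user, ts in check_ops_room_access(BADGE_LOG, FAILURE_TICKETS, STAFF_ROLES):
        print(f"ops room entry without open failure ticket: {user} at {ts}")
    for user, priv in check_privileges(USER_RIGHTS, STAFF_ROLES, ALLOWED_PRIVILEGES):
        print(f"privilege outside job description: {user} holds {priv}")
    for prog in check_design_vs_maintenance(PROGRAM_ASSIGNMENTS):
        print(f"designer also maintains: {prog}")
```

On the constructed data the script flags bob's afternoon entry (no failure ticket open), alice's production job-scheduling right (a programmer with an operations privilege) and the ar_ledger program (designed and maintained by the same person); alice's 10:12 entry falls inside INC-1 and is not flagged.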

COMPUTER CENTER

Controls: Physical Location, Construction, Access, Air Conditioning, Fire Suppression, Fault Tolerance

Audit Objectives: verify that (1) physical controls and (2) insurance coverage are adequate

Audit Procedures

Tests of Physical Construction

Tests of the Fire Detection System

Tests of Access Control

Tests of RAID

Tests of Uninterruptible Power Supply

Tests of Insurance Coverage

Disaster Recovery Plan

IDENTIFY CRITICAL APPLICATIONS

Customer sales and service

Fulfillment of legal obligations

Accounts receivable maintenance and collection

Production and distribution services

Purchasing functions

Cash disbursements

CREATE A DISASTER RECOVERY TEAM

Second-Site Facilities Group

Program and Data Backup Group

Data Conversion and Data Control Group

Providing Second-Site Backup

Mutual Aid Pact

Empty Shell (Cold Site)

Recovery Operations Center (Hot Site)

Internally Provided Backup

BACKUP AND OFF-SITE STORAGE PROCEDURES

Operating System Backup

Application Backup

Backup Data Files

Backup Documentation

Backup Supplies and Source Documents

Testing the DRP

Audit Procedures

Evaluate Site Backup

Review Critical Application List

Verify the Copies of Software Backup

Verify Data Backup

Verify the Types and Quantities of Backup Supplies, Documents and Documentation

Verify the Members of the Disaster Recovery Team
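The "verify software backup" and "verify data backup" procedures, together with the critical application list, as an added worked example in Python. This is not code from the original presentation; the manifest format, the file layout and the list of critical applications are assumptions, and the backup files are constructed in a temporary directory so the check runs offline.

```python
"""Check an off-site backup set against its manifest and the critical application list.

Added example, not from the original deck. For every manifest entry the file
must exist and its SHA-256 must match; every critical application must then be
covered by an OS, application, data and documentation backup. The manifest
format (application,backup_type,relative_path,sha256) and the application list
are assumptions, and the sample backup set is constructed below.
"""
import hashlib
import os
import tempfile

REQUIRED_TYPES = ("os", "application", "data", "documentation")

# Constructed critical application list (assumption).
CRITICAL_APPLICATIONS = ["customer_sales", "accounts_receivable", "cash_disbursements"]


def sha256_of(path):
    """Stream a file through SHA-256 so large backup archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'application,backup_type,relative_path,sha256' lines (assumed format)."""
    rows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        app, btype, rel, digest = line.split(",")
        rows.append((app, btype, rel, digest))
    return rows


def verify_backup_set(root, manifest_text, critical_apps):
    """Return findings: files missing, files whose hash mismatches, and coverage gaps."""
    findings = {"missing": [], "corrupt": [], "uncovered": []}
    covered = {app: set() for app in critical_apps}
    for app, btype, rel, digest in parse_manifest(manifest_text):
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings["missing"].append(rel)
            continue
        if sha256_of(path) != digest:
            findings["corrupt"].append(rel)
            continue  # a corrupt copy does not count as coverage
        if app in covered:
            covered[app].add(btype)
    for app in critical_apps:
        for btype in REQUIRED_TYPES:
            if btype not in covered[app]:
                findings["uncovered"].append((app, btype))
    return findings


def build_sample_backup_set():
    """Construct a backup set in a temp dir, then damage it the way an audit might find it."""
    root = tempfile.mkdtemp()
    manifest_lines = []
    for app in CRITICAL_APPLICATIONS:
        os.makedirs(os.path.join(root, app))
        for btype in REQUIRED_TYPES:
            rel = f"{app}/{btype}.tar"
            content = f"{app} {btype} backup 2024-03-01".encode()
            manifest_lines.append(f"{app},{btype},{rel},{hashlib.sha256(content).hexdigest()}")
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
    # Constructed failures: one archive truncated after the manifest was written,
    # one archive that was never copied to the off-site location.
    with open(os.path.join(root, "accounts_receivable/data.tar"), "wb") as f:
        f.write(b"truncated")
    os.remove(os.path.join(root, "cash_disbursements/documentation.tar"))
    return root, "\n".join(manifest_lines)


if __name__ == "__main__":
    root, manifest = build_sample_backup_set()
    for kind, items in verify_backup_set(root, manifest, CRITICAL_APPLICATIONS).items():
        for item in items:
            print(f"{kind}: {item}")
```

Recomputing the hash rather than trusting the manifest alone is the point: a backup that is listed but truncated or altered in transit fails the "verify data backup" test just as a missing one does, and the coverage pass ties each gap back to a critical application and the backup type the DRP requires for it.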

IT Outsourcing

Benefits of IT Outsourcing

Improved core business processes

Improved IT performance

Reduced IT costs

Risks of IT Outsourcing

Failure to perform

Vendor exploitation

Costs exceed benefits

Reduced security

Loss of strategic advantage

Audit Implications of IT Outsourcing

Management retains SOX responsibilities

A SAS No. 70 report on the vendor's controls, or a direct audit of the vendor, will be required