Information Technology Governance Controls
PRESENTED BY :
DEL MUNDO, GIAH DAVYN
ELEAZAR, JESSA MARIE
GONZALES, TYRON RYAN
GUILLERMO, MAUREEN
VERZOSA, LEVY
Information Technology Governance
Management and assessment of Information technology resources
How organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance.
Defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.
Objectives of Information Technology Governance
Reduce risk
Ensure that IT resources increase the value of the firm
Issues addressed by SOX and COSO
(a) Organizational structure of the IT function
(b) Computer center operations
(c) Disaster recovery planning
A. Centralized Data Processing
Processing is performed in one computer or in a cluster of coupled computers in a single location.
Database Administration
Data administration is the process by which data is monitored, maintained and managed by a data administrator and/or an organization. Data administration allows an organization to control its data assets, as well as their processing and interactions with different applications and business processes.
Database Processing
Data Conversion – transcribing data into a computer readable format
Computer Operations – processing of the data after it has been transcribed
Data library – Storage of offline data that is used to back up current data and information
System Development and Maintenance
System development - analyzing user needs for designing new systems
Maintenance - making changes to the program to accommodate user needs over time
Segregation of duties
System development from computer operations
Data administration from other functions
New systems development from maintenance
Exposures when these functions are not segregated: inadequate documentation, program fraud
B. The Distributed Model
The DDP (distributed data processing) reorganizes the IT function to small units that are distributed to and managed by end users.
Distribution may be by business function, geographic location, or both.
Risks of DDP
🚥 Inefficient Use of Resources
🔹 Risk of Mismanagement of Resources
🔹 Risk of Operational Inefficiencies
👉 Data Redundancy
🔹 Risk of Incompatible Hardware and Software
🚥 Destruction of Audit Trails
🚥 Inadequate Segregation of Duties
🚥 Hiring Qualified Professionals
🚥 Lack of Standards
Advantages of DDP
🚥 Cost Reduction
👉 Data can be edited and entered by end users
👉 Application complexity can be reduced
🚥 Improved Cost Control Responsibility
🚥 Backup Flexibility
👉 Requires coordination among end user managers
Improving/Controlling DDP
🚄 Implement Corporate IT Function
A corporate IT function alleviates potential problems associated with distributed IT organizations by providing:
🚥 Central testing of Commercial Software and Hardware
🚥 User Services Staff
🔹 Technical help
🔹 Electronic Bulletin Board
🔹 Chat rooms
🔹 Help desk
🔹 Technical courses
🚥 Standard-Setting Body
🚥 Personnel Review
🔹Employment decisions and reviewing technical credentials
Audit Objective
Verify that the IT function is structured so that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment.
Audit Procedures
🚥 Review the corporate policy regarding computer security
🔹 Verify whether policy is communicated to employees
🚥 Review documentation to determine incompatible functions
🚥 Review systems documentation and maintenance records
🔹 Verify that maintenance programmers are not also design programmers
🚥 Observe if segregation policies are followed in practice.
🔹 For example, check operations room access logs to determine if programmers enter for reasons other than system failures
🚥 Review user rights and privileges
🔹 Verify that programmers’ access privileges are consistent with their job descriptions
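The audit procedures above (review incompatible functions, review user rights, and check operations room access logs for programmer entries not tied to a system failure) can be partly automated. The following is an added example, not from the original slides: it runs a segregation-of-duties check over a constructed user/role table and then reviews constructed access log lines. The role names, the log line format and the reason codes are assumptions made for illustration.

```python
"""Segregation-of-duties and access-log review (added example, not from the slides).
Assumed inputs: a user -> roles table and operations-room access log lines in the
constructed format '<timestamp> <user> <door> <reason>'."""
import re

# Role pairs the slides identify as incompatible; one person holding both
# defeats segregation of duties. Role names are assumptions.
INCOMPATIBLE_ROLE_PAIRS = {
    frozenset({"system_development", "computer_operations"}),
    frozenset({"data_administration", "system_development"}),
    frozenset({"data_administration", "computer_operations"}),
    frozenset({"new_systems_development", "maintenance"}),
    frozenset({"design_programmer", "maintenance_programmer"}),
}

# Constructed sample user/role table (the shape an export of user rights might take).
SAMPLE_USER_ROLES = {
    "alice": {"system_development"},
    "bob": {"computer_operations"},
    "carol": {"system_development", "computer_operations"},   # violation
    "dave": {"design_programmer", "maintenance_programmer"},  # violation
    "erin": {"data_administration"},
}


def find_sod_violations(user_roles):
    """Return a sorted list of (user, role_a, role_b) for every user whose
    assigned roles contain an incompatible pair."""
    violations = []
    for user, roles in user_roles.items():
        for pair in INCOMPATIBLE_ROLE_PAIRS:
            if pair <= roles:  # both roles of the pair are held by this user
                role_a, role_b = sorted(pair)
                violations.append((user, role_a, role_b))
    return sorted(violations)


# Constructed operations-room access log (assumed format, not a real system's output).
SAMPLE_ACCESS_LOG = """\
2024-03-01T09:12:00 bob ops-room routine
2024-03-01T10:05:00 alice ops-room system_failure
2024-03-02T14:30:00 alice ops-room visit
2024-03-03T02:15:00 dave ops-room system_failure
2024-03-04T16:45:00 dave ops-room maintenance
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
PROGRAMMER_ROLES = {"system_development", "new_systems_development",
                    "design_programmer", "maintenance_programmer"}


def programmer_entries_without_failure(log_text, user_roles):
    """Return (timestamp, user, reason) for each operations-room entry by a user
    holding a programmer role whose stated reason is not a system failure.
    These are the entries the auditor follows up on."""
    flagged = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of aborting the review
        timestamp, user, door, reason = match.groups()
        if door != "ops-room":
            continue
        is_programmer = bool(user_roles.get(user, set()) & PROGRAMMER_ROLES)
        if is_programmer and reason != "system_failure":
            flagged.append((timestamp, user, reason))
    return flagged


if __name__ == "__main__":
    for violation in find_sod_violations(SAMPLE_USER_ROLES):
        print("SoD violation:", violation)
    for entry in programmer_entries_without_failure(SAMPLE_ACCESS_LOG, SAMPLE_USER_ROLES):
        print("Review ops-room entry:", entry)
```

The role check compares each user's full role set against every incompatible pair, so it catches a violation even when the roles were granted through different groups; the log check deliberately treats an unknown user as having no roles, so an unmapped badge is never silently excused.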
COMPUTER CENTER
Audit Objectives: verify that (1) physical controls and (2) insurance coverage are adequate
Audit Procedures
Tests of Physical Construction
Tests of the Fire Detection System
Tests of Access Control
Tests of Raid
Tests of Uninterruptible Power Supply
Tests of Insurance Coverage
IDENTIFY CRITICAL APPLICATIONS
Customer sales and service
Fulfillment of legal obligations
Accounts receivable maintenance and collection
Production and distribution services
Purchasing functions
Cash disbursements
CREATE A DISASTER RECOVERY TEAM
Second-site Facilities Group
Program and Data Backup Group
Data Conversion and Data Control Group
Providing Second-Site Backup
Mutual Aid Pact
Empty Shell (Cold Site)
Recovery Operations Center (Hot Site)
Internally Provided Backup
BACKUP AND OFF-SITE STORAGE PROCEDURES
Operating System Backup
Application Backup
Backup Data Files
Backup Documentation
Backup Supplies and Source Documents
Testing the DRP
Audit Procedures
Evaluate Site Backup
Review Critical Application List
Verify the copies of Software Backup
Verify Data Backup
Verify the types and quantities of Backup Supplies, Documents and Documentation
Verify the members of the Disaster Recovery Team
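The "Verify the copies of Software Backup" and "Verify Data Backup" steps come down to proving that what sits in off-site storage is a faithful copy of the production data. The following is an added example, not from the original slides: it builds a SHA-256 manifest of a source tree and a backup tree and reports files that are missing, altered or unexpected. The directory layout and file contents are constructed inside the example.

```python
"""Backup integrity verification by hash manifest (added example, not from the slides).
Assumes both the source tree and the backup copy are readable as local directories."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):  # stream large files
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def verify_backup(source_root, backup_root):
    """Compare the source tree with its backup and classify every file."""
    src = build_manifest(source_root)
    bak = build_manifest(backup_root)
    return {
        "missing": sorted(set(src) - set(bak)),              # never copied
        "corrupt": sorted(p for p in src if p in bak and src[p] != bak[p]),
        "extra": sorted(set(bak) - set(src)),                # in backup only
        "verified": sorted(p for p in src if p in bak and src[p] == bak[p]),
    }


def demo():
    """Build a constructed source/backup pair (one file intact, one altered,
    one missing from the backup) and return the verification findings."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        bak = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(src, "app"))
        os.makedirs(os.path.join(bak, "app"))
        source_files = {
            "app/ledger.dat": b"ledger-2024",
            "app/config.ini": b"[db]\nhost=primary\n",
            "readme.txt": b"recovery notes",
        }
        for rel, data in source_files.items():
            with open(os.path.join(src, rel), "wb") as fh:
                fh.write(data)
        # Backup copy: ledger intact, config altered (partial or stale copy),
        # readme never copied at all.
        with open(os.path.join(bak, "app/ledger.dat"), "wb") as fh:
            fh.write(b"ledger-2024")
        with open(os.path.join(bak, "app/config.ini"), "wb") as fh:
            fh.write(b"[db]\nhost=stale\n")
        return verify_backup(src, bak)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Comparing digests rather than file sizes or timestamps is what makes the check meaningful: a backup job that copied the right names but truncated or stale contents still fails, which is exactly the condition a restore test would expose too late.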
Benefits of IT Outsourcing
Improved core business processes
Improved IT performance
Reduced IT costs
Risks of IT Outsourcing
Failure to perform
Vendor exploitation
Costs exceed benefits
Reduced security
Loss of strategic advantage