
Information Technology

Governance Controls
PRESENTED BY :
DEL MUNDO, GIAH DAVYN
ELEAZAR, JESSA MARIE
GONZALES, TYRON RYAN
GUILLERMO, MAUREEN
VERZOSA, LEVY

Information Technology
Governance

Management and assessment of information technology resources.

How organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT's performance.

Defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.

Objectives of Information Technology Governance

Reduce risk.

Ensure that IT resources increase the value of the firm.

Issues addressed by
SOX and COSO
(a) Organizational structure of the IT function
(b) Computer center operations
(c) Disaster recovery planning

Structure of the
IT function
Models:
a.) Centralized data processing
b.) The Distributed model

A. Centralized Data
Processing

Processing is performed in one computer or in a cluster of coupled computers in a single location.

IT services under this model:
Systems development and design
Database administration
Data processing

Database
Administration

Data administration is the process by which data is monitored, maintained and managed by a data administrator and/or an organization. Data administration allows an organization to control its data assets, as well as their processing and interactions with different applications and business processes.

Data Processing

Data conversion: transcribing data into a computer-readable format.

Computer operations: processing of the data after it has been transcribed.

Data library: storage of offline data that is used to back up current data and information.

System Development
and Maintenance

Systems development: analyzing user needs and designing new systems.

Maintenance: making changes to the programs to accommodate user needs over time.

Segregation of duties

Systems development from computer operations.

Database administration from other functions.

New systems development from maintenance. This separation addresses two control problems:
  Inadequate program documentation
  Program fraud

B. The Distributed Model


The DDP (distributed data processing) model reorganizes the IT function into small units that are distributed to and managed by end users.
Distribution may be by business function, geographic location, or both.

Risks of DDP
Inefficient use of resources:
  Risk of mismanagement of resources
  Risk of operational inefficiencies
  Data redundancy
  Risk of incompatible hardware and software
Destruction of audit trails
Inadequate segregation of duties
Hiring qualified professionals
Lack of standards

Advantages of DDP
Cost reduction:
  Data can be edited and entered by end users
  Application complexity can be reduced
Improved cost control responsibility
Backup flexibility (this requires coordination among end-user managers)

Improving/Controlling DDP

Implement a corporate IT function. A corporate IT function alleviates potential problems associated with distributed IT organizations by providing:

Central testing of commercial software and hardware

User services staff:
  Technical help
  Electronic bulletin board
  Chat rooms
  Help desk
  Technical courses

Standard-setting body

Personnel review: employment decisions and reviewing technical credentials

Distributed Organization with Corporate Information Technology Function

Audit Objective
Verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk, and in a manner that promotes a working environment in which formal, rather than casual, relationships exist between incompatible tasks.

Audit Procedures
Review the corporate policy regarding computer security.
Verify whether the policy is communicated to employees.
Review documentation to determine incompatible functions.
Review systems documentation and maintenance records.
Verify that maintenance programmers are not also design programmers.
Observe whether segregation policies are followed in practice. For example, check operations room access logs to determine if programmers enter for reasons other than system failures.
Review user rights and privileges.
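The last three procedures above are checks an auditor can run over exported records rather than by inspection alone. The following is an added example, not part of the original presentation: it reconciles a constructed operations-room badge log against constructed system-failure windows (flagging programmer entries not explained by a failure, with a grace period either side), and scans a constructed privilege export for users holding entitlements that belong to a function other than their own. The roster, badge ids, door name, entitlement names and the entitlement-to-function mapping are all hypothetical.

```python
from datetime import datetime, timedelta

# Constructed roster of the IT function: badge/user id -> job function.
# Ids and function names are hypothetical.
ROSTER = {
    "e101": "programmer",
    "e102": "programmer",
    "e201": "operator",
    "e301": "dba",
}

# Constructed operations-room badge log: timestamp, badge id, door, event.
BADGE_LOG = """\
2024-03-04T09:12:00 e201 OPS-ROOM ENTRY
2024-03-04T10:47:00 e101 OPS-ROOM ENTRY
2024-03-04T22:30:00 e102 OPS-ROOM ENTRY
2024-03-05T02:05:00 e101 OPS-ROOM ENTRY
2024-03-05T08:00:00 e301 OPS-ROOM ENTRY
"""

# Constructed system-failure windows (start, end) taken from the incident log.
INCIDENTS = [("2024-03-04T22:00:00", "2024-03-05T00:00:00")]

# Constructed privilege export: user id -> entitlements held.
PRIVILEGES = {
    "e101": {"source-repo:write", "prod-jobs:submit"},
    "e102": {"source-repo:write", "test-env:deploy"},
    "e201": {"prod-jobs:submit", "prod-console:login"},
    "e301": {"db:admin"},
}

# Hypothetical mapping of each entitlement to the job function it belongs to.
# A user holding one outside their own function is an incompatible combination.
FUNCTION_OF_ENTITLEMENT = {
    "source-repo:write": "programmer",
    "test-env:deploy": "programmer",
    "prod-jobs:submit": "operator",
    "prod-console:login": "operator",
    "db:admin": "dba",
}


def parse_badge_log(text):
    """Yield (timestamp, badge, door, event) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, event = line.split()
        yield datetime.fromisoformat(ts), badge, door, event


def within_incident(ts, incidents, grace=timedelta(minutes=30)):
    """True if ts falls inside a failure window, extended by a grace period on
    both sides so staff arriving just before or leaving just after are covered."""
    for start, end in incidents:
        lo = datetime.fromisoformat(start) - grace
        hi = datetime.fromisoformat(end) + grace
        if lo <= ts <= hi:
            return True
    return False


def unexplained_programmer_entries(roster, log_text, incidents, door="OPS-ROOM"):
    """Programmer entries to the operations room that no system failure explains:
    the evidence that segregation is not being followed in practice."""
    findings = []
    for ts, badge, entry_door, event in parse_badge_log(log_text):
        if entry_door != door or event != "ENTRY":
            continue
        if roster.get(badge) != "programmer":
            continue
        if not within_incident(ts, incidents):
            findings.append((badge, ts.isoformat()))
    return findings


def sod_conflicts(roster, privileges, function_of_entitlement):
    """Users holding an entitlement that belongs to another function, as
    (user, own function, entitlement, function the entitlement belongs to)."""
    conflicts = []
    for user in sorted(privileges):
        own = roster.get(user)
        for ent in sorted(privileges[user]):
            owner = function_of_entitlement.get(ent)
            if owner is not None and owner != own:
                conflicts.append((user, own, ent, owner))
    return conflicts


if __name__ == "__main__":
    for badge, ts in unexplained_programmer_entries(ROSTER, BADGE_LOG, INCIDENTS):
        print(f"unexplained ops-room entry: {badge} at {ts}")
    for user, own, ent, owner in sod_conflicts(ROSTER, PRIVILEGES, FUNCTION_OF_ENTITLEMENT):
        print(f"SoD conflict: {user} ({own}) holds {ent}, an {owner} entitlement")
```

Both checks are written to return their findings rather than only print them, so they can feed an audit workpaper or a recurring job. The same entitlement mapping extends directly to the design-versus-maintenance test: assign design and maintenance assignments to separate functions and any programmer holding both appears as a conflict.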

Computer Center

Computer center controls:
Physical location
Construction
Access
Air conditioning
Fire suppression
Fault tolerance

Computer Center Audit

Objectives: verify that (1) physical controls and (2) insurance coverage are adequate.

Audit Procedures
Tests of physical construction
Tests of the fire detection system
Tests of access control
Tests of RAID
Tests of uninterruptible power supply
Tests of insurance coverage

Disaster Recovery
Plan

IDENTIFY CRITICAL APPLICATIONS
Customer sales and service
Fulfillment of legal obligations
Accounts receivable maintenance and collection
Production and distribution services
Purchasing functions
Cash disbursements

CREATE A DISASTER RECOVERY TEAM
Second-site facilities group
Program and data backup group
Data conversion and data control group

Providing Second-Site Backup

Mutual Aid Pact

Empty Shell (Cold Site)

Recovery Operations Center (Hot Site)

Internally Provided Backup

BACKUP AND OFF-SITE STORAGE PROCEDURES
Operating system backup
Application backup
Backup data files
Backup documentation
Backup supplies and source documents

Testing the DRP

Audit Procedures
Evaluate second-site backup
Review the critical application list
Verify the copies of software backup
Verify data backup
Verify the types and quantities of backup supplies, documents and documentation
Verify the members of the disaster recovery team
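"Review the critical application list" and "Verify data backup" can be tested against the backup manifest and the off-site store rather than taken on trust. The following is an added example, not part of the original presentation: it works over constructed production files, a constructed backup manifest and a constructed off-site store, and reports a finding for every critical file with no backup in the manifest, and for every manifest entry whose off-site copy is missing, fails its SHA-256 check, or is older than the recovery point objective. File names, contents, dates and the RPO are hypothetical.

```python
import hashlib
from datetime import datetime, timedelta


def sha256(data):
    """Hex SHA-256 of a byte string; the manifest records this per backup."""
    return hashlib.sha256(data).hexdigest()


# Constructed production files as they should have been backed up.
PRODUCTION = {
    "gl_master.dat":   b"general ledger master 2024-03-04\n",
    "ar_ledger.dat":   b"accounts receivable ledger 2024-03-04\n",
    "ap_vouchers.dat": b"accounts payable vouchers 2024-02-28\n",
    "payroll.dat":     b"payroll master 2024-03-04\n",
}

# Constructed critical application list: the data files the DRP must cover.
CRITICAL_FILES = ["gl_master.dat", "ar_ledger.dat", "ap_vouchers.dat",
                  "payroll.dat", "cash_disb.dat"]

# Constructed backup manifest: what the backup log claims was taken and shipped.
MANIFEST = [
    {"name": "gl_master.dat",   "sha256": sha256(PRODUCTION["gl_master.dat"]),   "taken": "2024-03-04T23:00:00"},
    {"name": "ar_ledger.dat",   "sha256": sha256(PRODUCTION["ar_ledger.dat"]),   "taken": "2024-03-04T23:00:00"},
    {"name": "ap_vouchers.dat", "sha256": sha256(PRODUCTION["ap_vouchers.dat"]), "taken": "2024-02-28T23:00:00"},
    {"name": "payroll.dat",     "sha256": sha256(PRODUCTION["payroll.dat"]),     "taken": "2024-03-04T23:00:00"},
]

# Constructed contents of the off-site store: ar_ledger.dat arrived corrupted
# (two bytes altered) and payroll.dat never arrived at all.
OFFSITE = {
    "gl_master.dat":   PRODUCTION["gl_master.dat"],
    "ar_ledger.dat":   b"accounts receivable ledger 2024-03-04\x00\x00",
    "ap_vouchers.dat": PRODUCTION["ap_vouchers.dat"],
}


def uncovered_critical_files(critical, manifest):
    """Critical files with no entry in the backup manifest at all."""
    backed_up = {entry["name"] for entry in manifest}
    return [name for name in critical if name not in backed_up]


def verify_backups(manifest, offsite, now, rpo_days):
    """One finding per manifest entry that fails a check: no off-site copy,
    checksum mismatch, or last backup older than the RPO. Empty list means
    every listed backup is present, intact and current as of `now`."""
    now = datetime.fromisoformat(now)
    rpo = timedelta(days=rpo_days)
    findings = []
    for entry in manifest:
        name = entry["name"]
        data = offsite.get(name)
        if data is None:
            findings.append(f"{name}: no off-site copy")
            continue
        if sha256(data) != entry["sha256"]:
            findings.append(f"{name}: checksum mismatch")
        age = now - datetime.fromisoformat(entry["taken"])
        if age > rpo:
            findings.append(f"{name}: stale, last backup {age.days} days old")
    return findings


if __name__ == "__main__":
    for name in uncovered_critical_files(CRITICAL_FILES, MANIFEST):
        print(f"not backed up: {name}")
    for finding in verify_backups(MANIFEST, OFFSITE, "2024-03-05T09:00:00", rpo_days=1):
        print(finding)
```

The digest comparison is what separates "a tape exists" from "the tape restores"; in a real review the same check runs against a trial restore from the off-site copy, and the RPO comes from the critical application list rather than a single number for every file.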

IT Outsourcing

Benefits of IT Outsourcing
Improved core business processes
Improved IT performance
Reduced IT costs

Risks of IT Outsourcing
Failure to perform
Vendor exploitation
Costs exceed benefits
Reduced security
Loss of strategic advantage

Audit Implications of IT Outsourcing

Management retains its SOX responsibilities.

A SAS No. 70 report on the service organization, or an audit of the vendor, will be required.
