
Chapter 8
IT Governance: Management Control of Information Technology and Information Integrity

Learning Objectives

To explain why business organizations need to achieve an adequate level of internal control
To explain the importance of internal control to organizational and IT governance, and business ethics
To enumerate IT resources and explain how difficult it is to control them
To describe management fraud, computer fraud, and computer abuse

Learning Objectives (cont'd)

To describe the major IT control processes organizations use to manage their IT resources
To identify operations and information process control goals and categories of control plans

Why Controls?

To ensure attainment of objectives
Technological risks: computer fraud, security threats
Organizational risks: fraud by management / employees
Emergencies: natural / man-made disasters
Contingency planning

Fraud and Control

Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain.
Management has the responsibility to prevent and/or disclose fraud.
Control systems enable management to meet this responsibility.

Agency Problem

Managers' incentives are not the same as the firm's incentives.
Principal: the firm; agent: the manager.
Control mechanisms are used to align the incentives of managers with the incentives of the firm.

Internal Control

A system of integrated elements (people, structure, processes, and procedures) acting together to provide reasonable assurance that an organization achieves its process goals.
The internal control system is the responsibility of top management and therefore should:
Reflect management's careful assessment of risks.
Be based on management's evaluation of costs versus benefits.
Be built on management's strong sense of business ethics and personal integrity.

Ethics and Controls

The COSO (Committee of Sponsoring Organizations of the National Commission on Fraudulent Financial Reporting) report stresses ethics as part of the control environment.
Ethics and integrity arise from a corporate culture that includes standards for behavior, how they are communicated, and how they are enforced.
Example: codes of conduct.

Business Process Control Goals and Plans

Goals: objectives to be attained
Operations process objectives
Information process objectives
Plans: policies and procedures that assist in accomplishing control goals

Control Goals of the Operations Process

Effectiveness of operations: ensure the operations process is fulfilling its purpose. Is the goal reached?
Efficiency of operations: is the use of resources optimal?
Security of resources: protection from loss, disclosure, misuse. Example: lock the door, use access codes/passwords.

Control Goals of the Information Process

For transaction data (temporary):
Input validity (only approved/authorized data)
Input completeness (all valid data captured/entered)
Input accuracy (correct data entered correctly)
For master data (permanent):
Update completeness (all data entered in updated master)
Update accuracy (data entered reflected accurately in updated master)
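The three transaction-data goals above (input validity, completeness and accuracy) as batch input controls in Python. This is an added illustration, not code from the chapter; the customer and approver masters, the event-id format, the amount limit and the sample events are constructed.

```python
import re
from collections import namedtuple

APPROVED_CUSTOMERS = {"C100", "C200", "C300"}   # constructed customer master
AUTHORIZED_APPROVERS = {"jdoe", "asmith"}       # constructed approver list
EVENT_ID_FORMAT = re.compile(r"SE\d{6}")        # constructed format edit
MAX_AMOUNT_CENTS = 10_000_000                   # constructed limit check

SalesEvent = namedtuple("SalesEvent", "event_id customer amount_cents approver")

def validity_errors(ev):
    """Input validity: only approved customers and authorized approvers."""
    errs = []
    if ev.customer not in APPROVED_CUSTOMERS:
        errs.append(f"{ev.event_id}: customer {ev.customer} not approved")
    if ev.approver not in AUTHORIZED_APPROVERS:
        errs.append(f"{ev.event_id}: approver {ev.approver} not authorized")
    return errs

def accuracy_errors(ev):
    """Input accuracy: format edit on the id, limit check on the amount."""
    errs = []
    if not EVENT_ID_FORMAT.fullmatch(ev.event_id):
        errs.append(f"{ev.event_id}: id fails format edit")
    if not 0 < ev.amount_cents <= MAX_AMOUNT_CENTS:
        errs.append(f"{ev.event_id}: amount {ev.amount_cents} fails limit check")
    return errs

def completeness_errors(batch, expected_count, expected_total_cents):
    """Input completeness: record count and control total must agree with the
    batch header the originating department prepared; no duplicate ids."""
    errs = []
    if len(batch) != expected_count:
        errs.append(f"record count {len(batch)} != header {expected_count}")
    total = sum(ev.amount_cents for ev in batch)
    if total != expected_total_cents:
        errs.append(f"control total {total} != header {expected_total_cents}")
    if len({ev.event_id for ev in batch}) != len(batch):
        errs.append("duplicate event ids in batch")
    return errs

def validate_batch(batch, expected_count, expected_total_cents):
    """Apply all three goals; an empty list means the batch may be posted."""
    errs = completeness_errors(batch, expected_count, expected_total_cents)
    for ev in batch:
        errs += validity_errors(ev) + accuracy_errors(ev)
    return errs
```

The batch header (count and control total) is produced by the originating department, not by the system being checked, which is what makes the completeness check independent of the data entry it verifies.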

Control Plans

Information processing policies and procedures that assist in accomplishing control goals
Control environment: awareness of and commitment to control
Pervasive control plans: broad application of controls (IT, financial, access controls)
Process control plans: specific procedures, process by process

The Control Environment

Overall policies and procedures that demonstrate an organization's commitment to the importance of control
Overall protection: enhances the effectiveness of the pervasive and application control plans.
Corporate ethics

Pervasive Control Plans

Address multiple goals and apply to many processes
Second level of protection: a major subset of these controls, IT processes (i.e., controls), are discussed in this chapter.

Process Control Plans

Relate to a specific business process or to the technology used to implement the process
Third level of protection: discussed and illustrated in Chapters 9-14.

A Control Hierarchy

Control Plans: Other Classifications

Preventive: prevent a problem
Detective: detect a problem
Corrective: correct a problem

Four Broad IT Control Process Domains (from COBIT)

FIGURE 8.2

Ten Important IT Control Processes

FIGURE 8.2

IT Control Processes and Domains

Planning and Organization
Process 1: Establish strategic vision
Process 2: Develop tactics to realize strategic vision

Acquisition and Implementation
Process 3: Identify automated solutions
Process 4: Develop and acquire IT solutions
Process 5: Integrate IT solutions into operations
Process 6: Manage change to existing IT systems

IT Control Processes and Domains (cont'd)

Delivery and Support
Process 7: Deliver required IT services
Process 8: Ensure security and continuous service
Process 9: Provide support services

Monitoring
Process 10: Monitor operations

Process 1: Strategic Plan for IT

Summary of the organization's strategic goals and how they relate to the IT function.
Once strategic goals are established, they can be transformed into short-term tactical objectives.
Controls are about ensuring attainment of goals. Those goals and objectives are set starting from the strategic plan.

Process 2: Realization of Strategic Mission

Many techniques are used to reach strategic goals:
IT steering committee
Project management techniques
Quality assurance plan
Reviews, audits, inspections, monitoring

Control Plans

Segregation of duties control plan
Access control plans
Personnel control plans: rotation of duties, termination policies

Illustration of Segregation of Duties

Function 1: Authorizing Events
  Approve steps of event processing.
Function 2: Executing Events
  Physically move resources.
  Complete source documents.
Function 3: Recording Events
  Record events in the appropriate data store(s).
  Post event summaries to the master data store.
Function 4: Safeguarding Resources Resulting from Consummating Events
  Physically protect resources.
  Maintain accountability of physical resources.
TABLE 8.2a

Illustration of Segregation of Duties (contd)

TABLE 8.2b
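Table 8.2a turned into a check an access control plan can run over role assignments: which users end up holding permissions from two or more of the four functions. This is an added illustration, not code from the chapter; the permissions, roles and users are constructed sample data.

```python
from itertools import combinations

# The four functions of Table 8.2a; any pair held by one person is incompatible.
DUTIES = ("authorize", "execute", "record", "safeguard")

# Constructed sample mapping of application permissions to functions.
# Read-only permissions map to None: they belong to no function.
PERMISSION_DUTY = {
    "approve_sales_order": "authorize",
    "ship_goods": "execute",
    "post_sales_journal": "record",
    "custody_finished_goods": "safeguard",
    "view_sales_reports": None,
}

# Constructed sample roles; each role is clean on its own.
ROLE_PERMISSIONS = {
    "sales_manager": {"approve_sales_order", "view_sales_reports"},
    "shipping_clerk": {"ship_goods"},
    "inventory_custodian": {"custody_finished_goods"},
    "ar_accountant": {"post_sales_journal", "view_sales_reports"},
}

def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Flatten role membership into the permissions a user can exercise."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms

def duties_held(perms, permission_duty=PERMISSION_DUTY):
    """Map permissions to Table 8.2a functions, dropping read-only ones."""
    return {permission_duty.get(p) for p in perms} - {None}

def sod_conflicts(roles_by_user):
    """Return {user: [(duty, duty), ...]} for users holding incompatible
    functions; conflicts usually arise from accumulated role membership."""
    report = {}
    for user, roles in roles_by_user.items():
        held = duties_held(effective_permissions(roles))
        pairs = [p for p in combinations(DUTIES, 2) if set(p) <= held]
        if pairs:
            report[user] = pairs
    return report
```

Running this on every change request to role membership (Process 6) and on a periodic review catches the conflicts that accumulate after the roles were designed, which a one-time review of the role definitions would miss.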

Process 3: Identify IT Solutions

Develop solutions consistent with the strategic IT plan; ensure the analysis stages of the SDLC are carried through.

Process 4: Develop/Acquire IT Solutions

Develop/acquire application software
Acquire technology infrastructure
Develop service-level requirements and application documentation

Process 5: Integrate IT Solutions Into Operational Processes

Planned, tested, and controlled conversion to the new system

Process 6: Manage Changes to Existing IT Systems

Change request, impact assessment
All changes are authorized, documented, and properly implemented

Process 7: Deliver Required IT Services

Define service levels
Manage third-party services
Manage IT operations
Manage data (backup)
Identify and allocate costs

Process 8: Ensure Security and Continuous Service

Disaster recovery
Mirror site: copy of all data
Hot site (fully equipped)
Cold site (equipped by customer)
Restrict access
Physical access to facilities
Logical access to data / programs

Restricting Access to Computing Resources: Layers of Protection

FIGURE 8.4a

Restricting Access to Computing Resources: Layers of Protection (cont'd)

FIGURE 8.4b

Process 9: Provide Support Services

Regular training sessions should be provided
Advice and assistance should be given
Very often a help desk is set up for these purposes

Process 10: Monitor Operations

Gather data about processes
Generate performance reports
Internal and external monitoring
