Auditing IT Governance Controls

Introduction
IT Governance is a relatively new subset of
corporate governance that focuses on the
management AND assessment of strategic IT
resources.

This presentation discusses the risks, controls, and tests of controls related to IT Governance.
Modern IT Governance
All corporate stakeholders, including the board of directors, top management, and departmental users (e.g., accounting and finance), must be active participants in key IT decisions.

Such broad-based involvement reduces risk AND increases the likelihood that IT decisions will be in compliance with user needs, corporate policies, strategic initiatives, and internal control requirements.
IT Governance Controls
IT governance issues that may impact the financial reporting process:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
Structure of the IT Function
Models:
1. Centralized data processing approach
2. Distributed data processing approach
Structure of the IT Function
Models:
1. Centralized data processing
a) ALL data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
b) End users compete for these resources on the basis of need. The IT services function is usually treated as a cost center whose operating costs are charged back to the end users.
Structure of the IT Function
Models:
1. Centralized data processing
c) Primary service areas
i. Database administration
ii. Data processing
iii. Systems development and maintenance
Structure of the IT Function
Models:
1. Centralized data processing
c) Primary service areas
i. Database administration
➢ Responsible for the security and integrity of the database.
ii. Data processing
iii. Systems development and maintenance
Structure of the IT Function
Models:
1. Centralized data processing
c) Primary service areas
i. Database administration
ii. Data processing
➢ Manages the computer resources used to perform the day-to-day processing of transactions.
iii. Systems development and maintenance
Structure of the IT Function
Data processing
1. Organizational functions
a) Data conversion
b) Computer operations
c) Data library
Structure of the IT Function
Data processing
1. Organizational functions
a) Data conversion
➢ Transcribes transaction data from hard-copy source documents into computer input.
b) Computer operations
c) Data library
Structure of the IT Function
Data processing
1. Organizational functions
a) Data conversion
b) Computer operations
➢ Files produced in data conversion are later processed by the central computer, which is managed under this function.
c) Data library
Structure of the IT Function
Data processing
1. Organizational functions
a) Data conversion
b) Computer operations
c) Data library
➢ The data library is a room adjacent to the computer center that provides safe storage for the off-line data files.
➢ Responsible for the data files it receives.
Structure of the IT Function
Models:
1. Centralized data processing
c) Primary service areas
i. Database administration
ii. Data processing
iii. Systems development and maintenance
➢ Responsible for analyzing user needs and for designing new systems.
Structure of the IT Function
Systems development
1. Participants:
a) Systems professionals
b) End users
c) Stakeholders
Structure of the IT Function
Systems development
1. Participants:
a) Systems professionals
i. Develop (design and build) a new information system.
ii. Include systems analysts, database designers, and programmers.
Structure of the IT Function
Systems development
1. Participants:
b) End users
i. Those for whom the system is built.
ii. Include managers who receive reports from the system and operations personnel who work directly with the system as part of their daily responsibilities.
Structure of the IT Function
Systems development
1. Participants:
c) Stakeholders
➢ Individuals who have an interest in the system, but are NOT end users.
➢ Include accountants, internal auditors, external auditors, and others who oversee systems development.
Structure of the IT Function
Models:
1. Centralized data processing
c) Primary service areas
i. Database administration
ii. Data processing
iii. Systems development and maintenance
➢ Responsible for keeping a system current with user needs (e.g., after a shift in user needs).
Incompatible IT Functions
Separating Systems Development (and
Maintenance) from Computer Operations
1. This separation is of the greatest importance.
2. Those who create and maintain systems should have no involvement in entering data or running applications. Operations staff should run these systems and have no involvement in their design.
3. With detailed knowledge of the application's logic and control parameters, plus access to the computer's operating system and utilities, an individual could make unauthorized changes to the application during its execution.
Incompatible IT Functions
Separating Database Administration from Other
Functions
1. Delegating the database administrator's responsibilities to others (data processing; systems development and maintenance) who perform incompatible tasks threatens database integrity (e.g., accuracy and consistency of data).
Incompatible IT Functions
Separating New Systems Development from
Maintenance
1. Control problems
a) Inadequate documentation
b) Program fraud
Incompatible IT Functions
Separating New Systems Development from
Maintenance
1. Control problems
a) Inadequate documentation
➢ Maintenance becomes difficult when responsibility is assigned to another individual and documentation is poor.
➢ Separating these duties forces the development team to produce documentation, because the maintenance team will demand it to perform its responsibilities.
Incompatible IT Functions
Separating New Systems Development from
Maintenance
1. Control problems
b) Program fraud
i. When the original programmer is also assigned maintenance responsibility, the potential for fraud is increased. Program fraud involves making unauthorized changes to program modules for the purpose of committing an illegal act.
Incompatible IT Functions
Separating New Systems Development from
Maintenance
1. Control problems
b) Program fraud
ii. Separating these functions discourages program changes by the original developer. Should a developer alter a program, it will be difficult to modify it again later, because the change will need authorization from the maintenance team, who may then detect the changes the developer made.
Structure of the IT Function
Models:
2. Distributed data processing (DDP) approach
a) Involves reorganizing the central IT function into small IT units that are placed under the control of end users.
b) All or any of the IT functions discussed may be distributed.
Structure of the IT Function
Models:
2. Distributed data processing (DDP) approach
c) Two alternatives:
i. A variant of the centralized model; the difference is that terminals are distributed to end users for handling input and output. This eliminates the need for the centralized data conversion groups. Systems development, computer operations, and database administration remain centralized.
Structure of the IT Function
Models:
2. Distributed data processing (DDP) approach
c) Two alternatives:
ii. A significant departure from the centralized model. Distributes all computer services to the end users, where they operate as standalone units. This results in the elimination of the central IT function from the organizational structure.
Structure of the IT Function
Models:
2. Distributed data processing (DDP) approach
d) Risks:
i. Inefficient use of resources (reinvention of application programs, data redundancy)
ii. Inadequate segregation of duties
iii. Programming errors and systems failures
Structure of the IT Function
Models:
2. Distributed data processing (DDP) approach
e) Advantages:
i. Cost reductions
ii. Improved cost control responsibility
iii. Improved user satisfaction
iv. Backup flexibility
Structure of the IT Function
Models:
2. Distributed data processing (DDP) approach
f) Controlling the environment
i. Implement a corporate IT function
1) Central testing of commercial software and hardware
2) User services
3) Standard-setting body
4) Personnel review
Structure of the IT Function
Audit Objective
To verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks.
Structure of the IT Function
Audit Procedures (centralized IT)
1. Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
2. Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are NOT also the original design programmers.
Structure of the IT Function
Audit Procedures (centralized IT)
3. Verify that computer operators do not have access to the operational details of a system's internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operations documentation set.
Structure of the IT Function
Audit Procedures (centralized IT)
4. Through observation, determine that the segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.
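To make procedures 2 and 4 concrete, here is an added example (not part of the original presentation) that runs both checks over constructed maintenance records and a constructed operations-room badge log; the record layout, the names, and the two-hour window after a logged failure are assumptions, not something the presentation specifies.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class Assignment(NamedTuple):
    app: str
    designer: str    # original design programmer
    maintainer: str  # programmer assigned to maintenance

# Constructed sample maintenance records (not from a real organisation)
MAINTENANCE_RECORDS = [
    Assignment("payroll", "alice", "bob"),
    Assignment("ledger", "carol", "carol"),   # designer also maintains
    Assignment("billing", "dave", "erin"),
]

# Constructed staff roster and operations-room badge log: (ISO time, badge holder)
PROGRAMMERS = {"alice", "bob", "carol", "dave", "erin"}
ACCESS_LOG = [
    ("2024-03-01T09:12", "ops_frank"),   # operations staff, expected in the room
    ("2024-03-01T14:03", "carol"),       # programmer, no failure logged that day
    ("2024-03-02T22:40", "bob"),         # programmer, 25 minutes after a failure
]
FAILURES = ["2024-03-02T22:15"]          # constructed system-failure log

def design_maintenance_conflicts(records):
    """Procedure 2: applications whose maintainer is also the original designer."""
    return [r.app for r in records if r.designer == r.maintainer]

def unexplained_programmer_entries(log, programmers, failures, window_hours=2):
    """Procedure 4: programmer entries to the operations room that do not fall
    within window_hours after a logged system failure (assumed window)."""
    failure_times = [datetime.fromisoformat(f) for f in failures]
    window = timedelta(hours=window_hours)
    flagged = []
    for stamp, who in log:
        if who not in programmers:
            continue                      # operators belong in the room
        when = datetime.fromisoformat(stamp)
        explained = any(timedelta(0) <= when - f <= window for f in failure_times)
        if not explained:
            flagged.append((stamp, who))
    return flagged

if __name__ == "__main__":
    print("Procedure 2 exceptions:", design_maintenance_conflicts(MAINTENANCE_RECORDS))
    print("Procedure 4 exceptions:",
          unexplained_programmer_entries(ACCESS_LOG, PROGRAMMERS, FAILURES))
```

Each flagged item is an exception for the auditor to follow up through interviews and observation, not a finding on its own.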
Structure of the IT Function
Audit Procedures (distributed IT)
1. Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.
2. Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
Structure of the IT Function
Audit Procedures (distributed IT)
3. Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
4. Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.
That's all. Thank you! :)