Introduction
IT governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources. This presentation discusses the risks, controls, and tests of controls related to IT governance.

Modern IT Governance
All corporate stakeholders, including the board of directors, top management, and departmental users (e.g. accounting and finance), must be active participants in key IT decisions. Such broad-based involvement reduces risk and increases the likelihood that IT decisions will comply with user needs, corporate policies, strategic initiatives, and internal control requirements.

IT Governance Controls
IT governance issues that may potentially impact the financial reporting process:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

Structure of the IT Function
Models:
1. Centralized data processing approach
2. Distributed data processing approach

Structure of the IT Function: Centralized Data Processing
a) All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
b) End users compete for these resources on the basis of need. The IT services function is usually treated as a cost center whose operating costs are charged back to the end users.
c) Primary service areas:
   i. Database administration ➢ Responsible for the security and integrity of the database.
   ii. Data processing ➢ Manages the computer resources used to perform the day-to-day processing of transactions.
   iii. Systems development and maintenance ➢ Responsible for analyzing user needs and designing new systems (development), and for keeping an existing system current as user needs shift (maintenance).

Structure of the IT Function: Data Processing
Organizational functions:
a) Data conversion ➢ Transcribes transaction data from hard-copy source documents into computer input.
b) Computer operations ➢ Files produced in data conversion are later processed by the central computer, which is managed under this function.
c) Data library ➢ A room adjacent to the computer center that provides safe storage for the off-line data files. ➢ Responsible for safeguarding the data files it receives.

Structure of the IT Function: Systems Development
Participants:
a) Systems professionals
   i. Develop (design and build) a new information system.
   ii. Include systems analysts, database designers, and programmers.
b) End users
   i. Those for whom the system is built.
   ii. Include managers who receive reports from the system and operations personnel who work directly with the system as part of their daily responsibilities.
c) Stakeholders
   ➢ Individuals who have an interest in the system but are not end users.
   ➢ Include accountants, internal auditors, external auditors, and others who oversee systems development.
Incompatible IT Functions: Separating Systems Development (and Maintenance) from Computer Operations
1. This separation is of the greatest importance.
2. Those who create and maintain systems should have no involvement in entering data or running applications. Operations staff should run these systems and have no involvement in their design.
3. With detailed knowledge of the application's logic and control parameters, plus access to the computer's operating system and utilities, an individual could make unauthorized changes to the application during its execution.

Incompatible IT Functions: Separating Database Administration from Other Functions
1. Delegating the database administrator's responsibilities to others who perform incompatible tasks (data processing; systems development and maintenance) threatens database integrity (i.e., the accuracy and consistency of data).

Incompatible IT Functions: Separating New Systems Development from Maintenance
Control problems addressed by this separation:
a) Inadequate documentation
   ➢ Maintenance becomes difficult when responsibility for it is assigned to someone other than the original developer and the system is poorly documented.
   ➢ Separating these duties forces the development team to produce the documentation that the maintenance team will demand in order to perform its responsibilities.
b) Program fraud
   i. When the original programmer is also assigned maintenance responsibility, the potential for fraud is increased. Program fraud involves making unauthorized changes to program modules for the purpose of committing an illegal act.
   ii. Separating these functions discourages a developer from planting unauthorized changes in a program. Should a developer do so, it becomes difficult to later modify or remove that code, because any subsequent change must be authorized and carried out by the maintenance team, who may detect the changes the developer made.

Structure of the IT Function: Distributed Data Processing (DDP) Approach
a) Involves reorganizing the central IT function into small IT units that are placed under the control of end users.
b) All or any of the IT functions discussed may be distributed.
c) Two alternatives:
   i. A variant of the centralized model; the difference is that terminals are distributed to end users for handling input and output. This eliminates the need for the centralized data conversion group. Systems development, computer operations, and database administration remain centralized.
   ii. A significant departure from the centralized model. All computer services are distributed to the end users, where they operate as standalone units, resulting in the elimination of the central IT function from the organizational structure.
d) Risks:
   i. Inefficient use of resources (reinvention of application programs, data redundancy)
   ii. Inadequate segregation of duties
   iii. Programming errors and systems failures
e) Advantages:
   i. Cost reductions
   ii. Improved cost control responsibility
   iii. Improved user satisfaction
   iv. Backup flexibility
Distributed data processing (DDP) approach
f) Controlling the environment: implement a corporate IT function that provides
   1) Central testing of commercial software and hardware
   2) User services
   3) A standard-setting body
   4) Personnel review

Structure of the IT Function: Audit Objective
To verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk, and in a manner that promotes a working environment in which formal, rather than casual, relationships exist between incompatible tasks.

Structure of the IT Function: Audit Procedures (centralized IT)
1. Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine whether individuals or groups are performing incompatible functions.
2. Review systems documentation and maintenance records for a sample of applications. Verify that the maintenance programmers assigned to specific projects are not also the original design programmers.
3. Verify that computer operators do not have access to the operational details of a system's internal logic. Systems documentation, such as system flowcharts, logic flowcharts, and program code listings, should not be part of the operations documentation set.
4. Through observation, determine that the segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.

Structure of the IT Function: Audit Procedures (distributed IT)
1. Review the current organizational chart, mission statement, and job descriptions for key functions to determine whether individuals or groups are performing incompatible duties.
2. Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to the distributed IT units.
3. Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
4. Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.
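Two of the centralized-IT audit procedures above (checking that maintenance programmers are not the original designers, and checking that programmers enter the operations room only during system failures) can be carried out mechanically once the records are in hand. The script below is an added example, not part of the original presentation: the application roster, job roles, badge log, and incident windows are all constructed sample data, and the 30-minute grace window around each failure ticket is an assumed tolerance an auditor would set, not a figure from the slides.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the presentation).
# For each application: who designed it vs. who now maintains it.
ROSTER = {
    "GL_POST": {"developers": {"aquino", "reyes"}, "maintainers": {"santos"}},
    "AP_PAY":  {"developers": {"reyes"},           "maintainers": {"reyes", "cruz"}},
    "PAYROLL": {"developers": {"garcia"},          "maintainers": {"garcia"}},
}

# Job roles taken from the (constructed) job descriptions.
ROLES = {
    "aquino": "programmer", "reyes": "programmer", "santos": "programmer",
    "cruz": "programmer", "garcia": "programmer",
    "lim": "operator", "tan": "operator",
}

# Constructed operations-room badge log, one "timestamp,user,event" per line.
ACCESS_LOG = """\
2024-03-04T08:55:00,lim,entry
2024-03-04T09:10:00,reyes,entry
2024-03-04T13:02:00,tan,entry
2024-03-05T02:15:00,garcia,entry
2024-03-06T10:40:00,aquino,entry
"""

# Constructed system-failure tickets: (ticket id, opened, closed).
FAILURES = [
    ("INC-1042", datetime(2024, 3, 5, 1, 50), datetime(2024, 3, 5, 4, 0)),
]

# Assumed tolerance: a programmer arriving shortly before a ticket is opened
# or leaving shortly after it is closed is still treated as responding to it.
GRACE = timedelta(minutes=30)


def sod_violations(roster):
    """Procedure 2: applications whose maintainers include an original developer.

    Returns {application: sorted list of people in both roles}; empty if clean.
    """
    result = {}
    for app, staff in roster.items():
        overlap = staff["developers"] & staff["maintainers"]
        if overlap:
            result[app] = sorted(overlap)
    return result


def parse_access_log(text):
    """Parse 'timestamp,user,event' lines into (datetime, user, event) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split(",")
        entries.append((datetime.fromisoformat(ts), user, event))
    return entries


def during_failure(ts, failures, grace=GRACE):
    """True if ts falls inside any failure window, widened by the grace period."""
    return any(start - grace <= ts <= end + grace for _, start, end in failures)


def unexplained_programmer_entries(log_text, roles, failures):
    """Procedure 4: programmer entries to the operations room with no open failure.

    Operators are expected in the room and are ignored; programmers are flagged
    unless a system-failure ticket explains their presence.
    """
    flagged = []
    for ts, user, event in parse_access_log(log_text):
        if event != "entry" or roles.get(user) != "programmer":
            continue
        if not during_failure(ts, failures):
            flagged.append((ts.isoformat(), user))
    return flagged


if __name__ == "__main__":
    for app, people in sod_violations(ROSTER).items():
        print(f"SoD violation: {app} maintained by original developer(s) {people}")
    for when, who in unexplained_programmer_entries(ACCESS_LOG, ROLES, FAILURES):
        print(f"Unexplained programmer entry: {who} at {when}")
```

On the constructed data the script flags AP_PAY and PAYROLL (a designer is also a maintainer) and two programmer entries with no matching failure ticket, while the garcia entry at 02:15 on 5 March is accepted because INC-1042 was open at the time. In a real engagement the roster would come from the maintenance records sampled in procedure 2, the roles from HR job descriptions, and the badge log and ticket export from the facilities and incident systems; any flagged item is then a question for management, not a conclusion on its own.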