Auditing Governance
GOVERNANCE
CONTROLS
IT Governance
IT Structure
Computer Center
Disaster Recovery Plan
IT Outsourcing
Reduce risk
Corporate governance
IT resources add value
INFORMATION TECHNOLOGY GOVERNANCE
Corporate stakeholders
IT decisions
Organizational structure of the IT function
IT Governance Controls
I. Database Administration
a. Data Conversion
b. Computer Operations
c. Data Library
a. Data Conversion
✔Division of transaction
processing tasks
Separating Database Administration From Other Functions
• DBA function is responsible for a number of critical
tasks pertaining to database security and must be
segregated from other computer center functions.
Control Problems:
1.Inadequate Documentation
2.Program Fraud
Inadequate Documentation
• Reasons:
•not as interesting as designing, testing, and
implementing them
•Job security
Program Fraud
•making unauthorized changes to program modules for
the purpose of committing an illegal act
•fraudulent codes
A Superior Structure for Systems Development
•systems development function is separated
into two different groups: new systems
development and systems maintenance
•The new systems development group is
responsible for designing, programming,
and implementing new systems projects.
•The responsibility for the system’s ongoing
maintenance then falls to the systems
maintenance group.
Distributed Data Processing (DDP)
•reorganizing the central IT function into small IT units
that are placed under the control of end users
mismanagement
Operational inefficiencies
Incompatible hardware and software
4. Lack of Standards
Advantages of DDP
1. Cost reductions
2. Improved Cost Control
Responsibility
3. User Satisfaction
4. Back up Flexibility
THE COMPUTER CENTER
Computer Center
Audit Procedures:
[Figure: Disaster. Natural: Flood, Tornado. Human Made: Sabotage, Error. Power Outage, Crash/Lock.]
Four Essential Elements:
Example:
• Customer sales and service
• Fulfillment of legal obligations
• Accounts receivable maintenance and collection
• Production and distribution decisions
• Purchasing functions
• Cash disbursements (trade accounts and payroll)
Creating a Disaster Recovery Team
Creating a recovery team helps avoid serious
omissions or duplication of effort during
implementation of the contingency plan;
task responsibility must be clearly defined
and communicated to the personnel
involved.
Disaster Recovery Team
DRP Team Coordinator
VP Operation
Specific IT assets
= unique to the organization and
support its strategic objectives
= have little value outside their current
use
Transaction Cost Economics Theory
conflicts with core competency
suggests the firm should retain certain
specific non-core IT assets in house
supports the outsourcing of
commodity assets, which are easily
replaced or obtained from
alternative vendors
Risks Inherent to IT Outsourcing
1. Failure to perform
= negative implications of
outsourced specific IT assets are
illustrated in financial problems that
have plagued the huge outsourcing
vendor Electronic Data Systems
Corp. (EDS)
2. Vendor exploitation
= involves transferring to a vendor
“specific assets” such as the design,
development, and maintenance of unique
business applications that are critical to
an organization’s survival.
3. Outsourcing costs benefits
= unexpected costs arise and expected
benefits are not realized
4. Reduced security
= when corporate financial systems are
developed and hosted overseas, and
program code is developed through
interfaces with the host company’s
network
5. Loss of strategic advantage
= due to incongruence of IT strategic
planning and its business planning
Audit Implications of IT Outsourcing
management may outsource its
organization’s IT function but it
cannot outsource its management
responsibilities to maintain
effective internal control over
financial reporting