
SYNC 2.5

Dates @February 5, 2024

Type 📒 Lesson
Status Done

Shared

Topic Module 2: SOX and IT Governance and Management

Organizational Chart of a Centralized Information Technology Function

ideal organization

Alternative Organization of Systems Development

this is still acceptable

but there is a possible risk if programming also does maintenance → often, when there are changes, the documentation is not done properly → the changes become hard to trace, which can be the beginning of fraud

The Distributed Model

Distributed Data Processing (DDP) is reorganizing the IT function into small information
processing units (IPUs) that are distributed to end users and placed under their control.

not yet centralized (each department uses its own systems)

Advantages of DDP

Cost reductions (it is immediately identified which department the cost belongs to)

Improved cost control responsibility

Improved user satisfaction (tailored to preferences of each department)

Backup

Disadvantages of DDP

Mismanagement of organization-wide resources

Highly distributed responsibilities for information processing services can lead to
mismanagement and suboptimal utilization of resources

because each department does things its own way

Hardware and software incompatibility (across departments)

Working independently can result in using incompatible operating systems, etc.

Redundant tasks

Different units do the same tasks because the system is not integrated

e.g. marketing creates a sales file, and accounting also creates its own file for the
same transaction

Consolidating incompatible activities (hard to do because they are not uniform)

Hiring qualified professionals

Difficulty getting highly qualified professionals due to limited career advancement
opportunity

since there are no clear guidelines on managing the IT function, and its role in the
department is also minimized, which leads to a limited career path (so it is not
appealing to IT professionals)

Lack of standards

hard to manage because file formatting, etc. varies

Organizational Structure for a Distributed System

Creating a Corporate IT Function
Corporate IT function is a coordinating IT unit that attempts to establish corporate-wide standards
among distributed IT units. Has the capability to provide:

Central Testing of Commercial Software & Hardware

User Services: systems installation, technical help

Standard Setting Body: systems development, programming, documentation

Personnel review for prospective systems professionals

you are trying to create an office that will harmonize the independent IT functions across the
organization

DDP that at least has some IT function

Distributed Organization with Corporate IT Function

Audit Objectives Relating to Organizational Structure


The auditor’s objective is to ascertain whether individuals serving in incompatible areas are
segregated in accordance with an acceptable level of risk and in a manner that promotes an
effective working environment.

to check if their set-up segregates incompatible functions, etc.

The following audit tests provide evidence toward achieving the audit objective:

Obtain and review the corporate policy on computer security

Review relevant documentation, including the current organizational chart, mission statement,
and job descriptions for key functions, to determine if individuals or groups are performing
incompatible functions

Review systems documentation and maintenance records for a sample of applications

Through observation, determine that the segregation policy is being followed in practice

Review user roles to verify that programmers have access privileges consistent with their job
descriptions

your access should extend only as far as your role

Computer Center Security and Controls

Fires, floods, wind, sabotage, earthquakes, or even power outages can deprive an organization of
its data processing facilities and bring to a halt those functions that are performed or aided by
computer.

What does a company do to prepare itself for such an event?

How will it recover?

Objective: A Secure Environment for the Computer Center

Why? (why is this the objective even though what is being done is an FS audit?)

Because weaknesses in computer center security have a potential impact on the function of
application controls related to the financial reporting process

Important Features

Physical Location

Air conditioning

Construction

Fire Suppression

Access

Fault tolerance controls (Redundant Arrays of Independent Disks/Uninterruptible Power Supply)

when checking for a secure environment, these are what to check

Audit Objectives Relating to Computer Center Security is to Determine Whether


Controls governing computer center are adequate to reasonably protect the organization from
damage or losses

Insurance coverage on equipment is adequate to compensate for destruction or damage to the
computer center

Operator documentation is adequate to deal with system failures as well as routine operations

Computer Center Security and Controls: Audit Procedures


Assessing Physical Security Controls

Tests of Physical Construction: Get architectural plan

Tests of the Fire Detection System: Can detect smoke, heat

Tests of Access Control: No access for unauthorized personnel

Tests of Fault Tolerance Controls

RAID

Power Supplies Backup

Audit Procedures for Verifying Insurance Coverage

Audit Procedures for Verifying Adequacy of Operator Documentation
