IT Governance and Function Structure

This document discusses IT governance and controls, including those related to the Sarbanes-Oxley Act. It covers topics like centralized vs distributed IT organizational structures, segregation of duties between development, operations and other functions, and risks associated with different approaches. Key points covered include the need to involve all stakeholders in IT decisions, separate incompatible functions like development and operations, ensure database administration is independent, and separate new development from ongoing maintenance to prevent errors and fraud.


Slide 2

Prior to the Sarbanes-Oxley (SOX) Act of 2002 (known in the House version as the Corporate and
Auditing Accountability, Responsibility, and Transparency Act and in the Senate version as the Public
Company Accounting Reform and Investor Protection Act), the common practice regarding IT investments
was to defer all decisions to corporate IT professionals. Modern IT governance, however, follows the
philosophy that all corporate stakeholders, including boards of directors, top management, and
departmental users (i.e., accounting and finance) be active participants in key IT decisions. Such
broad-based involvement reduces risk and increases the likelihood that IT decisions will be in
compliance with user needs, corporate policies, strategic initiatives, and internal control
requirements under SOX.

IT Governance Controls
Although all IT governance issues are important to the organization, not all of them are matters of
internal control under SOX that may potentially impact the financial reporting process.
Slide 3
COSO – Committee of Sponsoring Organizations of the Treadway Commission
The discussion on each of these governance issues begins with an explanation of the nature of risk and
a description of the controls needed to mitigate the risk. Then, the audit objectives are presented, which
establishes what needs to be verified regarding the function of the control(s) in place. Finally, example
tests of controls are offered that describe how auditors might gather evidence to satisfy the audit
objectives. These tests may be performed by external auditors as part of their attest service or by
internal auditors (or advisory services professionals) who are providing evidence of management's
compliance with SOX. In this regard, we make no distinction between the two types of services.
Structure of the Information Technology Function (SLIDE 4)
These are illustrated through two extreme organizational models—the centralized approach and the
distributed approach. The risks, controls, and audit issues related to each model are then discussed. The
reader should recognize, however, that most organizational structures embody elements of both
models.
Centralized Data Processing (SLIDE 5)
Under the centralized data processing model, the IT services function is usually treated as a cost center
whose operating costs are charged back to the end users. (Note: data vs. information.)
Database Administration SLIDE 6.1
In this shared data arrangement, an independent group headed by the database administrator (DBA) is
responsible for the security and integrity of the database.
Data Processing SLIDE 6.2
It consists of the following organizational functions: data conversion, computer operations, and the data
library.
Data Conversion.
For example, data conversion could involve keying sales orders into a sales order application in
modern systems, or transcribing data onto magnetic media (tape or disk) suitable for computer
processing in legacy systems.
Computer Operations.
Accounting applications are usually executed according to a strict schedule that is controlled by the
central computer's operating system.
Data Library.
For instance, the data library could be used to store backup data on DVDs, CD-ROMs, tapes, or other
storage devices. It could also be used to store current operational data files on magnetic tapes and
removable disk packs. In addition, the data library is used to store original copies of commercial
software and their licenses for safekeeping. A data librarian, who is responsible for the receipt, storage,
retrieval, and custody of data files, controls access to the library. The librarian issues data files to
computer operators in accordance with program requests and takes custody of files when processing or
backup procedures are completed. The trend in recent years toward real-time processing and the
increased use of direct-access files has reduced or even eliminated the role of the data librarian in many
organizations.
Systems Development and Maintenance SLIDE 7
Systems professionals include systems analysts, database designers, and programmers who design and
build the system. Systems professionals gather facts about the user's problem, analyze the facts, and
formulate a solution. The product of their efforts is a new information system.
End users are those for whom the system is built. They are the managers who receive reports from the
system and the operations personnel who work directly with the system as part of their daily
responsibilities.
Stakeholders are individuals inside or outside the firm who have an interest in the system, but are not
end users. They include accountants, internal auditors, external auditors, and others who oversee
systems development.
Once a new system has been designed and implemented, the systems maintenance group assumes
responsibility for keeping it current with user needs. The term maintenance refers to making changes to
program logic to accommodate shifts in user needs over time. During the course of the system's life
(often several years), as much as 80 or 90 percent of its total cost may be incurred through maintenance
activities.
Segregation of Incompatible IT Functions SLIDE 8
The IT environment tends to consolidate activities. A single application may authorize, process, and
record all aspects of a transaction. Thus, the focus of segregation control shifts from the operational
level (transaction processing tasks that computers now perform) to higher-level organizational
relationships within the computer services function. Using the organizational chart in Figure 2.2 as a
reference, the interrelationships among systems development, systems maintenance, database
administration, and computer operations activities are examined next.
Separating Systems Development from Computer Operations SLIDE 9
Systems development and maintenance professionals should create (and maintain) systems for users,
and should have no involvement in entering data, or running applications (i.e., computer operations).
Operations staff should run these systems and have no involvement in their design. These functions are
inherently incompatible, and consolidating them invites errors and fraud. With detailed knowledge of
the application's logic and control parameters and access to the computer's operating system and
utilities, an individual could make unauthorized changes to the application during its execution. Such
changes may be temporary ("on the fly") and will disappear without a trace when the application
terminates.

Separating Database Administration from Other Functions SLIDE 9


Delegating these responsibilities to others who perform incompatible tasks threatens database integrity.
Thus, we see from Figure 2.2 how the DBA function is organizationally independent of operations,
systems development, and maintenance.
Separating New Systems Development from Maintenance SLIDE 10
Under this approach, the programmer who codes the original programs also maintains the system
during the maintenance phase of the systems development life cycle (discussed in Chapter 5). Although
a common arrangement, this approach is associated with two types of control problems: inadequate
documentation and the potential for program fraud.
Inadequate Documentation.
Inadequate - insufficient for a purpose, lacking the quality or quantity required.
There are at least two explanations for this phenomenon. First, documenting systems is not as
interesting as designing, testing, and implementing them. Systems professionals much prefer to move
on to an exciting new project rather than document one just completed.
The second possible reason for poor documentation is job security. When a system is poorly
documented, it is difficult to interpret, test, and debug. Therefore, the programmer who understands
the system (the one who coded it) maintains bargaining power and becomes relatively indispensable.
When the programmer leaves the firm, however, a new programmer inherits maintenance responsibility
for the undocumented system. Depending on its complexity, the transition period may be long and
costly.
Program Fraud.
The original programmer may have successfully concealed fraudulent code among the thousands of
lines of legitimate code and the hundreds of modules that constitute a system. For the fraud to work
successfully, however, the programmer must be able to control the situation through exclusive and
unrestricted access to the application's programs. The programmer needs to protect the fraudulent
code from accidental detection by another programmer performing maintenance or by auditors testing
application controls. Therefore, having sole responsibility for maintenance is an important element in
the duplicitous programmer's scheme. Through this maintenance authority, the programmer may freely
access the system, disabling fraudulent code during audits and then restoring the code when the coast is
clear. Frauds of this sort may continue for years without detection.
A Superior Structure for Systems Development
The success of this control depends on the existence of other controls that limit, prevent, and detect
unauthorized access to programs (such as source program library controls). Although organizational
separations alone cannot guarantee that computer frauds will not occur, they are critical to creating the
necessary control environment.
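The source program library control mentioned above can be tested continuously rather than only when an auditor asks. The following Python example is added here and is not from the original page or the textbook it summarizes: it hashes a constructed sample of production programs on each monitor run, compares every observed version against the versions that went through independent change-control approval, and flags any version that never did, including one swapped in between audits and removed before the audit-day run. It also flags change records the author approved for themselves. Program texts, staff names, account number and dates are all assumptions.

```python
import hashlib

# Everything below is constructed for illustration. The program texts stand in for a
# production source program library (SPL); names, staff and dates are assumptions.
CLEAN_PAYROLL = b"IDENTIFICATION DIVISION.\nPROGRAM-ID. PAYROLL.\n* compute gross and net pay\n"
FRAUD_PAYROLL = CLEAN_PAYROLL + b"* truncate each deduction; post the fractions to account 4471\n"
GL_POST = b"IDENTIFICATION DIVISION.\nPROGRAM-ID. GLPOST.\n"
AR_AGING = b"IDENTIFICATION DIVISION.\nPROGRAM-ID. ARAGING.\n"


def digest(src: bytes) -> str:
    return hashlib.sha256(src).hexdigest()


def snapshot(library: dict) -> dict:
    """Hash every program in the library; an SPL monitor records this on each run."""
    return {name: digest(src) for name, src in library.items()}


# Change-control records: each approved change names the author, an approver and the
# hash of the program text that was approved.
CHANGE_RECORDS = [
    {"program": "PAYROLL.cbl", "author": "dev_carol", "approver": "mgr_bob", "hash": digest(CLEAN_PAYROLL)},
    {"program": "GL_POST.cbl", "author": "dev_alice", "approver": "mgr_bob", "hash": digest(GL_POST)},
    # author approved her own change: not an independent approval
    {"program": "AR_AGING.cbl", "author": "dev_carol", "approver": "dev_carol", "hash": digest(AR_AGING)},
]


def self_approved_changes(records):
    """Change records whose author and approver are the same person."""
    return sorted(r["program"] for r in records if r["author"] == r["approver"])


def approved_versions(records):
    """Map program -> set of hashes that went through independent approval.
    Self-approved records are deliberately not counted as approval."""
    approved = {}
    for r in records:
        if r["author"] != r["approver"]:
            approved.setdefault(r["program"], set()).add(r["hash"])
    return approved


def unapproved_versions(snapshots, approved):
    """snapshots: list of (label, {program: hash}) in time order.
    Reports each program version the first time it appears without an approved hash.
    Every snapshot is checked against the approved set, not merely against the previous
    snapshot, so a version present only between audits is caught by the routine runs."""
    findings = []
    previous = {}
    for label, snap in snapshots:
        for program in sorted(snap):
            h = snap[program]
            if h == previous.get(program):
                continue  # unchanged since the last run: already reported or approved
            if h not in approved.get(program, set()):
                findings.append((label, program))
        previous = snap
    return findings


def library(payroll: bytes) -> dict:
    return {"PAYROLL.cbl": payroll, "GL_POST.cbl": GL_POST, "AR_AGING.cbl": AR_AGING}


# Four monitor runs; the fraudulent PAYROLL is removed for the audit-day run only.
SNAPSHOTS = [
    ("2024-03-01 routine", snapshot(library(CLEAN_PAYROLL))),
    ("2024-03-08 routine", snapshot(library(FRAUD_PAYROLL))),
    ("2024-03-15 audit", snapshot(library(CLEAN_PAYROLL))),
    ("2024-03-22 routine", snapshot(library(FRAUD_PAYROLL))),
]


def run_checks():
    approved = approved_versions(CHANGE_RECORDS)
    return {
        "self_approved": self_approved_changes(CHANGE_RECORDS),
        "unapproved_versions": unapproved_versions(SNAPSHOTS, approved),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(check, result)
```

The audit-day snapshot alone shows a clean PAYROLL and would satisfy a point-in-time test; the two routine runs either side of it are what expose the swap, which is why the monitor must run on a schedule the programmer does not control.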
The Distributed Model
An alternative to the centralized model is the concept of distributed data processing (DDP). The IT units
may be distributed according to business function, geographic location, or both. All or any of the IT
functions represented in Figure 2.2 may be distributed. The degree to which they are distributed will
vary depending upon the philosophy and objectives of the organization's management.
Risks Associated with DDP
This section discusses the organizational risks that need to be considered when implementing DDP.
Inefficient Use of Resources.
DDP can expose an organization to three types of risks associated with inefficient use of organizational
resources. These are outlined below.
First is the risk of mismanagement of organization-wide IT resources by end users.
Second is the risk of redundant effort and data. For example, application programs created by one user,
which could be used with little or no change by others, will be redesigned from scratch rather than
shared. Likewise, data common to many users may be recreated for each, resulting in a high level of
data redundancy. This situation has implications for data accuracy and consistency.
Third is the risk of incompatible platforms. For example, decision makers in different organizational
units working independently may settle on dissimilar and incompatible operating systems, technology
platforms, spreadsheets, word processors, and database packages. Hardware and software
incompatibilities can degrade and disrupt connectivity between units, causing the loss of transactions
and possible destruction of audit trails.
Destruction of Audit Trails.
Auditors use the audit trail to trace selected financial transactions from the source documents that
captured the events, through the journals, subsidiary ledgers, and general ledger accounts that recorded
the events, and ultimately to the financial statement themselves. The audit trail is critical to the
auditor's attest service.
Inadequate Segregation of Duties.
For example, within a single unit the same person may write application programs, perform program
maintenance, enter transaction data into the computer, and operate the computer equipment. Such a
situation would be a fundamental violation of internal control.
Hiring Qualified Professionals.
For these reasons, managers may experience difficulty attracting highly qualified personnel. The risk of
programming errors and system failures increases directly with the level of employee incompetence.
Lack of Standards.
Because of the distribution of responsibility in the DDP environment, standards for developing and
documenting systems, choosing programming languages, acquiring hardware and software, and
evaluating performance may be unevenly applied or even nonexistent. Opponents of DDP argue that the
risks associated with the design and operation of a DDP system are made tolerable only if such
standards are consistently applied.
Advantages of DDP
Cost Reductions.
DDP has reduced costs in two other areas: (1) data can be edited and entered by the end user, thus
eliminating the centralized task of data preparation; and (2) application complexity can be reduced,
which in turn reduces systems development and maintenance costs.
Improved Cost Control Responsibility.
Proponents of DDP contend that the benefits of improved management attitudes more than outweigh
any additional costs incurred from distributing these resources. They argue that if IT capability is indeed
critical to the success of a business operation, then management must be given control over these
resources. This argument counters the earlier discussion favoring the centralization of organization-wide
resources.
Improved User Satisfaction.
Perhaps the most often cited benefit of DDP is improved user satisfaction. DDP proponents claim that
distributing systems to end users improves three areas of need that too often go unsatisfied in the
centralized model: (1) as previously stated, users desire to control the resources that influence their
profitability; (2) users want systems professionals (analysts, programmers, and computer operators) to
be responsive to their specific situation; and (3) users want to become more actively involved in
developing and implementing their own systems.
Backup Flexibility.
Later in the chapter we examine disaster recovery planning for such contingencies. The distributed
model offers organizational flexibility for providing backup. Each geographically separate IT unit can be
designed with excess capacity. If a disaster destroys a single site, the other sites can use their excess
capacity to process the transactions of the destroyed site. Naturally, this setup requires close
coordination between the end-user managers to ensure that they do not implement incompatible
hardware and software.
Controlling the DDP Environment
Before taking an irreversible step, decision makers must assess the true merits of DDP for their
organization. Nevertheless, careful planning and implementation of controls can mitigate some of the
DDP risks previously discussed. This section reviews several improvements to the strict DDP model.
Implement a Corporate IT Function
The completely centralized model and the distributed model represent extreme positions on a
continuum of structural alternatives. The needs of most firms fall somewhere between these end points.
Often, the control problems previously described can be addressed by implementing a corporate IT
function such as that illustrated in Figure 2.5.
This function is greatly reduced in size and status from that of the centralized model shown in Figure 2.2.
The corporate IT group provides systems development and database management for entity-wide
systems in addition to technical advice and expertise to the distributed IT community. This advisory role
is represented by the dotted lines in Figure 2.5. Some of the services provided are described next.
Central Testing of Commercial Software and Hardware.
This allows the organization to effectively centralize the acquisition, testing, and implementation of
software and hardware and avoid many problems discussed earlier.
User Services.
In addition, a chat room could be established to provide threaded discussions, frequently asked
questions (FAQs), and intranet support. The corporate IT function could also provide a help desk, where
users can call and get a quick response to questions and problems. In many organizations, user services
staff teach technical courses for end users as well as for computer services personnel. This raises the
level of user awareness and promotes the continued education of technical personnel.
Standard-Setting Body.
The relatively poor control environment imposed by the DDP model can be improved by establishing
some central guidance. The corporate group can contribute to this goal by establishing and distributing
to user areas appropriate standards for systems development, programming, and documentation.
Personnel Review.
The corporate group is often better equipped than users to evaluate the technical credentials of
prospective systems professionals. Although the systems professional will actually be part of the end-
user group, the involvement of the corporate group in employment decisions can render a valuable
service to the organization.
Auditing is an independent examination of accounting and financial records and financial
statements to determine if they conform to the law and to generally accepted accounting principles.
Accounting involves tracking, reporting, and analyzing financial transactions.
Audit Objective
The auditor's objective is to verify that the structure of the function is such that individuals in
incompatible areas are segregated in accordance with the level of potential risk and in a manner that
promotes a working environment. This is an environment in which formal, rather than casual,
relationships need to exist between incompatible tasks.
The word "audit" derives from the Latin word audire, which means "to hear".
The origin of modern auditing can be traced back to the 18th century, when the practice of large-scale
production developed as a result of the Industrial Revolution. Systems of checks and counter-checks
were implemented to maintain public accounts as early as the days of the ancient Egyptians, Greeks
and Romans.
Audit Procedures
The following audit procedures would apply to an organization with a centralized IT function:
■ Review relevant documentation, including the current organizational chart, mission statement, and
job descriptions for key functions, to determine if individuals or groups are performing incompatible
functions.
■ Review systems documentation and maintenance records for a sample of applications. Verify that
maintenance programmers assigned to specific projects are not also the original design
programmers.
■ Verify that computer operators do not have access to the operational details of a system's internal
logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code
listings, should not be part of the operations documentation set.
■ Through observation, determine that segregation policy is being followed in practice. Review
operations room access logs to determine whether programmers enter the facility for reasons other
than system failures.
The following audit procedures would apply to an organization with a distributed IT function:
■ Review the current organizational chart, mission statement, and job descriptions for key functions to
determine if individuals or groups are performing incompatible duties.
■ Verify that corporate policies and standards for systems design, documentation, and hardware and
software acquisition are published and provided to distributed IT units.
■ Verify that compensating controls, such as supervision and management monitoring, are employed
when segregation of incompatible duties is economically infeasible.
■ Review systems documentation to verify that applications, procedures, and databases are designed
and functioning in accordance with corporate standards.
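Several of the tests of controls above (for both the centralized and the distributed lists) reduce to cross-referencing evidence the auditor already collects: job descriptions against a list of incompatible functions, maintenance records against design records, the operations room badge log against open system-failure tickets, and distributed units against documented compensating controls. The Python example below is added here and is not from the original page or the textbook; all staff names, roles, applications, log lines, failure windows and units are constructed evidence, and the log format is an assumption.

```python
from datetime import datetime

# Constructed audit evidence; people, units and timestamps are assumptions, not from the page.
STAFF_ROLES = {
    "alice": {"systems_development"},
    "bob":   {"computer_operations"},
    "carol": {"systems_maintenance", "computer_operations"},
    "dave":  {"database_administration"},
    "erin":  {"systems_maintenance"},
}

# Function pairs the segregation policy treats as incompatible.
INCOMPATIBLE_PAIRS = [
    ("systems_development", "computer_operations"),
    ("systems_maintenance", "computer_operations"),
    ("database_administration", "systems_development"),
    ("database_administration", "systems_maintenance"),
    ("database_administration", "computer_operations"),
]

# Design and maintenance assignments taken from (constructed) systems documentation.
MAINTENANCE_RECORDS = [
    {"application": "AR_AGING", "designers": {"alice"}, "maintainers": {"erin"}},
    {"application": "PAYROLL", "designers": {"carol"}, "maintainers": {"carol", "erin"}},
]

# Operations room badge log (assumed format: timestamp action person) and the
# system-failure tickets that would justify a programmer being in the room.
OPS_ROOM_LOG = """\
2024-03-04T02:10 ENTER alice
2024-03-04T03:40 EXIT alice
2024-03-11T14:05 ENTER alice
2024-03-11T14:50 EXIT alice
2024-03-12T09:00 ENTER bob
2024-03-18T22:30 ENTER erin
"""
SYSTEM_FAILURES = [("2024-03-04T01:55", "2024-03-04T04:00")]

# Distributed units: where segregation is not feasible, a compensating control must be documented.
DISTRIBUTED_UNITS = [
    {"unit": "Plant A", "segregated": True, "compensating_controls": []},
    {"unit": "Plant B", "segregated": False, "compensating_controls": ["weekly supervisory review of change log"]},
    {"unit": "Sales office", "segregated": False, "compensating_controls": []},
]


def role_conflicts(staff_roles=STAFF_ROLES, pairs=INCOMPATIBLE_PAIRS):
    """Test 1 (both models): individuals assigned to two functions that must be separate."""
    return sorted((person, pair) for person, roles in staff_roles.items()
                  for pair in pairs if set(pair) <= roles)


def designers_who_maintain(records=MAINTENANCE_RECORDS):
    """Test 2 (centralized): maintenance programmers who were also the original designers."""
    return sorted((r["application"], p) for r in records for p in r["designers"] & r["maintainers"])


def _ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M")


def programmer_entries_outside_failures(log=OPS_ROOM_LOG, staff_roles=STAFF_ROLES, failures=SYSTEM_FAILURES):
    """Test 3 (centralized): programmers entering the operations room with no failure ticket open."""
    programmer_roles = {"systems_development", "systems_maintenance"}
    windows = [(_ts(start), _ts(end)) for start, end in failures]
    findings = []
    for line in log.splitlines():
        stamp, action, person = line.split()
        if action != "ENTER" or not (staff_roles.get(person, set()) & programmer_roles):
            continue  # exits, and operators, are not in scope for this test
        if not any(start <= _ts(stamp) <= end for start, end in windows):
            findings.append((stamp, person))
    return findings


def units_missing_compensating_controls(units=DISTRIBUTED_UNITS):
    """Test 4 (distributed): unsegregated units with no documented compensating control."""
    return [u["unit"] for u in units if not u["segregated"] and not u["compensating_controls"]]


if __name__ == "__main__":
    print("role conflicts:", role_conflicts())
    print("designers maintaining own code:", designers_who_maintain())
    print("unexplained programmer entries:", programmer_entries_outside_failures())
    print("units without compensating controls:", units_missing_compensating_controls())
```

Each function returns exceptions only; an empty list is the evidence that the control operated for the sample. Alice's 02:10 entry on 4 March falls inside the open failure window and is not reported, while her 11 March visit and Erin's late-night entry have no ticket behind them and go on the exception list for follow-up with operations management.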
