Chap 5

Chapter 5 of AIS discusses IT governance, emphasizing the importance of aligning IT systems with organizational strategies to enhance efficiency and reduce costs. It outlines the strategic management process and the role of the IT governance committee in overseeing the Systems Development Life Cycle (SDLC), which includes phases such as planning, analysis, design, implementation, and maintenance of IT systems. The chapter also highlights the need for board involvement in IT oversight and the evaluation of IT systems' alignment with strategic objectives.

Uploaded by jakeithshim

AIS CHAPTER 5 IT GOVERNANCE

Introduction to IT Governance (Study Objective 1)

💡 IT systems are critical to the success of the organizations that use them. They can improve efficiency and effectiveness, and reduce costs.

The company must ensure that its long-term strategies, and its ongoing operations, properly utilize
appropriate IT systems.

Strategic management is the process of determining the strategic vision for the organization, developing the long-term objectives, creating the strategies that will achieve the vision and objectives, and implementing those strategies.

It requires continuous evaluation of, and refinements to, the vision, objectives, strategy, and implementation.

The IT Governance Institute defines IT governance as follows:


IT Governance is a structure of relationships and processes to direct and control the enterprise in order to
achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

The board of directors and top-level executive managers must take responsibility to ensure that the organization has processes that align IT systems to the strategies and objectives of the organization. IT systems should be chosen and implemented that support attainment of strategies and objectives.

To fulfill the management obligations that are inherent in IT governance, management must focus on the following activities:
Aligning IT strategy with the business strategy

Cascading strategy and goals down into the enterprise

Providing organizational structures that facilitate the implementation of strategy and goals

Insisting that an IT control framework be adopted and implemented

Measuring IT's performance

Three popular models of an IT control framework are:


1. Information Systems Audit and Control Association (ISACA), Control Objectives for IT (COBIT)

2. The International Organization for Standardization (ISO) 27002, Code of Practice for Information Security
Management

3. The Information Technology Infrastructure Library (ITIL)

IT systems are critical to the long-term success of the organization, and board involvement in IT oversight is
therefore necessary.

The board should do the following:


Articulate and communicate the business direction to which IT should be aligned.

Make sure it is aware of the latest developments in IT, from a business perspective.

Insist that IT be a regular item on the agenda of the board and that it be addressed in a structured manner.

Be informed about how and how much the enterprise invests in IT compared with its competitors' investments.

Ensure that the reporting level of the most senior information technology manager is commensurate with the
importance of IT.

Ensure that it has a clear view of the major IT investments, from a risk-and-return perspective.

Receive regular progress reports on major IT projects.

Receive IT performance reports illustrating the value of IT.

Ensure that suitable IT resources, infrastructures, and skills are available to meet the required enterprise
strategic objectives.

The board and top management must ensure that the organization has processes to
accomplish the following tasks:
1. Continually evaluate the match of strategic goals to the IT systems in use.

2. Identify changes or improvements to the IT system that will enhance the ability to meet strategic
organizational objectives.

3. Prioritize the necessary changes to IT systems.

4. Develop the plan to design and implement those IT changes that are of high priority.

5. Implement and maintain the IT systems.

6. Continually loop back to Step 1.

💡 The managerial obligation to evaluate strategic match and to implement IT systems begins with the
board of directors and must cascade down into the organization. This means that the board, top
executive management, and lower‐level managers all must work toward the same goal of ensuring IT
systems and strategy align with the organization’s strategic goals.

The IT governance committee is a group of senior managers selected to oversee the strategic management of IT.

The formal process that many organizations use to select, design, and implement IT systems is the System
Development Life Cycle, or SDLC.

An Overview of the SDLC (Study Objective 2)


The Systems Development Life Cycle (SDLC) is a systematic process to manage the acquisition, design, implementation, and use of IT systems.

Historically, the SDLC was a systematic set of regular steps to accomplish the IT systems selection, design, programming, and implementation.

The IT governance committee has the responsibility of oversight and management of the SDLC.

It is usually made up of the top managers of the organization, including the Chief Executive Officer (CEO), the Chief Financial Officer (CFO), the Chief Information Officer (CIO), top managers from user departments, and top management from internal audit.

PHASES OF SDLC
1. Systems planning is the evaluation of long-term, strategic objectives and the prioritization of IT systems in
order to assist the organization in achieving its objectives.

2. Systems analysis is a study of the current system to determine the strengths and weaknesses and the user
needs of that system.

Analysis requires the collection of data about the system and the careful scrutiny of that data to
determine areas of the system that can be improved.

3. Systems design is the creation of the system that meets user needs and that incorporates the improvements
identified by the systems analysis phase.

4. Systems implementation is the set of steps undertaken to program, test, and activate the IT system as
designed in the system design phase.

5. Operation and maintenance is the regular, ongoing functioning of the IT system and the processes to fix
smaller problems, or "bugs," in the IT system.

Conceptual design is the process of matching alternative system models with the needs identified in the system
analysis phase.

Evaluation and selection is the process of assessing the feasibility and fit of each of these alternative conceptual
approaches and selecting the one that best meets the organization's need.
The best system may be either software that can be purchased, or a system designed and developed in-house.

If software is to be purchased, the company must undergo a set of steps called software selection to select the
best software for its needs.
When systems are to be developed in-house, the company must undertake steps to design the details of that
system.

Detailed design is the process of designing the outputs, inputs, user interfaces, databases, manual procedures,
security and controls, and documentation of the new system.

The Phases of the SDLC — It is important to remember that the descriptions presented here are for a typical set of
phases and steps within the SDLC and are not intended to imply that every organization must follow these exact
steps.

Elements of the Systems Planning Phase of the SDLC (Study Objective 3)
Systems planning — is a managerial function of the IT governance committee.

The IT governance committee must constantly monitor the IT system through feedback about network
utilization, security breaches, and reports on the operation of the system.

The IT governance committee should consider two broad aspects:

1. the assessment of IT systems and their match to strategic organizational objectives, and

2. the feasibility of each of the requested modifications or upgrades.

The Match of IT Systems to Strategic Objectives


The IT governance committee must evaluate proposed changes to IT systems in terms of their usefulness in
assisting the organization to achieve its objectives.

This need to match IT systems to organizational objectives also highlights the need for the IT governance committee to include as its members top management such as the CEO, CFO, CIO, and other high-level managers.

Because these managers establish strategic objectives, they are in the best position to assess the fit of IT systems to those objectives.

Top management also has the authority to allocate resources and time to the projects that will modify or upgrade IT systems.

Lower-level managers would not have the authority or gravitas within the organization to push through IT changes.

Feasibility Study
Feasibility — refers to the realistic possibility of affording, implementing, and using the IT systems being
considered.

Four feasibility aspects should be considered (TOES):


1. Technical feasibility – assessment of the realistic possibility that technology exists to meet the needs
identified in the proposed change to the IT system.

2. Operational feasibility – assessment of the realistic possibility that current employees will be able to operate
the proposed IT system.

3. Economic feasibility – assessment of the costs and benefits associated with the proposed IT system. Is it
realistic to conclude that the benefits of the proposed IT system outweigh the costs?

4. Schedule feasibility – assessment of the realistic possibility that the proposed IT system can be implemented
within a reasonable time.

Planning and Oversight of the Proposed Changes
After the IT governance committee has prioritized the proposed changes, it must decide which changes can be undertaken at the current time.

The committee should do several things to initiate the next phases of the SDLC:
1. Formally announce the project they have chosen to undertake.

2. Assign the project team that will begin the next phase, the systems analysis.

3. Budget the funds necessary to complete the SDLC.

4. Continue oversight and management of the project team and proposed IT changes as the remaining SDLC
phases occur.

Elements of the Systems Analysis Phase of the SDLC (Study Objective 4)
Preliminary Investigation
The preliminary investigation occurs within a short period ranging from a few hours to a few days and should not exceed two to three days.

The purpose of the preliminary investigation is to determine whether the problem or deficiency in the current system really exists.

In other words, its purpose is to make a “go” or “no-go” decision (to proceed further or to abandon the project).

System Survey: The Study of the Current System


In most cases, it is easier to improve something only when you have a good understanding of it.

Throughput is a measure of transactions per period. Transaction volumes, processes within the system, and controls within the system affect the throughput of an accounting system.

Systems survey — a detailed study of the current system to identify weaknesses to improve upon and strengths to be maintained.

The systems survey requires collecting data about the current system, including the following:

Inputs — sources of data

Outputs — the uses of information from processing and outputs such as checks, reports, or forms

Processes — the individual steps undertaken to process transactions, including both manual and computerized processes

Controls — the internal controls within the processing system

Data storage — how and where data is stored, and the size of the data storage

Transaction volumes — number of transactions per day or per hour

Errors — number of transaction processing errors

Data collection involves observation, documentation review, interviews, and questionnaires.

A project team would use each of these methods to collect the necessary data.

Data Collection Methods:


1. Observation is watching the steps that employees take as they process transactions in the system.

The purpose of the observation is to enable the project team to gain an understanding of the processing
steps within the system.

2. Documentation review is the detailed examination of documentation that exists about the system to gain an
understanding of the system under study.

The project team would examine any relevant documentation about the system, such as flowcharts, run
manuals, operating manuals, input forms, reports, and outputs.

Determination of User Requirements

💡 Interviews and questionnaires are data collection methods that solicit feedback from users of the
system. These are critical parts of the data collection, because it is of utmost importance that users
have input into the development of a new or revised system.

Users are the people who input data or use output reports on a daily basis, so the system must satisfy the needs of these users. The user perspective and perception about the current system are an important part of the information that the project team needs to collect in order to benefit from a system survey.

INTERVIEWS — a data collection method that helps the project team determine user needs.

Interviews are the face-to-face, verbal questioning of users to determine facts or beliefs about the system. The questions asked can be structured, unstructured, or some mixture of the two.

A structured question is designed such that the format and range of the answer is known ahead of time.

An unstructured question is completely open-ended, and the respondent is free to answer in any way that he feels addresses the question.

A multiple-choice question has predetermined answers in a certain format, whereas the format and content of an essay answer are much more flexible for the person answering the question. Both types of questions can be used in interviews to solicit feedback from users about how they use the system and about strengths and weaknesses in the current system.

QUESTIONNAIRES are also used to solicit feedback from users.

Questionnaires are a written, rather than an oral, form of questioning users to determine facts or beliefs about the system.

They can also include both structured and unstructured questions.

They can be answered anonymously, which allows the respondent to be more truthful without fear of negative consequences.

The other advantage to questionnaires is efficiency; that is, it is much easier and less time-consuming to process 100 questionnaires than it is to personally interview 100 users.

Analysis of the System Survey


The analysis phase is the critical-thinking stage of the systems analysis.

Its purpose is to question the current approaches used in the system and to think about better ways to carry out the steps and processes in the system.

The project team studies the information collected in the system survey phase and attempts to create improvements to the system.

The analysis phase and the attempt to create improvements may lead to business process reengineering (BPR).

BPR is defined as “fundamental rethinking and radical redesign of business processes to bring about dramatic improvements.”

Business processes are the many sets of activities within the organization performed to accomplish the functions necessary to continue the daily operations.

For example, every organization has a process to collect and record the revenue earned. The revenue collection process may simply be a single person who mails bills, receives customer checks in the mail, totals the checks, records them in the accounting records, and deposits the funds.

💡 Anheuser Busch uses extensive IT systems to improve the forecasting of customer buying patterns.
This IT system and the processes that match it enable Anheuser Busch to keep customer store shelves
stocked with the right amount of its various beer brands.

Systems Analysis Report

The last step in the systems analysis phase is to prepare a systems analysis report for delivery to the IT
governance committee, which will inform the IT governance committee of the results of the systems survey,
user needs determination, and BPR.

The report will make recommendations to the IT governance committee regarding the continuation of the
project.

Elements of the Systems Design Phase of the SDLC (Study Objective 5)
The nature of the steps within the design phase of the SDLC is different, depending on whether the organization intends to purchase software or design the software in-house.

The Purchase of Software


When the project team has reached the design phase, user needs and system requirements have previously
been determined in the systems analysis phase.

The project team is ready to solicit proposals from different software vendors for accounting systems that satisfy the identified user needs and meet the system requirements.

The process used to solicit proposals is the request for proposal, or RFP.

An RFP may be sent to each software vendor offering a software package that meets the system and user needs.

When the vendor returns the RFP, it will include details such as a description of the software that it intends to sell, the technical support that it intends to provide, and the related prices.

Things to consider when evaluating the proposal:


1. The price of the software or software modules

2. The match of system and user needs to the features of the software

3. The technical, operational, economic, and schedule feasibility

4. Technical support provided by the vendor

5. Reputation and reliability of the vendor

6. Usability and user friendliness of the software

7. Testimonials from other customers who use the software.

Technical feasibility — is an assessment of whether or not the existing computer hardware, or hardware to be
purchased, represents adequate computing power to run the software.

Operational feasibility — refers to the capability of the existing staff of employees and any planned new hires to
use the software as it is intended.
Economic feasibility — refers to the cost–benefit analysis of each software package.

The cost–benefit analysis — is a comparison of costs with benefits.

Schedule feasibility — is an analysis of the time to install and implement each software package.

Purchased software is less costly and more reliable and has a shorter implementation time than software designed in-house.

Purchased software has these advantages because it is written by the software vendor, its cost is spread
over several clients, and the coding and testing are already complete when a customer buys the software.

The system design phase would include specific steps to design the outputs, inputs, processes, controls, and data storage of the revised system.

In‐House Design
Hiring a Consultant
While it is not necessary to hire a consulting firm, many organizations find that the special expertise of consulting firms is most beneficial in the design and implementation of accounting system software.

Conceptual Design
Conceptual design involves identifying the alternative conceptual design approaches to systems that will meet the needs identified in the system analysis phase.

This step could be viewed as a sort of “brainstorming” to generate the different conceptual approaches in a system design that will meet the identified needs.

Traditional system — matches the purchase order, receiving, and invoice documents.

Traditional document matching requires simpler technology and involves more manual tasks.

Electronic invoice presentment and payment (EIPP) system — a Web-based “matchless” system in which invoices are paid as soon as they are electronically delivered; there is no matching of documents prior to the approval and payment of the invoice.

An EIPP system requires more complex and advanced technology and fewer manual steps.

Evaluation and Selection


Evaluation and selection — is the process of assessing the feasibility and fit of each of the alternative conceptual
approaches and selecting the one that best fits the organization’s needs.

The evaluation process includes a more detailed feasibility study, with the same set of feasibility assessments identified earlier examined in detail for each of the conceptual designs.

The feasibility assessments in the study include the following:


1. Technical feasibility — The project team will assess the technical feasibility of each alternative conceptual
design.

In general, designs that require more complex technology have a lower feasibility than designs with less
complex technology.

The project team may place a numeric score on the technical feasibility.

For example, on a scale of 1 to 10, the invoice-matching system may be scored as a 10 because the lower technology requirements make it much easier and less risky to acquire and/or implement.

2. Operational feasibility — The project team will assess the realism of the possibility of operating each of the
alternative designs.

During this process, the team must consider the number of employees, their capabilities and expertise,
and any supporting systems necessary to operate each alternative design.

The team attempts to determine whether existing staff and support systems are adequate to operate the
systems.

For example, with a given staff size, a highly computerized system such as a Web-based system may be more operationally feasible, because it would require fewer staff members to operate.

The project team may assign a numerical assessment on a scale to indicate the relative operational feasibility.

3. Economic feasibility — The project team must estimate the costs and benefits of each alternative design.

The costs and benefits can be compared by a formal cost–benefit method such as net present value,
internal rate of return, or payback period.

The purpose of this analysis is to determine which of the alternative designs is most cost effective.

The costs of the system designs might include hardware and software costs, training expenses, and
increases in operating and supplies costs.

4. Schedule feasibility — For each alternative design, the project team must estimate the total amount of time
that will be required to implement the revised system.

The designs that take longer to implement are less feasible.
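Here is an added example, not from the textbook, of how a project team could carry the evaluation and selection step through in code: each alternative conceptual design gets a 1-to-10 score on technical, operational and schedule feasibility, the economic feasibility is computed from cost and benefit estimates using net present value, internal rate of return and payback period, and the four scores are combined into a weighted total. The two designs (invoice matching versus EIPP), their scores, cash flows, discount rate and weights are constructed illustrative values, and the weights and the rule that scales NPV into a 1-to-10 score are assumptions, not a method the chapter prescribes.

```python
from dataclasses import dataclass

# Constructed example data: two alternative conceptual designs for the
# purchasing/payables process. Scores are on a 1-10 scale (10 = most feasible);
# cash flows are a year-0 outlay plus net annual benefits for years 1..n.
@dataclass
class Design:
    name: str
    technical: int
    operational: int
    schedule: int
    initial_cost: float
    annual_net_benefit: list

DESIGNS = [
    Design("Invoice matching", technical=10, operational=6, schedule=9,
           initial_cost=40_000, annual_net_benefit=[15_000] * 5),
    Design("EIPP web-based", technical=6, operational=8, schedule=5,
           initial_cost=90_000, annual_net_benefit=[35_000] * 5),
]
DISCOUNT_RATE = 0.10   # assumed cost of capital
WEIGHTS = {"technical": 0.25, "operational": 0.25, "economic": 0.30, "schedule": 0.20}  # assumed

def npv(initial_cost, cash_flows, rate):
    """Net present value: discounted net benefits less the up-front cost."""
    return -initial_cost + sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows, start=1))

def payback_period(initial_cost, cash_flows):
    """Years until cumulative net benefit recovers the outlay (interpolated); None if never."""
    cumulative = 0.0
    for year, cf in enumerate(cash_flows, start=1):
        before = cumulative
        cumulative += cf
        if cumulative >= initial_cost:
            return year - 1 + (initial_cost - before) / cf
    return None

def irr(initial_cost, cash_flows, lo=-0.99, hi=10.0, tol=1e-6):
    """Internal rate of return: the discount rate at which NPV is zero, found by bisection."""
    f_lo, f_hi = npv(initial_cost, cash_flows, lo), npv(initial_cost, cash_flows, hi)
    if f_lo * f_hi > 0:          # NPV never changes sign in [lo, hi]: no IRR
        return None
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(initial_cost, cash_flows, mid)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2

def economic_scores(designs, rate):
    """Scale each design's NPV to 1-10 relative to the best NPV (assumed scaling rule)."""
    npvs = {d.name: npv(d.initial_cost, d.annual_net_benefit, rate) for d in designs}
    best = max(npvs.values())
    scores = {}
    for name, value in npvs.items():
        raw = 10 * value / best if best > 0 else 1
        scores[name] = max(1, min(10, round(raw)))
    return scores

def evaluate(designs=DESIGNS, rate=DISCOUNT_RATE, weights=WEIGHTS):
    """Return {design name: {feasibility scores, 'overall' weighted total, NPV, IRR, payback}}."""
    econ = economic_scores(designs, rate)
    results = {}
    for d in designs:
        scores = {"technical": d.technical, "operational": d.operational,
                  "economic": econ[d.name], "schedule": d.schedule}
        scores["overall"] = sum(weights[k] * scores[k] for k in weights)
        scores["npv"] = round(npv(d.initial_cost, d.annual_net_benefit, rate), 2)
        scores["irr"] = irr(d.initial_cost, d.annual_net_benefit)
        scores["payback_years"] = payback_period(d.initial_cost, d.annual_net_benefit)
        results[d.name] = scores
    return results

def select_design(designs=DESIGNS, rate=DISCOUNT_RATE, weights=WEIGHTS):
    """Name of the design with the highest weighted feasibility score."""
    results = evaluate(designs, rate, weights)
    return max(results, key=lambda name: results[name]["overall"])

if __name__ == "__main__":
    for name, s in evaluate().items():
        print(f"{name}: overall={s['overall']:.2f} NPV={s['npv']:,.2f} "
              f"IRR={s['irr']:.1%} payback={s['payback_years']:.2f}y")
    print("selected:", select_design())
```

With these constructed numbers the lower-technology invoice-matching design wins on technical and schedule feasibility but the EIPP design's larger NPV carries the weighted total, which is the kind of trade-off the scoring is meant to make visible; changing the weights or the discount rate changes the outcome, so the committee should record both as part of the feasibility study.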

Cloud Computing as a Conceptual Design

When cloud computing is one of the alternative conceptual designs, the team conducting the SDLC must consider the risks, costs and benefits, and feasibility of the cloud computing approach.

Cloud computing can entail greater security, availability, processing integrity, and confidentiality risks and
these must be appropriately weighed against the benefits of scalability, expanded access, cost savings, and
IT infrastructure changes.

There are other considerations related to adopting or increasing cloud computing usage, such as:
1. The customer support provided by the cloud vendor.

It is important to fully understand the level and reliability of support provided by a cloud vendor.

2. The service level agreement (SLA) with the cloud provider.

This contract should clearly specify the vendor’s responsibilities, including the billing terms and expectations about allowable downtime.

3. The manner of monitoring cloud service usage.

Because cloud computing is often a pay-for-service model in which the client pays for the level of service used, it is important that the client is able to monitor usage and reconcile billing with the actual service usage.

Cloud computing clients must be able to track their usage of the cloud services and reconcile their measure of services used to the billing provided by the cloud vendor.

Detailed Design
The purpose of the detailed design phase is to create the entire set of specifications necessary to build and
implement the system.

The various parts of the system that must be designed are the outputs, inputs, processes, data storage, and
internal controls.

Outputs of the system — are reports and documents, such as income statements, aged accounts receivable
listings, inventory status reports, and sales by product.

Other outputs are documents or turn-around documents.

For example, checks printed by the accounts payable system and invoices printed by the billing system are outputs.

The form may be a printed report or a report viewed on the screen.

The format is the actual layout of the report or document.

Inputs — are the forms, documents, screens, or electronic means used to put data into the accounting system.

There are many ways that data can be input, ranging from the manual keying in of data on a keyboard to
computerized input such as bar code scanning.

Samples of the different methods of data input are as follows:


1. Keying in data with a keyboard from data on a paper form.

The person operating the keyboard must enter data from a paper form into an input screen on the computer.

This method is more error-prone and much slower than the other electronic methods of input.

2. Magnetic ink character recognition (MICR) — is used on checks and turnaround documents such as the
portion of your credit card bill that you return.

The computer system reads the magnetic ink to determine information such as account number.

3. Electronic data interchange (EDI) — standard business documents are transmitted electronically.

4. Internet commerce — the customer enters customer and order data.

5. Bar code scanning — the point‐of‐sale systems used by grocery and department stores.

💡 All details of the processes of the system must also be designed. In the detailed design phase, all of the
individual steps within a process must be designed.
The internal controls within the system must be designed during the detailed design phase. Internal
controls are much more effective when they are designed into the processes from the beginning.
An IT system must also have the proper amount and type of data storage to accomplish the functions it
was designed to do.
The data storage method and size must match the design of the inputs, processes, and outputs.

Elements of the Systems Implementation Phase of the SDLC (Study Objective 6)
Implementation time would be much shorter for purchased software, since the software
has already been written and tested by the vendor.

Software Programming
Using the design specifications developed in the detailed design phase, the programming staff would write
the program code for the new or revised system.

In the case of purchased software, the programming staff would modify the program code as necessary to
meet the design specifications.

Training Employees
As the programming is completed or nearing completion, employees should be trained to use the new system.

Depending on the extent of changes from the old system, employees may need training in the use of new
input screens, output reports, and processes.

Software Testing
As programmers complete the programming of the new system, the programs and the modules that make up
the programs must be tested.

Software should never be implemented before it is tested; otherwise, it can cause errors or problems in the
accounting system and thereby result in erroneous accounting data.

The most common way to test software is to use test data, which is specially created and entered into the
software to ensure that the software works correctly.

Documenting the System


Since inputs, outputs, and processes are very likely to change as systems are revised, it is important to write
the documentation that matches the new inputs, outputs, and processes.

The kinds of documentation necessary to operate and maintain an accounting system include flowcharts, data flow diagrams, entity relationship diagrams, process maps, operator manuals, and data dictionaries.

Data Conversion
The file or database storage for the new system may be different from the storage format of the old system.

Programs can be written or acquired that will convert the data from the old to the new format.

To check the accuracy of the conversion, accountants can reconcile control totals from the old data set to
control totals from the converted data.
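Here is an added example (not the textbook's code) of the control-total check described above: a constructed export from the old system is converted into the new system's record layout, then a record count, a financial total of the balances and a hash total of the customer numbers are computed on both sides and compared. The file layout, field names and sample customers are constructed, and the new system's schema is an assumption made for the example.

```python
from datetime import date
from decimal import Decimal

# Constructed export from the "old" system: pipe-delimited text with
# US-formatted amounts ("1,250.00") and dates (MM/DD/YYYY). Not real customer data.
OLD_EXPORT = """\
CUST|NAME|BALANCE|LAST_PAYMENT
10021|Acme Supply |1,250.00|03/15/2024
10034|Baker & Sons|0.00|01/02/2024
10077|Cortez Imports|-45.10|02/28/2024
10102|Delta Freight|9,870.55|03/30/2024
"""

def parse_old(text):
    """Split the old export into one dict per row, keyed by the header names."""
    lines = text.strip().splitlines()
    header = lines[0].split("|")
    return [dict(zip(header, line.split("|"))) for line in lines[1:]]

def to_amount(text):
    """Parse '1,250.00' into an exact Decimal; a float here could lose cents silently."""
    return Decimal(text.replace(",", ""))

def convert_record(old):
    """Map one old row to the new system's (assumed) schema: typed id, Decimal balance, ISO date."""
    month, day, year = (int(p) for p in old["LAST_PAYMENT"].split("/"))
    return {
        "customer_id": int(old["CUST"]),
        "name": old["NAME"].strip(),
        "balance": to_amount(old["BALANCE"]),
        "last_payment": date(year, month, day).isoformat(),
    }

def control_totals_old(rows):
    """Control totals computed straight from the old export, before conversion."""
    return {
        "record_count": len(rows),
        "balance_total": sum((to_amount(r["BALANCE"]) for r in rows), Decimal(0)),
        "hash_total": sum(int(r["CUST"]) for r in rows),  # meaningless sum, used only as a check
    }

def control_totals_new(records):
    """The same three totals computed from the converted records."""
    return {
        "record_count": len(records),
        "balance_total": sum((r["balance"] for r in records), Decimal(0)),
        "hash_total": sum(r["customer_id"] for r in records),
    }

def reconcile(old_totals, new_totals):
    """{total name: (old, new)} for every total that does not agree; {} means the conversion reconciles."""
    return {k: (old_totals[k], new_totals[k])
            for k in old_totals if old_totals[k] != new_totals[k]}

def convert_and_reconcile(text=OLD_EXPORT):
    """Convert the export and reconcile it; a non-empty second element means the check failed."""
    rows = parse_old(text)
    records = [convert_record(r) for r in rows]
    return records, reconcile(control_totals_old(rows), control_totals_new(records))

if __name__ == "__main__":
    records, diffs = convert_and_reconcile()
    print("converted", len(records), "records; discrepancies:", diffs or "none")
    # Simulate a conversion that silently dropped the last record: all three totals flag it.
    rows = parse_old(OLD_EXPORT)
    print("after dropping a record:",
          reconcile(control_totals_old(rows), control_totals_new(records[:-1])))
```

Three different totals are used on purpose: a dropped record changes all of them, a rounding defect in amount handling changes only the balance total, and a transposed customer number changes only the hash total, so together they catch conversion errors that any one total would miss.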

System Conversion
The system conversion is the actual changeover from the old to the new system.

Often, this is called the “go‐live” date.

The go‐live date is the day that the new system becomes fully in operation.

Different Conversion Methods:


Parallel conversion — is a conversion method in which the old and new systems are operated simultaneously for a short time.

Its advantage is that it is the least risky. If errors or problems become apparent in the new system, the company can continue to use the old system until the problems are resolved.

Its disadvantage is that parallel conversion is the most costly and time-consuming conversion method, since it requires that the operating staff operate two systems and input all data twice—once in each system.

Direct cutover conversion — means that on a chosen date the old system operation is terminated and all processing begins on the new system.

Direct cutover is the riskiest method, but the least costly and time consuming.

Phase-in conversion — is a method in which the system is broken into modules, or parts, which are phased in incrementally and over a longer period.

Phase-in is a low-risk approach, as it does not disrupt large parts of the organization at the same time.

Pilot conversion — the system is operated in only one or a few subunits of the organization.

User Acceptance
User acceptance means that when the manager of the primary users of the system is satisfied with the system, he will sign an acceptance agreement.

Its purpose is to ensure that user needs have been met.

The enforcement of user acceptance makes it much more likely that project teams will seek user input and
that the project team will work hard to meet user needs.

Post‐Implementation Review
This post‐implementation review is a review of the feasibility assessments and other estimates made during
the process.

The purpose of the review is to help the organization learn from any mistakes that were made.

The review does not correct any errors made, but it helps the company avoid those same errors in the future.

Elements of the Operation and Maintenance Phase of the SDLC (Study Objective 7)
After implementation, the company will operate and maintain the system for some length of time.

This part of the SDLC is the longest and most costly part, since it may last for several years.

At some point, the company will need to make major revisions or updates to the system, which will trigger the
SDLC to begin again to revise the system.

During the ongoing operation, management should receive regular reports regarding the performance of the
IT system.

The reports are necessary to monitor the performance of IT and to enable management to determine whether
IT is aligned with business strategy and meets the objectives of the IT system.

Examples of these IT reports, which are an important part of IT governance because they drive the continual monitoring of the IT system, are the following:
IT performance

IT load usage and excess capacity

Downtime of IT systems

Maintenance hours on IT systems

IT security and number of security breaches or problems



IT customer satisfaction, from both internal and external customers. Internal customers are the various
users of IT systems within the organization.
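The report items listed above can be derived from ordinary monitoring data. The following is an added example (not code from the chapter or from any vendor) that builds a weekly governance report from constructed records: outage intervals, load samples, maintenance ticket hours and a few security log lines. All values, hosts and user names are constructed for illustration. It also handles one reporting pitfall: two monitors recording the same outage produce overlapping intervals, which must be merged before downtime is summed or availability is understated.

```python
"""
Added example (not part of the original chapter): derive the IT governance
report items (downtime, load usage / excess capacity, maintenance hours,
security problems) from constructed monitoring records.
"""
from datetime import datetime

# Constructed reporting period: one 7-day week (10080 minutes).
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 1, 8)

# Constructed outage records (start, end). The two Jan 3 entries overlap
# because two monitors reported the same incident; naive summing would
# double-count 30 minutes of downtime.
OUTAGES = [
    (datetime(2024, 1, 2, 10, 0), datetime(2024, 1, 2, 11, 0)),
    (datetime(2024, 1, 3, 14, 0), datetime(2024, 1, 3, 15, 0)),
    (datetime(2024, 1, 3, 14, 30), datetime(2024, 1, 3, 15, 30)),
]

LOAD_SAMPLES = [420, 610, 880, 540]  # constructed requests/sec samples
LOAD_CAPACITY = 1000                 # constructed rated capacity

MAINTENANCE_HOURS = [2.5, 4.0, 1.5]  # constructed hours per maintenance ticket

# Constructed security log: "<timestamp> <level> <component> <message>".
SECURITY_LOG = """\
2024-01-02T03:12:00 WARN auth failed-login user=alice src=10.0.0.5
2024-01-04T09:45:00 CRITICAL ids malware-detected host=ws-17
2024-01-05T22:10:00 WARN auth failed-login user=bob src=10.0.0.9
2024-01-06T11:00:00 INFO backup completed
""".splitlines()

PROBLEM_LEVELS = {"WARN", "ERROR", "CRITICAL"}  # INFO lines are not "problems"


def merge_intervals(intervals):
    """Merge overlapping (start, end) intervals so each minute counts once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(outages, period_start, period_end):
    """Total downtime in the period, clipped to the period and de-duplicated."""
    clipped = []
    for start, end in outages:
        s, e = max(start, period_start), min(end, period_end)
        if s < e:
            clipped.append((s, e))
    return sum((e - s).total_seconds() for s, e in merge_intervals(clipped)) / 60


def availability(outages, period_start, period_end):
    """Fraction of the period during which the system was up."""
    total = (period_end - period_start).total_seconds() / 60
    return 1 - downtime_minutes(outages, period_start, period_end) / total


def capacity_report(samples, capacity):
    """Load usage and excess capacity against the rated capacity."""
    peak = max(samples)
    return {
        "average_load": sum(samples) / len(samples),
        "peak_load": peak,
        "excess_capacity": capacity - peak,
        "excess_capacity_pct": 100.0 * (capacity - peak) / capacity,
    }


def security_problems(log_lines, problem_levels=PROBLEM_LEVELS):
    """Count security log entries by severity, ignoring informational lines."""
    counts = {}
    for line in log_lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # malformed line: skip rather than crash the report
        level = parts[1]
        if level in problem_levels:
            counts[level] = counts.get(level, 0) + 1
    return counts


def build_report():
    """Assemble the report items management would receive for the period."""
    return {
        "downtime_minutes": downtime_minutes(OUTAGES, PERIOD_START, PERIOD_END),
        "availability_pct": round(100 * availability(OUTAGES, PERIOD_START, PERIOD_END), 2),
        "capacity": capacity_report(LOAD_SAMPLES, LOAD_CAPACITY),
        "maintenance_hours": sum(MAINTENANCE_HOURS),
        "security_problems": security_problems(SECURITY_LOG),
    }


if __name__ == "__main__":
    for key, value in build_report().items():
        print(f"{key}: {value}")
```

With the constructed data the merged downtime is 150 minutes (not the 180 a naive sum gives), availability is 98.51%, peak load leaves 12% excess capacity, and the security count separates the one critical event from the two warnings, which is the kind of distinction a governance committee needs when deciding whether the system still meets its objectives.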

The Critical Importance of IT Governance in an Organization (Study Objective 8)
The establishment and use of an IT governance committee and an SDLC are critically important for an
organization to accomplish IT governance.

Three major purposes are served by the continual and proper use of the IT governance
committee and the SDLC:
1. The strategic management process of the organization

2. The internal control structure of the organization

3. The fulfillment of ethical obligations

SDLC as Part of Strategic Management


IT systems — improve efficiency, effectiveness, and long‐term success of operations.

An SDLC process serves as the mechanism to continually assess the fit of IT systems to long‐term strategy
and short‐run goals of the organization.

Once the IT governance committee has identified which types of IT systems are appropriate for the
organization, the SDLC becomes the mechanism to properly manage the development, acquisition, and
implementation of IT systems.

SDLC as an Internal Control


Trust Services Principles — illustrate that the SDLC and an IT governance committee are important parts of
the IT system of an organization.

Without the use of an IT governance committee and the SDLC, the process of revising or updating systems
can be chaotic and uncontrolled.

An IT governance committee and the SDLC are used as internal control mechanisms to monitor and control
security, availability, acquisition, implementation, and maintenance of IT systems.

These internal control mechanisms allow management to ensure that IT systems meet organizational needs
and that the development and implementation of new IT systems is properly controlled.

Ethical Considerations Related to IT Governance (Study Objective 9)
Ethical Considerations for Management
The management of any organization has an ethical obligation to maintain processes and procedures that
assure accurate and complete records and protection of assets.

This obligation arises because management has a stewardship obligation to those who provide funds or invest
in the company.

Stewardship — is the careful and responsible oversight and use by management of the assets entrusted to
management.

This requires that management maintain systems that allow it to demonstrate that it has appropriately used
these funds and assets.

This is accomplished by maintaining accurate and complete accounting records and reports with full
disclosure within those reports.



💡 Poorly developed IT systems can be used by managers or employees to commit and hide fraud. A
management team that is focused on ethics throughout the organization should consistently monitor and
improve IT systems.
The SDLC is the mechanism to accomplish that. Thus, by diligently adhering to SDLC processes,
management is, in part, fulfilling its ethical obligations of stewardship and fraud prevention.

Since job losses are sometimes unavoidable when systems change, management must be especially conscious of the manner in
which it informs, terminates, and assists employees who experience job loss due to system changes.

Ethical Considerations for Employees


As managers apply the processes within the SDLC to revise IT systems, employees should not subvert the
process.

A disgruntled employee may sabotage the SDLC process by not cooperating, providing false information in
interviews or questionnaires, or reverting to the old ways of doing things.

For employees who serve on project teams in the revision of IT systems, confidentiality can be an ethical
consideration.

As they participate in project teams, employees may learn things about people or processes in the
organization that they would not otherwise know.

These employees should not disclose things that management wishes to keep confidential.

Ethical Considerations for Consultants


When consultants are employed to assist the organization with phases of the SDLC, they have at least four
ethical obligations:

1. Bid the engagement fairly, and completely disclose the terms of potential cost increases.

2. Bill time accurately to the client, and do not inflate time billed.

3. Do not oversell unnecessary services or systems to the client just to inflate earnings on the consulting
engagement.

4. Do not disclose confidential or proprietary information from the company to other clients.

💡 Congress enacted the Sarbanes–Oxley Act of 2002, which prohibits CPA firms from providing systems
consulting services to any organization for which the CPA firm serves as the auditor.
Only CPA firms face this restriction under the Sarbanes–Oxley Act, because CPA firms are the only entities
that are permitted to conduct external audits of public company financial statements.

The restrictions under the Sarbanes–Oxley Act are intended to reinforce CPAs’ ethical obligation to
remain independent with respect to their clients.
