Chapter 2 - CIS

This document discusses IT governance and organizational structures for IT functions. It describes centralized and distributed IT organizational models and the primary service areas in a centralized model, including database administration, data processing, and systems development and maintenance. It also discusses risks associated with different models and disaster recovery planning.

Chapter 2

Information technology (IT) governance

Key objectives of IT governance are to reduce risk and ensure that
investments in IT resources add value to the corporation.
Three IT governance issues are addressed by SOX and the
COSO internal control framework:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
Two extreme organizational models: the centralized approach
and the distributed approach.
Under the centralized data processing model, all data
processing is performed by one or more large computers housed
at a central site that serves users throughout the organization.
The IT services function is usually treated as a cost center whose
operating costs are charged back to the end users.
Primary service areas: database administration, data processing,
and systems development and maintenance.
Database Administration
Centrally organized companies maintain their data resources in a
central location that is shared by all end users.
Data Processing
The data processing group manages the computer resources used
to perform the day-to-day processing of transactions. It consists
of the following organizational functions: data conversion,
computer operations, and the data library.
Data Conversion. The data conversion function transcribes
transaction data from hard-copy source documents into computer
input.
Computer Operations. The electronic files produced in data
conversion are later processed by the central computer, which is
managed by the computer operations group.
Data Library. The data library is a room adjacent to the
computer center that provides safe storage for the off-line data
files.

Systems Development and Maintenance

The systems development group is responsible for analyzing user
needs and for designing new systems to satisfy those needs. The
participants in system development activities include systems
professionals, end users, and stakeholders.
Systems professionals include systems analysts, database
designers, and programmers who design and build the system.
Systems professionals gather facts about the user's problem,
analyze the facts, and formulate a solution. The product of their
efforts is a new information system.
End users are those for whom the system is built. They are the
managers who receive reports from the system and the
operations personnel who work directly with the system as part of
their daily responsibilities.
Stakeholders are individuals inside or outside the firm who have
an interest in the system, but are not end users. They include
accountants, internal auditors, external auditors, and others who
oversee systems development.
The systems maintenance group assumes responsibility for
keeping the system current with user needs. The term maintenance
refers to making changes to program logic to accommodate shifts in
user needs over time.
Operational tasks should be segregated to:
1. Separate transaction authorization from transaction
processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such
that, short of collusion between two or more individuals,
fraud would not be possible.
Inadequate Documentation.
There are at least two explanations for this phenomenon. First,
documenting systems is not as interesting as designing, testing,
and implementing them. Systems professionals much prefer to
move on to an exciting new project rather than document one just
completed. The second possible reason for poor documentation is
job security. When a system is poorly documented, it is difficult to
interpret, test, and debug.
Program Fraud. When the original programmer of a system is
also assigned maintenance responsibility, the potential for fraud
is increased. Program fraud involves making unauthorized
changes to program modules for the purpose of committing an
illegal act.
A Superior Structure for Systems Development
The new systems development group is responsible for designing,
programming, and implementing new systems projects.
Responsibility for the system's ongoing maintenance falls to the
systems maintenance group.
Risks Associated with DDP (Distributed Data Processing)
Inefficient Use of Resources
Destruction of Audit Trails
Inadequate Segregation of Duties
Hiring Qualified Professionals
Lack of Standards
Advantages of DDP
Cost Reductions
Improved Cost Control Responsibility
Improved User Satisfaction
Backup Flexibility
Fault tolerance is the ability of the system to continue operation
when part of the system fails because of hardware failure,
application program error, or operator error.
Disaster Recovery Plan (DRP)
1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures

Mutual Aid Pact. A mutual aid pact is an agreement between
two or more organizations (with compatible computer facilities) to
aid each other with their data processing needs in the event of a
disaster.
Empty Shell. The empty shell or cold site plan is an arrangement
wherein the company buys or leases a building that will serve as a
data center. In the event of a disaster, the shell is available and
ready to receive whatever hardware the temporary user needs to
run essential systems.
Recovery Operations Center. A recovery operations center
(ROC) or hot site is a fully equipped backup data center that many
companies share.
Audit Procedures
Site Backup
Critical Application List
Software Backup
Data Backup
Backup Supplies, Documents, and Documentation
Disaster Recovery Team
Core competency theory - an organization should focus
exclusively on its core business competencies, while allowing
outsourcing vendors to efficiently manage the noncore areas
such as the IT functions.
Commodity IT assets are not unique to a particular organization
and are thus easily acquired in the marketplace.
Specific IT assets, in contrast, are unique to the organization
and support its strategic objectives.
Transaction Cost Economics (TCE) theory is in conflict with the
core competency school by suggesting that firms should retain
certain specific noncore IT assets in-house.
Risks Inherent to IT Outsourcing
Failure to Perform
Vendor Exploitation
Outsourcing Costs Exceed Benefits
Reduced Security
Loss of Strategic Advantage
Statement on Auditing Standard No. 70 (SAS 70) is the
definitive standard by which client organizations' auditors can
gain knowledge that controls at the third-party vendor are
adequate to prevent or detect material errors that could impact
the client's financial statements. The SAS 70 report, which is
prepared by the vendor's auditor, attests to the adequacy of the
vendor's internal controls. This is the means by which an
outsourcing vendor can obtain a single audit report that may be
used by its clients' auditors and thus preclude the need for each
client firm's auditor to conduct its own audit of the vendor
organization's internal controls.
