It is a subset of corporate governance that focuses on the management and assessment of strategic IT resources.
IT Governance
Key objectives of IT Governance
Reduce risk and ensure that investment in IT resources adds value to the corporation
They must be active participants in key IT decisions
All corporate stakeholders
Components of IT Governance Controls
Policies and procedures
Risk Management
Compliance
Decision-making Processes
Performance Monitoring and Measurement
Resource Management
Security Controls
Change Management
Communication and Collaboration
Three IT governance issues addressed by SOX and the COSO internal control framework:
Organizational structure of the IT function
Computer center operations
Disaster recovery planning
It is a US Federal Law enacted to protect investors by improving the accuracy and reliability of corporate disclosures.
Sarbanes-Oxley Act of 2002
Components of Sarbanes-Oxley Act of 2002
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
They are responsible for establishing and maintaining adequate internal control over financial reporting
Management
They must attest to and report on management’s assessment of internal control effectiveness
Auditors
It helps organizations achieve their objectives by providing a comprehensive structure for designing and evaluating internal controls, enhancing the effectiveness and efficiency of operations, ensuring the reliability of financial reporting, safeguarding assets from loss and misuse, and ensuring compliance with laws and regulations
COSO
Under this model, all data processing is performed at a central site
centralized data processing model
They compete for resources based on need
End users
In this model, two control problems with segregating systems analysis from applications programming
Alternative Organization of Systems Development
Relationship between groups should be formal and responsibilities should not be comingled (T/F)
True
He is responsible for many critical tasks and needs to be organizationally independent of operations, systems development and maintenance
Database Administration
This model involves reorganizing central IT function into small IT units that are placed under the control of end users.
Distributed Data Processing (DDP)
Variant of centralized model with terminals or microcomputers distributed to end users for handling input and output
Alternative A
It distributes all computer services to the end users where they operate as stand alone units.
Alternative B
Inventories listed on the balance sheet exist
Existence or occurrence
Accounts payable include all obligations to vendors for the period
Completeness
Plant and equipment listed in the balance sheet are owned by the entity
Rights and obligations
Accounts receivable are stated at net realizable value
Valuation or Allocation
Contingencies not reported in financial accounts are properly disclosed in footnotes
Presentation and disclosure
Directly affects risk of destruction from a disaster.
Physical location
It is a statement of all actions to be taken before, during and after any type of disaster
Disaster Recovery Planning
It is an agreement between organizations to aid each other with data processing in a disaster
Mutual aid
It involves obtaining a building to serve as a data center in a disaster
Empty shell or cold site
It is a fully equipped site that many companies share
Recovery Operations Center or Hot Site Plan
It suggests firms should retain specific non-core IT assets in house
Transaction cost economics (TCE)
Risk inherent to IT Outsourcing
Failure to perform
Vendor exploitation
Outsourcing costs exceed benefits
Reduced security
Loss of strategic advantage