AA 3201 Study Notes 3 - BALAGTAS FY
NAME:
Francis Ysabella S. Balagtas
SCHEDULE:
BSA 3 - Group 2
MW 6:00 – 7:30 PM
PROFESSOR:
Ms. Robee Ann L. Aranas
Contents
What is IT Governance?
  KEY OBJECTIVES
What are the components of IT Governance? (IT Governance Controls)
Organizational Structure of the IT function
  Centralized Data Processing model
  Segregation of Incompatible IT Functions
  The Distributed Model
  Controlling the DDP Environment
Computer Center operations
  Physical Location
  Construction
  Access
  Air Conditioning
  Fire Suppression
  Fault Tolerance
  Audit Objectives
  Audit Procedures
Disaster Recovery Planning
  Identify Critical Applications
  Creating a Disaster Recovery Team
  Providing Second-Site Backup
Outsourcing the IT function
  Benefits of IT Outsourcing
  Risks Inherent to IT Outsourcing
Auditing IT Governance Controls
Chapter 2
Chapter Objectives:
1. Understand the risks of incompatible functions and how to structure the IT function.
2. Be familiar with the controls and precautions required to ensure the security of an organization's computer
facilities.
3. Explain how general controls reduce IT risks.
4. Understand the key elements of a disaster recovery plan.
5. Be familiar with the benefits, risks, and audit issues related to IT outsourcing.
What is IT Governance?
- A relatively new subset of corporate governance that focuses on the management and assessment of strategic
IT resources.
- Modern philosophy: all corporate stakeholders should be active participants in key IT decisions, rather than
leaving them to IT management alone.
KEY OBJECTIVES
- reduce risk
- ensure that IT investments add value to the corporation
Ø Alternative A is a variant of the centralized model. The difference is that terminals/microcomputers are
distributed to end users for handling input and output; the centralized data conversion group is no longer
needed, since the users now perform these tasks themselves.
Ø Alternative B is very different from the centralized model. It distributes all computer services to the
end-user areas, which operate as standalone units with their own hardware, software, and staff.
Risks Associated with DDP
Inefficient Use of Resources
DDP can expose the organization to:
Advantages of DDP
Cost Reductions
DDP reduces costs in two areas: (1) data can be edited and entered by the end user, eliminating the
centralized task of data preparation; and (2) application complexity can be reduced, which in turn reduces
systems development and maintenance costs.
Improved Cost Control Responsibility
Managers who are held accountable for IT costs are more motivated to control them when they also have the
authority to make the IT decisions that influence their unit's success.
Improved User Satisfaction
DDP improves three areas of need that too often go unsatisfied in the centralized model: (1) users
desire to control the resources that influence their profitability; (2) users want systems professionals
to be responsive to their specific situation; and (3) users want to become more actively involved in
developing and implementing their own systems.
Backup Flexibility
DDP makes it easier to back up computing facilities against disasters such as fires, floods, sabotage, and
earthquakes. Under the centralized model, backup against such disasters requires a second computer facility;
under DDP, geographically separate IT units can be designed with excess capacity so that they back one another up.
Controlling the DDP Environment
User Services
This activity provides technical help to users during the installation of new software and in
troubleshooting hardware and software problems.
Standard-Setting Body
Establishing standards for systems development, programming, and documentation, and distributing them to the
user areas, improves the otherwise weak control environment of a DDP arrangement.
Personnel Review
The corporate IT group is often better equipped than users to evaluate the technical credentials of
prospective systems professionals. Its involvement in hiring raises the quality of the staff in the user areas.
Audit Objective
The objective is to verify that the structure of the IT function segregates individuals in incompatible areas
in accordance with the level of potential risk, and does so in a manner that promotes a working environment in
which formal, rather than casual, relationships exist between incompatible tasks.
Audit Procedures
… in a centralized IT organization:
§ Review relevant documentation to determine if individuals or groups are performing incompatible
functions.
§ Review systems documentation and maintenance records to verify that the maintenance programmers assigned to
a system are not also its original designers.
§ Observe to determine if the segregation policy is being followed.
… in a distributed IT organization:
§ Review relevant documentation to determine if individuals or groups are performing incompatible
duties.
§ Verify that corporate policies and standards are published and provided to the distributed IT units.
§ Verify that compensating controls (such as supervision and management monitoring) are in place where
segregation is not economically feasible.
§ Review systems documentation to verify that applications, procedures, and databases are designed and
function in accordance with corporate standards.
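The segregation checks above (incompatible functions held by one person; maintenance programmers who were also the designers) can be run mechanically over personnel and system records. The following is an added example and not part of the original notes or the textbook: the incompatible-function matrix, the personnel assignments and the system records are constructed assumptions for illustration, not an organization's real data.

```python
"""Segregation-of-duties check over IT role assignments (added example).

The INCOMPATIBLE matrix, ASSIGNMENTS and SYSTEMS below are constructed sample
data for illustration; an auditor would substitute the organization's own.
"""
from itertools import combinations

# Pairs of IT functions that one individual should not hold at the same time
# (assumed matrix: development vs. operations, development vs. maintenance,
# database administration vs. the others, data library vs. operations).
INCOMPATIBLE = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "systems_maintenance"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"data_library", "computer_operations"}),
}

# Constructed sample: which functions each person currently holds.
ASSIGNMENTS = {
    "alice": ["systems_development"],
    "bob": ["computer_operations", "data_library"],
    "carol": ["database_administration"],
    "dave": ["systems_development", "systems_maintenance"],
}

# Constructed sample: original designer and current maintenance programmer per system.
SYSTEMS = [
    {"name": "payroll", "designer": "alice", "maintainer": "dave"},
    {"name": "ledger", "designer": "dave", "maintainer": "dave"},
]


def find_role_conflicts(assignments, incompatible=INCOMPATIBLE):
    """Return (person, function_a, function_b) for each incompatible pair held by one person."""
    conflicts = []
    for person, functions in assignments.items():
        # Check every pair of functions the person holds against the matrix.
        for a, b in combinations(sorted(set(functions)), 2):
            if frozenset({a, b}) in incompatible:
                conflicts.append((person, a, b))
    return conflicts


def find_design_maintenance_overlap(systems):
    """Return names of systems whose maintenance programmer is also the original designer."""
    return [s["name"] for s in systems if s["designer"] == s["maintainer"]]


if __name__ == "__main__":
    for person, a, b in find_role_conflicts(ASSIGNMENTS):
        print(f"CONFLICT: {person} holds both {a} and {b}")
    for name in find_design_maintenance_overlap(SYSTEMS):
        print(f"REVIEW: the designer of {name} also maintains it")
```

A hit from `find_role_conflicts` is a segregation failure to raise with management; a hit from `find_design_maintenance_overlap` is the condition the maintenance-records procedure is looking for, and in a distributed unit it is where the auditor would then ask what compensating control covers it.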
Computer Center operations
Part of the annual audit is the examination of the physical environment of the computer center. Risks to this
environment can impair the quality of information, accounting records, and transaction processing, and undermine
the effectiveness of other, more conventional internal controls. The auditor should consider the following aspects:
Physical Location
§ As far as possible, the computer center should be located away from human-made and natural hazards and away
from normal pedestrian traffic, for example on the top floor of a building or in a separate, self-contained
building. Basements should be avoided because of the risk of flooding.
Construction
§ Ideally, a computer center is housed in a single-storey building of solid construction, with restricted access
and with its utility and communication lines buried underground. An air filtration system capable of removing
dust and pollen should be in place, since airborne particulates degrade the equipment.
§ Locked doors should be employed to limit access to the center, with access controlled by a keypad
or swipe card.
§ To achieve a higher level of security, access should be monitored by closed-circuit cameras and
video recording systems.
Access
§ Access should be limited to the operators and other staff who work there. Programmers and analysts who need
to enter the center to correct program faults should be required to sign in and out, and the center should keep
accurate records of all such visits so that access can be reviewed. There should be a single main entrance; the
only other doors should be the required fire exits, which should be alarmed.
Air Conditioning
§ Computers generate heat under load and function best in an air-conditioned environment; when temperatures
depart significantly from the optimal range, hardware can produce logic errors or fail outright.
§ Recommended: room temperature of 70-75 degrees F and relative humidity of about 50%.
§ Low humidity may result in circuit damage from static electricity and high humidity can cause molds
to grow and paper products to swell and jam equipment.
Fire Suppression
A good fire suppression system should include the following:
1. Automatic and manual alarms should be placed in strategic locations around the installation
and should be connected to permanently staffed fire-fighting stations.
2. There must be an automatic fire extinguishing system that dispenses the appropriate type of
suppressant for the location.
3. Manual fire extinguishers should be strategically placed throughout the building.
4. The structure should be strong enough to withstand water damage from fire suppression
equipment.
5. During a fire, fire exits should be clearly marked and lit.
Fault Tolerance
fault tolerance: the ability of the system to continue operation when part of the system fails
§ Commercially supplied electrical power is itself a risk: it can suffer total power outages, brownouts, and
power fluctuations that disrupt the computer center.
§ Recommendation: invest in generators, batteries, and voltage regulators.
§ 2 examples of fault-tolerant technologies are:
1. Redundant arrays of independent disks (RAID) – data are spread across parallel disks together with
redundant (parity or mirrored) copies. If one disk fails, the lost data are automatically reconstructed
from the redundant components stored on the other disks. (RAID 0, pure striping, carries no redundancy
and offers no fault tolerance.)
2. Uninterruptible power supplies (UPS) – the recommended combination of batteries and voltage regulation,
backed by generators for longer outages, so that commercial power problems do not interrupt processing.
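The RAID reconstruction the notes describe rests on a simple property: in parity-based levels such as RAID 5, a parity block is the XOR of the data blocks in a stripe, so any one missing block equals the XOR of all the survivors. The following is an added example, not code from the original notes or from any RAID implementation; the three data blocks are constructed sample data, and the stripe layout (data blocks followed by one parity block) is a simplification assumed for illustration.

```python
"""RAID-style single-parity reconstruction with XOR (added example).

Stripe layout assumed here: N data blocks followed by one parity block.
DATA below is constructed sample input.
"""


def xor_blocks(blocks):
    """XOR an iterable of equal-length byte strings together."""
    blocks = list(blocks)
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("all blocks in a stripe must have the same size")
    out = bytearray(size)
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def build_stripe(data_blocks):
    """Return the stripe: the data blocks followed by their parity block."""
    data_blocks = list(data_blocks)
    return data_blocks + [xor_blocks(data_blocks)]


def rebuild(stripe, failed_indices):
    """Reconstruct the single missing block (data or parity) from the survivors.

    XOR is its own inverse, so XOR-ing every surviving block yields the missing
    one. Single parity tolerates exactly one failure: with two or more missing
    blocks the data are unrecoverable, and None is returned to signal data loss.
    """
    failed = set(failed_indices)
    if len(failed) != 1:
        return None
    survivors = [blk for i, blk in enumerate(stripe) if i not in failed]
    return xor_blocks(survivors)


# Constructed 8-byte sample blocks standing in for three disks' data.
DATA = [b"payroll ", b"ledger  ", b"invoices"]

if __name__ == "__main__":
    stripe = build_stripe(DATA)
    print("parity:", stripe[-1].hex())
    print("disk 1 rebuilt:", rebuild(stripe, [1]))
    print("two disks lost:", rebuild(stripe, [0, 2]))
```

The last call is the caveat worth remembering when reviewing a fault-tolerance claim: single-parity RAID protects against one disk failure at a time, so a second failure during a rebuild means data loss, and RAID of any level is not a substitute for the off-site backups discussed under disaster recovery planning.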
Audit Objectives
§ Physical security controls are adequate to reasonably protect the organization from physical
exposures.
§ Insurance coverage on equipment is adequate to compensate the organization for the destruction
of, or damage to, its computer center.
Audit Procedures
Tests of Physical Construction
The auditor should obtain architectural plans to determine that the computer center is solidly built of
fireproof material. Location should be in an area that minimizes its exposure to fire, civil unrest, and
other hazards.
Benefits of IT Outsourcing
§ It lets management concentrate on, and thereby improve, the core business processes.
§ It can improve IT performance by drawing on the vendor's specialized expertise.
§ It can reduce IT costs.