Information Technology Governance: Abainza - Centeno - Genotiva - Mercurio - Reyno

INFORMATION TECHNOLOGY GOVERNANCE
ABAINZA . CENTENO . GENOTIVA . MERCURIO . REYNO
Word search (title slide): COMPUTER CENTER, DATABASE, NATURAL DISASTER, OUTSOURCING, INFORMATION TECHNOLOGY
OBJECTIVES
Understand the risks of incompatible functions and how to structure the IT function.
Be familiar with the controls and precautions required to ensure the security of an organization's computer facilities.
Understand the key elements of a disaster recovery plan.
Be familiar with the benefits, risks, and audit issues related to IT outsourcing.
IT GOVERNANCE
The management and assessment of IT resources.
All stakeholders must be active participants in key IT decisions.
IT GOVERNANCE CONTROLS
ORGANIZATIONAL STRUCTURE
DISASTER RECOVERY PLANNING
COMPUTER CENTER OPERATIONS

STRUCTURE OF THE IT FUNCTION
ORGANIZATIONAL MODELS
CENTRALIZED APPROACH
DISTRIBUTED APPROACH
CENTRALIZED DATA PROCESSING
all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization
Diagram (centralized data processing): IT SERVICES at the centre serving MARKETING, FINANCE, PRODUCTION, DISTRIBUTION and ACCOUNTING; flows of DATA, INFORMATION and COST CHARGEBACK between them.
Organization chart (centralized information technology structure): PRESIDENT; VP MARKETING, VP FINANCE, VP IT SERVICES, VP ADMIN, VP OPERATIONS. Under VP IT SERVICES: SYSTEMS DEVELOPMENT MANAGER (NEW SYSTEMS DEVELOPMENT, SYSTEMS MAINTENANCE), DATABASE ADMINISTRATOR, DATA PROCESSING MANAGER (DATA CONVERSION, COMPUTER OPERATIONS, DATA LIBRARY).
DATABASE ADMINISTRATION
SECURITY
INTEGRITY
DATA PROCESSING
manages the computer resources used to perform the day-to-day processing of transactions
DATA CONVERSION
transcribes transaction data from hard-copy source documents into computer input
COMPUTER OPERATIONS
processes the electronic files produced in data conversion
DATA LIBRARY
provides safe storage for the off-line data files
DATA LIBRARIAN
controls access to the library
SYSTEM DEVELOPMENT & MAINTENANCE
SYSTEM DEVELOPMENT
designs new systems to satisfy users' needs
participants: System Professionals, End Users, Stakeholders
SYSTEM MAINTENANCE
takes charge after system development
keeps the system updated with users' needs
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
SYSTEMS DEVELOPMENT AND MAINTENANCE vs. COMPUTER OPERATIONS
DATABASE ADMINISTRATION vs. OTHER FUNCTIONS
NEW SYSTEMS DEVELOPMENT vs. SYSTEM MAINTENANCE
SYSTEMS DEVELOPMENT
SYSTEMS ANALYSIS: works with users to produce detailed designs of new systems
APPLICATIONS PROGRAMMING: codes the program according to design specifications
Risks: INADEQUATE DOCUMENTATION, PROGRAM FRAUD
SYSTEMS DEVELOPMENT vs. SYSTEMS MAINTENANCE
DISTRIBUTED DATABASE
Reorganizing the central IT function into small IT units that are placed under the control of end users.
CENTRALIZED DATABASE
a single database that multiple users can access
Diagram: the ACCOUNTING, MARKETING, FINANCE and PRODUCTION functions shown around CENTRALIZED COMPUTER SERVICES, in the centralized arrangement and in the distributed arrangement.
DISTRIBUTED DATABASE
splits the database into multiple files that are located at various locations in the network.
RISKS
HIRING QUALIFIED PROFESSIONALS
DESTRUCTION OF AUDIT TRAILS
INADEQUATE SEGREGATION OF DUTIES
INEFFICIENT USE OF RESOURCES
LACK OF STANDARDS
ADVANTAGES
COST REDUCTION
BACKUP FLEXIBILITY
IMPROVED COST RESPONSIBILITY
IMPROVED USER SATISFACTION
CONTROLLING THE DDP ENVIRONMENT
USER SERVICE
PERSONNEL REVIEW
SERVICES PROVIDED
STANDARD SETTING BODY
CONTROLLING THE DDP ENVIRONMENT
Audit objective: to verify that the structure of the IT function is such that incompatible areas are segregated in accordance with the level of potential risk and in a manner that provides a working environment.
AUDIT PROCEDURES: CENTRALIZED IT FUNCTIONS
REVIEW RELEVANT DOCUMENTATION
REVIEW SYSTEM DOCUMENTATION
VERIFY COMPUTER OPERATIONS SEGMENTATION POLICY
AUDIT PROCEDURES: DISTRIBUTED IT FUNCTIONS
REVIEW CURRENT ORGANIZATIONAL CHART
VERIFY CORPORATE POLICIES AND STANDARDS
VERIFY COMPENSATING CONTROLS
REVIEW SYSTEMS DOCUMENTATION IN ACCORDANCE WITH CORPORATE STANDARD
COMPUTER CENTER
PHYSICAL LOCATION
safe from human-made and natural disasters
located away from human traffic
not located in basements
CONSTRUCTION
single-story building with controlled access
utility and communication lines are underground
use air filtration systems, and windows must be closed
ACCESS
limited access
Physical: locked and secured doors, use of keycards and CCTVs
Fire exit is a must have
AIR CONDITIONING
temperature range from 70 to 75 degrees
Humidity: 50 percent
FIRE SUPPRESSION
fire is the most serious threat to a company
implementation of a fire suppression system is necessary
FAULT TOLERANCE
Redundant Arrays of Independent Disks (RAID)
uninterruptible power supplies
AUDIT PROCEDURES
Verify and test that physical security controls are adequate to reasonably protect the organization from physical exposure.
Verify that there is insurance coverage on equipment that is adequate to compensate the organization for destruction of, or damage to, the computer center.
AUDIT PROCEDURES
1. Tests of physical construction
2. Tests of fire detection system
3. Tests of access control
4. Tests of RAID
5. Tests of uninterruptible power supply
6. Tests for insurance coverage
DISASTER RECOVERY PLANNING
DISASTER: NATURAL, HUMAN MADE, SYSTEM FAILURE
DISASTER RECOVERY PLAN (DRP)
IDENTIFY CRITICAL APPLICATIONS
CREATE A DISASTER RECOVERY TEAM
PROVIDE SITE BACKUP
SPECIFY BACKUP AND OFF-SITE STORAGE PROCEDURES
COMMON FEATURES OF DRP
IDENTIFY CRITICAL APPLICATIONS
DRP = short term
Short term = cash flow function
System = DRP
CREATE DISASTER RECOVERY TEAM
Delay = successful recovery
Disaster recovery team chart (task / responsibility): DRP TEAM COORDINATOR: VP OPERATIONS. Groups: SECOND-SITE FACILITIES GROUP, PROGRAM AND DATA BACKUP GROUP, DATA CONVERSION AND DATA CONTROL GROUP. Members named in the chart: SYSTEMS DEVELOPMENT MANAGER, DP MANAGER, SYSTEMS MAINTENANCE MANAGER, PLANT ENGINEER, COMPUTER OPERATIONS MANAGER, SENIOR SYSTEMS PROGRAMMER, SENIOR MAINTENANCE PROGRAMMER, TELEPROCESSING MANAGER, DATA CONTROL MANAGER, DATA CONVERSION MANAGER, DATA CONVERSION SHIFT SUPERVISOR, USER DEPARTMENTS REPRESENTATIVE, INTERNAL AUDIT REPRESENTATIVE.
PROVIDE SECOND SITE BACKUP
Mutual Aid Pact
stops processing schedule
emergency operation mode
Empty Shell/Cold Site
data center in a rented building
hardware provider
Recovery Operations Center/Hot Site
company backup data center
BACKUP AND OFF-SITE STORAGE PROCEDURES
Operating System Backup
Application Backup
Backup Data Files
Backup Documentation
Backup Supplies and Source Documents
Testing the DRP
AUDIT PROCEDURES
Site Backup
Critical Application List
Software Backup
Data Backup
Backup Supplies, Documents, Documentation
Disaster Recovery Team
OUTSOURCING THE IT FUNCTION
OUTSOURCING
Process by which an organization contracts with another individual or company to get some of its work done.
BENEFITS OF IT OUTSOURCING
FOCUS ON CORE BUSINESS PERFORMANCE
INCREASE EFFICIENCY
SAVINGS/COST REDUCTION
BETTER ACCESS TO SPECIFIC TECHNICAL SKILLS & EXPERTISE
BENEFITS OF IT OUTSOURCING
SAVINGS/COST REDUCTION
Outsourcing means saving money; this is often due to lower labor costs, cheaper infrastructure, or an advantageous tax system in the outsourcing location.
INCREASE EFFICIENCY
Choosing an outsourcing company that specializes in the process or service you want it to carry out for you can help you achieve a more productive, efficient service, often of greater quality.
FOCUS ON CORE BUSINESS PERFORMANCE
Allows business managers to concentrate on their core goals and objectives.
TECHNICAL SKILLS & EXPERTISE
Organizations have access to better and more varied technical skills through outsourcing.
CORE COMPETENCY THEORY
An organization should focus exclusively on its core business competencies, while allowing outsourcing vendors to efficiently manage the non-core areas such as the IT functions.
COMMODITY IT ASSET
not unique to a particular organization
Network Management
Systems Operations
Server Maintenance
Help-desk Functions
SPECIFIC IT ASSET
unique to a particular organization
System Development
Application Maintenance
Data Warehousing
Highly Skilled Employees
TRANSACTION COST ECONOMICS THEORY
Firms should retain certain specific non-core IT assets in-house. Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement.
RISKS INHERENT TO IT OUTSOURCING
FAILURE TO PERFORM
VENDOR EXPLOITATION
LOSS OF STRATEGIC ADVANTAGE
COSTS EXCEED BENEFITS
REDUCED SECURITY
AUDIT IMPLICATIONS OF IT OUTSOURCING (SAS 70)
Definitive standard by which client organizations' auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client's financial statements.
SAS 70 OVERVIEW
SAS 70 TYPE I REPORT: the less rigorous of the two; comments only on the suitability of the controls' design.
SAS 70 TYPE II REPORT: goes further and assesses whether the controls are operating effectively, based on tests conducted by the vendor organization's auditor.
CASE STUDY
E-commerce is known for its risks and vulnerabilities because it exposes business data and systems to unknown outsiders. The airline industry is greatly affected by e-commerce technology, especially e-ticketing, and airlines operate in a stimulating and highly volatile commercial environment. They also deal with social, environmental, operational, strategic and financial risks. To address these problems they can implement effective IT governance that serves as a risk management and performance measurement tool.