Chapter 2: Auditing I.T Governance Controls

This document discusses auditing IT governance controls and structures. It covers two main topics: 1) Information and Technology Governance, focusing on strategic management of IT resources to reduce risks and ensure value, and 2) Structure of the Information Technology Function, examining organizational models like centralized vs distributed approaches and related control issues. Key considerations for IT structures include segregating incompatible functions, separating development from operations, and managing risks associated with various approaches.

Uploaded by

Wenjun Herminado

Chapter 2: Auditing IT Governance Controls
2.1. Information and Technology Governance
2.2. Structure of Information Technology Function
2.1. INFORMATION AND TECHNOLOGY GOVERNANCE
• Information Technology (IT) Governance is a relatively new
subset of corporate governance that focuses on the
management and assessment of strategic IT resources.

Key Objectives of IT Governance
• To reduce risk.
• To ensure that investments in IT resources add value to the
corporation.
We consider three IT Governance issues that are addressed by SOX
and the COSO internal control framework. These are:
1. Organizational Structure of the IT Function
2. Computer Center Operations
3. Disaster Recovery Planning
2.2. STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION
The organization of the IT function has implications for the
nature and effectiveness of internal controls, which, in turn, has
implications for the audit. In this section, some important
control issues related to IT structure are examined.
These are illustrated through two extreme organizational
models:
• the centralized approach
• the distributed approach.
CENTRALIZED DATA PROCESSING
• All data processing is performed by one or more large computers
housed at a central site that serves users throughout the
organization.
[Figure: the centralized data processing model. A central IT Services function serves the Marketing, Finance, Production and Accounting user areas; data and information flow from IT Services out to the user areas, and the cost of the service is distributed back to them through a chargeback.]
PRIMARY SERVICE AREAS OF CENTRALIZED IT SERVICES STRUCTURES
1. Database Administration
 Centrally organized companies maintain their data resources in a central location
that is shared by all end users.
2. Data Processing
 The data processing group manages the computer resources used to perform the
day-to-day processing of transactions.
2.1. Data Conversion - The data conversion function transcribes transaction data from hard-copy
source documents into computer input.
2.2. Computer Operations - The electronic files produced in data conversion are later processed
by the central computer, which is managed by the computer operations group.
2.3. Data Library - The data library is a room adjacent to the computer center that provides safe
storage for off-line data files. Those files may be backups or current data files.
3. Systems Development and Maintenance
 The information systems needs of users are met by two related functions: systems
development and systems maintenance. The former group is responsible for analyzing
user needs and for designing new systems to satisfy those needs. The participants in
systems development activities include systems professionals, end users, and
stakeholders.
 Once a new system has been designed and implemented, the systems maintenance
group assumes responsibility for keeping it current with user needs. The term
maintenance refers to making changes to program logic to accommodate shifts in user
needs over time. During the course of the system's life (often several years), as much
as 80 or 90 percent of its total cost may be incurred through maintenance activities.
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
Operational tasks should be segregated to:
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that, short of collusion
between two or more individuals, fraud would not be possible.
SEPARATING SYSTEMS DEVELOPMENT FROM COMPUTER OPERATIONS
• The segregation of systems development (both new systems development and
maintenance) and operations activities is of the greatest importance. The
relationship between these groups should be extremely formal, and their
responsibilities should not be commingled.

SEPARATING DATABASE ADMINISTRATION FROM OTHER FUNCTIONS
• Another important organizational control is the segregation of the database
administrator (DBA) from other computer center functions. The DBA function is
responsible for a number of critical tasks pertaining to database security,
including creating the database schema and user views, assigning database access
authority to users, monitoring database usage, and planning for future expansion.
SEPARATING NEW SYSTEMS DEVELOPMENT FROM MAINTENANCE
• Some companies organize their in-house systems development function into two
groups: systems analysis and programming. The systems analysis group works
with the users to produce detailed designs of the new systems. The
programming group codes the programs according to these design specifications.

• Although a common arrangement, this approach is associated with two types of
control problems:
Inadequate Documentation - Poor-quality systems documentation is a chronic IT problem
and a significant challenge for many organizations seeking SOX compliance.
Program Fraud - When the original programmer of a system is also assigned maintenance
responsibility, the potential for fraud is increased. Program fraud involves making
unauthorized changes to program modules for the purpose of committing an illegal act;
a programmer who both wrote and maintains the code can insert such a change without
another party ever reviewing it.
A SUPERIOR STRUCTURE FOR SYSTEMS DEVELOPMENT
• The systems development function is separated into two different groups: new
systems development and systems maintenance. The new systems development
group is responsible for designing, programming, and implementing new systems
projects. Upon successful implementation, responsibility for the system's
ongoing maintenance falls to the systems maintenance group.
THE DISTRIBUTED MODEL
• Distributed Data Processing (DDP) is quite broad, touching upon such related topics as
end-user computing, commercial software, networking, and office automation.
Simply stated, DDP involves reorganizing the central IT function into small IT units
that are placed under the control of end users.
RISKS ASSOCIATED WITH DISTRIBUTED DATA PROCESSING
Inefficient Use of Resources – DDP can expose an organization to three types of risks
associated with inefficient use of organizational resources.
• Risk of mismanagement of organization-wide IT resources by end users.
• DDP can increase the risk of operational inefficiencies because of redundant tasks
being performed within the end-user community.
• The DDP environment poses a risk of incompatible hardware and software among end-
user functions. Distributing the responsibility for IT purchases to end users may
result in uncoordinated and poorly conceived decisions.
Destruction of Audit Trails – An audit trail provides the linkage between a company's
financial activities (transactions) and the financial statements that report on those
activities. When processing is spread across many end-user sites, the records that make
up that trail are held on many separate systems rather than at one controlled site, and
parts of it may be incomplete or lost.
Inadequate Segregation of Duties – Achieving an adequate segregation of duties may not
be possible in some distributed environments. The distribution of IT services to users
may result in the creation of small independent units that do not permit the desired
separation of incompatible functions.
Hiring Qualified Professionals – End-user managers may lack the IT knowledge to
evaluate the technical credentials and relevant experience of candidates applying for IT
professional positions. Also, if the organizational unit into which a new employee is
entering is small, the opportunity for personal growth, continuing education, and
promotion may be limited.
Lack of Standards – Because of the distribution of responsibility in the DDP environment,
standards for developing and documenting systems, choosing programming languages,
acquiring hardware and software, and evaluating performance may be unevenly applied
or even nonexistent. Opponents of DDP argue that the risks associated with the design
and operation of a DDP system are made tolerable only if such standards are consistently
applied.
ADVANTAGES OF DISTRIBUTED DATA PROCESSING
Cost Reductions – For many years, achieving economies of scale was the principal
justification for the centralized data processing approach. The economics of data
processing favored large, expensive, powerful computers. DDP has reduced costs in
two other areas: (1) data can be edited and entered by the end user, thus eliminating
the centralized task of data preparation; and (2) application complexity can be
reduced, which in turn reduces systems development and maintenance costs.
Improved Cost Control Responsibility – End-user managers carry the responsibility for
the financial success of their operations. This responsibility requires that they be
properly empowered with the authority to make decisions about resources that
influence their overall success. When managers are precluded from making the
decisions necessary to achieve their goals, their performance can be negatively
influenced. A less aggressive and less effective management may evolve.
Improved User Satisfaction – Perhaps the most often cited benefit of DDP is improved
user satisfaction. DDP proponents claim that distributing systems to end users improves
three areas of need that too often go unsatisfied in the centralized model: (1) as
previously stated, users desire to control the resources that influence their profitability;
(2) users want systems professionals (analysts, programmers, and computer operators)
to be responsive to their specific situation; and (3) users want to become more actively
involved in developing and implementing their own systems.

Backup Flexibility – The final argument in favor of DDP is the ability to back up
computing facilities to protect against potential disasters such as fires, floods, sabotage,
and earthquakes. The only way to back up a central computer site against such disasters
is to provide a second computer facility.
CONTROLLING THE DISTRIBUTED DATA PROCESSING ENVIRONMENT
DDP carries a certain leading-edge prestige value that, during an
analysis of its pros and cons, may overwhelm important
considerations of economic benefit and operational feasibility. Some
organizations have made the move to DDP without considering fully
whether the distributed organizational structure will better achieve
their business objectives. Many DDP initiatives have proven to be
ineffective, and even counterproductive, because decision makers
saw in these systems virtues that were more symbolic than real.
IMPLEMENT A CORPORATE IT FUNCTION
The completely centralized model and the distributed model represent extreme
positions on a continuum of structural alternatives. The needs of most firms fall
somewhere between these end points.
CENTRAL TESTING OF COMMERCIAL SOFTWARE AND HARDWARE.
A centralized corporate IT group is better equipped than are end users to evaluate the
merits of competing commercial software and hardware products under consideration. A
central, technically astute group such as this can evaluate systems features, controls, and
compatibility with industry and organizational standards. Test results can then be
distributed to user areas as standards for guiding acquisition decisions.

USER SERVICES
A valuable feature of the corporate group is its user services function. This activity
provides technical help to users during the installation of new software and in
troubleshooting hardware and software problems. The creation of an electronic bulletin
board for users is an excellent way to distribute information about common problems
and allows the sharing of user-developed programs with others in the organization.
STANDARD-SETTING BODY
The relatively poor control environment imposed by the DDP model can be improved by
establishing some central guidance. The corporate group can contribute to this goal by
establishing and distributing to user areas appropriate standards for systems
development, programming, and documentation.

PERSONNEL REVIEW
The corporate group is often better equipped than users to evaluate the technical
credentials of prospective systems professionals. Although the systems professional will
actually be part of the end-user group, the involvement of the corporate group in
employment decisions can render a valuable service to the organization.
AUDIT OBJECTIVE
The auditor's objective is to verify that the structure of the function is such
that individuals in incompatible areas are segregated in accordance with the
level of potential risk and in a manner that promotes a working
environment. This is an environment in which formal, rather than casual,
relationships need to exist between incompatible tasks.
AUDIT PROCEDURES
The following audit procedures would apply to an organization with a centralized IT
function:
• Review relevant documentation, including the current organizational chart, mission
statement, and job descriptions for key functions, to determine if individuals or groups are
performing incompatible functions.
• Review systems documentation and maintenance records for a sample of applications.
Verify that maintenance programmers assigned to specific projects are not also the original
design programmers.
• Verify that computer operators do not have access to the operational details of a system's
internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and
program code listings, should not be part of the operations documentation set.
• Through observation, determine that segregation policy is being followed in practice.
Review operations room access logs to determine whether programmers enter the facility
for reasons other than system failures.
The following audit procedures would apply to an organization with a distributed IT
function:
• Review the current organizational chart, mission statement, and job
descriptions for key functions to determine if individuals or groups are
performing incompatible duties.
• Verify that corporate policies and standards for systems design,
documentation, and hardware and software acquisition are published and
provided to distributed IT units.
• Verify that compensating controls, such as supervision and management
monitoring, are employed when segregation of incompatible duties is
economically infeasible.
• Review systems documentation to verify that applications, procedures, and
databases are designed and functioning in accordance with corporate
standards.
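The three record-based checks above (incompatible role assignments, original designers who later maintain their own application, and programmer entries to the operations room that no system failure explains) are the kind of thing an auditor scripts once the organizational chart, maintenance records and access logs have been extracted. The following is an added example, not code from the chapter: the role names, people, applications, log lines and failure tickets are all constructed for illustration, and the 30-minute slack around a failure ticket is an assumed tolerance, not a rule the chapter states.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Pairs of functions the chapter says must not be held by one person
# (development vs operations, DBA vs other computer-center work, and the
# classic authorization/processing and record-keeping/custody splits).
INCOMPATIBLE = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_maintenance", "computer_operations"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "systems_maintenance"}),
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"record_keeping", "asset_custody"}),
}
PROGRAMMER_ROLES = {"systems_development", "systems_maintenance"}

# Constructed sample records (hypothetical staff and systems, not from the chapter).
ROLE_ASSIGNMENTS = [                       # from the org chart / job descriptions
    ("alice", "systems_development"),
    ("bob", "computer_operations"),
    ("carol", "database_administration"),
    ("carol", "computer_operations"),       # DBA also running operations: a conflict
    ("dave", "systems_maintenance"),
    ("alice", "systems_maintenance"),       # allowed in itself; checked per application below
]
APPLICATIONS = [                            # from systems documentation / maintenance records
    {"app": "payroll", "designers": {"alice"}, "maintainers": {"dave"}},
    {"app": "billing", "designers": {"alice", "dave"}, "maintainers": {"alice"}},  # conflict
]
ACCESS_LOG = """
2024-03-04T09:12:00 alice computer-room ENTER
2024-03-04T22:40:00 alice computer-room ENTER
2024-03-05T14:05:00 dave computer-room ENTER
2024-03-05T14:07:00 bob computer-room ENTER
""".strip().splitlines()                    # constructed: timestamp user door action
FAILURE_TICKETS = [                         # constructed: (ticket, opened, closed)
    ("INC-1042", "2024-03-04T22:15:00", "2024-03-04T23:30:00"),
]


def roles_by_user(assignments):
    held = defaultdict(set)
    for user, role in assignments:
        held[user].add(role)
    return held


def find_role_conflicts(assignments):
    """Users who hold two roles the segregation policy says must be separated."""
    conflicts = []
    for user, held in roles_by_user(assignments).items():
        for pair in INCOMPATIBLE:
            if pair <= held:
                conflicts.append((user, tuple(sorted(pair))))
    return sorted(conflicts)


def find_designer_maintainers(apps):
    """Applications whose assigned maintainer was also one of its original designers."""
    return [(app["app"], user)
            for app in apps
            for user in sorted(app["designers"] & app["maintainers"])]


def parse_access_log(lines):
    """Return (timestamp, user) for each ENTER event at the computer room."""
    events = []
    for line in lines:
        ts, user, door, action = line.split()
        if door == "computer-room" and action == "ENTER":
            events.append((datetime.fromisoformat(ts), user))
    return events


def unexplained_programmer_entries(log_lines, tickets, assignments,
                                   slack=timedelta(minutes=30)):
    """Computer-room entries by programmers that fall outside every failure ticket.

    An entry is explained only if it lies within a ticket's open..close window,
    widened by `slack` on each side (assumed tolerance). Operators are not checked.
    """
    programmers = {u for u, held in roles_by_user(assignments).items()
                   if held & PROGRAMMER_ROLES}
    windows = [(datetime.fromisoformat(opened) - slack,
                datetime.fromisoformat(closed) + slack)
               for _, opened, closed in tickets]
    flagged = []
    for when, user in parse_access_log(log_lines):
        if user in programmers and not any(s <= when <= e for s, e in windows):
            flagged.append((when.isoformat(), user))
    return flagged


if __name__ == "__main__":
    print("role conflicts:", find_role_conflicts(ROLE_ASSIGNMENTS))
    print("designers maintaining own code:", find_designer_maintainers(APPLICATIONS))
    print("unexplained programmer entries:",
          unexplained_programmer_entries(ACCESS_LOG, FAILURE_TICKETS, ROLE_ASSIGNMENTS))
```

On the sample data the script flags carol (DBA and operator), alice maintaining the billing system she helped design, and two computer-room entries by programmers with no open failure ticket; alice's 22:40 entry is covered by INC-1042 and is not flagged. Each finding still needs the observation and interview work the procedures call for, since the records only show who was assigned and who walked in, not why.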
