Chapter 2 - CIS
CIS written report
Uploaded by Ram

CHAPTER 2

INFORMATION TECHNOLOGY GOVERNANCE (IT Governance) - A relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.

Key Objectives

- Reduce Risk
- Ensure that investments in IT resources add value to the corporation.

Before SOX, IT investment decisions were left largely to corporate IT professionals.

Modern IT governance – all corporate stakeholders (board of directors, top management, departmental
users) are involved in important IT decisions. This reduces risk and increases the likelihood that IT
decisions will comply with user needs, corporate policies, strategic initiatives, and the internal
control requirements of SOX.

IT Governance Controls

Although all IT governance issues are important to the organization, not all of them are matters of internal
control under SOX that may potentially impact the financial reporting process.

Three IT governance issues that are addressed by SOX and the COSO internal control framework:

1. Organizational structure of the IT function

2. Computer center operations

3. Disaster recovery planning

Structure of the Corporate IT Function

- Has implications for the nature and effectiveness of internal controls, which, in turn, has
implications for the audit.
- Two extreme organizational models—the centralized approach and the distributed approach.
- Most organizational structures embody elements of both models.

Centralized Data Processing

- Under this model, all data processing is performed by one or more large computers housed at a
central site.
- IT service activities are consolidated and managed as a shared organizational resource.
- The IT services function is treated as a cost center whose operating costs are charged back to the
end users.
Organizational Chart of a Centralized IT Services Function

Database Administration – Responsible for the security and integrity of the database

Data Processing – Manages the computer resources used to perform day-to-day transaction processing. It
consists of the following groups:

➢ Data Control / Data Entry – Receives hard-copy source documents and transcribes (encodes) them
into digital form. After processing, this group distributes the finished output, such as sales reports,
to users like marketing managers.
➢ Computer Operations – Runs the electronic files created by data conversion through the central
computer.
➢ Data Library – A room adjacent to the computer center that stores offline data files, which may be
backups or current data files, as well as the original copies of commercial software and their
licenses. It is managed by a data librarian, who is responsible for the receipt, storage, retrieval, and
custody of files and who controls access to the library. The function is slowly becoming obsolete
because of real-time processing and direct-access files.

Systems Development and Maintenance

New Systems Development - responsible for analyzing user needs and for designing new systems to satisfy
those needs. Participants in these activities include:

➢ Systems Professionals – Systems analysts, database designers, and programmers who design and
build the system. They gather facts about the user's problem, analyze the facts, and formulate a
solution, and they build the new information system.
➢ End Users – Those for whom the system is built. Includes managers who receive reports and
operations personnel.
➢ Stakeholders – Individuals inside and outside the firm who have an interest in the system but are
not end users. Includes accountants, internal auditors, external auditors, and others who oversee
systems development.

Systems Maintenance – Assumes responsibility for the system after it has been designed and implemented.
Maintenance means making changes to program logic to accommodate changes in user needs. Over the
course of a system's life (often several years), as much as 80 or 90 percent of its total cost may be
incurred through maintenance activities.
Segregation of Incompatible IT Functions

Operational tasks should be segregated to:

1. Separate transaction authorization from transaction processing.

2. Separate record keeping from asset custody.

3. Divide transaction-processing tasks among individuals such that short of collusion between two or more
individuals, fraud would not be possible.

The IT environment tends to consolidate activities. A single application may authorize, process, and record
all aspects of a transaction. Thus, the focus of segregation control shifts from the operational level
(transaction processing tasks that computers now perform) to higher-level organizational relationships
within the computer services function.

Separating Systems Development from Computer Operations

- This is the separation of greatest importance.
- Systems development and maintenance staff, who create and maintain the system, should not enter
data or run applications. Operations staff should run the systems and have no involvement in their
design.
- Consolidating the two functions invites fraud and error.
- An individual with detailed knowledge of the application's logic and control parameters, and with
access to the computer's operating system and utilities, could make unauthorized changes to the
application while it executes. Such changes may be temporary ("on the fly") and disappear without
a trace when the application terminates.

Separating Database Administration from Other Functions

- The DBA function is responsible for a number of critical tasks pertaining to database security,
including creating the database schema and user views, assigning database access authority to
users, monitoring database usage, and planning for future expansion. Delegating these
responsibilities to others who perform incompatible tasks threatens database integrity, so the
DBA function is placed as an independent unit in the organizational chart.

Separating New Systems Development from Maintenance

- Many companies organize their in-house systems development function into systems analysis,
which produces detailed designs of new systems, and applications programming, which codes the
system according to the design specifications and then maintains it.
- Two control problems are associated with this arrangement:
➢ Inadequate Documentation – There are two explanations: designing, testing, and implementing
new systems is more interesting than documenting them; and job security. If only the programmer
knows how to interpret, test, and debug the system, others find it difficult to do so, so the
programmer gains bargaining power and becomes indispensable. This creates a problem when the
programmer leaves the firm, since the transition period can be long and costly.
➢ Program Fraud – Making unauthorized changes to program modules for the purpose of
committing an illegal act. If the original programmer is also assigned maintenance, the potential
for fraud increases. A programmer who has hidden fraudulent code among the legitimate code
can keep it hidden only while he alone has unrestricted access to the program: continued access
lets him prevent other programmers from discovering it and lets him alter the code whenever an
audit is performed.
- The organizational chart shown earlier, in which new systems development and systems
maintenance are separated, is considered the superior structure. It addresses both control problems:
➢ First, documentation standards improve because the maintenance group needs documentation
to perform its duties. Without complete and adequate documentation, the formal transfer of
system responsibility from new systems development to systems maintenance simply cannot
occur.
➢ Second, denying the original programmer future access to the program deters program fraud.
Once the program is handed over to the maintenance group, any fraudulent code is out of the
original programmer's hands; he can no longer alter it, and it is more likely to be discovered.
The success of this control depends on other controls that limit, prevent, and detect
unauthorized access to programs (such as source program library controls). Organizational
separation alone cannot guarantee that computer fraud will not occur, but it is critical to creating
the necessary control environment.
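The three separations above (development from operations, DBA from everything else, new development from maintenance) are usually checked by an auditor against an export of who holds which function, plus the register of who built and who now maintains each program. The script below is an added illustration of that review and is not code from the report; the function names, the conflict matrix, and both CSV samples are constructed for the example. It flags users who personally hold both halves of an incompatible pair, and programs whose original developer still has maintenance access (the handover rule in the second bullet above).

```python
"""Segregation-of-duties review over a role-assignment export.

Added example, not code from the report. Function names, the conflict matrix
and the two CSV samples are constructed for this illustration.
"""
from itertools import combinations

# Pairs the chapter treats as incompatible within the IT services function.
INCOMPATIBLE = {
    frozenset({"new_systems_development", "computer_operations"}),
    frozenset({"systems_maintenance", "computer_operations"}),
    frozenset({"database_administration", "new_systems_development"}),
    frozenset({"database_administration", "systems_maintenance"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
}

# Constructed export of who holds which function (one row per assignment).
SAMPLE_ASSIGNMENTS = """\
user,function
alice,new_systems_development
alice,systems_maintenance
bob,computer_operations
bob,new_systems_development
carol,database_administration
erin,systems_maintenance
frank,computer_operations
"""

# Constructed program register: who built each program and who may now change
# it. Several maintainers are separated by "|".
SAMPLE_PROGRAMS = """\
program,developed_by,maintained_by
AR_POSTING,alice,erin
PAYROLL_CALC,bob,bob|erin
GL_CLOSE,erin,alice
"""


def parse_assignments(text):
    """Map each user to the set of functions the export grants them."""
    assignments = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        user, function = (part.strip() for part in line.split(","))
        assignments.setdefault(user, set()).add(function)
    return assignments


def find_conflicts(assignments):
    """Users who hold both halves of an incompatible pair on their own.

    Returns sorted (user, function_a, function_b) triples.
    """
    conflicts = []
    for user in sorted(assignments):
        for a, b in combinations(sorted(assignments[user]), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                conflicts.append((user, a, b))
    return conflicts


def developer_retains_access(text):
    """Programs whose original developer is still on the maintenance list.

    This is the handover rule: once a program passes to the maintenance group,
    the developer's change access should have been withdrawn.
    """
    flagged = []
    for line in text.strip().splitlines()[1:]:
        program, developer, maintainers = (part.strip() for part in line.split(","))
        if developer in {m.strip() for m in maintainers.split("|")}:
            flagged.append(program)
    return flagged


if __name__ == "__main__":
    for user, a, b in find_conflicts(parse_assignments(SAMPLE_ASSIGNMENTS)):
        print(f"CONFLICT  {user}: holds both {a} and {b}")
    for program in developer_retains_access(SAMPLE_PROGRAMS):
        print(f"HANDOVER  {program}: original developer still has maintenance access")
```

On the constructed data the review reports alice (development plus maintenance) and bob (operations plus development), and flags PAYROLL_CALC because bob both wrote it and can still change it. In practice the same two checks run against a directory-group or database-role export and the change-management system's program ownership records.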

THE DISTRIBUTED MODEL

- Distributed data processing (DDP) is an alternative to the centralized model.

- DDP, put simply, divides the central IT function into smaller units that are managed by end users.

- The textbook illustrates two variants. Alternative A differs from the centralized approach only in that
terminals (or microcomputers) are distributed to end users for managing input and output.

- Under Alternative B, all computer services are provided by end-user units that run independently, and
the central IT function is removed from the organizational structure.

RISKS ASSOCIATED WITH DDP

− Inefficient Use of Resources

1. Mismanagement of organization-wide IT resources by end users.
2. Increased risk of operational inefficiencies because of redundant tasks being performed within the
end-user community.
3. Risk of incompatible hardware and software among end-user functions.
− Destruction of Audit Trails

- In DDP systems, the audit trail consists of a set of digital transaction files and master files that reside in
part or entirely on end-user computers; if those files are deleted or lost, the audit trail is destroyed.

− Inadequate Segregation of Duties

- Achieving an adequate segregation of duties may not be possible in some distributed environments. The
distribution of the IT services to users may result in the creation of small independent units that do not
permit the desired separation of incompatible functions.
− Hiring Qualified Professionals

- End-user managers may lack the IT knowledge to evaluate the technical credentials and relevant
experience of candidates applying for IT professional positions.

− Lack of Standards

- Because of the distribution of responsibility in the DDP environment, standards for developing and
documenting systems, choosing programming languages, acquiring hardware and software, and
evaluating performance may be unevenly applied or even nonexistent.

ADVANTAGES OF DDP

− Cost Reductions

- DDP reduces costs in two areas: (1) data can be edited and entered by the end user, eliminating the
centralized task of data preparation; and (2) application complexity can be reduced, which in turn
reduces systems development and maintenance costs.

− Improved Cost Control Responsibility

- Proponents of DDP contend that the benefits of improved management attitudes more than outweigh
any additional costs incurred from distributing these resources. They argue that if IT capability is indeed
critical to the success of a business operation, then management must be given control over these
resources.

− Improved User Satisfaction

- DDP proponents claim that distributing system to end users improves three areas of need that too often
go unsatisfied in the centralized model: (1) as previously stated, users desire to control the resources that
influence their profitability; (2) users want systems professionals (analysts, programmers, and computer
operators) to be responsive to their specific situation; and (3) users want to become more actively
involved in developing and implementing their own systems.

− Backup Flexibility

- If a disaster destroys a single site, the other sites can use their excess capacity to process the transactions
of the destroyed site.

Controlling the DDP Environment

Implement a Corporate IT Function

1. Central Testing of Commercial Software and Hardware.

- A centralized corporate IT group is better equipped than end users to evaluate the merits of
competing commercial software and hardware products under consideration.
2. User Services.
- A valuable feature of the corporate group is its user services function. This activity provides
technical help to users during the installation of new software and in troubleshooting hardware
and software problems.

3. Standard-Setting Body.

- The relatively poor control environment imposed by the DDP model can be improved by
establishing some central guidance.

4. Personnel Review.

- The corporate group is often better equipped than users to evaluate the technical credentials of
prospective systems professionals.

THE COMPUTER CENTER

• Physical Location
• Construction
• Access
• Air-conditioning
• Fire suppression
• Fault Tolerance

Audit Objectives

The auditor’s objective is to evaluate the controls governing computer center security.
Specifically, the auditor must verify that:
• Physical security controls are adequate to reasonably protect the organization from
physical exposures
• Insurance coverage on equipment is adequate to compensate the organization for
the destruction of, or damage to, its computer center

Audit Procedures

• Tests of Physical Construction. The auditor should obtain architectural plans to determine that
the computer center is solidly built of fireproof material.
• Tests of the Fire Detection System. The auditor should establish that fire detection and
suppression equipment, both manual and automatic, are in place and tested regularly.
• Tests of Access Control. The auditor must establish that routine access to the computer center is
restricted to authorized employees. Details about visitor access (by programmers and others),
such as arrival and departure times, purpose, and frequency of access, can be obtained by
reviewing the access log.
• Tests of RAID. Most systems that employ RAID provide a graphical mapping of their redundant
disk storage. From this mapping, the auditor should determine whether the RAID level in place is
adequate for the organization, given the level of business risk associated with disk failure.
• Tests of the Uninterruptible Power Supply. The computer center should perform periodic tests
of the backup power supply to ensure that it has sufficient capacity to run the computer and air-
conditioning.
• Tests for Insurance Coverage. The auditor should annually review the organization’s insurance
coverage on its computer hardware, software, and physical facility. The auditor should verify that
all new acquisitions are listed on the policy and that obsolete equipment and software have been
deleted.
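The access-control test above is usually done by pulling the badge-reader export and comparing it with the list of people who have routine access. The script below is an added illustration of that review and is not code from the report; the roster, the badge log lines, the role names, and the weekday business-hours window are all constructed for the example. It treats only operators as routine entrants, reports every other badge as a visitor with arrival and departure times, visit count and time inside (the details the audit procedure asks for), and raises findings for unknown badges, after-hours visitor entries, and entries with no matching exit.

```python
"""Review of a computer-center badge log against an authorized-access roster.

Added example, not from the report. The roster, the log lines, the role names
and the business-hours window are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed roster of badges known to the computer center. Only operators
# are meant to enter routinely; everyone else is a visitor.
ROSTER = {
    "B1001": ("Ann Ortiz", "operator"),
    "B1002": ("Raj Patel", "operator"),
    "B2001": ("Lee Chen", "programmer"),
    "B3001": ("HVAC contractor", "vendor"),
}

# Assumed policy: visitors only during weekday business hours (start, end hour).
BUSINESS_HOURS = (8, 18)

# Constructed badge-reader export: timestamp, badge, direction.
SAMPLE_LOG = """\
2024-03-04T07:55:02,B1001,IN
2024-03-04T09:10:44,B2001,IN
2024-03-04T09:41:05,B2001,OUT
2024-03-04T16:03:19,B1001,OUT
2024-03-04T22:17:30,B2001,IN
2024-03-04T23:05:12,B2001,OUT
2024-03-05T03:12:09,B9999,IN
2024-03-05T08:00:00,B1002,IN
2024-03-05T10:30:00,B3001,IN
2024-03-05T18:00:00,B1002,OUT
"""


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, badge, direction = (part.strip() for part in line.split(","))
        events.append((datetime.fromisoformat(ts), badge, direction))
    return sorted(events)  # reader exports are not always in time order


def in_business_hours(ts):
    return ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def review_access_log(text, roster=ROSTER):
    """Return (findings, visitor_summary).

    findings: sorted (code, badge, timestamp) triples for the auditor to chase.
    visitor_summary: per non-operator badge, number of completed visits and
    total minutes inside, i.e. the frequency and duration the chapter asks for.
    """
    findings = []
    open_entry = {}               # badge -> time of the unmatched IN
    visits = defaultdict(list)    # badge -> [(in_ts, out_ts), ...]
    for ts, badge, direction in parse_log(text):
        if badge not in roster:
            findings.append(("UNKNOWN_BADGE", badge, ts.isoformat()))
            continue
        _, role = roster[badge]
        if direction == "IN":
            if badge in open_entry:   # two INs in a row: an exit went unrecorded
                findings.append(("NO_EXIT_RECORD", badge, open_entry[badge].isoformat()))
            open_entry[badge] = ts
            if role != "operator" and not in_business_hours(ts):
                findings.append(("AFTER_HOURS_VISITOR", badge, ts.isoformat()))
        else:
            start = open_entry.pop(badge, None)
            if start is None:         # OUT with no IN: tailgated in, or reader fault
                findings.append(("EXIT_WITHOUT_ENTRY", badge, ts.isoformat()))
            elif role != "operator":
                visits[badge].append((start, ts))
    for badge, start in open_entry.items():  # still "inside" when the export ends
        findings.append(("NO_EXIT_RECORD", badge, start.isoformat()))
    summary = {}
    for badge, pairs in visits.items():
        name, role = roster[badge]
        minutes = sum((out - inn).total_seconds() for inn, out in pairs) / 60
        summary[badge] = {"name": name, "role": role,
                          "visits": len(pairs), "minutes": int(minutes)}
    return sorted(findings), summary


if __name__ == "__main__":
    findings, summary = review_access_log(SAMPLE_LOG)
    for code, badge, when in findings:
        print(f"{code:20} {badge} {when}")
    for badge, info in summary.items():
        print(f"visitor {badge} ({info['name']}, {info['role']}): "
              f"{info['visits']} visits, {info['minutes']} min inside")
```

On the constructed log the programmer's second visit (22:17 on a Monday) is flagged as after hours, badge B9999 is not on the roster at all, and the vendor badge entered on 5 March but never badged out. The summary shows the programmer made two visits totalling 78 minutes; a high count for someone without routine access is exactly the frequency question the procedure raises.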

Disaster Recovery Plan

- is a comprehensive statement of all actions to be taken before, during, and after any type
of disaster.

Four essential elements common to most plans:

1. Identify Critical Applications


- identify the firm’s critical applications and associated data files
- concentrate on restoring those applications that are critical to the short-term
survival of the organization
2. Create Disaster Recovery Team
- To avoid serious omissions or duplication of effort during implementation of the
contingency plan, task responsibility must be clearly defined and communicated
to the personnel involved
3. Provide Second-Site Backup
- provides duplicate data processing facilities following a disaster

Common Options:

- Mutual aid pact


o an agreement between two or more organizations (with
compatible computer facilities) to aid each other with their data
processing needs in the event of a disaster.
- Empty Shell (Cold Site)
o an arrangement wherein the company buys or leases a building
that will serve as a data center.
- Recovery Operation Center (Hot Site)
o is a fully equipped backup data center that many companies
share
- Internally Provided Back up
o Larger organizations with multiple data processing centers often
prefer the self-reliance that creating internal excess capacity
provides. This permits firms to develop standardized hardware
and software configurations, which ensure functional
compatibility among their data processing centers and minimize
cutover problems in the event of a disaster.
4. Specify backup and off-site storage procedures
- All data files, applications, documentation, and supplies needed to perform
critical functions should be automatically backed up and stored at a secure off-
site location.
- Operating System Backup.
o procedures for obtaining a current version of the operating
system need to be clearly specified
- Application Back up
o include procedures to create copies of current versions of critical
applications.
- Back up data files
o databases should be copied daily to high-capacity, high-speed
media, such as tape or CDs/DVDs and secured offsite. In the
event of a disruption, reconstruction of the database is achieved
by updating the most current backed-up version with subsequent
transaction data.
- Back up Documentation
o system documentation for critical applications should be backed
up and stored off-site along with the applications.
o DRP should also include a provision backing up end-user manuals
because the individuals' processing transactions under disaster
conditions may not be usual staff who are familiar with the
system.
- Backup Supplies and Source Documents
o create backup inventories of supplies and source documents
used in processing critical transactions. Examples of critical
supplies are check stocks, invoices, purchase orders, and any
other special-purpose forms that cannot be obtained
immediately.
- Testing the DRP
o should be performed periodically. Tests measure the
preparedness of personnel and identify omissions or bottlenecks
in the plan.
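The "Back up data files" item above describes the recovery mechanism in one sentence: restore the most recent off-site copy, then bring it forward with the transaction data recorded since. The script below is an added illustration of that procedure and is not code from the report; the account ledger, the journal record format, the checksum on the backup copy, and the one-day backup interval are all constructed for the example. It also carries the data-backup audit procedure listed later in this section (is the copy as fresh as the DRP requires?) as a small check. A corrupt copy and a gap in the journal are both rejected rather than silently producing a wrong ledger.

```python
"""Database reconstruction from an off-site backup plus the transaction journal.

Added example, not from the report. The account ledger, the journal format,
the checksum and the one-day backup interval are constructed for this
illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta


def take_backup(db, last_seq, taken_at):
    """Serialise the database and record the last journal sequence it contains.

    The SHA-256 digest is stored with the copy so a corrupt or tampered backup
    is rejected at restore time instead of silently becoming the new ledger.
    """
    payload = json.dumps({"seq": last_seq, "data": db}, sort_keys=True).encode()
    return {"taken_at": taken_at, "payload": payload,
            "sha256": hashlib.sha256(payload).hexdigest()}


def apply_txn(db, txn):
    db[txn["account"]] = db.get(txn["account"], 0) + txn["amount"]


def restore(backup, journal):
    """Rebuild the database: verify the copy, load it, replay later journal entries.

    Entries already inside the snapshot are skipped; a missing sequence number
    aborts the restore rather than producing a ledger with a silent hole.
    """
    if hashlib.sha256(backup["payload"]).hexdigest() != backup["sha256"]:
        raise ValueError("backup copy fails its checksum; fall back to the previous generation")
    state = json.loads(backup["payload"])
    db, seq = state["data"], state["seq"]
    for txn in sorted(journal, key=lambda t: t["seq"]):
        if txn["seq"] <= seq:
            continue                      # already reflected in the snapshot
        if txn["seq"] != seq + 1:
            raise ValueError(f"journal gap: expected seq {seq + 1}, found {txn['seq']}")
        apply_txn(db, txn)
        seq = txn["seq"]
    return db, seq


def backup_is_current(backup, now, max_age=timedelta(days=1)):
    """Audit check: was the copy taken within the interval the DRP specifies?"""
    return now - backup["taken_at"] <= max_age


def run_scenario():
    """Post transactions, back up overnight, keep posting, then lose the live copy."""
    live = {"1010-cash": 5000, "2010-payables": 1200}
    journal, seq = [], 0

    def post(account, amount):
        nonlocal seq
        seq += 1
        txn = {"seq": seq, "account": account, "amount": amount}
        journal.append(txn)               # journal is written before the ledger
        apply_txn(live, txn)

    post("1010-cash", 250)
    post("2010-payables", -300)
    backup = take_backup(live, seq, datetime(2024, 3, 4, 23, 0))   # nightly copy
    post("1010-cash", -75)                # next day's activity, only in the journal
    post("4010-revenue", 75)
    expected = dict(live)
    live.clear()                          # the disaster: live database is gone
    recovered, last_seq = restore(backup, journal)
    return {"recovered": recovered, "expected": expected, "last_seq": last_seq,
            "backup_current": backup_is_current(backup, datetime(2024, 3, 5, 9, 0))}


if __name__ == "__main__":
    result = run_scenario()
    print("ledger matches pre-disaster state:", result["recovered"] == result["expected"])
    print("replayed through seq", result["last_seq"],
          "| backup within DRP interval:", result["backup_current"])
```

The scenario backs up after two postings, posts two more that exist only in the journal, destroys the live ledger, and rebuilds it to the pre-disaster state by replaying sequence numbers 3 and 4. The two ValueError paths are what a DRP test exercises deliberately: restoring a damaged copy and restoring with a journal that has lost an entry.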

Audit Objective

- verify that management’s disaster recovery plan is adequate and feasible for
dealing with a catastrophe that could deprive the organization of its computing
resources
Audit Procedures

- Site Backup.
o evaluate the adequacy of the backup site arrangement.
- Critical Application List
o review the list of critical applications to ensure that it is complete.
- Software Backup
o verify that copies of critical applications and operating systems
are stored off-site.
- Data Backup
o verify that critical data files are backed up in accordance with the
DRP.
- Backup Supplies, Documents, and Documentation
o verify that the types and quantities of items specified in the DRP
such as check stock, invoices, purchase orders, and any special
purpose forms exist in a secure location
- Disaster Recovery Team
o verify that members of the team are current employees and are
aware of their assigned responsibilities

Outsourcing the IT Function

IT outsourcing

- outsource their IT functions to third-party vendors who take over responsibility for the
management of IT assets and staff and for delivery of IT services, such as data entry, data
center operations, applications development, applications maintenance, and network
management

Benefits :

1. improved core business performance


2. improved IT performance
3. reduced IT costs

Core Competency theory

- an organization should focus exclusively on its core business competencies, while allowing
outsourcing vendors to efficiently manage the non-core areas such as the IT functions.
o ignores an important distinction between commodity IT and specific IT assets.
▪ Commodity IT assets
• not unique to a particular organization and are thus easily
acquired in the marketplace
▪ Specific IT Asset
• unique to the organization and support its strategic objectives
Transaction Cost Economic Theory

- conflicts with the core competency school by suggesting that firms should retain certain specific
non-core IT assets in-house.
- supports the outsourcing of commodity assets

Cloud Computing

- A location-independent computing model whereby shared data centers deliver hosted IT services over the Internet.
- “Cloud computing is a model for enabling convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction.”
o key features of cloud computing
▪ Client firms can acquire IT resources from vendors on demand and as
needed. This is in contrast to the traditional IT outsourcing model in
which resources are provided to client firms in strict accordance with
long-term contracts that stipulate services and time frames.
▪ Resources are provided over a network (private or Internet) and accessed
through network terminals at the client location.
▪ Acquisition of resources is rapid and, from the client's point of view, scalable without
practical limit. A client can expand and contract the service demanded almost instantly
and often automatically.
▪ Computing resources are pooled to meet the needs of multiple client
firms. A consequence of this, however, is that an individual client may
have no control over, or knowledge of, the physical location of the service
being provided
o three primary classes of computing services
▪ Software as a service (SaaS)
• a software distribution model in which service providers host
applications for client organizations over a private network or the
Internet.
▪ Infrastructure as a service (IaaS)
• the provision of computing power and disk space to client firms, who access it
from desktop PCs
▪ Platform as a Service (PaaS)
• enables client firms to develop their own applications and deploy them onto the
cloud infrastructure
- Virtualization
o Traditionally, a single physical computer runs a single operating system and a single
application.
o Virtualization runs more than one "virtual computer" on a single physical computer.
▪ Two other Virtualization
• Network virtualization
o increases effective network bandwidth. optimizes
network speed, flexibility, reliability and improves
network scalability
• Storage Virtualization
o the pooling of physical storage from multiple network
storage devices into a single virtual storage device
- Cloud Computing Implementation Issues
o First, large firms have typically already incurred massive investments in
equipment, proprietary software, and human resources. These organizations are
often not inclined to walk away from their investments and turn over their entire
IT operations to a cloud vendor.
o Second, many large enterprises have mission-critical functions running on legacy
systems that are many decades old. These systems continue to exist because they
continue to add value. The task of migrating legacy systems to the cloud would
require new architectures and considerable reprogramming. Given their typically
high utilization, performance, and throughput, the cost/benefit of the cloud
alternative is debatable.
o Third, a central tenet of cloud computing is the philosophy that IT is a one-size-fits-all
commodity asset. Indeed, the economies of scale that cloud vendors achieve depend upon
standardization of solutions across all clients. Cloud vendors treat all workloads and all
clients as commodities and do not provide the special treatment required by some
organizations. Larger companies are more likely to have esoteric information needs and
to pursue strategic advantage through IT systems. A commodity provision approach is
incompatible with the need for unique strategic information.
- Risks Inherent to IT Outsourcing
- Failure to Perform
o performance becomes linked to the vendor’s performance
- Vendor Exploitation
o Centers on Specific assets
o raising service rates to an exorbitant level
- Outsourcing Costs Exceed Benefits
o costs arise and the full extent of expected benefits are not
realized
- Reduced Security
o regarding internal control and the protection of sensitive
personal data.
- Loss of Strategic Advantage
o Organizations that use IT strategically must align business
strategy and IT strategy or run the risk of decreased business
performance

4 Commonly Outsourced IT Solutions

1. Network Security
2. Network Implementation and Maintenance
3. Troubleshooting Support
4. System and File Backup

OUTSOURCING THE IT FUNCTION: AUDIT IMPLICATIONS

Statement on Standards for Attestation Engagements No. 16 (SSAE 16)

- an internationally recognized third-party attestation report designed for service organizations such as IT
outsourcing vendors.

- objective was to keep pace with the move toward globally accepted international accounting standards.

- certification does not stand as a symbol for exceptional service, it enables customers to recognize the
service provider as meeting a minimum set of standards within the industry. SSAE 16 certification is
focused on customers' business requirements rather than the needs of the business servicing those
customers.

TWO TYPES OF SSAE 16 REPORTS

1. Type 1 report attests to the vendor management’s description of their system and the suitability of the
design of controls.

2. Type 2 report attests to management’s description of their system, the suitability of the design of
controls, and the operating effectiveness of controls.

*The Type 1 report is the less rigorous of the two: it covers design only.

*The Type 2 report takes a step further and evaluates the operating effectiveness of the controls over a period.

*For client companies undergoing a financial statement audit, SSAE 16 Type 2 reports are important
because SOX Section 404 mandates the detailed testing of controls.

TWO REPORTING TECHNIQUES

1. CARVE-OUT METHOD - exclude the subservice organization’s relevant control objectives and related
controls from management’s description and scope of the service auditor’s engagement.

2. INCLUSIVE METHOD - the control activities performed by the subservice organization are included
within the scope of the report.

*A subservice organization is simply an outsourcing company to the main service organization.
