Organizational Structure of the IT Function

Cards (26)

  • Objectives of IT Governance are to:
    • Reduce risk
    • Ensure investments in IT resources add value to the corporation
  • Modern IT Governance involves active participation in key IT decisions by:
    • Board of Directors
    • Top management
    • Departmental users like accounting and finance
  • Three IT Governance Issues:
    1. Organizational structure of the IT function
    2. Computer center operations
    3. Disaster Recovery Planning
  • Logic of discussion involves:
    1. Nature of risk
    2. Description of controls needed to mitigate risk
    3. Audit objectives
    4. Testing of controls, which may be performed by external or internal auditors
  • Two Extreme Organizational Models:
    1. Centralized Data Processing
    2. Distributed Data Processing
  • Centralized Data Processing (CDP) involves all data processing being performed by one or more large computers housed at a central site that serve users throughout the organization
  • Primary Service Areas of IT in CDP include:
    1. Database administration
    2. Data processing
    3. Systems development and Maintenance
  • In Centralized Data Processing, Systems Development and Maintenance should be segregated to:
    • Systems Analysis
    • Programming
  • Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users
  • Risks associated with Distributed Data Processing include:
    • Inefficient use of resources
    • Destruction of audit trails
    • Inadequate segregation of duties
    • Hiring qualified professionals
    • Lack of standards
  • Advantages of Distributed Data Processing include:
    • Cost Reductions
    • Improved Cost Control Responsibility
    • Improved User Satisfaction
    • Backup Flexibility
  • Controlling the DDP Environment involves:
    • Implement a Corporate IT Function
    • Audit Objectives - verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment.
    • Audit Procedures
  • Audit procedures for Distributed IT Function:
    • Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties
    • Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units
    • Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible
    • Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards
  • Audit procedures for Centralized IT Function:
    (1) Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
    (2) Review systems documentation and maintenance records for a sample of applications.
    (3) Verify that computer operators do not have access to the operational details of a system’s internal logic.
    (4) Through observation, determine that segregation policy is being followed in practice.
  • Data processing consists of organizational functions such as:
    1. Data Conversion - transcribes data from hard-copy source documents into computer input
    2. Computer Operations - processes the electronic files produced in data conversion
    3. Data Library - provides storage for off-line data files
  • Data Librarian is RESPONSIBLE for Receipt, Storage, Retrieval, and Custody of data files
  • Participants in systems development are:
    (1) Systems professionals - gather facts about the user's problem, analyze the facts, and formulate a solution. Includes systems analysts, database designers, and programmers
    (2) End users - for whom the system is built
    (3) Stakeholders - individuals inside or outside the firm who have an interest in the system, but are not end users. Includes Accountants, Internal auditors, External auditors, Others who oversee system development.
  • Operational tasks should be segregated to:
    1. Separate transaction authorization from transaction processing.
    2. Separate record keeping from asset custody.
    3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.
  • Segregation of Incompatible IT Functions:
    • Separating Systems Development from Computer Operations
    • Separating Database Administration from Other Functions: DBA responsibilities include creating database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion
    • Separating New Systems Development from Maintenance: divides the in-house systems development function into two groups: Systems Analysis and Programming
    • Systems analysis works with users to produce detailed designs of the new systems
    • Programming codes the programs according to design specifications
  • Two types of control problems associated with separating new systems development from maintenance:
    • Inadequate Documentation: reasons include that documenting systems is less interesting than designing, testing, and implementing them, and job security
    • Program Fraud: making unauthorized changes to program modules
  • Two Alternative DDP Approaches:
    1. Alternative A - end users handle input and output but systems development, computer operations, and database administration remain centralized.
    2. Alternative B - distributes all computer services to the end users, where they operate as standalone units.
  • Inefficient use of resources:
    (1) risk of mismanagement of organization-wide IT resources by end users
    (2) risk of operational inefficiencies
    (3) risk of incompatible hardware and software among end-user functions
  • DDP has reduced costs in two other areas:
    (1) data can be edited and entered by the end user
    (2) application complexity can be reduced
  • DDP improves Three areas of need that too often go unsatisfied in the centralized model:
    (1) users desire to control the resources that influence their profitability
    (2) users want systems professionals to be responsive to their specific situation
    (3) users want to become more actively involved in developing and implementing their own systems
  • Implement a Corporate IT Function:
    (1) Central testing of commercial software and hardware
    (2) User services - provides technical help to users during the installation of new software and in troubleshooting hardware and software problems
    (3) Standard-setting body
    (4) Personnel Review
  • Working environment is formal rather than casual