Cis Ch2

Cards (111)

  • Information technology (IT) governance
    a new subset of corporate governance that focuses on the management and assessment of strategic IT resources.
  • The key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation.
  • Modern IT governance, however, follows the philosophy that all corporate stakeholders, including boards of directors, top management, and departmental users (i.e., accounting and finance), be active participants in key IT decisions.
  • Three IT governance issues that are addressed by SOX and the COSO internal control framework (mnemonic: COD):
    1. Computer center operations
    2. Organizational structure of the IT function
    3. Disaster recovery planning
  • The discussion on each of these governance issues begins with an explanation of the nature of risk and a description of the controls needed to mitigate the risk.
  • The organization of the IT function has implications for the nature and effectiveness of internal controls, which, in turn, has implications for the audit.
  • two extreme organizational models
    the centralized approach and the distributed approach.
  • centralized data processing
    all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
  • The IT services function is usually treated as a cost center whose operating costs are charged back to the end users.
  • IT primary service areas: DDS
    1. database administration
    2. data processing, and
    3. systems development and maintenance.
  • Database Administration
    Centrally organized companies maintain their data resources in a central location that is shared by all end users.
  • Database Administration
    In this shared data arrangement, an independent group headed by the database administrator (DBA) is responsible for the security and integrity of the database.
  • Data Processing
    manages the computer resources used to perform the day-to-day processing of transactions.
  • Data Processing Functions: 3 (mnemonic: COL)
    1. data control/data entry
    2. computer operations
    3. data library
  • Data Control/Data Entry
    receives hard copy source documents from end users and transcribes these into digital format for computer processing in batch systems.
  • Computer Operations
    electronic files produced in data conversion are later processed by the central computer, which is managed by the computer operations group.
  • Data Library
    room adjacent to the computer center that provides safe storage for the off-line data files. Those files could be backups or current data files.
  • data librarian
    1. responsible for the receipt, storage, retrieval, and custody of data files, controls access to the library.
    2. issues data files to computer operators in accordance with program requests and takes custody of files when processing or backup procedures are completed.
  • Systems Development
    responsible for analyzing user needs and for designing new systems to satisfy those needs.
  • participants in system development activities
    systems professionals, end users, and stakeholders.
  • Systems professionals
    systems analysts, database designers, and programmers who design and build the system. They gather facts about the user’s problem, analyze the facts, and formulate a solution. The product of their efforts is a new information system.
  • End users are those for whom the system is built. They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities.
  • Stakeholders are individuals inside or outside the firm who have an interest in the system, but are not end users. They include accountants, internal auditors, external auditors, and others who oversee systems development.
  • Once a new system has been designed and implemented, the systems maintenance group assumes responsibility for keeping it current with user needs.
  • maintenance
    making changes to program logic to accommodate shifts in user needs over time.
  • operational tasks should be segregated to:
    1. Separate transaction authorization from transaction processing.
    2. Separate record keeping from asset custody.
    3. Divide transaction-processing tasks among individuals
  • The IT environment tends to consolidate activities. A single application may authorize, process, and record all aspects of a transaction. Thus, the focus of segregation control shifts from the operational level to higher-level organizational relationships within the computer services function.
  • The segregation of systems development (both new systems development and maintenance) and operations activities is of the greatest importance. The relationship between these groups should be extremely formal, and their responsibilities should not be commingled.
  • The DBA function is responsible for a number of critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion.
  • DBA function is organizationally independent of operations, systems development, and maintenance.
  • systems analysis group works with the users to produce detailed designs of the new systems.
  • programming group codes the programs according to these design specifications. Under this approach, the programmer who codes the original programs also maintains the system during the maintenance phase of the systems development life cycle.
  • two types of control problems: inadequate documentation and the potential for program fraud.
  • Inadequate Documentation
    Poor-quality systems documentation arises because documenting systems is not as interesting as designing, testing, and implementing them.
  • Program fraud
    involves making unauthorized changes to program modules for the purpose of committing an illegal act.
  • Superior Structure for Systems Development: solutions to the 2 control problems
    1. Documentation standards are improved.
    2. Denying the original programmer future access to the program deters program fraud.
  • An alternative to the centralized model is the concept of distributed data processing (DDP).
  • DDP involves reorganizing the central IT function into small IT units that are placed under the control of end users.
  • Risks Associated with DDP
    This section discusses the organizational risks that need to be considered when implementing DDP. The discussion focuses on important issues that carry control implications auditors should recognize.
  • three types of risks associated with inefficient use of organizational resources (mnemonic: Incompatible mis-opera)
    1. risk of mismanagement of organization-wide IT resources
    2. risk of operational inefficiencies
    3. risk of incompatible hardware and software