IT Governance Overview

Questions and Answers

What do users desire in a distributed system?

Centralized decision-making

No response from IT professionals

Less involvement in system development

Control over resources that influence profitability (correct)

Which of the following are services provided by the corporate IT function?

Central Testing of Commercial Software and Hardware (correct)

User Services (correct)

Standard-Setting Body (correct)

None of the above

What are examples of fault tolerance technologies?

Redundant arrays of independent disks (RAID) and uninterruptible power supplies

The disaster recovery plan (DRP) should identify ______ applications.

critical

A mutual aid pact is an agreement for companies to stop their operations during a disaster.

False

What is the primary function of a disaster recovery team?

To execute recovery efforts and delegate tasks following a disaster.

Match the following disaster types with their characteristics:

Natural disasters = Most potentially devastating Man-made disasters = Can be just as destructive but limited in scope System failures = Generally less severe but most likely to occur Technical disruptions = Malfunctioning hardware or software causing operational issues

What temperature range do computers function best in?

70 to 75°F

Fire is considered the most serious threat to computer equipment.

True

What should the auditor verify about the physical security controls in an organization?

That they are adequate to protect against physical exposures.

Disaster recovery plans (DRP) should specify backup and offsite ______ procedures.

storage

What is a key benefit of IT outsourcing?

Improved core business and IT performance

What is the primary focus of IT Governance?

Management and assessment of strategic IT resources

Before the Sarbanes-Oxley Act (SOX), corporate IT professionals made all IT investment decisions.

True

Which of the following are key objectives of IT Governance? (Select all that apply)

Reduce risk

What are the three IT Governance issues addressed by SOX and the COSO internal control framework?

Organizational structure of the IT function, computer center operations, disaster recovery planning.

What role does the Database Administrator (DBA) fulfill?

Maintaining security and integrity of the database

Systems maintenance involves making changes to program logic to accommodate shifts in user ______.

needs

What is a consequence of separating transaction authorization from transaction processing?

Prevention of fraud

What are the risks associated with Distributed Data Processing (DDP)?

Inefficient use of resources, destruction of audit trails, inadequate segregation of duties.

In a Distributed Data Processing (DDP) system, sharing data among users can lead to increased redundancy.

True

What are the advantages of Distributed Data Processing (DDP)?

Cost reductions, improved cost control, and enhanced management attitudes.

Study Notes

Information Technology (IT) Governance

• IT governance involves managing and assessing strategic IT resources to reduce risk and maximize value in corporate investments.
• The Sarbanes-Oxley Act (SOX) shifted IT decision-making from solely IT professionals to include broader corporate stakeholders for better compliance with user needs and policies.
• Modern IT governance promotes active involvement from the Board of Directors, top management, and departmental users.

IT Governance Controls

• SOX and the COSO internal control framework address three key IT governance issues:
  • Organizational structure of the IT function
  • Computer center operations
  • Disaster recovery planning

Structure of the Corporate IT Function

• Centralized Data Processing consolidates IT services, treated as a cost center with end users competing for resources based on need.
• Primary service areas include database administration, data processing, and systems development/maintenance.

Database Administration

• Maintains security and integrity of databases; requires centralized oversight from dedicated database administrators.
• The data library is responsible for secure storage and management of off-line data files, including backups and software licenses.

Data Processing

• Critical for day-to-day transaction management, including data entry, computer operations, and maintaining data libraries.

System Development and Maintenance

• New systems designed based on user needs; involves system analysts, programmers, and stakeholder input.
• Systems maintenance may account for 80-90% of a system’s total lifecycle costs, highlighting its importance and challenges like insufficient documentation.

Segregation of Incompatible IT Functions

• Important to separate transactions and records management to minimize fraud risk.
• Systems development and operations must be distinctly separated to avoid errors and enhance security.

Risks of Combining Roles

• Combining systems development and operations can lead to errors and security vulnerabilities, as developers could exploit inside knowledge.
• Database administration should remain independent to maintain data integrity and security.

Distributed Data Processing (DDP) Model

• DDP reorganizes the IT function into smaller units controlled by end users, enhancing flexibility and responsiveness.
• Risks associated with DDP include inefficient resource use, destruction of audit trails, inadequate segregation of duties, hiring unqualified professionals, and lack of standards.

Advantages of DDP

• Cost reductions from powerful, inexpensive computing resources.
• Improved user satisfaction and control over IT resources.
• Enhanced backup flexibility with excess capacity across geographically separate units.

Controlling the DDP Environment

• Ineffective DDP implementations arise when decision-makers overestimate its benefits.
• Essential to establish a corporate IT function that provides entity-wide systems development and technical support to ensure effective DDP management.### Central Testing of Commercial Software and Hardware
• Centralized IT groups are more effective than end users in evaluating competing software and hardware products.
• They assess systems for features, controls, and compatibility with standards.
• Test results guide acquisition decisions in user areas, centralizing acquisition and implementation processes.

User Services

• Technical support is provided during software installation and troubleshooting hardware/software issues.
• Creating electronic bulletin boards helps share common issues and user-developed programs.

Standard-Setting Body

• Standards for systems development, programming, and documentation are established and distributed to user areas.

Personnel Review

• Centralized groups have better capability to evaluate technical credentials of potential systems professionals.

Audit Objectives

• Verify segregation of incompatible areas in the IT structure to promote formal relationships and minimize risk.

Audit Procedures for Centralized IT Function

• Review documentation, organizational chart, and mission statements to identify incompatible functions.
• Check that maintenance programmers and operators do not have conflicting access to system details.
• Observe the implementation of segregation policies in practice.

Computer Center

• Physical location affects susceptibility to disasters; centers should avoid man-made/natural hazards.
• Construction should ideally be solid, with underground utility lines and secure access.
• Access limited to operators, controlled via keypads or swipe cards, monitored by cameras.

Environmental Control

• Air-conditioning is essential for optimal operating conditions (70-75°F, 50% humidity) to prevent hardware errors and damage.
• Regular checks of environmental parameters safeguard against issues like static electricity and mold growth.

Fire Suppression Systems

• Automatic and manual alarms should be installed; an effective extinguishing system is crucial.
• Manual fire extinguishers placed strategically as a backup.

Fault Tolerance

• Systems should remain operational during hardware or software failures.
• Technologies include RAID for data redundancy and uninterruptible power supplies for power outages.

Audit Objectives for Computer Center Security

• Evaluate controls safeguarding the computer center from physical threats and ensure proper insurance coverage.

Disaster Recovery Planning

• Types of disasters: Natural, man-made, and system failures pose risks to business continuity.
• A Disaster Recovery Plan (DRP) outlines critical actions pre, during, and post-disaster.

Features of a DRP

• Identification of critical applications crucial for short-term business survival.
• Creation of a disaster recovery team with defined roles.
• Provision of site backup with mutual aid arrangements or hot/cold site plans.

Backup and Off-Site Storage Procedures

• Regular backups of operating systems and critical applications are necessary.
• Secure off-site storage of databases and system documentation enables rapid recovery.

Testing the DRP

• Periodic tests assess personnel preparedness and identify potential bottlenecks.
• Actions include evaluating DRP team effectiveness and determining financial impacts of disruptions.

Audit Procedures for DRP

• Assess adequacy of backup site arrangements and completeness of critical application lists.
• Verify current versions of off-site stored applications and ensure data backups adhere to DRP specifications.

Outsourcing the IT Function

• Key advantages include enhanced core performance, improved IT functionality, and cost reduction.
• Core competency theory emphasizes focusing on primary business areas while outsourcing non-core IT functions.

Description

Explore the essentials of IT governance, focusing on strategic management and risk assessment of IT resources in corporate settings. This quiz covers key components like the Sarbanes-Oxley Act, organizational structures, and governance controls. Test your knowledge on how modern IT governance promotes compliance and value maximization.