Ch. 13 IT Governance and General Controls
The four types of architectures for multi-user systems are (1) centralized, (2) centralized
with distributed data entry, (3) decentralized, and (4) distributed.
The four categories of controls are (a) workflow controls, (b) input controls, (c) general
controls, and (d) performance reviews.
Workflow controls (discussed in detail in Chapter 4) are used to control the steps
in a process, such as the steps in purchasing inventory (from purchase order to paying the
vendor). Input controls (discussed in Chapter 7) are used to control the input of data into
the computer system. General controls (discussed most prominently in this chapter) are
broad controls concerning information systems planning, organizing the IT function,
identifying and developing IS solutions, and implementing and operating accounting
systems. Performance reviews are controls that are often carried out by comparing actual
results with budgets, forecasts, and prior-period data.
IT planning is important to the organization for several reasons. IT planning helps an
organization make sure that it has adequate hardware, software, and personnel resources
to function effectively, efficiently, and competitively. It helps in prioritizing information
system projects and in making sure that the projects are consistent with the company’s
Three important controls over the organization of the IT function are briefly described
Appropriate location of the IT function. If the information system is of strategic
importance and the company is not very small, in many cases, a special department
should be created that is separate from the user departments (e.g., production or
accounting). This increases the likelihood that the IT providers will not favor one
user department over the other. In very small organizations, the IT function can be
administered by one of the user departments, such as accounting.
Segregation of incompatible functions. For internal control purposes, it is ideal to
separate responsibilities for the following functions: (a) the user department from the
computer operations unit, (b) systems development from computer operations, (c)
systems development from systems maintenance, and (d) the components of the systems
development process (e.g., analysis vs. design vs. programming).
Controls over personnel functions such as hiring, developing and terminating IT
SM 13-2 Part IV Managing Information Technology and Systems Development
Under a centralized IS with distributed data entry, the organization chart in
Figure 13.3 could be the same as to the responsibilities of the Manager of
Systems Development, and the Manager of Technical Services. However,
the responsibilities of the Manager of Data Processing would change. Data
control (obtaining batches of data) and data entry would be conducted by
the user. However, computer operations, such as backups and
maintenance of the operating system would continue to be done by the IT
unit. The data library would also be stored within the IT unit.
Under a decentralized organization, the organization chart in Figure 13.3
could become radically different. The user department would become
responsible for data processing and all IT functions, in theory. However
in reality, individual units may not have the expertise for developing their
systems and handling technical requirements. In that case, the functions
of the Manager of Systems Development and the Manager of Technical
Services could survive as service providers. They could also be given the
authority to set standards for software and hardware acquisition that would
need to be followed as a condition for support.
Under a distributed system, some of the processing is under the control of
the IT function and some is controlled by the user department. If some
data entry is done in the IT unit, all of the functions in Figure 13.3 could
still apply. In addition, a unit that is responsible for end-user support,
support policies, user training and setting standards would be needed.
Some ways to segregate duties within the IT function and between user groups and the IT
function are described below:
Different personnel could be assigned to the functions of (a) systems development, which
involves creating new systems or making major changes to existing systems, and (b)
system maintenance, which involves making smaller changes and adjustments to meet
changing needs. This arrangement reduces the likelihood of fraud or errors by developers
because their work will be examined closely as changes are made.
Systems developers and programmers can be separated from computer operators and
users by allowing programmers access only to test data and a test copy of the software.
Computer operators and users would have access to the data and software actually in use.
The responsibilities for authorization, execution and custody of assets could be reserved
for user departments. Under this approach, the central IT function would be responsible
for data entry and processing only.
An organization needs to establish controls and standards for hiring, developing and
terminating personnel. Hiring controls include a careful writing of the job description
and collecting information about job candidates from resumes, interviews, tests and
references. The company also needs to have training programs in place that help the staff
keep up-to-date and adequately skilled. In addition, personnel reviews should be
conducted regularly to determine where additional training is necessary. Finally, a
company needs to be careful about the outcome of an employee termination whether
voluntary or involuntary. Examples of controls include determining the reason for
leaving, obtaining the employee’s keys and badges, canceling passwords, and removing
the employee’s name from distribution lists.
Three important controls related to identifying IT solutions are briefly described below:
Use of an appropriate systems development methodology that breaks the development
process into a series of manageable stages is necessary.
Implement procedures for program development and testing. An organization should
have a procedure for testing a program before implementation.
Ensure adequate documentation. The organization should require documentation of
the overall application and key components, user manuals and training materials.
Without documentation, if original developers leave the company, it could be very
difficult to maintain the system.
The following controls can be used to ensure security of resources in AIS.
Passwords can be used to limit access to authorized individuals.
An access control matrix can be used to specify to which parts of the AIS a particular
user has access.
Physical access to the computer system can be controlled.
Access to programs and documentation should be limited.
Continuity of services can be ensured by (a) performing regular backups of data, (b)
recording the same transaction in two different places as it occurs (planned redundancy)
and (c) using an uninterruptible power supply unit, especially for a computer that is a
The system architectures described in the exercise are classified in the order in which
they were presented in the exercise:
1. Distributed. It is not centralized with distributed data entry because the customer’s
computer is not merely acting as a dumb terminal. Data is verified by the
3. Centralized with distributed data entry.
The College of Business (one of the colleges in the University) intends to develop a plan
that would create a web site that could be used for communicating with current and
prospective students. Some of the issues that must be considered in this effort are
Organization’s strategy. Developers should make sure that they understand both the
University’s and College’s overall strategic plan. The college may wish to increase
enrollments, or increase the quality of the students that they would like to enroll. A web
site designed to attract high school students with excellent academic records may help
achieve this goal. As for current students, the college may wish to reduce registration
and transcript costs. Perhaps this could be achieved by allowing students to register and
to see their transcripts on-line.
IT strategy. Once the College’s overall strategy is understood, the college can develop
its IT strategy. It can start by assessing its current IT capabilities, and then determine the
capabilities required to pursue the organization’s overall strategy. The planners can
then develop a plan that will move the college from its current capabilities to the required
future capabilities in an orderly fashion.
IT infrastructure. The planners will need to consider the current legacy systems and the
platform that will be used. For example, the University already has a system for
registering and displaying transcripts. It will be much cheaper if the College of Business
can continue to use the legacy system to provide information to the web page. Assume
that the registration and transcript information is stored in a database. The planners may
be able to use the three tier architecture described in Chapter 12. It may be possible to
use the existing database (bottom tier) to provide the information for the web site, and
then develop a web server that communicates with the database using SQL or other
database language and provides output in HTML format to the student’s computer (client
IT function. The College of Business could decide to outsource the work of developing
and maintaining the web site. However, more than likely, the University is large enough
to make it worth investing in personnel and training to handle this function. Some of the
work could probably be done by the current IT staff and even talented students, as well as
the professors in the information system discipline. The College may decide that the
University IT staff should develop and maintain the system rather than create a web
development team within the College. Some of this would depend on whether the
University staff is willing and able to be responsive to the College’s needs.
Systems Development process. The College should plan how it will go about preparing
for the changes that the new web site would bring. A formal development methodology
may help in establishing the steps in the process. Even without a formal method, it will
still be necessary to determine the tasks required as well as assign the tasks to qualified
individuals. It will also be necessary to determine who will maintain the system, who
will provide the content, and the procedure for providing content. The College may
decide that it needs to create a committee of faculty and staff to coordinate the college’s
part of the development process.
The College of Business is interested in developing a web site that would be used by
faculty. Some of the issues to consider are described below:
Organization strategy. The University and its colleges may have a strategy of reducing
the costs of faculty communication. Much time is spent in scheduling meetings as to
time and place, announcing meetings, providing reports, and in developing and revising
shared documents and research. The organization may wish to use technology to reduce
IT strategy. The college must plan an IT strategy that is consistent with the University’s
and college’s strategy described above. The vision may include the use of internet
technology to schedule meetings and work together on documents.
IT infrastructure. The College will need a system that helps determine the availability
of faculty and rooms for meetings, and that can be used to schedule the required meeting.
A system that allows faculty to share and revise documents is also needed. Finally, the
system will need the capacity to store announcements of general interest to faculty
members. The system will need adequate software to provide these capabilities, a server
that can be used to store schedules and common documents, as well as hardware for
connecting faculty computers with the server. In addition, if access from home is
desired, there will need to be a way to access the college’s faculty web sites without fear
of intrusion by non-faculty.
IT function. To develop a satisfactory system, the college will need someone to develop
the web site, and install the software, hardware and network. This is something that
faculty are not likely to do, so the College will need to either create its own IT staff for
this, or take advantage of the university’s IT staff, or perhaps a combination of the two.
Even if all of the development and maintenance is done by the University’s IT staff, there
will still probably be a need for someone in the College, perhaps a staff or faculty
member, to serve as liaison with IT staff. In addition, faculty will need to be trained to
use the software that is planned. The members of the team that installs and develops the
application may be the ones who do this in the short-run, but long-term, there may be a
need for a full-time staff person who can provide services to faculty.
Systems development process. The individuals planning this project should use a
methodology that divides the process into stages so that progress can be measured and
tasks can be assigned to qualified individuals. Undoubtedly, faculty should be heavily
involved in the process, since their needs are paramount.
The advantages and disadvantages of using an internet application service provider are
By way of review, the advantages of outsourcing are repeated here: (1) provides access to
staff with current skills, (2) can be used to downsize a company and control labor costs,
(3) service providers may be better able to respond to changes in the technological
environment, and (4) if it is necessary to downsize further, the company can reduce
outsourcing services to reduce costs, without having to lay off in-house employees.
There are some additional advantages that may result from outsourcing the
processing of sales and other accounting functions. If the company is small, it may be
cheaper to use the services of an outside provider, especially for handling accounts
receivable and payroll. The accounts receivable task may not be so complex that it
requires internal expertise and may be similar across industries. This means that there
may be many providers of the service, and the competition could keep costs low. There
may be a large volume of mailings (invoices and customer statements) that have to be
made, and a service provider may have the equipment that can do large scale printing and
mailing at lower cost. The process of collecting and recording cash receipts from
customers can also be an operation that might be done at lower cost by a large
organization with economies of scale. Payroll is another application that is very similar
across industries. Again, there are many providers of payroll services. In addition to
relieving the client of this highly repetitive function, providers stay abreast of the payroll
tax regulations and make sure the company complies with all state and federal
The use of an outside provider for maintaining inventory information may be less
fruitful, since inventory can be specialized, and management of inventory information
may require more personal attention. If the provider has to customize the service to meet
the needs of the user, the service becomes more expensive. On the other hand, there are
some industries where standardization of inventory provides a mechanism for an outside
agency to provide such services at lower cost. For example, textbooks that are sold by
college bookstores are identified with a standard ISBN and information such as title,
author, edition, etc. can be easily obtained.
Finally, it is possible that the organization may benefit from outsourcing if the
service provider uses ‘best practices.’ Similar to the benefits of using an ERP (enterprise
resource planning) system, outsource providers may have arranged their services so that
they represent the current best practices in the industry.
Several disadvantages of outsourcing the entire IT function were already noted in the
text. Briefly they are as follows: (1) outsourcing creates loss of control, (2) IT permeates
the entire business making it more difficult to outsource, (3) there may be significant
additional costs when the agreement is amended for changes in the business or
technology, (4) long-term contracts are risky since future requirements are uncertain, (5)
the company may become locked into the supplier’s proprietary hardware/software, and
(6) providers may use subcontractors.
As noted above, outsourcing is often not advisable for the operations that are
unique to your company. Either the service provider would not provide the service, or
the provider would customize the software at great cost. Outsourcing general ledger
maintenance and the preparation of financial statements and other reporting may not be
desirable. For one thing, these documents may contain information that needs to be
confidential to avoid loss of competitive advantage. In addition, allowing others to do the
reporting means that the user is less aware of the information used to generate the reports,
and the possibility that insights gained in making the reports will be lost.
Below is an access control matrix for ELERBE’s purchasing and receiving process.
Many of the permission assignments in the matrix are somewhat arbitrary since the
narrative for ELERBE’s purchasing and receiving process is silent with respect to many
of the items. However, the write (W) permissions are more obviously aligned with the
narrative and are consistent with Figure 9.1, the overview activity diagram for ELERBE’s
purchasing and receiving process. It is assumed that users can read reference and
summary data about inventory, vendors and employees if they have read (R) access to the
maintain inventory, vendors and employee options. Likewise, it is assumed that users
who have the read (R) permission for recording requisitions, purchase orders and receipts
can review information about these transactions.
Access Control Matrix for ELERBE’s Purchasing and Receiving Process

| Menu item | Requestor | Supervisor | Secretary | Inventory manager | Human resources manager | Purchasing officer | Receiving clerk | Accounts payable clerk | CFO |
|---|---|---|---|---|---|---|---|---|---|
| Maintain vendor | R | R | R | X | X | RW | R | R | RWD |
| Maintain inventory | R | R | R | RW | X | R | R | R | RWD |
| Maintain employee | X | R | X | R | RW | R | X | X | RWD |
| Record requisition | R | RW | RW | R | X | R | R | R | RWD |
| Record purchase order | R | R | R | R | X | RW | R | R | RWD |
| Record receipt | R | R | R | R | X | R | RW | R | RWD |
| Print new | X | R | R | R | X | RD | R | R | RD |
| Print purchases | X | X | X | X | X | RD | X | R | RD |
| Print supplier | R | R | R | R | X | R | R | R | RD |
| Print inventory | R | R | R | RD | X | R | R | R | RD |
| Print open | X | R | R | R | X | RD | R | R | RD |

R = read, W = write, D = design, X = no permission
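As an added example (not part of the solutions manual), the maintain and record rows of the matrix above encoded as a data structure, with a default-deny permission check and a segregation-of-duties check that ties back to the earlier discussion of separating authorization, execution and custody. Role names are the column headers; the row labels "Maintain inventory", "Maintain employee", "Record requisition" and "Record purchase order" are assumed from the narrative, which names those menu options.

```python
# Added example (not from the textbook): ELERBE's access control matrix as a
# data structure, a permission check, and a segregation-of-duties check over the
# "Record" rows. Labels "Maintain inventory", "Maintain employee", "Record
# requisition" and "Record purchase order" are assumed from the narrative.
from typing import Dict, List, Set

Acm = Dict[str, Dict[str, Set[str]]]  # menu item -> role -> {"R", "W", "D"}

ROLES = ["Requestor", "Supervisor", "Secretary", "Inventory manager",
         "Human resources manager", "Purchasing officer", "Receiving clerk",
         "Accounts payable clerk", "CFO"]

# Cells copied from the matrix; X means no permission.
MATRIX_ROWS = {
    "Maintain vendor":       "R R R X X RW R R RWD",
    "Maintain inventory":    "R R R RW X R R R RWD",
    "Maintain employee":     "X R X R RW R X X RWD",
    "Record requisition":    "R RW RW R X R R R RWD",
    "Record purchase order": "R R R R X RW R R RWD",
    "Record receipt":        "R R R R X R RW R RWD",
}
TRANSACTIONS = ["Record requisition", "Record purchase order", "Record receipt"]

def parse_matrix(rows: Dict[str, str]) -> Acm:
    """Turn space-separated cells into per-role permission sets, one row per item."""
    acm: Acm = {}
    for item, cells in rows.items():
        perms = cells.split()
        if len(perms) != len(ROLES):
            raise ValueError(f"{item}: expected {len(ROLES)} cells, got {len(perms)}")
        acm[item] = {role: set() if p == "X" else set(p)
                     for role, p in zip(ROLES, perms)}
    return acm

ACM = parse_matrix(MATRIX_ROWS)

def can(role: str, item: str, perm: str, acm: Acm = ACM) -> bool:
    """Does the role hold permission perm (R, W or D) on the menu item? Unknown
    roles or items get no access (default deny)."""
    return perm in acm.get(item, {}).get(role, set())

def writers(item: str, acm: Acm = ACM) -> List[str]:
    """Roles allowed to record or change data under the menu item."""
    return [r for r in ROLES if can(r, item, "W", acm)]

def sod_conflicts(items: List[str], acm: Acm = ACM,
                  exempt: frozenset = frozenset({"CFO"})) -> Dict[str, List[str]]:
    """Roles (except exempt ones) that can write more than one of the given
    transaction steps, i.e. one person could record two steps of the purchasing
    cycle. For the matrix as printed on the page this returns {}."""
    conflicts: Dict[str, List[str]] = {}
    for role in ROLES:
        if role in exempt:
            continue
        held = [i for i in items if can(role, i, "W", acm)]
        if len(held) > 1:
            conflicts[role] = held
    return conflicts
```

Running `sod_conflicts(TRANSACTIONS)` on the page's matrix returns an empty dict; giving the purchasing officer write access to receipts as well would surface that role as a conflict.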
See solution to entire case in separate file.