Informatica Economică vol. 14, no. 1/2010 21
Information Systems Audit for University Governance in Bucharest Academy of Economic Studies
Ion Gh. ROȘCA, Pavel NĂSTASE, Florin MIHAI
Bucharest Academy of Economic Studies
Today's successful audit leaders never lose sight of the importance of continually assessing and improving the organization's university governance structure. Focusing on small and large missions, and using practical exercises and individual activities, the auditors will help gain the skills necessary to review and improve the university governance structure, while developing techniques to assess risk management activities. Attendees will leave with an understanding of legal and regulatory guidelines as they pertain to university governance and discuss in-depth issues such as business ethics, transparency and disclosure, IT governance and university risk management. Identification, evaluation and management of university risks is an important element of the university governance system. Today, the Bucharest Academy of Economic Studies is in a complex process of building an integrated information system for university governance. This paper presents the main aspects of developing and implementing, in the current phase, an information systems audit that recognizes the risks and establishes the measures necessary to eliminate them.
Keywords: University Governance, IT Governance, IS Audit, Risks Management, Performance
1 Introduction
At the world level, an analysis of the main classifications in higher education shows that the high-performing universities are those that became entrepreneurial universities. These universities apply the concept of university governance, taken over from the business domain, where it is known as corporate governance.
As defined by different entities, university governance is the set of processes, customs, policies, laws, and departments affecting the way a university is directed, administered or controlled. University governance also includes the relationships among the many stakeholders involved and the goals for which the entity is governed. The principal stakeholders are the shareholders, management, and the board of directors. Other stakeholders include employees, customers, creditors, suppliers, students, professors, regulators, and the community at large. The overriding objective of the university should be to optimize over time the returns to its shareholders. Where other considerations affect this objective, they should be clearly stated and disclosed. To achieve this objective, the university should endeavor to ensure the long-term viability of its business, and to manage effectively its relationships with stakeholders. [1]
Many universities viewed business ethics only in terms of administrative compliance with legal standards and adherence to internal rules and regulations. Today the situation is different. Attention to business ethics is on the rise across the world and many entities realize that in order to succeed, they must earn the respect and confidence of their customers. Like never before, universities are being asked, encouraged and prodded to improve their business practices to emphasize legal and ethical behavior. Universities alike are being held increasingly accountable for their actions, as demand grows for higher standards of social responsibility.
Nevertheless, Information Technology Governance (IT Governance) [10] is the difference between success and failure in today's high-technology environment and it is an important part of university governance. Regulators, students and professors are increasingly concerned about the proper use of information and particularly personal data. Many organizations are identifying information as an area of their operation that needs to be protected through university governance plans as part of their system of internal control [7].
IT governance focuses on IT systems and their performance and risk management. It is a core resource to help those responsible for university governance and IT management generally to understand, direct and manage the IT governance and information security efforts within their organizations. Implementing a university governance regime will bring the organization into compliance with the needs of Sarbanes-Oxley and other key legislation. The myriad aspects of effective IT governance range from the provision of relevant books and standards, through to training (both classroom and computer-based) and consultancy [2].
The primary goals for information technology governance are to (1) assure that the investment in IT generates value, and (2) mitigate the risks associated with IT implementation. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications, infrastructure etc. [13].
It's virtually impossible to have too much transparency or education about IT governance. Transparency and education often go together: the more education, the more transparency, and vice versa. The more transparency of the governance processes, the more confidence in the governance [15].
The Information Systems Audit and Control Association (ISACA) IT governance status report for 2008 stressed that there was substantial room for improvement in the alignment between IT governance and overall governance. Moreover, research published by ISACA has shown that most organizations are not generating optimal value from their IT investments [11]. The most important factor in distinguishing between top-performing and substandard-performing organizations in both the private and public sectors is the level of leadership from business and senior managers in a handful of key IT decisions. This holds true for government departments as they must deliver, support and maintain successful IT projects and IT infrastructure if they are to provide their services to the public economically, efficiently and effectively [14].
Table 1. Audit objectives for IT governance
Major objectives:
– Implementing good practice
– Assessing existing controls, or controls to be introduced, such as common policy and processes [9], which include:
    – IT help desk amalgamation with common support processes
    – PC/desktop installation and deployment techniques
    – Information security
    – Software licensing
    – Virtualization of desktops, servers and data hosting
– Configuring key points for information security
– Reducing the frequency and/or impact of major incidents
Important objectives:
– Aligning to the internal security policy
– Integrating into the risk management program
– New requests appearing at each faculty level
– Growing the existing investments
Other objectives:
– Gaining competitive advantages
– New requests appearing at university level
– Responding to the pressure exerted by third entities (ministry, collaboration with other universities, suppliers, etc.)
– Obtaining a minimum cost
The objectives of this audit are to assess:
– the adequacy of Committee on Institutional Cooperation (CIC)'s IT governance structure; and
– the degree of alignment and integration between CIC's IT strategy and its business strategy.
Some universities have established the involvement of board-level executives in IT issues to defer all key decisions to the university's IT professionals.
The main objectives are presented in Table 1. In the light of work to date these objectives can be expanded to: review staffing, resources and processes for provision of IT services and aim to move to a situation where:
– Policy, standards and common operational processes are established once and implemented by all support services, faculties and departments.
– Resources for policy implementation are drawn from staff with appropriate skills, irrespective of their current location (i.e. establish matrix management to allow departmental IT support staff to participate in organization-wide, strategic projects) [18].
2 Methodology for university governance
University governance methodology involves at least six steps. This process first introduces the students to university governance. The investment staff then reviews the student's governance practices and, where necessary, develops a university governance improvement program with the student. Matrices, checklists, and other tools used in this process are tailored for each of the five paradigms (investee university model).
Step 1: First Impressions
– Form an initial view on whether university governance poses a special risk or a good opportunity for value-added.
– Select the governance paradigm (or combination of paradigms) to be applied to the university.
– Identify, if possible, specific issues that are likely to be priorities and whether there will be need for further resources from the University Governance Unit.
At the earliest practical stage in the project cycle, the investment staff should articulate their first impressions concerning the student's university governance. This will allow:
– the selection of the appropriate paradigm to use with the student.
– the IO to determine if the project requires a University Governance Review (UGR) or a Full University Governance Assessment (UGA).
Step 2: Student Self-Assessment
– Begin the dialogue with the student and introduce university governance methodology.
– Send the student the appropriate progression matrix and the explanatory note "Why University Governance?"
– Enable students to assess their own governance against the progression matrix.
Before a thorough university governance analysis of the university is conducted, the student should carry out its own assessment. This self-assessment not only encourages the student to "buy in" to the university governance dialogue, but can also act as the first step in the analysis.
Step 3: University Governance Analysis [6]
– Send the information request list to the student at least three weeks in advance of the on-site appraisal, so that all the necessary background information can be acquired by the appraisal team prior to the review of the university's governance. The information request list (and the delivery of responses from the student) should be coordinated with other parts of the investment team's legal and financial information gathering.
– Implement an on-site review of the governance of the university, assessing which approximate "level" is achieved in the five key areas of governance outlined on the progression matrices and clarifying any outstanding issues from the Information Request List.
– Decide whether the student needs to undertake a university governance improvement program.
The basic purpose of the university governance review is to acquire understanding about the university, with a view to identifying risk and opportunity and, if necessary, developing an improvement program.
Step 4: University Governance Improvement Program
– Prepare an analysis of the university's governance, highlighting areas for improvement and making proposals to address governance weaknesses.
– Develop a university governance improvement program with the student that is specifically tailored to the needs of the university.
– Agree with the client on a timetable and methods for the implementation of this program.
– Identify areas where assistance can be given to the university in its university governance improvement efforts even after the transaction has taken place.
If the university governance analysis identifies a need for an improvement program for the university, this program will be developed together with the owners and senior managers of the university. In developing a program, the investment staff can draw upon various university governance resources. In some cases, the program will be comprehensive, covering all five key areas of university governance. In other cases, the program will be more narrowly focused. For example, it will concentrate only on areas where risks or opportunities are identified, such as the board of directors or equitable treatment of shareholders.
Step 5: Documentation and Implementation
– Draft the operational documentation outlining the agreed improvement program, such as the Term Sheet, Loan Covenants or Shareholders Agreement.
– Decide upon the appropriate degree of legal enforceability of the program and what penalties, if any, are appropriate for the failure to implement the program.
– Identify any need for continuing assistance to the client after the disbursement.
To ensure a common understanding of the university governance improvement program and to assign clear accountability for its effective implementation, both the program and the timetable for its implementation should be appropriately documented. There is wide flexibility in the operational documentation that can contribute to this goal, including term sheets, loan covenants, and shareholders agreements.
Step 6: Supervision
– Use the Supervision Checklist to ensure the continuing adherence to the agreed university governance improvement program.
– Identify the need for further university governance assistance.
The staff responsible for the subsequent supervision of an investment should become well acquainted with the student's university governance improvement program in order to monitor its implementation and identify need for further assistance.
This process is designed to be conducted as an integral part of the appraisal for new investments. However, the methodology is flexible so that it can be adapted to other circumstances, such as supervision of and assistance to existing portfolio universities [17].
3 Collaborative University Governance in Economic domain
In 2005, at the initiative of managers from AES, the Association of Economic Faculties in Romania (AEFR, known as AFER) was founded. One of the major objectives of this association is to collaborate in managing university governance. In this context, some particularities regarding collaborative university governance are presented below.
Collaboration is required when multiple universities pursue complex goals that are difficult or impossible to attain for an individual one. This collaboration takes place under conditions of incomplete information, uncertainty, and bounded rationality, much of which has been previously studied in economics and artificial intelligence. However, many real world domains are characterized by even greater complexity, including the possibility of unreliable and non-complying collaborators, complex market and incentive frameworks, and complex transaction costs and organizational structures [21].
Collaborative and autonomous universities that plan, negotiate, coordinate, and act under this complexity aim to foster models of collaboration in distributed systems, addressing a range of theoretical and practical issues.
The main objectives for Collaborative University Governance are as follows:
– enable collaborative university to form and follow joint agreements and contracts in complex organizational and market driven domains.
– develop a comprehensive contractual formation/maintenance framework applicable to many application domains.
– build comprehensive customer lifecycle management systems for customers, including telecommunication consumers, students, professors and patients.
– deploy lifecycle management systems in real world applications, such as telecommunication and smart campuses [2].
– design markets that are adequate for students to act with incomplete and uncertain information of the behaviour of collaborating departments.
– the implications of partial regulation on the management of contractual relationships and service delivery.
– organizational structures influence students duties and the distribution/execution of tasks.
– cope with collaborators that exhibit unreliable and non-conformant behaviour, e.g. where agreements are made but are not always conformed with.
– can interventions and incentive structures assist in managing contractual relationships and service delivery.
– assign transaction costs to actions in planning, assignment, and execution in organizational structures.
– can transaction costs influence the social outcome of the system which is further influenced by the organizational context under which the collaboration takes place.
– can lessons learnt in game theoretic computation inform collaborative entity settings.
– role does learning and adaptively play in building organizational.
Strategic planning is about making conscious choices concerning the key drivers shaping your organization's future. Collaborative Strategies for University helps to improve performance by engaging students, professors, employees, planning strategy, and aligning capacity to reach outstanding results in organizational impact, capabilities, and relationships.
In many industries, on behalf of both for-profit and not-for-profit organizations such as AES, it raises strategic questions and collaborates with you to test hypotheses, find answers, and make decisions to fulfill the strategic vision. The practical approach emphasizes execution. It works to develop the metrics and define the milestones to guide successful implementation of the university plan.
The approach starts with effective diagnosis through data gathering, accurate analysis and targeted interviewing. It applies that assembled knowledge to collaborating with the leadership team to set a course for a desired future state and build commitment with key constituents. A clear strategy is developed and documented that identifies the key needs to be addressed in order to maximize the impact of your plan in the context of your vision and mission – addressing the markets or constituents you will serve; the products, services and programs you will offer; the sales and distribution methods you will employ; the differentiators that you will emphasize; and the capitalization that you will require [23].
This focused intent and attention to what matters most yields breakthrough success and significantly improves results. The strategic planning services help leaders take control of their organizations' destiny and secure valuable competitive advantages. The success as a collaborator for strategic planning is linked to long-term students (master, doctoral school) who consistently achieve and surpass their visions by devoting sufficient attention to defining desired results, then aligning people and resources to shape the future. Collaborative governance helps to define futures with strategies that develop exceptional people and systems, help attain leadership potential, enhance quality of life on campus, and advance the value and impact of the university.
Privately-held businesses face the complex issue of succession planning, both for company management and ownership. Likewise, not-for-profit organizations must address leadership succession to gain the full advantage of their strategic planning efforts. In both cases, leaders must tackle the challenging issues associated with succession planning and management. Decisions made and actions taken – or not taken – have long-term consequences for students, professors, employees, customers, suppliers, and the campus.
The work with students and professors establishes realistic succession and transition goals. The assistance in navigating the transition process maximizes achievement of goals and minimizes the financial, operational, and emotional risks. The comprehensive succession management services can help:
– Learn the principles of succession planning as they apply to your unique situation.
– Establish a clear succession vision for ownership, management, and the organization.
– Assess transition variables and options through a disciplined and informed process.
– Develop a comprehensive strategy and objective criteria for success.
– Find the win-win forms for purchase and valuation.
– Help create a comprehensive succession plan that separates ownership succession from management succession, a key variable for ensuring positive outcomes.
– Manage the efforts of the many specialists required to achieve a successful transition.
– Take universities to the "next level" in structure and management.
Early planning for succession strengthens universities operating in both the for-profit and not-for-profit sectors. Planning ahead of an immediate crisis offers the greatest flexibility and expands options. Smart planning and disciplined implementation make the difference between survival – or not. Jim Collins, author of Good to Great, reminds us that great leaders prepare for the time when they no longer will be at the helm [22].
4 IT governance model in Bucharest Academy of Economic Studies
The Bucharest Academy of Economic Studies is implementing a new IT governance model. Stage I of the implementation, with the overall direction by the Business and Administrative Systems Enhancement (BASE) Steering Committee, is focused on addressing the administrative needs of the university [4].
One of the key determinants of success of governance is the degree to which people understand the model. IT governance will evolve over time based on learning and experience and will extend the scope of governance beyond the administrative realm. In the near term, we will apply aspects of the governance model more broadly; however, for Stage I our priority is to ensure the success of administrative governance.
The IT Project Office plays a key role in the facilitation of governance through the stewardship of the methodology by which we identify, define, and deliver IT initiatives, and the provision of portfolio management support to the various governance bodies [5].
As part of the overall IT governance model, the IT Architecture and Standards Team is responsible for defining, designing and developing the overall solution architecture for the university. This architecture defines the role that various technical components such as Microsoft SQL Server, Enterprise Reporting, the Application Data Warehouse, and .Net applications play in meeting the information transaction and reporting needs of the University. Although clearly not as apparent from an application perspective, it extends to the entire supporting infrastructure required to provide a secure and dependable computing environment.
Partnering with units and faculties, the IT Architecture and Standards Team will work with the various delivery teams to apply existing, new and emerging technology to help support and improve business processes. They also will help to ensure interoperability with existing information systems and technology. As part of the overall IT governance model, this team will provide technical input and recommendations at the appropriate phases and gates as defined in the IT Definition and Delivery Methodology.
The mission of the Business Administrative Systems Enhancement (BASE) Governance Committee is to represent the interests of the various stakeholders to ensure that administrative processes and related IT solutions effectively support, and are responsive to, the evolving needs of the Core Mission of the University as presented in figure 1 (adapted from [20]).
Fig. 1. University Administrative scope (model)
In support of this mission BASE has defined the following principles:
– Resource allocation should be based upon the degree of alignment with institutional priorities.
– We need to target, measure, and assess our performance against those priorities.
– Our decision-making process needs to be focused on, and responsive to, the needs of our customer groups (students, researchers, faculty, staff, community) and compliance.
– Solutions should be integrated (end-to-end) with increased collaboration across former silos.
– Focus and resource allocation should be balanced on strategic, tactical, and operational issues.
– Our preference is to focus on and resolve root causes rather than symptoms.
– Solutions must be delivered and maintained in a sustainable, secure manner that supports the availability and capacity needs of the University.
– We want to assist our customer stakeholders in the transition from task-focused to value-added knowledge work.
– Focus should be on reducing the number of steps within processes (especially for higher-frequency processes).
– We will adopt a continuous improvement approach towards governance.
– Management at all levels needs to support the governance model.
The BASE Steering Committee defined a number of risks to our administrative capabilities. Using the same method of risk assessment used for Enterprise Risk Management, the BASE Steering Committee evaluated the priority of the various risks [3]. While all of the risks are of significant importance to warrant attention, BASE identified several that should be given priority for attention in the near term. The risks defined by BASE are as follows: research noncompliance, can't support student needs, failure to support key business processes due to systems availability and support, poor data quality/timeliness, action by external bodies, provincial auditor non-compliance, poor donor reporting, faculty loss due to administrative frustration, staff loss due to administrative frustration, research loss due to administrative frustration, administrative inefficiencies, cost of systems duplication, system misuse and fraud, liability to support systems growth, systems failure in event of disaster, inability to attract/retain IT staff, security breach and others.
5 Information System audit for risks management in Bucharest Academy of Economic Studies (AES)
Understanding and managing risk is an inherent part of the business process. In order for your university to survive and maintain a competitive advantage, it must take planned risks that will be rewarded with profit and growth. By confronting the risks that await the university before they become a threat, it gains the clarity to formulate effective controls that will offset the danger that they pose. With compliance initiatives such as the Sarbanes-Oxley Act (SOX), BASEL II, and ISO, it has become imperative that a university models its controls to ensure a transparent audit trail. Without an effective tool to help manage risk and controls, the compliance audit process becomes an obstacle to your business [16].
Risk management allows business owners to include risks in their business strategy. By conceiving of the risks related to business activities, the university can focus on preventative rather than reactive risk management. By looking at risk management in terms of processes, a business can use known risks to its advantage, while offsetting the threat that they pose with specific controls. Risks no longer become threats, but planned activities in the business process. This brings the added benefit of maintaining a clear repository of risks and controls and how they are related to the business process management along the dimensions of time and ownership. Coupled with a reporting tool, the entity can achieve compliance with as little hassle as possible.
Overall, regarding the conditions for elaborating, editing and archiving electronic documents, the following must be observed:
– From the database point of view, it must be possible to back up and restore the documents at any time;
– Document archives on WORM (Write Once Read Many) media must be signed by the persons who create the archive, as required by Law 455/2001 regarding the electronic signature;
– There must be a security plan for information systems with technical and organizational measures to assure the following minimal requirements:
a) Confidentiality and integrity of communications;
b) Confidentiality and nonrepudiation of transactions;
c) Confidentiality and data integrity;
d) Restriction, detection and monitoring of access to the system;
e) Restoring information managed by the system after natural causes or other unknown events, as follows:
    – archiving the data using WORM technology, which allows writing once and multiple accesses to the saved data;
    – recording the data from documents in real time, from one system to another with the same configuration placed at another site.
– It must be possible to print all the documents when there is a request.
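An auditor can test the backup/restore and signed-archive requirements listed above by sealing a manifest of document hashes at archive time and re-checking it against a restored copy. The following is an added example, not part of the original paper: the file names, key and archivist identifier are constructed, and an HMAC stands in for the archivist's electronic signature under Law 455/2001, which in production would be a certificate-based signature.

```python
"""Added example: seal a document archive, then audit a restored copy."""
import hashlib
import hmac
import json

# Constructed sample data: names, contents and key are illustrative only.
SAMPLE_DOCS = {
    "senate-decision-014.pdf": b"%PDF-1.4 constructed sample body A",
    "payroll-2009-12.csv": b"id,amount\n1,100\n2,250\n",
    "exam-register-fin.xml": b"<register><row id='1'/></register>",
}
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _digest(data):
    """SHA-256 of one document body, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def _seal(archivist, entries, key):
    """Keyed seal over the archivist identity and every document hash.

    Assumption: HMAC-SHA256 is a stand-in for the archivist's electronic
    signature; it proves integrity to key holders, not nonrepudiation.
    """
    # Canonical JSON so the same manifest always yields the same seal.
    payload = json.dumps({"archivist": archivist, "entries": entries},
                         sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def seal_archive(documents, archivist, key):
    """Build the manifest stored next to the documents on the WORM volume."""
    entries = {name: _digest(documents[name]) for name in sorted(documents)}
    return {"archivist": archivist, "entries": entries,
            "seal": _seal(archivist, entries, key)}


def verify_restore(manifest, restored, key):
    """Audit a restored copy: seal validity plus per-document findings."""
    expected = _seal(manifest["archivist"], manifest["entries"], key)
    report = {
        "seal_valid": hmac.compare_digest(expected, manifest["seal"]),
        "missing": [],
        "altered": [],
        # Files present in the restore that were never archived.
        "unexpected": sorted(set(restored) - set(manifest["entries"])),
    }
    for name, digest in manifest["entries"].items():
        if name not in restored:
            report["missing"].append(name)
        elif not hmac.compare_digest(_digest(restored[name]), digest):
            report["altered"].append(name)
    report["ok"] = (report["seal_valid"] and not report["missing"]
                    and not report["altered"] and not report["unexpected"])
    return report


def demo():
    """Return audit reports for a clean restore and a damaged one."""
    manifest = seal_archive(SAMPLE_DOCS, "archivist-01", DEMO_KEY)
    clean = verify_restore(manifest, SAMPLE_DOCS, DEMO_KEY)
    damaged = dict(SAMPLE_DOCS)
    damaged["payroll-2009-12.csv"] = b"id,amount\n1,100\n2,9999\n"  # edited
    del damaged["exam-register-fin.xml"]                            # lost
    damaged["notes.txt"] = b"stray file"                            # extra
    return clean, verify_restore(manifest, damaged, DEMO_KEY)


if __name__ == "__main__":
    for label, report in zip(("clean restore", "damaged restore"), demo()):
        print(label, json.dumps(report, indent=2))
```

Because the seal covers the archivist identifier as well as the hashes, changing either one in the manifest without the key makes `seal_valid` false even when every restored file matches.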
To identify risk factors, an IT audit mission was carried out over the information system of the Bucharest Academy of Economic Studies, where the risks were calculated with the Mehari method – Clusif Fr [12], and the results are in Table 2.
Table 2. Risks assessment at the university level in IT governance
No. Risks factors Risk a s-
sessment Risk
Value Observations
1. Organization low 1.04 The low level of the risk is because the efficiency of the specify
personnel responsibilities; maintain a contact with different o r-
ganizations, other entities, to solve very quickly any problem.
2. Sites low 0.5 The access in the sites is realized at the person level and less by
activity. Also, there are small problems regarding the access in
restricted sites because of the inexistence of special lists of auth o-
rized personnel.
In the university there is no monitories center even if in the inte r-
nal security policy there is mentioned such a s ystem to monitories
24 h by 24. The System is partial integrated in some buildings,
but not all.
3. Premises low 0.96 In generally, the level risk is low because of existing controls
(key, card, intrusion detection systems, guard)
Problems were found on the power sector. There are no measures
for losing data and information during technical problems at ge n-
eral level, just on local level.
4. Extended
Network (i n-
ter-sites) medium 2.15 University has equipment with license and there is a permanent
contact with suppliers for technical support.
A very good protection is accorded to backup and recovery plans
where the access is restricted.
5. Local Area
Network
(LAN) medium 2.34 It was taking to account the initiation of procedures to grow the
network safety by implement firewall and filters.
Frequent problems appear at equipment service with warranty,
which is done superficial and very slowly, from one to six month.
6. Network
Operations low 1.07 There are missing documents to report some data, there are no
training.
Inexistence of some explicit rules regarding how to add new a p-
plication tools do that employees not respect rules verbal co m-
municate.
7. Security of
Systems A r-
chitecture low 0.8 There are superficial tests to demonstrate performance equipment
security.
8. IT Produ c-
tion Env i-
ronment medium 2.25 There are missing trainings for risks analysis and procedures and
also rules regarding software installation.
All documents are secures.
9. Application
Security high 3.15 The access to the computer and to the applications is done by user
and password, incorrect introducing of these induces temporary
invalid state.
10. Security of
Application
Projects and
Develo p-
ments medium 2.77 There are problems regarding not apply support, of the projects
where security employees are not present.
Management takes into account the application continuity de p-
loyment plans, with equal responsibilities between specialists
avoiding segregation of duties for one person.
11. Work Environment medium 2.08 Physical: The security method applied at present, guards in fixed places, is inefficient and must be replaced with an automatic surveillance system with walking guards.
There is no register for recording data about visitors.
Logical: The entity has a security policy and procedures for protection against virus attacks and takes into account the need to update the antivirus applications and system patches.
12. Legal and Regulatory high 3.43 The software is licensed; control over this software is carried out regularly.
Managers understand the importance of keeping for a long time the applications that use this software, and also of controlling them to avoid modifications made by ill-intentioned employees.
Analyzing the partial risks gives a general risk level of 1.93. The risk level across the entire university is low because management has implemented control measures to reduce the IT risks and/or elaborated different measures to minimize the impact of the threats and vulnerabilities of the system.
Because the risk values were low on average, a general reorganization is not necessary; reorganization is needed only in the areas where the risk is higher than 1.93, the general risk value of the university (taken as the materiality level, if this were calculated from the risks alone):
4. Extended Network: the risk level is 2.15, a medium risk
5. Local Area Network (LAN): the risk is medium, at 2.34
8. IT Production Environment: the risk is medium, at 2.25
9. Application Security: the risk is 3.15, a high risk
10. Security of Application Projects and Developments: the risk is 2.77, medium
11. Work Environment: the risk is 2.08, medium
12. Legal and Regulatory: the risk is high, at 3.43.
The exact reorganization proposal will be elaborated in a future study, as this paper presents only a few general conclusions.
6 Conclusions
To improve university governance it is necessary to:
- Schedule regular meetings of the non-executive board members from which the director and the other executives are excluded. Non-executives are there to exercise “constructive dissatisfaction” with the management team. They need to discuss collectively and frankly their views about the performance of the executives, the strategic direction of the university and worries about areas where they feel inadequately briefed;
- Explain fully how discretion has been exercised in compiling the earnings and profit figures. These are not as cut and dried as many would imagine. Assets such as brands are intangible, and with financial practices such as leasing common, a lot of subtle judgments must be made about what goes on or off the balance sheet. Disclosure must be used to win trust, not to hide;
- Initiate a risk-appetite review among non-executives. At the root of most university failures are ill-judged management decisions on risk. Non-executives need not be risk experts. But it is paramount that they understand what the university’s appetite for risk is and accept or reject any radical shifts;
- Check that non-executive directors are independent. Weed out members of the controlling family or former employees who still have links to people in the university. Also raise awareness of “soft” conflicts. Are there payments or privileges such as consultancy contracts, payments to favorite charities or sponsorship of arts events that impair non-executives’ ability to rock the boat?
- Audit non-executives’ performance and that of the board. The attendance record of non-executives needs to be discussed and an appraisal made of the range of specialist skills. The board should discuss annually how well it has performed;
- Broaden and deepen disclosure on university websites and in annual reports. Websites should have a university governance section containing information such as procedures for getting a motion into a proxy ballot. The level of detail should ideally include the attendance record of non-executives at board meetings. If you have global aspirations, an English-language version must be available [8];
- Lead by example, reining in a university culture that excuses cheating. Don’t indulge in sharp practice yourself – others will take this as a green light for them to follow suit. If the university culture has been compromised, or if loose practices on booking revenues and expenditure are sometimes tolerated, a few high-profile decisions that signal change must be taken;
- Find a place for the grey and cautious employee alongside the youthful and visionary one. Hiring thrusting MBAs will skew the culture towards an aggressive, individualist outlook. Balance this with some wiser, if duller heads – people who have seen booms and busts before, value probity and are not in so much of a hurry;
- Make compensation committees independent. University executives should be prevented from selling shares in their entity while they head them. Share options should be expensed in established universities – cash-starved start-ups may need to be more flexible;
- Don’t avoid risk. No doubt university governance would be a lot simpler if universities were totally risk averse. But in the words of Helmut Maucher, honorary chairman of
Nestlé, “You have to accept risks. Those who
avoid them are taking the biggest risk of all.”
[19]
References
[1] I. Gh. Roșca, B. Ghilic-Micu and M. Stoica, “Informational Trends for Organizations in Information Society,” Economic Information Journal, Vol. XI, No. 1, 2007, pp. 21-26.
[2] P. Năstase (coordinator), A. Eden, V. Stanciu, F. Năstase, G. Popescu, M. Gheorghe, D. Băbeanu, D. Boldeanu and A. Gavrilă, “Information systems audit and control,” Economic Publishing House, 2007, pp. 53-90.
[3] P. Năstase and F. Năstase, “Risk Management for e-Business,” Economic Information Journal, Vol. XI, No. 3, 2007, pp. 56-59.
[4] P. Năstase and F. Năstase, “Information Security Audit in e-business applications,” Economic Information Journal, Vol. XI, No. 1, 2007, pp. 79-87.
[5] P. Weill and J. W. Ross, “IT Governance: how top performers manage IT decision rights for superior results,” Harvard Business School Press, 2004, pg. 25.
[6] J. L. Colley, Corporate Governance, 2003, pg. 91.
[7] R. A. G. Monks and N. Minow, Corporate Governance, 2008, pg. 295.
[8] C. Paradeise, E. Reale, I. Bleiklie and E. Ferlie, “University Governance: Western European Comparative Perspectives,” Springer Publishing House, 2009.
[9] M. Wallace and L. Webber, IT Governance Policies & Procedures 2009, 2008.
[10] W. Van Grembergen, Strategies for information technology governance, 2004.
[11] http://www.isaca.org
[12] http://www.clusif.fr
[13] http://www.apru.org/activities/cio/ITGovernanceNov19-09.pdf
[14] http://www.cic.gc.ca/EnGLish/resources/audit/governance.asp#governance
[15] http://www.itgovernance.co.uk/default.aspx
[16] http://www.interfacing.com/Compliance
SOX-ISO-BASEL-Six-Sigma-Risk/Risk
[17] http://www.ifc.org/ifcext/CorporateGovernance.nsf/content/Six_Steps
[18] http://www.theiia.org/training/index.cfm?act=seminar.detail&semID=153
[19] http://www.nfcgindia.org/WhitepaperonCorporateGovernancebyKPMG.pdf – Economist Intelligence Unit sponsored by KPMG International
[20] http://www.ucalgary.ca/pmo/itgovernance/model
[21] http://www.csse.monash.edu.au/~xtg/CARE2010/
[22] http://www.getcollaborative.com/services/strategicPlanning.php
[23] http://www.isaca.org/Template.cfm?Section=Strategy1&Template=/ContentManagement/ContentDisplay.cfm&ContentID=50408
Ion Gh. ROȘCA is a professor at the Academy of Economic Studies, Bucharest. Since 2004 he has been the Rector of the university. He has taught computer programming and ICT. He is the author of more than 30 textbooks. His research domains are: knowledge society, e-business, project management, and GRID systems. He has published 11 books and more than 50 papers.
Professor Pavel NĂSTASE, PhD, graduated from the Bucharest Academy of Economic Studies (ASE), Faculty of Economic Cybernetics, and from the University of Bucharest, Faculty of Mathematics. He has over 33 years of experience in higher education and scientific research at the Bucharest Academy of Economic Studies, which has resulted in: 14 books and university courses, over 30 articles and studies published in the journals of international scientific conferences or in professional journals, rated by CNCSIS in the category B+, indexed in international databases, among them 3 articles are ISI rated. Areas of professional competence are: Technology of databases, Technology of Web applications, Managerial expert systems, Management information systems, Information systems audit, E-learning. He has occupied prestigious positions both academic and administrative such as: vice-dean, dean of faculty, vice-rector. He is an expert accountant, member of the Body of Expert and Licensed Accountants of Romania (CECCAR) and financial auditor,
member of the Chamber of Financial Auditors of Romania (CAFR). At international level he is a member of some prestigious professional associations such as: Information Systems Audit and Control Association (ISACA – http://www.isaca.org), International Association for Accounting Education and Research (IAAER – http://www.iaaer.org), member of the editorial board of the international journal “International Journal of Accounting and Information Management” (IJAIM), member of the Academy of Economic and Financial Studies and Sciences from France. Since 2010, he has been an expert at the European Association for Quality Assurance in Higher Education.
Florin MIHAI is a professor at the Academy of Economic Studies Bucharest, Faculty of Accounting and Management Information Systems. He graduated from the Faculty of Accounting and Management Information Systems of the Academy of Economic Studies Bucharest. Competence areas: information technology and communications, web technologies, e-business, information systems audit, business intelligence, knowledge management and artificial intelligence. He is vice dean of the Faculty of Accounting and Management Information Systems of the Academy of Economic Studies.
