
AUDITING IT GOVERNANCE CONTROLS

Topics:
• IT Governance
• IT Structure
• Computer Center
• Disaster Recovery Plan
• IT Outsourcing

Objectives of IT governance:
• Reduce risk
• Support corporate governance
• Ensure that IT resources add value

INFORMATION TECHNOLOGY GOVERNANCE
• Corporate stakeholders participate in key IT decisions
• A central control area is the organizational structure of the IT function

IT Governance Controls

1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
STRUCTURE OF THE IT FUNCTION
• Centralized Data Processing
• Distributed Data Processing

Centralized Data Processing
• IT is a shared organization resource
• Operated as a cost center

Primary Service Areas of a Centralized IT Structure:
• Database Administration
• Data Processing
• Systems Development and Maintenance
Organizational structure of the IT function

I. Database Administration
• Centrally organized companies maintain their data resources in a central location that is shared by all end users.
Organizational structure of the IT function

II. Data Processing
a. Data Conversion
b. Computer Operations
c. Data Library

a. Data Conversion
• Transcribes transaction data from hard-copy source documents into computer input.
b. Computer Operations
• The electronic files produced by data conversion are processed by the central computer.
c. Data Library
• A room adjacent to the computer center.
• Provides safe storage for the off-line data files.
Organizational structure of the IT function

III. Systems Development and Maintenance
• Analyzes user needs and designs new systems.
• Three participants: systems professionals, end users, and stakeholders.
Segregation of Incompatible IT Functions
✔ Transaction authorization from transaction processing
✔ Record keeping from asset custody
✔ Division of transaction processing tasks
Organizational structure of the IT function

Separating Systems Development from Computer Operations
• Systems development and maintenance professionals should create and maintain systems for users, and should have no involvement in entering data or running applications.
Organizational structure of the IT function

Separating Database Administration from Other Functions
• The DBA function is responsible for a number of critical tasks pertaining to database security and must be segregated from other computer center functions.
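One way an auditor can test the segregation rules above against an access listing, as an added example that is not part of the original slides: the incompatible pairs are taken from the rules stated here (authorization vs. processing, record keeping vs. custody, development and maintenance vs. operations, DBA vs. other functions, new development vs. maintenance); the role names and the sample assignments are constructed for illustration.

```python
# Added example (not from the original slides): flag users whose assigned IT
# roles combine duties that the segregation rules say must be kept apart.
# Role names and the sample access listing below are constructed.
from itertools import combinations

# Each frozenset is a pair of duties that must not sit with one person.
INCOMPATIBLE_ROLES = {
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"record_keeping", "asset_custody"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_maintenance", "computer_operations"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
}

def find_sod_conflicts(assignments):
    """Return {user: [(role_a, role_b), ...]} for every user who holds two
    roles that the segregation rules treat as incompatible."""
    conflicts = {}
    for user, roles in assignments.items():
        hits = []
        for a, b in combinations(sorted(set(roles)), 2):
            if frozenset({a, b}) in INCOMPATIBLE_ROLES:
                hits.append((a, b))
        if hits:
            conflicts[user] = hits
    return conflicts

# Constructed sample access listing, as an auditor might pull from an IAM export.
SAMPLE_ASSIGNMENTS = {
    "alice": ["systems_development", "computer_operations"],
    "bob":   ["database_administration"],
    "carol": ["record_keeping", "asset_custody", "transaction_processing"],
    "dave":  ["new_systems_development"],
}

if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for a, b in pairs:
            print(f"{user}: holds both {a} and {b}")
```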
Control Problems:
1. Inadequate Documentation
2. Program Fraud

Organizational structure of the IT function

Inadequate Documentation
• Reasons:
• Documenting systems is not as interesting as designing, testing, and implementing them.
• Job security: a poorly documented system is harder for anyone else to take over.
Organizational structure of the IT function

Program Fraud
• Making unauthorized changes to program modules for the purpose of committing an illegal act.
• Inserting fraudulent code.

A Superior Structure for Systems Development
• The systems development function is separated into two different groups: new systems development and systems maintenance.
• The new systems development group is responsible for designing, programming, and implementing new systems projects.
• The responsibility for the system's ongoing maintenance then falls to the systems maintenance group.
Distributed Data Processing (DDP)
• Reorganizing the central IT function into small IT units that are placed under the control of end users.
• IT units may be distributed according to business function, geographic location, or both.
Organizational structure of the IT function

Risks Associated with DDP
1. Inefficient use of resources
• Mismanagement
• Operational inefficiencies
• Incompatible hardware and software
2. Destruction of audit trails
3. Hiring qualified personnel
4. Lack of standards
• Standards for system development
• Choosing programming languages
• Acquiring hardware and software

Advantages of DDP
1. Cost reductions
2. Improved cost control responsibility
3. User satisfaction
4. Backup flexibility
THE COMPUTER CENTER
❖ The objective of this section is to present computer center risks and the controls that help to mitigate risk and create a secure environment.

Considerations:
► man-made threats and natural hazards
► underground utility and communications lines
► air conditioning and air filtration systems
► access limited to operators and computer center workers; others required to sign in and out
► fire suppression systems installed
► fault tolerance
► redundant disks and other system components
► backup power supplies
THE COMPUTER CENTER
❖ Fault Tolerance
The ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.

Examples of fault tolerance technologies:

1. Redundant Arrays of Independent Disks (RAID)
Involves using parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.
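A minimal simulation of the parity redundancy that makes the RAID reconstruction described above possible, as an added example that is not part of the original slides: each stripe holds one XOR parity chunk whose position rotates across disks as in RAID 5, and losing any one disk leaves enough information to rebuild it exactly. The disk count, chunk size and payload are constructed values.

```python
# Added example (not from the original slides): single-parity RAID-style
# striping with rotating parity, plus rebuild of a failed disk from survivors.
from typing import List, Optional

def xor_chunks(chunks: List[bytes]) -> bytes:
    """XOR an equal-length list of chunks together (the parity operation)."""
    acc = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            acc[i] ^= b
    return bytes(acc)

def build_array(data: bytes, n_disks: int, chunk: int) -> List[List[bytes]]:
    """Stripe data over n_disks - 1 data chunks plus one XOR parity chunk per
    stripe; the parity position rotates as in RAID 5. disks[d][s] -> chunk."""
    if n_disks < 3:
        raise ValueError("need at least two data disks and one parity disk")
    per_stripe = chunk * (n_disks - 1)
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s, off in enumerate(range(0, len(data), per_stripe)):
        block = data[off:off + per_stripe].ljust(per_stripe, b"\0")
        chunks = [block[i:i + chunk] for i in range(0, per_stripe, chunk)]
        parity, p, it = xor_chunks(chunks), s % n_disks, iter(chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(it))
    return disks

def reconstruct(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Rebuild disk `failed` (given as None) by XOR-ing, stripe by stripe, the
    chunks on every surviving disk. Works whether the lost chunk was data or
    parity: parity = XOR(data) means any one chunk = XOR(all the others)."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_chunks([d[s] for d in survivors]) for s in range(len(survivors[0]))]

def read_data(disks: List[List[bytes]], n_bytes: int) -> bytes:
    """Read the logical data back, skipping the parity chunk in each stripe."""
    n, out = len(disks), bytearray()
    for s in range(len(disks[0])):
        out += b"".join(disks[d][s] for d in range(n) if d != s % n)
    return bytes(out[:n_bytes])

def demo(failed: int = 1) -> bool:
    """Simulate losing one disk and check that the rebuild is exact."""
    payload = b"ledger-stripe-sample-data-for-raid-demo"  # constructed sample
    disks = build_array(payload, n_disks=4, chunk=4)
    degraded = disks[:failed] + [None] + disks[failed + 1:]
    rebuilt = reconstruct(degraded, failed)
    healthy = disks[:failed] + [rebuilt] + disks[failed + 1:]
    return rebuilt == disks[failed] and read_data(healthy, len(payload)) == payload

if __name__ == "__main__":
    print("rebuild ok for every disk:", all(demo(f) for f in range(4)))
```

Single parity tolerates exactly one failed disk per stripe, which is why the audit test below asks whether the RAID level matches the business risk of disk failure.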
THE COMPUTER CENTER
….Fault Tolerance

2. Uninterruptible Power Supply (UPS)
The backup power allows the computer system to shut down in a controlled manner without losing data and prevents corruption.
Computer Center Audit Objectives:
❖ Physical security controls are adequate to reasonably protect the organization from physical exposures.
❖ Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.
Computer Center Audit Procedures:

1. Tests of Physical Construction
✔ The auditor should obtain architectural plans to determine that the computer center is solidly built of fireproof material.
✔ Adequate drainage
2. Tests of the Fire Detection System
✔ Manual and automatic fire detection and suppression equipment are in place and tested regularly.
3. Tests of Access Control
✔ Access to the computer center is restricted to authorized employees.
4. Tests of RAID
✔ Determine if the level of RAID in place is adequate for the organization, given the level of business risk associated with disk failure.
5. Tests of the Uninterruptible Power Supply
✔ Periodic tests of the backup power supply should be performed.
✔ As a firm's computer systems develop and its dependency on them increases, backup power needs are likely to grow proportionally.
6. Tests for Insurance Coverage
✔ Review insurance coverage on hardware, software, and the physical facility.
DISASTER RECOVERY PLANNING
This is a comprehensive statement of all actions to be taken before, during, and after any type of disaster.

Types of disaster:
• Natural: fire, flood, tornado
• Human-made: sabotage, error
• System failure: power outage, drive failure, crash/lock
Four Essential Elements:

1. Identify Critical Applications
2. Create a Disaster Recovery Team
3. Provide Site Backup
4. Specify Backup and Off-site Storage Procedures

Identify Critical Applications
Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization.

Example:
• Customer sales and service
• Fulfillment of legal obligations
• Accounts receivable maintenance and collection
• Production and distribution decisions
• Purchasing functions
• Cash disbursements (trade accounts and payroll)

Creating a Disaster Recovery Team
Creating a recovery team avoids serious omissions or duplication of effort during implementation of the contingency plan; task responsibilities must be clearly defined and communicated to the personnel involved.
Disaster Recovery Team
• DRP Team Coordinator: VP Operations
• Second-Site Facilities Group: DP Manager, Plant Engineer, Computer Operations Manager, Teleprocessing Manager
• Program and Data Backup Group: Systems Development Manager, Systems Maintenance Manager, Senior Systems Programmer, Senior Maintenance Programmer, User Department Representative, Internal Audit Representative
• Data Conversion and Data Control Group: Data Control Manager, Data Conversion Manager, Data Conversion Shift Supervisor, User Departments Representative, Internal Audit Representative
Providing Second-Site Backup
MUTUAL AID PACT
Agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster.
EMPTY SHELL or Cold Site
Arrangement wherein the company buys or leases a building that will serve as a data center.
RECOVERY OPERATIONS CENTER (ROC) or Hot Site
A fully equipped backup data center that many companies share.
INTERNALLY PROVIDED BACKUP
Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides. It permits the firm to develop standardized hardware and software configurations.
Backup and Off-site Storage Procedures
All data files, applications, documentation, and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.

• Operating System Backup
• Application Backup
• Backup Data Files
• Backup Documentation
• Backup Supplies and Source Documents
• Testing the Disaster Recovery Plan (DRP)
Outsourcing the IT Function
Benefits of Outsourcing:
• Improved core business performance
• Improved IT performance
• Reduction of IT costs

IT Outsourcing
= follows from core competency theory, which argues that an organization should focus exclusively on its core business competencies while allowing outsourcing vendors to efficiently manage the non-core areas; the theory distinguishes between commodity and specific IT assets

Commodity IT assets
= not unique to an organization and easily acquired in the marketplace

Specific IT assets
= unique to the organization and support its strategic objectives
= have little value outside their current use

Transaction Cost Economics (TCE) Theory
= conflicts with core competency theory: suggests the firm should retain certain specific non-core IT assets in house
= supports the outsourcing of commodity assets, which are easily replaced or obtained from alternative vendors

Risks Inherent to IT Outsourcing
1. Failure to perform
= the negative implications of outsourcing specific IT assets are illustrated by the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS)
2. Vendor exploitation
= involves transferring to a vendor "specific assets" such as the design, development, and maintenance of unique business applications that are critical to an organization's survival
3. Outsourcing costs exceed benefits
= unexpected costs arise and expected benefits are not realized
4. Reduced security
= when corporate financial systems are developed and hosted overseas, and program code is developed through interfaces with the host company's network
5. Loss of strategic advantage
= due to incongruence between IT strategic planning and the firm's business planning

Audit Implications of IT Outsourcing
Management may outsource its organization's IT function, but it cannot outsource its management responsibility to maintain effective internal control over financial reporting.
