Auditing It Governance Controls Compress
Three IT governance issues addressed by SOX and the COSO internal control framework:
o Organizational Structure of the IT function
o Computer Center Operations
o Disaster Recovery Planning
Database administrator
Centralized location for maintaining data resources
DBA is responsible for security and integrity of database
Data Processing:
Manages resources used to perform day-to-day processing of transactions
Data preparation/conversion
Computer operations
Data library (storage of off-line data files)
System Maintenance
Assumes responsibility for keeping developed systems operational and in line with current user needs
They may make changes in program logic to accommodate shifts in user needs over time
FIC-4030-INFORMATION SYSTEMS AUDITING-03-IT GOVERNANCE BCHESOLI 10/5/2016 12
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
Delegating these DBA responsibilities to others who perform incompatible tasks threatens database integrity
The DBA function should be independent of operations, systems development and maintenance
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
Segregate Systems Development from Maintenance
o This is a better organizational structure
o Two types of improvements from this approach:
o Better documentation standards
o Necessary for transfer of responsibility
o Deters fraud by
Denies the original programmer future access to the program
If fraudulent code was introduced at development, it is likely to be discovered during maintenance
Greater possibility of being discovered
o The success of this control depends on the existence of other controls that limit, prevent and detect unauthorized access to programs (such as source code)
DISTRIBUTED MODEL
Alternative B: Decentralized/Network
o Significant departure from the centralized model
o Distributes all computer services to end users, where they operate as stand-alone units.
o The result is the elimination of the central IT function from the organizational structure
o The network permits communication and data transfers between the units
o All data processing tasks are moved to end-user areas
DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP
Focuses on the important issues that carry control implications that auditors should recognize
Potential problems include:
1. Inefficient use of resources
2. Destruction of audit trails
3. Inadequate segregation of duties
4. Difficulty hiring qualified professionals
5. Lack of standards
DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP
Audit objectives:
Conduct a risk assessment to:
o Verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment
Formal rather than casual relationships need to exist between incompatible functions
o Verify the distributed IT units employ entity-wide standards of performance that promote compatibility among hardware, operating software, applications, and data
IT FUNCTION AUDIT
Audit procedures:
Verify corporate policies and standards are communicated
Review relevant documentation, including the current organization chart, mission statement and key job descriptions, to determine if any incompatible duties exist
o Verify compensating controls are in place where incompatible duties do exist and segregation is economically infeasible
Review systems documentation and maintenance records for a sample of applications. Verify maintenance programmers assigned to specific projects are not also the original design programmers
IT FUNCTION AUDIT
Audit procedures:
Verify access controls are properly established
Verify that computer operators do not have access to the operational details of a program's logic
Systems documentation such as flowcharts and program code listings should not be part of the operator's documentation
Through observation, determine that the segregation policy is being followed in practice
e.g. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures
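The two procedures above (maintenance programmers must not be the original designers; programmer entries to the operations room should be explained by system failures) expressed as audit tests over extracted records. This is an added example, not material from the lecture; the assignment tables, badge log and failure tickets are constructed, and the two-hour correlation window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the lecture): design and maintenance
# assignments per application, operations-room badge entries, and the
# system-failure tickets that should explain any programmer entry.
DESIGN_ASSIGNMENTS = {"GL": {"alice", "bob"}, "AR": {"carol"}, "PAY": {"dave"}}
MAINT_ASSIGNMENTS = {"GL": {"erin"}, "AR": {"carol"}, "PAY": {"frank", "dave"}}
PROGRAMMERS = {"alice", "bob", "carol", "dave", "erin", "frank"}
BADGE_LOG = [  # (timestamp, badge holder, door)
    ("2016-10-05 09:12", "carol", "OPS-ROOM"),
    ("2016-10-05 14:40", "erin", "OPS-ROOM"),
    ("2016-10-05 14:45", "ops1", "OPS-ROOM"),
    ("2016-10-06 02:05", "frank", "OPS-ROOM"),
]
FAILURE_TICKETS = [("2016-10-06 01:50", "PAY batch abend")]
FMT = "%Y-%m-%d %H:%M"


def design_maintenance_conflicts(design, maint):
    """(app, programmer) pairs where someone maintains an application
    they also originally designed: a segregation-of-duties exception."""
    return sorted(
        (app, p) for app in maint for p in maint[app] & design.get(app, set())
    )


def unexplained_programmer_entries(badge_log, tickets, window_hours=2):
    """Programmer entries to the operations room that do not fall within
    `window_hours` (an assumed window) after a logged system failure.
    Each one needs a documented reason, otherwise the segregation policy
    is not being followed in practice."""
    failures = [datetime.strptime(ts, FMT) for ts, _ in tickets]
    window = timedelta(hours=window_hours)
    flagged = []
    for ts, who, door in badge_log:
        if who not in PROGRAMMERS or door != "OPS-ROOM":
            continue
        when = datetime.strptime(ts, FMT)
        if not any(f <= when <= f + window for f in failures):
            flagged.append((ts, who))
    return flagged


if __name__ == "__main__":
    print(design_maintenance_conflicts(DESIGN_ASSIGNMENTS, MAINT_ASSIGNMENTS))
    print(unexplained_programmer_entries(BADGE_LOG, FAILURE_TICKETS))
```

The exceptions these tests return are the starting point for inquiry, not findings in themselves: each entry still has to be corroborated against change records or a documented reason for the visit.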
THE COMPUTER CENTER
5. Fire suppression
Fire is the most serious threat. An organization can go out of business due to the destruction of critical records and equipment
The fire suppression system should have:
o Automatic and manual alarms at strategic locations, with sound and visible lights. Alarms should be connected to permanently staffed fire-fighting stations
o Automatic fire extinguishing equipment (with a power-off switch) that uses the correct type of suppressant, one that does not destroy the equipment
o Spraying water or certain chemicals on a computer destroys and damages it just as the fire would. A gas such as Halon, which smothers the fire by removing oxygen, can also be lethal and damage the environment
o Make sure your detection system is tuned not to react to possible false alarms caused by other components in your data center
o Manual fire extinguishers should be placed at strategic locations
o Fire exits clearly marked and illuminated during a fire
THE COMPUTER/DATA CENTER
6. Power supply
o Need for clean power at an acceptable level (to avoid brownouts and power fluctuations). Use voltage regulators and surge protectors
o Install Uninterruptible Power Supply (UPS) units with backup batteries; also consider having a generator for long periods without power
7. Fault tolerance
o Ability of a system to continue operation when part of the system fails, e.g. hardware failure, application program or operator errors
o Have redundant hardware and disk storage, e.g.
o RAID, which uses parallel disks that contain redundant elements; if one disk fails, the lost data can be automatically reconstructed from components stored on other disks
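The parity reconstruction the slide describes, worked through as an added example (not from the lecture): a RAID 5 style layout with a rotating XOR parity block, a simulated loss of one whole disk, and the rebuild from the survivors. The byte string and the 4-byte block size are constructed values.

```python
def xor_bytes(blocks):
    """XOR equal-length byte strings together (the parity operation)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe(data, n_disks, block_size=4):
    """Write data across n_disks RAID 5 style: each stripe holds
    n_disks-1 data blocks plus one parity block, with the parity block
    rotating to a different disk for each stripe."""
    per_stripe = block_size * (n_disks - 1)
    padded = data + b"\x00" * (-len(data) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for k, start in enumerate(range(0, len(padded), per_stripe)):
        chunk = padded[start:start + per_stripe]
        blocks = [chunk[i:i + block_size] for i in range(0, per_stripe, block_size)]
        blocks.insert(k % n_disks, xor_bytes(blocks))  # parity position rotates
        for disk, block in zip(disks, blocks):
            disk.append(block)
    return disks


def rebuild_disk(disks, failed):
    """Reconstruct every block of the failed disk by XORing the
    corresponding blocks on the surviving disks; this works whether the
    lost block was data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_bytes([d[k] for d in survivors]) for k in range(len(survivors[0]))]


def reassemble(disks, length):
    """Read the data back, skipping each stripe's parity block."""
    n = len(disks)
    out = b"".join(
        disks[i][k] for k in range(len(disks[0])) for i in range(n) if i != k % n
    )
    return out[:length]


def recover_after_failure(data, n_disks, failed):
    """Stripe data, lose one disk entirely, rebuild it, and read back."""
    disks = stripe(data, n_disks)
    disks[failed] = None                      # simulate the disk failure
    disks[failed] = rebuild_disk(disks, failed)
    return reassemble(disks, len(data))
```

Parity recovers one failed disk per stripe; it does nothing for the application or operator errors the slide also lists, because a wrong write is reflected in the parity just as faithfully as a correct one, which is why backups remain a separate control.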
Audit objectives
Verify physical security controls are adequate to reasonably protect the organization from physical exposure
Verify that insurance coverage on equipment is adequate to compensate the organization for destruction of, or damage to, the computer center
Audit procedures
Tests of physical construction
o Check architectural plans; check if the room is built of fireproof material and has adequate drainage under the raised floor.
o Check the physical location against hazards: fire, civil unrest etc.
Figure: hazard categories. Natural disaster: flood, tornado. Human-made: sabotage, error, power outage, O/S crash/lock.
DISASTER RECOVERY PLANNING
The more the organization is dependent on technology, the more susceptible it is to these risks
o Some risks cannot be prevented. What is key is how well the organization is prepared to respond to and recover from them.
Disaster recovery plans (DRP) identify actions before, during, and after the disaster
They address the following 4 things:
Identify critical applications and priorities for restoring critical applications, as advised by management
Create a disaster recovery team
Provide site backup
Specify backup and off-site storage procedures
Disaster Recovery Plan
1. Critical Applications – Rank critical applications so an orderly and effective restoration of computer systems is possible.
2. Create Disaster Recovery Team – Select team members, write job descriptions, describe the recovery process in terms of who does what.
3. Site Backup – a backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or branch of the same company swaps availability when needed.
4. Hardware Backup – Some vendors provide computers with their site – known as a hot site or Recovery Operations Center. Some do not provide hardware – known as a cold site. When not available, make sure the plan accommodates compatible hardware (e.g., ability to lease computers).
5. System Software Backup – Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the backup site
7. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies – A modest inventory of supplies should be at the backup site or be deliverable quickly.
10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).
DISASTER RECOVERY PLANNING
Major concerns:
Identify critical applications and concentrate on restoring those that are critical to the short-term operations of the organization
o The plan should focus on short-term survival. In the long run all applications will need to be restored
o This may lead to a focus on functions that generate cash flows, e.g. customer sales and service, fulfillment of legal obligations, accounts receivable, production and distribution decisions, purchasing and cash disbursements
o The needs may change over time, thus the plan needs to be updated
Empty shell
Also known as cold site
The company buys or leases a building and remodels it into a computer site, but without computer equipment
Management obtains contracts with hardware vendors under which, in the event of a disaster, the vendor will supply the company with the needed equipment on a priority basis
Weakness: timely availability of equipment to restore processing isn't guaranteed
SECOND-SITE BACKUPS
Recovery Operations Center (ROC)
It’s a hot site
A fully equipped site; very costly and typically shared among many companies
It can be offered as a service by a ROC provider
o 9/11 was a true test of the ROC approach, e.g. Comdisco, which had 47 clients on its facilities under ROC contractual agreements. Over 3,000 employees worked from its site and thousands of computers were configured for clients within the first 24 hours
Weakness would be problems in overstretched facilities if a disaster hits many companies
o Management should consider problems of overcrowding and geographic clustering of current ROC client membership even before a disaster
SECOND-SITE BACKUPS
Audit Objective
o Verify management's disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources
3. Software Backup
Verify copies of critical applications and the OS are stored off-site.
Compare version numbers with those in actual use
4. Data backup
Verify critical data files are backed up in accordance with the DRP
5. Backup Supplies, Documents and Documentation
Verify that adequate documentation and supplies are stored off-site
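The software and data backup verifications above run as checks against records, as an added example that is not from the lecture: the production inventory, the off-site vault manifest, the DRP backup intervals and the backup dates are all constructed sample values.

```python
from datetime import date

# Constructed sample data (not from the lecture): software in production,
# what the off-site vault manifest lists, and the DRP's backup requirements.
PRODUCTION = {"GL": "4.2.1", "AR": "7.0", "PAY": "3.9", "OS": "z/OS 2.1"}
OFFSITE_MANIFEST = {"GL": "4.2.1", "AR": "6.8", "OS": "z/OS 2.1"}
DRP_BACKUP_INTERVAL_DAYS = {"GL": 1, "AR": 1, "PAY": 7}
LAST_OFFSITE_BACKUP = {
    "GL": date(2016, 10, 4),
    "AR": date(2016, 9, 20),
    "PAY": date(2016, 10, 1),
}


def software_copy_exceptions(production, manifest):
    """Critical software that is missing off-site, or stored off-site at a
    version different from the one actually in use (procedure 3)."""
    exceptions = []
    for name, version in production.items():
        stored = manifest.get(name)
        if stored is None:
            exceptions.append((name, "missing off-site"))
        elif stored != version:
            exceptions.append((name, f"off-site {stored} != production {version}"))
    return exceptions


def data_backup_exceptions(intervals, last_backup, as_of):
    """Critical data files whose latest off-site backup is older than the
    interval the DRP requires, or that have no backup at all (procedure 4)."""
    exceptions = []
    for name, max_days in intervals.items():
        last = last_backup.get(name)
        if last is None:
            exceptions.append((name, "no off-site backup recorded"))
        elif (as_of - last).days > max_days:
            age = (as_of - last).days
            exceptions.append((name, f"{age} days old, DRP requires {max_days}"))
    return exceptions


if __name__ == "__main__":
    print(software_copy_exceptions(PRODUCTION, OFFSITE_MANIFEST))
    print(data_backup_exceptions(DRP_BACKUP_INTERVAL_DAYS, LAST_OFFSITE_BACKUP,
                                 date(2016, 10, 5)))
```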
DRP AUDIT PROCEDURES
The logic underlying IT outsourcing follows the core competency theory, which argues that an organization should focus exclusively on its core business competencies while allowing outsourcing vendors to efficiently manage non-core areas
BENEFITS OF IT OUTSOURCING
The Transaction Cost Economics (TCE) theory suggests that firms should retain specific IT assets in-house (i.e. IT assets that are unique to the organization and that support its strategic objectives).
o Because of their nature, they are difficult to replace/restore once an outsourcing agreement is cancelled.
o Examples include systems development, application maintenance, data warehousing, and highly skilled employees trained to use the organization's software.
TCE supports outsourcing of commodity IT assets (those that are not unique to a particular organization and are easily acquired or replaced from the marketplace), e.g. PCs, help desk support, server maintenance
RISKS OF IT OUTSOURCING
1. Failure to perform
The vendor's poor performance can have negative implications due to dependence on them, e.g. if the vendor lays off its workforce, or experiences financial or legal problems that threaten its continuity. This directly affects the outsourcing firms
2. Vendor exploitation
The vendor acquires specific IT assets to serve the organization, and these assets may have no value to the vendor other than for delivering to the client. This may involve the client paying a premium to the vendor or becoming very dependent on the vendor
The vendor may exploit this dependency by raising service rates. If new services are required, they will be at a premium
This dependency threatens the client's long-term flexibility, agility and competitiveness, and results in greater dependency
RISKS OF IT OUTSOURCING
Read COSO's thought leadership paper on "Enterprise Risk Management for cloud computing".
Consider the following issues it addresses:
Definition of cloud computing
Common deployment and service delivery models
Benefits of cloud computing
Risks associated with cloud computing
Changes in business environment
COSO’s ERM framework for cloud computing
Recommended risk responses to cloud computing
SUMMARY