
CHAPTER 2:

IT Governance

IT Auditing, Hall, 3e
2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
IT Governance
IT Governance: subset of corporate governance that focuses on the management and assessment of strategic IT resources
Key objectives:
  Reduce risk
  Ensure investments in IT resources add value to the corporation
  All employees and stakeholders must be active participants in key IT decisions

IT Governance Controls
Three IT governance issues addressed by SOX and the COSO internal control framework:
  Organizational structure of the IT function
  Computer center operations
  Disaster recovery planning
For each issue:
  Nature of risk associated with the issue
  Controls used to mitigate risk
  Audit objectives
  Tests of controls

Structuring the IT Function
Centralized data processing [see Figure 2-1]
Organizational chart [see Figure 2-2]
  Database administrator
  Data processing manager/dept.
    Data control
    Data preparation/conversion
    Computer operations
    Data library
  Systems Development manager/dept.

Structuring the IT Function
Segregation of incompatible IT functions
Objectives:
  Segregate transaction authorization from transaction processing
  Segregate record keeping from asset custody
  Divide transaction processing steps among individuals to force collusion to perpetrate fraud

Structuring the IT Function
Segregation of incompatible IT functions
  Separating systems development from computer operations [see Figure 2-2]

Structuring the IT Function
Segregation of incompatible IT functions
  Separating DBA from other functions
  DBA is responsible for several critical tasks:
    Database security
    Creating database schema and user views
    Assigning database access authority to users
    Monitoring database usage
    Planning for future changes

Structuring the IT Function
Segregation of incompatible IT functions
  Systems development & maintenance
  Participants:
    End users
    IS professionals
    Auditors
    Other stakeholders

Structuring the IT Function
Segregation of incompatible IT functions
  Alternative 1: segregate systems analysis from programming [see Figure 2-3]
  Two types of control problems from this approach:
    Inadequate documentation: a chronic problem. Why?
      Writing documentation is not interesting
      Lack of documentation provides job security
      Assistance: use of CASE tools
    Potential for fraud
      Examples: salami slicing, trap doors

Structuring the IT Function
Segregation of incompatible IT functions
  Alternative 2: segregate systems development from maintenance [see Figure 2-2]
  Two types of improvements from this approach:
    Better documentation standards
      Necessary for transfer of responsibility
    Deters fraud
      Possibility of being discovered

Structuring the IT Function
Segregation of incompatible IT functions
  Segregate data library from operations
    Physical security of off-line data files
  Implications of modern systems on use of the data library:
    Real-time/online vs. batch processing
    Volume of tape files is insufficient to justify a full-time librarian
      Alternative: rotate the librarian duty on an ad hoc basis
    Custody of on-site data backups
    Custody of original commercial software and licenses

Structuring the IT Function
Segregation of incompatible IT functions
Audit objectives
  Risk assessment
  Verify incompatible areas are properly segregated
    How would an auditor accomplish this objective?
  Verify formal vs. informal relationships exist between incompatible tasks
    Why does it matter?

Structuring the IT Function
Segregation of incompatible IT functions
Audit procedures:
  Obtain and review security policy
  Verify policy is communicated
  Review relevant documentation (org. chart, mission statement, key job descriptions)
  Review systems documentation and maintenance records (using a sample)
    Verify whether maintenance programmers are also original design programmers
  Observe segregation policies in practice
    Review operations room access log
    Review user rights and privileges
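A check an auditor could script for the last two procedures above (user rights and maintenance records), added here as an example and not code from the Hall text. The function labels, the user-to-function export and the maintenance records are constructed sample data; the incompatible pairs are the ones this section lists.

```python
"""Added example, not code from Hall's text: a segregation-of-duties check
over a constructed user-rights export and constructed maintenance records,
for the last two audit procedures above."""
from itertools import combinations

# Pairs of IT functions the chapter treats as incompatible (labels are assumed).
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"dba", "systems_development"}),
    frozenset({"dba", "computer_operations"}),
    frozenset({"systems_analysis", "programming"}),        # Alternative 1
    frozenset({"systems_development", "maintenance"}),     # Alternative 2
    frozenset({"data_library", "computer_operations"}),
}

# Constructed sample of user rights and privileges: user -> granted functions.
USER_ROLES = {
    "alice": {"systems_analysis"},
    "bob": {"systems_development", "computer_operations"},  # can write and run code
    "carol": {"dba", "systems_development"},                # controls schema and code
    "dave": {"data_library"},
    "erin": {"systems_development", "maintenance"},         # designs and maintains
}

# Constructed sample of maintenance records:
# (system, original design programmer, current maintenance programmer).
MAINTENANCE_RECORDS = [
    ("payroll", "erin", "frank"),
    ("billing", "bob", "bob"),      # designer maintains own system
    ("ledger", "frank", "erin"),
]


def role_conflicts(user_roles):
    """Return (user, function_a, function_b) for each incompatible pair one user holds."""
    conflicts = []
    for user, roles in sorted(user_roles.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in INCOMPATIBLE_PAIRS:
                conflicts.append((user, a, b))
    return conflicts


def self_maintained_systems(records):
    """Return systems whose original designer is also the maintenance programmer."""
    return [system for system, designer, maintainer in records if designer == maintainer]


def sod_report(user_roles, records):
    """Combine both checks into one list of audit exception strings."""
    lines = [f"{u} holds incompatible functions: {a} + {b}" for u, a, b in role_conflicts(user_roles)]
    lines += [f"{s}: maintenance programmer is the original designer" for s in self_maintained_systems(records)]
    return lines
```

In practice the two inputs come from the access-management export and the change/maintenance log the auditor samples; every exception line is a finding to trace back to a compensating control or a remediation.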

The Distributed Model
Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users
Two alternatives [see Figure 2-4]:
  Alternative A: centralized
  Alternative B: decentralized / network

Risks Associated with DDP
  Inefficient use of resources
    Mismanagement of resources by end users
    Hardware and software incompatibility
    Redundant tasks
  Destruction of audit trails
  Inadequate segregation of duties
  Hiring qualified professionals
    Increased potential for errors
    Programming errors and system failures
  Lack of standards
Advantages of DDP
  Cost reduction
    End user data entry vs. data control group
    Application complexity reduced
    Development and maintenance costs reduced
  Improved cost control responsibility
    If IT is critical to success, then managers must control the technologies
  Improved user satisfaction
    Increased morale and productivity
  Backup flexibility
    Excess capacity for DRP

Controlling the DDP Environment
Need for careful analysis
Implement a corporate IT function
  Central systems development
  Acquisition, testing, and implementation of commercial software and hardware
  User services
    Help desk: technical support, FAQs, chat room, etc.
  Standard-setting body
  Personnel review
    IT staff

Audit Objectives: DDP Environment
Verify that the structure of the IT function is such that individuals in incompatible areas are segregated:
  In accordance with the level of potential risk
  And in a manner that promotes a working environment
Verify that formal relationships exist between incompatible tasks

Audit Objectives: DDP Environment
  Review the corporate policy on computer security
  Verify that the security policy is communicated to employees
  Review documentation to determine if individuals or groups are performing incompatible functions
  Review systems documentation and maintenance records
  Verify that maintenance programmers are not also design programmers
The Computer Center Controls
Physical location
  Avoid human-made and natural hazards
  Example: Chicago Board of Trade
Construction
  Ideally: single-story, underground utilities, windowless, use of filters
  If in a multi-storied building, use the top floor (away from traffic flows, and away from potential flooding in a basement)
Access
  Physical: locked doors, cameras
  Manual: access log of visitors

The Computer Center Controls
Air conditioning
  Especially for mainframes
  Amount of heat even from a group of PCs
Fire suppression
  Automatic: usually sprinklers
    Gas, such as halon, that smothers fire by removing oxygen can also kill anybody trapped there
    Sprinklers and certain chemicals can destroy the computers and equipment
  Manual methods
Power supply
  Need for clean power, at an acceptable level
  Uninterruptible power supply
Audit Objectives: The Computer Center
  Verify that physical security internal controls (IC) protect the computer center from physical exposures
  Verify that insurance coverage compensates the organization for damage to the computer center
  Verify that operator documentation addresses routine operations as well as system failures
Considerations: The Computer Center Controls
  Man-made threats and natural hazards
  Underground utility and communications lines
  Air conditioning and air filtration systems
  Access limited to operators and computer center workers; others required to sign in and out
  Fire suppression systems installed
  Fault tolerance
    Redundant disks and other system components
    Backup power supplies

Audit Procedures: The Computer Center
  Review insurance coverage on hardware, software, and physical facility
  Review operator documentation and run manuals for completeness and accuracy
  Verify that operational details of a system's internal logic are not in the operators' documentation

Disaster Recovery Planning
Disaster recovery plans (DRP) identify:
  Actions before, during, and after the disaster
  Priorities for restoring critical applications
  Disaster recovery team
  Site back-up and off-site storage procedures
Audit objective: verify that the DRP is adequate and feasible for dealing with disasters

Disaster Recovery Plan
1. Critical Applications: Rank critical applications so an orderly and effective restoration of computer systems is possible.
2. Create Disaster Recovery Team: Select team members, write job descriptions, and describe the recovery process in terms of who does what.
3. Site Backup: A backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or a branch of the same company swaps availability when needed.
4. Hardware Backup: Some vendors provide computers with their site (known as a hot site or Recovery Operations Center). Some do not provide hardware (known as a cold site). When hardware is not available, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).
5. System Software Backup: Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.
6. Application Software Backup: Make sure copies of critical applications are available at the backup site.
7. Data Backup: One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies: A modest inventory of supplies should be at the backup site or be able to be delivered quickly.
9. Documentation: An adequate set of copies of user and system documentation.
10. TEST! The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).
Disaster Recovery Planning
Major IC concerns:
  Second-site backups
  Critical applications and databases, including supplies and documentation
  Back-up and off-site storage procedures
  Disaster recovery team
  Testing the DRP regularly

Second-Site Backups
  Empty shell: involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
  Recovery operations center: a completely equipped site; very costly and typically shared among many companies
  Internally provided backup: companies with multiple data processing centers may create internal excess capacity
DRP Audit Procedures
  Evaluate adequacy of second-site backup arrangements
  Review list of critical applications for completeness and currency
  Verify that procedures are in place for storing off-site copies of applications and data
  Check the currency of back-ups and copies

DRP Audit Procedures
  Verify that documentation, supplies, etc., are stored off-site
  Verify that the disaster recovery team knows its responsibilities
  Check frequency of testing the DRP
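The checks behind the DRP audit procedures on this and the previous slide (off-site copies, their currency, restore testing and DRP test frequency), written out as an added example that is not code from the Hall text. The backup inventory, the DRP test log, the audit date and the policy thresholds are all constructed or assumed.

```python
"""Added example, not code from Hall's text: checks an auditor could script
for the DRP procedures above (off-site copies, currency, restore and DRP
testing), run over a constructed backup inventory and DRP test log."""
from datetime import date, timedelta

AUDIT_DATE = date(2024, 6, 30)              # constructed "as of" date
MAX_BACKUP_AGE = timedelta(days=7)          # assumed policy: off-site copy at least weekly
MAX_RESTORE_TEST_AGE = timedelta(days=365)  # assumed policy: restore test yearly
MAX_DRP_TEST_AGE = timedelta(days=365)      # assumed policy: full DRP test yearly

# Constructed list of critical applications, in restoration priority order.
CRITICAL_APPS = ["payroll", "billing", "general_ledger"]

# Constructed inventory: one record per backup copy held.
BACKUPS = [
    {"app": "payroll", "site": "offsite", "taken": date(2024, 6, 28),
     "last_restore_test": date(2024, 1, 15)},
    {"app": "billing", "site": "onsite", "taken": date(2024, 6, 29),
     "last_restore_test": date(2024, 6, 29)},            # never copied off-site
    {"app": "general_ledger", "site": "offsite", "taken": date(2024, 5, 1),
     "last_restore_test": None},                          # stale and never restore-tested
]

# Constructed log of full DRP exercises.
DRP_TESTS = [date(2022, 11, 3), date(2023, 4, 20)]


def backup_findings(apps, backups, today=AUDIT_DATE):
    """Return (app, issue) exceptions, in application priority order."""
    findings = []
    for app in apps:
        offsite = [b for b in backups if b["app"] == app and b["site"] == "offsite"]
        if not offsite:
            findings.append((app, "no off-site backup copy"))
            continue
        newest = max(b["taken"] for b in offsite)
        if today - newest > MAX_BACKUP_AGE:
            findings.append((app, "off-site copy older than policy"))
        tests = [b["last_restore_test"] for b in offsite if b["last_restore_test"]]
        if not tests or today - max(tests) > MAX_RESTORE_TEST_AGE:
            findings.append((app, "restore not tested within policy period"))
    return findings


def drp_test_overdue(tests, today=AUDIT_DATE):
    """True when no full DRP test falls within the policy window."""
    return not tests or today - max(tests) > MAX_DRP_TEST_AGE
```

Only copies held off-site count toward currency, since an on-site copy does not survive the disasters the plan is written for; a restore test date on an on-site copy is likewise ignored.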

Benefits of IT Outsourcing
Improved core business processes
Improved IT performance
Reduced IT costs

Risks of IT Outsourcing
Failure to perform
Vendor exploitation
Costs exceed benefits
Reduced security
Loss of strategic advantage

Audit Implications of IT Outsourcing
  Management retains SOX responsibilities
  SAS No. 70 report or audit of vendor will be required
