Chapter 2: Auditing It Governance Controls
IT GOVERNANCE CONTROLS
INFORMATION TECHNOLOGY GOVERNANCE
• FOCUSES:
• Management and assessment of strategic IT resources
• OBJECTIVES:
• Reduce risk
• Ensure that investments in IT resources add value to the corporation
Backup Flexibility
The final argument in favor of DDP is the ability to back up computing facilities to
protect against potential disasters such as fires, floods, sabotage, and earthquakes. The
distributed model offers organizational flexibility for providing backup. Each
geographically separate IT unit can be designed with excess capacity. If a disaster
destroys a single site, the other sites can use their excess capacity to process the
transactions of the destroyed site. Naturally, this setup requires close coordination
between end-user managers to ensure that they do not implement incompatible hardware
and software; otherwise the surviving sites cannot actually take over the destroyed site's
processing.
CONTROLLING THE DDP ENVIRONMENT
CAREFUL PLANNING AND IMPLEMENTATION OF CONTROLS CAN MITIGATE
SOME OF THE DDP RISKS PREVIOUSLY DISCUSSED.
[Organization chart (image residue): President at the top; a Corporate IT Services
Manager; and four distributed IT Functions.]
User Services
A valuable feature of the corporate group is its user services function. This activity
provides technical help to users during the installation of new software and in
troubleshooting hardware and software problems. The corporate IT function could also
provide a help desk, where users can call and get a quick response to questions and
problems.
Standard-Setting Body
The corporate group can contribute to controlling the DDP environment by
establishing, and distributing to user areas, appropriate standards for systems
development, programming, and documentation.
Personnel Review
The corporate group is often better equipped than users to evaluate the technical
credentials of prospective systems professionals.
AUDIT OBJECTIVE:
The auditor's objective is to verify that the structure of the IT function is such
that individuals in incompatible areas are segregated in accordance with the level of
potential risk, and in a manner that promotes a working environment in which formal,
rather than casual, relationships exist between incompatible tasks.
AUDIT PROCEDURES:
- Review relevant documentation to determine whether individuals or groups are
performing incompatible functions.
- Review systems documentation and maintenance records to verify that the
maintenance programmers assigned to an application are not also its original
design programmers.
- Verify that computer operators do not have access to the operational details of a
system's internal logic (systems flowcharts, logic flowcharts, program code listings
should not be part of the operations documentation set).
- Observe to determine whether the segregation policy is being followed in practice.
- Review the current organizational chart, mission statement, and job descriptions
for key functions to determine whether individuals or groups are performing
incompatible duties.
- Verify that corporate policies and standards are published and provided to
distributed IT units.
- Verify that compensating controls (for example supervision and management
monitoring) are employed when segregation of incompatible duties is economically
infeasible.
- Review systems documentation to verify that applications, procedures, and
databases are designed and functioning in accordance with corporate standards.
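The segregation-of-duties procedures above are usually applied by hand to an org chart and a set of maintenance records, but the same checks can be run mechanically over extracted staffing data. The following is an added example, not code from the chapter or its textbook: every person, application, role, log entry and compensating control in it is constructed for illustration. It encodes three of the procedures as rules (designer must not maintain the same application; programmer and operator roles must not be held by the same person; operators must not touch internal-logic documentation) and then separates findings that have a recorded compensating control from those that are open audit exceptions.

```python
"""Segregation-of-duties check over constructed IT staffing records.

Added example, not part of the chapter. All data below is constructed.
"""

# Constructed systems documentation / maintenance records: app -> who designed
# it originally and who maintains it now.
APP_RECORDS = {
    "payroll":   {"designers": {"alice"}, "maintainers": {"bob"}},
    "ledger":    {"designers": {"carol"}, "maintainers": {"carol"}},  # designer maintains own app
    "inventory": {"designers": {"dave"},  "maintainers": {"erin"}},
}

# Constructed job descriptions: person -> roles held.
ROLES = {
    "alice": {"programmer"},
    "bob":   {"programmer"},
    "carol": {"programmer"},
    "dave":  {"programmer", "operator"},   # incompatible combination
    "erin":  {"programmer"},
    "frank": {"operator"},
}

# Constructed documentation access log: (person, document type).
ACCESS_LOG = [
    ("frank", "run manual"),
    ("frank", "program code listing"),     # operator reading internal logic
    ("alice", "logic flowchart"),          # fine: alice is a programmer
]

# Document types that expose a system's internal logic.
INTERNAL_LOGIC_DOCS = {"systems flowchart", "logic flowchart", "program code listing"}

# Role pairs that must not be held by one person.
INCOMPATIBLE_ROLES = [frozenset({"programmer", "operator"})]

# Constructed register of compensating controls, keyed by (person, finding kind).
COMPENSATING = {
    ("dave", "incompatible_roles"): "management reviews every job dave runs",
}


def find_violations(app_records=APP_RECORDS, roles=ROLES,
                    access_log=ACCESS_LOG, compensating=COMPENSATING):
    """Return (kind, person, detail, compensating_control_or_None) tuples."""
    findings = []

    # Rule 1: maintenance programmers must not be the original designers.
    for app, rec in app_records.items():
        for person in sorted(rec["designers"] & rec["maintainers"]):
            findings.append(("designer_maintains_own_app", person, app))

    # Rule 2: incompatible role combinations in job descriptions.
    for person, held in roles.items():
        for pair in INCOMPATIBLE_ROLES:
            if pair <= held:
                findings.append(("incompatible_roles", person, "+".join(sorted(pair))))

    # Rule 3: operators must not access internal-logic documentation.
    for person, doc in access_log:
        if "operator" in roles.get(person, set()) and doc in INTERNAL_LOGIC_DOCS:
            findings.append(("operator_sees_internal_logic", person, doc))

    # A finding is only acceptable if a compensating control is on record for it.
    return [(kind, person, detail, compensating.get((person, kind)))
            for kind, person, detail in findings]


def exceptions(findings):
    """Findings with no compensating control: these go in the audit report."""
    return [f for f in findings if f[3] is None]


if __name__ == "__main__":
    for f in find_violations():
        print(f)
    print("open exceptions:", len(exceptions(find_violations())))
```

Running it reports three findings: carol maintains the ledger application she designed, dave holds both programmer and operator roles, and frank (an operator) read a program code listing. Only dave's finding carries a compensating control, so two exceptions remain open. In a real engagement the three constant tables would be replaced by exports from the HR system, the change-management system and the documentation repository.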
THE COMPUTER CENTER
Physical location:
-Directly affects the risk of destruction from a disaster.
-Away from hazards and traffic.
Construction:
-Ideally, a single-story, solidly constructed building with underground utilities.
-Windows should not open, and an air filtration system should be in place.
Access:
-Should be limited, with locked doors, cameras, key-card entry and sign-in logs.
Air conditioning:
-Should provide appropriate temperature and humidity for computers.
Fire suppression:
-Alarms, fire extinguishing system, appropriate construction, fire exits.
Fault tolerance:
-The ability of the system to continue operation when part of the system fails.
Total failure can occur only if multiple components fail.
-Redundant arrays of independent disks (RAID) use parallel disks holding redundant
elements of data and applications, so that if one disk fails the lost data can be
reconstructed from the remaining disks.
-Uninterruptible power supplies.
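The RAID point above rests on one mechanism: a parity block that is the XOR of the data blocks, so any single missing block can be rebuilt from the survivors, while two missing blocks cannot. The following is an added example, not code from the chapter; the four "disks" are constructed in-memory byte strings and the single-parity layout is a simplified RAID 4/5-style stripe, chosen to show why total failure needs multiple components to fail.

```python
"""Single-parity reconstruction over constructed in-memory 'disks'.

Added example, not part of the chapter. The array is a simplified
RAID 4/5-style stripe: three data blocks plus one XOR parity block.
"""
from functools import reduce


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def build_array(data_blocks):
    """Data blocks followed by their parity block (one redundant member)."""
    data_blocks = list(data_blocks)
    if len({len(b) for b in data_blocks}) != 1:
        raise ValueError("all blocks in a stripe must have the same length")
    return data_blocks + [xor_blocks(data_blocks)]


def reconstruct(array):
    """Rebuild a stripe in which lost members are marked None.

    Exactly one lost member (data or parity) is recovered by XORing the
    survivors; two or more cannot be, since a single parity block carries
    only one unknown's worth of information.
    """
    missing = [i for i, blk in enumerate(array) if blk is None]
    if not missing:
        return list(array)
    if len(missing) > 1:
        raise ValueError(f"{len(missing)} members lost; single parity tolerates one")
    survivors = [blk for blk in array if blk is not None]
    rebuilt = list(array)
    rebuilt[missing[0]] = xor_blocks(survivors)
    return rebuilt


def survives(array):
    """True if the damaged stripe can be fully rebuilt."""
    try:
        reconstruct(array)
        return True
    except ValueError:
        return False


def demo():
    # Constructed sample data: three 8-byte records on three data disks.
    data = [b"ledger  ", b"payroll ", b"invntory"]
    healthy = build_array(data)

    one_lost = list(healthy)
    one_lost[1] = None                     # disk 1 (payroll) destroyed
    restored = reconstruct(one_lost)

    two_lost = list(healthy)
    two_lost[0] = two_lost[2] = None       # two disks destroyed at once
    return restored == healthy, survives(two_lost)


if __name__ == "__main__":
    single_ok, double_ok = demo()
    print("single-disk loss recovered:", single_ok)   # True
    print("double-disk loss recovered:", double_ok)   # False
```

The rebuild works because parity = d0 xor d1 xor d2, so xoring the two surviving data blocks with the parity block cancels them and leaves the lost one. The same calculation recovers a lost parity block. Production arrays add more parity (RAID 6) or mirroring to survive a second failure, which is the trade-off the auditor should see documented for any system the DRP labels critical.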
DISASTER RECOVERY PLANNING
A disaster recovery plan (DRP) is a statement of all actions to be taken before,
during and after any type of disaster.
Disasters such as:
o Natural Disasters
(hurricanes, flooding, earthquakes)
o Human-made Disasters
(sabotage, errors)
o System Failure
(power outages or hard drive failure)
DISASTER RECOVERY PLAN
IDENTIFY CRITICAL APPLICATIONS
CREATE A DISASTER RECOVERY TEAM
PROVIDE SITE BACKUP
SPECIFY BACKUP AND OFF-SITE PROCEDURES
9. It is the ability of the system to continue operation when part of the system
fails because of hardware failure, application program error, or operator error.
10. It involves using parallel disks that contain redundant elements of data
and applications.
Enumeration:
13-16 What are the recovery procedures?
17-20 What are the risks associated with DDP?