Chapter 2: Auditing IT Governance Controls

INFORMATION TECHNOLOGY GOVERNANCE
• FOCUSES:
• Management
• Assessment of strategic IT resources
• OBJECTIVES:
• Reduce risk
• Ensure that investments in IT resources add value to the corporation
• PHILOSOPHY: all stakeholders should be active participants in key IT decisions.
ITG CONTROLS
• Structure of the IT Function
1. Centralized Data Processing (CDP)
2. Distributed Data Processing (DDP)

• Centralized Data Processing (CDP)
- all data processing is performed by one or more large computers at a central site that serves users throughout the organization.

PRIMARY SERVICE AREAS
1. Database Administration (DA)
2. Data Processing (DP)
3. System Development and Maintenance (SDM)
1. Database Administration (DA)
Database Administrator - responsible for the security and integrity of the database.
2. Data Processing (DP) - manages the computer resources for the day-to-day operations.
FUNCTIONS:
A. Data Conversion (DC) - converts data from hard-copy source documents to computer input (electronic files).
B. Computer Operations (CO) - runs the accounting applications against the electronic files produced by data conversion.
C. Data Library (DL)
- safe storage for offline files (backups)
- safe storage of the original copies of commercial software and their licenses
Data librarian - responsible for the receipt, storage, retrieval and custody of files.
3. System Development and Maintenance (SDM)
System Development - analysing user needs and designing new systems to satisfy the needs of systems professionals, end users and stakeholders.
System Maintenance - making changes to program logic to accommodate shifts in user needs over time.
SEGREGATION OF IT FUNCTIONS
- the IT environment tends to consolidate activities
- the focus of segregation control therefore shifts from the operational level to the higher-level organizational relationships within the computer services function.

• Separation of System Development and Computer Operations
1. System Development - creating and maintaining systems
2. Computer Operations - entering data and running the applications
*Consolidating the two invites errors.

• Separation of Database Administration and Other Functions
1. Database Administration - creating the database schema and user views
- assigning database access authority to users
- monitoring database usage
- planning for future expansion
2. Other functions (Data Processing, and System Development and Maintenance)
*Consolidating the two threatens database integrity.

• Separation of System Development and Maintenance
1. System Development
Analysis - designs new systems
Programming - codes according to the designs, and also maintains the systems
2. System Maintenance - maintains the systems
*Consolidating the two results in inadequate documentation and program fraud (making unauthorized changes to program modules for the purpose of committing an illegal act).

• Superior Structure for System Development
1. New systems development - designing, programming and implementing new systems.
2. Systems maintenance - maintaining systems once they are in production.
*Separating the two results in:
1. Improved documentation
2. Program fraud deterred: the original developer is denied access to the program once it is running in production.
ITG CONTROLS
• The Distributed Data Processing (DDP) Model
- involves reorganizing the central IT function into small IT units that are placed under the control of end users.
- related topics are end-user computing, commercial software, networking and office automation.
Alternative Approaches
1. Alternative A - terminals are distributed to end users for handling input and output (systems development, computer operations and database administration remain centralized).
2. Alternative B - distributes all computer services to the end users, where they operate as standalone units.
RISKS ASSOCIATED WITH DDP
• Inefficient Use of Resources
1. The risk of mismanagement of organization-wide IT resources by end users.
2. DDP can increase the risk of operational inefficiencies because of redundant tasks being performed within the end-user community.
3. A DDP environment poses a risk of incompatible hardware and software among end-user functions.
• Destruction of Audit Trails
- Some digital transaction files and master files that reside in part or entirely on end-user computers might get deleted.
• Inadequate Segregation of Duties
- The distribution of IT services to users may result in the creation of small independent units that do not permit the desired separation of incompatible functions.
• Hiring Qualified Professionals
- End-user managers may lack the IT knowledge to evaluate the technical credentials and relevant experience of candidates applying for IT professional positions.
• Lack of Standards
- Standards for developing and documenting systems, choosing programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or even nonexistent.
ADVANTAGES OF DDP
Cost Reductions
Powerful and inexpensive microcomputers that can perform specialized functions have changed the economics of data processing dramatically. Moreover, the move to DDP has reduced costs in two other areas: (1) data can be edited and entered by the end user, thus eliminating the centralized task of data preparation; and (2) application complexity can be reduced, which in turn reduces systems development and maintenance costs.

Improved Cost Control Responsibility
Proponents of DDP contend that the benefits of improved management attitudes more than outweigh any additional costs incurred from distributing these resources. They argue that if IT capability is indeed critical to the success of a business operation, then management must be given control over these resources.

Improved User Satisfaction
DDP proponents claim that distributing systems to end users improves three areas of need that too often go unsatisfied in the centralized model: (1) as previously stated, users desire to control the resources that influence their profitability; (2) users want systems professionals (analysts, programmers, and computer operators) to be responsive to their specific situation; and (3) users want to become more actively involved in developing and implementing their own systems.

Backup Flexibility
The final argument in favor of DDP is the ability to back up computing facilities to protect against potential disasters such as fires, floods, sabotage, and earthquakes. The distributed model offers organizational flexibility for providing backup. Each geographically separate IT unit can be designed with excess capacity. If a disaster destroys a single site, the other sites can use their excess capacity to process the transactions of the destroyed site. Naturally, this setup requires close coordination between end-user managers to ensure that they do not implement incompatible hardware and software.
CONTROLLING THE DDP ENVIRONMENT
CAREFUL PLANNING AND IMPLEMENTATION OF CONTROLS CAN MITIGATE
SOME OF THE DDP RISKS PREVIOUSLY DISCUSSED.

Figure 2.5 Organization Chart for a Distributed Data Processing Environment
(chart boxes: President; VP Marketing, VP Finance, VP Administration, VP Operations; Treasurer, Controller, Manager Plant X, Manager Plant Y; a Corporate IT Services Manager; and a separate IT Function under each user area.)
IMPLEMENT A CORPORATE IT FUNCTION

Central Testing of Commercial Software and Hardware


A centralized corporate IT group is better equipped than are end users to evaluate
the merits of competing commercial software and hardware products under
consideration. Test results can then be distributed to user areas as standards for guiding
acquisition decisions. This allows the organization to effectively centralize the
acquisition, testing, and implementation of software and hardware and avoid many
problems discussed earlier.

User Services
A valuable feature of the corporate group is its user services function. This activity
provides technical help to users during the installation of new software and in
troubleshooting hardware and software problems. The corporate IT function could also
provide a help desk, where users can call and get a quick response to questions and
problems.
Standard-Setting Body
The corporate group can contribute to the goal of uniform standards across the distributed units by establishing and distributing to user areas appropriate standards for systems development, programming, and documentation.

Personnel Review
The corporate group is often better equipped than users to evaluate the technical credentials of prospective systems professionals.
AUDIT OBJECTIVE:
The auditor's objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk, and in a manner that promotes a sound working environment.

AUDIT PROCEDURES:
 Review relevant documentation to determine if individuals or groups are performing incompatible functions.
 Review systems documentation and maintenance records to verify that maintenance programmers are not also the original designers.
 Verify that computer operators do not have access to the operational details of a system's internal logic.
 Observe to determine whether the segregation policy is being followed.
 Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.
 Verify that corporate policies and standards are published and provided to distributed IT units.
 Verify that compensating controls are employed when segregation of incompatible duties is economically infeasible.
 Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.
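The segregation rules above and the first audit procedures (review who performs incompatible functions; verify compensating controls where segregation is infeasible) can be run mechanically over an access-rights extract. The following is an added example, not part of the chapter: it encodes the chapter's incompatible function pairs as rules, applies them to a user-to-function access matrix, and treats a documented compensating control as mitigating a conflict. All function names, the user records and the compensating-control register are constructed for illustration.

```python
"""Segregation-of-duties check over an IT access matrix.

Added example, not from the chapter. Function names, user records and
the compensating-control register below are constructed for illustration.
"""
from itertools import combinations

# Incompatible pairs, taken from the chapter's segregation rules.
INCOMPATIBLE = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
}

# Constructed access matrix (what an access-rights review would produce):
# user -> set of IT functions the user can actually perform.
SAMPLE_ACCESS = {
    "alice": {"systems_development"},
    "bob":   {"computer_operations", "data_library"},
    "carol": {"database_administration", "systems_development"},
    "dave":  {"new_systems_development", "systems_maintenance"},
    "erin":  {"systems_development", "computer_operations"},
}

# Constructed register of approved compensating controls, keyed by
# (user, conflicting pair). Only conflicts with an entry here count as mitigated.
SAMPLE_COMPENSATING = {
    ("dave", frozenset({"new_systems_development", "systems_maintenance"})):
        "independent code review and manager approval on every change ticket",
}


def find_conflicts(access, compensating=None):
    """Return one finding per (user, incompatible pair) present in `access`."""
    compensating = compensating or {}
    findings = []
    for user, functions in sorted(access.items()):
        for a, b in combinations(sorted(functions), 2):
            pair = frozenset({a, b})
            if pair not in INCOMPATIBLE:
                continue
            control = compensating.get((user, pair))
            findings.append({
                "user": user,
                "functions": tuple(sorted(pair)),
                "compensating_control": control,
                "status": "mitigated" if control else "exception",
            })
    return findings


def exceptions(findings):
    """Conflicts with no compensating control: what goes into the audit report."""
    return [f for f in findings if f["status"] == "exception"]


if __name__ == "__main__":
    for f in find_conflicts(SAMPLE_ACCESS, SAMPLE_COMPENSATING):
        print(f["status"].upper(), f["user"], f["functions"],
              f["compensating_control"] or "")
```

The matrix should come from the systems themselves (group memberships, database grants, scheduler permissions), not from the organization chart alone: the chart shows intended duties, while the grants show who can actually perform them.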
THE COMPUTER CENTER

Physical location:
- directly affects the risk of destruction from a disaster.
- away from hazards and traffic.
Construction:
- ideally a single-story, solidly constructed building with underground utilities.
- windows should not open and an air filtration system should be in place.
Access:
- should be limited with locked doors, cameras, key-card entry and sign-in logs.
Air conditioning:
- should provide appropriate temperature and humidity for the computers.
Fire suppression:
- alarms, fire extinguishing system, appropriate construction, fire exits.
Fault tolerance:
- the ability of the system to continue operation when part of the system fails; total failure occurs only if multiple components fail.
- Redundant arrays of independent disks (RAID): parallel disks holding redundant data and applications, so that if one disk fails the lost data can be reconstructed from the others. RAID guards against disk failure only; it is not a backup, because a deletion or corruption is written to every disk in the array.
- Uninterruptible power supplies.
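The reconstruction the RAID bullet refers to works because the parity disk holds the XOR of the data blocks in each stripe, so any single missing block is the XOR of the rest. The following is an added example, not from the chapter: it stripes a payload across N data disks plus one parity disk, simulates the loss of any one disk, and rebuilds it from the survivors. The payload, disk count and block size are constructed; a real controller also rotates the parity block across disks and manages hot spares, which this omits.

```python
"""XOR-parity striping and single-disk reconstruction.

Added example, not from the chapter. Payload, disk count and block size
are constructed for illustration.
"""


def xor_images(images):
    """Bytewise XOR of equal-length byte strings."""
    out = bytearray(len(images[0]))
    for img in images:
        assert len(img) == len(out), "all disk images must be the same size"
        for i, b in enumerate(img):
            out[i] ^= b
    return bytes(out)


def stripe(payload, data_disks, block_size):
    """Split `payload` into stripes across data_disks disks plus one parity
    disk (the last image returned). The payload is zero-padded to whole stripes."""
    stripe_bytes = data_disks * block_size
    payload = payload + b"\x00" * ((-len(payload)) % stripe_bytes)
    disks = [bytearray() for _ in range(data_disks + 1)]
    for off in range(0, len(payload), stripe_bytes):
        blocks = [payload[off + i * block_size: off + (i + 1) * block_size]
                  for i in range(data_disks)]
        for i, blk in enumerate(blocks):
            disks[i] += blk
        disks[data_disks] += xor_images(blocks)   # parity block for this stripe
    return [bytes(d) for d in disks]


def reconstruct(disks, lost):
    """Rebuild disk index `lost` (data or parity) from the surviving disks.
    Works because the XOR of all disks in a stripe is zero; the entry at
    `lost` is ignored, so it may already be None."""
    survivors = [d for i, d in enumerate(disks) if i != lost]
    return xor_images(survivors)


def assemble(disks, data_disks, block_size, length):
    """Reverse of stripe(): re-interleave the data disks and trim the padding."""
    out = bytearray()
    for s in range(len(disks[0]) // block_size):
        for i in range(data_disks):
            out += disks[i][s * block_size:(s + 1) * block_size]
    return bytes(out[:length])


SAMPLE_PAYLOAD = b"ACCOUNTS RECEIVABLE LEDGER, PERIOD 2024-06"   # constructed

if __name__ == "__main__":
    disks = stripe(SAMPLE_PAYLOAD, data_disks=3, block_size=4)
    damaged = list(disks)
    damaged[1] = None                            # simulate losing data disk 1
    damaged[1] = reconstruct(damaged, 1)         # rebuild it from the other three
    assert assemble(damaged, 3, 4, len(SAMPLE_PAYLOAD)) == SAMPLE_PAYLOAD
    print("disk 1 rebuilt; payload intact")
```

With a single parity disk the array survives exactly one failure; set two entries to None and `reconstruct` has too few survivors, which is the "total failure only if multiple components fail" limit stated above.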
DISASTER RECOVERY
PLANNING
Statement of all actions to be taken before,
during and after any type of disaster.
Disasters such as:
o Natural Disasters
(hurricanes, flooding, earthquakes)
o Human-made Disasters
(sabotage, errors)
o System Failure
(power outages or hard drive failure)
DISASTER RECOVERY PLAN
 IDENTIFY CRITICAL APPLICATIONS
 CREATE A DISASTER RECOVERY TEAM
 PROVIDE SITE BACKUP
 SPECIFY BACKUP AND OFF-SITE PROCEDURES

 IDENTIFY CRITICAL APPLICATIONS
- short-term survival requires restoration of the cash-flow-generating functions
- the applications supporting those functions should be identified and prioritized in the restoration plan
- the task of identifying critical items and prioritizing applications requires active participation of user departments, accountants, and auditors.
 CREATE A DISASTER RECOVERY TEAM
- team members should be experts in their areas and have assigned tasks.
 PROVIDE SITE BACKUP
- a necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster.
 SPECIFY BACKUP AND OFF-SITE PROCEDURES
- all the data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.
SECOND SITE BACKUP
 MUTUAL AID PACT
 EMPTY SHELL
 RECOVERY OPERATION CENTER
 INTERNALLY PROVIDED BACKUP

 MUTUAL AID PACT
- an agreement between organizations to aid each other with data processing in a disaster.
 EMPTY SHELL
- also called a COLD SITE PLAN
- involves obtaining a building to serve as a data center in a disaster.
- recovery depends on the timely availability of hardware.
 RECOVERY OPERATION CENTER
- also called a HOT SITE PLAN
- a fully equipped site that many companies share.
 INTERNALLY PROVIDED BACKUP
- may be preferred by organizations with many data processing centers.

BACKUP AND OFF-SITE STORAGE PROCEDURES
 OPERATING SYSTEM BACKUP
 APPLICATION BACKUP
 BACKUP DATA FILES
 BACKUP DOCUMENTATION
 BACKUP SUPPLIES AND SOURCE DOCUMENTS
 TESTING THE DRP
DRP AUDIT PROCEDURES
To verify that the DRP is a realistic solution, the following tests may be performed:
 Evaluate the adequacy of backup site arrangements.
 Review the list of critical applications for completeness.
 Verify that copies of critical data files are backed up in accordance with the DRP.
 Verify that the types and quantities of items specified in the DRP exist in a secure location.
 Verify that disaster recovery team members are current employees and aware of their assigned responsibilities.
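The third procedure (verify that critical data files are backed up in accordance with the DRP) is the one most often reduced to a spot check. The following is an added example, not from the chapter, of doing it systematically: a DRP manifest lists each critical file with the maximum backup age the plan allows, the backup catalog records the SHA-256 of each copy when it was taken, and the check confirms that the copy exists off site, still hashes to the catalogued value (no corruption or tampering in storage), and is not older than the plan permits. The paths, contents, timestamps and catalog are all constructed.

```python
"""Verify off-site copies of the DRP's critical files against the plan.

Added example, not from the chapter. Manifest, catalog, off-site contents
and the audit timestamp are constructed for illustration.
"""
import hashlib
from datetime import datetime, timedelta


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


NOW = datetime(2024, 6, 1, 9, 0)   # constructed "time of audit"

# DRP manifest: critical file -> maximum allowed backup age in hours.
SAMPLE_MANIFEST = {
    "ar/receivable.dat": 24,
    "gl/ledger.dat": 24,
    "payroll/master.dat": 168,
    "ar/customers.dat": 24,
}

# Backup catalog: (hash recorded when the copy was taken, time taken).
SAMPLE_CATALOG = {
    "ar/receivable.dat":  (sha256_hex(b"AR 2024-06 balances"), NOW - timedelta(hours=6)),
    "gl/ledger.dat":      (sha256_hex(b"GL 2024-05 close"),    NOW - timedelta(hours=40)),
    "payroll/master.dat": (sha256_hex(b"payroll master v7"),   NOW - timedelta(hours=2)),
}

# What is actually found at the off-site location (ar/customers.dat is absent).
SAMPLE_OFFSITE = {
    "ar/receivable.dat":  b"AR 2024-06 balances",
    "gl/ledger.dat":      b"GL 2024-05 close",
    "payroll/master.dat": b"payroll master v7 (truncated",   # damaged copy
}


def verify_backups(manifest, catalog, offsite, now):
    """Return {path: status}. Any status other than "ok" is an audit finding."""
    report = {}
    for path, max_age_hours in manifest.items():
        if path not in catalog or path not in offsite:
            report[path] = "missing"
            continue
        expected_hash, taken_at = catalog[path]
        if sha256_hex(offsite[path]) != expected_hash:
            report[path] = "hash mismatch"        # copy not what was backed up
        elif now - taken_at > timedelta(hours=max_age_hours):
            report[path] = "stale"                # older than the DRP allows
        else:
            report[path] = "ok"
    return report


def findings(report):
    """Only the entries an auditor would raise."""
    return {path: status for path, status in report.items() if status != "ok"}


if __name__ == "__main__":
    for path, status in verify_backups(SAMPLE_MANIFEST, SAMPLE_CATALOG,
                                       SAMPLE_OFFSITE, NOW).items():
        print(f"{status:14s} {path}")
```

Hashing against the catalog rather than against the live primary copy is deliberate: the primary legitimately changes after every backup, so a primary-versus-copy comparison would flag every file, while a catalog-versus-copy mismatch can only mean the stored copy was altered or damaged.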
OUTSOURCING THE IT FUNCTION
BENEFITS:
 Improved core business processes
 Improved IT performance
 Reduced IT cost
 The logic underlying outsourcing follows from core competency theory, which argues that an organization should focus on its core business competencies.
 This ignores an important distinction between:
 COMMODITY IT assets, which are not unique to an organization and are easily acquired in the marketplace.
 SPECIFIC IT assets, which are unique and support an organization's strategic objectives; they cannot be easily replaced once they are given up in an outsourcing arrangement.
 TRANSACTION COST ECONOMICS suggests firms should retain specific non-core IT assets in-house.
RISKS INHERENT TO IT OUTSOURCING
 Failure to perform
 Vendor exploitation
 Outsourcing costs exceed benefits
 Reduced security
 Loss of strategic advantage
AUDIT IMPLICATIONS OF IT OUTSOURCING
Use of a service organization does not reduce management's responsibilities under SOX for ensuring adequate IT internal controls.
SSAE 16, which replaced SAS 70, is the standard by which auditors gain assurance that the processes and controls at third-party vendors are adequate to prevent or detect material errors. (SSAE 16 has itself since been superseded by SSAE 18, under which the equivalent reports are issued as SOC 1 reports.)
The report provides a description of the service provider's controls using either the carve-out or the inclusive method for any subservice organizations the provider relies on.
CHAPTER REVIEW: IDENTIFY THE TERM DESCRIBED
1. Its objectives are to reduce risk and ensure that investments in IT resources add value to the corporation.
2. In this structure, all data processing is performed by one or more large computers at a central site that serves users throughout the organization.
3-4. Primary service areas of ITG controls.
5. It is the primary service area that manages the computer resources for the day-to-day operations.
6. In this model, the central IT function is reorganized into small IT units that are placed under the control of end users.
7. It is a valuable feature of the corporate group.
8. It is the most serious threat to a firm's computer equipment because of the loss of critical records, such as accounts receivable.
9. It is the ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.
10. It involves using parallel disks that contain redundant elements of data and applications.
11. This is a comprehensive statement of all actions to be taken before, during and after any type of disaster.
12. Often cited benefits of this function include improved core business performance, improved IT performance and reduced IT costs.

Enumeration:
13-16 What are the recovery procedures?
17-20 What are the risks associated with DDP?
