Auditing IT

Governance
Controls
IS FREE ELECTIVE 3
 After studying this topic, you should:
• Understand the risks of incompatible functions and
how to structure the IT function.
• Be familiar with the controls and precautions
Lesson required to ensure the security of an organization’s
Objectives computer facilities.
• Understand the key elements of a disaster recovery
plan.
• Be familiar with the benefits, risks, and audit issues
related to IT outsourcing.
 Information technology (IT) governance
is a relatively new subset of corporate
governance that focuses on the
IT management and assessment of strategic
Governance IT resources. Key objectives of IT
governance are to reduce risk and ensure
that investments in IT resources add value
to the corporation.
 This controls focus on:
IT 1. Organizational structure of the IT
Governance function
Controls 2. Computer center operations
3. Disaster recovery planning
STRUCTURE  The organization of the IT function
OF THE has implications for the nature and
INFORMATION effectiveness of internal controls,
TECHNOLOGY which, in turn, has implications for
FUNCTION the audit.
 Under the centralized data
processing model, all data
Centralized
processing is performed by one or
Data
more large computers housed at
Processing
a central site that serves users
throughout the organization.
Centralized
Data
Processing
Approach
Org Chart of
a Centralized
IT Function
 Database Administration
 Centrally organized companies
maintain their data resources in a
Related central location that is shared by all
Terms end users. In this shared data
arrangement, an independent group
headed by the database administrator
(DBA) is responsible for the security
and integrity of the database.
Data Processing
 The data processing group manages
the computer resources used to
perform the day-to-day processing of
transactions. It consists of the
following organizational functions:
data conversion, computer
operations, and the data library.
Data Conversion. The data conversion
function transcribes transaction data
from hard-copy source documents into
computer input. For example, data
conversion could involve keystroking
sales orders into a sale order application
in modern systems, or transcribing data
into magnetic media (tape or disk)
suitable for computer processing in
legacy type systems.
 Computer Operations. The electronic
files produced in data conversion are
later processed by the central
computer, which is managed by the
computer operations groups.
Accounting applications are usually
executed according to a strict schedule
that is controlled by the central
computer’s operating system.
Data Library. The data library is a room
adjacent to the computer center that
provides safe storage for the off-line
data files. Those files could be backups
or current data files. For instance, the
data library could be used to store
backup data on DVDs, CD-ROMs, tapes,
or other storage devices.
  The information systems needs of users
are met by two related functions:
system development and systems
maintenance.
Systems  Systems Development is responsible for
Development analyzing user needs and for designing
new systems to satisfy those needs. The
participants in system development
activities include systems professionals,
end users, and stakeholders.
Systems professionals include systems
analysts, database designers, and
programmers who design and build the
system. Systems professionals gather
facts about the user’s problem, analyze
the facts, and formulate a solution. The
product of their efforts is a new
information system.
 End users are those for whom the
system is built. They are the managers
who receive reports from the system
and the operations personnel who work
directly with the system as part of their
daily responsibilities.
Stakeholders are individuals inside or
outside the firm who have an interest in
the system, but are not end users. They
include accountants, internal auditors,
external auditors, and others who oversee
systems development.
  Once a new system has been designed
and implemented, the systems
maintenance group assumes
Systems responsibility for keeping it current with
Maintenance user needs. The term maintenance
refers to making changes to program
logic to accommodate shifts in user
needs over time.
 Operational tasks should be segregated
to:
 1. Separate transaction authorization
Segregation from transaction processing.
of  2. Separate record keeping from asset
Incompatible custody.
Functions  3. Divide transaction-processing tasks
among individuals such that short of
collusion between two or more
individuals fraud would not be possible.
  An alternative to the centralized model
is the concept of distributed data
processing (DDP). The topic of DDP is
The quite broad, touching upon such related
topics as end-user computing,
Distributed commercial software, networking, and
Data office automation.
Processing  Simply stated, DDP involves
reorganizing the central IT function into
small IT units that are placed under the
control of end users.
 1. Inefficient use of Resources
 risk of mismanagement of
organization-wide IT resources by
end users
Risks
 risk of operational inefficiencies
Associated because of redundant tasks being
with DDP performed within the end-user
committee
 risk of incompatible hardware and
software among end-user functions
2. Destruction of Audit Trails
3. Inadequate Segregation of Duties
4. Difficulty in Hiring Qualified Personnel
5. Lack of Standards
 1. Cost Control
2. Improved Cost Control Responsibility
Advantages 3. Improved User Satisfaction
of DDP
4. Backup Flexibility
 Implement a Corporate IT Function
1. Central Testing of Commercial
Controlling Hardware and Software
the DDP 2. User Services
Environment
3. Standard-setting body
4. Personnel Review
 The auditor’s objective is to verify that the
structure of the IT function is such that
individuals in incompatible areas are
Audit segregated in accordance with the level of
potential risk and in a manner that
Objective promotes a working environment. This is
an environment in which formal, rather
than casual, relationships need to exist
between incompatible tasks.
 If a company uses Centralized IT Function

• Review relevant documentation,

including the current organizational chart,
mission statement, and job descriptions
for key functions, to determine if
Audit individuals or groups are performing
Procedures incompatible functions.
• Review systems documentation and
maintenance records for a sample of
applications. Verify that maintenance
programmers assigned to specific projects
are not also the original design
programmers.
• Verify that computer operators do not
have access to the operational details of a
system’s internal logic. Systems
documentation, such as systems
flowcharts, logic flowcharts, and program
code listings, should not be part of the
operation’s documentation set.
• Through observation, determine that
segregation policy is being followed in
practice. Review operations room access
logs to determine whether programmers
enter the facility for reasons other than
system failures.
If DDP is used:
 Review the current organizational chart,
mission statement, and job descriptions
for key functions to determine if
individuals or groups are performing
incompatible duties.
 Verify that corporate policies and
standards for systems design,
documentation, and hardware and
software acquisition are published and
provided to distributed IT units.
 Verify that compensating controls, such
as supervision and management
monitoring, are employed when
segregation of incompatible duties is
economically infeasible.
 Review systems documentation to verify
that applications, procedures, and
databases are designed and functioning
in accordance with corporate standards.
  Accountants routinely examine the
physical environment of the computer
center as part of their annual audit. The
THE objective of this section is to present
computer center risks and the controls
COMPUTER that help to mitigate risk and create a
CENTER secure environment.
  The physical location of the computer
center directly affects the risk of
destruction to a natural or man-made
disaster. To the extent possible, the
computer center should be away from
human-made and natural hazards, such
Physical as processing plants, gas and water
Location mains, airports, high-crime areas, flood
plains, and geological faults. The center
should be away from normal traffic, such
as the top floor of a building or in a
separate, self-contained building.
Locating a computer in the basement
building increases its risk to floods.
  Ideally, a computer center should be
located in a single-story building of solid
construction with controlled access
(discussed next). Utility (power and
Construction telephone) lines should be underground.
The building windows should not open
and an air filtration system should be in
place that is capable of extracting
pollens, dust, and dust mites.
  Access to the computer center should be
limited to the operators and other
employees who work there. Physical
controls, such as locked doors, should be
employed to limit access to the center.
Access Access should be controlled by a keypad
or swipe card, though fire exits with
alarms are necessary. To achieve a
higher level of security, access should be
monitored by closed-circuit cameras and
video recording systems.
  Computers function best in an air-
conditioned environment, and providing
adequate air conditioning is often a
requirement of the vendor’s warranty.
Air Computers operate best in a
temperature range of 70 to 75 degrees
Conditioning Fahrenheit and a relative humidity of 50
percent. Logic errors can occur in
computer hardware when temperatures
depart significantly from this optimal
range.
  Fire is the most serious threat to a firm’s
computer equipment. Many companies
that suffer computer center fires go out
Fire of business because of the loss of critical
Suppression records, such as accounts receivable.
The implementation of an effective fire
suppression system requires
consultation with specialists.
  Fault tolerance is the ability of the
Fault system to continue operation when part
of the system fails because of hardware
Tolerance failure, application program error, or
operator error.
 1. Redundant arrays of independent
disks (RAID). Raid involves using parallel
disks that contain redundant elements
of data and applications. If one disk fails,
the lost data are automatically
reconstructed from the redundant
components stored on the other disks.
 2. Uninterruptible power supplies.
Commercially provided electrical power
presents several problems that can
disrupt the computer center operations,
including total power failures,
brownouts, power fluctuations, and
frequency variations. The equipment
used to control these problems includes
voltage regulators, surge protectors,
generators, and backup batteries.
 The auditor must verify that:
• Physical security controls are adequate
to reasonably protect the organization
Audit from physical exposures
Objectives • Insurance coverage on equipment is
adequate to compensate the organization
for the destruction of, or damage to, its
computer center
  Test of Physical Construction
 Test of Fire Detection System
Audit  Test of Access Control
Procedures  Rest of RAID
 Test of Uninterruptible Power Supply
 Test of Insurance Coverage
  Disasters such as earthquakes,
floods, sabotage, and even power
DISASTER failures can be catastrophic to an
organization’s computer center and
RECOVERY information systems. Disasters may
PLANNING be natural, human-made or system
failure.
  1. Identify critical applications
 2. Create a disaster recovery team
Features of a
DRP  3. Provide site backup
 4. Specify backup and off-site storage
procedures
  The first essential element of a DRP is to
Identify identify the firm’s critical applications
and associated data files. Recovery
Critical efforts must concentrate on restoring
Applications those applications that are critical to the
short-term survival of the organization.
  Recovering from a disaster depends on
timely corrective action. Delays in
performing essential tasks prolongs the
Create a recovery period and diminishes the
Disaster prospects for a successful recovery. To
avoid serious omissions or duplication of
Recovery effort during implementation of the
Team contingency plan, task responsibility
must be clearly defined and
communicated to the personnel
involved.
  A necessary ingredient in a DRP is that it
provides for duplicate data processing
Provide Site facilities following a disaster. Among the
options available the most common are
Backup mutual aid pact; empty shell or cold
site; recovery operations center or hot
site; and internally provided backup.
 Mutual Aid Pact. A mutual aid pact is an
agreement between two or more organizations
(with compatible computer facilities) to aid each
other with their data processing needs in the event
of a disaster.
 Empty Shell. The empty shell or cold
site plan is an arrangement wherein the
company buys or leases a building that
will serve as a data center. In the event
of a disaster, the shell is available and
ready to receive whatever hardware the
temporary user needs to run essential
systems.
 Recovery Operations Center. A recovery
operations center (ROC) or hot site is a
fully equipped backup data center that
many companies share. In addition to
hardware and backup facilities, ROC
service providers offer a range of
technical services to their clients, who
pay an annual fee for access rights.
 Internally Provided Backup. Larger
organizations with multiple data
processing centers often prefer the self-
reliance that creating internal excess
capacity provides. This permits firms to
develop standardized hardware and
software configurations, which ensure
functional compatibility among their
data processing centers and minimize
cutover problems in the event of a
disaster.
  Operating System Backup
Backup and  Application Backup
Off-Site  Backup Data Files
Storage  Backup Documentation
Procedures  Backup Supplies and Source Documents
 Test the DRP
  The auditor should verify that
Audit management’s disaster recovery plan is
adequate and feasible for dealing with a
Objective catastrophe that could deprive the
organization of its computing resources.
 The auditor may perform the following
tests:
Audit  Site Backup. The auditor should
Procedures evaluate the adequacy of the backup site
arrangement. System incompatibility
and human nature both greatly reduce
the effectiveness of the mutual aid pact.
 Critical Application List. The auditor
should review the list of critical
applications to ensure that it is
complete. Missing applications can
result in failure to recover. The same is
true, however, for restoring unnecessary
applications.
 Software Backup. The auditor should
verify that copies of critical applications
and operating systems are stored off-
site.
 Data Backup. The auditor should verify
that critical data files are backed up in
accordance with the DRP.
 Backup Supplies, Documents, and
Documentation. The system
documentation, supplies, and source
documents needed to process critical
transactions should be backed up and
stored off-site.
 Disaster Recovery Team. The DRP
should clearly list the names, addresses,
and emergency telephone numbers of
the disaster recovery team members.
The auditor should verify that members
of the team are current employees and
are aware of their assigned
responsibilities.
  The costs, risks, and responsibilities
associated with maintaining an effective
corporate IT function are significant.
Many executives have therefore opted
to outsource their IT functions to third-
IT party vendors who take over
SOURCING responsibility for the management of IT
assets and staff and for delivery of IT
services, such as data entry, data center
operations, applications development,
applications maintenance, and network
management.
  Failure to perform
 Vendor Exploitation
Risk Inherent  Outsourcing costs exceed benefits
to IT
 Reduced Security
Sourcing
 Loss of Strategic Advantage
  An auditor should consider PSA 402,
Audit AUDIT CONSIDERATIONS RELATING
Implications TO ENTITIES USING SERVICE
of Sourcing ORGANIZATIONS, in conducting the
IT Functions audit of a client that outsourced its IT
functions