Auditing IT Governance Controls

IT Auditing, Hall
Learning Objectives:

• Understand the risks of incompatible functions and how to structure the IT function.
• Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities.
• Understand the key elements of a disaster recovery plan.
• Be familiar with the benefits, risks, and audit issues related to IT outsourcing.

IT Governance

• Subset of corporate governance that focuses on the management and assessment of strategic IT resources.
• Key objectives are to reduce risk and ensure investments in IT resources add value to the corporation.
• All corporate stakeholders must be active participants in key IT decisions.

IT Governance Controls

• Three IT governance issues addressed by SOX and the COSO internal control framework:
  - Organizational structure of the IT function
  - Computer center operations
  - Disaster recovery planning

Structure of the Corporate IT Function

• Under the centralized data processing model, all data processing is performed at a central site.
• End users compete for resources based on need.
• Operating costs are charged back to end users.
• Primary service areas:
  - Database administration
  - Data processing, consisting of data control/data entry, computer operations and the data library
  - Systems development and maintenance
• Participants in systems development activities include systems professionals, end users and stakeholders.

Structure of the Corporate IT Function

[Figure: Centralized Data Processing Approach]

Structure of the Corporate IT Function

[Figure: Organizational Chart of a Centralized IT Services Function]

The Distributed Model

Risks Associated with DDP (Distributed Data Processing)

• Inefficient use of resources:
  - Mismanagement of IT resources by end users
  - Operational inefficiencies due to redundant tasks being performed
  - Hardware and software incompatibility among end-user functions
• Destruction of audit trails
• Inadequate segregation of duties
• Difficulty hiring qualified professionals:
  - The risk of programming errors and system failures increases directly with the level of employee incompetence
• Lack of standards

The Computer Center

• Also known as the data center
• A facility that centralizes an organization’s IT operations and equipment, as well as where it stores, manages and disseminates its data

The Computer Center

Physical location:
• Directly affects the risk of destruction from a disaster
• Away from hazards and traffic

Construction:
• Ideally single-story, solidly constructed, with underground utilities
• Windows should not open and an air filtration system should be in place

Access:
• Should be limited with locked doors, cameras, key card entrance and sign-in logs

The Computer Center

Air conditioning:
• Appropriate temperature and humidity for computers

Fire suppression:
• Alarms, fire extinguishing system, appropriate construction, fire exits

The Computer Center

Fault tolerance is the ability of the system to continue operation when part of the system fails.

• Total failure can occur only if multiple components fail
• Redundant arrays of independent disks (RAID) involve using parallel disks with redundant data and applications, so if one disk fails, the lost data can be reconstructed
• Uninterruptible power supplies
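The RAID point above, as an added example that is not from Hall's text: a single parity disk holds the XOR of the data disks, so the contents of any one failed disk can be rebuilt from the survivors (and a second failure cannot). The disk contents and names are constructed for illustration.

```python
from __future__ import annotations
from functools import reduce

def xor_bytes(*blocks: bytes) -> bytes:
    """XOR any number of equal-length byte strings column by column."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("all blocks must have the same length")
    return bytes(reduce(lambda x, y: x ^ y, col) for col in zip(*blocks))

def build_array(data_disks: list[bytes]) -> list[bytes | None]:
    """Return the data disks with one parity disk (their XOR) appended."""
    return list(data_disks) + [xor_bytes(*data_disks)]

def verify(array: list[bytes]) -> bool:
    """Parity check: XOR across every disk, parity included, must be all zero."""
    return not any(xor_bytes(*array))

def rebuild(array: list[bytes | None]) -> list[bytes]:
    """Reconstruct the single disk marked None from the surviving disks.
    Single parity covers exactly one failure; two failures are unrecoverable."""
    missing = [i for i, disk in enumerate(array) if disk is None]
    if len(missing) != 1:
        raise ValueError(f"can rebuild exactly one failed disk, found {len(missing)}")
    survivors = [disk for disk in array if disk is not None]
    repaired = list(array)
    repaired[missing[0]] = xor_bytes(*survivors)   # missing disk = XOR of the rest
    return repaired

if __name__ == "__main__":
    # Constructed stripe: three 8-byte data blocks, one per disk.
    array = build_array([b"ledger01", b"payroll2", b"invoice3"])
    assert verify(array)
    array[1] = None                     # simulate the loss of disk 1
    print("rebuilt disk 1:", rebuild(array)[1])   # b'payroll2'
```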


Audit Procedures: The Computer Center

• The auditor must verify that physical controls and insurance coverage are adequate.
• Procedures include:
  - Tests of physical construction
  - Tests of the fire detection system
  - Tests of access control
  - Tests of RAID
  - Tests of the uninterruptible power supply
  - Tests of insurance coverage

Disaster Recovery Planning

A disaster recovery plan is a statement of all actions to be taken before, during and after any type of disaster.

Disaster Recovery Planning

• Four common features:

1. Identify critical applications:
  - Short-term survival requires restoration of cash-flow-generating functions
  - Applications supporting those functions should be identified and prioritized in the restoration plan
  - The task of identifying critical items and prioritizing applications requires active participation of user departments, accountants and auditors

Disaster Recovery Planning

2. Create a disaster recovery team:
  - Team members should be experts in their areas and have assigned tasks.

3. Provide second-site backup:
  - A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster.

4. Specify backup and off-site storage procedures:
  - All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.

Second-site Backups

• A mutual aid pact is an agreement between organizations to aid each other with data processing in a disaster.
• An empty shell or cold site plan involves obtaining a building to serve as a data center in a disaster.
  - Recovery depends on timely availability of hardware
• A recovery operations center or hot site plan is a fully equipped site that many companies share.
• Internally provided backup may be preferred by organizations with many data processing centers.

DRP Audit Procedures

• To verify that the DRP is a realistic solution, the following tests may be performed:
  - Evaluate the adequacy of backup site arrangements
  - Review the list of critical applications for completeness
  - Verify copies of critical applications and operating systems are stored off-site
  - Verify critical data files are backed up in accordance with the DRP
  - Verify that the types and quantities of items specified in the DRP exist in a secure location
  - Verify disaster recovery team members are current employees and aware of their assigned responsibilities
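Three of the tests above (completeness of the critical-application list, off-site backups taken per the DRP, and DR team members who are current employees) turned into automated checks, as an added example that is not from Hall's text. The DRP contents, backup log and HR roster are all constructed sample evidence.

```python
from datetime import datetime, timedelta

# Constructed DRP: each critical application names the cash-flow function
# it supports and the maximum age (hours) of its off-site backup.
DRP = {
    "critical_apps": {
        "billing":   {"function": "invoicing",   "backup_hours": 24},
        "ar_ledger": {"function": "collections", "backup_hours": 24},
        "payroll":   {"function": "payroll",     "backup_hours": 72},
    },
    "cash_flow_functions": ["invoicing", "collections", "payroll", "order_entry"],
    "dr_team": ["alice", "bob", "carol"],
}
# Constructed backup log entries: (application, completed at, storage location)
BACKUP_LOG = [
    ("billing",   "2024-03-10T01:00", "offsite"),
    ("ar_ledger", "2024-03-08T01:00", "offsite"),
    ("payroll",   "2024-03-10T02:00", "onsite"),
]
CURRENT_EMPLOYEES = {"alice", "carol", "dave"}   # constructed HR roster
AUDIT_TIME = datetime(2024, 3, 10, 9, 0)

def audit_drp(drp, backup_log, employees, now):
    """Run the DRP tests and return a list of findings (empty = all passed)."""
    findings = []
    apps = drp["critical_apps"]
    # Completeness: every cash-flow function must map to a critical application.
    covered = {spec["function"] for spec in apps.values()}
    for fn in drp["cash_flow_functions"]:
        if fn not in covered:
            findings.append(f"no critical application listed for function '{fn}'")
    # Backups: the newest off-site copy of each app must be within its allowed age.
    for app, spec in apps.items():
        offsite = [datetime.fromisoformat(t) for a, t, loc in backup_log
                   if a == app and loc == "offsite"]
        if not offsite:
            findings.append(f"{app}: no off-site backup on record")
        elif now - max(offsite) > timedelta(hours=spec["backup_hours"]):
            findings.append(f"{app}: last off-site backup older than {spec['backup_hours']}h")
    # DR team: every named member must still be a current employee.
    for member in drp["dr_team"]:
        if member not in employees:
            findings.append(f"DR team member '{member}' is not a current employee")
    return findings

if __name__ == "__main__":
    for finding in audit_drp(DRP, BACKUP_LOG, CURRENT_EMPLOYEES, AUDIT_TIME):
        print("FINDING:", finding)
```

With the constructed evidence the run reports four findings: no application for order_entry, a stale ar_ledger backup, no off-site payroll copy, and a DR team member who has left.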
