CHAPTER 2 AUDITING IT GOVERNANCE CONTROL

Information technology (IT) governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.

Key objectives of IT governance are to reduce risk and to ensure that investments in IT resources add value to the corporation.

IT Governance Controls

1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION

Two approaches: the centralized approach and the distributed approach.

Centralized Data Processing: all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.

See fig 2.1 and fig 2.2.

The DBA (database administrator) is responsible for the security and integrity of the database.

Data processing manages the computer resources used to perform the day-to-day processing of transactions:
• Data conversion (transcribes transaction data from hard-copy source documents into computer input)
• Computer operation (the electronic files produced in data conversion are later processed by the central computer)
• Data library (a room adjacent to the computer center that provides safe storage for the off-line data files)

System development and maintenance: systems professionals include systems analysts, database designers, and programmers who design and build the system. Systems professionals gather facts about the user’s problem, analyze the facts, and formulate a solution. The product of their efforts is a new information system.

End users are those for whom the system is built. They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities.

Stakeholders are individuals inside or outside the firm who have an interest in the system, but are not end users. They include accountants, internal auditors, external auditors, and others who oversee systems development.

Segregation of Incompatible IT Functions

Separate transaction authorization from transaction processing.

Separate record keeping from asset custody.

Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.

Separating Systems Development from Computer Operations

Separating Database Administration from Other Functions

Separating New Systems Development from Maintenance
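The five separations above can be expressed as a list of incompatible function pairs and checked mechanically against a role assignment extract. The following is an added example, not code from the chapter or its author; the function names, the role labels and the sample assignments are constructed for illustration, and the optional compensated-users set stands in for the documented supervision an auditor would accept where segregation is economically infeasible.

```python
"""Segregation-of-duties conflict check over a role assignment extract.

Added example: the INCOMPATIBLE_PAIRS set encodes the separations listed in
the chapter; everything else (labels, names, assignments) is constructed.
"""
from itertools import combinations

# Function pairs the chapter treats as incompatible when held by one person.
INCOMPATIBLE_PAIRS = {
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"record_keeping", "asset_custody"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
}

# Constructed sample extract: user -> set of IT functions held (not real data).
SAMPLE_ASSIGNMENTS = {
    "alice": {"systems_analyst", "new_systems_development"},
    "bob": {"computer_operations"},
    "carol": {"database_administration", "computer_operations"},     # conflict
    "dave": {"transaction_authorization", "transaction_processing"},  # conflict
    "erin": {"new_systems_development", "systems_maintenance"},      # conflict
    "frank": {"record_keeping"},
}


def find_sod_conflicts(assignments, compensated=frozenset()):
    """Return a sorted list of (user, function_a, function_b) for every
    incompatible pair held by the same individual.

    Users in `compensated` (those with a documented compensating control
    such as supervisory monitoring) are reported separately and excluded.
    """
    conflicts = []
    for user, functions in assignments.items():
        if user in compensated:
            continue
        for a, b in combinations(sorted(functions), 2):
            if frozenset({a, b}) in INCOMPATIBLE_PAIRS:
                conflicts.append((user, a, b))
    return sorted(conflicts)


def users_with_conflicts(assignments, compensated=frozenset()):
    """Distinct users holding at least one unmitigated incompatible pair."""
    return sorted({c[0] for c in find_sod_conflicts(assignments, compensated)})


if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{user}: holds both {a} and {b}")
```

Feeding the check a real extract (from an HR system or directory group membership) turns the organizational-chart review into a repeatable test; the compensated set documents, rather than hides, the exceptions accepted in a distributed environment.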

The Distributed Model

DDP (distributed data processing) involves reorganizing the central IT function into small IT units that are placed under the control of end users.

The IT units may be distributed according to business function, geographic location, or both.

See fig 2.4, alternatives A and B.

Risks associated with DDP

• Inefficient Use of Resources
• Destruction of Audit Trails
• Inadequate Segregation of Duties
• Hiring Qualified Professionals
• Lack of Standards

Advantages of DDP

• Cost Reductions
• Improved Cost Control Responsibility
• Improved User Satisfaction
• Backup Flexibility

Controlling the DDP Environment

• Implement a Corporate IT Function
• Central Testing of Commercial Software and Hardware
• User Services
• Standard-Setting Body
• Personnel Review

Audit Objective: to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment.

Audit Procedures for Centralized IT Function

Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.

Review systems documentation and maintenance records for a sample of applications.

Verify that computer operators do not have access to the operational details of a system’s internal logic.

Through observation, determine that segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.
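The access-log review in the last procedure is a join between two records: who badged into the operations room, and whether a system failure was open at that moment. Below is an added example that automates that comparison; it is not code from the chapter, and the log format, the ticket fields and all sample lines are constructed for illustration.

```python
"""Operations-room access log review against system-failure tickets.

Added example with constructed data: flags programmer entries that are not
covered by an open failure ticket, i.e. visits that need an explanation.
"""
from datetime import datetime

# Constructed badge-reader log: timestamp, badge holder, job function, event.
ACCESS_LOG = """\
2024-03-04T08:05:00 bob operator entry
2024-03-04T09:12:00 alice programmer entry
2024-03-04T09:40:00 alice programmer exit
2024-03-04T14:30:00 carol programmer entry
2024-03-04T15:10:00 carol programmer exit
2024-03-05T02:15:00 alice programmer entry
2024-03-05T02:50:00 alice programmer exit
"""

# Constructed system-failure tickets: (ticket id, opened, closed).
FAILURE_TICKETS = [
    ("INC-0001", "2024-03-04T14:20:00", "2024-03-04T15:30:00"),
    ("INC-0002", "2024-03-05T02:00:00", "2024-03-05T03:00:00"),
]


def parse_log(text):
    """Parse the constructed log format into (datetime, person, role, event)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, person, role, event = line.split()
        records.append((datetime.fromisoformat(ts), person, role, event))
    return records


def covering_ticket(when, tickets):
    """Return the id of a failure ticket open at `when`, or None."""
    for ticket_id, opened, closed in tickets:
        if datetime.fromisoformat(opened) <= when <= datetime.fromisoformat(closed):
            return ticket_id
    return None


def unexplained_programmer_entries(log_text, tickets):
    """Return [(timestamp_iso, person)] for every programmer entry into the
    operations room that no open failure ticket accounts for."""
    flagged = []
    for when, person, role, event in parse_log(log_text):
        if role != "programmer" or event != "entry":
            continue
        if covering_ticket(when, tickets) is None:
            flagged.append((when.isoformat(), person))
    return flagged


if __name__ == "__main__":
    for stamp, person in unexplained_programmer_entries(ACCESS_LOG, FAILURE_TICKETS):
        print(f"{stamp}: {person} entered with no open failure ticket")
```

In the sample, carol's afternoon visit and alice's night visit each fall inside a ticket window, while alice's morning entry does not and is reported for follow-up with the operations manager.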

Audit Procedures for Distributed IT Function

Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.

Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.

Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.

Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.

THE COMPUTER CENTER

• Physical Location
• Construction
• Access
• Air Conditioning
• Fire Suppression
• Fault Tolerance

Audit Objectives: the auditor must verify that:
• Physical security controls are adequate to reasonably protect the organization from physical exposures
• Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center

Audit Procedures
• Tests of Physical Construction
• Tests of the Fire Detection System
• Tests of Access Control
• Tests of RAID
• Tests of the Uninterruptible Power Supply
• Tests for Insurance Coverage

DISASTER RECOVERY PLANNING

Disasters such as earthquakes, floods, sabotage, and even power failures can be catastrophic to an organization’s computer center and information systems.

See fig 2.6. A DRP is a comprehensive statement of all actions to be taken before, during, and after any type of disaster:
• Identify critical applications
• Create a disaster recovery team
• Provide site backup
• Specify backup and off-site storage procedures

Identify Critical Applications

The task of identifying critical items and prioritizing applications requires the active participation of user departments, accountants, and auditors.

Creating a Disaster Recovery Team

depends on timely corrective action.

Providing Second-Site Backup

A mutual aid pact is an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster.

The empty shell or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center.

A recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share.

Internally Provided Backup

Audit Objective

The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures

• Site backup
• Critical application list
• Software backup
• Data backup
• Backup supplies, documents, and documentation
• Disaster recovery team

OUTSOURCING THE IT FUNCTION

Organizations outsource their IT functions to third-party vendors, who take over responsibility for the management of IT assets and staff and for the delivery of IT services, such as data entry, data center operations, applications development, applications maintenance, and network management.

Benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor’s expertise), and reduced IT costs.

Risks Inherent to IT Outsourcing

• Failure to Perform
• Vendor Exploitation
• Outsourcing Costs Exceed Benefits
• Reduced Security
• Loss of Strategic Advantage

Audit Implications of IT Outsourcing

Statement on Auditing Standards No. 70 (SAS 70) is the definitive standard by which client organizations’ auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client’s financial statements.