Information technology (IT) governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.
Key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation.
IT Governance Controls
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION
The IT function may be organized under the centralized approach or the distributed approach.
Centralized Data Processing: all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
See fig 2.1 and fig 2.2.
DBA is responsible for the security and integrity of the database.
Data processing manages the computer resources used to perform the day-to-day processing of transactions:
• Data conversion (transcribes transaction data from hard-copy source documents into computer input)
• Computer operation (the electronic files produced in data conversion are later processed by the central computer)
• Data library (a room adjacent to the computer center that provides safe storage for the off-line data files)
System development and maintenance: systems professionals include systems analysts, database designers, and programmers who design and build the system. Systems professionals gather facts about the user's problem, analyze the facts, and formulate a solution. The product of their efforts is a new information system.
End users are those for whom the system is built. They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities.
Stakeholders are individuals inside or outside the firm who have an interest in the system, but are not end users. They include accountants, internal auditors, external auditors, and others who oversee systems development.
Segregation of Incompatible IT Functions
• Separate transaction authorization from transaction processing.
• Separate record keeping from asset custody.
• Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.
Separating Systems Development from Computer Operations
Separating Database Administration from Other Functions
Separating New Systems Development from Maintenance
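The incompatible-function pairs listed above can be checked mechanically against a role-assignment matrix, both as a detective control (who already holds a conflicting combination) and as a preventive one (would a new grant create a conflict). The following Python is an added example and is not code from these notes or from the textbook they summarize; the function names, the user names and every assignment are constructed for illustration, and the pairs encoded are the ones the notes name.

```python
"""Segregation-of-duties (SoD) check over a role-assignment matrix.

Added example, not code from the original notes. The incompatible pairs are
the ones the notes list; every user name and assignment below is constructed
sample data.
"""
from itertools import combinations

# IT functions the notes say must not be combined in one person.
INCOMPATIBLE_PAIRS = frozenset({
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"record_keeping", "asset_custody"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
})

# Constructed sample: user -> functions currently assigned.
SAMPLE_ASSIGNMENTS = {
    "alice": {"systems_development", "computer_operations"},      # conflict
    "bob": {"database_administration"},
    "carol": {"new_systems_development", "systems_maintenance"},  # conflict
    "dave": {"record_keeping", "transaction_processing"},         # allowed
    "erin": {"transaction_authorization"},
}


def find_sod_conflicts(assignments, incompatible=INCOMPATIBLE_PAIRS):
    """Detective check: map each user to the incompatible pairs they hold.

    Returns {user: [(function_a, function_b), ...]} with each pair sorted so
    the output is stable; users with no conflict are omitted.
    """
    conflicts = {}
    for user, functions in assignments.items():
        hits = [
            (a, b)
            for a, b in combinations(sorted(functions), 2)
            if frozenset({a, b}) in incompatible
        ]
        if hits:
            conflicts[user] = hits
    return conflicts


def would_create_conflict(current, new_function, incompatible=INCOMPATIBLE_PAIRS):
    """Preventive check at provisioning time: would granting `new_function`
    to someone who already holds `current` put an incompatible pair in one
    person?"""
    return any(frozenset({held, new_function}) in incompatible for held in current)


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for a, b in pairs:
            print(f"{user}: holds both {a} and {b}")
    # A DBA asking for computer-operations access is refused by the rule set.
    print(would_create_conflict({"database_administration"}, "computer_operations"))
```

Where full segregation is economically infeasible (a small distributed unit, for instance), the conflicts this returns are the list for which compensating controls such as supervision and management monitoring need to be documented.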
The Distributed Model
DDP involves reorganizing the central IT function into small IT units that are placed under the control of end users.
The IT units may be distributed according to business function, geographic location, or both.
See fig 2.4, alternatives A and B.
Risks associated with DDP
• Inefficient Use of Resources
• Destruction of Audit Trails
• Inadequate Segregation of Duties
• Hiring Qualified Professionals
• Lack of Standards
Advantages of DDP
• Cost Reductions
• Improved Cost Control Responsibility
• Improved User Satisfaction
• Backup Flexibility
Controlling the DDP Environment
• Implement a Corporate IT Function
• Central Testing of Commercial Software and Hardware
• User Services
• Standard-Setting Body
• Personnel Review
Audit Objective: to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment.
Audit Procedures for Centralized IT Function
• Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
• Review systems documentation and maintenance records for a sample of applications.
• Verify that computer operators do not have access to the operational details of a system's internal logic.
• Through observation, determine that segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.
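The last procedure, reviewing operations room access logs for programmer entries not explained by a system failure, is one an auditor can run over a badge-reader export rather than by hand. The Python below is an added example, not part of these notes; the log format, the badge records, the holder names and the incident window are all constructed, and the function names are the example's own. It joins each entry to the incident log and reports programmer entries that fall outside every system-failure window.

```python
"""Review of operations-room access logs for programmer entries that do not
coincide with a system failure. Added example, not from the notes: the log
format, every log line and the incident windows are constructed."""
from datetime import datetime

# Constructed badge-reader export: timestamp, badge id, holder, job role.
ACCESS_LOG = """\
2024-03-04T01:05:00,B-0412,j.smith,operator
2024-03-04T02:15:00,B-0907,l.chen,programmer
2024-03-04T09:30:00,B-0907,l.chen,programmer
2024-03-04T14:00:00,B-0221,m.ortiz,dba
2024-03-05T03:40:00,B-0915,r.patel,programmer
"""

# Constructed system-failure incidents: (incident id, window start, window end).
INCIDENTS = [
    ("INC-1001", datetime(2024, 3, 4, 1, 50), datetime(2024, 3, 4, 3, 0)),
]


def parse_access_log(text):
    """Parse the constructed CSV export into dicts with a datetime timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, holder, role = line.split(",")
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "badge": badge,
            "holder": holder,
            "role": role,
        })
    return entries


def covering_incident(ts, incidents):
    """Return the id of the incident whose window contains ts, else None."""
    for inc_id, start, end in incidents:
        if start <= ts <= end:
            return inc_id
    return None


def flag_programmer_entries(entries, incidents, roles=("programmer",)):
    """Entries by the given roles that no system-failure window explains.

    Each flagged entry is an exception the auditor should follow up with a
    documented reason (change ticket, supervised visit, etc.).
    """
    return [
        e for e in entries
        if e["role"] in roles and covering_incident(e["ts"], incidents) is None
    ]


def exceptions_by_holder(flagged):
    """Count unexplained entries per badge holder for the audit workpaper."""
    counts = {}
    for e in flagged:
        counts[e["holder"]] = counts.get(e["holder"], 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_access_log(ACCESS_LOG)
    flagged = flag_programmer_entries(entries, INCIDENTS)
    for e in flagged:
        print(f"{e['ts'].isoformat()} {e['holder']} ({e['badge']}): no matching incident")
    print(exceptions_by_holder(flagged))
```

The 02:15 entry by l.chen is inside the INC-1001 window and is not reported; the 09:30 entry by the same person and the 03:40 entry by r.patel have no incident to explain them and are the items to raise with management.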
Audit Procedures for Distributed IT Function
• Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.
• Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
• Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
• Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.
THE COMPUTER CENTER
• Physical Location
• Construction
• Access
• Air Conditioning
• Fire Suppression
• Fault Tolerance
Audit Objectives: the auditor must verify that:
• Physical security controls are adequate to reasonably protect the organization from physical exposures
• Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center
Audit Procedures
• Tests of Physical Construction
• Tests of the Fire Detection System
• Tests of Access Control
• Tests of RAID
• Tests of the Uninterruptible Power Supply
• Tests for Insurance Coverage
DISASTER RECOVERY PLANNING
Disasters such as earthquakes, floods, sabotage, and even power failures can be catastrophic to an organization's computer center and information systems.
See fig 2.6. A DRP is a comprehensive statement of all actions to be taken before, during, and after any type of disaster:
• Identify critical applications
• Create a disaster recovery team
• Provide site backup
• Specify backup and off-site storage procedures
Identify Critical Applications
The task of identifying critical items and prioritizing applications requires the active participation of user departments, accountants, and auditors.
Providing Second-Site Backup
A mutual aid pact is an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster.
The empty shell or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center.
A recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share.
Internally Provided Backup
Audit Objective
The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.
Audit Procedures
• Site backup
• Critical application list
• Software backup
• Data backup
• Backup supplies, documents, and documentation
• Disaster recovery team
OUTSOURCING THE IT FUNCTION
Organizations outsource their IT functions to third-party vendors who take over responsibility for the management of IT assets and staff and for delivery of IT services, such as data entry, data center operations, applications development, applications maintenance, and network management.
Benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor's expertise), and reduced IT costs.
Risks Inherent to IT Outsourcing
• Failure to Perform
• Vendor Exploitation
• Outsourcing Costs Exceed Benefits
• Reduced Security
• Loss of Strategic Advantage
Audit Implications of IT Outsourcing
Statement on Auditing Standards No. 70 (SAS 70) is the definitive standard by which client organizations' auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client's financial statements.