7/25/2019 Auditing IT Governance Controls Chapter 2 - Presentation http://slidepdf.com/reader/full/auditing-it-governance-controls-chapter-2-presentation AUDITING IT GOVERNANCE CONTROLS

Auditing IT Governance Controls Chapter 2 - Presentation

  • Upload
    saracsm


TABLE OF CONTENTS

Definition of IT Governance
IT Governance Controls
Structure of the Information Technology Function
Centralized Data Processing
Database Administration
Data Processing
Systems Development & Maintenance
Segregation of Incompatible IT Functions
Separating Systems Development from Computer Operations
Separating Database Administration from Other Functions
Distributed Data Processing
Risks Associated with DDP
Advantages Associated with DDP
Controlling the DDP Environment
The Computer Center
Identify Critical Applications
Creating a Disaster Recovery Team
Providing Second-Site Backup
Backup and Off-Site Storage Procedures
Outsourcing the IT Function
Risks Inherent to IT Outsourcing
Audit Implications of IT Outsourcing
SAS 70 Overview
SAS 70
Summary

Definition

Information technology (IT) governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.

Key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation.

IT Governance Controls

Three IT governance issues are addressed by SOX and the COSO internal control framework. These are:

- Organizational structure of the IT function

- Computer center operations

- Disaster recovery planning

Structure of the Information Technology Function

The organization of the IT function has implications for the audit.

- Centralized Data Processing

- Segregation of Incompatible IT Functions

- The Distributed Model

- Controlling the DDP Environment

Centralized Data Processing

Under the centralized data processing model, all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.

Figure 2.1

Illustrates this approach, in which IT services activities are consolidated and managed as a shared organization resource.

Figure 2.2

Illustrates a centralized IT services structure and shows its primary service areas: database administration, data processing, and systems development and maintenance.

Database Administration

Centrally organized companies maintain their data resources in a central location that is shared by all users.

Data Processing

The data processing group manages the computer resources used to perform the day-to-day processing of transactions. It consists of the following organizational functions: data conversion, computer operations, and data library.

Systems Development and Maintenance

The information systems needs of users are met by two related functions: system development and systems maintenance. The former group is responsible for analyzing user needs and for designing new systems to satisfy those needs. The participants in system development activities include systems professionals, end users, and stakeholders. Once a new system has been designed and implemented, the systems maintenance group assumes responsibility for keeping it current with user needs.

Segregation of Incompatible IT Functions

Specifically, operational tasks should be segregated to:

- Separate transaction authorization from transaction processing.

- Separate record keeping from asset custody.

- Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.

Separating Systems Development from Computer Operations

The segregation of systems development and operations activities is of the greatest importance. The relationship between these groups should be extremely formal, and their responsibilities should not be commingled.

Separating Database Administration from Other Functions

Another important organizational control is the segregation of the database administrator (DBA) from other computer center functions. The DBA function is responsible for a number of critical tasks pertaining to security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion.

Distributed Data Processing

The topic of DDP is quite broad, touching upon such related topics as end-user computing, commercial software, networking, and office automation. DDP involves reorganizing the central IT function into small IT units that are placed under the control of end users. The IT units may be distributed according to business function, geographic location, or both. The degree to which they are distributed will vary depending upon the philosophy and objectives of the organization's management.

Distributed Data Processing

Alternative A is actually a variant of the centralized model.

This eliminates the need for a centralized data conversion group, since the users now perform this task. Systems development, computer operations, and database administration remain centralized.

[Figure: Centralized Computer Services (Database, Systems Development, Processing) serving the Accounting Function, Marketing Function, Finance Function, and Production Function]

Distributed Data Processing

Alternative B is a significant departure from the centralized model. This alternative distributes all computer services to the end users, where they operate as standalone units.

The result is the elimination of the central IT function from the organizational structure.

[Figure: Marketing Function, Accounting Function, Production Function, and Finance Function as standalone units]

Risks Associated with DDP

1. Inefficient Use of Resources

   a. Risk of mismanagement of organization-wide IT resources by end users

   b. Increased risk of operational inefficiencies because of redundant tasks being performed within the end-user committee

   c. Risk of incompatible hardware and software among end-user functions

2. Destruction of Audit Trails

   If an end user inadvertently deletes one of the files, the audit trail could be destroyed and unrecoverable. If an end user inserts transaction errors into an audit trail file, it could become corrupted.

Risks Associated with DDP

3. Inadequate Segregation of Duties

   Distributing IT services to users may result in the creation of small independent units that do not permit the desired separation of incompatible functions.

4. Hiring Qualified Professionals

   The risk of programming errors and system failures increases directly with the level of employee incompetence.

5. Lack of Standards

   Operation of DDP systems is made tolerable only if such standards are consistently applied.

Advantages Associated with DDP

1. Cost Reductions

   Data can be edited and entered by the end user, thus eliminating the centralized task of data preparation. Application complexity can be reduced, thus reducing systems development and maintenance costs.

2. Improved Cost Control Responsibility

   Improved management attitudes more than outweigh any additional costs incurred from distributing these resources.

3. Improved User Satisfaction

   Users want to become more actively involved in developing and implementing their own systems.

4. Backup Flexibility

   Backup computing facilities protect against potential disasters such as fires, floods, sabotage, and earthquakes.

Controlling the DDP Environment

1. Implement a Corporate IT Function

   The corporate IT group provides systems development and database management for entity-wide systems in addition to technical advice and expertise to the distributed IT community.

2. Central Testing of Commercial Software and Hardware

   Test results can be distributed to user areas as standards for guiding

Controlling the DDP Environment

3. User Services

   A valuable feature of the corporate group is its user services function.

4. Standard-Setting Body

   The corporate group can contribute to this goal by establishing and distributing to user areas appropriate standards for systems development, programming, and documentation.

5. Personnel Review

   The involvement of the corporate group in employment decisions can render a valuable service to the organization.

The Computer Center

Computer center risks and the controls that help to mitigate risk and create a secure environment:

1. Physical Location

   The physical location of the computer center directly affects the risk of destruction from natural or man-made disasters.

2. Construction

   The computer center should be located in a single-story building of solid construction with controlled access.

3. Access

   Access to the computer center should be limited to the operators and other employees who work there.

The Computer Center

4. Air Conditioning

   Computers function best in an air-conditioned environment.

5. Fire Suppression

   Fire is the most serious threat to a firm's computer environment.

6. Fault Tolerance

   The ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.

Identify Critical Applications

The first essential element of a DRP is to identify the firm's critical applications and associated data files. Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization. Obviously, over the long term, all applications must be restored to predisaster business activity levels. The DRP, however, is a short-term document that should not attempt to restore the organization's data processing facility to full capacity immediately following the disaster. To do so would divert resources away from critical areas and delay recovery. The plan should therefore focus on short-term survival, which is at risk in any disaster scenario.

Identify Critical Applications

For most organizations, short-term survival requires the restoration of those functions that generate cash flows sufficient to satisfy short-term obligations. For example, assume that the following functions affect the cash flow position of a particular firm:

- Customer sales and service

- Fulfillment of legal obligations

- Accounts receivable maintenance and collection

- Production and distribution decisions

- Purchasing functions

- Cash disbursements (trade accounts and payroll)

Creating a Disaster Recovery Team

Recovering from a disaster depends on timely corrective action. Delays in performing essential tasks prolong the recovery period and diminish the prospects for a successful recovery. To avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved.

Disaster Recovery Team

[Figure: Disaster recovery team organization chart. The DRP Team Coordinator (VP Operations) heads three groups: the Second Site Facilities Group, the Program and Data Backup Group, and the Data Conversion and Data Control Group. Positions shown: DP Manager, Systems Development Manager, Plant Engineer, Computer Operations Manager, Teleprocessing Manager, Internal Audit Representative, Senior Systems Programmer, User Department Representative, Senior Maintenance Programmer, Systems Maintenance Manager, Manager Data Conversion, Manager Data Control, Data Conversion Shift Supervisor.]

Providing Second-Site Backup

A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. Among the options available, the most common are mutual aid pact, empty shell or cold site, recovery operations center or hot site, and internally provided backup. Each of these is discussed in the following sections.

Mutual Aid Pact is an agreement between two or more organizations to aid each other with their data processing needs in the event of a disaster.

EMPTY SHELL or COLD SITE PLAN is an arrangement wherein the company buys or leases a building that will serve as a data center.

RECOVERY OPERATIONS CENTER (ROC) or HOT SITE is a fully equipped backup data center that many companies share.

INTERNALLY PROVIDED BACKUP: Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides.

Backup and Off-Site Storage Procedures

All data files, applications, documentation, and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.

Operating System Backup: If the company uses a cold site or other method of site backup that does not include a compatible operating system (OS), procedures for obtaining a current version of the operating system need to be clearly specified.

Application Backup: Based on results obtained in the critical applications step discussed previously, the DRP should include procedures to create copies of current versions of critical applications.

Backup Data Files: The state of the art in database backup is the remote mirrored site, which provides complete data currency.

Backup Documentation: The system documentation for

Backup and Off-Site Storage Procedures

Backup Supplies and Source Documents: The organization should create backup inventories of supplies and source documents used in processing critical transactions.

Testing the DRP: The most neglected aspect of contingency planning is testing the DRP. Nevertheless, DRP tests are important and should be performed periodically. Tests measure the preparedness of personnel and identify omissions or bottlenecks in the plan.

Audit Objective: The auditor should verify that management's disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures: In verifying that management's DRP is a realistic solution for dealing with a catastrophe, the following tests may be performed.

Backup and Off-Site Storage Procedures

Site Backup: The auditor should evaluate the adequacy of the backup site arrangement.

Critical Application List: The auditor should review the list of critical applications to ensure that it is complete.

Software Backup: The auditor should verify that copies of critical applications and operating systems are stored off-site.

Data Backup: The auditor should verify that critical data files are backed up in accordance with the DRP.

Backup Supplies, Documents, and Documentation: The system documentation, supplies, and source documents needed to process critical transactions should be backed up and stored off-site.

Disaster Recovery Team: The DRP should clearly list the names, addresses, and emergency telephone numbers of the disaster recovery team members.

Outsourcing the IT Function

The costs, risks, and responsibilities associated with maintaining an effective corporate IT function are significant. Benefits of IT outsourcing include improved core business performance, improved IT performance, and reduced IT costs.

Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions.

Transaction Cost Economics (TCE) theory is in conflict with the core competency school by suggesting that firms should retain certain specific non-core IT assets in-house. Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement.

Risks Inherent to IT Outsourcing

Large-scale IT outsourcing events are risky endeavors, partly because of the sheer size of these financial deals, but also because of their nature. The level of risk is related to the degree of asset specificity of the outsourced function. The following sections outline some well-documented issues.

FAILURE TO PERFORM: Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance.

VENDOR EXPLOITATION: Large-scale IT outsourcing involves transferring to a vendor "specific assets," such as the design, development, and maintenance of unique business applications that are critical to an organization's survival.

OUTSOURCING COSTS EXCEED BENEFITS: Outsourcing has been criticized on the grounds that unexpected costs arise and the full extent of expected benefits is not realized.

REDUCED SECURITY: Information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data.

LOSS OF STRATEGIC ADVANTAGE: IT outsourcing may affect incongruence between the firm's IT strategic planning and its business planning functions.

Audit Implications of IT Outsourcing

Management may outsource its organization's IT functions, but it cannot outsource its management responsibilities under SOX for ensuring adequate IT internal controls. The PCAOB specifically states in its Auditing Standard No. 2, "The use of a service organization does not reduce management's responsibility to maintain effective internal control over financial reporting."

SAS 70

Statement on Auditing Standard No. 70 (SAS 70) is the definitive standard by which client organizations' auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client's financial statements.