7/25/2019 Auditing IT Governance Controls Chapter 2 - Presentation
http://slidepdf.com/reader/full/auditing-it-governance-controls-chapter-2-presentation 1/41
AUDITING IT GOVERNANCE CONTROLS
TABLE OF CONTENTS
Definition of IT Governance
IT Governance Controls
Structure of the Information Technology Function
Centralized Data Processing
Database Administration
Data Processing
Systems Development and Maintenance
Segregation of Incompatible IT Functions
Separating Systems Development from Computer Operations
Separating Database Administration from Other Functions
Distributed Data Processing
Risks Associated with DDP
Advantages Associated with DDP
Controlling the DDP Environment
The Computer Center
Identify Critical Applications
Creating a Disaster Recovery Team
Providing Second-Site Backup
Backup and Off-Site Storage Procedures
Outsourcing the IT Function
Risks Inherent to IT Outsourcing
Audit Implications of IT Outsourcing
SAS 70 Overview
SAS 70
Summary
Definition
Information technology (IT) governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.
Key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation.
IT Governance Controls
Three IT governance issues are addressed by SOX and the COSO internal control framework. These are:
• Organizational structure of the IT function
• Computer center operations
• Disaster recovery planning
Structure of the Information Technology Function
The organization of the IT function has implications for the audit. The topics covered are:
• Centralized Data Processing
• Segregation of Incompatible IT Functions
• The Distributed Model
• Controlling the DDP Environment
Centralized Data Processing
Under the centralized data processing model, all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
Figure 2.1
Illustrates this approach, in which IT services activities are consolidated and managed as a shared organizational resource.
Figure 2.2
Illustrates a centralized IT services structure and shows its primary service areas: database administration, data processing, and systems development and maintenance.
Database Administration
Centrally organized companies maintain their data resources in a central location that is shared by all users.
Data Processing
The data processing group manages the computer resources used to perform the day-to-day processing of transactions. It consists of the following organizational functions: data conversion, computer operations, and the data library.
Systems Development and Maintenance
The information systems needs of users are met by two related functions: systems development and systems maintenance. The former group is responsible for analyzing user needs and for designing new systems to satisfy those needs. The participants in systems development activities include systems professionals, end users, and stakeholders. Once a new system has been designed and implemented, the systems maintenance group assumes responsibility for keeping it current with user needs.
Segregation of Incompatible IT Functions
Specifically, operational tasks should be segregated to:
• Separate transaction authorization from transaction processing
• Separate record keeping from asset custody
• Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible
Separating Systems Development from Computer Operations
The segregation of systems development and operations activities is of the greatest importance. The relationship between these groups should be extremely formal, and their responsibilities should not be commingled.
Separating Database Administration from Other Functions
Another important organizational control is the segregation of the database administrator (DBA) from other computer center functions. The DBA function is responsible for a number of critical tasks pertaining to security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion.
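The three segregation rules above (authorization vs. processing, record keeping vs. asset custody, systems development vs. computer operations, and the DBA vs. every other computer center function) are what an auditor actually tests against an access listing. The following script is an added example, not part of the original presentation: it takes a constructed user-to-function listing of the kind exported from an IAM system or application role table, flags every user who alone holds an incompatible pair, and, for a given pair, lists which users would have to collude to complete it. The user names, function labels and assignments are hypothetical.

```python
"""Segregation-of-duties check over an access listing (added example)."""
from itertools import combinations

# Computer center functions that the text says must be kept apart from the DBA.
COMPUTER_CENTER_FUNCTIONS = {
    "systems_development", "systems_maintenance", "computer_operations",
    "data_conversion", "data_library",
}

# Incompatible pairs taken from the text: authorization vs. processing,
# record keeping vs. asset custody, development vs. operations, and
# database administration vs. every other computer center function.
INCOMPATIBLE_PAIRS = {
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"record_keeping", "asset_custody"}),
    frozenset({"systems_development", "computer_operations"}),
} | {frozenset({"database_administration", f}) for f in COMPUTER_CENTER_FUNCTIONS}

# Constructed access listing: hypothetical users and the functions they hold.
SAMPLE_ACCESS = {
    "alice": {"systems_development", "systems_maintenance"},
    "bob":   {"computer_operations", "data_library"},
    "carol": {"database_administration", "systems_development"},
    "dave":  {"transaction_authorization", "transaction_processing"},
    "erin":  {"record_keeping"},
}


def find_sod_violations(access):
    """Return {user: [(function_a, function_b), ...]} for every incompatible pair a single user holds."""
    violations = {}
    for user, functions in access.items():
        hits = [(a, b) for a, b in combinations(sorted(functions), 2)
                if frozenset({a, b}) in INCOMPATIBLE_PAIRS]
        if hits:
            violations[user] = hits
    return violations


def find_collusion_risk(access, pair):
    """Return sorted (user_a, user_b) tuples who together complete the given incompatible pair.

    Nobody in such a tuple violates SoD alone; the text's point is that fraud
    should then require collusion, so the auditor can check whether these
    users share a manager or a location.
    """
    a, b = pair
    holders_a = {u for u, f in access.items() if a in f}
    holders_b = {u for u, f in access.items() if b in f}
    return sorted((x, y) for x in holders_a for y in holders_b if x != y)


if __name__ == "__main__":
    for user, hits in find_sod_violations(SAMPLE_ACCESS).items():
        for a, b in hits:
            print(f"SoD violation: {user} holds both {a} and {b}")
    print("collusion pairs (dev/ops):",
          find_collusion_risk(SAMPLE_ACCESS, ("systems_development", "computer_operations")))
```

Systems development and systems maintenance are deliberately not treated as incompatible, because the text keeps them as two related functions rather than as a segregation requirement; add pairs to INCOMPATIBLE_PAIRS only from the organization's own control matrix.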
Distributed Data Processing
The topic of DDP is quite broad, touching upon such related topics as end-user computing, commercial software, networking, and office automation. DDP involves reorganizing the central IT function into small IT units that are placed under the control of end users. The IT units may be distributed according to business function, geographic location, or both. The degree to which they are distributed will vary depending upon the philosophy and objectives of the organization's management.
Alternative A is actually a variant of the centralized model. It eliminates the need for a centralized data conversion group, since the users now perform this task. Systems development, computer operations, and database administration remain centralized.
[Figure: Alternative A. Centralized computer services (database, systems development, processing) serving the Accounting, Marketing, Finance, and Production functions.]
Alternative B is a significant departure from the centralized model. This alternative distributes all computer services to the end users, where they operate as standalone units. The result is the elimination of the central IT function from the organizational structure.
[Figure: Alternative B. The Marketing, Accounting, Production, and Finance functions each operate as standalone units with no central IT function.]
Risks Associated with DDP
1. Inefficient Use of Resources
a. Risk of mismanagement of organization-wide IT resources by end users
b. Increased risk of operational inefficiencies because of redundant tasks being performed within the end-user community
c. Risk of incompatible hardware and software among end-user functions
2. Destruction of Audit Trails. If end users inadvertently delete one of the files, the audit trail could be destroyed and unrecoverable. If an end user inserts transaction errors into an audit trail file, it could become corrupted.
3. Inadequate Segregation of Duties. Distributing IT services to users may result in the creation of small independent units that do not permit the desired separation of incompatible functions.
4. Hiring Qualified Professionals. The risk of programming errors and system failures increases directly with the level of employee incompetence.
5. Lack of Standards. Operation of DDP systems is made tolerable only if such standards are consistently applied.
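Risk 2 above names two failure modes for an audit trail in end-user hands: a record silently deleted, and an erroneous record inserted or altered. A hash-chained audit trail makes both detectable, which is the minimum a control over a distributed audit trail needs. The following is an added example, not from the original presentation: every entry commits to the SHA-256 of the entry before it, so a deleted, inserted, reordered or edited record breaks the chain at a known position. The record layout, field names and sample transactions are constructed for illustration. Note the caveat in verify_trail: truncating the tail of the chain leaves it internally consistent, so the latest hash must also be recorded somewhere end users cannot write, for example by the central IT group.

```python
"""Tamper-evident audit trail using a SHA-256 hash chain (added example)."""
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry


def _digest(prev_hash, seq, record):
    """Hash the previous link, the sequence number and the canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{payload}".encode()).hexdigest()


def append_record(trail, record):
    """Append a copy of record, linked to the hash of the trail's last entry."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    seq = len(trail) + 1
    entry = {"seq": seq, "record": dict(record), "prev": prev_hash,
             "hash": _digest(prev_hash, seq, record)}
    trail.append(entry)
    return entry


def verify_trail(trail, expected_head=None):
    """Return (ok, first_bad_seq); first_bad_seq is None when the trail verifies.

    expected_head is the last hash as recorded outside end-user control. Without
    it, truncation of the tail is undetectable because a shortened chain is still
    internally consistent.
    """
    prev_hash = GENESIS
    for seq, entry in enumerate(trail, start=1):
        expected = _digest(prev_hash, seq, entry["record"])
        if entry["seq"] != seq or entry["prev"] != prev_hash or entry["hash"] != expected:
            return False, seq          # deletion, insertion, reordering or edit at this position
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(trail) + 1   # entries missing from the tail
    return True, None


# Constructed sample transactions (hypothetical user IDs and amounts).
SAMPLE_TXNS = [
    {"user": "u101", "action": "post_invoice", "amount": 1200.00},
    {"user": "u102", "action": "approve_payment", "amount": 1200.00},
    {"user": "u101", "action": "post_invoice", "amount": 80.50},
]


def build_trail(txns):
    """Build a fresh chained trail from a list of transaction records."""
    trail = []
    for txn in txns:
        append_record(trail, txn)
    return trail


if __name__ == "__main__":
    trail = build_trail(SAMPLE_TXNS)
    head = trail[-1]["hash"]          # store this where end users cannot write
    print("intact:", verify_trail(trail, head))
    del trail[1]                      # an end user deletes a record
    print("after deletion:", verify_trail(trail, head))
```

The chain detects tampering; it does not recover the lost records. Recovery still depends on the backup procedures covered later in this chapter.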
Advantages Associated with DDP
1. Cost Reduction. Data can be edited and entered by the end user, thus eliminating the centralized task of data preparation. Application complexity can be reduced, thus reducing systems development and maintenance costs.
2. Improved Cost Control Responsibility. Improved management attitudes more than outweigh any additional costs incurred from distributing these resources.
3. Improved User Satisfaction. Users want to become more actively involved in developing and implementing their own systems.
4. Backup Flexibility. Backup computing facilities protect against potential disasters such as fire, flood, sabotage and earthquakes.
Controlling the DDP Environment
1. Implement a Corporate IT Function. The corporate IT group provides systems development and database management for entity-wide systems, in addition to technical advice and expertise to the distributed IT community.
2. Central Testing of Commercial Software and Hardware. Test results can be distributed to user areas as standards for guidance.
3. User Services. A valuable feature of the corporate group is its user services function.
4. Standard-Setting Body. The corporate group can contribute to this goal by establishing and distributing to user areas appropriate standards for systems development, programming, and documentation.
5. Personnel Review. The involvement of the corporate group in employment decisions can render a valuable service to the organization.
The Computer Center
This section presents computer center risks and the controls that help to mitigate risk and create a secure environment.
1. Physical Location. The physical location of the computer center directly affects the risk of destruction due to natural or man-made disasters.
2. Construction. Computer centers should be located in a single-story building of solid construction with controlled access.
3. Access. Access to the computer center should be limited to the operators and other employees who work there.
4. Air Conditioning. Computers function best in an air-conditioned environment.
5. Fire Suppression. Fire is the most serious threat to a firm's computer environment.
6. Fault Tolerance. The ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.
Identify Critical Applications
The first essential element of a DRP is to identify the firm's critical applications and associated data files. Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization. Obviously, over the long term, all applications must be restored to pre-disaster business activity levels. The DRP, however, is a short-term document that should not attempt to restore the organization's data processing facility to full capacity immediately following the disaster. To do so would divert resources away from critical areas and delay recovery. The plan should therefore focus on short-term survival, which is at risk in any disaster scenario.
For most organizations, short-term survival requires the restoration of those functions that generate cash flow sufficient to satisfy short-term obligations. For example, assume that the following functions affect the cash flow position of a particular firm:
• Customer sales and service
• Fulfillment of legal obligations
• Accounts receivable maintenance and collection
• Production and distribution decisions
• Purchasing functions
• Cash disbursements (trade accounts and payroll)
Creating a Disaster Recovery Team
Recovering from a disaster depends on timely corrective action. Delays in performing essential tasks prolong the recovery period and diminish the prospects for a successful recovery. To avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved.
Disaster Recovery Team
[Figure: disaster recovery team organization chart. Roles shown: DRP Team Coordinator, DP Manager, Systems Development Manager, Systems Maintenance Manager, Plant Engineer, Computer Operations Manager, Teleprocessing Manager, Senior Systems Programmer, Senior Maintenance Programmer, Manager of Data Conversion, Manager of Data Control, Data Conversion Shift Supervisor, Internal Audit Representative, User Department Representative. Groups shown: Second-site facilities group, Operations, Program and data backup group, Data conversion and data control group.]
Providing Second-Site Backup
A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. Among the options available, the most common are the mutual aid pact, the empty shell or cold site, the recovery operations center or hot site, and internally provided backup. Each of these is discussed in the following section.
MUTUAL AID PACT is an agreement between two or more organizations to aid each other with their data processing needs in the event of a disaster.
EMPTY SHELL or COLD SITE PLAN is an arrangement wherein the company buys or leases a building that will serve as a data center.
RECOVERY OPERATIONS CENTER (ROC) or HOT SITE is a fully equipped backup data center that many companies share.
INTERNALLY PROVIDED BACKUP: Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides.
Backup and Off-Site Storage Procedures
All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.
Operating System Backup: If the company uses a cold site or other method of site backup that does not include a compatible operating system (OS), procedures for obtaining a current version of the operating system need to be clearly specified.
Application Backup: Based on results obtained in the critical applications step discussed previously, the DRP should include procedures to create copies of current versions of critical applications.
Backup Data Files: The state of the art in database backup is the remote mirrored site, which provides complete data currency.
Backup Documentation: The systems documentation for
Backup Supplies and Source Documents: The organization should create backup inventories of supplies and source documents used in processing critical transactions.
Testing the DRP: The most neglected aspect of contingency planning is testing the DRP. Nevertheless, DRP tests are important and should be performed periodically. Tests measure the preparedness of personnel and identify omissions or bottlenecks in the plan.
Audit Objective: The auditor should verify that management's disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.
Audit Procedures: In verifying that management's DRP is a realistic solution for dealing with a catastrophe, the following tests may be performed.
Site Backup: The auditor should evaluate the adequacy of the backup site arrangement.
Critical Application List: The auditor should review the list of critical applications to ensure that it is complete.
Software Backup: The auditor should verify that copies of critical applications and operating systems are stored off-site.
Data Backup: The auditor should verify that critical data files are backed up in accordance with the DRP.
Backup Supplies, Documents, and Documentation: The systems documentation, supplies, and source documents needed to process critical transactions should be backed up and stored off-site.
Disaster Recovery Team: The DRP should clearly list the names, addresses, and emergency telephone numbers of the disaster recovery team members.
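The Software Backup and Data Backup procedures above are tests an auditor can run mechanically against the backup system's own records rather than by inspection. The script below is an added example, not from the original presentation: it compares the DRP's critical application list (each with a recovery point objective and the checksum recorded for the production copy) against a backup manifest, and reports every critical application that has no off-site copy, whose latest off-site copy is older than its RPO, or whose off-site copy does not match the production checksum. The application names, RPO values, manifest entries and checksums are constructed for illustration; a real run would read the manifest exported by the backup tool.

```python
"""DRP backup-inventory check against the critical application list (added example)."""
from datetime import datetime, timedelta, timezone

# Point in time at which the audit test is run (constructed).
AS_OF = datetime(2019, 7, 25, 9, 0, tzinfo=timezone.utc)

# Critical application list from the DRP (constructed): recovery point
# objective in hours and the sha256 recorded for the production copy.
CRITICAL_APPS = {
    "customer_sales":         {"rpo_hours": 4,   "baseline_sha256": "a" * 64},
    "accounts_receivable":    {"rpo_hours": 24,  "baseline_sha256": "b" * 64},
    "payroll_disbursement":   {"rpo_hours": 24,  "baseline_sha256": "c" * 64},
    "operating_system_image": {"rpo_hours": 168, "baseline_sha256": "d" * 64},
}

# Backup manifest entries as a backup system might export them (constructed).
BACKUP_MANIFEST = [
    {"app": "customer_sales",         "site": "offsite", "taken": "2019-07-25T07:30:00Z", "sha256": "a" * 64},
    {"app": "accounts_receivable",    "site": "onsite",  "taken": "2019-07-25T01:00:00Z", "sha256": "b" * 64},
    {"app": "payroll_disbursement",   "site": "offsite", "taken": "2019-07-22T02:00:00Z", "sha256": "c" * 64},
    {"app": "operating_system_image", "site": "offsite", "taken": "2019-07-24T00:00:00Z", "sha256": "e" * 64},
]


def _parse_utc(timestamp):
    """Parse the manifest's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_backups(critical_apps, manifest, as_of):
    """Return {app: finding} for each critical app that fails the test; an empty dict means all pass.

    Only off-site copies count, matching the DRP requirement that software and
    data copies be stored off-site. Age is tested before the checksum because
    a stale copy is the more serious finding.
    """
    findings = {}
    for app, req in critical_apps.items():
        offsite = [m for m in manifest if m["app"] == app and m["site"] == "offsite"]
        if not offsite:
            findings[app] = "no off-site copy"
            continue
        latest = max(offsite, key=lambda m: _parse_utc(m["taken"]))
        age = as_of - _parse_utc(latest["taken"])
        if age > timedelta(hours=req["rpo_hours"]):
            hours = int(age.total_seconds() // 3600)
            findings[app] = f"latest off-site copy is {hours}h old, RPO {req['rpo_hours']}h"
        elif latest["sha256"] != req["baseline_sha256"]:
            findings[app] = "off-site copy checksum does not match production baseline"
    return findings


if __name__ == "__main__":
    for app, finding in check_backups(CRITICAL_APPS, BACKUP_MANIFEST, AS_OF).items():
        print(f"FINDING {app}: {finding}")
```

The checksum comparison is what turns "a copy exists off-site" into "the off-site copy is the version the DRP would restore"; an on-site-only copy passes neither test, which is the point of the Software Backup and Data Backup procedures.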
Outsourcing the IT Function
The costs, risks, and responsibilities associated with maintaining an effective corporate IT function are significant. The claimed benefits of IT outsourcing include improved core business performance, improved IT performance, and reduced IT costs.
Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help desk functions.
Transaction Cost Economics (TCE) theory is in conflict with the core competency school, suggesting that firms should retain certain specific non-core IT assets in-house. Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement.
Risks Inherent to IT Outsourcing
Large-scale IT outsourcing events are risky endeavors, partly because of the sheer size of these financial deals, but also because of their nature. The level of risk is related to the degree of asset specificity of the outsourced function. The following sections outline some well-documented issues.
FAILURE TO PERFORM: Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance.
VENDOR EXPLOITATION: Large-scale IT outsourcing involves transferring to a vendor specific assets, such as the design, development, and maintenance of unique business applications that are critical to an organization's survival.
OUTSOURCING COSTS EXCEED BENEFITS: Outsourcing has been criticized on the grounds that unexpected costs arise and the full extent of expected benefits is not realized.
REDUCED SECURITY: Information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data.
LOSS OF STRATEGIC ADVANTAGE: IT outsourcing may cause incongruence between the firm's IT strategic planning and its business planning functions.
Audit Implications of IT Outsourcing
Management may outsource its organization's IT functions, but it cannot outsource its management responsibilities under SOX for ensuring adequate IT internal controls. The PCAOB specifically states in its Auditing Standard No. 2: "The use of a service organization does not reduce management's responsibility to maintain effective internal control over financial reporting."
SAS 70
Statement on Auditing Standards No. 70 (SAS 70) is the definitive standard by which client organizations' auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client's financial statements.