Documente Academic
Documente Profesional
Documente Cultură
Natural disaster such as hurricanes, wide- It should be noted that traditional control
spread flooding, and earthquakes are the most concerns do not apply in this setting. The
potentially devastating of the three from a environment created by the disaster may make
societal perspective because they can it necessary to violate control principles such
simultaneously impact many organizations as segregation of duties, access controls, and
within the affected geographic area. supervision.
3. Provide site backup In effect, the host company itself must go into
an emergency operation mode and cut back on
4. Specify backup and off-site storage the processing of its lower-priority applications
procedures to accommodate the sudden increase in
Identify Critical Applications demand for its IT resources.
The first essential element of a DRP is to The popularity of these reciprocal agreements
identify the firm’s critical applications and is driven by economics; they are relatively cost-
associated data files. Recovery efforts must free to implement. In fact, mutual aid pacts
concentrate on restoring those applications work better in theory than in practice. In the
that are critical to the short-term survival of the event of a disaster, the stricken company has
organization. Obviously, over the long term, all no guarantee that the partner company will live
applications must be restored to pre-disaster up to its promise of assistance. To rely on such
business activity levels. The DRP, however, is an arrangement for substantive relief during a
a short-term document that should not attempt disaster requires a level of faith and untested
to restore the organization’s data processing trust that is uncharacteristic of sophisticated
facility to full capacity immediately following the management and its auditors.
disaster. To do so would divert resources away Empty Shell. The empty shell or cold site plan
from critical areas and delay recovery. The is an arrangement wherein the company buys
plan should therefore focus on short-term or leases a building that will serve as a data
survival, which is at risk in any disaster center. In the event of a disaster, the shell is
scenario. available and ready to receive whatever
Creating a Disaster Recovery Team hardware the temporary user needs to run
essential systems. This approach, however, Backup Data Files. The state-of-the-art in
has a fundamental weakness. Recovery database backup is the remote mirrored site,
depends on the timely availability of the which provides complete data currency. Not all
necessary computer hardware to restore the organizations are willing or able to invest in
data processing function. Management must such backup resources. As a minimum,
obtain assurances through contracts with however, databases should be copied daily to
hardware vendors that, in the event of a high-capacity, high-speed media, such as tape
disaster, the vendor will give the company’s or CDs/DVDs and secured offsite.
needs priority. An unanticipated hardware
In the event of a disruption, reconstruction of
supply problem at this critical juncture could be
the database is achieved by updating the most
a fatal blow.
current backed-up version with subsequent
Recovery Operations Center. A recovery transaction data. Likewise, master files and
operations center (ROC) or hot site is a fully transaction files should be protected.
equipped backup data center that many
Backup Documentation. The system
companies share. In addition to hardware and
documentation for critical applications should
backup facilities, ROC service providers offer a
be backed up and stored off-site along with the
range of technical services to their clients, who
applications. System documentation can
pay an annual fee for access rights. In the
constitute a significant amount of material and
event of a major disaster, a subscriber can
the backup process is complicated further by
occupy the premises and, within a few hours,
frequent application changes (see Chapter 5).
resume processing critical applications.
Documentation backup may, however, be
Internally Provided Backup. Larger simplified and made more efficient through the
organizations with multiple data processing use of Computer Aided Software Engineering
centers often prefer the self-reliance that (CASE) documentation tools. The DRP should
creating internal excess capacity provides. This also include a provision backing up end-user
permits firms to develop standardized manuals because the individuals processing
hardware and software configurations, which transactions under disaster conditions may not
ensure functional compatibility among their be usual staff who are familiar with the system.
data processing centers and minimize cutover
Backup Supplies and Source Documents. The
problems in the event of a disaster.
organization should create backup inventories
Backup and Off-Site Storage Procedures of supplies and source documents used in
processing critical transactions.
All data files, applications, documentation, and
supplies needed to perform critical functions Examples of critical supplies are check stocks,
should be automatically backed up and stored invoices, purchase orders, and any other
at a secure off-site location. Data processing special-purpose forms that cannot be obtained
personnel should routinely perform backup and immediately. The DRP should specify the types
storage procedures to obtain and secure these and quantities needed of these special items.
critical resources. Because these are such routine elements of
the daily operations, they are often overlooked
Operating System Backup. If the company
by disaster contingency planners.
uses a cold site or other method of site backup
that does not include a compatible operating At this point, it is worth noting that a copy of the
system (O/S), procedures for obtaining a current DRP document should also be stored
current version of the operating system need to off-site at a secure location.
be clearly specified. The data librarian, if one
Testing the DRP. The most neglected aspect
exists, would be a key person to involve in
of contingency planning is testing the DRP.
performing this task in addition to the
Nevertheless, DRP tests are important and
applications and data backups procedures
should be performed periodically.
discussed next.
Tests measure the preparedness of personnel
Application Backup. Based on results obtained
and identify omissions or bottlenecks in the
in the critical applications step discussed
plan.
previously, the DRP should include procedures
to create copies of current versions of critical A test is most useful when the simulation of a
applications. In the case of commercial disruption is a surprise. When the mock
software, this involves purchasing backup disaster is announced, the status of all
copies of the latest software upgrades used by processing affected by it should be
the organization. For in-house developed documented.
applications, backup procedures should be an
integral step in the systems development and This approach provides a benchmark for
program change process. subsequent performance assessments.
The plan should be carried through as far as is the number of ROC members and their
economically feasible. Ideally, that would geographic dispersion. A widespread disaster
include the use of backup facilities and may create a demand that cannot be satisfied
supplies. by the ROC facility.
The progress of the plan should be noted at Critical Application List. The auditor should
key points throughout the test period. review the list of critical applications to ensure
that it is complete. Missing applications can
At the conclusion of the test, the results can
result in failure to recover. The same is true,
then be analyzed and a DRP performance
however, for restoring unnecessary
report prepared. The degree of performance
applications. To include applications on the
achieved provides input for decisions to modify
critical list that are not needed to achieve short-
the DRP or schedule additional tests. The
term survival can misdirect resources and
organization’s management should seek
distract attention from the primary objective
measures of performance in each of the
during the recovery period.
following areas: (1) the effectiveness of DRP
team personnel and their knowledge levels; (2) Software Backup. The auditor should verify
the degree of conversion success (i.e., the that copies of critical applications and
number of lost records); (3) an estimate of operating systems are stored off-site. The
financial loss due to lost records or facilities; auditor should also verify that the applications
and (4) the effectiveness of program, data, and stored off-site are current by comparing their
documentation backup and recovery version numbers with those of the actual
procedures. applications in use. Application version
numbers is explained in detail in Chapter 5.
Audit Objective
Data Backup. The auditor should verify that
The auditor should verify that management’s
critical data files are backed up in accordance
disaster recovery plan is adequate and feasible
with the DRP. Specific data backup procedures
for dealing with a catastrophe that could
for both flat files and relational databases are
deprive the organization of its computing
discussed in detail in Chapter 4.
resources.
Backup Supplies, Documents, and
Audit Procedures
Documentation. The system documentation,
In verifying that management’s DRP is a supplies, and source documents needed to
realistic solution for dealing with a catastrophe, process critical transactions should be backed
the following tests may be performed. up and stored off-site. The auditor should verify
that the types and quantities of items specified
Site Backup. The auditor should evaluate the in the DRP such as check stock, invoices,
adequacy of the backup site arrangement. purchase orders, and any special purpose
System incompatibility and human nature both forms exist in a secure location.
greatly reduce the effectiveness of the mutual Disaster Recovery Team. The DRP should
aid pact. Auditors should be skeptical of such clearly list the names, addresses, and
arrangements for two reasons. emergency telephone numbers of the disaster
First, the sophistication of the computer system recovery team members. The auditor should
may make it difficult to find a potential partner verify that members of the team are current
with a compatible configuration. Second, most employees and are aware of their assigned
firms do not have the necessary excess responsibilities. On one occasion, while
capacity to support a disaster-stricken partner reviewing a firm’s DRP, the author discovered
while also processing their own work. When it that a team leader listed in the plan had been
comes to the crunch, the management of the deceased for nine months.
firm untouched by disaster will likely have little OUTSOURCING THE IT FUNCTION
appetite for the sacrifices that must be made to
honor the agreement. The costs, risks, and responsibilities
associated with maintaining an effective
More viable but expensive options are the corporate
empty shell and recovery operation center.
IT function are significant. Many executives
These too must be examined carefully. If the have therefore opted to outsource their IT
client organization is using the empty shell functions to third-party vendors who take over
method, then the auditor needs to verify the responsibility for the management of IT assets
existence of valid contracts with hardware and staff and for delivery of IT services, such
vendors that guarantee delivery of needed as data entry, data center operations,
computer hardware with minimum delay after
the disaster. If the client is a member of a applications development, applications
ROC, the auditor should be concerned about maintenance, and network management. Often
cited benefits of IT outsourcing include Often this comes down to a matter of definition
improved core business performance, and interpretation. For example, most CEOs
improved would define their IT function as a non–core
commodity, unless they are in the business of
IT performance (because of the vendor’s
developing and selling IT applications.
expertise), and reduced IT costs. By moving IT
facilities offshore to low labor-cost areas and/or Consequently, a belief that all IT can, and
through economies of scale (by combining the should, be managed by large service
work of several clients), the vendor can organizations tends to prevail. Such
perform the outsourced function more cheaply misperception reflects, in part, both lack of
than the client firm could have otherwise. The executive education and dissemination of faulty
resulting cost savings are then passed to the information regarding the virtues and
client organization. Furthermore, many IT limitations of IT outsourcing.
outsourcing arrangements involve the sale of
Risks Inherent to IT Outsourcing
the client firm’s IT assets—both human and
machine—to the vendor, which the client firm Large-scale IT outsourcing events are risky
then leases back. This transaction results in a endeavors, partly because of the sheer size of
significant one-time cash infusion to the firm. these financial deals, but also because of their
nature. The level of risk is related to the degree
The logic underlying IT outsourcing follows
of asset specificity of the outsourced function.
from core competency theory, which argues
The following sections outline some well-
that an organization should focus exclusively
documented issues.
on its core business competencies, while
allowing outsourcing vendors to efficiently Failure to Perform
manage the non–core areas such as the IT
functions. This premise, however, ignores an Once a client firm has outsourced specific IT
important distinction between commodity and assets, its performance becomes linked to the
specific IT assets. vendor’s performance. The negative
implications of such dependency are illustrated
Commodity IT assets are not unique to a in the financial problems that have plagued the
particular organization and are thus easily huge outsourcing vendor Electronic Data
acquired in the marketplace. These include Systems Corp. (EDS). In a cost-cutting effort,
such things as network management, systems EDS terminated seven thousand employees,
operations, server maintenance, and help-desk which impacted its ability to serve other clients.
functions. Specific IT assets, in contrast, are Following an 11-year low in share prices, EDS
unique to the organization and support its stockholders filed a class-action lawsuit against
strategic objectives. Because of their the company. Clearly, vendors experiencing
idiosyncratic nature, specific assets have little such serious financial and legal problems
value outside their current use. Such assets threaten the viability of their clients also.
may be tangible (computer equipment),
Vendor Exploitation
intellectual (computer programs), or human.
Examples of specific assets include systems Large-scale IT outsourcing involves
development, application maintenance, data transferring to a vendor “specific assets,” such
warehousing, and highly skilled employees as the design, development, and maintenance
trained to use organization specific software. of unique business applications that are critical
Transaction Cost Economics (TCE) theory is in to an organization’s survival. Specific assets,
conflict with the core competency school by while valuable to the client, are of little value to
suggesting that firms should retain certain the vendor beyond the immediate contract with
specific non–core IT assets inhouse. the client. Indeed, they may well be valueless
should the client organization go out of
Because of their esoteric nature, specific business. Because the vendor assumes risk by
assets cannot be easily replaced once they are acquiring the assets and can achieve no
given up in an outsourcing arrangement. economies of scale by employing them
Therefore, if the organization should decide to elsewhere, the client organization will pay a
cancel its outsourcing contract with the vendor, premium to transfer such functions to a third
it may not be able to return to its pre-outsource party. Further, once the client firm has divested
state. On the other hand, TCE theory supports itself of such specific assets it becomes
the outsourcing of commodity assets, which dependent on the vendor. The vendor may
are easily replaced or obtained from alternative exploit this dependency by raising service rates
vendors. to an exorbitant level. As the client’s IT needs
develop over time beyond the original contract
Naturally, a CEO’s perception of what
terms, it runs the risk that new or incremental
constitutes a commodity IT assets plays an
services will be negotiated at a premium. This
important role in IT outsourcing decisions.
dependency may threaten the client’s long-
term flexibility, agility, and competitiveness and outsourcing is inconsistent with the client’s
result in even greater vendor dependency. pursuit of strategic advantage in the
marketplace.
Outsourcing Costs Exceed Benefits
Audit Implications of IT Outsourcing
IT outsourcing has been criticized on the
grounds that unexpected costs arise and the Management may outsource its organization’s
full extent of expected benefits are not realized. IT functions, but it cannot outsource its
One survey revealed that 47 percent of 66 management responsibilities under SOX for
firms surveyed reported that the costs of IT ensuring adequate IT internal controls. The
outsourcing exceeded outsourcing benefits. PCAOB specifically states in its Auditing
Standard No. 2, “The use of a service
One reason for this is that outsourcing clients
organization does not reduce management’s
often fail to anticipate the costs of vendor
responsibility to maintain effective internal
selection, contracting, and the transitioning of
control over financial reporting. Rather, user
IT operations to the vendors.
management should evaluate controls at the
Reduced Security service organization, as well as related controls
at the user company, when making its
Information outsourced to offshore IT vendors assessment about internal control over
raises unique and serious questions regarding financial reporting.”
internal control and the protection of sensitive
personal data. When corporate financial Service provider auditors issue two types of
systems are developed and hosted overseas, SAS 70 reports. An SAS 70 Type I report is the
and program code is developed through less rigorous of the two and comments only on
interfaces with the host company’s network, the suitability of the controls’ design. An SAS
U.S. corporations are at risk of losing control of 70 Type II report goes further and assesses
their information. To a large degree U.S. firms whether the controls are operating effectively
are reliant on the outsourcing vendor’s security based on tests conducted by the vendor
measures, data-access policies, and the organization’s auditor. The vast majority of
privacy laws of the host country. SAS 70 reports issued are Type II. Because
Section 404 requires the explicit testing of
Loss of Strategic Advantage controls, SAS 70 Type I reports are of little
IT outsourcing may affect incongruence value in a post-SOX world.
between a firm’s IT strategic planning and its
business planning functions. Organizations that
use IT strategically must align business
strategy and IT strategy or run the risk of
decreased business performance. To promote
such alignment, firms need IT managers and
chief information officers (CIOs) who have a
strong working knowledge of the organization’s
business. A survey of 213 IT managers in the
financial services industry confirmed that a
firm’s IT leadership needs to be closely aligned
with the firm’s competitive strategy. Indeed,
some argue that the business competence of
CIOs is more important than their IT
competence in facilitating strategic
congruence.
To accomplish such alignment necessitates a
close working relationship between corporate
management and IT management in the
concurrent development of business and IT
strategies. This, however, is difficult to
accomplish when IT planning is geographically
redeployed offshore or even domestically.
Further, because the financial justification for
IT outsourcing depends upon the vendor
achieving economies of scale, the vendor is
naturally driven to toward seeking common
solutions that may be used by many clients
rather than creating unique solutions for each
of them. This fundamental underpinning of IT