Audcis – Chapter 2
computer’s operating system.
Information technology (IT) governance
 a relatively new subset of corporate
governance that focuses on the
management and assessment of
strategic IT resources.
Key objectives
 reduce risk
 ensure that investments in IT resources
add value to the corporation
IT Governance Controls
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
Structure Of The Information Technology
Function
 The organization of the IT function has
implications for the nature and
effectiveness of internal controls, which,
in turn, has implications for the audit.
Centralized Data Processing
 all data processing is performed by one
or more large computers housed at a
central site that serves users throughout
the organization.
Database Administration
 Centrally organized companies maintain
their data resources in a central location
that is shared by all end users. In this
shared data arrangement, an
independent group headed by the
database administrator (DBA) is
responsible for the security and integrity
of the database.
Data Processing
 The data processing group manages the
computer resources used to perform the
day-to-day processing of transactions.
It consists of the following organizational
functions:
1. Data Conversion
 The data conversion function
transcribes transaction data from hard-
copy source documents into computer
input.
2. Computer Operations
 The electronic files produced in data
conversion are later processed by the
central computer, which is managed by
the computer operations groups.
 Accounting applications are usually
executed according to a strict schedule
that is controlled by the central
3. Data Library
 The data library is a room adjacent to
the computer center that provides safe
storage for the off-line data files.
Systems Development and Maintenance
The information systems needs of users are
met by two related functions: system
development and systems maintenance.
Systems Development
 responsible for analyzing user needs
and for designing new systems to satisfy
those needs.
The participants in system development
activities
Systems professionals
 systems analysts
 database designers
 programmers
 design and build the system. Systems
professionals gather facts about the user’s
problem, analyze the facts, and formulate a
solution.
 The product of their efforts is a new
information system.
End users
 those for whom the system is built. They
are the managers who receive reports from
the system and the operations personnel
who work directly with the system as part of
their daily responsibilities.
Stakeholders
 accountants
 internal auditors
 external auditors
 others who oversee systems
development.
 individuals inside or outside the firm who
have an interest in the system, but are not
end users.
 Once a new system has been designed and
implemented, the systems maintenance
group assumes responsibility for keeping it
current with user needs.
Maintenance
 refers to making changes to program
logic to accommodate shifts in user
needs over time.
Segregation of Incompatible IT Functions
1. Separate transaction authorization from
transaction processing.
2. Separate record keeping from asset
custody.
3. Divide transaction-processing tasks among
individuals such that short of collusion between
two or more individuals fraud would not be
possible.
Separating Systems Development from
Computer Operations
 Greatest importance.
 The relationship - extremely formal
 Responsibilities should not be
commingled.
 Create (and maintain) systems for
users, and should have no involvement
in entering data, or running applications.
 Operations staff should run these
systems and have no involvement in
their design.
 These functions are inherently
incompatible, and consolidating them
invites errors and fraud.
Separating Database Administration from
Other Functions
DBA function
 responsible for a number of critical tasks
pertaining to database security,
including creating the database schema
and user views, assigning database
access authority to users, monitoring
database usage, and planning for future
expansion.
 Delegating these responsibilities to others
who perform incompatible tasks threatens
database integrity.
Separating New Systems Development from
Maintenance
Systems analysis group
 Works with the users to produce
detailed designs of the new systems.
Programming group
 codes the programs according to these
design specifications. Under this
approach
 the programmer who codes the original
programs also maintains the system
during the maintenance phase of the
systems development life cycle
Control Problems
Inadequate Documentation
 Poor-quality systems documentation is a
chronic IT problem and a significant
challenge for many organizations
seeking SOX compliance.
There are at least two explanations for this
phenomenon.
 Documenting systems is not as
interesting as designing, testing, and
implementing them. Systems
professionals much prefer to move on to
an exciting new project rather than
document one just completed.
 Job security. When a system is poorly
documented, it is difficult to interpret,
test, and debug.
Program Fraud
 When the original programmer of a
system is also assigned maintenance
responsibility, the potential for fraud is
increased.
 Involves making unauthorized changes
to program modules for the purpose of
committing an illegal act.
A Superior Structure for Systems
Development
 The new systems development group is
responsible for designing, programming,
and implementing new systems
projects.
 Upon successful implementation,
responsibility for the system’s ongoing
maintenance falls to the systems
maintenance group.
Benefits
 Documentation standards are improved
because the maintenance group
requires documentation to perform its
maintenance duties.
 Denying the original programmer future
access to the program deters program
fraud.
 The success of this control depends on the
existence of other controls that limit,
prevent, and detect unauthorized access to
programs (such as source program library
controls).
Distributed data processing (DDP)
 An alternative to the centralized model
 Involves reorganizing the central IT
function into small IT units that are
placed under the control of end users.
 The IT units may be distributed according
to business function, geographic location,
or both.
Risks Associated with DDP
Inefficient Use of Resources
DDP can expose and organization to three
types of risks associated with inefficient use of
organizational resources
  the risk of mismanagement of
organization-wide IT resources by end
users.
 DDP can increase the risk of operational
inefficiencies because of redundant
tasks being performed within the end-
user committee.
 DDP environment poses a risk of
incompatible hardware and software
among end-user functions.
Destruction of Audit Trails
Audit trail
 provides the linkage between a
company’s financial activities
(transactions) and the financial
statements that report on those
activities.
 Auditors use the audit trail to trace
selected financial transactions from the
source documents that captured the
events, through the journals, subsidiary
ledgers, and general ledger accounts
that recorded the events, and ultimately
to the financial statement themselves.
 The audit trail is critical to the auditor’s
attest service.
Inadequate Segregation of Duties
 Achieving an adequate segregation of
duties may not be possible in some
distributed environments. The
distribution of the IT services to users
may result in the creation of small
independent units that do not permit the
desired separation of incompatible
functions.
Hiring Qualified Professionals
 End-user managers may lack the IT
knowledge to evaluate the technical
credentials and relevant experience of
candidates applying for IT professional
positions.
 If the organizational unit into which a
new employee is entering is small, the
opportunity for personal growth,
continuing education, and promotion
may be limited.
 Managers may experience difficulty
attracting highly qualified personnel.
 The risk of programming errors and
system failures increases directly with
the level of employee incompetence.
Lack of Standards
 Because of the distribution of
responsibility in the DDP environment,
standards for developing and
documenting systems, choosing
programming languages, acquiring
hardware and software, and evaluating
performance may be unevenly applied
or even nonexistent.
 Opponents of DDP argue that the risks
associated with the design and
operation of a DDP system are made
tolerable only if such standards are
consistently applied.
Advantages of DDP
Cost Reductions.
 Powerful and inexpensive
microcomputers and minicomputers that
can perform specialized functions have
changed the economics of data
processing dramatically.
 In addition, the unit cost of data storage,
which was once the justification for
consolidating data in a central location,
is no longer a prime consideration.
 Moreover, the move to DDP has
reduced costs in two other areas: (1)
data can be edited and entered by the
end user, thus eliminating the
centralized task of data preparation; and
(2) application complexity can be
reduced, which in turn reduces systems
development and maintenance costs.
Improved Cost Control Responsibility
 End-user managers carry the
responsibility for the financial success of
their operations.
 This responsibility requires that they be
properly empowered with the authority
to make decisions about resources that
influence their overall success.
 When managers are precluded from
making the decisions necessary to
achieve their goals, their performance
can be negatively influenced.
 A less aggressive and less effective
management may evolve.
 Proponents of DDP contend that the
benefits of improved management attitudes
more than outweigh any additional costs
incurred from distributing these resources.
 They argue that if IT capability is indeed
critical to the success of a business
operation, then management must be given
control over these resources.
Improved User Satisfaction
 Perhaps the most often cited benefit of
DDP is improved user satisfaction. DDP
proponents claim that distributing
system to end users improves three
areas of need that too often go
unsatisfied in the centralized model:
(1) users desire to control the resources that
influence their profitability
(2) users want systems professionals software and hardware and avoid many
(analysts, programmers, and computer problems discussed earlier.
operators) to be responsive to their specific
User Services.
situation
A valuable feature of the corporate group is its
(3) users want to become more actively
user services function. This activity provides
involved in developing and implementing their
technical help to users during the installation of
own systems.
new software and in troubleshooting hardware
Backup Flexibility and software problems. The creation of an
electronic bulletin board for users is an
 The final argument in favor of DDP is
excellent way to distribute information about
the ability to back up computing facilities
common problems and allows the sharing of
to protect against potential disasters
user-developed programs with others in the
such as fires, floods, sabotage, and
organization. In addition, a chat room could be
earthquakes.
established to provide threaded discussions,
 The only way to back up a central
frequently asked questions (FAQs), and
computer site against such disasters is
intranet support. The corporate IT function
to provide a second computer facility.
could also provide a help desk, where users
 The distributed model offers
can call and get a quick response to questions
organizational flexibility for providing
and problems.
backup.
In many organizations user services staff teach
Controlling the DDP Environment
technical courses for end users as well as for
DDP carries a certain leading-edge prestige computer services personnel. This raises the
value that, during an analysis of its pros and level of user awareness and promotes the
cons, may overwhelm important considerations continued education of technical personnel.
of economic benefit and operational feasibility.
Standard-Setting Body.
Many DDP initiatives have proven to be
The relatively poor control environment
ineffective, and even counterproductive,
imposed by the DDP model can be improved
because decision makers saw in these
by establishing some central guidance. The
systems virtues that were more symbolic than
corporate group can contribute to this goal by
real. Before taking an irreversible step,
establishing and distributing to user areas
decision makers must assess the true merits of
appropriate standards for systems
DDP for their organization. Nevertheless,
development, programming, and
careful planning and implementation of controls
documentation.
can mitigate some of the DDP risks previously
discussed. Personnel Review.
Implement a Corporate IT Function The corporate group is often better equipped
than users to evaluate the technical credentials
The completely centralized model and the
of prospective systems professionals. Although
distributed model represent extreme positions
the systems professional will actually be part of
on a continuum of structural alternatives. The
the end-user group, the involvement of the
needs of most firms fall somewhere between
corporate group in employment decisions can
these end points. Often, the control problems
render a valuable service to the organization.
previously described can be addressed by
implementing a corporate IT function Audit Objective
Central Testing of Commercial Software and The auditor’s objective is to verify that the
Hardware. structure of the IT function is such that
individuals in incompatible areas are
A centralized corporate IT group is better
segregated in accordance with the level of
equipped than are end users to evaluate the
potential risk and in a manner that promotes a
merits of competing commercial software and
working environment. This is an environment in
hardware products under consideration. A
which formal, rather than casual, relationships
central, technically astute group such as this
need to exist between incompatible tasks.
can evaluate systems features, controls, and
compatibility with industry and organizational Audit Procedures
standards. Test results can then be distributed
The following audit procedures would apply to
to user areas as standards for guiding
an organization with a centralized IT function:
acquisition decisions. This allows the
organization to effectively centralize the  Review relevant documentation,
acquisition, testing, and implementation of including the current organizational
chart, mission statement, and job
 descriptions for key functions, to
determine if individuals or groups are
performing incompatible functions.
 Review systems documentation and
maintenance records for a sample of
applications.
 Verify that maintenance programmers
assigned to specific projects are not
also the original design programmers.
 Verify that computer operators do not
have access to the operational details of
a system’s internal logic. Systems
documentation, such as systems
flowcharts, logic flowcharts, and
program code listings, should not be
part of the operation’s documentation
set.
 Through observation, determine that
segregation policy is being followed in
practice.
 Review operations room access logs to
determine whether programmers enter
the facility for reasons other than system
failures.
The following audit procedures would apply to
an organization with a distributed IT function:
 Review the current organizational chart,
mission statement, and job descriptions
for key functions to determine if
individuals or groups are performing
incompatible duties.
 Verify that corporate policies and
standards for systems design,
documentation, and hardware and
software acquisition are published and
provided to distributed IT units.
 Verify that compensating controls, such
as supervision and management
monitoring, are employed when
segregation of incompatible duties is
economically infeasible.
 Review systems documentation to verify
that applications, procedures, and
databases are designed and functioning
in accordance with corporate standards.
THE COMPUTER CENTER
Physical Location
The physical location of the computer center
directly affects the risk of destruction to a
natural or man-made disaster. To the extent
possible, the computer center should be away
from human-made and natural hazards, such
as processing plants, gas and water mains,
airports, high-crime areas, flood plains, and
geological faults. The center should be away
from normal traffic, such as the top floor of a
building or in a separate, self-contained
building. Locating a computer in the basement
building increases its risk to floods.
Construction
Ideally, a computer center should be located in
a single-story building of solid construction with
controlled access (discussed next). Utility
(power and telephone) lines should be
underground. The building windows should not
open and an air filtration system should be in
place that is capable of extracting pollens,
dust, and dust mites.
Access
Access to the computer center should be
limited to the operators and other employees
who work there. Physical controls, such as
locked doors, should be employed to limit
access to the center. Access should be
controlled by a keypad or swipe card, though
fire monitored by closed-circuit cameras and
video recording systems. Computer centers
should also use sign-in logs for programmers
and analysts who need access to correct
program errors. The computer center should
maintain accurate records of all such traffic.
Air Conditioning
Computers function best in an air-conditioned
environment, and providing adequate air
conditioning is often a requirement of the
vendor’s warranty. Computers operate best in
a temperature range of 70 to 75 degrees
Fahrenheit and a relative humidity of 50
percent. Logic errors can occur in computer
hardware when temperatures depart
significantly from this optimal range. Also, the
risk of circuit damage from static electricity is
increased when humidity drops. In contrast,
high humidity can cause molds to grow and
paper products (such as source documents) to
swell and jam equipment.
Fire Suppression
Fire is the most serious threat to a firm’s
computer equipment. Many companies that
suffer computer center fires go out of business
because of the loss of critical records, such as
accounts receivable. The implementation of an
effective fire suppression system requires
consultation with specialists. However, some of
the major features of such a system include the
following:
1. Automatic and manual alarms should be
placed in strategic locations around the
installation. These alarms should be connected
to permanently staffed fire-fighting stations.
2. There must be an automatic fire
extinguishing system that dispenses the
appropriate type of suppressant for the
location.2 For example, spraying water and
certain chemicals on a computer can do as
much damage as the fire.
3. Manual fire extinguishers should be placed
at strategic locations.
4. The building should be of sound construction
to withstand water damage caused by fire
suppression equipment.
5. Fire exits should be clearly marked and
illuminated during a fire.
Fault Tolerance
Fault tolerance is the ability of the system to
continue operation when part of the system
fails because of hardware failure, application
program error, or operator error. Implementing
fault tolerance control ensures that no single
point of potential system failure exists. Total
failure can occur only if multiple components
fail.
1. Redundant arrays of independent disks
(RAID). Raid involves using parallel disks that
contain redundant elements of data and
applications. If one disk fails, the lost data are
automatically reconstructed from the redundant
components stored on the other disks.
2. Uninterruptible power supplies.
Commercially provided electrical power
presents several problems that can disrupt the
computer center operations, including total
power failures, brownouts, power fluctuations,
and frequency variations. The equipment used
to control these problems includes voltage
regulators, surge protectors, generators, and
backup batteries. In the event of a power
outage, these devices provide backup power
for a reasonable period to allow commercial
power service restoration.
In the event of an extended power outage, the
backup power will allow the computer system
to shut down in a controlled manner and
prevent data loss and corruption that would
otherwise result from an uncontrolled system
crash.
Audit Objectives
The auditor’s objective is to evaluate the
controls governing computer center security.
Specifically, the auditor must verify that:
• Physical security controls are adequate to
reasonably protect the organization from
physical exposures
• Insurance coverage on equipment is
adequate to compensate the organization for
the destruction of, or damage to, its computer
center
Audit Procedures
The following are tests of physical security
controls.
Tests of Physical Construction.
The auditor should obtain architectural plans to
determine that the computer center is solidly
built of fireproof material. There should be
adequate drainage under the raised floor to
allow water to flow away in the event of water
damage from a fire in an upper floor or from
some other source. In addition, the auditor
should assess the physical location of the
computer center. The facility should be located
in an area that minimizes its exposure to fire,
civil unrest, and other hazards.
Tests of the Fire Detection System.
The auditor should establish that fire detection
and suppression equipment, both manual and
automatic, are in place and tested regularly.
The fire-detection system should detect smoke,
heat, and combustible fumes. The evidence
may be obtained by reviewing official fire
marshal records of tests, which are stored at
the computer center.
Tests of Access Control.
The auditor must establish that routine access
to the computer center is restricted to
authorized employees. Details about visitor
access (by programmers and others), such as
arrival and departure times, purpose, and
frequency of access, can be obtained by
reviewing the access log. To establish the
veracity of this document, the auditor may
covertly observe the process by which access
is permitted, or review videotapes from
cameras at the access point, if they are being
used.
Tests of Raid.
Most systems that employ RAID provide a
graphical mapping of their redundant disk
storage. From this mapping, the auditor should
determine if the level of RAID in place is
adequate for the organization, given the level
of business risk associated with disk failure. If
the organization is not employing RAID, the
potential for a single point of system failure
exists. The auditor should review with the
system administrator alternative procedures for
recovering from a disk failure.
Tests of the Uninterruptible Power Supply.
The computer center should perform periodic
tests of the backup power supply to ensure that
it has sufficient capacity to run the computer
and air conditioning. These are extremely
important tests, and their results should be
formally recorded. As a firm’s computer
systems develop, and its dependency
increases, backup power needs are likely to
grow proportionally. Indeed, without such tests,
an organization may be unaware that it has
outgrown its backup capacity until it is too late.
Tests for Insurance Coverage.
The auditor should annually review the
organization’s insurance coverage on its
computer hardware, software, and physical
facility. The auditor should verify that all new
acquisitions are listed on the policy and that
obsolete equipment and software have been
deleted. The insurance policy should reflect
management’s needs in terms of extent of
coverage.
DISASTER RECOVERY PLANNING
Types of Disasters
Natural disaster such as hurricanes, wide-
spread flooding, and earthquakes are the most
potentially devastating of the three from a
societal perspective because they can
simultaneously impact many organizations
within the affected geographic area.
Human-made disasters, such as sabotage or
errors, can be just as destructive to an
individual organization, but tend to be limited in
their scope of impact.
System failures such as power outages or a
hard-drive failure are generally less severe, but
are the most likely to occur. disaster recovery
plan (DRP).
This is a comprehensive statement of all
actions to be taken before, during, and after
any type of disaster. Although the details of
each plan are unique to the needs of the
organization, all workable plans possess four
common features:
1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage
procedures
Identify Critical Applications
The first essential element of a DRP is to
identify the firm’s critical applications and
associated data files. Recovery efforts must
concentrate on restoring those applications
that are critical to the short-term survival of the
organization. Obviously, over the long term, all
applications must be restored to pre-disaster
business activity levels. The DRP, however, is
a short-term document that should not attempt
to restore the organization’s data processing
facility to full capacity immediately following the
disaster. To do so would divert resources away
from critical areas and delay recovery. The
plan should therefore focus on short-term
survival, which is at risk in any disaster
scenario.
Creating a Disaster Recovery Team
Recovering from a disaster depends on timely
corrective action. Delays in performing
essential tasks prolongs the recovery period
and diminishes the prospects for a successful
recovery. To avoid serious omissions or
duplication of effort during implementation of
the contingency plan, task responsibility must
be clearly defined and communicated to the
personnel involved.
The team members should be experts in their
areas and have assigned tasks. Following a
disaster, team members will delegate subtasks
to their subordinates.
It should be noted that traditional control
concerns do not apply in this setting. The
environment created by the disaster may make
it necessary to violate control principles such
as segregation of duties, access controls, and
supervision.
Providing Second-Site Backup
A necessary ingredient in a DRP is that it
provides for duplicate data processing facilities
following a disaster. Among the options
available the most common are mutual aid
pact; empty shell or cold site; recovery
operations center or hot site; and internally
provided backup. Each of these is discussed in
the following sections.
Mutual Aid Pact. A mutual aid pact is an
agreement between two or more organizations
(with compatible computer facilities) to aid
each other with their data processing needs in
the event of a disaster. In such an event, the
host company must disrupt its processing
schedule to process the critical transactions of
the disaster-stricken company.
In effect, the host company itself must go into
an emergency operation mode and cut back on
the processing of its lower-priority applications
to accommodate the sudden increase in
demand for its IT resources.
The popularity of these reciprocal agreements
is driven by economics; they are relatively cost-
free to implement. In fact, mutual aid pacts
work better in theory than in practice. In the
event of a disaster, the stricken company has
no guarantee that the partner company will live
up to its promise of assistance. To rely on such
an arrangement for substantive relief during a
disaster requires a level of faith and untested
trust that is uncharacteristic of sophisticated
management and its auditors.
Empty Shell. The empty shell or cold site plan
is an arrangement wherein the company buys
or leases a building that will serve as a data
center. In the event of a disaster, the shell is
available and ready to receive whatever
hardware the temporary user needs to run
essential systems. This approach, however,
has a fundamental weakness. Recovery
depends on the timely availability of the
necessary computer hardware to restore the
data processing function. Management must
obtain assurances through contracts with
hardware vendors that, in the event of a
disaster, the vendor will give the company’s
needs priority. An unanticipated hardware
supply problem at this critical juncture could be
a fatal blow.
Recovery Operations Center. A recovery
operations center (ROC) or hot site is a fully
equipped backup data center that many
companies share. In addition to hardware and
backup facilities, ROC service providers offer a
range of technical services to their clients, who
pay an annual fee for access rights. In the
event of a major disaster, a subscriber can
occupy the premises and, within a few hours,
resume processing critical applications.
Internally Provided Backup. Larger
organizations with multiple data processing
centers often prefer the self-reliance that
creating internal excess capacity provides. This
permits firms to develop standardized
hardware and software configurations, which
ensure functional compatibility among their
data processing centers and minimize cutover
problems in the event of a disaster.
Backup and Off-Site Storage Procedures
All data files, applications, documentation, and
supplies needed to perform critical functions
should be automatically backed up and stored
at a secure off-site location. Data processing
personnel should routinely perform backup and
storage procedures to obtain and secure these
critical resources.
Operating System Backup. If the company
uses a cold site or other method of site backup
that does not include a compatible operating
system (O/S), procedures for obtaining a
current version of the operating system need to
be clearly specified. The data librarian, if one
exists, would be a key person to involve in
performing this task in addition to the
applications and data backups procedures
discussed next.
Application Backup. Based on results obtained
in the critical applications step discussed
previously, the DRP should include procedures
to create copies of current versions of critical
applications. In the case of commercial
software, this involves purchasing backup
copies of the latest software upgrades used by
the organization. For in-house developed
applications, backup procedures should be an
integral step in the systems development and
program change process.
Backup Data Files. The state-of-the-art in
database backup is the remote mirrored site,
which provides complete data currency. Not all
organizations are willing or able to invest in
such backup resources. As a minimum,
however, databases should be copied daily to
high-capacity, high-speed media, such as tape
or CDs/DVDs and secured offsite.
In the event of a disruption, reconstruction of
the database is achieved by updating the most
current backed-up version with subsequent
transaction data. Likewise, master files and
transaction files should be protected.
Backup Documentation. The system
documentation for critical applications should
be backed up and stored off-site along with the
applications. System documentation can
constitute a significant amount of material and
the backup process is complicated further by
frequent application changes (see Chapter 5).
Documentation backup may, however, be
simplified and made more efficient through the
use of Computer Aided Software Engineering
(CASE) documentation tools. The DRP should
also include a provision backing up end-user
manuals because the individuals processing
transactions under disaster conditions may not
be usual staff who are familiar with the system.
Backup Supplies and Source Documents. The
organization should create backup inventories
of supplies and source documents used in
processing critical transactions.
Examples of critical supplies are check stocks,
invoices, purchase orders, and any other
special-purpose forms that cannot be obtained
immediately. The DRP should specify the types
and quantities needed of these special items.
Because these are such routine elements of
the daily operations, they are often overlooked
by disaster contingency planners.
At this point, it is worth noting that a copy of the
current DRP document should also be stored
off-site at a secure location.
Testing the DRP. The most neglected aspect
of contingency planning is testing the DRP.
Nevertheless, DRP tests are important and
should be performed periodically.
Tests measure the preparedness of personnel
and identify omissions or bottlenecks in the
plan.
A test is most useful when the simulation of a
disruption is a surprise. When the mock
disaster is announced, the status of all
processing affected by it should be
documented.
This approach provides a benchmark for
subsequent performance assessments.
The plan should be carried through as far as is
economically feasible. Ideally, that would
include the use of backup facilities and
supplies.
The progress of the plan should be noted at
key points throughout the test period.
At the conclusion of the test, the results can
then be analyzed and a DRP performance
report prepared. The degree of performance
achieved provides input for decisions to modify
the DRP or schedule additional tests. The
organization’s management should seek
measures of performance in each of the
following areas: (1) the effectiveness of DRP
team personnel and their knowledge levels; (2)
the degree of conversion success (i.e., the
number of lost records); (3) an estimate of
financial loss due to lost records or facilities;
and (4) the effectiveness of program, data, and
documentation backup and recovery
procedures.
Audit Objective
The auditor should verify that management’s
disaster recovery plan is adequate and feasible
for dealing with a catastrophe that could
deprive the organization of its computing
resources.
Audit Procedures
In verifying that management’s DRP is a
realistic solution for dealing with a catastrophe,
the following tests may be performed.
Site Backup. The auditor should evaluate the
adequacy of the backup site arrangement.
System incompatibility and human nature both
greatly reduce the effectiveness of the mutual
aid pact. Auditors should be skeptical of such
arrangements for two reasons.
First, the sophistication of the computer system
may make it difficult to find a potential partner
with a compatible configuration. Second, most
firms do not have the necessary excess
capacity to support a disaster-stricken partner
while also processing their own work. When it
comes to the crunch, the management of the
firm untouched by disaster will likely have little
appetite for the sacrifices that must be made to
honor the agreement.
More viable but expensive options are the
empty shell and recovery operation center.
These too must be examined carefully. If the
client organization is using the empty shell
method, then the auditor needs to verify the
existence of valid contracts with hardware
vendors that guarantee delivery of needed
computer hardware with minimum delay after
the disaster. If the client is a member of a
ROC, the auditor should be concerned about
the number of ROC members and their
geographic dispersion. A widespread disaster
may create a demand that cannot be satisfied
by the ROC facility.
Critical Application List. The auditor should
review the list of critical applications to ensure
that it is complete. Missing applications can
result in failure to recover. The same is true,
however, for restoring unnecessary
applications. To include applications on the
critical list that are not needed to achieve short-
term survival can misdirect resources and
distract attention from the primary objective
during the recovery period.
Software Backup. The auditor should verify
that copies of critical applications and
operating systems are stored off-site. The
auditor should also verify that the applications
stored off-site are current by comparing their
version numbers with those of the actual
applications in use. Application version
numbers is explained in detail in Chapter 5.
Data Backup. The auditor should verify that
critical data files are backed up in accordance
with the DRP. Specific data backup procedures
for both flat files and relational databases are
discussed in detail in Chapter 4.
Backup Supplies, Documents, and
Documentation. The system documentation,
supplies, and source documents needed to
process critical transactions should be backed
up and stored off-site. The auditor should verify
that the types and quantities of items specified
in the DRP such as check stock, invoices,
purchase orders, and any special purpose
forms exist in a secure location.
Disaster Recovery Team. The DRP should
clearly list the names, addresses, and
emergency telephone numbers of the disaster
recovery team members. The auditor should
verify that members of the team are current
employees and are aware of their assigned
responsibilities. On one occasion, while
reviewing a firm’s DRP, the author discovered
that a team leader listed in the plan had been
deceased for nine months.
OUTSOURCING THE IT FUNCTION
The costs, risks, and responsibilities
associated with maintaining an effective
corporate
IT function are significant. Many executives
have therefore opted to outsource their IT
functions to third-party vendors who take over
responsibility for the management of IT assets
and staff and for delivery of IT services, such
as data entry, data center operations,
applications development, applications
maintenance, and network management. Often
cited benefits of IT outsourcing include
improved core business performance,
improved
IT performance (because of the vendor’s
expertise), and reduced IT costs. By moving IT
facilities offshore to low labor-cost areas and/or
through economies of scale (by combining the
work of several clients), the vendor can
perform the outsourced function more cheaply
than the client firm could have otherwise. The
resulting cost savings are then passed to the
client organization. Furthermore, many IT
outsourcing arrangements involve the sale of
the client firm’s IT assets—both human and
machine—to the vendor, which the client firm
then leases back. This transaction results in a
significant one-time cash infusion to the firm.
The logic underlying IT outsourcing follows
from core competency theory, which argues
that an organization should focus exclusively
on its core business competencies, while
allowing outsourcing vendors to efficiently
manage the non–core areas such as the IT
functions. This premise, however, ignores an
important distinction between commodity and
specific IT assets.
Commodity IT assets are not unique to a
particular organization and are thus easily
acquired in the marketplace. These include
such things as network management, systems
operations, server maintenance, and help-desk
functions. Specific IT assets, in contrast, are
unique to the organization and support its
strategic objectives. Because of their
idiosyncratic nature, specific assets have little
value outside their current use. Such assets
may be tangible (computer equipment),
intellectual (computer programs), or human.
Examples of specific assets include systems
development, application maintenance, data
warehousing, and highly skilled employees
trained to use organization specific software.
Transaction Cost Economics (TCE) theory is in
conflict with the core competency school by
suggesting that firms should retain certain
specific non–core IT assets inhouse.
Because of their esoteric nature, specific
assets cannot be easily replaced once they are
given up in an outsourcing arrangement.
Therefore, if the organization should decide to
cancel its outsourcing contract with the vendor,
it may not be able to return to its pre-outsource
state. On the other hand, TCE theory supports
the outsourcing of commodity assets, which
are easily replaced or obtained from alternative
vendors.
Naturally, a CEO’s perception of what
constitutes a commodity IT assets plays an
important role in IT outsourcing decisions.
Often this comes down to a matter of definition
and interpretation. For example, most CEOs
would define their IT function as a non–core
commodity, unless they are in the business of
developing and selling IT applications.
Consequently, a belief that all IT can, and
should, be managed by large service
organizations tends to prevail. Such
misperception reflects, in part, both lack of
executive education and dissemination of faulty
information regarding the virtues and
limitations of IT outsourcing.
Risks Inherent to IT Outsourcing
Large-scale IT outsourcing events are risky
endeavors, partly because of the sheer size of
these financial deals, but also because of their
nature. The level of risk is related to the degree
of asset specificity of the outsourced function.
The following sections outline some well-
documented issues.
Failure to Perform
Once a client firm has outsourced specific IT
assets, its performance becomes linked to the
vendor’s performance. The negative
implications of such dependency are illustrated
in the financial problems that have plagued the
huge outsourcing vendor Electronic Data
Systems Corp. (EDS). In a cost-cutting effort,
EDS terminated seven thousand employees,
which impacted its ability to serve other clients.
Following an 11-year low in share prices, EDS
stockholders filed a class-action lawsuit against
the company. Clearly, vendors experiencing
such serious financial and legal problems
threaten the viability of their clients also.
Vendor Exploitation
Large-scale IT outsourcing involves
transferring to a vendor “specific assets,” such
as the design, development, and maintenance
of unique business applications that are critical
to an organization’s survival. Specific assets,
while valuable to the client, are of little value to
the vendor beyond the immediate contract with
the client. Indeed, they may well be valueless
should the client organization go out of
business. Because the vendor assumes risk by
acquiring the assets and can achieve no
economies of scale by employing them
elsewhere, the client organization will pay a
premium to transfer such functions to a third
party. Further, once the client firm has divested
itself of such specific assets it becomes
dependent on the vendor. The vendor may
exploit this dependency by raising service rates
to an exorbitant level. As the client’s IT needs
develop over time beyond the original contract
terms, it runs the risk that new or incremental
services will be negotiated at a premium. This
dependency may threaten the client’s long-
term flexibility, agility, and competitiveness and outsourcing is inconsistent with the client’s
result in even greater vendor dependency. pursuit of strategic advantage in the
marketplace.
Outsourcing Costs Exceed Benefits
Audit Implications of IT Outsourcing
IT outsourcing has been criticized on the
grounds that unexpected costs arise and the Management may outsource its organization’s
full extent of expected benefits are not realized. IT functions, but it cannot outsource its
One survey revealed that 47 percent of 66 management responsibilities under SOX for
firms surveyed reported that the costs of IT ensuring adequate IT internal controls. The
outsourcing exceeded outsourcing benefits. PCAOB specifically states in its Auditing
Standard No. 2, “The use of a service
One reason for this is that outsourcing clients
organization does not reduce management’s
often fail to anticipate the costs of vendor
responsibility to maintain effective internal
selection, contracting, and the transitioning of
control over financial reporting. Rather, user
IT operations to the vendors.
management should evaluate controls at the
Reduced Security service organization, as well as related controls
at the user company, when making its
Information outsourced to offshore IT vendors assessment about internal control over
raises unique and serious questions regarding financial reporting.”
internal control and the protection of sensitive
personal data. When corporate financial Service provider auditors issue two types of
systems are developed and hosted overseas, SAS 70 reports. An SAS 70 Type I report is the
and program code is developed through less rigorous of the two and comments only on
interfaces with the host company’s network, the suitability of the controls’ design. An SAS
U.S. corporations are at risk of losing control of 70 Type II report goes further and assesses
their information. To a large degree U.S. firms whether the controls are operating effectively
are reliant on the outsourcing vendor’s security based on tests conducted by the vendor
measures, data-access policies, and the organization’s auditor. The vast majority of
privacy laws of the host country. SAS 70 reports issued are Type II. Because
Section 404 requires the explicit testing of
Loss of Strategic Advantage controls, SAS 70 Type I reports are of little
IT outsourcing may affect incongruence value in a post-SOX world.
between a firm’s IT strategic planning and its
business planning functions. Organizations that
use IT strategically must align business
strategy and IT strategy or run the risk of
decreased business performance. To promote
such alignment, firms need IT managers and
chief information officers (CIOs) who have a
strong working knowledge of the organization’s
business. A survey of 213 IT managers in the
financial services industry confirmed that a
firm’s IT leadership needs to be closely aligned
with the firm’s competitive strategy. Indeed,
some argue that the business competence of
CIOs is more important than their IT
competence in facilitating strategic
congruence.
To accomplish such alignment necessitates a
close working relationship between corporate
management and IT management in the
concurrent development of business and IT
strategies. This, however, is difficult to
accomplish when IT planning is geographically
redeployed offshore or even domestically.
Further, because the financial justification for
IT outsourcing depends upon the vendor
achieving economies of scale, the vendor is
naturally driven to toward seeking common
solutions that may be used by many clients
rather than creating unique solutions for each
of them. This fundamental underpinning of IT