
THE COMPUTER CENTER

Accountants routinely examine the physical environment of the computer center as part of their annual
audit. The objective of this section is to present the risks to the computer center and the controls that help
to mitigate them and create a secure environment. The following are areas of potential exposure that can
affect the quality of information, accounting records, transaction processing, and the effectiveness of
other, more conventional internal controls.

Physical Location

The physical location of the computer center directly affects its exposure to natural and human-made
disasters. To the extent possible, the computer center should be located away from human-made and
natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains,
and geological faults. The center should also be away from normal traffic, for example on the top floor of a
building or in a separate, self-contained building. Locating a computer center in the basement of a building
increases its exposure to floods.

Construction

Ideally, a computer center should be located in a single-story building of solid construction with
controlled access (discussed next). Utility (power and telephone) lines should run underground. The
building's windows should not open, and an air filtration system should be in place that is capable of
extracting pollen, dust, and dust mites.

Access

Access to the computer center should be limited to the operators and other employees who work there.
Physical controls, such as locked doors, should be employed to limit access to the center. Access should
be controlled by a keypad or swipe card, although alarmed fire exits are still necessary. To achieve a higher
level of security, access should be monitored by closed-circuit cameras and video recording systems.
Computer centers should also use sign-in logs for programmers and analysts who need access to correct
program errors, and the center should maintain accurate records of all such traffic.

Air conditioning

Computers function best in an air-conditioned environment, and providing adequate air conditioning is
often a requirement of the vendor's warranty. Computers operate best in a temperature range of 70 to
75 degrees Fahrenheit and a relative humidity of about 50 percent. Logic errors can occur in computer
hardware when temperatures depart significantly from this optimal range. Also, the risk of circuit
damage from static electricity increases when humidity drops. In contrast, high humidity can cause
mold to grow and paper products (such as source documents) to swell and jam equipment.

Fire Suppression

Fire is the most serious threat to a firm's computer equipment. Many companies that suffer computer
center fires go out of business because of the loss of critical records, such as accounts receivable. The
implementation of an effective fire suppression system requires consultation with specialists. However,
some of the major features of such a system include the following:

1. Automatic and manual alarms should be placed in strategic locations around the installation.
These alarms should be connected to permanently staffed fire-fighting stations.
2. There must be an automatic fire extinguishing system that dispenses the appropriate type of
suppressant for the location. For example, spraying water or certain chemicals on a computer
can do as much damage as the fire itself.
3. Manual fire extinguishers should be placed at strategic locations.
4. The building should be of sound construction, able to withstand the water damage caused by fire
suppression equipment.
5. Fire exits should be clearly marked and remain illuminated during a fire.

Fault Tolerance

Fault tolerance is the ability of a system to continue operating when part of the system fails because
of a hardware failure, an application program error, or an operator error. Implementing fault tolerance
controls ensures that no single point of potential system failure exists: total failure can occur only if
multiple components fail at once. Two examples of fault tolerance technologies are discussed next.

1. Redundant arrays of independent disks (RAID)
RAID involves using parallel disks that hold redundant elements of data and applications. If
one disk fails, the lost data are automatically reconstructed from the redundant components
stored on the other disks. How many simultaneous disk failures the array survives depends on
the RAID level chosen (striping alone, RAID 0, provides no redundancy at all), and RAID protects
only against disk failure: it does not protect against accidental deletion, data corruption, or a
fire that destroys every disk in the array, so it complements rather than replaces backups.
2. Uninterruptible power supplies
Commercially provided electrical power presents several problems that can disrupt
computer center operations, including total power failures, brownouts, power fluctuations, and
frequency variations. The equipment used to control these problems includes voltage
regulators, surge protectors, generators, and backup batteries. In the event of an extended
power outage, the backup power allows the computer system to shut down in a controlled
manner and prevents the data loss and corruption that would otherwise result from an uncontrolled
system crash.
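To make the RAID reconstruction described in item 1 concrete, the following is an added example (not from the original text, and not a real storage driver) that simulates a RAID 5 style layout: data blocks are striped across the disks, each stripe carries one XOR parity block, and the parity position rotates from stripe to stripe. A single lost disk is rebuilt block by block as the XOR of the surviving blocks in each stripe; a second simultaneous loss is shown to be unrecoverable with single parity, which is the point the auditor's "is the RAID level adequate" question turns on. The payload, block size and disk count are constructed for the demonstration.

```python
"""Toy RAID 5 stripe/parity simulation (added example; not production storage code)."""
from functools import reduce
from typing import List, Optional

BLOCK = 4  # bytes per block; tiny so the demo is readable (real arrays stripe in KiB units)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Byte-wise XOR of equal-length blocks: the parity function used by RAID 5."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def build_array(data: bytes, n_disks: int) -> List[List[bytes]]:
    """Stripe data across n_disks with one rotating parity block per stripe.

    Returns disks[d][s] = the block stored on disk d in stripe s. Each stripe holds
    n_disks - 1 data blocks plus one parity block; the parity block sits on disk
    (s mod n_disks), so parity work is spread over all disks as in RAID 5.
    """
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    n_data = n_disks - 1
    stripe_bytes = BLOCK * n_data
    n_stripes = -(-len(data) // stripe_bytes)          # ceiling division
    data = data.ljust(n_stripes * stripe_bytes, b"\0")  # zero-pad the last stripe
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(n_stripes):
        off = s * stripe_bytes
        chunks = [data[off + i * BLOCK: off + (i + 1) * BLOCK] for i in range(n_data)]
        parity_disk = s % n_disks
        parity = xor_blocks(chunks)
        it = iter(chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def reconstruct_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Rebuild every block of the failed disk from the surviving disks.

    In each stripe the XOR of all blocks (data and parity) is zero, so any single
    missing block equals the XOR of the others. With two disks gone (None entries)
    there is no unique solution, and single-parity RAID cannot recover.
    """
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    if len(survivors) != len(disks) - 1:
        raise RuntimeError("more than one disk missing: single parity cannot recover")
    n_stripes = len(survivors[0])
    return [xor_blocks([d[s] for d in survivors]) for s in range(n_stripes)]


def read_data(disks: List[List[bytes]], n_stripes: int) -> bytes:
    """Reassemble user data, skipping the parity block in each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(n_stripes):
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out)


def double_failure_is_unrecoverable(disks: List[List[bytes]]) -> bool:
    """Simulate losing disks 1 and 2 at once; True if reconstruction correctly refuses."""
    damaged: List[Optional[List[bytes]]] = list(disks)
    damaged[1] = None
    try:
        reconstruct_disk(damaged, 2)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    payload = b"ACCOUNTS RECEIVABLE LEDGER 2024-Q3"  # constructed sample data
    array = build_array(payload, 4)
    lost = 2
    rebuilt = reconstruct_disk(array, lost)
    print("rebuilt disk matches original:", rebuilt == array[lost])
    print("two-disk loss refused:", double_failure_is_unrecoverable(array))
```

The rebuild loop is exactly what a controller does in the background after a hot spare is inserted; the interval until it finishes is the window in which a second failure turns a recoverable event into data loss, which is why arrays carrying critical data use dual parity or mirroring and why rebuild times belong in the auditor's review of the RAID level.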

Audit Objectives

The auditor's objective is to evaluate the controls governing computer center security. Specifically, the
auditor must verify that:

• Physical security controls are adequate to reasonably protect the organization from physical
exposures.
• Insurance coverage on equipment is adequate to compensate the organization for destruction
of, or damage to, its computer center.

Audit Procedures

The following are tests of physical security controls.

a Tests of Physical Construction
The auditor should obtain architectural plans to determine that the computer center is solidly
built of fireproof material. There should be adequate drainage under the raised floor to allow
water to flow away in the event of water damage from a fire on an upper floor or from some
other source. In addition, the auditor should assess the physical location of the computer
center. The facility should be located in an area that minimizes its exposure to fire, civil unrest,
and other hazards.
b Tests of the Fire Detection System
The auditor should establish that fire detection and suppression equipment, both manual and
automatic, is in place and tested regularly. The fire-detection system should detect smoke,
heat, and combustible fumes. Evidence may be obtained by reviewing the official fire marshal
records of tests, which are stored at the computer center.
c Tests of Access Control
The auditor must establish that routine access to the computer center is restricted to authorized
employees. Details about visitor access (by programmers and others), such as arrival and
departure times, purpose, and frequency of access, can be obtained by reviewing the access log.
To establish the veracity of this document, the auditor may covertly observe the process by
which access is permitted, or review videotapes from cameras at the access point, if they are
being used.
d Tests of RAID
Most systems that employ RAID provide a graphical mapping of their redundant disk storage.
From this mapping, the auditor should determine whether the level of RAID in place is adequate for the
organization, given the level of business risk associated with disk failure. If the organization is
not employing RAID, the potential for a single point of system failure exists. The auditor should
review with the system administrator the alternative procedures for recovering from a disk failure.
e Tests of the Uninterruptible Power Supply
The computer center should perform periodic tests of the backup power supply to ensure that it
has sufficient capacity to run the computers and the air conditioning. These are extremely important
tests, and their results should be formally recorded. As a firm's computer systems develop, and
its dependence on them increases, backup power needs are likely to grow proportionally. Indeed, without
such tests, an organization may be unaware that it has outgrown its backup capacity until it is
too late.
f Tests for Insurance Coverage
The auditor should annually review the organization's insurance coverage on its computer
hardware, software, and physical facility. The auditor should verify that all new acquisitions are
listed on the policy. The policy should reflect management's needs in terms of the extent of coverage:
the firm may choose to carry only minimum coverage and bear the remaining risk itself, or, on the
other hand, it may seek complete replacement-cost coverage.
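The access-control test in item c asks the auditor to establish from the access log who entered, when, for what purpose, and how often. The following added example (not from the original text) shows the kind of review an auditor or the center's own staff can run over an exported swipe-card or sign-in log. The CSV layout, the badge identifiers and the log lines are constructed for the demonstration; the checks flag entries by badges on neither the routine nor the escorted-visitor list, visitors who enter without a stated purpose, re-entries while the holder is still recorded inside (a missed sign-out or a tailgated exit), exits with no matching entry, and holders never signed out, and they tally visit frequency per badge.

```python
"""Review a constructed computer-center access log (added example, not from the page)."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed sample log: one line per swipe. Columns are an assumed export format.
SAMPLE_LOG = """\
timestamp,event,badge,purpose
2024-03-04 07:58,IN,ops.maria,shift
2024-03-04 08:02,IN,prog.lee,fix program error PRJ-17
2024-03-04 09:15,OUT,prog.lee,
2024-03-04 11:40,IN,sales.kim,tour
2024-03-04 11:55,OUT,sales.kim,
2024-03-04 13:10,IN,prog.lee,fix program error PRJ-17
2024-03-04 16:01,OUT,ops.maria,
2024-03-04 18:30,IN,prog.lee,fix program error PRJ-17
2024-03-04 19:05,OUT,prog.lee,
"""

# Constructed authorization lists: operators with routine access, and programmers/analysts
# who may enter only for a recorded purpose (the sign-in-log population in the text).
ROUTINE_ACCESS: Set[str] = {"ops.maria", "ops.dan"}
ESCORTED_ACCESS: Set[str] = {"prog.lee", "prog.ana"}


def review_access_log(text: str, routine: Set[str], escorted: Set[str]
                      ) -> Tuple[List[str], Dict[str, int]]:
    """Return (findings, visits_per_badge) for a CSV access log.

    Findings are human-readable strings; each corresponds to one control failure the
    auditor would follow up on. Rows are processed in file order, which the export
    is assumed to keep chronological.
    """
    findings: List[str] = []
    inside: Dict[str, datetime] = {}          # badge -> time of the open entry
    visits: Dict[str, int] = defaultdict(int)

    for row in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        who, event, purpose = row["badge"], row["event"], row["purpose"].strip()
        stamp = ts.strftime("%Y-%m-%d %H:%M")

        if event == "IN":
            visits[who] += 1
            if who not in routine and who not in escorted:
                findings.append(f"{stamp} unauthorized entry by {who} ({purpose or 'no purpose'})")
            elif who in escorted and not purpose:
                findings.append(f"{stamp} visitor {who} entered without a recorded purpose")
            if who in inside:
                prev = inside[who].strftime("%H:%M")
                findings.append(f"{stamp} {who} re-entered while still recorded inside since {prev}")
            inside[who] = ts
        elif event == "OUT":
            if who not in inside:
                findings.append(f"{stamp} {who} exited with no recorded entry")
            else:
                del inside[who]
        else:
            findings.append(f"{stamp} malformed event '{event}' for {who}")

    for who, ts in inside.items():
        findings.append(f"{who} never signed out after {ts.strftime('%Y-%m-%d %H:%M')}")
    return findings, dict(visits)


if __name__ == "__main__":
    found, counts = review_access_log(SAMPLE_LOG, ROUTINE_ACCESS, ESCORTED_ACCESS)
    for line in found:
        print("FINDING:", line)
    print("visits per badge:", counts)
```

On the sample log this yields two findings (the sales badge with no access right, and the 18:30 re-entry by prog.lee with no exit after 13:10) and a visit count showing prog.lee in the center three times in one day, the frequency figure the text says the auditor should extract. The text's caveat still applies: a clean log proves only that the log is clean, which is why it pairs the review with covert observation of the entry process or the camera recordings.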

DISASTER RECOVERY PLANNING

Disasters such as earthquakes, floods, sabotage, and even power failures can be catastrophic to an
organization's computer center and information systems. There are three categories of disaster that can
rob an organization of its IT resources: natural disasters, human-made disasters, and system
failures. Natural disasters such as hurricanes, widespread flooding, and earthquakes are the most
potentially devastating of the three from a societal perspective because they can simultaneously affect
many organizations within the affected geographic area. Human-made disasters, such as sabotage or
errors, can be just as destructive to an individual organization, but tend to be limited in their scope of
impact. System failures such as power outages or a hard-drive failure are generally less severe, but are
the most likely to occur.

All of these disasters can deprive an organization of its data processing facilities, halt those business
functions that are performed or aided by computers, and impair the organization's ability to deliver its
products or services. In other words, the company loses its ability to do business. The more dependent
an organization is on technology, the more susceptible it is to these types of risks. For businesses such as
Amazon.com or eBay, the loss of even a few hours of computer processing capability can be
catastrophic.

Disasters of the sort outlined above usually cannot be prevented or evaded. Once stricken, the victim
firm's survival is determined by how well and how quickly it reacts. With careful contingency planning,
however, the full impact of a disaster can be absorbed and the organization can recover. To
survive such an event, companies develop recovery procedures and formalize them into a disaster
recovery plan (DRP). This is a comprehensive statement of all actions to be taken before, during, and
after any type of disaster. Although the details of each plan are unique to the needs of the organization,
all workable plans possess four common features:

1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures

The remainder of this section is devoted to a discussion of the essential elements of an effective DRP.

Identify Critical Applications

The first essential element of a DRP is to identify the firm's critical applications and associated data files.
Recovery efforts must concentrate on restoring those applications that are critical to the short-term
survival of the organization. Obviously, over the long term, all applications must be restored to
pre-disaster business activity levels. The DRP, however, is a short-term document that should not
attempt to restore the organization's data processing facility to full capacity immediately following the
disaster. To do so would divert resources away from critical areas and delay recovery. The plan should
therefore focus on short-term survival, which is at risk in any disaster scenario.

For most organizations, short-term survival requires the restoration of those functions that generate cash
flows sufficient to satisfy short-term obligations. For example, assume that the following functions
affect the cash flow position of a particular firm:

• Customer sales and service
• Fulfillment of legal obligations
• Accounts receivable maintenance and collection
• Production and distribution decisions
• Purchasing functions
• Cash disbursements (trade accounts and payroll)

The computer applications that support these business functions directly are critical. Hence, these
applications should be identified and prioritized in the restoration plan.

Application priorities may change over time, and these decisions must be reassessed regularly. Systems
are constantly revised and expanded to reflect changes in user requirements. Similarly, the DRP must be
updated to reflect new developments and to identify newly critical applications. Up-to-date priorities may cause
changes in the nature and extent of second-site backup requirements and in the specific backup procedures,
which are discussed later.

The task of identifying critical items and prioritizing applications requires the active participation of user
departments, accountants, and auditors. Too often, this task is incorrectly viewed as a technical
computer issue and therefore delegated to IT professionals. Although the technical assistance of IT
professionals will be required, this task is a business decision and should be made by those best
equipped to understand the business problem.

Creating a Disaster Recovery Team

Recovering from a disaster depends on timely corrective action. Delays in performing essential tasks
prolong the recovery period and diminish the prospects for successful recovery. To avoid serious
omissions or duplication of effort during implementation of the contingency plan, task responsibility must
be clearly defined and communicated to the personnel involved.

Figure 2.7 presents an organizational chart depicting the composition of a disaster recovery team. The
team members should be experts in their areas and have assigned tasks. Following a disaster, team
members will delegate subtasks to their subordinates. It should be noted that traditional control
concerns may not fully apply in this setting. The environment created by the disaster may make it necessary to
violate control principles such as segregation of duties, access controls, and supervision; any such
departures should be recorded so that they can be reviewed, and normal controls reinstated, once recovery is complete.

Providing Second Site Backup

A necessary ingredient of a DRP is that it provides for duplicate data processing facilities following a
disaster. Among the options available, the most common are the mutual aid pact; the empty shell, or cold site;
the recovery operations center, or hot site; and internally provided backup. Each of these is discussed in the
following sections.

Mutual Aid Pact

A mutual aid pact is an agreement between two or more organizations (with compatible computer facilities) to
aid each other with their data processing needs in the event of a disaster. In such an event, the host
company must disrupt its own processing schedule to process the critical transactions of the disaster-stricken
company. In effect, the host company itself must go into an emergency operating mode and cut back on
the processing of its lower-priority applications to accommodate the sudden increase in demand for its
IT resources.

The popularity of these reciprocal agreements is driven by economics; they are relatively cost-free to
implement. In practice, however, mutual aid pacts work better in theory than in reality. In the event of a disaster,
the stricken company has no guarantee that the partner company will live up to its promise of
assistance. To rely on such an arrangement for substantive relief during a disaster requires a level of
faith and untested trust that is uncharacteristic of sophisticated management and its auditors.

Empty Shell

The empty shell or cold site plan is an arrangement wherein the company buys or leases a building that
will serve as a data center. In the event of a disaster, the shell is available and ready to receive whatever
hardware the temporary user needs to run essential systems. This approach, however, has a
fundamental weakness. Recovery depends on the timely availability of the necessary computer
hardware to restore the data processing function. Management must obtain assurances through
contracts with hardware vendors that, in the event of a disaster, the vendor will give the company’s
needs priority. An unanticipated hardware supply problem at this critical juncture could be a fatal blow.

Recovery Operations Center (ROC)

A recovery operations center (ROC) or hot site is a fully equipped backup data center that many
companies share. In addition to hardware and backup facilities, ROC providers offer a range of technical
services to their clients, who pay an annual fee for access rights. In the event of a major disaster, a
subscriber can occupy the premises and, within a few hours, resume processing critical applications.
September 11, 2001, was a true test of the reliability and effectiveness of the ROC approach. Comdisco, a
major ROC provider, had 47 clients who declared 93 separate disasters on the day of the attack. All 47
companies relocated and worked out of Comdisco's recovery centers. At one point, 3,000 client
employees were working out of the centers. Thousands of computers were configured for clients' needs
within the first 24 hours, and systems recovery teams were on site wherever police permitted access. By
September 25, nearly half of the clients were able to return to their own facilities with a fully functional
system.

Although the Comdisco story illustrates a ROC success, it also points to a potential problem with this
approach. A widespread natural disaster, such as a flood or an earthquake, may destroy the data
processing capabilities of several ROC members located in the same geographic area. All the victim
companies will find themselves vying for access to the same limited facilities. Because some ROC
providers oversell their capacity by a ratio of 20:1, the situation is analogous to a sinking ship that has an
inadequate number of lifeboats.

The period of confusion following a disaster is not an ideal time to negotiate property rights. Therefore,
before entering into a ROC arrangement, management should consider the potential problems of
overcrowding and geographic clustering of the current membership.
