
Auditing IT Governance Controls

IT Governance Controls
IT governance issues that may impact
the financial reporting process:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
Disaster Recovery Planning
● Disasters such as earthquakes, floods,
sabotage, and even power failures can be
catastrophic to an organization's computer
center and information systems.
● Categories of disaster that can rob an
organization of its IT resources:
1.Natural disasters
➢ Hurricanes, flooding, earthquakes.
2.Human-made disasters
➢ Sabotage, errors.
3.System failure
➢ Power outages, hard-drive failure.
● To survive such disasters, companies develop
recovery procedures and formalize them into a
disaster recovery plan (DRP). This is a
comprehensive statement of all actions to be
taken before, during, and after any type of
disaster.
● Although the details of each plan are unique to
the needs of the organization, all workable
plans possess four common features:
1.Identify critical applications
2.Create a disaster recovery team
3.Provide site backup
4.Specify backup and off-site storage
procedures
1.Identify Critical Applications
a)The first essential element of a DRP is to
identify the firm's critical applications and
associated data files.
b)Recovery efforts must concentrate on
restoring those applications that are critical
to the short-term survival of the
organization.
c)For most organizations, short-term survival
requires the restoration of those functions
that generate cash flows sufficient to
satisfy short-term obligations.
d)The computer applications that support these
business functions directly are critical:
➢ Customer sales and service
➢ Fulfillment of legal obligations
➢ Accounts receivable maintenance and collection
➢ Production and distribution decisions
➢ Purchasing functions
➢ Cash disbursements (trade accounts and payroll)
e)Application priorities may change over time,
and these decisions must be reassessed
regularly. Changes in application priorities
may cause changes in the nature and
extent of second-site backup requirements
and specific backup procedures.
f)This task requires the active participation
of user departments, accountants, and
auditors. Too often, this task is incorrectly
viewed as a technical computer issue and
therefore delegated to IT professionals.
2.Creating a Disaster Recovery Team
a)Recovering from a disaster depends on
timely corrective action. Delays in
performing essential tasks prolong the
recovery period and diminish the
prospects for a successful recovery. To
avoid serious omissions or duplication
of effort during implementation of the
contingency plan, task responsibility
must be clearly defined and
communicated to the personnel
involved.
b)Traditional control concerns may have to be
set aside in this setting. The environment created
by the disaster may make it necessary to violate
control principles such as segregation of
duties, access controls, and supervision, so the
plan should anticipate such exceptions rather
than leave them to improvisation.
3.Providing second-site backup
a)A necessary ingredient in a DRP is that it
provides for duplicate data processing
facilities following a disaster. Among the
options available, the most common are:
i.Mutual aid pact
ii.Empty shell or cold site
iii.Recovery operations center or hot site
iv.Internally provided backup
a)Duplicate data processing facilities:
i.Mutual aid pact
An agreement between two or more
organizations to aid each other with
their data processing needs in the
event of a disaster. In such an event,
the host company must disrupt its
processing schedule to process the
critical transactions of the disaster-
stricken company.
ii.Empty shell
An arrangement wherein the company
buys or leases a building that will serve
as a data center. In the event of a
disaster, the shell is available and
ready to receive whatever hardware
the temporary user needs to run
essential systems.
iii.Recovery operations center
A fully equipped backup data center that
many companies share. In the event of
a major disaster, a subscriber can
occupy the premises and, within a few
hours, resume processing critical
applications.
iv.Internally provided backup
e.g., a remote mirrored data center with
high-capacity storage devices capable
of storing more than 20 terabytes of
data and two IBM mainframes running
high-speed copy software. All
transactions that the main system
processes are transmitted in real time
to the remote backup facility.
4.Specify backup and off-site storage procedures
a)All data files, applications, documentation,
and supplies needed to perform critical
functions should be automatically backed
up and stored at a secure off-site location.
b)Operating system backup
The data librarian would be a key person
to involve in performing this task.
c)Applications backup
In the case of commercial software, this
involves purchasing backup copies of the
latest software upgrades used by the
organization.
d)Backup data files
e.g., use of remote mirrored site, external
drive, and other storage media.
e)Backup documentation
May be simplified and made more efficient
through the use of Computer Aided
Software Engineering (CASE)
documentation tools.
e.g., documentation such as end-user
manuals.
f)Backup supplies and source documents
e.g., check stocks, invoices, purchase
orders, and other special-purpose forms
that cannot be obtained immediately.
g)DRP tests
Should be performed periodically.
Audit Objective
● The auditor should verify that management's
disaster recovery plan is adequate and feasible
for dealing with a catastrophe that could deprive
the organization of its computing resources.
Audit Procedures
Site Backup
● The auditor should evaluate the adequacy of
the backup site arrangement. System
incompatibility and human nature both greatly
reduce the effectiveness of the mutual aid pact.
● If a client is using the empty shell method, then
the auditor needs to verify the existence of valid
contracts with hardware vendors that guarantee
delivery of needed computer hardware with
minimum delay.
● If a client is a member of a recovery operations
center (ROC), the auditor should be concerned
about the number of ROC members and their
geographic dispersion, since a regional disaster
that strikes several members at once could
leave the shared facility oversubscribed.
Critical Application List
● The auditor should review the list of critical
applications to ensure that it is complete.
● Missing applications can result in failure to
recover. The same is true, however, for
restoring unnecessary applications.
Software Backup
● The auditor should verify that copies of critical
applications and operating systems are stored
off-site.
● The auditor should also verify that the
applications stored off-site are current by
comparing their version numbers with those of
the applications actually in use.
Data Backup
● The auditor should verify that critical data files
are backed up in accordance with the DRP.
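One way to automate the two checks above (off-site software versions against production, and data files against the DRP), as an added example that is not part of the original slides: the script compares a production inventory with an off-site backup manifest, item by item, against a per-item recovery point objective (RPO). The RPO attribute, the application names, the hashes and the timestamps are all constructed for illustration and are not taken from the slides.

```python
"""Added audit helper: check off-site software and data backups against the DRP.

Example code, not from the original slides.  Inventories, names and RPO
values below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class BackupRequirement:
    name: str        # critical application or data set named in the DRP
    rpo: timedelta   # assumed DRP attribute: max tolerable age of the newest off-site copy


@dataclass(frozen=True)
class ProductionItem:
    name: str
    version: str
    sha256: str      # hash of the installed software or live data file


@dataclass(frozen=True)
class OffsiteCopy:
    name: str
    version: str
    sha256: str
    taken_at: datetime


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_backups(drp, production, offsite, now):
    """Return (item, finding) pairs; an empty list means every check passed."""
    findings = []
    prod_by_name = {p.name: p for p in production}
    copies_by_name = {}
    for copy in offsite:
        copies_by_name.setdefault(copy.name, []).append(copy)

    for req in drp:
        prod = prod_by_name.get(req.name)
        if prod is None:
            findings.append((req.name, "on DRP critical list but absent from production inventory"))
            continue
        copies = copies_by_name.get(req.name)
        if not copies:
            findings.append((req.name, "no off-site copy"))
            continue
        newest = max(copies, key=lambda c: c.taken_at)
        age = now - newest.taken_at
        if age > req.rpo:
            findings.append((req.name, f"newest off-site copy is {age} old, exceeds RPO {req.rpo}"))
        # Version comparison is what the slide asks for; the hash catches a copy that
        # carries the right version label but not the right bytes (truncated/corrupt).
        if newest.version != prod.version:
            findings.append((req.name, f"off-site version {newest.version} != production {prod.version}"))
        elif newest.sha256 != prod.sha256:
            findings.append((req.name, "version matches but content hash differs"))

    # Copies of items not on the critical list cost recovery time if restored.
    critical = {r.name for r in drp}
    for name in copies_by_name:
        if name not in critical:
            findings.append((name, "backed up but not on the DRP critical application list"))
    return findings


# ---- constructed sample evidence --------------------------------------------
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

DRP = [
    BackupRequirement("accounts-receivable", timedelta(hours=24)),
    BackupRequirement("payroll", timedelta(hours=24)),
    BackupRequirement("order-entry", timedelta(hours=4)),
    BackupRequirement("ledger-db", timedelta(hours=1)),
]

PRODUCTION = [
    ProductionItem("accounts-receivable", "4.2.1", sha256_of(b"ar-4.2.1")),
    ProductionItem("payroll", "9.0", sha256_of(b"payroll-9.0")),
    ProductionItem("order-entry", "2.7", sha256_of(b"oe-2.7")),
    ProductionItem("ledger-db", "snapshot", sha256_of(b"ledger-snapshot")),
]

OFFSITE = [
    OffsiteCopy("accounts-receivable", "4.2.1", sha256_of(b"ar-4.2.1"), NOW - timedelta(hours=6)),
    OffsiteCopy("payroll", "8.5", sha256_of(b"payroll-8.5"), NOW - timedelta(hours=6)),          # old release
    OffsiteCopy("order-entry", "2.7", sha256_of(b"oe-2.7-truncated"), NOW - timedelta(hours=2)),  # bad bytes
    OffsiteCopy("ledger-db", "snapshot", sha256_of(b"ledger-snapshot"), NOW - timedelta(hours=13)),  # past RPO
    OffsiteCopy("marketing-wiki", "1.0", sha256_of(b"wiki"), NOW - timedelta(hours=1)),         # not critical
]


def run_audit():
    return audit_backups(DRP, PRODUCTION, OFFSITE, NOW)


if __name__ == "__main__":
    for name, finding in run_audit():
        print(f"{name}: {finding}")
```

Run against the constructed evidence, the audit reports a stale payroll release, an order-entry copy whose bytes do not match the installed version, a ledger snapshot older than its RPO, and a non-critical item that would waste recovery time if restored; the accounts-receivable copy passes all checks. Comparing hashes as well as version labels is the practitioner's addition here: two copies labelled with the same version can still differ in content.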
Backup Supplies, Documents, and
Documentation
● The auditor should verify that the types and
quantities of items specified in the DRP exist in
a secure location.
Disaster Recovery Team
● The auditor should verify that members of the
team are current employees and are aware of
their assigned responsibilities.
