
Auditing IT Governance Controls

Altura, Mac Floyd A.; Austria, Gianna Marie A.; Parba, Fayemie Sophia C.; Ponce, Dale Jericho G.
Learning Objectives

• Understand the risks of incompatible functions and how to structure the IT function.
• Be familiar with the controls and precautions required to ensure the security of an organization's computer facilities.
• Understand the key elements of a disaster recovery plan.
• Be familiar with the benefits, risks, and audit issues related to IT
IT Governance

• Subset of corporate governance that focuses on the management and assessment of strategic IT resources.
• Key objectives are to reduce risk and to ensure that investments in IT resources add value to the corporation.
• All corporate stakeholders must be active participants in key IT

IT Governance Controls

• Three IT governance issues addressed by SOX and the COSO internal control framework:

 Organizational structure of the IT function.

 Computer center operations.

 Disaster recovery planning.

Structure of the Corporate IT Function

• Under the centralized data processing model, all data processing is performed at a central site.
• End users compete for resources based on need.
 Operating costs are charged back to the end user.
• Primary service areas:
 Database administration.
 Data processing, consisting of data control/data entry, computer operations and data
 Systems development and maintenance.
• Participants in systems development activities include systems professionals, end users and stakeholders.
Alternative Organization of Systems Development (figure)
Alternative Organization of Systems Development: Problems

• Two control problems arise under the alternative organization, which segregates systems analysis from applications programming so that the programmer who codes a system also maintains it:
 Inadequate documentation is a chronic problem.
 Documenting systems is not an interesting task.
 Lack of documentation provides job security for the programmer who coded the system.
 When the programmer who wrote a system also has maintenance responsibility, the potential for fraud is increased.
 The programmer may have concealed fraudulent code in the system.
 Having sole responsibility for maintenance may allow the programmer to conceal that code for years.
Structure of the Corporate IT Function
Segregation of Incompatible IT Functions

• Systems development from computer operations.
 The relationship between the groups should be formal, and responsibilities should not be commingled.
• Database administration from other functions.
 The DBA function is responsible for many critical tasks and needs to be organizationally independent of operations, systems development and
• New systems development from maintenance.
 Improves documentation standards, because the maintenance group requires documentation before it can take over a system.
 Denying the original programmer future access to the system deters program fraud.
The Distributed Model

• Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users.
• Two alternatives:
 Alternative A: A variant of the centralized model, with terminals or microcomputers distributed to end users for handling input and output.
 Alternative B: Distributes all computer services to the end users, where they operate as stand-alone units.
The Distributed Model (figure)
Audit Objectives and Audit Procedures Based on Management Assertions (table)
Risk Associated with DDP

• Inefficient use of resources:
 Mismanagement of IT resources by end users.
 Operational inefficiencies due to redundant tasks being performed.
 Hardware and software incompatibility among end-user functions.
• Destruction of audit trails.
• Inadequate segregation of duties.
• Hiring qualified professionals:
 The risk of programming errors and system failures increases directly with the level of employee incompetence.
• Lack of standards.
Controlling the DDP Environment

• Implement a corporate IT function:
– Central testing of commercial software and hardware.
– User services to provide technical help.
– Standard-setting body.
– Personnel review.
Audit Procedures for the DDP

• Audit procedures in a centralized IT organization:
– Review relevant documentation to determine whether individuals or groups are performing incompatible functions.
– Review systems documentation and maintenance records to verify that maintenance programmers are not the designers of the systems they maintain.
– Observe operations to determine whether the segregation policy is being followed.

Audit Procedures for the DDP

• Audit procedures in a distributed IT organization:
– Review relevant documentation to determine whether individuals or groups are performing incompatible duties.
– Verify that corporate policies and standards are published and provided to distributed IT units.
– Verify that compensating controls are in place where segregation is not achievable.
– Review system documentation to verify that applications, procedures and databases are in accordance with standards.
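The segregation-of-duties review in the centralized and distributed procedures above (incompatible functions held by one person, and maintenance programmers who designed the system they maintain) can be run mechanically over a role register. The following is an added example, not code from the original slides; the names, role register and maintenance records are constructed, and the `compensated` parameter models the distributed-unit case where a documented compensating control covers an unavoidable conflict.

```python
"""Segregation-of-duties (SoD) check over IT role assignments.

Added example, not from the original slides. Names and role data are
constructed; the incompatible pairs are the ones the segregation guidance lists.
"""
from itertools import combinations

# Functions that must not be held by the same person or group.
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"new_systems_development", "maintenance"}),
}

# Constructed role register: (person, function held).
ASSIGNMENTS = [
    ("alice", "systems_development"),
    ("alice", "computer_operations"),      # incompatible with the line above
    ("bob", "database_administration"),
    ("carol", "new_systems_development"),
    ("carol", "maintenance"),              # incompatible: develops and maintains
    ("dave", "computer_operations"),
]

# Constructed maintenance records: who designed each application vs. who maintains it.
MAINTENANCE_RECORDS = [
    {"application": "payroll", "designer": "carol", "maintainer": "erin"},
    {"application": "billing", "designer": "frank", "maintainer": "frank"},  # original programmer still maintains
]


def functions_by_holder(assignments):
    """Group the register by person: {person: {functions}}."""
    held = {}
    for person, function in assignments:
        held.setdefault(person, set()).add(function)
    return held


def find_sod_conflicts(assignments, incompatible=INCOMPATIBLE_PAIRS, compensated=frozenset()):
    """Return sorted (person, function_a, function_b) for each incompatible pair held.

    `compensated` lists persons for whom a documented compensating control
    exists (the distributed-unit case); their conflicts are not reported.
    """
    conflicts = []
    for person, functions in functions_by_holder(assignments).items():
        if person in compensated:
            continue
        for a, b in combinations(sorted(functions), 2):
            if frozenset({a, b}) in incompatible:
                conflicts.append((person, a, b))
    return sorted(conflicts)


def find_designer_maintainers(records):
    """Applications whose original designer is also the current maintainer."""
    return sorted(r["application"] for r in records if r["designer"] == r["maintainer"])


if __name__ == "__main__":
    for person, a, b in find_sod_conflicts(ASSIGNMENTS):
        print(f"SoD conflict: {person} holds {a} and {b}")
    for app in find_designer_maintainers(MAINTENANCE_RECORDS):
        print(f"designer maintains own code: {app}")
```

The register would normally be exported from the identity or HR system; what matters for the audit is that every reported conflict is either eliminated or matched to a written compensating control, and that the exception list (`compensated`) is itself reviewed rather than taken on trust.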
The Computer Center

• Physical location:
 Directly affects the risk of destruction from a disaster.
 Should be away from hazards and traffic.
• Construction:
 Ideally single-story, solidly constructed, with underground utilities.
 Windows should not open, and an air filtration system should be in
• Access:
 Should be limited with locked doors, cameras, key-card entrance and access logs.
The Computer Center

• Air conditioning should provide appropriate temperature and humidity for the computers.
• Fire suppression:
 Alarms, fire extinguishing system, appropriate construction, fire exits.
• Fault tolerance is the ability of a system to continue operation when part of the system fails.
 Total failure can occur only if multiple components fail.
 Redundant arrays of independent disks (RAID) use parallel disks holding redundant data and applications (for example parity information) so that if one disk fails, the lost data can be reconstructed from the surviving disks.
 Uninterruptible power supplies.
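The reconstruction property the RAID bullet relies on, and its limit (a single parity block tolerates one failed disk per stripe, so "total failure only if multiple components fail" is exactly the case it cannot handle), is easiest to see in code. The following is an added example, not from the original slides: a minimal single-parity stripe in the style of RAID 4/5, with parity computed as the XOR of the data blocks. The sample records and the disk-failure simulation are constructed.

```python
"""Single-parity (RAID 4/5-style) reconstruction with XOR, on constructed data.

Added example, not from the original slides. One parity block per stripe is the
XOR of the data blocks, so any single lost block (data or parity) is the XOR of
the survivors; two simultaneous losses exceed what one parity block can recover.
"""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte strings."""
    if not blocks:
        raise ValueError("need at least one block")
    length = len(blocks[0])
    if any(len(b) != length for b in blocks):
        raise ValueError("all blocks in a stripe must have the same length")
    out = bytearray(length)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripe(data_blocks):
    """Lay out a stripe: the data blocks followed by their parity block."""
    data_blocks = [bytes(b) for b in data_blocks]
    return data_blocks + [xor_blocks(data_blocks)]


def lost_block_count(stripe):
    """Number of blocks marked as failed (None) in a stripe."""
    return sum(1 for b in stripe if b is None)


def recoverable(stripe):
    """Single parity tolerates at most one failed block per stripe."""
    return lost_block_count(stripe) <= 1


def read_stripe(stripe, n_data):
    """Return the n_data data blocks, rebuilding one missing block from parity.

    Raises ValueError when more than one block is missing: that is the
    'multiple components fail' case in which the stripe is unrecoverable.
    """
    if not recoverable(stripe):
        raise ValueError(f"{lost_block_count(stripe)} blocks lost; single parity cannot recover")
    stripe = list(stripe)
    if lost_block_count(stripe) == 1:
        idx = stripe.index(None)
        stripe[idx] = xor_blocks([b for i, b in enumerate(stripe) if i != idx])
    return stripe[:n_data]


def simulate_disk_failure(stripe, failed_index):
    """Copy of the stripe with one block marked as lost (None)."""
    damaged = list(stripe)
    damaged[failed_index] = None
    return damaged


# Constructed sample records, one block per disk in a 3-data + 1-parity stripe.
SAMPLE_DATA = [b"ACCT0001", b"ACCT0002", b"ACCT0003"]

if __name__ == "__main__":
    stripe = write_stripe(SAMPLE_DATA)
    for failed in range(len(stripe)):
        assert read_stripe(simulate_disk_failure(stripe, failed), len(SAMPLE_DATA)) == SAMPLE_DATA
    print("every single-disk failure reconstructed")
```

An auditor's "test of RAID" is the operational version of `simulate_disk_failure`: pull one disk, confirm the array keeps serving and rebuilds, and check that the rebuild window is short enough that a second failure during it is unlikely. Real arrays also have to survive the second failure during a rebuild, which is why double-parity or mirrored layouts exist; the single-parity scheme here does not.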
Audit Procedures: The Computer Center

• The auditor must verify that physical controls and insurance coverage are adequate.
• Procedures include:
– Tests of physical construction.
– Tests of the fire detection system.
– Tests of access control.
– Tests of RAID.
– Tests of the uninterruptible power supply.
– Tests of insurance coverage.
Disaster Recovery Planning

• A disaster recovery plan (DRP) is a statement of all actions to be taken before, during and after any type of disaster. Four common features:
• Identify critical applications:
 Short-term survival requires restoration of cash flow generating
 Applications supporting those functions should be identified and prioritized in the restoration plan.
 The task of identifying critical items and prioritizing applications requires active participation of user departments, accountants an
Disaster Recovery Planning

• Create a disaster recovery team:
 Team members should be experts in their areas and have assigned
• Provide second-site backup:
 A necessary ingredient of a DRP is that it provides for duplicate data processing facilities following a disaster.
• Specify backup and off-site storage procedures:
 All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.
Second-Site Backups

• A mutual aid pact is an agreement between organizations to aid each other with data processing in a disaster.
• An empty shell or cold site plan involves obtaining a building to serve as a data center in a disaster.
 Recovery depends on the timely availability of hardware.
• A recovery operations center or hot site plan is a fully equipped site that many companies share.
• Internally provided backup may be preferred by organizations with many data processing centers.
DRP Audit Procedures

• To verify that the DRP is a realistic solution, the following tests may be performed:
– Evaluate the adequacy of backup site arrangements.
– Review the list of critical applications for completeness.
– Verify that copies of critical applications and operating systems are stored off-site.
– Verify that critical data files are backed up in accordance with the DRP.
– Verify that the types and quantities of items specified in the DRP exist in a secure location.
– Verify that disaster recovery team members are current employees and aware of their assigned responsibilities.
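The two off-site checks above (critical applications and operating systems are stored off-site; critical data files are backed up in accordance with the DRP) become a repeatable test once the DRP's critical-item list carries a maximum backup age and a reference manifest of production hashes exists. The following is an added example, not from the original slides; the DRP schedule, the production copies and the off-site store are all constructed in memory, whereas in practice the manifest is built from production and the off-site copies are read from the vault or remote site.

```python
"""Check an off-site backup set against the DRP's critical-item list.

Added example, not from the original slides. The DRP requirements, the
production copies and the off-site store are all constructed in memory;
in practice the manifest would be built from production and the off-site
store read from the vault or remote site.
"""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed DRP schedule: critical item -> maximum allowed age of its backup.
DRP_CRITICAL_ITEMS = {
    "apps/payroll.bin": timedelta(days=1),
    "apps/billing.bin": timedelta(days=1),
    "data/ledger.db": timedelta(hours=4),
    "os/prod-image.iso": timedelta(days=30),
}

# Constructed production copies, used to build the reference manifest.
PRODUCTION = {
    "apps/payroll.bin": b"payroll v1",
    "apps/billing.bin": b"billing v7",
    "data/ledger.db": b"ledger rows ...",
    "os/prod-image.iso": b"os image",
}

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

# Constructed off-site store: name -> (content, time backed up).
OFFSITE = {
    "apps/payroll.bin": (b"payroll v1", NOW - timedelta(hours=6)),      # current and intact
    "apps/billing.bin": (b"billing v6", NOW - timedelta(hours=6)),      # content differs from production
    "data/ledger.db": (b"ledger rows ...", NOW - timedelta(hours=9)),   # older than the 4h allowed
    # os/prod-image.iso is absent from the vault
}


def build_manifest(files):
    """name -> SHA-256 of the production copy."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_offsite(manifest, offsite, requirements, now):
    """One finding per DRP item: 'ok', 'missing', 'hash mismatch' or 'stale'."""
    findings = {}
    for name, max_age in requirements.items():
        if name not in offsite:
            findings[name] = "missing"
            continue
        content, backed_up_at = offsite[name]
        if sha256_hex(content) != manifest.get(name):
            findings[name] = "hash mismatch"
        elif now - backed_up_at > max_age:
            findings[name] = "stale"
        else:
            findings[name] = "ok"
    return findings


def drp_exceptions(findings):
    """Items that would be raised as audit exceptions."""
    return sorted(name for name, status in findings.items() if status != "ok")


if __name__ == "__main__":
    for name, status in verify_offsite(build_manifest(PRODUCTION), OFFSITE, DRP_CRITICAL_ITEMS, NOW).items():
        print(f"{status:14} {name}")
```

Two caveats a practitioner would add: a hash mismatch means the vault copy is not the current production copy, which may be corruption or simply a superseded version, so the finding needs follow-up rather than automatic failure; and the manifest must be kept somewhere other than the system it describes, or a disaster that destroys production also destroys the reference you would verify the backups against.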
Outsourcing the IT Function
• Benefits of IT outsourcing include:
– Improved core business processes.
– Improved IT performance.
– Reduced IT costs.
• The logic underlying outsourcing follows from core competency theory, which argues that an organization should focus on its core business competencies. This premise, however, ignores an important distinction between:
 Commodity IT assets, which are not unique to an organization and are easily acquired in the marketplace.
 Specific IT assets, which are unique and support an organization's strategic objectives.
Outsourcing the IT Function

• Transaction cost economics (TCE) suggests that firms should retain specific non-core IT assets in house.
 Specific assets cannot be easily replaced once they are given up in an outsourcing arrangement.
• Cloud computing is location-independent computing whereby shared data centers deliver hosted IT services over the internet. It offers three primary classes of computing services:
 Software-as-a-Service (SaaS)
 Infrastructure-as-a-Service (IaaS)
 Platform-as-a-Service (PaaS)
Outsourcing the IT Function

• Virtualization has unleashed cloud computing.
o Network virtualization increases effective network bandwidth, optimizes network speed, flexibility, and reliability, and improves network
o Storage virtualization is the pooling of physical storage from multiple devices into what appears to be a single virtual storage device.
• Cloud computing may not be realistic for large firms:
 They typically have massive IT investments and are therefore not inclined to turn their IT operations over to a cloud vendor.
 They may have critical functions running on legacy systems that cannot be easily migrated to the cloud.
 The commodity provision approach of the cloud is incompatible with the need for unique strategic information.
Risk Inherent to IT Outsourcing

• Failure to perform.
• Vendor exploitation.
• Outsourcing costs exceed benefits.
• Reduced security.
• Loss of strategic advantage.
Audit Implications of IT Outsourcing

• Use of a service organization does not reduce management's responsibilities under SOX for ensuring adequate IT internal
• SSAE 16 replaced SAS 70 as the standard by which auditors gain assurance that processes and controls at third-party vendors are adequate to prevent or detect material errors (SSAE 16 has itself since been superseded by SSAE 18, under which these reports are issued as SOC 1 reports).
 The report presents the service organization's description of its system and controls using either the carve-out or the inclusive method.