Auditing IT Governance Controls

The document discusses auditing IT governance controls based on a book by James A. Hall. It covers learning objectives around IT function structure, security controls, and disaster recovery plans. It defines IT governance as focusing on strategic IT resource management and risk reduction. Key issues addressed are organizational structure of the IT function, computer center operations, and disaster recovery planning. The document then discusses centralized and distributed data processing approaches and their pros and cons from an audit perspective.

Auditing IT Governance Controls
Based on the book by James A. Hall
Allen Marie D. Gonzaga, CPA


Learning objectives:
• Understand the risks of incompatible functions and how to structure the IT function.
• Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities.
• Understand the key elements of a disaster recovery plan.
• Be familiar with the benefits, risks, and audit issues related to IT outsourcing.

Information Technology Governance
• A new subset of corporate governance that focuses on the management and assessment of strategic IT resources.
• Objective: reduce risk and ensure that investments in IT resources add value to the corporation.

3 IT Governance issues that are addressed by SOX and COSO
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

Structure of the IT Function
• Centralized approach
• Distributed approach
Centralized data processing
All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.

Centralized data processing (diagram)

Organizational chart of a centralized IT function (diagram)

Database Administration
Responsible for the security and integrity of the database.
Data Processing
Manages the computer resources used to perform the day-to-day processing of transactions:
1. Data conversion - transcribes transaction data from hard-copy source documents into computer input.
2. Computer operations - electronic files produced in data conversion are later processed by the central computer.
3. Data library - provides safe storage for the off-line data files. Those files could be backups or current data files.

Systems Development and Maintenance
Systems development - responsible for analyzing user needs and for designing new systems to satisfy those needs.
1. Systems professionals - gather facts about the user’s problem, analyze the facts, and formulate a solution.
2. End users - those for whom the system is built.
3. Stakeholders - individuals inside or outside the firm who have an interest in the system, but are not end users.

Systems Development and Maintenance
Systems maintenance - assumes responsibility for keeping the system current with user needs by making changes to program logic to accommodate shifts in user needs over time.
Segregation of Incompatible IT Functions
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.

Separating: Systems development from computer operations
The relationship between these groups should be extremely formal, and their responsibilities should not be commingled.

Separating: Database Administration from other functions
The DBA function is responsible for a number of critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion. Delegating these responsibilities to others who perform incompatible tasks threatens database integrity.

Separating: New systems development from maintenance
Systems analysis - works with the users to produce detailed designs of the new systems.
Programming - codes the programs according to these design specifications (and maintains them).
1. Inadequate documentation
  • Documenting systems is not as interesting as designing, testing, and implementing them.
  • Job security
2. Program fraud
Distributed data processing (DDP)
Involves reorganizing the central IT function into small IT units that are placed under the control of end users.

DDP Approach: Alternative A (diagram)

DDP Approach: Alternative B (diagram)

Risks associated with DDP
1. Inefficient use of resources - risk of mismanagement of organization-wide IT resources by end users; incompatible hardware and software among end-user functions.
2. Destruction of audit trails - the audit trail consists of a set of digital transaction files and master files that reside in part or entirely on end-user computers.
3. Inadequate segregation of duties
4. Hiring qualified professionals
5. Lack of standards

Advantages of DDP
1. Cost reductions
2. Improved cost control responsibility
3. Improved user satisfaction
4. Backup flexibility
Audit Objective
The auditor’s objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks.
Audit Procedures (Centralized)
• Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
• Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.
• Verify that computer operators do not have access to the operational details of a system’s internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operation’s documentation set.
• Through observation, determine that segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.
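The second and fourth procedures above (maintainers must not be the original designers; programmer entries to the operations room should coincide with a system failure) can be run as checks over the records an auditor collects. The Python below is an added example, not from the slides or Hall's book; the assignment records, access-log lines, incident windows and the 30-minute grace window are all constructed assumptions.

```python
"""Two centralized-IT segregation checks over constructed audit evidence.
Check 1: flag applications where a maintenance programmer was also a designer.
Check 2: flag programmer badge entries not tied to a logged system failure.
All names, timestamps and the log format are constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample: application -> (original designers, current maintainers)
ASSIGNMENTS = {
    "payroll":   ({"alice", "bob"}, {"carol"}),
    "billing":   ({"dave"}, {"dave", "erin"}),   # dave designed and now maintains
    "inventory": ({"frank"}, {"frank"}),         # same person throughout
}

# Constructed sample: operations-room access log, "timestamp,badge,role"
ACCESS_LOG = """\
2024-03-04T09:12:00,alice,programmer
2024-03-04T14:30:00,oscar,operator
2024-03-05T02:05:00,bob,programmer
2024-03-06T11:40:00,carol,programmer
"""

# Constructed sample: system-failure windows (start, end) from the incident log
INCIDENTS = [
    (datetime(2024, 3, 5, 1, 50), datetime(2024, 3, 5, 3, 0)),
]
ROLE_OF_INTEREST = "programmer"

def design_maintenance_conflicts(assignments):
    """Return {app: sorted names} for every app whose maintainers overlap its designers."""
    return {app: sorted(designers & maintainers)
            for app, (designers, maintainers) in assignments.items()
            if designers & maintainers}

def unexplained_programmer_entries(log_text, incidents, grace=timedelta(minutes=30)):
    """Return (timestamp, badge) for programmer entries outside every failure window."""
    flagged = []
    for line in log_text.splitlines():
        ts, badge, role = line.split(",")
        if role != ROLE_OF_INTEREST:
            continue                      # operators are expected in the room
        when = datetime.fromisoformat(ts)
        covered = any(start - grace <= when <= end + grace for start, end in incidents)
        if not covered:
            flagged.append((ts, badge))   # entry with no failure to explain it
    return flagged

if __name__ == "__main__":
    print(design_maintenance_conflicts(ASSIGNMENTS))
    print(unexplained_programmer_entries(ACCESS_LOG, INCIDENTS))
```

Each flagged item is an exception for follow-up with management, not a finding by itself; a legitimate reason (a scheduled change window, a documented hand-over) may exist but must be evidenced.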
Audit Procedures (Distributed)
• Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.
• Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
• Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
• Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.
The Computer Center
Accountants routinely examine the physical environment of the computer center as part of their annual audit.

Physical Location
• Directly affects the risk of destruction from a natural or man-made disaster.

Construction
• Single-story building of solid construction with controlled access.

Access
• Limited to the operators and other employees who work there, controlled by a keypad or swipe card, monitored by closed-circuit cameras and video recording systems.

Air conditioning
• Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent.
Fire suppression
1. Automatic and manual alarms should be placed in strategic locations around the installation. These alarms should be connected to permanently staffed fire-fighting stations.
2. There must be an automatic fire extinguishing system that dispenses the appropriate type of suppressant for the location. Manual fire extinguishers should be placed at strategic locations.
3. The building should be of sound construction to withstand water damage caused by fire suppression equipment.
4. Fire exits should be clearly marked and illuminated during a fire.

Fault tolerance
The ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.
1. Redundant arrays of independent disks (RAID) - RAID involves using parallel disks that contain redundant elements of data and applications.
2. Uninterruptible power supplies.

Audit Objective
To evaluate the controls governing computer center security:
• Physical security controls are adequate to reasonably protect the organization from physical exposures.
• Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.

Audit Procedures
1. Tests of physical construction
2. Tests of the fire detection system
3. Tests of access control
4. Tests of RAID
5. Tests of the uninterruptible power supply
6. Tests for insurance coverage
Disaster Recovery Planning
This is a comprehensive statement of all actions to be taken before, during, and after any type of disaster. Although the details of each plan are unique to the needs of the organization, all workable plans possess four common features.

Types of Disasters (diagram)

Four common features
1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures

Identify critical applications
The task of identifying critical items and prioritizing applications requires the active participation of user departments, accountants, and auditors.

Creating a Disaster Recovery Team
To avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved.

Composition of a disaster recovery team (diagram)
Providing second site backup
It provides for duplicate data processing facilities following a disaster. Among the options available, the most common are: mutual aid pact; empty shell or cold site; recovery operations center or hot site; and internally provided backup.
1. Mutual aid pact - An agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster.
2. Empty shell - An arrangement wherein the company buys or leases a building that will serve as a data center.
3. Recovery operations center - A fully equipped backup data center that many companies share. ROC service providers offer a range of technical services to their clients, who pay an annual fee for access rights.
4. Internally provided backup - Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides.
Backup and off-site storage procedures
All data files, applications, documentation, and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.

Operating systems backup
If the company uses a cold site or other method of site backup that does not include a compatible operating system (O/S), procedures for obtaining a current version of the operating system need to be clearly specified. The data librarian, if one exists, would be a key person to involve in performing this task.

Applications backup
To create copies of current versions of critical applications.

Backup data files
Databases should be copied daily to high-capacity, high-speed media, such as tape or CDs/DVDs, and secured offsite.

Backup documentation
System documentation can constitute a significant amount of material, and the backup process is complicated further by frequent application changes.

Backup supplies and source documents
The organization should create backup inventories of supplies and source documents used in processing critical transactions.

Testing the DRP
A test is most useful when the simulation of a disruption is a surprise. When the mock disaster is announced, the status of all processing affected by it should be documented. This approach provides a benchmark for subsequent performance assessments. The plan should be carried through as far as is economically feasible. Ideally, that would include the use of backup facilities and supplies.
Audit Objective
The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures
1. Site backup
2. Critical application list
3. Software backup
4. Data backup
5. Backup supplies, documents and documentation
6. Disaster recovery team

Outsourcing the IT Function
Often cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor’s expertise), and reduced IT costs.

Commodity IT assets
Are not unique to a particular organization and are thus easily acquired in the marketplace.

Specific IT assets
Are unique to the organization and support its strategic objectives.

Inherent risks to IT Outsourcing
1. Failure to perform
2. Vendor exploitation
3. Costs exceed benefits
4. Reduced security
5. Loss of strategic advantage

Audit implications of IT Outsourcing
Statement on Auditing Standard No. 70 (SAS 70) is the definitive standard by which client organizations’ auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client’s financial statements.

SAS 70 Overview
