Auditing IT Governance Controls

IT Governance Controls
IT governance issues that may potentially impact the financial reporting process:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

The Computer Center
Accountants routinely examine the physical environment of the computer center as part of their annual audit.

The objective of this presentation is to present computer center risks and the controls that help to mitigate risk and create a secure environment.
The following are areas of potential exposure that can impact the quality of information, accounting records, transaction processing, and the effectiveness of other more conventional internal controls:
1. Physical location
2. Construction
3. Access
4. Air conditioning
5. Fire suppression
6. Fault tolerance
Areas of potential exposure:

1. Physical location of the computer center
a) Directly affects the risk of destruction from a natural or man-made disaster.
b) To the extent possible, the computer center should be away from human-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults.
c) The center should be away from normal traffic, for example on the top floor of a building or in a separate, self-contained building.
d) Locating the computer center in the basement of a building increases its risk of flooding.
2. Construction of the computer center
a) Ideally, a computer center should be located in a single-story building of solid construction with controlled access (discussed next).
b) Utility (power and telephone) lines should be underground.
c) The building windows should not be open, and an air filtration system should be in place that is capable of extracting pollens, dust, and dust mites.
3. Access to the computer center
a) Should be limited to the operators and other employees who work there.
b) Physical controls, like locked doors, should be employed to limit access to the center.
c) Access should be controlled by a keypad or swipe card.
d) Access should be monitored by closed-circuit cameras and video recording systems.
e) Computer centers should also use sign-in logs for programmers and analysts who need access to correct program errors. The computer center should maintain accurate records of all such traffic.
4. Air conditioning a computer center
a) Computers function best in an air-conditioned environment, and providing adequate air conditioning is often a requirement of the vendor's warranty.
b) Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors can occur in computer hardware when temperatures depart significantly from this optimal range.
c) Also, the risk of circuit damage from static electricity increases when humidity drops.
d) In contrast, high humidity can cause molds to grow and paper products to swell and jam equipment.
5. Fire suppression in a computer center
a) Automatic and manual alarms should be placed in strategic locations around the installation. These alarms should be connected to permanently staffed fire-fighting stations.
b) There must be an automatic fire extinguishing system that dispenses the appropriate type of suppressant for the location.
c) Manual fire extinguishers should be placed at strategic locations.
d) The building should be of sound construction to withstand water damage caused by fire suppression equipment.
e) Fire exits should be clearly marked and illuminated during a fire.
6. Fault tolerance of a computer center
a) The ability to continue operations when part of the system fails because of hardware failure, application program error, or operator error.
b) Technologies
i. Redundant arrays of independent disks (RAID)
➢ Use parallel disks that contain redundant elements of data and applications.
➢ If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.
ii. Uninterruptible power supplies
➢ The equipment used to control commercially provided electrical power problems includes voltage regulators, surge protectors, generators, and backup batteries.
Audit Objectives
Evaluate the controls governing computer center security. Verify that:
1. Physical security controls are adequate to reasonably protect the organization from physical exposures.
2. Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.
Audit Procedures
Tests of Controls
1. Tests of physical construction
2. Tests of the fire detection system
3. Tests of access control
4. Tests of RAID
5. Tests of the uninterruptible power supply
6. Tests for insurance coverage
1. Tests of physical construction
a) Obtain architectural plans to determine that the computer center is solidly built of fireproof material.
b) There should be adequate drainage under the raised floor to allow water to flow away in the event of water damage from a fire on an upper floor or from some other source.
c) Assess physical location. The facility should be located in an area that minimizes its exposure to fire, civil unrest, and other hazards.
2. Tests of the fire detection system
a) Establish that fire detection and suppression equipment is in place and tested regularly. The evidence may be obtained by reviewing official fire marshal records of tests, which are stored at the computer center.
b) The fire-detection system should detect smoke, heat, and combustible fumes.
3. Tests of access control
a) Establish that routine access to the computer center is restricted to authorized employees.
b) Details about visitor access (e.g., programmers) can be obtained by reviewing the access log.
c) To establish the veracity of this document, the auditor may covertly observe the process by which access is permitted, or review videotapes from cameras at the access point, if they are being used.
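As an added illustration (not part of the slides) of the sign-in log review described for programmer and analyst access and in the access-control tests above, the script below runs an auditor's exception checks over a constructed sign-in log. The roster, the log lines, the log format and the "ticket=" reference to the program error being corrected are all assumptions made for this example.

```python
from datetime import datetime

# Constructed roster of programmers/analysts approved for corrective access.
ROSTER = {"d.kim", "a.patel", "s.chen"}

# Constructed sign-in log: date time user IN|OUT [ticket=<error/change ref>]
LOG = """\
2024-03-04 08:55 d.kim IN ticket=CR-118
2024-03-04 09:40 d.kim OUT
2024-03-04 13:02 j.doe IN ticket=CR-121
2024-03-04 13:45 j.doe OUT
2024-03-04 18:10 a.patel IN
2024-03-05 07:30 s.chen OUT
""".splitlines()

def parse(line):
    """Split one log line into a record; the ticket reference is optional."""
    date, time, user, direction, *rest = line.split()
    ticket = next((t.split("=", 1)[1] for t in rest if t.startswith("ticket=")), None)
    return {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
            "user": user, "dir": direction, "ticket": ticket}

def review(lines, roster=ROSTER):
    """Return the exceptions an auditor would raise against the log:
    person not on the roster, entry with no reference to the error being
    corrected, sign-out with no sign-in, and sign-in never closed out."""
    findings, open_visits = [], {}
    for rec in map(parse, lines):
        user, ts = rec["user"], rec["ts"]
        if rec["dir"] == "IN":
            if user not in roster:
                findings.append(f"{user}: not on authorized roster")
            if rec["ticket"] is None:
                findings.append(f"{user}: entry at {ts:%Y-%m-%d %H:%M} has no ticket reference")
            open_visits[user] = ts
        elif open_visits.pop(user, None) is None:
            # An OUT with no earlier IN means the log was not kept accurately.
            findings.append(f"{user}: sign-out at {ts:%Y-%m-%d %H:%M} with no sign-in")
    for user, ts in sorted(open_visits.items()):
        findings.append(f"{user}: signed in at {ts:%Y-%m-%d %H:%M} but never signed out")
    return findings

if __name__ == "__main__":
    for finding in review(LOG):
        print(finding)
```

Each finding is a point to follow up with the access records or the camera recordings, as the slide suggests.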
4. Tests of RAID
a) Most systems that employ RAID provide a graphical mapping of their redundant disk storage.
b) From this mapping, determine if the level of RAID in place is adequate for the organization.
c) If the organization is not employing RAID, the potential for a single point of system failure exists. Review with the system administrator alternative procedures for recovering from a disk failure.
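As an added illustration (not part of the slides) of the RAID mechanism described in the fault-tolerance section and of the single-point-of-failure concern in the RAID tests above, the constructed single-parity stripe below shows how one lost disk is rebuilt from the redundant data on the others, and why two lost disks, or an array with no parity at all, cannot be recovered. The four-data-disk-plus-parity layout and the disk contents are assumptions made for this example.

```python
# Single-parity stripe: N data disks plus one XOR parity disk (the
# arrangement RAID 5 uses, reduced here to one stripe of byte blocks).

def xor_bytes(blocks):
    """XOR a list of equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)

def build_stripe(data_blocks):
    """Return the data blocks followed by their parity block."""
    return list(data_blocks) + [xor_bytes(data_blocks)]

def reconstruct(stripe, failed):
    """Rebuild the block at index `failed` (stored as None) from the rest.
    XOR of the surviving blocks yields the missing one, whether it was a
    data disk or the parity disk."""
    survivors = [blk for i, blk in enumerate(stripe) if i != failed and blk is not None]
    if len(survivors) != len(stripe) - 1:
        raise ValueError("more than one disk lost: single parity cannot recover")
    return xor_bytes(survivors)

def simulate_failure(stripe, failed_indices, has_parity=True):
    """Mark the given disks as failed and try to rebuild the stripe.
    Returns (recoverable, rebuilt_stripe_or_None)."""
    damaged = [None if i in failed_indices else blk for i, blk in enumerate(stripe)]
    missing = [i for i, blk in enumerate(damaged) if blk is None]
    if not missing:
        return True, damaged
    # No parity = a single point of failure; two losses exceed one parity disk.
    if not has_parity or len(missing) > 1:
        return False, None
    damaged[missing[0]] = reconstruct(damaged, missing[0])
    return True, damaged

if __name__ == "__main__":
    data = [b"ACCT", b"LEDG", b"JRNL", b"TRIA"]   # constructed sample blocks
    stripe = build_stripe(data)
    print(simulate_failure(stripe, {2}))              # rebuilt, True
    print(simulate_failure(stripe, {0, 3}))           # (False, None)
    print(simulate_failure(data, {1}, has_parity=False))  # (False, None)
```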
5. Tests of the uninterruptible power supply
a) The computer center should perform periodic tests of the backup power supply to ensure that it has sufficient capacity to run the computer and air conditioning. Test results should be formally recorded. The tests are necessary to be aware of any need to upgrade backup capacity.
6. Tests for insurance coverage
a) Review insurance coverage on computer hardware, software, and the physical facility.
b) Verify that all new acquisitions are listed on the policy and that obsolete equipment and software have been deleted.
c) The insurance policy should reflect management's needs in terms of extent of coverage.
