
Auditing IT Governance Controls

Course assignments
Auditing EDP

By
Group 2 :

Mochamad Nur Hidayatullah 160810301041


Lindi Nur Istiqomah 160810301058
Chesilia Pramesti 160810301084

Accounting Study Program


Economics and Business Faculty
University of Jember
2019
INTRODUCTION

Information Technology (IT) is the use of any computers, storage, networking, and other physical devices, infrastructure, and processes to create, process, store, secure, and exchange all forms of electronic data (Margaret Rouse, Stephen J. Bigelow). IT has taken on an important role in many sectors of life. Everyone can encounter and learn about IT even through a single item such as a mobile phone (handphone, HP), and people have grown accustomed to technology since childhood. Moreover, we now live in the globalization era, in which the peoples of the world are incorporated into a single world society, a global society (Martin Albrow, 1990). Being borderless across countries would be impossible without IT infrastructure.

IT is also used to help people in the business sector. Many companies have invested large sums in IT because they expect a higher return. One very helpful benefit for a company is that its business processes become simpler, so productivity increases. The performance of IT can be optimized if the company has IT governance, which focuses on the management and assessment of strategic IT resources. IT governance also helps reduce risk and ensures that the IT investment increases company value (James A. Hall, 2011).

The more IT is used in companies, the more companies want to ensure the effectiveness of their IT infrastructure so that the financial reporting process is not hampered; this includes the organizational structure of the IT function, computer center operations, and disaster recovery planning (James A. Hall, 2011). Therefore, an audit of IT governance is required.

AUDITING IT GOVERNANCE CONTROLS

A. Information Technology Governance
Information Technology (IT) governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources. The objectives of implementing IT governance are to ensure that IT investment delivers the value the company expects and to reduce the company's risks. Key IT decisions must be made by all corporate stakeholders and must comply with user needs, corporate policies, internal control requirements (SOX), and strategic initiatives.
a) IT Governance Controls
Three IT governance issues are addressed by SOX and the COSO internal control framework:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
Each of these issues is discussed in three steps:
1. Examine the nature of the risk and the internal controls needed to mitigate it.
2. Present the audit objectives, i.e. what needs to be verified.
3. Give example tests of controls, i.e. how the auditor might gather audit evidence.

B. Structure of the Information Technology Function

The way the IT function is organized has implications for the nature and effectiveness of internal controls and of the audit. There are two IT organization models: the centralized approach and the distributed approach.
a) Centralized Data Processing
All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization. The first figure illustrates the IT service activities managed as a shared organizational resource, for which the end users compete.

The second figure illustrates the centralized IT service and its primary service areas:
1. Database Administration
Data resources are stored in a central location that is shared by all end users. The database administrator (DBA) is responsible for the security and integrity of the database.
2. Data Processing
The data processing group manages the computer resources that perform the day-to-day processing of transactions.
• Data conversion – transcribes transaction data from hard-copy source documents into computer input.
• Computer operations – the documents from data conversion are processed by the central computer, which is managed by the computer operations group. Accounting applications are usually executed here.
• Data library – a room adjacent to the computer center that provides safe storage for off-line data files (backups or current data files). It may hold backup data, current operational data files on magnetic tapes and removable disk packs, and the original copies of commercial software and their licenses. The librarian issues data files to the computer operators as programs request them and takes custody of the files when processing or backup procedures are complete.
3. Systems Development and Maintenance
The information systems needs of users are met by two related functions: systems development and systems maintenance.
• Systems professionals – systems analysts, database designers, and programmers who gather and analyze facts about users' problems and formulate solutions.
• End users – those for whom the system is built.

• Stakeholders – parties inside or outside the firm who have an interest in the system but are not end users.

b) Segregation of Incompatible IT Functions

Some functions must be separated from some or all other functions to reduce the opportunity for fraud; this segregation is one of the internal controls. In IT organizations the following tasks should be segregated:
1. Separating systems development from computer operations
This segregation is of the greatest importance. Systems development and maintenance professionals create systems for users, while operations staff run those systems. Consolidating these functions invites errors and fraud: combining the detailed knowledge of a systems development professional with the computer access of an operations staff member would allow one individual to make unauthorized changes to the systems.
2. Separating database administration from other functions
The DBA function is responsible for critical tasks pertaining to database security. Delegating this responsibility to others who perform incompatible tasks threatens database integrity, so the DBA must be organizationally independent.
3. Separating new systems development from maintenance
Systems analysts work with the users and produce detailed design specifications. The programmer codes the program according to the design specifications and then maintains the system. This arrangement causes two types of control problems:
• Inadequate documentation – there are two reasons for this problem: 1) documenting systems is not as interesting as designing, testing, and implementing them; 2) job security, since a poorly documented system is harder for anyone else to take over.
• Program fraud – making unauthorized changes to program modules for the purpose of committing an illegal act.
4. A superior structure for systems development
The systems development function is separated into two groups. First, the new systems development group is responsible for designing, programming, and implementing new systems projects. Second, the systems maintenance group is responsible for the system's ongoing maintenance. This structure addresses both control problems:
• Documentation standards are improved, because the maintenance group depends on the documentation to perform its duties.
• Denying the original programmer future access to the program deters program fraud.

c) The Distributed Model

An alternative to the centralized model is distributed data processing (DDP). DDP involves reorganizing the central IT function into small IT units that are placed under the control of end users. IT units can be distributed according to business function, geographical location, or both.
1. Risks Associated with DDP
This section discusses the organizational risks that need to be considered when implementing DDP. Potential problems include inefficient use of resources, destruction of audit trails, inadequate segregation of duties, increased potential for programming errors and system failures, and lack of standards.

Inefficient Use of Resources. DDP can expose an organization to three types of risk associated with the inefficient use of organizational resources.
• First, the risk that end users mismanage the organization's IT resources.
• Second, DDP can increase the risk of operational inefficiency because of redundant tasks performed across the end-user community.
• Third, the DDP environment raises the risk of incompatible hardware and software across end-user functions.
Destruction of Audit Trails. The use of DDP can negatively affect the audit trail. Because audit trails in modern systems are electronic, it is not unusual for part or all of the audit trail to reside on the end users' various computers.
Inadequate Segregation of Duties. Distributing IT services to users can create many small units in which incompatible functions cannot be separated. For example, a single unit may write an application program, maintain that program, and enter transaction data into the computer; this condition violates internal control.
Hiring Qualified Professionals. Managers who are also end users may lack the knowledge needed to evaluate the qualifications and experience of candidates applying for positions as computer professionals.
Lack of Standards. Because responsibilities are distributed in the DDP environment, standards for developing and documenting systems, selecting programming languages, procuring hardware and software, and evaluating performance may be applied unevenly or may not exist at all.

2. Advantages of DDP

Cost Reductions. In the past, the economics of data processing favored large, expensive, and sophisticated computers. The many kinds of needs that such a centralized system had to meet required very general-purpose computers running complex operating systems. Sophisticated but inexpensive microcomputers and minicomputers, which are cost-effective for performing specialized functions, have dramatically changed the economics of data processing. In addition, the cost per unit of data storage, which was once a justification for consolidating data in a central location, is no longer a primary consideration. Moving to DDP can also reduce costs in two other areas:
(1) data can be entered and edited at the information processing unit (IPU) where it originates;
(2) application complexity can be reduced, which in turn reduces development and maintenance costs.
Improved Cost Control Responsibility. Managers accept responsibility for the financial success of their operations. This requires that they be given the authority to make decisions about the resources that affect their overall success. When managers are not allowed to make the decisions needed to achieve their goals, their performance can suffer. DDP supporters argue that the benefits of improved management attitudes outweigh the additional costs of distributing these resources.
Improved User Satisfaction. Perhaps the most commonly cited DDP benefit is increased user satisfaction. This is based on three areas of need that are often left unfulfilled in a centralized approach:
(1) as explained before, users want to control the resources that affect their profitability;
(2) users want systems professionals (analysts, programmers, and computer operators) who are responsive to the user's specific situation;
(3) users want to be more actively involved in the development and implementation of the systems they use. DDP supporters argue that providing more tailored support, which can only be done in a distributed environment, has direct benefits for users in terms of enthusiasm and productivity.
Backup Flexibility. The final argument in support of DDP is its ability to spread computing facilities over several locations in order to protect against disasters such as fire, flood, sabotage, and earthquake. One solution is to build excess capacity into each IPU. If a disaster destroys one location, transactions can still be processed by another IPU.

d) Controlling the DDP Environment

DDP carries a certain prestige value, so the analysis of its pros and cons must cover a number of important considerations of economic benefit and operational feasibility. Some companies have shifted to DDP without fully considering whether the distributed organizational structure will actually help them achieve company goals.
1) Implementing a Corporate IT Function
The fully centralized model and the fully distributed model represent two extreme positions on a spectrum of alternative structures. The needs of most companies fall somewhere between these two extremes. In most companies, the control problems described above can be addressed by implementing a corporate IT function (a central IT group that supports the distributed units).

Central Testing of Commercial Software and Hardware. A corporate IT group is better able to evaluate the merits of the competing software and hardware products on the market. A central, technically competent group can efficiently evaluate system features and controls and check conformance with industry and organizational standards.
User Services. A valuable feature of the corporate group is the user services function. This activity provides technical help to users during the installation of new software and in solving hardware and software problems.
Standard-Setting Body. The relatively poor control environment that results from the DDP model can be improved by establishing some central guidance. The corporate group can contribute to this goal by establishing and distributing to the user areas appropriate standards for systems development, programming, and system documentation.
Personnel Review. The corporate group may be better prepared than users to evaluate the technical qualifications of prospective systems professionals. Although these systems professionals will actually be part of the end-user group, the involvement of the corporate group in the hiring decision provides a valuable service to the company.
2) Audit Objectives
• Conduct a risk assessment of the IT function in the DDP environment;
• Verify that the distributed IT units employ company-wide standards of performance that promote compatibility among hardware, software applications, and data.
3) Audit Procedures
• Verify that corporate policies and standards for system design, documentation, and the procurement of hardware and software have been issued and distributed to the distributed IT units.
• Review the current organizational structure, mission statement, and job descriptions of the key functions to determine whether any employees or groups are performing incompatible duties.
• Verify that compensating controls, such as supervision and management monitoring, are in place where segregation of incompatible duties is not economically feasible.
• Review the systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.
• Verify that each employee's system access privileges to programs and data are consistent with his or her job description.
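As an added illustration of the segregation rules in section B.b) and of the last two audit procedures above (checking for incompatible duties and matching access privileges to job descriptions), the following script encodes the incompatible function pairs and runs a constructed staff roster and access-grant export against them. It is not code from the paper or from Hall's textbook; all function, privilege, and employee names are constructed sample data.

```python
"""Segregation-of-duties (SoD) check for an IT organization. Added
illustration, not code from the paper or from Hall's textbook; all function,
privilege and employee names are constructed sample data."""
from itertools import combinations

FUNCTIONS = ["systems_development", "systems_maintenance", "computer_operations",
             "database_administration", "data_conversion"]

# Pairs the text says must be held by different people: development and
# maintenance vs. operations, new development vs. maintenance, DBA vs. all.
INCOMPATIBLE_PAIRS = {frozenset(p) for p in [
    ("systems_development", "computer_operations"),
    ("systems_maintenance", "computer_operations"),
    ("systems_development", "systems_maintenance"),
]} | {frozenset({"database_administration", f})
      for f in FUNCTIONS if f != "database_administration"}

# Privileges each function legitimately needs (constructed names).
FUNCTION_PRIVILEGES = {
    "systems_development": {"dev_source_write", "test_env"},
    "systems_maintenance": {"prod_source_write", "test_env"},
    "computer_operations": {"prod_execute", "job_scheduler"},
    "database_administration": {"db_schema_admin", "db_security_admin"},
    "data_conversion": {"batch_input"},
}

# Constructed roster (employee -> functions in the job description) and
# access-review export (employee -> privileges actually granted).
STAFF = {
    "alice": {"systems_development"},
    "bob": {"computer_operations"},
    "carol": {"database_administration"},
    "dave": {"systems_development", "computer_operations"},  # incompatible
    "erin": {"systems_maintenance"},
}
ACCESS_GRANTS = {
    "alice": {"dev_source_write", "test_env"},
    "bob": {"prod_execute", "job_scheduler"},
    "carol": {"db_schema_admin", "db_security_admin"},
    "dave": {"dev_source_write", "test_env", "prod_execute", "job_scheduler"},
    "erin": {"prod_source_write", "test_env", "prod_execute"},  # excess grant
}


def conflicting_pairs(functions):
    """Sorted incompatible pairs found within one set of functions."""
    return [tuple(sorted(pair)) for pair in combinations(sorted(functions), 2)
            if frozenset(pair) in INCOMPATIBLE_PAIRS]


def find_role_conflicts(staff):
    """Employees whose job description combines functions that must be
    segregated (the 'incompatible duties' audit step)."""
    conflicts = {}
    for person, functions in staff.items():
        pairs = conflicting_pairs(functions)
        if pairs:
            conflicts[person] = pairs
    return conflicts


def find_excess_privileges(staff, grants):
    """Privileges granted beyond what the employee's functions require
    (the 'access privileges match job description' audit step)."""
    excess = {}
    for person, held in grants.items():
        allowed = set().union(*(FUNCTION_PRIVILEGES[f]
                                for f in staff.get(person, ())))
        if held - allowed:
            excess[person] = sorted(held - allowed)
    return excess


def find_effective_conflicts(grants):
    """Conflicts visible from access rights alone: a privilege owned by one
    function lets its holder act as that function regardless of the job
    description. Privileges shared by several functions are ignored."""
    owners = {}
    for function, privs in FUNCTION_PRIVILEGES.items():
        for priv in privs:
            owners.setdefault(priv, set()).add(function)
    result = {}
    for person, held in grants.items():
        implied = {next(iter(owners[p])) for p in held if len(owners[p]) == 1}
        pairs = conflicting_pairs(implied)
        if pairs:
            result[person] = pairs
    return result
```

Running the three checks on the sample data flags dave's job description, erin's surplus production privilege, and the fact that erin's grants alone let her both change and run production code even though her job description is clean.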

C. THE COMPUTER CENTER

Accountants routinely examine the physical environment of the computer center as part of their annual audit. This section presents the risks to computer centers and the controls that help reduce those risks and create a secure environment. The control features that contribute directly to the security of the computer center environment are as follows:
a) Physical Location
The physical location of the computer center directly affects the risk of destruction from natural or man-made disasters. Computer centers should be located away from man-made and natural hazards such as processing plants, gas and water mains, airports, high-crime areas, floodplains, and geological faults.
b) Construction
Ideally the computer center is a single-story building of solid construction with controlled access. Utility lines (electricity and telephone) should be underground. The building's windows should not open, and an air filtration system should be in place that is capable of removing pollen, dust, and dust mites.
c) Access
Access to the computer center should be limited to the operators and other employees who work there. Physical controls, such as locked doors, should be used to limit access to the center; access should be controlled by keypad or swipe card. For a higher level of security, access should be monitored by closed-circuit cameras and a video recording system. Computer centers should also keep sign-in logs for programmers and analysts who need access to correct program errors, and the computer center should keep accurate records of all such traffic.
d) Air Conditioning
Computers function best in a properly air-conditioned environment, and providing adequate air conditioning is often a condition of the manufacturer's warranty. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of about 50 percent. Temperatures far outside this range also affect humidity, and high humidity can cause mold to grow on paper.
e) Fire Suppression
Fire is the most serious threat to a company's computer equipment. Many companies have gone bankrupt after a fire because they lost important records or documents, such as accounts receivable. An effective fire suppression system is needed to counter this threat, including:
1. Automatic and manual alarms installed at strategic locations around the installation and connected to the fire station.
2. An automatic fire suppression system, such as water sprinklers or a chemical agent, of a type appropriate for the equipment, since the wrong suppressant can damage the computers as much as the fire itself.
3. Manual fire extinguishers placed at strategic locations.
4. Building construction strong enough to withstand the water damage caused by fire-fighting equipment.
5. Clearly marked exit routes in the event of a fire.
f) Fault Tolerance
Fault tolerance is the system's ability to continue operating when parts of the system fail because of hardware failures, application program errors, or operator errors. With fault tolerance in place, total failure occurs only if several components fail together. Two examples of fault-tolerance technology are:
a. Redundant Arrays of Independent Disks (RAID). Data are stored redundantly across parallel disks. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.
b. Uninterruptible Power Supplies (UPS). Commercial power is unreliable; problems that can disrupt computer center operations include total power failure and power fluctuations. If a power outage occurs, this device provides backup power so that normal power can be restored or, failing that, so that the computer system can be shut down in a controlled manner to prevent data loss.
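The reconstruction that item a. describes, as an added worked example (not code from the paper or from Hall's textbook): a small striped array with one dedicated XOR parity disk, as in RAID level 4, written on constructed sample data. Losing any one disk, data or parity, is repaired from the survivors; single parity tolerates exactly one failed disk, so a second simultaneous failure is unrecoverable.

```python
"""RAID-style single-parity striping and rebuild. Added example, not code
from the paper or from Hall's textbook; the payload is constructed data."""

# Constructed sample payload standing in for an accounting data file.
DATA = b"Accounts receivable ledger, period 2019-03"


def xor_blocks(blocks):
    """XOR equal-length byte strings together."""
    blocks = list(blocks)
    out = bytearray(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("stripe blocks must be the same length")
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe(data, n_data_disks, block_size):
    """Write data across n_data_disks plus one parity disk.
    Returns a list of disk images; index n_data_disks is the parity disk."""
    stripe_bytes = n_data_disks * block_size
    data = data + b"\x00" * ((-len(data)) % stripe_bytes)  # pad last stripe
    disks = [bytearray() for _ in range(n_data_disks + 1)]
    for offset in range(0, len(data), stripe_bytes):
        chunks = [data[offset + k * block_size: offset + (k + 1) * block_size]
                  for k in range(n_data_disks)]
        for k, chunk in enumerate(chunks):
            disks[k] += chunk
        disks[n_data_disks] += xor_blocks(chunks)  # parity for this stripe
    return [bytes(d) for d in disks]


def rebuild(surviving_disks):
    """Reconstruct the one missing disk (data or parity) from the others:
    the XOR of all disks is zero, so the missing one is the XOR of the rest."""
    return xor_blocks(surviving_disks)


def read_data(disks, n_data_disks, block_size, length):
    """Reassemble the original payload from the data disks only."""
    out = bytearray()
    for s in range(len(disks[0]) // block_size):
        for k in range(n_data_disks):
            out += disks[k][s * block_size:(s + 1) * block_size]
    return bytes(out[:length])


def survives_single_failure(data, n_data_disks, block_size):
    """Simulate losing each disk in turn and check the payload is recovered."""
    disks = stripe(data, n_data_disks, block_size)
    for failed in range(len(disks)):
        survivors = [d for i, d in enumerate(disks) if i != failed]
        repaired = list(survivors)
        repaired.insert(failed, rebuild(survivors))
        if read_data(repaired, n_data_disks, block_size, len(data)) != data:
            return False
    return True


if __name__ == "__main__":
    print("single-disk failure recoverable:", survives_single_failure(DATA, 3, 4))
```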
g) Audit Objectives
The auditor's objective is to evaluate the controls governing computer center security, which include the physical security controls that protect the organization and the insurance protection against, for example, equipment damage.
h) Audit Procedures
Test of Physical Construction. The auditor should obtain the architectural plans and inspect the building to determine that the facility is constructed and located so as to minimize its exposure to fire, civil unrest, and other hazards.
Test of the Fire Detection System. The auditor should determine that fire detection and suppression equipment, both automatic and manual, is in place and is tested regularly.
Test of Access Control. The auditor should establish that routine access to the computer center is restricted to authorized employees.
Test of RAID. The auditor should examine the RAID configuration in use and review the alternative administrative procedures that protect against, and recover from, storage failures.
Test of the Uninterruptible Power Supply. The computer center should perform periodic tests of the backup power supply to ensure that it has sufficient capacity to run the computers and the air conditioning, and the auditor should verify that these tests are carried out.
Test of Insurance Coverage. The auditor should review annually the insurance coverage the company holds on computer hardware, software, and other physical facilities. The auditor should also verify that all new acquisitions are listed on the policy and that obsolete equipment and software have been removed from it.

D. DISASTER RECOVERY PLANNING

Disasters can arise from natural factors, human factors, and system failure. Natural disasters include earthquakes and floods. Human-caused disasters include sabotage and human error. System failures include power failures and hardware damage. Any of these disasters can make a company lose its data processing facilities, halt the business functions that depend on computers, and damage the organization's ability to deliver its products or services; in other words, the company loses the ability to conduct business.
Some disasters cannot be prevented or avoided, so the survival of a company depends on how well and how quickly it reacts to them. To prepare for this, companies develop recovery procedures and formalize them in a disaster recovery plan (DRP). Although the details of the plan vary from company to company, almost all plans share the following common features:

a) Identify Critical Applications

The first essential element of a DRP is identifying the firm's critical applications and their associated data files. Recovery efforts must focus first on restoring those applications that are critical to the short-term survival of the organization. Obviously, over the long term all applications must be restored to pre-disaster levels of business activity. The DRP must be updated to reflect new developments and to identify newly critical applications.
b) Creating a Disaster Recovery Team
Recovering from a disaster depends on timely corrective action. Delays in performing essential tasks extend the recovery period and diminish the prospects for a successful recovery. To avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved.

The composition of the disaster recovery team is shown in the figure.

c) Providing Second-Site Backup
The DRP must provide for duplicate data processing facilities following a disaster. The general options, with brief explanations, are:
• Mutual Aid Pact
A mutual aid pact is an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster.
• Empty Shell
The empty shell or cold site plan is an arrangement in which the company buys or leases a building that will serve as a data center. When a disaster occurs, the shell is available and ready to receive whatever hardware the temporary user needs to run its essential systems.
• Recovery Operations Center (ROC)
A ROC or hot site is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their clients, who pay an annual fee for access rights. In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.
• Internally Provided Backup
Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides. This permits firms to develop standardized hardware and software configurations, which ensure functional compatibility among their data processing centers and minimize cutover problems in the event of a disaster.
1) Backup and Off-Site Storage Procedures
All data files, applications, documentation, and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location. Data processing personnel should routinely perform backup and storage procedures to obtain and secure these critical resources.

Operating System Backup
If the company uses a cold site or another method of site backup that does not include a compatible operating system (O/S), the procedures for obtaining a current version of the operating system need to be clearly specified.
Application Backup
Based on the results of the critical applications step discussed above, the DRP should include procedures to create copies of the current versions of critical applications.
Backup Data Files
The state of the art in database backup is the remote mirrored site, which provides complete data currency. Not all organizations are willing or able to invest in such backup resources. As a minimum, however, databases should be copied daily to high-capacity, high-speed media, such as tape or CDs/DVDs, and secured off-site.
Backup Documentation
The system documentation for critical applications should be backed up and stored off-site along with the applications. System documentation can constitute a significant amount of material, and the backup process is complicated further by frequent application changes. Documentation backup may, however, be simplified and made more efficient through the use of Computer Aided Software Engineering (CASE) tools.
Backup Supplies and Source Documents
The organization should create backup inventories of the supplies and source documents used in processing critical transactions. The DRP should specify the types and quantities of these special items that are needed.
Testing the DRP
The DRP must be tested periodically; testing measures the preparedness of personnel and identifies omissions or bottlenecks in the plan. A test is most useful when the simulated disruption comes as a surprise. The progress of the plan should be noted at key points throughout the test period. At the conclusion of the test, the results can be analyzed and a DRP performance report prepared.
2) Audit Objective
The audit objective regarding the disaster recovery plan is for the auditor to verify that management's DRP is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.
3) Audit Procedures
The following tests verify management's DRP:
a. Site Backup
The auditor should evaluate the adequacy of the backup site arrangement. System incompatibility and human nature both reduce the effectiveness of a mutual aid pact, so auditors should be skeptical of such arrangements for two reasons. First, the sophistication of the computer system may make it difficult to find a potential partner with a compatible configuration. Second, most firms do not have the excess capacity needed to support a disaster-stricken partner while also processing their own work.
b. Critical Application List
The auditor should review the list of critical applications to make sure that it is complete.
c. Software Backup
The auditor should verify that copies of critical applications and operating systems are stored off-site.
d. Data Backup
The auditor should verify that critical data files are backed up in accordance with the DRP.
e. Backup Supplies, Documents, and Documentation
The auditor should verify that the types and quantities of items specified in the DRP exist in a secure location.
f. Disaster Recovery Team
The auditor should verify that the members of the team are current employees and are aware of their assigned responsibilities.

E. OUTSOURCING THE IT FUNCTION

a) Benefits of IT Outsourcing:
1. Improved core business performance
2. Improved IT performance
3. Reduced IT cost
b) Risks Inherent to IT Outsourcing
The risks inherent in IT outsourcing arise from the sheer size of the financial deals and from the nature of the arrangement itself. The following sections outline some well-documented issues:
1. Failure to Perform
Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance. The negative implications of such dependency are illustrated by the financial problems that plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS). In a cost-cutting effort, EDS terminated 7,000 employees, which impaired its ability to serve its other clients.
2. Vendor Exploitation
Large-scale IT outsourcing involves transferring to a vendor "specific assets", such as the design, development, and maintenance of unique business applications that are critical to the organization's survival.
3. Outsourcing Costs Exceed Benefits
IT outsourcing has been criticized on the grounds that unexpected costs arise and the full extent of the expected benefits is not realized.
4. Reduced Security
Information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data.
5. Loss of Strategic Advantage
IT outsourcing may create incongruence between a firm's IT strategic planning and its business planning functions. Organizations that use IT strategically must align business strategy and IT strategy or run the risk of decreased business performance.

c) Audit Implications of IT Outsourcing

Statement on Auditing Standards No. 70 (SAS 70) is the definitive standard by which a client organization's auditor can gain assurance that the controls at the third-party vendor are adequate to prevent or detect material errors that could affect the client's financial statements. The SAS 70 report, which is prepared by the vendor's auditor, attests to the adequacy of the vendor's internal controls. This is the means by which an outsourcing vendor can obtain a single audit report that may be used by all of its clients' auditors, thus precluding the need for each client firm's auditor to conduct its own audit of the vendor organization's internal controls.
The chart shows how a SAS 70 report works in relation to the vendor, the client firms, and their respective auditors.

BIBLIOGRAPHY

Hall, James A. 2011. Information Technology Auditing and Assurance. Cengage Learning.
Howarth, Ian. 2013. Is Globalisation a Stabilising Force in the International System? Available: https://imhowarth.wordpress.com/tag/martin-albrow/
Rouse, Margaret. 2019. Information Technology. Available: https://searchdatacenter.techtarget.com/definition/IT
