
Auditing IT Governance Controls
Corporate Governance
• The system of rules, practices and processes by which a company is directed and controlled
• Balances the interests of a company's stakeholders: shareholders, management, customers, suppliers, financiers, government and the community
• Encompasses every sphere of management, from action plans and internal controls to performance measurement and corporate disclosure
• Influenced primarily by the board of directors (BoD)
Information Technology (IT) Governance
• A subset of corporate governance
• Focuses on the management and assessment of strategic IT resources
• Aims to reduce risk and to ensure that investments in IT resources add value to the corporation
How to plan an IT strategy
1. Outline your business goals and high-level objectives.
2. Define your scope, stakeholders and schedule.
3. Review your existing infrastructure.
4. Create a roadmap for resource allocation and architecture.
5. Define your metrics.
IT Governance Issues
1. Organizational structure of the IT function – centralized vs. distributed
2. Computer center operations – physical location, construction, access, air conditioning, fire suppression, fault tolerance
3. Disaster recovery planning – natural disasters, human-made disasters, system failure
Organizational Structure of the IT function
Centralized data processing
- All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
- IT services activities are consolidated and managed as a shared organizational resource.
- The IT services function is usually treated as a cost center whose operating costs are charged back to the end users.
Centralized Data Processing Approach
Organizational Chart of Centralized Data Processing Approach (figure)
Primary Service Areas
1. Database Administration
▪ Data resources are shared by all end users
▪ Database administrator – responsible for the security and integrity of the database
2. Data Processing
▪ Management of the computer resources used to perform the day-to-day processing of transactions
▪ Three functions: data conversion, computer operations and the data library
3. Systems Development and Maintenance
Centralized Data Processing Approach
Systems Development
▪ Responsible for analyzing user needs and for designing new systems to satisfy those needs.
▪ Participants in systems development:
• Systems professionals – systems analysts, database designers and programmers; they gather facts about the user's problem, analyze the facts, formulate a solution, and design and build the system
• End users – the managers and operations personnel for whom the system is built
• Stakeholders – others inside or outside the organization with an interest in the system who are not its end users (e.g., accountants and internal auditors)
▪ The product of the process is the new information system
Systems Maintenance
▪ Keeps the new system current with user needs – makes changes to program logic, etc.
Segregation of Incompatible IT Functions
▪ Systems Development and Computer
Operations
▪ Database Administration and Operations,
Systems Development and Maintenance
▪ New Systems Development and Maintenance
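As an added example (not part of the original slides), the segregation rules above can be tested mechanically against a role export: each person's IT functions are checked for any incompatible pair. The roster, its export format and the conflict matrix are constructed for illustration; a real audit would use the organization's own identity-system export and conflict matrix.

```python
"""Segregation-of-duties (SoD) conflict check over IT role assignments.

Added example; the incompatible-function pairs follow the slide above, and the
roster and export format are constructed for illustration.
"""
from itertools import combinations

# Incompatible IT function pairs (order-independent), per the segregation rules above.
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "systems_maintenance"}),
    frozenset({"systems_development", "systems_maintenance"}),
}

# Constructed role export, one line per person: "user: function, function, ...".
ROLE_EXPORT = """
# user: IT functions held (constructed sample)
alice: systems_development
bob: computer_operations, data_library
carol: database_administration, systems_development
dave: systems_development, systems_maintenance
erin: computer_operations
""".strip().splitlines()


def parse_roster(lines):
    """Parse 'user: f1, f2' lines into {user: set(functions)}; blank and '#' lines are skipped."""
    roster = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, funcs = line.partition(":")
        roster[user.strip()] = {f.strip() for f in funcs.split(",") if f.strip()}
    return roster


def sod_conflicts(roster, incompatible=INCOMPATIBLE_PAIRS):
    """Return {user: [(function_a, function_b), ...]} for every user whose
    functions include an incompatible pair. Pairs are emitted in sorted order
    so the output is stable from run to run (useful as audit evidence)."""
    conflicts = {}
    for user, functions in roster.items():
        hits = [
            (a, b)
            for a, b in combinations(sorted(functions), 2)
            if frozenset((a, b)) in incompatible
        ]
        if hits:
            conflicts[user] = hits
    return conflicts


if __name__ == "__main__":
    for user, pairs in sod_conflicts(parse_roster(ROLE_EXPORT)).items():
        for a, b in pairs:
            print(f"SoD conflict: {user} holds both {a} and {b}")
```

On the constructed roster the check flags carol (database administration plus systems development) and dave (development plus maintenance) and passes bob, whose operations and data-library duties are compatible.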
Segregation of Incompatible IT Functions
Control issues when development and maintenance are not separated
▪ Inadequate documentation
• Documenting is not as interesting as designing, testing and implementing the system
• Job security – poor documentation makes the original programmer indispensable
▪ Program fraud – a programmer who maintains their own code can insert and later remove unauthorized logic without independent review
Distributed Data Processing
▪ Reorganizes the central IT function into small IT units that are placed under the control of end users
▪ Units may be organized by business function or by geographic location
Distributed Data Processing Approaches (figure)
Risks Associated with DDP
▪ Inefficient use of resources
• Mismanagement of organization-wide IT resources by end users
• Operational inefficiencies due to redundant tasks performed by end users
• Incompatible hardware and software among end-user functions
▪ Destruction of audit trails
▪ Inadequate segregation of duties
▪ Difficulty hiring qualified professionals
▪ Lack of standards
Advantages of DDP
▪ Cost reduction
▪ Improved cost control responsibility
▪ Improved user satisfaction
▪ Backup Flexibility
Controlling the DDP Environment
▪ Services Provided by Corporate IT Group
▪ Central Testing of Commercial Software and
Hardware
▪ User Services
▪ Standard-Setting Body
▪ Personnel Review
DDP Environment Organizational Chart
The Computer Center
▪ Physical location
• Avoid human-made hazards, natural hazards and sources of system failure
▪ Construction
• Ideally: single-story, underground utilities, windowless, air filtration system
• In a multi-story building, use a middle floor (away from traffic flows on the ground floor and from potential flooding in a basement)
▪ Access
• Physical: locked doors, cameras
• Manual: access log of visitors
Data Center Construction (figure)
The Computer Center
▪ Air conditioning
• Best in a temperature range of 70–75 °F (21–24 °C)
• Relative humidity around 50% (too low invites static discharge, too high invites condensation and corrosion)
▪ Fire suppression
• Detectors and extinguishers placed in strategic locations
• Automatic fire extinguishing systems:
• Sprinklers (water; damages equipment, so pre-action systems are preferred in equipment rooms)
• Halon gas (chemically interrupts combustion rather than removing oxygen; its production has been banned under the Montreal Protocol, so only legacy installations remain)
• FM-200 (a clean-agent gas that is safe for occupied rooms and leaves no residue)
• Fire-resistant construction
• Fire exits should be clearly marked and illuminated during a fire
The Computer Center
▪ Fault tolerance
▪ Redundant Arrays of Independent Disks (RAID)
• Data is striped and/or mirrored across several disks, with parity where the level provides it, so that the failure of one disk (or two, for RAID 6) does not lose data or halt processing
▪ Power supply
• Need for clean power (surge protection and line conditioning)
• Backup power: uninterruptible power supply (UPS), with a generator for outages longer than the UPS battery runtime
Audit Objectives: The Computer Center
▪ Physical security controls are adequate to
reasonably protect the organization from
physical exposures
▪ Insurance coverage on equipment is adequate
to compensate the organization for damage to
the computer center
Audit Procedures: The Computer Center
▪ Tests of physical construction
▪ Obtain architectural plans to determine that the building is solidly built and of fire-resistant material
▪ Ensure adequate drainage
▪ Assess the physical location
▪ Tests of the fire detection system
▪ Ensure that fire detection and suppression equipment are in place and tested regularly
▪ Review official fire marshal records of tests
Audit Procedures: The Computer Center
▪ Tests of access control
▪ Verify that the computer center is restricted to authorized employees
▪ Review the access log
▪ Observe the process by which access is granted
▪ Review camera recordings
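An added example, not from the original slides, of reviewing an access log with a script rather than by eye: it checks each granted entry against an HR-approved badge list and a business-hours window, and counts repeated denied swipes by one badge. The log format, badge list, hours window and denial threshold are constructed; a real review would use the badge system's export and the approved access list.

```python
"""Automated review of a computer-center door access log.

Added example, not from the original slides. The log format, the authorized
badge list and the business-hours window are constructed; a real review would
use the badge system's export and the HR-approved access list.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed: badges HR has approved for computer-center access.
AUTHORIZED_BADGES = {"1042", "1077", "2001"}
# Unescorted entry is expected only between 07:00 and 19:00 (constructed policy).
BUSINESS_HOURS = (7, 19)
# Three or more denied swipes by one badge is worth a look (constructed threshold).
DENIED_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) badge=(?P<badge>\d+) name=(?P<name>\S+) "
    r"door=(?P<door>\S+) result=(?P<result>GRANTED|DENIED)$"
)

# Constructed sample log (one day, one door).
SAMPLE_LOG = """
2024-03-04T08:12:33 badge=1042 name=J.Smith door=DC-1 result=GRANTED
2024-03-04T09:03:10 badge=3333 name=Unknown door=DC-1 result=GRANTED
2024-03-04T13:15:00 badge=5150 name=T.Visitor door=DC-1 result=DENIED
2024-03-04T13:16:12 badge=5150 name=T.Visitor door=DC-1 result=DENIED
2024-03-04T13:17:40 badge=5150 name=T.Visitor door=DC-1 result=DENIED
2024-03-04T14:00:00 badge=2001 name=R.Ng door=DC-1 result=GRANTED
2024-03-04T22:41:05 badge=1077 name=A.Lee door=DC-1 result=GRANTED
""".strip().splitlines()


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    return entry


def review_access_log(lines, authorized=AUTHORIZED_BADGES,
                      hours=BUSINESS_HOURS, denied_threshold=DENIED_THRESHOLD):
    """Return a list of (finding, badge, detail) tuples.

    Findings:
      granted_unauthorized - the door admitted a badge not on the approved list
                             (door ACL out of sync with HR's list)
      after_hours          - approved badge admitted outside business hours
      repeated_denied      - one badge denied `denied_threshold` or more times
      unparseable          - line that does not match the expected format
    """
    findings = []
    denied = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            if line.strip():
                findings.append(("unparseable", None, line.strip()))
            continue
        when = entry["ts"].isoformat()
        if entry["result"] == "GRANTED":
            if entry["badge"] not in authorized:
                findings.append(("granted_unauthorized", entry["badge"], when))
            if not hours[0] <= entry["ts"].hour < hours[1]:
                findings.append(("after_hours", entry["badge"], when))
        else:
            denied[entry["badge"]] += 1
    for badge, count in sorted(denied.items()):
        if count >= denied_threshold:
            findings.append(("repeated_denied", badge, f"{count} denied swipes"))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

Each finding maps to a follow-up the auditor already performs by hand: a granted-but-unauthorized badge means the door controller's list and HR's list disagree; an after-hours entry needs a matching camera recording or escort record; repeated denials are a prompt to check whether a lost badge was ever revoked.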
▪ Test of RAID
▪ Determine whether the RAID level is adequate, given the level of business risk associated with disk failure
▪ If there is no RAID, review the procedure for recovering from a disk failure
Audit Procedures: The Computer Center
▪ Test of the uninterruptible power supply
▪ Verify that periodic tests are performed to ensure that the UPS has the capacity to run the computers and the air conditioning for the required time
▪ Verify that the results are recorded
▪ Test of insurance coverage
▪ Review the insurance coverage on computer hardware, software and the physical facility annually
▪ Verify that all new acquisitions are listed on the policy
▪ Verify that obsolete equipment and software have been deleted from the policy
▪ Verify that the insurance policy reflects the organization's current needs
Disaster Recovery Planning
▪ Disasters such as earthquakes, floods or power failures can be catastrophic to an organization's computer center and information systems
▪ The more dependent an organization is on technology, the more susceptible it is to these risks
▪ Common features of a DRP:
▪ Identify critical applications
▪ Create a disaster recovery team
▪ Provide site backup
▪ Specify backup and off-site storage procedures
Types of Disaster
Identify Critical Applications
▪ Concentrate on restoring those applications that are critical to the short-term survival of the organization
▪ This does not mean restoring the data processing facility to full capacity immediately
▪ Application priorities may change over time, so the DRP must be updated
▪ Participation of user departments, accountants and auditors is needed to identify critical items and application priorities
Creating a Disaster Recovery Team
▪ Recovering from a disaster depends on timely corrective action
▪ Delays make a successful recovery less likely
▪ Task responsibilities must be clearly defined and communicated to the personnel involved
▪ Each member should have expertise in the area assigned to them
▪ During a disaster, team members may have to violate control principles such as segregation of duties, access controls and supervision; the plan should anticipate this and compensate for it (for example, by logging the actions taken for post-recovery review)
Providing Second-Site Backup
▪ Duplicate data processing models:
▪ Mutual aid pact
▪ Agreement between two or more organizations to aid each other in the event of a disaster
▪ Driven by economics: cheap, but relies on the partner's goodwill and spare capacity
▪ Empty shell or cold site
▪ Involves two or more organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
Providing Second-Site Backup
▪ Recovery operations center (ROC) or hot site
▪ A completely equipped site; very costly and typically shared among many companies
▪ Warm site
▪ Hardware exists, but the backup configuration may not be complete
▪ Internally provided backup
▪ Self-backup using the organization's own excess capacity or a second site it operates
Comparison
Backup and Off-site Storage Procedures
▪ Operating system backup
▪ If the operating system is not included in the site backup, the procedure must specify the current operating system versions
▪ Application backup
▪ Include procedures to create copies of the current versions of critical applications
▪ Backup data files
▪ At minimum, back up daily; at best, mirror to a remote site
▪ Backup documentation
▪ Critical system documentation should be backed up
▪ May be simplified by using Computer Aided Software Engineering (CASE) documentation tools
Backup and Off-site Storage Procedures
▪ Backup supplies and source documents
▪ Check stock, invoices, purchase orders, etc.
▪ Testing the DRP
▪ Should be performed periodically
▪ Use a surprise simulation
▪ Document the status of all processing affected by the test
▪ Ideally include the backup facilities and supplies
▪ Measure performance in the following areas:
▪ The effectiveness of DRP team personnel and their knowledge of their areas
▪ The degree of conversion success (i.e., the number of lost records)
▪ An estimate of the financial loss due to lost records or facilities
Disaster Recovery Plan
Audit Objective
▪ Verify that the DRP is adequate and feasible for dealing with disasters
DRP Audit Procedures
▪ Evaluate the adequacy of second-site backup arrangements
▪ Mutual aid pact: are the partner's systems compatible? Does the partner have excess capacity to support the added workload?
▪ ROC: how many members share the site? Where are they located (a regional disaster could hit several members at once, and all would claim the same site)?
▪ Empty shell: is the contract with the hardware vendors valid? Is the maximum delivery delay after a disaster specified?
DRP Audit Procedures
▪ Review the list of critical applications for completeness and currency
▪ Verify that procedures are in place for storing off-site copies of applications and data
▪ Check the currency of backups and copies
▪ Verify that documentation, supplies, etc., are stored off site
▪ Check that check stock, invoices, purchase orders and any special forms exist in a secure location
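An added example (not from the original slides) of checking backup currency and off-site copies mechanically: every application on the critical list must have a backup no older than its recovery point objective (RPO) and an off-site copy whose hash matches the on-site image. The application list, backup catalogue, RPO targets and the byte strings standing in for backup images are all constructed; a real check would read the backup catalogue and hash the actual off-site media.

```python
"""Check that critical applications have current backups and intact off-site copies.

Added example, not from the original slides. The critical-application list,
backup catalogue, RPO targets and the byte strings standing in for backup
images are all constructed; a real check would read the backup catalogue and
hash the actual off-site media.
"""
import hashlib
from datetime import datetime, timedelta

# Constructed: applications the DRP designates as critical.
CRITICAL_APPS = {"gl_ledger", "payroll", "crm", "order_entry"}

# Constructed backup catalogue: last backup time and the image held on site.
ONSITE = {
    "gl_ledger": ("2024-03-05T01:00:00", b"GL full backup 2024-03-05 ..."),
    "payroll":   ("2024-03-01T01:00:00", b"PAYROLL full backup 2024-03-01 ..."),
    "crm":       ("2024-03-05T01:00:00", b"CRM full backup 2024-03-05 ..."),
}
# Constructed off-site copies; the CRM copy has a corrupted trailing byte.
OFFSITE = {
    "gl_ledger": ONSITE["gl_ledger"][1],
    "payroll":   ONSITE["payroll"][1],
    "crm":       ONSITE["crm"][1][:-1] + b"\x00",
}
# Recovery point objective in hours; applications not listed fall back to DEFAULT_RPO_HOURS.
RPO_HOURS = {"gl_ledger": 24, "payroll": 24}
DEFAULT_RPO_HOURS = 72


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def audit_backups(critical_apps, onsite, offsite, as_of,
                  rpo_hours=RPO_HOURS, default_rpo=DEFAULT_RPO_HOURS):
    """Return a list of (app, finding, detail), sorted by application, for every gap found.

    Findings: no_backup, stale (detail = age in hours), no_offsite_copy,
    offsite_hash_mismatch (detail = first 16 hex chars of the off-site hash).
    """
    findings = []
    for app in sorted(critical_apps):
        if app not in onsite:
            findings.append((app, "no_backup", None))
            continue
        taken_at, image = onsite[app]
        age = as_of - datetime.fromisoformat(taken_at)
        rpo = timedelta(hours=rpo_hours.get(app, default_rpo))
        if age > rpo:
            findings.append((app, "stale", round(age.total_seconds() / 3600)))
        if app not in offsite:
            findings.append((app, "no_offsite_copy", None))
        elif sha256_hex(offsite[app]) != sha256_hex(image):
            findings.append((app, "offsite_hash_mismatch", sha256_hex(offsite[app])[:16]))
    return findings


def run_audit(as_of="2024-03-05T09:00:00"):
    """Run the check against the constructed catalogue as of the given time."""
    return audit_backups(CRITICAL_APPS, ONSITE, OFFSITE, datetime.fromisoformat(as_of))


if __name__ == "__main__":
    for app, finding, detail in run_audit():
        print(f"{app:12s} {finding:22s} {detail if detail is not None else ''}")
```

Against the constructed catalogue the check reports that order_entry is on the critical list but has no backup at all, that the payroll backup is 104 hours old against a 24-hour RPO, and that the off-site CRM copy no longer matches the on-site image; the general ledger passes on all three points.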
DRP Audit Procedures
▪ Verify that the disaster recovery team knows its responsibilities
▪ The plan should clearly list the names, addresses and telephone numbers of the disaster recovery team members
▪ Check the frequency of DRP testing
