
RESUME WEEK 2

“AUDITING IT GOVERNANCE CONTROL”


GROUP 4
MEMBERS:

1. DELAYA TIARA R.M (041711333105)
2. FAHMID (041911333065)
3. MELLYANTI FELICIA A (041811333073)
4. RYAN KHAIRU BELMIRO M. (041811333143)
5. STEFANIE NATANIA (041911333187)
6. TARUNA PUTRA D.M. (041711333266)
7. TERESIA DIAN R.M. (041911333176)

Information Technology (IT) governance focuses on the management and assessment of
strategic IT resources, with the main goals of reducing risk and ensuring that
investment in IT resources adds value to the company.
IT Governance Controls
Three IT governance issues are addressed by SOX and the COSO internal control framework:
1. The organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
Structure of the Information Technology Function
Centralized Data Processing

Segregation of Incompatible IT Functions

1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction processing tasks among individuals.
A Superior Structure for Systems Development. Figure 2.2 presents a superior
organizational structure in which the systems development function is separated into
two different groups: new systems development and systems maintenance. This
separation addresses two control problems:
1. First, documentation standards are improved because the maintenance group
requires documentation to perform its maintenance duties.
2. Second, denying the original programmer future access to the program deters
program fraud.
Risks Associated with DDP. This section discusses the organizational risks that need
to be considered when implementing distributed data processing (DDP). The discussion
focuses on important issues that carry control implications that auditors should recognize.
Inefficient Use of Resources. DDP can expose an organization to three types of
risks associated with inefficient use of organizational resources.
Destruction of Audit Trails​. An audit trail provides the linkage between a
company’s financial activities (transactions) and the financial statements that report
on those activities.
- Inadequate segregation of duties
Segregation of duties may not be possible in some distributed environments.
- Hiring qualified professionals
End-user managers may lack the IT knowledge to evaluate the technical credentials
and relevant experience of candidates applying for IT professional positions.
- Lack of standards
Opponents of DDP argue that the risks associated with the design and operation of a
DDP system are made tolerable only if such standards are consistently applied.
Controlling the DDP Environment
- Central Testing of Commercial Software and Hardware
- User Services
- Standard Setting Body
- Personnel Review
Audit Objective
The auditor's objective is to verify that the structure of the IT function is such
that individuals in incompatible areas are segregated in accordance with the
level of potential risk and in a manner that promotes a working environment in
which formal, rather than casual, relationships exist between incompatible tasks.
Audit Procedures
1. Review relevant documentation.
2. Review system documentation and maintenance records.
3. Verify that computer operators do not have access to the operational details of a
system's internal logic.
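The segregation rules above (authorization vs. processing, record keeping vs. custody, dividing a processing task among individuals, development vs. maintenance, operators vs. program logic) are the kind of thing an auditor tests by reading a role assignment matrix. The following is an added example written for these notes, not code from the textbook; the user names, function names and task steps are constructed sample data, and the conflict pairs simply encode the rules summarised above.

```python
"""Segregation-of-duties (SoD) check over an IT function's role assignments.

Added example for these notes, not code from the textbook. The user list,
function names and conflict pairs below are constructed sample data that
encode the segregation rules summarised above.
"""
from itertools import combinations

# Pairs of functions that must not sit with one person: the three transaction
# rules, new development vs. maintenance, and operators vs. program logic.
SOD_CONFLICTS = {
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"record_keeping", "asset_custody"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
    frozenset({"computer_operations", "programming"}),
    frozenset({"computer_operations", "source_code_access"}),
}

# Constructed sample: hypothetical user -> functions granted to that user.
ASSIGNMENTS = {
    "alice": {"transaction_authorization", "record_keeping"},
    "bob":   {"transaction_authorization", "transaction_processing"},
    "carol": {"new_systems_development", "systems_maintenance"},
    "dave":  {"computer_operations", "source_code_access"},
    "erin":  {"programming", "computer_operations", "asset_custody"},
}

# Constructed sample: steps of a processing task -> who performs each step.
TASK_STEPS = {
    "purchase_order": {"prepare": "bob", "approve": "alice", "post": "bob"},
    "payroll_run":    {"prepare": "erin", "approve": "erin", "post": "erin"},
}


def find_sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return {user: [(function_a, function_b), ...]} for every user who holds
    at least one forbidden pair of functions. Pairs are sorted alphabetically."""
    violations = {}
    for user, functions in assignments.items():
        hits = [(a, b) for a, b in combinations(sorted(functions), 2)
                if frozenset((a, b)) in conflicts]
        if hits:
            violations[user] = hits
    return violations


def single_person_tasks(task_steps):
    """Return tasks whose every step is performed by one individual, i.e. the
    task has not been divided among people as the third rule requires."""
    return sorted(task for task, steps in task_steps.items()
                  if len(set(steps.values())) == 1)


if __name__ == "__main__":
    for user, pairs in find_sod_violations(ASSIGNMENTS).items():
        print(f"{user}: incompatible functions {pairs}")
    print("undivided tasks:", single_person_tasks(TASK_STEPS))
```

In practice the assignments would be exported from the directory or application role tables, and each flagged user would be checked against documented compensating controls before being reported as a finding.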
The Computer Center
● Air conditioning should provide appropriate temperature and humidity for computers.
● Fire suppression: alarms, fire extinguishing system, appropriate construction, fire exits.
● Fault tolerance is the ability of the system to continue operation when part of the system
fails.
● Audit Objectives. The auditor must verify that physical controls and insurance coverage are
adequate.
● Audit Procedures​. Procedures include:
1. Tests of physical construction.
2. Tests of the fire detection system.
3. Tests of access control.
4. Tests of RAID.
5. Tests of the uninterruptible power supply.
6. Tests of insurance coverage.
● Disaster Recovery Planning​. A disaster recovery plan is a statement of all actions to be
taken before, during and after any type of disaster. Four common features:
1. Identify Critical Applications​:
a. Short-term survival requires restoration of cash flow generating functions.
b. Applications supporting those functions should be identified and prioritized in the
restoration plan.
c. Task of identifying critical items and prioritizing applications requires active
participation of user departments, accountants and auditors.
❖ Creating a Disaster Recovery Team
Recovering from a disaster depends on timely corrective action. Delays in performing
essential tasks prolong the recovery period and diminish the prospects for a successful
recovery. To avoid serious omissions or duplication of effort during implementation of
the contingency plan, task responsibility must be clearly defined and communicated to
the personnel involved.
❖ Providing Second-Site Backup
A necessary ingredient in a DRP is that it provides for duplicate data processing facilities
following a disaster. The most common options:
1. Mutual Aid Pact: an agreement between two or more organizations to aid each other
with their data processing needs in the event of a disaster.
2. Empty Shell (cold site plan): an arrangement wherein the company buys or leases a
building that will serve as a data center.
3. Recovery Operations Center (hot site): a fully equipped backup data center that
many companies share.
4. Internally Provided Backup: larger firms with multiple data processing centers
develop their own standardized hardware and software configurations, which ensure
functional compatibility among their data processing centers and minimize cutover
problems in the event of a disaster.
❖ Backup and Off-Site Storage Procedures
1. Operating System Backup
2. Application Backup
3. Backup Data Files
4. Backup Documentation
5. Backup Supplies and Source Documents
6. Testing the DRP
❖ Audit Objective
The auditor should verify that management's disaster recovery plan is
adequate and feasible for dealing with a catastrophe that could deprive the
organization of its computing resources.
❖ Audit Procedures
In verifying that management's DRP is a realistic solution for dealing with a
catastrophe, the following tests may be performed.
- Site Backup: The auditor should evaluate the adequacy of the backup
site arrangement.
- Critical Application List: The auditor should review the list of
critical applications to ensure that it is complete.
- Software Backup: The auditor should verify that copies of critical
applications and operating systems are stored off-site.
- Data Backup: The auditor should verify that critical data files are
backed up in accordance with the DRP.
- Backup Supplies, Documents, and Documentation: The system
documentation, supplies, and source documents needed to process
critical transactions should be backed up and stored off-site.
- Disaster Recovery Team: The DRP should clearly list the names,
addresses, and emergency telephone numbers of the disaster recovery
team members.
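The Critical Application List, Software Backup and Data Backup tests above can be run mechanically once the DRP's requirements and the backup log are in machine-readable form. The following is an added example written for these notes, not code from the textbook: the critical application list, the backup log, the production application inventory and the evaluation date are all constructed sample data, and `max_backup_age` is a stand-in for the backup frequency a real DRP would specify.

```python
"""DRP backup test: compare each critical application's most recent backups
against the plan's backup frequency and off-site requirement, and check the
critical application list for completeness.

Added example for these notes, not from the textbook. All data below is
constructed; `max_backup_age` stands in for the DRP's backup frequency.
"""
from datetime import datetime, timedelta

# Constructed: DRP critical application list with its backup requirements.
CRITICAL_APPS = {
    "billing":   {"max_backup_age": timedelta(hours=24), "offsite_required": True},
    "payroll":   {"max_backup_age": timedelta(days=7),   "offsite_required": True},
    "inventory": {"max_backup_age": timedelta(hours=24), "offsite_required": True},
}

# Constructed backup log: (ISO timestamp, application, component, location).
BACKUP_LOG = [
    ("2024-03-01T22:00:00", "billing", "data",     "offsite"),
    ("2024-03-02T22:00:00", "billing", "data",     "onsite"),
    ("2024-02-20T22:00:00", "payroll", "data",     "offsite"),
    ("2024-03-02T22:00:00", "payroll", "software", "offsite"),
    # "inventory" has no backup recorded at all
]

# Constructed: production applications and the business function each one
# supports, used to test the completeness of the critical application list.
PRODUCTION_APPS = {
    "billing": "cash_receipts", "payroll": "payroll", "inventory": "sales",
    "cash_mgmt": "cash_receipts", "intranet_wiki": "internal_comms",
}
CASH_FLOW_FUNCTIONS = {"cash_receipts", "sales", "payroll"}

# Constructed evaluation date for the sample run.
NOW = datetime.fromisoformat("2024-03-03T09:00:00")


def latest_backups(backup_log, component):
    """Map app -> (newest backup time, newest off-site backup time or None)
    for the given component ("data" or "software")."""
    newest, newest_offsite = {}, {}
    for ts, app, comp, location in backup_log:
        if comp != component:
            continue
        t = datetime.fromisoformat(ts)
        newest[app] = max(t, newest.get(app, t))
        if location == "offsite":
            newest_offsite[app] = max(t, newest_offsite.get(app, t))
    return {app: (newest[app], newest_offsite.get(app)) for app in newest}


def evaluate_backups(critical_apps, backup_log, now, component="data"):
    """Return {app: [finding, ...]} for apps that fail a DRP backup requirement."""
    latest = latest_backups(backup_log, component)
    findings = {}
    for app, req in critical_apps.items():
        notes = []
        if app not in latest:
            notes.append("no backup recorded")
        else:
            t, t_off = latest[app]
            if now - t > req["max_backup_age"]:
                notes.append("latest backup older than plan allows")
            if req["offsite_required"] and (
                    t_off is None or now - t_off > req["max_backup_age"]):
                notes.append("no current off-site copy")
        if notes:
            findings[app] = notes
    return findings


def missing_critical_apps(production_apps, cash_flow_functions, critical_apps):
    """Apps supporting a cash-flow-generating function that the DRP omits."""
    return sorted(app for app, fn in production_apps.items()
                  if fn in cash_flow_functions and app not in critical_apps)


if __name__ == "__main__":
    print("data backup findings:", evaluate_backups(CRITICAL_APPS, BACKUP_LOG, NOW))
    print("software backup findings:",
          evaluate_backups(CRITICAL_APPS, BACKUP_LOG, NOW, component="software"))
    print("not on critical list:",
          missing_critical_apps(PRODUCTION_APPS, CASH_FLOW_FUNCTIONS, CRITICAL_APPS))
```

Note that a recent on-site copy does not satisfy the off-site test: billing has a backup from the previous night but its newest off-site copy is older than the plan allows, which is exactly the gap a disaster at the primary site would expose.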
❖ OUTSOURCING THE IT FUNCTION
Benefits of IT outsourcing include improved core business performance, improved IT
performance, and reduced IT costs.
Commodity IT assets: these include such things as network management, systems
operations, server maintenance, and help-desk functions. Such assets may be tangible
(computer equipment), intellectual (computer programs), or human.
Transaction Cost Economics (TCE) theory is in conflict with the core competency
school by suggesting that firms should retain certain specific non-core IT assets in-
house. Because of their esoteric nature, specific assets cannot be easily replaced once
they are given up in an outsourcing arrangement.
❖ Risks Inherent to IT Outsourcing
- Failure to Perform
- Vendor Exploitation
- Outsourcing Costs Exceed Benefits
- Reduced Security
- Loss of Strategic Advantage
❖ Audit Implications of IT Outsourcing
User management should evaluate controls at the service organization, as well as
related controls at the user company, when making its assessment about internal
control over financial reporting. Statement on Auditing Standards No. 70 (SAS 70) is
the definitive standard by which client organizations' auditors can gain knowledge
that controls at the third-party vendor are adequate to prevent or detect material errors
that could impact the client's financial statements. (SAS 70 has since been superseded,
first by SSAE 16 and then SSAE 18, under which the same assurance over a service
organization's controls is delivered as a SOC 1 report; the audit role described here is
unchanged.)
