
IT Auditing, Hall, 3e

© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
A bank based in California has 13 branches
spread throughout northern California, each
with its own minicomputer where its data are
stored. Another bank has 10 branches also
spread throughout California, with data being
stored on a mainframe in San Francisco.

Which system do you think is more vulnerable
to unauthorized access? Which system is more
vulnerable to excessive losses from disaster?

 IT Governance: subset of corporate
governance that focuses on the management
and assessment of strategic IT resources
 Key objectives:
◦ Reduce risk
◦ Ensure investments in IT resources add value to the
corporation
 All employees and stakeholders must be
active participants in key IT decisions

 Three IT governance issues addressed by SOX
and the COSO internal control framework:
◦ Organizational structure of the IT function
◦ Computer center operations
◦ Disaster recovery planning
 Nature of risk associated with each issue
 Controls used to mitigate risk
 Audit objectives
 Tests of controls

 Centralized data processing [see Figure 2-1]
 Organizational chart [see Figure 2-2]:
◦ Database administrator
◦ Data processing manager/dept.
◦ Data control
◦ Data preparation/conversion
◦ Computer operations
◦ Data library

Organization of Computer Services Function in a
Centralized System

 Segregation of incompatible IT functions
 Systems development & maintenance
◦ Participants:
 End users
 IS professionals
 Auditors
 Other stakeholders

 Segregation of incompatible IT functions
Objectives:
Segregate transaction authorization from
transaction processing
Segregate record keeping from asset custody
Divide transaction processing steps among
individuals to force collusion to perpetrate fraud

 Segregation of incompatible IT functions
Separating systems development from
computer operations
[see Figure 2-2]

 Segregation of incompatible IT functions
Separating DBA from other functions
DBA is responsible for several critical tasks:
 Database security
 Creating database schema and
user views
 Assigning database access authority to users
 Monitoring database usage
 Planning for future changes

 Segregation of incompatible IT functions
 Alternative 1: segregate systems analysis from
programming [see Figure 2-3]; under this arrangement the
programmer who codes a program also maintains it
 Two types of control problems from this approach:
 Inadequate documentation
 A chronic problem. Why? Writing documentation is
not interesting, and lack of documentation provides
job security
 Potential for fraud
 A programmer who both writes and maintains a program
can conceal fraudulent code; frauds of this sort may
continue for years without detection.

 Segregation of incompatible IT functions
 Segregate systems development from
maintenance
[see Figure 2-2]
 Two types of improvements from this
approach:
 Better documentation standards
 Documentation is necessary for the transfer of
responsibility to the maintenance group, so
withholding it no longer provides job security
 Deters fraud
 A separate maintenance programmer raises the
possibility of fraudulent code being discovered

 Segregation of incompatible IT functions
 Segregate data library from operations
 Physical security of off-line data files
 Implications of modern systems on the use of a data
library:
 Real-time/online processing has replaced much batch
processing, so the volume of tape files is often
insufficient to justify a full-time librarian
 Alternative: rotate the librarian duty on an ad hoc basis
 Custody of on-site data backups
 Custody of original commercial software and licenses

 Segregation of incompatible IT functions
 Audit objectives
 Assess the risk and verify that incompatible areas
are segregated in accordance with that risk
 Verify that formal, rather than informal, relationships
exist between incompatible tasks
 Why does it matter?

 Segregation of incompatible IT functions
 Audit procedures:
 Obtain and review security policy
 Verify policy is communicated
 Review relevant documentation (org. chart,
mission statement, key job descriptions)
 Review systems documentation and maintenance
records (using a sample)
 Verify whether maintenance programmers are also
original design programmers
 Observe segregation policies in practice
 Review operations room access log
 Review user rights and privileges
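Two of the procedures above, reviewing user rights and privileges and checking whether maintenance programmers are also the original design programmers, can be run as a script against exported data rather than by eye. The following Python example is added here and is not from Hall's text; the access-rights export, the maintenance log and the group names (sysdev, operations, maintenance, dba, datalib) are constructed for illustration and do not come from any real product's role model.

```python
"""Segregation-of-duties (SoD) checks over an access-rights export and a
program maintenance log. Added example, not from Hall's text; all data and
group names below are constructed assumptions."""
import csv
import io
from collections import defaultdict

# Constructed access-control export, one row per user/group membership,
# in the shape an auditor typically receives from the access-control system.
ACCESS_EXPORT = """user,group
alice,sysdev
bob,operations
carol,sysdev
carol,operations
dave,dba
dave,sysdev
erin,maintenance
frank,datalib
"""

# Constructed maintenance log: (program, original design programmer, current maintainer).
MAINTENANCE_LOG = [
    ("AR_POST", "alice", "erin"),
    ("GL_CLOSE", "alice", "alice"),   # designer still maintains own program
    ("PAYROLL", "dave", "erin"),
]

# Role pairs the chapter treats as incompatible. Group names are this
# example's assumption; a real review would use the organization's SoD matrix.
INCOMPATIBLE_PAIRS = [
    ("sysdev", "operations"),       # systems development vs. computer operations
    ("maintenance", "operations"),  # program maintenance vs. computer operations
    ("dba", "sysdev"),              # DBA vs. systems development
    ("dba", "operations"),          # DBA vs. computer operations
    ("datalib", "operations"),      # data library custody vs. computer operations
]


def parse_access_export(text):
    """Return {user: set(groups)} from a 'user,group' CSV export."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        groups[row["user"].strip()].add(row["group"].strip())
    return dict(groups)


def role_conflicts(user_groups, pairs=INCOMPATIBLE_PAIRS):
    """Users holding both roles of an incompatible pair: {user: [(a, b), ...]}."""
    findings = defaultdict(list)
    for user, groups in sorted(user_groups.items()):
        for a, b in pairs:
            if a in groups and b in groups:
                findings[user].append((a, b))
    return dict(findings)


def designer_maintains_own_program(log):
    """Programs whose current maintainer is the original design programmer."""
    return [prog for prog, designer, maintainer in log if designer == maintainer]


def maintainers_outside_maintenance_group(log, user_groups):
    """Maintainers who are not in the maintenance group: an informal
    relationship between development and maintenance."""
    return sorted({m for _, _, m in log if "maintenance" not in user_groups.get(m, set())})


def sod_report(access_export=ACCESS_EXPORT, log=MAINTENANCE_LOG):
    """Run all three checks and return the findings as one dict."""
    ug = parse_access_export(access_export)
    return {
        "role_conflicts": role_conflicts(ug),
        "self_maintained_programs": designer_maintains_own_program(log),
        "informal_maintainers": maintainers_outside_maintenance_group(log, ug),
    }


if __name__ == "__main__":
    for name, finding in sod_report().items():
        print(f"{name}: {finding}")
```

Run against the constructed data it reports carol (development and operations), dave (DBA and development), GL_CLOSE (maintained by its own designer) and alice as a maintainer who is outside the maintenance group, which is exactly the informal relationship the audit objective warns about. Against a live system the export would come from the access-control system's own reporting tool and the incompatible-pair table from the organization's SoD matrix; the sample here is only a demonstration.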

During its preliminary review of the financial
statements of Barton, Inc., Simon and
Associates, CPA discovered a lack of proper
segregation of duties between the programming
and operating functions in Barton's data
center. They discovered that some new
systems development programmers also filled
in as operators on occasion.

Simon and Associates extended the internal
control review and test of controls concluded
in its final report that sufficient compensating
general controls provided reasonable
assurance that the internal control objectives
were being met.

What compensating controls are most likely in
place?

 Distributed Data Processing (DDP)
involves reorganizing the central IT
function into small IT units that are
placed under the control of end users
 Two alternatives shown in [figure 2-4]
 Alternative A: centralized
 Alternative B: decentralized / network

Organizational Structure for a Distributed Processing
System

Advantages and Risks of DDP

 Cost reduction
 End user data entry vs. data control group
 Application complexity reduced
 Development and maintenance costs reduced
 Improved cost control responsibility
 IT critical to success; managers must be
empowered with authority
 Improved user satisfaction
 Increased morale and productivity
 Backup flexibility
 Excess capacity for DRP; protection against
potential disasters

 Inefficient use of resources
Mismanagement of resources by end
users
Hardware and software incompatibility
Redundant tasks
 Destruction of audit trails
 Inadvertently deleting or inserting files
 Inadequate segregation of duties
 Same person performing program maintenance
and computer operation

 Difficulty hiring qualified professionals
 End-user managers may lack the IT knowledge to
evaluate candidates, which increases the potential for
programming errors and system failures
 Lack of standards
 Uneven application or non-existence of
policies and guidelines

 Controlling the DDP environment:
 Need for careful analysis before adopting DDP
 Implement a corporate IT function that provides:
 Central systems development
 Acquisition, testing, and implementation of
commercial software and hardware
 User services
 Help desk: technical support, FAQs, chat room, etc.
 Standard-setting body
 Personnel review, to help end-user managers
evaluate IT staff

 Verify that the structure of the IT function is
such that individuals in incompatible areas
are segregated:
◦ In accordance with the level of potential risk
◦ And in a manner that promotes a working
environment
 Verify that formal, rather than informal,
relationships exist between incompatible tasks

 Review the corporate policy on computer
security
◦ Verify that the security policy is communicated
to employees
 Review documentation to determine if
individuals or groups are performing
incompatible functions
 Review systems documentation and
maintenance records
◦ Verify that maintenance programmers are not
also design programmers
PHYSICAL ENVIRONMENT OF A COMPUTER
CENTER

 Physical location
 Avoid human-made and natural hazards
 Construction
 Ideally: single-storey, underground utilities,
windowless, use of filters
 If multi-storied building, use top floor (away from
traffic flows, and potential flooding in a basement)
 Access
 Physical: Locked doors, cameras
 Manual: Access log of visitors

 Air conditioning
 Especially for mainframes
 Even a group of PCs generates a significant amount of heat
 Fire suppression
 Automatic: usually sprinklers
 Gas agents such as halon or CO2 smother a fire but
can also suffocate anyone trapped in the room
 Sprinklers and certain chemicals can destroy the
computers and equipment
 Manual methods
 Power supply
 Need for clean power at an acceptable level
(voltage regulation and surge protection)
 Uninterruptible power supply (UPS) to ride out outages

 Physical security internal controls (IC) protect
the computer center from physical
exposures
 Insurance coverage compensates the
organization for damage to the
computer center
 Operator documentation addresses
routine operations as well as system
failures
 Verify the site location avoids man-made threats and
natural hazards
 Verify utility and communications lines run underground
 Verify air conditioning and air filtration systems are
adequate
 Verify access is limited to operators and computer center
workers; others are required to sign in and out
 Verify fire suppression systems are installed and tested
 Verify fault tolerance
◦ redundant disks (RAID) and other system components
◦ backup power supplies (UPS)

 Review insurance coverage on hardware,
software, and physical facility
 Review operator documentation, run
manuals, for completeness and accuracy
 Verify that operational details of a system’s
internal logic are not in the operator’s
documentation

 Disaster recovery plans (DRP) identify:
◦ actions before, during, and after the
disaster
◦ disaster recovery team
◦ priorities for restoring critical applications
◦ See Figure 2-6
 Audit objective – verify that DRP is
adequate and feasible for dealing with
disasters

Disaster Recovery Plan
1. Critical Applications – Rank critical applications so an orderly and effective restoration of
computer systems is possible.
2. Create Disaster Recovery Team – Select team members, write job descriptions, describe
recovery process in terms of who does what.
3. Site Backup – a backup site facility including appropriate furniture, housing, computers, and
telecommunications. Another valid option is a mutual aid pact where a similar business or
branch of same company swap availability when needed.
4. Hardware Backup – Some vendors provide computers with their site – known as a hot site
or Recovery Operations Center. Some do not provide hardware – known as a cold site. When
not available, make sure plan accommodates compatible hardware (e.g., ability to lease
computers).
5. System Software Backup – Some hot sites provide the operating system. If not included in
the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the
backup site
7. Data Backup – One key strategy in backups is to store copies of data backups away from
the business campus, preferably several miles away or at the backup site. Another key is to
test the restore function of data backups before a crisis.
8. Supplies – A modest inventory of supplies should be at the backup site or be deliverable
quickly.
9. Documentation – An adequate set of copies of user and system documentation.
10. TEST! – The MOST IMPORTANT ELEMENT of an effective Disaster Recovery Plan is to test
it before a crisis occurs, and to test it periodically (e.g., once a year).
 Empty shell (cold site) - involves two or
more user organizations that buy or lease
a building and remodel it into a computer
site, but without computer equipment
 Recovery operations center (hot site) - a
completely equipped site; very costly and
typically shared among many companies
 Internally provided backup - companies
with multiple data processing centers
may create internal excess capacity

 [Video: Disaster Recovery & Business Continuity (Millennium IT) Malabe.mp4]

 Major internal control (IC) concerns:
◦ second-site backups
◦ critical applications and databases
 including supplies and documentation
◦ back-up and off-site storage
procedures
◦ disaster recovery team
◦ testing the DRP regularly

 Evaluate adequacy of second-site
backup arrangements
 Review list of critical applications for
completeness and currency
 Verify that procedures are in place
for storing off-site copies of
applications and data
◦ Check the currency of backups and copies
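Item 7 of the disaster recovery plan above (test the restore function before a crisis) and this audit step come down to the same two checks: can a backup actually be restored intact, and is the most recent copy within the recovery point the business needs. The following Python example is added here and is not from Hall's text; the sample data directory, the archive name and the 24-hour recovery point objective (RPO) are assumptions made for the example.

```python
"""Backup restore drill and currency check. Added example, not from Hall's
text; the sample data, archive name and 24-hour RPO are assumptions."""
import hashlib
import io
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large backups stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir as tar.gz with an embedded SHA-256 manifest.
    Returns the manifest {relative_path: sha256}."""
    src = Path(src_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))   # manifest travels with the backup
    return manifest


def restore_backup(archive_path, restore_dir):
    """Extract the archive, refusing members that could escape restore_dir."""
    with tarfile.open(str(archive_path), "r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
                raise ValueError(f"refusing unsafe archive member: {m.name}")
        try:
            tar.extractall(restore_dir, filter="data")  # Python 3.12+ and backports
        except TypeError:                               # older interpreters lack filter=
            tar.extractall(restore_dir)


def verify_restore(restore_dir):
    """Compare every restored file with the embedded manifest.
    Returns a list of problems; an empty list means the restore is good."""
    root = Path(restore_dir)
    manifest = json.loads((root / "MANIFEST.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    restored = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for extra in sorted(restored - set(manifest) - {"MANIFEST.json"}):
        problems.append(f"unexpected file: {extra}")
    return problems


def backup_age_ok(backup_mtime, rpo_seconds, now=None):
    """True if the backup is no older than the recovery point objective."""
    now = time.time() if now is None else now
    return (now - backup_mtime) <= rpo_seconds


def run_restore_test(rpo_hours=24):
    """Back up constructed data, restore it, verify, then corrupt one restored
    file to show that the check catches it. Returns a summary dict."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "prod_data")
        (src / "gl").mkdir(parents=True)
        (src / "gl" / "ledger.csv").write_text("acct,amount\n1000,42.00\n")  # constructed
        (src / "customers.db").write_bytes(os.urandom(4096))                 # constructed
        archive = Path(work, "nightly.tar.gz")
        manifest = make_backup(src, archive)
        restore = Path(work, "restore")
        restore_backup(archive, restore)
        problems = verify_restore(restore)
        (restore / "gl" / "ledger.csv").write_text("acct,amount\n")  # simulate truncation
        after = verify_restore(restore)
        return {
            "files_backed_up": len(manifest),
            "restore_ok": not problems,
            "problems": problems,
            "corruption_detected": any(p.startswith("hash mismatch") for p in after),
            "backup_current": backup_age_ok(os.path.getmtime(archive), rpo_hours * 3600),
        }


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

The manifest is stored inside the archive so the drill verifies content, not just the presence of files, and the deliberately truncated ledger.csv shows what a failed verification looks like. A real DRP test runs the same restore against the off-site copy at the backup site rather than against the original, and the age check should be run on that copy's timestamp.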

 Verify that documentation, supplies,
etc., are stored off-site
 Verify that the disaster recovery
team knows its responsibilities
◦ Check frequency of testing the DRP

Benefits of IT Outsourcing
 Improved core business processes
 Improved IT performance
 Reduced IT costs

Risks of IT Outsourcing
 Failure to perform
 Vendor exploitation
 Costs exceed benefits
 Reduced security
 Loss of strategic advantage

Audit Implications of IT Outsourcing
 Management retains SOX responsibilities
 SAS No. 70 report or audit of vendor will
be required (SAS 70 has since been superseded by
SSAE 16 and later SSAE 18 SOC 1 reports)

