
Auditing IT Governance Controls
Jorge A. Garcia, CPA, CMA
Information technology (IT) governance
• is a relatively new subset of corporate governance that focuses on
the management and assessment of strategic IT resources
• Key objectives of IT governance are to reduce risk and ensure that
investments in IT resources add value to the corporation.
• Modern IT governance - follows the philosophy that all corporate
stakeholders, including boards of directors, top management, and
departmental users (i.e., accounting and finance) be active
participants in key IT decisions.
IT Governance Controls
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION
• The organization of the IT function has implications for the nature and
effectiveness of internal controls, which, in turn, has implications for
the audit.
• Two extreme organizational models
  • Centralized approach
    • Under the centralized data processing model, all data processing is performed by one or
    more large computers housed at a central site that serves users throughout the
    organization.
  • Distributed approach
    • The IT units may be distributed according to business function, geographic location, or
    both.
Primary service areas
• database administration
• data processing
• systems development and maintenance
Database Administration
• Centrally organized companies maintain their data resources in a
central location that is shared by all end users. In this shared data
arrangement, an independent group headed by the database
administrator (DBA) is responsible for the security and integrity of the
database.
Data Processing
• The data processing group manages the computer resources used to
perform the day-to-day processing of transactions.
  • Data conversion
    • Transcribes transaction data from hard-copy source documents into computer input.
  • Computer operations
    • The electronic files produced in data conversion are later processed by the central
    computer, which is managed by the computer operations groups.
  • Data library
    • Room adjacent to the computer center that provides safe storage for the off-line data
    files. Those files could be backups or current data files.
Systems Development and Maintenance
• The information systems needs of users are met by two related
functions: system development and systems maintenance. The
participants in system development activities include systems
professionals, end users, and stakeholders.
Segregation of Incompatible IT Functions
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that,
short of collusion between two or more individuals, fraud would not
be possible.
Separating Systems Development from Computer Operations
The segregation of systems development (both new systems
development and maintenance) and operations activities is of the
greatest importance. The relationship between these groups should be
extremely formal, and their responsibilities should not be commingled.
Systems development and maintenance professionals should create
(and maintain) systems for users, and should have no involvement in
entering data, or running applications (i.e., computer operations).
Separating Database Administration from Other Functions
• Another important organizational control is the segregation of the
database administrator (DBA) from other computer center functions.
• The DBA function is responsible for a number of critical tasks
pertaining to database security, including creating the database
schema and user views, assigning database access authority to users,
monitoring database usage, and planning for future expansion
Separating New Systems Development from Maintenance
Although a common arrangement, this approach is associated with two types of control problems:
inadequate documentation and the potential for program fraud.
• Inadequate Documentation
  • First, documenting systems is not as interesting as designing, testing, and
  implementing them. Systems professionals much prefer to move on to an
  exciting new project rather than document one just completed.
  • The second possible reason for poor documentation is job security. When a
  system is poorly documented, it is difficult to interpret, test, and debug.
  Therefore, the programmer who understands the system (the one who coded
  it) maintains bargaining power and becomes relatively indispensable.
• Program Fraud
  • When the original programmer of a system is also assigned maintenance
  responsibility, the potential for fraud is increased. Program fraud involves
  making unauthorized changes to program modules for the purpose of
  committing an illegal act.
A Superior Structure for Systems Development
• The systems development function is separated into two different groups:
  • New systems development
    • Is responsible for designing, programming, and implementing new systems projects.
  • Systems maintenance
    • Upon successful implementation, responsibility for the system’s ongoing maintenance
    falls to the systems maintenance group.
The Distributed Model
• DDP involves reorganizing the central IT function into small IT units
that are placed under the control of end users
• The IT units may be distributed according to business function,
geographic location, or both.
• Alternative A is actually a variant of the centralized model; the
difference is that terminals (or microcomputers) are distributed to
end users for handling input and output. This eliminates the need for
the centralized data conversion groups, since the user now performs
this task. Under this model, however, systems development,
computer operations, and database administration remain
centralized.
• Alternative B is a significant departure from the centralized model.
This alternative distributes all computer services to the end users,
where they operate as standalone units. The result is the elimination
of the central IT function from the organizational structure. These
connections represent a networking arrangement that permits
communication and data transfers between the units.
Risks Associated with DDP
• Inefficient use of resources
• Destruction of audit trails
• Inadequate segregation of duties
• Increased potential for programming errors
• Systems failures
• Lack of standards.
Inefficient Use of Resources
• DDP can expose an organization to three types of risks associated
with inefficient use of organizational resources:
  • The risk of mismanagement of organization-wide IT resources by end users.
  • DDP can increase the risk of operational inefficiencies because of redundant
  tasks being performed within the end-user committee.
  • The DDP environment poses a risk of incompatible hardware and software among
  end-user functions.
Destruction of Audit Trails
• An audit trail provides the linkage between a company’s financial
activities (transactions) and the financial statements that report on
those activities.
• The audit trail consists of a set of:
  • digital transaction files
  • master files
Inadequate Segregation of Duties
• The distribution of the IT services to users may result in the creation
of small independent units that do not permit the desired separation
of incompatible functions
Hiring Qualified Professionals
• End-user managers may lack the IT knowledge to evaluate the
technical credentials and relevant experience of candidates applying
for IT professional positions
Lack of Standards
• Because of the distribution of responsibility in the DDP environment,
standards for developing and documenting systems, choosing
programming languages, acquiring hardware and software, and
evaluating performance may be unevenly applied or even nonexistent
Advantages of DDP
• Potential advantages of DDP include:
  • cost reductions
  • improved cost control
  • improved user satisfaction
  • backup
Cost Reductions
• For many years, achieving economies of scale was the principal
justification for the centralized data processing approach
Improved Cost Control Responsibility
• End-user managers carry the responsibility for the financial success of
their operations
Improved User Satisfaction
• DDP proponents claim that distributing systems to end users improves
three areas of need that too often go unsatisfied in the centralized
model:
(1) as previously stated, users desire to control the resources that influence
their profitability;
(2) users want systems professionals (analysts, programmers, and computer
operators) to be responsive to their specific situation; and
(3) users want to become more actively involved in developing and
implementing their own systems
Backup Flexibility
• The final argument in favor of DDP is the ability to back up computing
facilities to protect against potential disasters such as fires, floods,
sabotage, and earthquakes
Controlling the DDP Environment
• Corporate IT function
  • Central Testing of Commercial Software and Hardware
    • Test results can then be distributed to user areas as standards for guiding acquisition
    decisions.
  • User Services
    • This activity provides technical help to users during the installation of new software and
    in troubleshooting hardware and software problems.
  • Standard-Setting Body
    • The corporate group can contribute to this goal by establishing and distributing to user
    areas appropriate standards for systems development, programming, and
    documentation.
  • Personnel Review
    • The corporate group is often better equipped than users to evaluate the technical
    credentials of prospective systems professionals.
Audit Objective
• The auditor’s objective is to verify that the structure of the IT
function is such that individuals in incompatible areas are segregated
in accordance with the level of potential risk and in a manner that
promotes a working environment. This is an environment in which
formal, rather than casual, relationships need to exist between
incompatible tasks.
Audit Procedures
• The following audit procedures would apply to an organization with a
centralized IT function:
  • Review relevant documentation, including the current organizational chart, mission
  statement, and job descriptions for key functions, to determine if individuals or groups
  are performing incompatible functions.
  • Review systems documentation and maintenance records for a sample of
  applications. Verify that maintenance programmers assigned to specific projects are
  not also the original design programmers.
  • Verify that computer operators do not have access to the operational details of a
  system’s internal logic. Systems documentation, such as systems flowcharts, logic
  flowcharts, and program code listings, should not be part of the operation’s
  documentation set.
  • Through observation, determine that segregation policy is being followed in practice.
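The second and third procedures above can be run as a repeatable check over a sample of applications. The following is an added example, not part of the original slides; the record layout, application names, staff IDs and the "no maintenance assignment" follow-up flag are assumptions made for illustration.

```python
"""Segregation-of-duties checks over a sample of applications (constructed data)."""

# Documentation that exposes a system's internal logic; per the procedure above,
# none of it should be part of the operations documentation set.
RESTRICTED_DOCS = {"systems flowchart", "logic flowchart", "program code listing"}

# Constructed sample: every application name, staff ID and document is hypothetical.
SAMPLE = [
    {"app": "payroll", "designers": {"emp014", "emp022"},
     "maintainers": {"emp031"},
     "operations_docs": {"run manual", "restart procedures"}},
    {"app": "accounts-payable", "designers": {"emp007"},
     "maintainers": {"emp007", "emp040"},
     "operations_docs": {"run manual", "Program Code Listing"}},
    {"app": "inventory", "designers": {"emp019"},
     "maintainers": set(),
     "operations_docs": {"run manual", "logic flowchart"}},
]


def audit_application(record):
    """Return a list of (finding_type, detail) tuples for one application."""
    findings = []
    # Maintenance programmers must not also be the original design programmers.
    for emp in sorted(record["designers"] & record["maintainers"]):
        findings.append(("designer_also_maintainer", emp))
    # Assumption added here, not a page procedure: an application with no
    # recorded maintenance assignment is flagged for follow-up.
    if not record["maintainers"]:
        findings.append(("no_maintenance_assignment", record["app"]))
    # Operators must not hold documentation of the system's internal logic.
    docs = {d.strip().lower() for d in record["operations_docs"]}
    for doc in sorted(docs & RESTRICTED_DOCS):
        findings.append(("logic_docs_in_operations_set", doc))
    return findings


def audit_sample(records):
    """Map each application name to its findings, omitting clean applications."""
    report = {}
    for record in records:
        findings = audit_application(record)
        if findings:
            report[record["app"]] = findings
    return report


if __name__ == "__main__":
    for app, findings in audit_sample(SAMPLE).items():
        for kind, detail in findings:
            print(f"{app}: {kind}: {detail}")
```
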
Audit Procedures
• The following audit procedures would apply to an organization with a
distributed IT function:
  • Review the current organizational chart, mission statement, and job
  descriptions for key functions to determine if individuals or groups are
  performing incompatible duties.
  • Verify that corporate policies and standards for systems design,
  documentation, and hardware and software acquisition are published and
  provided to distributed IT units.
  • Verify that compensating controls, such as supervision and management
  monitoring, are employed when segregation of incompatible duties is
  economically infeasible.
  • Review systems documentation to verify that applications, procedures, and
  databases are designed and functioning in accordance with corporate
  standards.
THE COMPUTER CENTER
• The objective of this section is to present computer center risks and the
controls that help to mitigate risk and create a secure environment.
• Areas of potential exposure that can impact the quality of information,
accounting records, transaction processing, and the effectiveness of other
more conventional internal controls:
  • Physical Location
  • Construction
  • Access (Physical Access)
  • Air Conditioning (70-75 deg F; 50% humidity)
  • Fire Suppression
  • Fault Tolerance
Fault Tolerance
• The ability of the system to continue operation when part of the
system fails because of hardware failure, application program error, or
operator error.
• Two examples of fault tolerance technologies:
  • Redundant arrays of independent disks (RAID)
    • RAID involves using parallel disks that contain redundant elements of data and
    applications. If one disk fails, the lost data are automatically reconstructed from the
    redundant components stored on the other disks.
  • Uninterruptible power supplies (UPS)
    • Commercially provided electrical power presents several problems that can disrupt the
    computer center operations, including total power failures, brownouts, power
    fluctuations, and frequency variations.
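How a lost disk is reconstructed from the surviving ones, shown with single XOR parity as used by parity-based RAID levels such as RAID 5. This is an added example, not part of the original slides, which do not name a RAID level; the block contents and function names are constructed for illustration.

```python
"""Single-parity striping: rebuild one failed disk from the survivors."""
from functools import reduce

# Constructed sample: three equal-sized data blocks, one per data disk.
DATA = [b"LEDGER01", b"PAYROLL2", b"INVOICE3"]


def xor_blocks(blocks):
    """XOR equal-length byte blocks together, column by column."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("all blocks in a stripe must be the same length")
    return bytes(reduce(lambda x, y: x ^ y, col) for col in zip(*blocks))


def build_stripe(data_blocks):
    """Return the stripe as stored: the data blocks plus one parity block."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild(stripe, failed):
    """Reconstruct the block at index `failed` (marked None) from the rest."""
    missing = [i for i, b in enumerate(stripe) if b is None]
    if missing != [failed]:
        # Two or more lost blocks cannot be recovered from a single parity.
        raise ValueError("single parity can rebuild exactly one lost block")
    return xor_blocks([b for b in stripe if b is not None])


def verify_stripe(stripe):
    """Scrub check: True when the stored parity still matches the data."""
    return xor_blocks(stripe[:-1]) == stripe[-1]


if __name__ == "__main__":
    stripe = build_stripe(DATA)
    degraded = list(stripe)
    degraded[1] = None  # simulate the failure of the second disk
    print("rebuilt:", rebuild(degraded, 1))
    print("parity consistent:", verify_stripe(stripe))
```

The second failure case matters for the audit: with one parity block, the array tolerates the loss of one disk only, so a degraded array is exposed until the rebuild completes.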
Audit Objectives
• The auditor’s objective is to evaluate the controls governing computer
center security. Specifically, the auditor must verify that:
  • Physical security controls are adequate to reasonably protect the
  organization from physical exposures.
  • Insurance coverage on equipment is adequate to compensate the
  organization for the destruction of, or damage to, its computer center.
Audit Procedures
• The following are tests of physical security controls:
  • Tests of Physical Construction
  • Tests of the Fire Detection System
  • Tests of Access Control
  • Tests of RAID
  • Tests of the Uninterruptible Power Supply
  • Tests for Insurance Coverage
