AUDITING IT GOVERNANCE CONTROLS

Information Technology Governance

Information technology (IT) governance is a relatively new subset of corporate governance
that focuses on the management and assessment of strategic IT resources.
Key objectives of IT governance are to reduce risk and ensure that investments in IT resources add
value to the corporation.
IT Governance Controls
Although all IT governance issues are important to the organization, not all of them are matters of
internal control under SOX that may potentially impact the financial reporting process.
3 IT governance issues:
1. Organizational structure of the IT function
2. Computer center operation
3. Disaster recovery planning
Structure of the Information Technology Function
The organization of the IT function has implications for the nature and effectiveness of internal
controls, which in turn, has implications for the audit.
2 extreme organizational models
1. Centralized Approach
2. Distributed Approach
Centralized Data Processing
Under the centralized data processing model, all data processing is performed by one or more
large computers housed at a central site that serves users throughout the organization.
Database Administration
Centrally organized companies maintain their data resources in a central location that is shared by all
end users. In this shared data arrangement, an independent group headed by the database
administrator (DBA) is responsible for the security and integrity of the database.
Data Processing
The data processing group manages the computer resources used to perform the day-to- day
processing of transactions. It consists of the following organizational functions: data conversion,
computer operations, and the data library.
Data Conversion
The data conversion function transcribes transaction data from hard-copy documents into computer
input. For example, data conversion could involve keystroking sales orders into a sale order
application in modern systems, or transcribing data into magnetic media (tape or disk) suitable for
computer processing in legacy type systems.
 Marketing

Finance

Production

IT
Services

Accounting
Distribution

Data

Information

Cost Chargeback
Figure 2.1 Centralized Data Processing Approach

Computer Operations
The electronic files produced in data conversion are later processed by the central computer, which
is managed by the computer operations groups. Accounting applications are usually executed
according to a strict schedule that is controlled by the central computer’s operating system.
Data Library
The data library is a room adjacent to the computer center that provides safe storage for the off-
line data files. Those files could be backups or current data files for instance, the data library could
be used to store backup data on DVDs, CD-TOMs, tapes, or other storage devices. It could also be
used to store current operational data files on magnetic tapes and removable disks packs.
Data Librarian who is responsible for the receipt, storage, retrieval, and custody of data files,
control access to the library. The librarian issues data files to computer operators in accordance with
program requests and takes custody of files when processing or backup procedures are completed.
 President

VP VP VP VP VP
Marketing Finance IT Services Administration Operations

Systems Development Database Data Processing

Manager Administrator Manager

New Systems Systems Data Computer Data Library

Development Maintenance Conversation Operations

Figure 2.2 Organizational Chart of a Centralized Information Technology Function

Systems Development and Maintenance

The information systems needs of users are met by two related functions: system development and
systems maintenance. The former group is responsible for analyzing user needs and for designing
new systems to satisfy those needs. The participants in system development activities include
systems professionals, end users, and stakeholders.
Systems professionals include system analysts, database designers, and programmers who design
and build the system. Systems professionals gather facts about the user’s problem, analyze the facts,
and formulate a solution. The product of their efforts is a new information system.
End users are those for whom the system is built. They are the managers who receive reports from
the system and the operations personnel who work directly with the system as part of their daily
responsibilities.
Stakeholders are individuals inside or outside the firm who have an interest in the system, but are
not end users. They include accountants, internal auditors, external auditors, and others who oversee
systems development.
Maintenance refers to making changes to program logic to accommodate shifts in user needs
overtime. During the course of the system’s life (often several years), as much as 80 or 90 percent of
its total cost may be incurred through maintenance activities.
Segregation of Incompatible IT Functions
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody
3. Divide transaction-processing tasks among individuals such that short of collusion between
two or more individuals fraud would not be possible.
The IT environment tends to consolidate activities. A single application may authorize, process, and
record all aspects of a transaction. Thus, the focus of segregation control shifts from the operational
level (transaction processing tasks that computers now perform) to higher-level organizational
relationships within the computer services function.
Separating Systems Development from Computer Operations
The segregation of systems development (both new systems development and maintenance) and
operations activities is of the greatest importance. The relationship between these groups should be
extremely formal, and their responsibilities should not be commingled. Systems development and
maintenance professionals should create (and maintain) systems for users, and should have no
involvement in entering data, or running applications.
Separating Database Administration from Other Functions
Another important organizational control is the segregation of the database administrator (DBA)
from other computer center functions. The DBA function is responsible for a number of critical tasks
pertaining to database security. Including creating the database schema and user views, assigning
database access authority to users, monitoring database usage and planning for future expansion.
Separating New Systems Development from Maintenance
Some companies organize their in-house systems development function into two groups:
 System analysis group works with the users to produce detailed designs of the new
systems.
 Programming group codes the program according to these design specifications. Under
this approach, the programmer who codes the original programs also maintains the system
during the maintenance phase of the systems development life cycle.
Two Types of Control Problems
 Inadequate Documentation - poor-quality systems documentation is a chronic IT
problem and a significant challenge for many organizations seeking SOX compliance.
Possible reasons for poor documentation:
 Documenting systems is not as interesting as designing, testing, and implementing
them. Systems professionals much prefer to move on to an exciting new project rather
than document one just completed.
 Job security. When a system is a poorly documented, it is difficult to interpret, test
and debug. Therefore, the programmer who understands the system (the one who
coded it) maintains bargaining power and becomes relatively indispensable.
 Program Fraud – When the original programmer of a system is also assigned maintenance
responsibility, the potential for fraud is increased program fraud is involves making
unauthorized changes to program modules for the purpose of committing an illegal act.
The programmer may have successfully concealed fraudulent code among the thousands
of lines of legitimate codes and the hundreds of modules that constitute a system.
- Needs to protect the fraudulent code from accidental detection by another programmer
performing maintenance or by auditors testing application control.
- May freely access the system, disabling fraudulent code during audits and then restoring
the code when the coast is clear.
DISTRIBUTED DATA PROCESSING (DDP) – an alternative to the centralized model. DDP
involves reorganizing the central IT function into small IT units that are placed under the control of
end users.

Destruction of Audit Trails – an audit trail provides the linkage between a company’s financial
activities (transactions) and the financial statements that report on those activities.
Inadequate Segregation of Duties –Achieving an adequate segregation of duties may not be
possible in some distributed environment.
Hiring Qualified Professionals – End-user managers may lack the IT knowledge to evaluate the
technical credentials and relevant experience of candidates applying for IT professional positions.
Lack of Standards – because of the distribution of responsibility in the DDP environment,
standards for developing and documenting systems, choosing programming languages, acquiring
hardware and software, and evaluating performance may be unevenly applied or even nonexistent.

ADVANTAGES OF DDP

Cost Reductions – achieving economics of scale was the principal jurisdiction for the centralized
data processing approach. The economics of data processing favored large, expensive, powerful
computers.

Improved Cost Control Responsibility – End-user managers carry the responsibility for the
financial success of their operations. This responsibility requires that they be properly empowered
with the authority to make decisions about resources that influence their overall success.

Improved User Satisfaction – perhaps the most often cited benefit of DDP is improved user
satisfaction. DDP proponents claim that distributing system to end users improves three areas of
need that too often go unsatisfied in the centralized model:
(1) Users desire to control the resources that influence their profitability;
(2) Users want systems professionals (analysts, programmers, and computer operators) to be
responsive to their specific situations; and
(3) Users want to become more actively involved in developing and implementing their own
system.

Backup Flexibility – the final argument in favor of DDP is the ability to back up computing
facilities to protect against potential disasters such as fires, floods, sabotage, and earthquakes.
CONTROLLING THE DDP ENVIRONMENT

Implement a Corporate IT Function – the completely centralized model and the distributed
model represent extreme positions on a continuum of structural alternatives. The needs of most
firms fall somewhere between these end points. Often, the control problems previously described
can be addressed by implementing a corporate IT functions.

Central Testing of Commercial Software and Hardware – a centralized corporate IT group

is better equipped than are end users to evaluate the merits of competing commercial software and
hardware products under consideration.

User Services – a valuable feature of the corporate group is its user services function. This
activity provides technical help to users during the installation of new software and in
troubleshooting hardware and software problems.

Standard-Setting Body – the relatively poor control environment imposed by the DDP model
can be improved by establishing some central guidance. The corporate group can contribute to this
goal by establishing and distributing to user areas appropriate standards for systems development,
programming, and documentation.

Personnel Review – the corporate group is often better equipped than users to evaluate the
technical credentials of prospective systems professionals.

Audit Objective – the auditor’s objective is to verify that the structure of the IT function is such
that individuals in incompatible areas are segregated in accordance with the level of potential risk
and in a manner that promotes a working environment.

Audit Procedures

- Review relevant documentation.

- Review systems documentation and maintenance records.
- Verify that computer operators do not have access to the operational details of system’s internal
logic.
- Through observation, determine that segregation policy is being followed in practice.
- Review the current organizational chart, mission statement, and job descriptions.
- Verify that corporate policies and standards for system design, documentation, and hardware and
software acquisition are published and provided to distributed IT units.
- Verify that compensating controls, such as supervision and management monitoring are
employed.
- Review systems documentation to verify that applications, procedures, and databases are designed
and functioning in accordance with corporate standards.

THE COMPUTER CENTER

The objective of this section is to present computer center risks and the controls that help to
mitigate risk and create a secure environment. The following are the areas of potential exposure:

Physical Location –the physical location of the computer center directly affects the risk of destruction
to a natural or man-made disaster.
Construction – a computer center should be located in a single-story building of solid construction
with controlled access.
Access – access to the computer center should be limited to the operators and other employees
who work there.
Air Conditioning – computer function best in an air-conditioned environment and
providing adequate air conditioning is often a requirement of the vendor’s warranty.
Fire Suppression – Fire is the most serious threat to a firm’s computer equipment.
Fault Tolerance – is the ability of the system to continue operation when part of the system fails
because of hardware failure, application program error, or operator error. Two (2) example of Fault
tolerance:
(1) Redundant Arrays of Independent Disks (RAID). It involves using parallel disks that
contain redundant elements of data and applications.
(2) Uninterruptible Power Supplies. Commercially provided electrical power

AUDIT OBJECTIVES

The auditor’s objective is to evaluate the controls governing computer center security. Specifically,
the auditor must verify that:
(1) Physical security controls are adequate to reasonably protect the organization from physical
exposures.
(2) Insurance coverage on equipment is adequate to compensate the organization for the
destruction of, or damage to, its computer center.

AUDIT PROCEDURES

The following are tests of physical security controls:

Tests of Physical Construction – the auditor should obtain architectural plans to determine that
the computer center is solidly built of fireproof material.
Tests of the Fire Detection System –the auditor should establish that fire detection and
suppression equipment, both manual and automatic, are in place and tested regularly.
Tests of Access Control – the auditor must establish that routine access to the computer center
is restricted to authorized employees.
Tests of Raid – most systems that employ RAID provide a graphical mapping of their redundant
disk storage.
Tests of the Uninterruptible Power Supply – the computer center should perform periodic
tests of the backup power supply to ensure that it has sufficient capacity to run the computer and air
conditioning.
Tests for Insurance Coverage – the auditor should annually review the organization’s
insurance coverage on its computer hardware, software, and physical facility.

DISASTER RECOVERY PLANNING

Disasters such as earthquakes, floods, sabotage, and even power failures can be catastrophic to an
organization’s computer center and information systems. Disaster Recovery Plan (DRP) is a
comprehensive statement of all actions to be taken before, during, and after any type of disaster.

Four (4) common features:

(1) Identify critical applications
(2) Create a disaster recovery team
(3) Provide site backup
(4) Specify backup and off-site storage procedures

IDENTIFY CRITICAL APPLICATIONS

The first essential element of a DRP is to identify the firm’s critical applications and associated data
files. Recovery efforts must concentrate on restoring those applications that are critical to the
short-term survival of the organization.
For most organizations, short-term survival requires the restoration of those functions that generate
cash flows sufficient to satisfy short-term obligations. For example, assume that the following
functions affect the cash flow of a particular firm:

 Customer sales and service

 Fulfillment of legal obligation
 Accounts receivable maintenance and collection
 Production and distribution decisions
 Purchasing functions
 Cash disbursements (trade accounts and payroll)

CREATING A DISASTER RECOVERY TEAM

Recovering from a disaster depends in timely corrective action. Delays in performing essential tasks
prolong the recovery period and diminishes the prospects for a successful recovery. To avoid serious
omissions or duplication of effort during implementation of the contingency plan, task responsibility
must be clearly defined and communicated to the personnel involved.

PROVIDING A SECOND-SITE BACKUP

A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following
a disaster. Among the options available the most common are mutual aid pact; empty shell or
cold site; recovery operations center or hot site; and internally provided backup.

Mutual Aid Pact A mutual aid pact is an agreement between two or more organizations (with
compatible computer facilities) to aid each other with their data processing needs in the event of a
disaster. In such event the host company must disrupt its processing schedule to process the
critical transactions of the disaster-stricken company. In effect, the host company itself must go into
an emergency operation mode and cut back on the processing of its lower-priority applications to
accommodate the sudden increase in demand for its IT resources.

Empty Shell The empty or cold site plan is an arrangement wherein the company buys
or leases a building that will serve as data center. In the event of disaster, the shell is available and
ready to receive whatever hardware the temporary user needs to run essential systems.

Recovery Operations Center. A recovery operations center (ROC) or hot site is a fully
equipped backup data center that many companies share. In addition to hardware and backup
facilities, ROC service providers offer a range of technical services to their clients, who pay an
annual fee for the access rights. In the event of a major disaster, a subscriber can occupy the
premises and, within a few hours, resume processing critical applications.

Internally Provided Backup Larger organizations with multiple data processing centers
often prefer the self-reliance that creating internal excess capacity provides. This permits to develop
standardized hardware and software configurations, which ensure functional compatibility among
their data processing centers and minimize cutover problems in the event of a disaster.

Backup and Off-Site Storage Procedures All data files, applications, documentation, and
supplies needed to perform critical functions should be automatically backed up and stored at a
secured off-site location. Data processing personnel should routinely perform backup and storage
procedures to obtain and secure these critical resources.
Operating System Backup If the company uses a cold site or other method of site backup that
does not include a compatible operating system (O/S), procedures for obtaining a current version of
the operating system need to be clearly specified. The data librarian, if one exists would be a key
person to involve in performing this task in addition to the applications and data backups procedures
discussed next.

Application Backup Based on results obtained in the critical applications step discussed
previously, the DRP should include procedures to create copies of current versions of critical
application.

Backup Data Files The state-of-the-art in database backup is the remote mirrored site, which
provides complete data currency. Not all organizations are willing or able to invest in such backup
resources.

Backup Documentation The system documentation for the critical applications should be backed
up and stored off-site along with the applications. System documentation can constitute a significant
amount of material and the backup process is complicated further by frequent application changes.
Documentation backup may, however, be simplified and made more efficient through the use of
Computer Aided Software Engineering (CASE) documentation tools.

Backup Supplies and Source Documents The organization should create backup inventories
of supplies and source documents used in processing critical transactions. Examples of critical
supplies are check stocks, invoices, purchase orders, and any other special purpose forms that
cannot be obtained immediately.

Testing the DRY. The most neglected aspect of contingency planning is testing the DRP.
Nevertheless, DRP tests are important and should be performed periodically. Tests measures the
preparedness of personnel and identify omissions or bottlenecks in the plan.

Audit Objectives
The auditor should verify that management’s disaster recovery plan is adequate and feasible for
dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures
In verifying that management’s DRP is a realistic solution for dealing with a catastrophe, the
following tests may be performed.

Site Backup The auditor should evaluate the adequacy of the backup site arrangement. System
incompatibility and human nature both greatly reduce the effectiveness of the mutual aid pact.

Critical Application List The auditor should review the list of critical applications to ensure that
it is complete. Missing applications can result in failure to recover. The same is true, however, for
restoring unnecessary application. To include applications on the critical list that are not needed to
achieve short-term survival can misdirect resources and distract attention from the primary objective
during the recovery period.
Software Backup The auditor should verify that copies of critical applications and operating
systems are stored off-site. The auditor should also verify that the applications stored off-site are
current by comparing their version numbers with those of the actual applications in use.

Data backup. The auditor should verify that critical data files are backed up in accordance with the
DRP.

Backup Supplies, Documents, and Documentation. The system documentation, supplies,

and source documents needed to process critical transactions should be backed up and stored off-
site. The auditor should verify that the types and quantities of items specified in the DRP such as
check stock, invoices, purchase orders, and any special- purpose forms exist in a secure
location.

Disaster Recovery Team. The DRP should clearly list the names, addresses, and emergency
telephone numbers of the disaster recovery team members. The auditor should verify that members
of the team are current employees and are aware of their assigned responsibilities.