Professional Documents
Culture Documents
Finance
Production
IT
Services
Accounting
Distribution
Data
Information
Cost Chargeback
Figure 2.1 Centralized Data Processing Approach
Computer Operations
The electronic files produced in data conversion are later processed by the central computer, which
is managed by the computer operations groups. Accounting applications are usually executed
according to a strict schedule that is controlled by the central computer’s operating system.
Data Library
The data library is a room adjacent to the computer center that provides safe storage for the off-
line data files. Those files could be backups or current data files for instance, the data library could
be used to store backup data on DVDs, CD-TOMs, tapes, or other storage devices. It could also be
used to store current operational data files on magnetic tapes and removable disks packs.
Data Librarian who is responsible for the receipt, storage, retrieval, and custody of data files,
control access to the library. The librarian issues data files to computer operators in accordance with
program requests and takes custody of files when processing or backup procedures are completed.
President
VP VP VP VP VP
Marketing Finance IT Services Administration Operations
Destruction of Audit Trails – an audit trail provides the linkage between a company’s financial
activities (transactions) and the financial statements that report on those activities.
Inadequate Segregation of Duties –Achieving an adequate segregation of duties may not be
possible in some distributed environment.
Hiring Qualified Professionals – End-user managers may lack the IT knowledge to evaluate the
technical credentials and relevant experience of candidates applying for IT professional positions.
Lack of Standards – because of the distribution of responsibility in the DDP environment,
standards for developing and documenting systems, choosing programming languages, acquiring
hardware and software, and evaluating performance may be unevenly applied or even nonexistent.
ADVANTAGES OF DDP
Cost Reductions – achieving economics of scale was the principal jurisdiction for the centralized
data processing approach. The economics of data processing favored large, expensive, powerful
computers.
Improved Cost Control Responsibility – End-user managers carry the responsibility for the
financial success of their operations. This responsibility requires that they be properly empowered
with the authority to make decisions about resources that influence their overall success.
Improved User Satisfaction – perhaps the most often cited benefit of DDP is improved user
satisfaction. DDP proponents claim that distributing system to end users improves three areas of
need that too often go unsatisfied in the centralized model:
(1) Users desire to control the resources that influence their profitability;
(2) Users want systems professionals (analysts, programmers, and computer operators) to be
responsive to their specific situations; and
(3) Users want to become more actively involved in developing and implementing their own
system.
Backup Flexibility – the final argument in favor of DDP is the ability to back up computing
facilities to protect against potential disasters such as fires, floods, sabotage, and earthquakes.
CONTROLLING THE DDP ENVIRONMENT
Implement a Corporate IT Function – the completely centralized model and the distributed
model represent extreme positions on a continuum of structural alternatives. The needs of most
firms fall somewhere between these end points. Often, the control problems previously described
can be addressed by implementing a corporate IT functions.
User Services – a valuable feature of the corporate group is its user services function. This
activity provides technical help to users during the installation of new software and in
troubleshooting hardware and software problems.
Standard-Setting Body – the relatively poor control environment imposed by the DDP model
can be improved by establishing some central guidance. The corporate group can contribute to this
goal by establishing and distributing to user areas appropriate standards for systems development,
programming, and documentation.
Personnel Review – the corporate group is often better equipped than users to evaluate the
technical credentials of prospective systems professionals.
Audit Objective – the auditor’s objective is to verify that the structure of the IT function is such
that individuals in incompatible areas are segregated in accordance with the level of potential risk
and in a manner that promotes a working environment.
Audit Procedures
The objective of this section is to present computer center risks and the controls that help to
mitigate risk and create a secure environment. The following are the areas of potential exposure:
Physical Location –the physical location of the computer center directly affects the risk of destruction
to a natural or man-made disaster.
Construction – a computer center should be located in a single-story building of solid construction
with controlled access.
Access – access to the computer center should be limited to the operators and other employees
who work there.
Air Conditioning – computer function best in an air-conditioned environment and
providing adequate air conditioning is often a requirement of the vendor’s warranty.
Fire Suppression – Fire is the most serious threat to a firm’s computer equipment.
Fault Tolerance – is the ability of the system to continue operation when part of the system fails
because of hardware failure, application program error, or operator error. Two (2) example of Fault
tolerance:
(1) Redundant Arrays of Independent Disks (RAID). It involves using parallel disks that
contain redundant elements of data and applications.
(2) Uninterruptible Power Supplies. Commercially provided electrical power
AUDIT OBJECTIVES
The auditor’s objective is to evaluate the controls governing computer center security. Specifically,
the auditor must verify that:
(1) Physical security controls are adequate to reasonably protect the organization from physical
exposures.
(2) Insurance coverage on equipment is adequate to compensate the organization for the
destruction of, or damage to, its computer center.
AUDIT PROCEDURES
Tests of Physical Construction – the auditor should obtain architectural plans to determine that
the computer center is solidly built of fireproof material.
Tests of the Fire Detection System –the auditor should establish that fire detection and
suppression equipment, both manual and automatic, are in place and tested regularly.
Tests of Access Control – the auditor must establish that routine access to the computer center
is restricted to authorized employees.
Tests of Raid – most systems that employ RAID provide a graphical mapping of their redundant
disk storage.
Tests of the Uninterruptible Power Supply – the computer center should perform periodic
tests of the backup power supply to ensure that it has sufficient capacity to run the computer and air
conditioning.
Tests for Insurance Coverage – the auditor should annually review the organization’s
insurance coverage on its computer hardware, software, and physical facility.
Disasters such as earthquakes, floods, sabotage, and even power failures can be catastrophic to an
organization’s computer center and information systems. Disaster Recovery Plan (DRP) is a
comprehensive statement of all actions to be taken before, during, and after any type of disaster.
The first essential element of a DRP is to identify the firm’s critical applications and associated data
files. Recovery efforts must concentrate on restoring those applications that are critical to the
short-term survival of the organization.
For most organizations, short-term survival requires the restoration of those functions that generate
cash flows sufficient to satisfy short-term obligations. For example, assume that the following
functions affect the cash flow of a particular firm:
Recovering from a disaster depends in timely corrective action. Delays in performing essential tasks
prolong the recovery period and diminishes the prospects for a successful recovery. To avoid serious
omissions or duplication of effort during implementation of the contingency plan, task responsibility
must be clearly defined and communicated to the personnel involved.
A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following
a disaster. Among the options available the most common are mutual aid pact; empty shell or
cold site; recovery operations center or hot site; and internally provided backup.
Mutual Aid Pact A mutual aid pact is an agreement between two or more organizations (with
compatible computer facilities) to aid each other with their data processing needs in the event of a
disaster. In such event the host company must disrupt its processing schedule to process the
critical transactions of the disaster-stricken company. In effect, the host company itself must go into
an emergency operation mode and cut back on the processing of its lower-priority applications to
accommodate the sudden increase in demand for its IT resources.
Empty Shell The empty or cold site plan is an arrangement wherein the company buys
or leases a building that will serve as data center. In the event of disaster, the shell is available and
ready to receive whatever hardware the temporary user needs to run essential systems.
Recovery Operations Center. A recovery operations center (ROC) or hot site is a fully
equipped backup data center that many companies share. In addition to hardware and backup
facilities, ROC service providers offer a range of technical services to their clients, who pay an
annual fee for the access rights. In the event of a major disaster, a subscriber can occupy the
premises and, within a few hours, resume processing critical applications.
Internally Provided Backup Larger organizations with multiple data processing centers
often prefer the self-reliance that creating internal excess capacity provides. This permits to develop
standardized hardware and software configurations, which ensure functional compatibility among
their data processing centers and minimize cutover problems in the event of a disaster.
Backup and Off-Site Storage Procedures All data files, applications, documentation, and
supplies needed to perform critical functions should be automatically backed up and stored at a
secured off-site location. Data processing personnel should routinely perform backup and storage
procedures to obtain and secure these critical resources.
Operating System Backup If the company uses a cold site or other method of site backup that
does not include a compatible operating system (O/S), procedures for obtaining a current version of
the operating system need to be clearly specified. The data librarian, if one exists would be a key
person to involve in performing this task in addition to the applications and data backups procedures
discussed next.
Application Backup Based on results obtained in the critical applications step discussed
previously, the DRP should include procedures to create copies of current versions of critical
application.
Backup Data Files The state-of-the-art in database backup is the remote mirrored site, which
provides complete data currency. Not all organizations are willing or able to invest in such backup
resources.
Backup Documentation The system documentation for the critical applications should be backed
up and stored off-site along with the applications. System documentation can constitute a significant
amount of material and the backup process is complicated further by frequent application changes.
Documentation backup may, however, be simplified and made more efficient through the use of
Computer Aided Software Engineering (CASE) documentation tools.
Backup Supplies and Source Documents The organization should create backup inventories
of supplies and source documents used in processing critical transactions. Examples of critical
supplies are check stocks, invoices, purchase orders, and any other special purpose forms that
cannot be obtained immediately.
Testing the DRY. The most neglected aspect of contingency planning is testing the DRP.
Nevertheless, DRP tests are important and should be performed periodically. Tests measures the
preparedness of personnel and identify omissions or bottlenecks in the plan.
Audit Objectives
The auditor should verify that management’s disaster recovery plan is adequate and feasible for
dealing with a catastrophe that could deprive the organization of its computing resources.
Audit Procedures
In verifying that management’s DRP is a realistic solution for dealing with a catastrophe, the
following tests may be performed.
Site Backup The auditor should evaluate the adequacy of the backup site arrangement. System
incompatibility and human nature both greatly reduce the effectiveness of the mutual aid pact.
Critical Application List The auditor should review the list of critical applications to ensure that
it is complete. Missing applications can result in failure to recover. The same is true, however, for
restoring unnecessary application. To include applications on the critical list that are not needed to
achieve short-term survival can misdirect resources and distract attention from the primary objective
during the recovery period.
Software Backup The auditor should verify that copies of critical applications and operating
systems are stored off-site. The auditor should also verify that the applications stored off-site are
current by comparing their version numbers with those of the actual applications in use.
Data backup. The auditor should verify that critical data files are backed up in accordance with the
DRP.
Disaster Recovery Team. The DRP should clearly list the names, addresses, and emergency
telephone numbers of the disaster recovery team members. The auditor should verify that members
of the team are current employees and are aware of their assigned responsibilities.