Chapter 2 IT Governance

© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. IT Auditing, Hall, 3e

Upload: nadessarmiento

Post on 27-Jan-2016

Page 1: Chapter 2 IT Governance


Page 2: Chapter 2 IT Governance

IT Governance: subset of corporate governance that focuses on the management and assessment of strategic IT resources

Key objectives:

◦ Reduce risk

◦ Ensure investments in IT resources add value to the corporation

All employees and stakeholders must be active participants in key IT decisions

Page 3: Chapter 2 IT Governance

Three IT governance issues addressed by SOX and the COSO internal control framework:

◦ Organizational structure of the IT function

◦ Computer center operations

◦ Disaster recovery planning

For each issue:

◦ Nature of risk associated with the issue

◦ Controls used to mitigate risk

◦ Audit objectives

◦ Tests of controls

Page 4: Chapter 2 IT Governance

Centralized data processing [see Figure 2-1]

Organizational chart [see Figure 2-2]:

◦ Database administrator

◦ Data processing manager/dept.

◦ Data control

◦ Data preparation/conversion

◦ Computer operations

◦ Data library

Page 5: Chapter 2 IT Governance

Segregation of incompatible IT functions

Systems development & maintenance

Participants:

◦ End users

◦ IS professionals

◦ Auditors

◦ Other stakeholders

Page 6: Chapter 2 IT Governance

Segregation of incompatible IT functions

Objectives:

◦ Segregate transaction authorization from transaction processing

◦ Segregate record keeping from asset custody

◦ Divide transaction processing steps among individuals, so that perpetrating fraud requires collusion

Page 7: Chapter 2 IT Governance

Segregation of incompatible IT functions

Separating systems development from computer operations [see Figure 2-2]

Page 8: Chapter 2 IT Governance

Segregation of incompatible IT functions

Separating DBA from other functions

DBA is responsible for several critical tasks:

◦ Database security

◦ Creating database schema and user views

◦ Assigning database access authority to users

◦ Monitoring database usage

◦ Planning for future changes

Page 9: Chapter 2 IT Governance

Segregation of incompatible IT functions

Alternative 1: segregate systems analysis from programming [see Figure 2-3]

Two types of control problems from this approach:

Inadequate documentation

◦ A chronic problem. Why?

◦ Documenting is not interesting work

◦ Lack of documentation provides job security

◦ Assistance: use of CASE tools

Potential for fraud

◦ Examples: salami slicing, trap doors

Page 10: Chapter 2 IT Governance

Segregation of incompatible IT functions

Alternative 2: segregate systems development from maintenance [see Figure 2-2]

Two types of improvements from this approach:

Better documentation standards

◦ Necessary for transfer of responsibility

Deters fraud

◦ Possibility of being discovered

Page 11: Chapter 2 IT Governance

Segregation of incompatible IT functions

Segregate data library from operations

Physical security of off-line data files

Implications of modern systems on use of the data library:

◦ Real-time/online vs. batch processing

◦ Volume of tape files is insufficient to justify a full-time librarian

◦ Alternative: rotate on an ad hoc basis

◦ Custody of on-site data backups

◦ Custody of original commercial software and licenses

Page 12: Chapter 2 IT Governance

Segregation of incompatible IT functions

Audit objectives

Risk assessment

Verify incompatible areas are properly segregated. How would an auditor accomplish this objective?

Verify that formal, rather than informal, relationships exist between incompatible tasks. Why does it matter?

Page 13: Chapter 2 IT Governance

Segregation of incompatible IT functions

Audit procedures:

◦ Obtain and review security policy

◦ Verify policy is communicated

◦ Review relevant documentation (org. chart, mission statement, key job descriptions)

◦ Review systems documentation and maintenance records (using a sample)

◦ Verify whether maintenance programmers are also original design programmers

◦ Observe segregation policies in practice

◦ Review operations room access log

◦ Review user rights and privileges
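The audit procedures above end with reviewing maintenance records and user rights for conflicts. As an added example (not from the textbook), the Python below performs those two checks over a constructed user-rights listing and constructed design/maintenance records; the role names and the set of incompatible role pairs encode the chapter's segregations and are assumptions.

```python
"""Segregation-of-duties (SoD) checks over a user-rights listing and
systems/maintenance records. Added illustration; all data is constructed."""
from itertools import combinations

# Incompatible IT functions named in the chapter, encoded as role pairs
# (assumed role names). Holding both roles of a pair is a candidate violation.
INCOMPATIBLE_ROLES = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"design_programmer", "maintenance_programmer"}),
    frozenset({"dba", "systems_development"}),
    frozenset({"dba", "computer_operations"}),
    frozenset({"data_library", "computer_operations"}),
}

# Constructed sample: result of the "review user rights and privileges" step.
USER_ROLES = {
    "alice": {"design_programmer"},
    "bob": {"systems_development", "computer_operations"},
    "carol": {"dba", "systems_development"},
}

# Constructed sample: who designed and who now maintains each system.
DESIGN_RECORDS = {"payroll": {"alice", "bob"}, "ledger": {"alice"}}
MAINTENANCE_RECORDS = {"payroll": {"bob"}, "ledger": {"erin"}}


def find_sod_conflicts(user_roles, incompatible=INCOMPATIBLE_ROLES):
    """Return sorted (user, role_a, role_b) for every incompatible pair held."""
    conflicts = []
    for user, roles in user_roles.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in incompatible:
                conflicts.append((user, a, b))
    return sorted(conflicts)


def find_design_maintenance_overlap(design, maintenance):
    """Return {(system, person)} where a maintainer also designed that system."""
    overlap = set()
    for system, maintainers in maintenance.items():
        for person in maintainers & design.get(system, set()):
            overlap.add((system, person))
    return overlap


if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(USER_ROLES):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    for system, person in sorted(find_design_maintenance_overlap(
            DESIGN_RECORDS, MAINTENANCE_RECORDS)):
        print(f"{person} both designed and now maintains {system}")
```

The checks only cover the rights data they are given, so they complement, rather than replace, observing segregation in practice.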

Page 14: Chapter 2 IT Governance

Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users

Two alternatives shown in [see Figure 2-4]:

◦ Alternative A: centralized

◦ Alternative B: decentralized / network

Page 15: Chapter 2 IT Governance

Risks associated with DDP:

Inefficient use of resources

◦ Mismanagement of resources by end users

◦ Hardware and software incompatibility

◦ Redundant tasks

Destruction of audit trails

Inadequate segregation of duties

Hiring qualified professionals

Increased potential for errors

◦ Programming errors and system failures

◦ Lack of standards

Page 16: Chapter 2 IT Governance

Advantages of DDP:

Cost reduction

◦ End-user data entry vs. data control group

◦ Application complexity reduced

◦ Development and maintenance costs reduced

Improved cost control responsibility

◦ If IT is critical to success, then managers must control the technologies

Improved user satisfaction

◦ Increased morale and productivity

Backup flexibility

◦ Excess capacity for DRP

Page 17: Chapter 2 IT Governance

Need for careful analysis

Implement a corporate IT function:

◦ Central systems development

◦ Acquisition, testing, and implementation of commercial software and hardware

◦ User services (help desk: technical support, FAQs, chat room, etc.)

◦ Standard-setting body

◦ Personnel review of IT staff

Page 18: Chapter 2 IT Governance

Verify that the structure of the IT function is such that individuals in incompatible areas are segregated:

◦ In accordance with the level of potential risk

◦ And in a manner that promotes a working environment

Verify that formal relationships exist between incompatible tasks

Page 19: Chapter 2 IT Governance

Review the corporate policy on computer security

◦ Verify that the security policy is communicated to employees

Review documentation to determine if individuals or groups are performing incompatible functions

Review systems documentation and maintenance records

◦ Verify that maintenance programmers are not also design programmers

Page 20: Chapter 2 IT Governance

Physical location

◦ Avoid human-made and natural hazards

◦ Example: Chicago Board of Trade

Construction

◦ Ideally: single-story, underground utilities, windowless, use of filters

◦ If multi-storied building, use top floor (away from traffic flows, and potential flooding in a basement)

Access

◦ Physical: locked doors, cameras

◦ Manual: access log of visitors

Page 21: Chapter 2 IT Governance

Air conditioning

◦ Especially mainframes

◦ Amount of heat even from a group of PCs

Fire suppression

◦ Automatic: usually sprinklers

◦ Gas, such as halon, that smothers fire by removing oxygen can also kill anybody trapped there

◦ Sprinklers and certain chemicals can destroy the computers and equipment

◦ Manual methods

Power supply

◦ Need for clean power at an acceptable level

◦ Uninterruptible power supply

Page 22: Chapter 2 IT Governance

Physical security controls protect the computer center from physical exposures

Insurance coverage compensates the organization for damage to the computer center

Operator documentation addresses routine operations as well as system failures

Page 23: Chapter 2 IT Governance

Man-made threats and natural hazards

Underground utility and communications lines

Air conditioning and air filtration systems

Access limited to operators and computer center workers; others required to sign in and out

Fire suppression systems installed

Fault tolerance

◦ Redundant disks and other system components

◦ Backup power supplies

Page 24: Chapter 2 IT Governance

Review insurance coverage on hardware, software, and physical facility

Review operator documentation, run manuals, for completeness and accuracy

Verify that operational details of a system’s internal logic are not in the operator’s documentation

Page 25: Chapter 2 IT Governance

Disaster recovery plans (DRP) identify:

◦ Actions before, during, and after the disaster

◦ Disaster recovery team

◦ Priorities for restoring critical applications

Audit objective – verify that the DRP is adequate and feasible for dealing with disasters

Page 26: Chapter 2 IT Governance

Disaster Recovery Plan

1. Critical Applications – Rank critical applications so an orderly and effective restoration of computer systems is possible.

2. Create Disaster Recovery Team – Select team members, write job descriptions, describe the recovery process in terms of who does what.

3. Site Backup – A backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or a branch of the same company swaps availability when needed.

4. Hardware Backup – Some vendors provide computers with their site, known as a hot site or Recovery Operations Center. Some do not provide hardware, known as a cold site. When hardware is not available, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).

5. System Software Backup – Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.

6. Application Software Backup – Make sure copies of critical applications are available at the backup site.

7. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.

8. Supplies – A modest inventory of supplies should be at the backup site or be deliverable quickly.

9. Documentation – An adequate set of copies of user and system documentation.

10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).

Page 27: Chapter 2 IT Governance

Major IC concerns:

◦ Second-site backups

◦ Critical applications and databases, including supplies and documentation

◦ Back-up and off-site storage procedures

◦ Disaster recovery team

◦ Testing the DRP regularly

Page 28: Chapter 2 IT Governance

Empty shell – involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without computer equipment

Recovery operations center – a completely equipped site; very costly and typically shared among many companies

Internally provided backup – companies with multiple data processing centers may create internal excess capacity

Page 29: Chapter 2 IT Governance

Evaluate adequacy of second-site backup arrangements

Review list of critical applications for completeness and currency

Verify that procedures are in place for storing off-site copies of applications and data

◦ Check currency of back-ups and copies

Page 30: Chapter 2 IT Governance

Verify that documentation, supplies, etc., are stored off-site

Verify that the disaster recovery team knows its responsibilities

◦ Check frequency of testing the DRP
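As an added example (not from the textbook), the Python below performs the "check currency of back-ups and copies" step, together with the test-restore point from DRP step 7, over a constructed backup register for a constructed list of critical applications; the register fields, the 30-day threshold and the as-of date are assumptions.

```python
"""Currency checks for a DRP's off-site backups. Added illustration;
the application list, backup register and thresholds are constructed."""
from datetime import date

# Constructed: critical applications in restoration priority order (step 1).
CRITICAL_APPS = ["ledger", "payroll", "inventory"]
# Constructed: the date the review is performed.
AS_OF = date(2011, 3, 10)

# Constructed backup register. location is "onsite" or "offsite";
# restore_tested is the last successful test restore of that copy, or None.
BACKUPS = [
    {"app": "ledger", "taken": date(2011, 3, 1), "location": "offsite",
     "restore_tested": date(2011, 3, 2)},
    {"app": "ledger", "taken": date(2011, 3, 8), "location": "onsite",
     "restore_tested": None},
    {"app": "payroll", "taken": date(2010, 11, 15), "location": "offsite",
     "restore_tested": None},
    {"app": "inventory", "taken": date(2011, 3, 8), "location": "onsite",
     "restore_tested": date(2011, 3, 8)},   # on-site copy only
]


def drp_findings(apps, backups, as_of, max_age_days=30):
    """Return [(app, finding)] in priority order. Only off-site copies count,
    since an on-site copy is lost together with the site; a copy is flagged
    when missing, older than max_age_days, or never test-restored."""
    findings = []
    for app in apps:
        offsite = [b for b in backups
                   if b["app"] == app and b["location"] == "offsite"]
        if not offsite:
            findings.append((app, "no off-site copy"))
            continue
        newest = max(offsite, key=lambda b: b["taken"])
        if (as_of - newest["taken"]).days > max_age_days:
            findings.append((app, "off-site copy stale"))
        if not any(b["restore_tested"] for b in offsite):
            findings.append((app, "off-site copy never test-restored"))
    return findings


if __name__ == "__main__":
    for app, finding in drp_findings(CRITICAL_APPS, BACKUPS, AS_OF):
        print(f"{app}: {finding}")
```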

Page 31: Chapter 2 IT Governance

Improved core business processes

Improved IT performance

Reduced IT costs

Page 32: Chapter 2 IT Governance

Failure to perform

Vendor exploitation

Costs exceed benefits

Reduced security

Loss of strategic advantage

Page 33: Chapter 2 IT Governance

Management retains SOX responsibilities

SAS No. 70 report or audit of vendor will be required