Auditing IT Governance Controls
Chapter 2
Learning Objectives
• Understand the risks of incompatible functions
and how to structure the IT function
• Be familiar with the controls and precautions
required to ensure the security of an
organization’s computer facilities
• Understand the key elements of a disaster
recovery plan
• Be familiar with the benefits, risks, and audit
issues related to IT outsourcing
IT Governance
• Subset of corporate governance that focuses on
the management and assessment of strategic IT
resources
• Key objectives are to reduce risk and ensure
investments in IT resources add value to the
corporation
• All corporate stakeholders must be active
participants in key IT decisions
IT Governance Controls
• Three IT governance issues addressed by SOX
and the COSO internal control framework:
▫ Organizational structure of the IT function
▫ Computer center operations
▫ Disaster recovery planning
Structure of the Corporate IT Function
• Under the centralized data processing model, all
data processing is performed at a central site.
• End users compete for resources based on need
▫ Operating costs charged back to end user
• Primary service areas:
▫ Database administrator
▫ Data processing consisting of data control/data
entry
▫ System development and maintenance
Structure of the Corporate IT Function
• Participants in systems development activities
include systems professionals, end users and
stakeholders.
Structure of the Corporate IT Function
Alternative Organization of Systems Development
Alternative Organization of Systems Development Problems
• Two control problems with segregating systems
analysis from applications programming
• Inadequate documentation is a chronic problem
▫ Documenting systems is not an interesting task
▫ Lack of documentation provides job security for
the programmer who coded it.
Alternative Organization of Systems Development Problems
• When the systems programmer has maintenance
responsibilities, the potential for fraud is increased
▫ May have concealed fraudulent code in the system
▫ Having sole responsibility for maintenance may
allow the programmer to conceal the code for
years
Structure of the Corporate IT Function
Segregation of Incompatible IT Functions
• Systems development from computer operations
▫ Relationship between groups should be formal
and responsibilities should not be commingled.
• Database administration from other functions
▫ DBA function is responsible for many critical tasks
and needs to be organizationally independent of
operations, systems development and
maintenance
Segregation of Incompatible IT Functions
• New systems development from maintenance
▫ Improves documentation standards because the
maintenance group requires documentation
▫ Denying the original programmer future access deters
program fraud
The Distributed Model
• Distributed Data Processing (DDP) involves
reorganizing central IT function into small IT
units that are placed under the control of end
users
• Two alternatives:
▫ Alternative A: Variant of centralized model with
terminals or microcomputers distributed to end
users for handling input and output.
▫ Alternative B: Distributes all computer services to
the end users, where they operate as stand-alone
units.
The Distributed Model
Audit Objectives and Audit Procedures Based on Management Assertions
▫ Management assertion: Existence or Occurrence
 Audit objective: Inventories listed on the balance sheet exist.
 Audit procedure: Observe the counting of physical inventory.
▫ Management assertion: Completeness
 Audit objective: Accounts payable include all obligations to vendors for the period.
 Audit procedure: Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period.
▫ Management assertion: Rights and Obligations
 Audit objective: Plant and equipment listed in the balance sheet are owned by the entity.
 Audit procedure: Review purchase agreements, insurance policies, and related documents.
▫ Management assertion: Valuation and Allocation
 Audit objective: Accounts receivable are stated at net realizable value.
 Audit procedure: Review the entity’s aging of accounts and evaluate the adequacy of the allowance for uncollectible accounts.
▫ Management assertion: Presentation and Disclosure
 Audit objective: Contingencies not reported in financial accounts are properly disclosed in footnotes.
 Audit procedure: Obtain information from the entity’s lawyers about the status of litigation and estimates of potential loss.
Risks Associated with DDP
• Inefficient use of resources:
▫ Mismanagement of IT resources by end users.
▫ Operational inefficiencies due to redundant tasks
being performed.
▫ Hardware and software incompatibility among
end-user functions.

• Destruction of audit trails
Risks Associated with DDP
• Inadequate segregation of duties
• Hiring qualified professionals:
▫ Risk of programming errors and system failures
increases directly with the level of employee
incompetence
• Lack of standards
Controlling the DDP Environment
• Implement a corporate IT function:
▫ Central testing of commercial software and
hardware
▫ User services to provide technical help
▫ Standard-setting body
▫ Personnel review
Audit Procedures for the DDP
• Audit Procedures in a centralized IT
organization:
▫ Review relevant documentation to determine if
individuals or groups are performing incompatible
functions
▫ Review systems documentation and maintenance
records to verify maintenance programmers are
not designers
▫ Observe to determine if segregation policy is being
followed
Audit Procedures for the DDP
• Audit Procedures in a distributed IT organization:
▫ Review relevant documentation to determine if
individuals or groups are performing incompatible
duties
▫ Verify corporate policies and standards are published
and provided to distributed IT units
▫ Verify compensating controls are in place when
needed
▫ Review system documentation to verify applications,
procedures and database are in accordance with
standards
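The segregation rules on the "Segregation of Incompatible IT Functions" slides and the first two audit procedures above can be expressed as a check over staffing records. The following is an added example, not material from the chapter; the function labels, roster and design/maintenance records are constructed for illustration.

```python
# Added example (not from the chapter): a segregation-of-duties check over a
# constructed staff roster, using the incompatible IT functions named on the slides.
from itertools import combinations

# Function labels are assumptions made for this example.
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "maintenance"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "maintenance"}),
}

# Constructed sample roster: person (or group) -> IT functions performed.
SAMPLE_ROSTER = {
    "alice": ["systems_development"],
    "bob": ["computer_operations", "systems_development"],
    "carol": ["database_administration", "maintenance"],
    "dave": ["maintenance"],
}
# Constructed sample records: application -> people who designed / maintain it.
SAMPLE_DESIGN_LOG = {"payroll": ["alice", "bob"], "billing": ["alice"]}
SAMPLE_MAINTENANCE_LOG = {"payroll": ["dave"], "billing": ["alice", "dave"]}


def find_incompatible_assignments(roster):
    """First audit procedure: list (person, function_a, function_b) for every
    pair of incompatible functions held by the same person or group."""
    findings = []
    for person, functions in roster.items():
        for a, b in combinations(sorted(set(functions)), 2):
            if frozenset({a, b}) in INCOMPATIBLE_PAIRS:
                findings.append((person, a, b))
    return findings


def find_designers_doing_maintenance(design_log, maintenance_log):
    """Second audit procedure: maintenance programmers must not be the
    original designers of the application they maintain."""
    findings = []
    for app, maintainers in maintenance_log.items():
        designers = set(design_log.get(app, []))
        findings.extend((app, m) for m in maintainers if m in designers)
    return findings


if __name__ == "__main__":
    for person, a, b in find_incompatible_assignments(SAMPLE_ROSTER):
        print(f"{person}: holds incompatible functions {a} and {b}")
    for app, who in find_designers_doing_maintenance(SAMPLE_DESIGN_LOG, SAMPLE_MAINTENANCE_LOG):
        print(f"{app}: maintained by its original designer {who}")
```

In a distributed organization the same check is run per IT unit, with the corporate standards supplying the pair list.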
The Computer Center
• Physical location:
▫ Directly affects risk of destruction from a disaster
▫ Away from hazards and traffic
• Construction:
▫ Ideally: single-story, solidly constructed with
underground utilities
▫ Windows should not open and an air filtration system
should be in place
• Access:
▫ Should be limited with locked doors, cameras, key
card entrance and sign-in logs
The Computer Center
• Air conditioning should provide appropriate
temperature and humidity for computers

• Fire suppression:
▫ Alarms, fire extinguishing system, appropriate
construction, fire exits
The Computer Center
• Fault tolerance is the ability of the system to
continue operation when part of the system fails
▫ Total failure can occur only if multiple
components fail
▫ Redundant arrays of independent disks (RAID)
involves using parallel disks with redundant data
and applications so if one disk fails, lost data can
be reconstructed
▫ Uninterruptible power supplies
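The RAID point above (one failed disk, data still reconstructable) rests on parity: each stripe stores the XOR of its data blocks, so any single missing block is the XOR of the rest. The following is an added example, not from the chapter, with block and array sizes constructed for the demonstration.

```python
# Added example (not from the chapter): RAID-style striping with rotating XOR
# parity, showing how a failed disk is rebuilt from the surviving disks.
def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is a stripe's parity block."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def stripe(data, n_data_disks, block_size):
    """Write data across n_data_disks + 1 disks: each stripe holds n_data_disks
    data blocks plus one parity block, with the parity position rotating."""
    stripe_bytes = n_data_disks * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)   # pad to whole stripes
    disks = [[] for _ in range(n_data_disks + 1)]
    for s in range(len(padded) // stripe_bytes):
        base = s * stripe_bytes
        chunks = [padded[base + d * block_size: base + (d + 1) * block_size]
                  for d in range(n_data_disks)]
        p = s % (n_data_disks + 1)                # parity disk for this stripe
        blocks = chunks[:p] + [xor_blocks(chunks)] + chunks[p:]
        for disk, blk in zip(disks, blocks):
            disk.append(blk)
    return disks


def rebuild_disk(disks, failed):
    """Reconstruct every block of the failed disk: the XOR of the same block on
    all surviving disks equals the missing block, data or parity alike."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def read_back(disks, length):
    """Reassemble the original data, skipping each stripe's parity block."""
    out = bytearray()
    for s in range(len(disks[0])):
        p = s % len(disks)
        for i, disk in enumerate(disks):
            if i != p:
                out += disk[s]
    return bytes(out[:length])


def recover_after_failure(data, failed, n_data_disks=3, block_size=4):
    """Stripe data, lose one disk entirely, rebuild it, and read the data back."""
    disks = stripe(data, n_data_disks, block_size)
    disks[failed] = None                          # simulate the disk failure
    disks[failed] = rebuild_disk(disks, failed)
    return read_back(disks, len(data))
```

Two simultaneous failures defeat single parity, which is why the slide pairs RAID with backups and a DRP rather than treating it as one.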
Disaster Recovery Planning
• A disaster recovery plan is a statement of all
actions to be taken before, during and after any
type of disaster. Four (4) common features:
▫ Identify critical applications:
 Short-term survival requires restoration of cash flow
generating functions
 Applications supporting those functions should be
identified and prioritized in the restoration plan
 Task of identifying critical items and prioritizing
applications requires active participation of user
departments, accountants and auditors
Disaster Recovery Planning
▫ Create a disaster recovery team:
 Team members should be experts in their areas and
have assigned tasks
▫ Provide second-site backup:
 Necessary ingredient in a DRP is that it provides for
duplicate data processing facilities following a
disaster
▫ Specify back-up and off-site storage procedures:
 All data files, applications, documentation and
supplies needed to perform critical functions should
be automatically backed up and stored at a secure
off-site location
Second-Site Backups
• Mutual aid pact is an agreement between
organizations to aid each other with data
processing in a disaster
• Empty shell or cold site plan involves obtaining a
building to serve as a data center in a disaster
▫ Recovery depends on timely availability of
hardware
Second-Site Backups
• Recovery operations center or hot site plan is a
fully equipped site that many companies share
• Internally provided backup may be preferred by
organizations with many data processing centers
DRP Audit Procedures
• To verify DRP is a realistic solution, the following
tests may be performed:
 Evaluate adequacy of backup site arrangements
 Review list of critical applications for completeness
 Verify copies of critical applications and operating
systems are stored off-site
 Verify critical data files are backed up in accordance with
the DRP
 Verify that types and quantities of items specified in the
DRP exist in a secure location
 Verify disaster recovery team members are current
employees and aware of their assigned responsibilities
Outsourcing the IT Function
• Benefits of IT outsourcing include:
 Improved core business processes
 Improved IT performance
 Reduced IT costs
• Logic underlying outsourcing follows from core
competency theory, which argues an organization
should focus on its core business competencies.
This ignores an important distinction between:
 Commodity IT assets which are not unique to an
organization and easily acquired in the marketplace
 Specific IT assets which are unique and support an
organization’s strategic objectives
Outsourcing the IT Function

• Transaction cost economics (TCE) suggests
firms should retain specific non-core IT assets in
house
▫ Those that cannot be easily replaced once they are
given up in an outsourcing arrangement
Outsourcing the IT Function
• Cloud computing is location-independent
computing whereby shared data centers deliver
hosted IT services over the internet. Offers three
(3) primary classes of computing services:
▫ Software-as-a-Service (SaaS)
▫ Infrastructure-as-a-Service (IaaS)
▫ Platform-as-a-Service (PaaS)
Outsourcing the IT Function
• Virtualization has unleashed cloud computing
▫ Network virtualization increases effective network
bandwidth, optimizes network speed, flexibility,
and reliability, and improves network scalability.
▫ Storage virtualization is the pooling of physical
storage from multiple devices into what appears to
be a single virtual storage device.
Outsourcing the IT Function
• Cloud computing is not realistic for large firms
▫ Typically have massive IT investments and
therefore are not inclined to turn over their IT
operations to a cloud vendor
▫ May have critical functions running on legacy
systems that could not be easily migrated to the
cloud
▫ Commodity provision approach of the cloud
incompatible with the need for unique strategic
information
Risk Inherent to IT Outsourcing
• Failure to perform
• Vendor exploitation
• Outsourcing costs exceed benefits
• Reduced security
• Loss of strategic advantage
Audit Implications of IT Outsourcing
• Use of a service organization does not reduce
management’s responsibilities under SOX for
ensuring adequate IT internal controls
• SSAE 16 replaced SAS 70 and is the definitive
standard by which auditors can gain knowledge
that processes and controls at third-party
vendors are adequate to prevent or detect
material errors
▫ Report provides the service provider’s system
description using either the carve-out or the
inclusive method
Audit Implications of IT Outsourcing
