Controls
Chapter 2
Learning Objectives
• Understand the risks of incompatible functions
and how to structure the IT function
• Be familiar with the controls and precautions
required to ensure the security of an
organization’s computer facilities
• Understand the key elements of a disaster
recovery plan
• Be familiar with the benefits, risks, and audit
issues related to IT outsourcing
IT Governance
• Subset of corporate governance that focuses on
the management and assessment of strategic IT
resources
• Key objectives are to reduce risk and ensure
investments in IT resources add value to the
corporation
• All corporate stakeholders must be active
participants in key IT decisions
IT Governance Controls
• Three IT governance issues addressed by SOX
and the COSO internal control framework:
▫ Organizational structure of the IT function
▫ Computer center operations
▫ Disaster recovery planning
Structure of the Corporate IT Function
• Under the centralized data processing model, all
data processing is performed at a central site.
• End users compete for resources based on need
▫ Operating costs charged back to end user
• Primary service areas:
▫ Database administrator
▫ Data processing consisting of data control/data
entry
▫ System development and maintenance
Structure of the Corporate IT Function
• Participants in systems development activities
include systems professionals, end users and
stakeholders.
Alternative Organization of Systems Development
Alternative Organization of Systems Development Problems
• Two control problems with segregating systems
analysis from applications programming
Assertion | Example management assertion | Example audit procedure
Existence or Occurrence | Inventories listed on the balance sheet exist. | Observe the counting of physical inventory.
Completeness | Accounts payable include all obligations to vendors for the period. | Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period.
Rights and Obligations | Plant and equipment listed in the balance sheet are owned by the entity. | Review purchase agreements, insurance policies, and related documents.
Valuation and Allocation | Accounts receivable are stated at net realizable value. | Review the entity's aging of accounts and evaluate the adequacy of the allowance for uncollectible accounts.
Presentation and Disclosure | Contingencies not reported in financial accounts are properly disclosed in footnotes. | Obtain information from the entity's lawyers about the status of litigation and estimates of potential loss.
Risks Associated with Distributed Data Processing (DDP)
• Inefficient use of resources:
▫ Mismanagement of IT resources by end users.
▫ Operational inefficiencies due to redundant tasks
being performed.
▫ Hardware and software incompatibility among
end-user functions.
• Lack of standards
Controlling the DDP Environment
• Implement a corporate IT function:
▫ Central testing of commercial software and
hardware
▫ User services to provide technical help
▫ Standard-setting body
▫ Personnel review
Audit Procedures for the DDP
• Audit Procedures in a centralized IT
organization:
▫ Review relevant documentation to determine if
individuals or groups are performing incompatible
functions
▫ Review systems documentation and maintenance
records to verify maintenance programmers are
not designers
▫ Observe to determine if segregation policy is being
followed
Audit Procedures for the DDP
• Audit Procedures in a distributed IT organization:
▫ Review relevant documentation to determine if
individuals or groups are performing incompatible
duties
▫ Verify corporate policies and standards are published
and provided to distributed IT units
▫ Verify compensating controls are in place when
needed
▫ Review system documentation to verify applications,
procedures and database are in accordance with
standards
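As an added example (not from the slides), the documentation review above can be partly automated: the check below flags people who hold two functions the slides treat as incompatible (systems analysis with applications programming; systems design with maintenance programming) and then drops conflicts in distributed units that document a compensating control. The people, unit names and role records are constructed sample data.

```python
from collections import defaultdict

# Pairs of functions the slides say should be segregated. Any further pairs
# would come from the organization's own policy (constructed here).
INCOMPATIBLE = {
    frozenset({"systems_analysis", "applications_programming"}),
    frozenset({"systems_design", "maintenance_programming"}),
}

# Constructed sample assignments: (person, IT unit, function), as an auditor
# might extract from system documentation or an HR roster.
ASSIGNMENTS = [
    ("alice", "corporate_it", "systems_analysis"),
    ("alice", "corporate_it", "applications_programming"),  # conflict
    ("bob",   "corporate_it", "systems_design"),
    ("carol", "plant_a",      "systems_design"),
    ("carol", "plant_a",      "maintenance_programming"),   # conflict
    ("dave",  "plant_b",      "data_entry"),
]

def find_conflicts(assignments, incompatible=INCOMPATIBLE):
    """Return sorted (person, unit, function_a, function_b) tuples for every
    person who holds two functions marked as incompatible."""
    held = defaultdict(set)
    unit_of = {}
    for person, unit, function in assignments:
        held[person].add(function)
        unit_of[person] = unit
    conflicts = []
    for person, functions in held.items():
        for pair in incompatible:
            if pair <= functions:
                a, b = sorted(pair)
                conflicts.append((person, unit_of[person], a, b))
    return sorted(conflicts)

def unmitigated(conflicts, compensated_units):
    """Keep only conflicts in units with no documented compensating control
    (slide: 'verify compensating controls are in place when needed')."""
    return [c for c in conflicts if c[1] not in compensated_units]

if __name__ == "__main__":
    found = find_conflicts(ASSIGNMENTS)
    for person, unit, a, b in unmitigated(found, {"plant_a"}):
        print(f"{person} ({unit}) holds {a} and {b} with no compensating control")
```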
The Computer Center
• Physical location:
▫ Directly affects risk of destruction from a disaster
▫ Away from hazards and traffic
• Construction:
▫ Ideally: single-story, solidly constructed with
underground utilities
▫ Windows should not open and an air filtration system
should be in place
• Access:
▫ Should be limited with locked doors, cameras, key
card entrance and sign-in logs
The Computer Center
• Air conditioning should provide appropriate
temperature and humidity for computers
• Fire suppression:
▫ Alarms, fire extinguishing system, appropriate
construction, fire exits
The Computer Center
• Fault tolerance is the ability of the system to
continue operation when part of the system fails
▫ Total failure can occur only if multiple
components fail
▫ Redundant arrays of independent disks (RAID)
involves using parallel disks with redundant data
and applications so if one disk fails, lost data can
be reconstructed
▫ Uninterruptible power supplies
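As an added example (not from the slides), the RAID principle above modelled as XOR parity: one stripe is spread over several data disks plus one parity disk, any single missing block (data or parity) is rebuilt as the XOR of the survivors, and losing two disks at once is reported as unrecoverable. The sample stripe contents are constructed.

```python
def xor_blocks(blocks):
    """XOR a list of equal-length byte strings together."""
    out = bytes(len(blocks[0]))
    for b in blocks:
        out = bytes(x ^ y for x, y in zip(out, b))
    return out

def build_stripe(data_blocks):
    """Return the per-disk contents for one stripe: data blocks + parity."""
    size = len(data_blocks[0])
    if any(len(b) != size for b in data_blocks):
        raise ValueError("all blocks in a stripe must be the same size")
    return list(data_blocks) + [xor_blocks(data_blocks)]

def recoverable(disks):
    """Single-parity RAID survives exactly one failed disk (a None entry):
    total failure occurs only if multiple components fail."""
    return sum(d is None for d in disks) <= 1

def rebuild(disks):
    """Return the stripe with the one failed disk reconstructed."""
    if not recoverable(disks):
        raise ValueError("more than one disk lost: stripe is unrecoverable")
    failed = [i for i, d in enumerate(disks) if d is None]
    if not failed:
        return list(disks)
    survivors = [d for d in disks if d is not None]
    repaired = list(disks)
    repaired[failed[0]] = xor_blocks(survivors)
    return repaired

if __name__ == "__main__":
    # Constructed sample stripe of three 8-byte blocks on three data disks.
    stripe = build_stripe([b"ledger01", b"payroll2", b"invoice3"])
    degraded = stripe[:1] + [None] + stripe[2:]   # disk 1 fails
    print(rebuild(degraded)[1])                    # b'payroll2'
```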
Disaster Recovery Planning
• A disaster recovery plan is a statement of all
actions to be taken before, during and after any
type of disaster. Four (4) common features:
▫ Identify critical applications:
- Short-term survival requires restoration of cash-flow-generating functions
- Applications supporting those functions should be identified and prioritized in the restoration plan
- The task of identifying critical items and prioritizing applications requires active participation of user departments, accountants and auditors
Disaster Recovery Planning
▫ Create a disaster recovery team:
- Team members should be experts in their areas and have assigned tasks
▫ Provide second-site backup:
- A necessary ingredient of a DRP is that it provides for duplicate data processing facilities following a disaster
▫ Specify backup and off-site storage procedures:
- All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location
Second-Site Backups
• A mutual aid pact is an agreement between
organizations to aid each other with data
processing in a disaster