Auditing IT Governance Controls
Three IT governance issues that are addressed by Sarbanes-Oxley (SOX) and the COSO internal control framework:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION
1. Centralized Data Processing
Key functions
1. Database Administration
An independent group headed by the database administrator (DBA) is
responsible for the security and integrity of the database.
2. Data Processing
The data processing group manages the computer resources used to
perform the day-to-day processing of transactions.
2. Data Processing consists of:
Segregation of Incompatible IT Functions
Operational tasks should be segregated to:
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.
Separating Systems Development from Computer Operations
With detailed knowledge of the application’s logic and control parameters and access to the
computer’s operating system and utilities, an individual could make unauthorized changes
to the application during its execution.
Risks Associated with DDP
Inefficient Use of Resources. DDP can expose an organization to three types of risks associated with inefficient use of organizational resources.
Destruction of Audit Trails. An audit trail provides the linkage
between a company’s financial activities (transactions) and the
financial statements that report on those activities.
Inadequate Segregation of Duties. Achieving an adequate segregation
of duties may not be possible in some distributed environments.
Hiring Qualified Professionals. End-user managers may lack the IT
knowledge to evaluate the technical credentials and relevant
experience of candidates applying for IT professional positions.
Lack of Standards. Because of the distribution of responsibility in the
DDP environment, standards for developing and documenting
systems, choosing programming languages, acquiring hardware and
software, and evaluating performance may be unevenly applied or
even nonexistent.
Advantages of DDP
Cost Reductions. DDP has reduced costs in two other areas: (1) data can be
edited and entered by the end user, thus eliminating the centralized task of
data preparation; and (2) application complexity can be reduced, which in
turn reduces systems development and maintenance costs.
Improved Cost Control Responsibility. End-user managers carry the
responsibility for the financial success of their operations.
Improved User Satisfaction. DDP improves user satisfaction in three areas: (1) users desire to control the resources that influence their profitability; (2) users want systems professionals to be responsive to their specific situation; and (3) users want to become more actively involved in developing and implementing their own systems.
Backup Flexibility. The final argument in favor of DDP is the ability to back
up computing facilities to protect against potential disasters such as fires,
floods, sabotage, and earthquakes.
Controlling the DDP Environment
Audit Procedures
Audit procedures under centralized IT function:
✓ Verify that computer operators do not have access to the operational details
of a system’s internal logic. Systems documentation, such as systems
flowcharts, logic flowcharts, and program code listings, should not be part
of the operation’s documentation set.
✓ Through observation, determine that segregation policy is being followed in
practice. Review operations room access logs to determine whether
programmers enter the facility for reasons other than system failures.
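The second procedure above (reviewing operations room access logs for programmer entries not explained by a system failure) is easy to automate once the badge log, the HR roster and the incident tickets are available as data. The script below is an added example, not part of the original slides or the textbook they summarize; the log field layout, roster, incident windows and badge IDs are all constructed sample data, and the 15-minute grace period around a ticketed failure is an assumed tolerance.

```python
"""Added example (not from the original slides): flag operations room
entries by programmers that no system-failure ticket explains, plus entries
by badges that are not on the HR roster.  All data below is constructed."""
from datetime import datetime, timedelta

# Constructed badge log: "timestamp,badge_id,door,direction" (assumed layout)
ACCESS_LOG = """\
2024-03-04T09:12:00,B1001,OPS-ROOM,IN
2024-03-04T09:40:00,B1001,OPS-ROOM,OUT
2024-03-04T14:05:00,B2002,OPS-ROOM,IN
2024-03-04T14:30:00,B2002,OPS-ROOM,OUT
2024-03-05T02:17:00,B2002,OPS-ROOM,IN
2024-03-05T03:05:00,B2002,OPS-ROOM,OUT
2024-03-06T11:00:00,B3003,OPS-ROOM,IN
2024-03-06T16:45:00,B9999,OPS-ROOM,IN
"""

# Constructed HR roster: badge -> (name, job role)
ROSTER = {
    "B1001": ("operator-1", "computer operator"),
    "B2002": ("dev-1", "systems programmer"),
    "B3003": ("dev-2", "application programmer"),
}
PROGRAMMER_ROLES = {"systems programmer", "application programmer"}

# Constructed incident tickets: (start, end) of declared system failures
INCIDENTS = [
    (datetime(2024, 3, 5, 2, 0), datetime(2024, 3, 5, 4, 0)),
]
GRACE = timedelta(minutes=15)  # assumed tolerance around a ticketed window


def parse_log(text):
    """Parse the badge log into (timestamp, badge, door, direction) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction = line.split(",")
        entries.append((datetime.fromisoformat(ts), badge, door, direction))
    return entries


def covered_by_incident(ts):
    """True if some ticketed system failure (plus grace) covers the time."""
    return any(start - GRACE <= ts <= end + GRACE for start, end in INCIDENTS)


def programmer_entries_without_incident(log_text, door="OPS-ROOM"):
    """Return audit findings: programmer entries with no covering ticket,
    and entries by badges that are not on the roster."""
    findings = []
    for ts, badge, d, direction in parse_log(log_text):
        if d != door or direction != "IN":
            continue
        if badge not in ROSTER:
            findings.append({"time": ts.isoformat(), "badge": badge,
                             "name": None, "role": None,
                             "reason": "badge not in roster"})
            continue
        name, role = ROSTER[badge]
        if role in PROGRAMMER_ROLES and not covered_by_incident(ts):
            findings.append({"time": ts.isoformat(), "badge": badge,
                             "name": name, "role": role,
                             "reason": "no system-failure ticket covers entry"})
    return findings


if __name__ == "__main__":
    for f in programmer_entries_without_incident(ACCESS_LOG):
        print(f"{f['time']}  {f['badge']:<6} {f['name'] or '-':<10} {f['reason']}")
```

Each finding is a question for the auditor to put to operations management, not proof of a violation; the entry during the ticketed 02:00 to 04:00 failure on 5 March is correctly left out, while the unrostered badge is reported separately because it points at a roster or badge-management weakness rather than a segregation breach.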
THE COMPUTER CENTER
The following are areas of potential exposure to risk that can impact the quality of information, accounting records, transaction processing, and the effectiveness of other more conventional internal controls.
Risk Areas
1. Physical Location
2. Construction
3. Access
4. Air Conditioning
5. Fire Suppression
6. Fault Tolerance
a. Redundant arrays of independent disks (RAID).
b. Uninterruptible power supplies.
AUDIT OBJECTIVES
Audit Procedures
✓ Tests of Physical Construction. The auditor should obtain architectural
plans to determine that the computer center is solidly built of fireproof
material.
✓ Tests of the Fire Detection System. The auditor should establish that fire
detection and suppression equipment, both manual and automatic, are in
place and tested regularly.
✓ Tests of Access Control. The auditor must establish that routine access to
the computer center is restricted to authorized employees.
✓ Tests of RAID. The auditor should determine, through mapping, whether the level of RAID in place is adequate for the organization, given the level of business risk associated with disk failure.
✓ Tests of the Uninterruptible Power Supply. The computer center should
perform periodic tests of the backup power supply to ensure that it has
sufficient capacity to run the computer and air conditioning.
✓ Tests for Insurance Coverage. The auditor should annually review the
organization’s insurance coverage on its computer hardware, software, and
physical facility.
DISASTER RECOVERY PLANNING
FOUR COMMON FEATURES OF A DISASTER RECOVERY PLAN (DRP)
1. Identify Critical Applications. Recovery efforts must concentrate on restoring those
applications that are critical to the short-term survival of the organization.
2. Creating a Disaster Recovery Team. To avoid serious omissions or duplication of
effort during implementation of the contingency plan, task responsibility must be clearly
defined and communicated to the personnel involved.
3. Providing Second-Site Backup. Among the options available the most common are
mutual aid pact; empty shell or cold site; recovery operations center or hot site; and
internally provided backup.
4. Specify backup and off-site storage procedures. All data files, applications,
documentation, and supplies needed to perform critical functions should be automatically
backed up and stored at a secure off-site location.
AUDIT OBJECTIVES
Audit Procedures
✓ Site Backup. The auditor should evaluate the adequacy of the backup site arrangement.
✓ Critical Application List. The auditor should review the list of critical applications to ensure that it is complete.
✓ Software Backup. The auditor should verify that copies of critical applications and operating systems are stored off-site. The auditor should also verify that the applications stored off-site are current by comparing their version numbers with those of the actual applications in use.
✓ Data Backup. The auditor should verify that critical data files are backed up in accordance
with the DRP.
✓ Backup Supplies, Documents, and Documentation. The system documentation, supplies,
and source documents needed to process critical transactions should be backed up and stored
off-site.
✓ Disaster Recovery Team. The DRP should clearly list the names, addresses, and emergency
telephone numbers of the disaster recovery team members.
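The Software Backup and Data Backup procedures above both reduce to comparing two inventories: the versions held off-site against the versions in production, and the date of the last successful off-site copy of each critical data file against the backup interval the DRP requires. The script below is an added example, not code from the original slides; the application names, version strings, DRP intervals and backup log are constructed sample data, and the check treats any off-site version that is not identical to production as an exception (it does not try to order version strings).

```python
"""Added example (not from the original slides): audit checks for the
Software Backup and Data Backup procedures of a DRP review.  All
inventories, policies and dates below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed: critical application list with the production version in use
PRODUCTION = {
    "general-ledger": "4.2.1",
    "payroll": "7.0.3",
    "accounts-payable": "2.9.0",
    "os-image": "2024.02",
}
# Constructed: what the off-site vault inventory says it holds
OFFSITE = {
    "general-ledger": "4.2.1",
    "payroll": "6.8.0",        # stale copy
    "os-image": "2024.02",
    # accounts-payable is missing entirely
}

# Constructed DRP requirement: critical data file -> required backup interval
DRP_BACKUP_POLICY = {
    "gl-transactions.dat": timedelta(days=1),
    "payroll-master.dat": timedelta(days=7),
    "ap-vendor-master.dat": timedelta(days=7),
}
# Constructed off-site backup log: file -> last successful off-site copy
BACKUP_LOG = {
    "gl-transactions.dat": datetime(2024, 3, 6, 23, 30),
    "payroll-master.dat": datetime(2024, 2, 20, 1, 0),
}


def software_backup_exceptions(production, offsite):
    """Applications whose off-site copy is missing or not the production
    version.  Version strings are compared for equality only."""
    exceptions = []
    for app, prod_version in sorted(production.items()):
        stored = offsite.get(app)
        if stored is None:
            exceptions.append((app, "no off-site copy"))
        elif stored != prod_version:
            exceptions.append((app, f"off-site {stored} != production {prod_version}"))
    return exceptions


def data_backup_exceptions(policy, backup_log, as_of):
    """Critical data files never copied off-site, or whose last off-site
    copy is older than the interval the DRP requires, as of `as_of`."""
    exceptions = []
    for filename, interval in sorted(policy.items()):
        last = backup_log.get(filename)
        if last is None:
            exceptions.append((filename, "never backed up off-site"))
        elif as_of - last > interval:
            exceptions.append((filename,
                               f"last backup {last.date()} older than {interval.days} day(s)"))
    return exceptions


if __name__ == "__main__":
    review_date = datetime(2024, 3, 7, 9, 0)  # constructed audit date
    print("Software backup exceptions:")
    for app, why in software_backup_exceptions(PRODUCTION, OFFSITE):
        print(f"  {app:<18} {why}")
    print("Data backup exceptions:")
    for name, why in data_backup_exceptions(DRP_BACKUP_POLICY, BACKUP_LOG, review_date):
        print(f"  {name:<22} {why}")
```

The production inventory should come from the critical application list the auditor has already confirmed complete, and the off-site inventory from the vault's own records rather than from the backup team's report, so that the two sides of the comparison are independent.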
IT Outsourcing
Delegation of IT functions to third-party vendors who take over responsibility for the management of IT assets and staff and for delivery of IT services, such as data entry, data center operations, applications development, applications maintenance, and network management.
Advantages of IT Outsourcing (core competency theory)
✓ Improve core business performance
✓ Improve IT performance (because of the vendor’s expertise)
✓ Reduced IT costs.
Risks Inherent to IT Outsourcing
Failure to Perform. Once a client firm has outsourced specific IT assets, its performance
becomes linked to the vendor’s performance.
Outsourcing Costs Exceed Benefits. IT outsourcing has been criticized on the grounds that unexpected costs arise and the full extent of the expected benefits is not realized.
Reduced Security. Information outsourced to offshore IT vendors raises unique and serious
questions regarding internal control and the protection of sensitive personal data.
Should a company do IT outsourcing?
Management may outsource its organization’s IT functions, but it cannot outsource its management responsibilities under SOX for ensuring adequate IT internal controls.
PCAOB, in Auditing Standard 2, states: “The use of a service organization does not reduce the management’s responsibility to maintain effective internal control over reporting.”
Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is an internationally recognized third-party attestation report designed for service organizations such as IT outsourcing vendors. The standard provides knowledge about the processes and controls at the third-party vendor that prevent or detect material errors that could impact the client’s financial statements.
Two reporting techniques under SSAE 16
1. Carve-out Method. Service provider management would exclude the subservice organization’s relevant control objectives and related controls from the description of its system.
2. Inclusive Method. The service provider’s description of its system will include the services performed by the subservice organization. The report will include the subservice organization’s relevant control objectives and related controls in the description of its system.
End of Reporting