Auditing IT Governance Controls


Presented by: Camelle Mancao


INFORMATION TECHNOLOGY GOVERNANCE
Definition: A relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.
Key objectives: Reduce risk and ensure that investments in IT resources add value to the corporation.
Modern IT governance: All corporate stakeholders, including boards of directors, top management, and departmental users (e.g., accounting and finance), are active participants in key IT decisions.

Three IT governance issues that are addressed by Sarbanes-Oxley (SOX) and the COSO internal control framework
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION
Structure has implications for the nature and effectiveness of internal controls, which, in turn, has implications for the audit.

1. Centralized Data Processing
All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.

Key functions
1. Database Administration
An independent group headed by the database administrator (DBA) is
responsible for the security and integrity of the database.
2. Data Processing
The data processing group manages the computer resources used to
perform the day-to-day processing of transactions.

2. Data Processing consists of:
✓ Data Conversion. The data conversion function transcribes transaction data from hard-copy source documents into computer input.
✓ Computer Operations. The electronic files produced in data conversion are later processed by the central computer, which is managed by the computer operations group.
✓ Data Library. The data library is a room adjacent to the computer center that provides safe storage for the off-line data files. Those files could be backups or current data files.
Key functions
3. Systems Development and Maintenance. It consists of:
✓ Systems Development. Responsible for analyzing user needs and for designing new systems to satisfy those needs. The participants in system development activities include systems professionals, end users, and stakeholders.
✓ Systems Maintenance. Assumes responsibility for keeping the system current with user needs.

Segregation of Incompatible IT Functions
Operational tasks should be segregated to:
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.
Separating Systems Development from Computer Operations
With detailed knowledge of the application’s logic and control parameters and access to the
computer’s operating system and utilities, an individual could make unauthorized changes
to the application during its execution.

Separating Database Administration from Other Functions
Delegating the responsibilities of database security, usage and monitoring to others who perform incompatible tasks threatens database integrity.

Separating New Systems Development from Maintenance
Inadequate Documentation. Poor-quality systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance.
Program Fraud. When the original programmer of a system is also assigned maintenance responsibility, the potential for fraud is increased.
2. Distributed Model
An alternative to the centralized model. Distributed data processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users.

Risks Associated with DDP
Inefficient Use of Resources. DDP can expose an organization to three types of risks associated with inefficient use of organizational resources.
Destruction of Audit Trails. An audit trail provides the linkage between a company’s financial activities (transactions) and the financial statements that report on those activities.
Inadequate Segregation of Duties. Achieving an adequate segregation of duties may not be possible in some distributed environments.
Hiring Qualified Professionals. End-user managers may lack the IT
knowledge to evaluate the technical credentials and relevant
experience of candidates applying for IT professional positions.
Lack of Standards. Because of the distribution of responsibility in the
DDP environment, standards for developing and documenting
systems, choosing programming languages, acquiring hardware and
software, and evaluating performance may be unevenly applied or
even nonexistent.
Advantages of DDP

Cost Reductions. DDP has reduced costs in two other areas: (1) data can be
edited and entered by the end user, thus eliminating the centralized task of
data preparation; and (2) application complexity can be reduced, which in
turn reduces systems development and maintenance costs.
Improved Cost Control Responsibility. End-user managers carry the
responsibility for the financial success of their operations.
Improved User Satisfaction. Improvement in three areas: (1) users desire to control the resources that influence their profitability; (2) users want systems professionals to be responsive to their specific situation; and (3) users want to become more actively involved in developing and implementing their own systems.
Backup Flexibility. The final argument in favor of DDP is the ability to back
up computing facilities to protect against potential disasters such as fires,
floods, sabotage, and earthquakes.
Controlling the DDP Environment
✓ Central Testing of Commercial Software and Hardware.
✓ User Services.
✓ Standard-Setting Body.
✓ Personnel Review.
AUDIT OBJECTIVES
The auditor’s objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks.
Audit Procedures
Audit procedures under centralized IT function:
✓ Review relevant documentation, including the current organizational chart,
mission statement, and job descriptions for key functions, to determine if
individuals or groups are performing incompatible functions.
✓ Review systems documentation and maintenance records for a sample of
applications.
✓ Verify that maintenance programmers assigned to specific projects are not
also the original design programmers.

✓ Verify that computer operators do not have access to the operational details
of a system’s internal logic. Systems documentation, such as systems
flowcharts, logic flowcharts, and program code listings, should not be part
of the operation’s documentation set.
✓ Through observation, determine that segregation policy is being followed in
practice. Review operations room access logs to determine whether
programmers enter the facility for reasons other than system failures.
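One way to carry out the access-log review above as a repeatable test, written here as an added example rather than anything from the presentation: badge-reader entries, the role roster and the system-failure ticket windows are all constructed sample data, and a programmer's entry into the operations room is treated as explained only if it falls inside a ticket window.

```python
from datetime import datetime, timedelta

# Constructed badge-reader log for the computer center: (timestamp, user id, door).
ACCESS_LOG = [
    ("2024-03-04 09:12:00", "jdoe",   "ops-room"),      # computer operator, routine
    ("2024-03-04 14:40:00", "ksmith", "ops-room"),      # programmer, no open incident
    ("2024-03-05 02:15:00", "ksmith", "ops-room"),      # programmer, during an incident
    ("2024-03-06 11:05:00", "lwong",  "ops-room"),      # programmer, no open incident
    ("2024-03-06 11:20:00", "lwong",  "tape-library"),  # other door, outside this test
]

# Hypothetical roster taken from the job-description review.
ROLES = {
    "jdoe": "computer operator",
    "ksmith": "systems programmer",
    "lwong": "maintenance programmer",
}

# System-failure tickets as (opened, closed); programmer presence inside one is expected.
INCIDENTS = [("2024-03-05 01:50:00", "2024-03-05 03:30:00")]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def unexplained_programmer_entries(log, roles, incidents, door="ops-room",
                                   grace=timedelta(minutes=15)):
    """Return (timestamp, user) pairs for programmer entries to `door`
    that no system-failure ticket (widened by `grace` on each side) covers."""
    windows = [(_ts(opened) - grace, _ts(closed) + grace) for opened, closed in incidents]
    exceptions = []
    for stamp, user, entered_door in log:
        # Only programmers entering the operations room are in scope.
        if entered_door != door or "programmer" not in roles.get(user, ""):
            continue
        when = _ts(stamp)
        if not any(start <= when <= end for start, end in windows):
            exceptions.append((stamp, user))
    return exceptions


if __name__ == "__main__":
    for stamp, user in unexplained_programmer_entries(ACCESS_LOG, ROLES, INCIDENTS):
        print(f"follow up: {user} entered ops room at {stamp} with no matching incident")
```

Each exception is a question for management, not a finding by itself; the auditor still needs the explanation for the visit.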

Audit procedures under distributed IT function:
✓ Review the current organizational chart, mission statement, and job
descriptions for key functions to determine if individuals or groups are
performing incompatible duties.
✓ Verify that corporate policies and standards for systems design,
documentation, and hardware and software acquisition are published and
provided to distributed IT units.

✓ Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
✓ Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.

THE COMPUTER CENTER
The following are areas of potential exposure
to risk that can impact the quality of
information, accounting records, transaction
processing, and the effectiveness of other
more conventional internal controls.

Risk Areas
1. Physical Location
2. Construction
3. Access
4. Air Conditioning
5. Fire Suppression
6. Fault Tolerance
a. Redundant arrays of independent disks (RAID).
b. Uninterruptible power supplies.
AUDIT OBJECTIVES
1. Physical security controls are adequate to reasonably protect the organization from physical exposures.
2. Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.
Audit Procedures
✓ Tests of Physical Construction. The auditor should obtain architectural
plans to determine that the computer center is solidly built of fireproof
material.
✓ Tests of the Fire Detection System. The auditor should establish that fire
detection and suppression equipment, both manual and automatic, are in
place and tested regularly.
✓ Tests of Access Control. The auditor must establish that routine access to
the computer center is restricted to authorized employees.

✓ Tests of RAID. The auditor should determine, through mapping, whether the level of RAID in place is adequate for the organization, given the level of business risk associated with disk failure.
✓ Tests of the Uninterruptible Power Supply. The computer center should
perform periodic tests of the backup power supply to ensure that it has
sufficient capacity to run the computer and air conditioning.
✓ Tests for Insurance Coverage. The auditor should annually review the
organization’s insurance coverage on its computer hardware, software, and
physical facility.
DISASTER RECOVERY PLANNING
Disasters such as earthquakes, floods, sabotage, and even power failures can be catastrophic to an organization’s computer center and information systems.

FOUR COMMON FEATURES OF A DISASTER RECOVERY PLAN (DRP)
1. Identifying Critical Applications. Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization.
2. Creating a Disaster Recovery Team. To avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved.
3. Providing Second-Site Backup. Among the options available, the most common are a mutual aid pact; an empty shell or cold site; a recovery operations center or hot site; and internally provided backup.
4. Specifying Backup and Off-Site Storage Procedures. All data files, applications, documentation, and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.
AUDIT OBJECTIVES
The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures
✓ Site Backup. The auditor should evaluate the adequacy of the backup site arrangement.
✓ Critical Application List. The auditor should review the list of critical applications to ensure that it is complete.
✓ Software Backup. The auditor should verify that copies of critical applications and operating systems are stored off-site. The auditor should also verify that the applications stored off-site are current by comparing their version numbers with those of the actual applications in use.

✓ Data Backup. The auditor should verify that critical data files are backed up in accordance
with the DRP.
✓ Backup Supplies, Documents, and Documentation. The system documentation, supplies,
and source documents needed to process critical transactions should be backed up and stored
off-site.
✓ Disaster Recovery Team. The DRP should clearly list the names, addresses, and emergency
telephone numbers of the disaster recovery team members.
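The software backup and data backup checks above (off-site copies current, backups taken per the DRP) as an added Python example, not part of the original slides. The critical application list, version numbers, vault inventory and DRP backup interval are constructed sample data; real audits would pull them from change management and the off-site vault register.

```python
from datetime import datetime, timedelta

# Constructed critical application list from the DRP.
CRITICAL_APPS = ["general-ledger", "payroll", "accounts-payable"]

# Versions currently in production, as recorded by change management (constructed).
PRODUCTION_VERSIONS = {"general-ledger": "7.4.2", "payroll": "3.1.0", "accounts-payable": "5.0.9"}

# Off-site vault register: app -> (stored software version, last data backup). Constructed.
OFFSITE_INVENTORY = {
    "general-ledger": ("7.4.2", "2024-03-07 23:10"),
    "payroll":        ("3.0.7", "2024-03-06 23:40"),  # stale software copy, stale data
    # accounts-payable has no off-site copy at all
}

# Maximum hours between data backups required by the DRP for each application.
DRP_BACKUP_INTERVAL_HOURS = {"general-ledger": 24, "payroll": 24, "accounts-payable": 24}


def drp_backup_exceptions(critical_apps, prod_versions, offsite, drp_hours, as_of):
    """Return {app: [findings]} for critical applications whose off-site copy is
    missing, whose stored version differs from production, or whose last data
    backup is older than the DRP interval as of the `as_of` review date."""
    review_time = datetime.strptime(as_of, "%Y-%m-%d %H:%M")
    findings = {}
    for app in critical_apps:
        issues = []
        if app not in offsite:
            issues.append("no off-site copy")
        else:
            stored_version, last_backup = offsite[app]
            if stored_version != prod_versions.get(app):
                issues.append(f"off-site version {stored_version} != production {prod_versions.get(app)}")
            age = review_time - datetime.strptime(last_backup, "%Y-%m-%d %H:%M")
            if age > timedelta(hours=drp_hours[app]):
                hours = age.total_seconds() / 3600
                issues.append(f"last data backup {hours:.0f}h ago exceeds DRP interval {drp_hours[app]}h")
        if issues:
            findings[app] = issues
    return findings


if __name__ == "__main__":
    report = drp_backup_exceptions(CRITICAL_APPS, PRODUCTION_VERSIONS, OFFSITE_INVENTORY,
                                   DRP_BACKUP_INTERVAL_HOURS, "2024-03-08 09:00")
    for app, issues in report.items():
        print(app, "->", "; ".join(issues))
```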

IT Outsourcing
Delegation of IT functions to third-party vendors who take over responsibility for the management of IT assets and staff and for delivery of IT services, such as data entry, data center operations, applications development, applications maintenance, and network management.

Advantages of IT Outsourcing (core competency theory)
✓ Improved core business performance
✓ Improved IT performance (because of the vendor’s expertise)
✓ Reduced IT costs

Transaction Cost Economics (TCE). Firms should retain certain specific non-core IT assets in-house. Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement.

Risks Inherent to IT Outsourcing
Failure to Perform. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance.
Vendor Exploitation. Large-scale IT outsourcing involves transferring to a vendor “specific assets,” such as the design, development, and maintenance of unique business applications that are critical to an organization’s survival.
Outsourcing Costs Exceed Benefits. IT outsourcing has been criticized on the grounds that unexpected costs arise and the full extent of expected benefits is not realized.
Reduced Security. Information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data.
Loss of Strategic Advantage. IT outsourcing may lead to incongruence between a firm’s IT strategic planning and its business planning functions.

Should a company do IT outsourcing?

Management may outsource its organization’s IT
functions, but it cannot outsource its management
responsibilities under SOX for ensuring adequate IT
internal controls.

PCAOB Auditing Standard No. 2: “The use of a service organization does not reduce the management’s responsibility to maintain effective internal control over reporting.”

Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is an internationally recognized third-party attestation report designed for service organizations such as IT outsourcing vendors. The standard conveys knowledge about the processes and controls at the third-party vendor that prevent or detect material errors that could impact the client’s financial statements.

Two reporting techniques under SSAE 16
1. Carve-out Method. Service provider management excludes the subservice organization’s relevant control objectives and related controls from the description of its system.
2. Inclusive Method. The service provider’s description of its system includes the services performed by the subservice organization. The report includes the subservice organization’s relevant control objectives and related controls in the description of the system.
End of Reporting
