Abstract image of a woman sitting on books and studying on a laptop

Chapter 2 auditing it governance controls

Download as PPTX, PDF
J
jayussuryawan

This document discusses controls related to IT governance, including the structure of the IT function, computer center operations, and disaster recovery planning. It covers topics such as segregating incompatible duties within the IT function, physical and environmental controls for the computer center, and key elements of an effective disaster recovery plan such as identifying critical applications and creating an off-site backup. The document also outlines some audit procedures auditors can perform to evaluate these controls, such as reviewing policies and documentation, testing backup procedures, and evaluating disaster recovery plans and backup site arrangements.

Education
1 of 30
Downloaded 293 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Most read
19
Most read
20
21
22
23
Most read
24
25
26
27
28
29
30
Chapter 2: Auditing IT Governance Controls IT Auditing, Hall, 4e © 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use. 0
Learning Objectives • Understand the risks of incompatible functions and how to structure the IT function. • Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities. • Understand the key elements of a disaster recovery plan. • Be familiar with the benefits, risks, and audit issues related to IT outsourcing. 1
IT Governance • Subset of corporate governance that focuses on the management and assessment of strategic IT resources. • Key objects are to reduce risk and ensure investments in IT resources add value to the corporation. • All corporate stakeholders must be active participants in key IT decisions. 2
IT Governance Controls • Three IT governance issues addressed by SOX and the COSO internal control framework: • Organizational structure of the IT function. • Computer center operations. • Disaster recovery planning. 3
Structure of the Corporate IT Function • Under the centralized data processing model, all data processing performed at a central site. • End users compete for resources based on need. • Operating costs charged back to end user. • Primary service areas: • Database administrator. • Data processing consisting of data control/data entry, computer operations and data library. • System development and maintenance • Participation in systems development activities include system professional, end users and stakeholders. 4
Structure of the Corporate IT Function 5
Alternative Organization of Systems Development 6
Alternative Organization of Systems Development Problems • Two control problems with segregating systems analysis from applications programming. • Inadequate documentation a chronic problem. • Documenting systems is not an interesting task. • Lack of documentation provides job security for the programmer who coded it. • When system programmer has maintenance responsibilities, potential for fraud is increased. • May have concealed fraudulent code in the system. • Having sole responsibility for maintenance may allow the programmer to conceal the code for years. 7
Structure of the Corporate IT Function 8
Segregation of Incompatible IT Functions • Systems development from computer operations. • Relationship between groups should be formal and responsibilities should not be comingled. • Database administration from other functions. • DBA function responsible for many critical tasks and needs to be organizationally independent of operations, systems development and maintenance. • New systems development from maintenance. • Improves documentation standards because maintenance group requires documentation. • Denying original programmer future access deters program fraud. 9
The Distributed Model • Distributed Data Processing (DDP) involves reorganizing central IT function into small IT units that are placed under the control of end users. • Two alternatives: • Alternative A: Variant of centralized model with terminals or microcomputers distributed to end users for handling input and output. • Alternative B: Distributes all computer services to the end users where they operate as stand alone units. 10
The Distributed Model 11
Management Assertions Audit Objectives Audit Procedure Existence or occurrence Inventories listed on the balance sheet exist. Observe the counting of physical inventory. Completeness Accounts payable include all obligations to vendors for the period. Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period. Rights and obligations Plant and equipment listed in the balance sheet are owned by the entity. Review purchase agreements, insurance policies, and related documents. Valuation or allocation Accounts receivable are stated at net realizable value. Review entity’s aging of accounts and evaluate the adequacy of the allowance for uncorrectable accounts. Presentation and disclosure Contingencies not reported in financial accounts are properly disclosed in footnotes. Obtain information from entity lawyers about the status of litigation and estimates of potential loss. Audit Objectives and Audit Procedures Based on Management Assertions 12
Risks Associated with DDP • Inefficient use of resources: • Mismanagement of IT resources by end users. • Operational inefficiencies due to redundant tasks being performed. • Hardware and software incompatibility among end-user functions. • Destruction of audit trails. • Inadequate segregation of duties. • Hiring qualified professionals: • Risk of programming errors and system failures increase directly with the level of employee incompetence. • Lack of standards. 13
Controlling the DDP Environment • Implement a corporate IT function: • Central testing of commercial software and hardware. • User services to provide technical help. • Standard-setting body. • Personnel review. 14
Audit Procedures for the DDP • Audit procedures in a centralized IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible functions. • Review systems documentation and maintenance records to verify maintenance programmers are not designers. • Observe to determine if segregation policy is being followed. 15
Audit Procedures for the DDP • Audit procedures in a distributed IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible duties. • Verify corporate policies and standards are published and provided to distributed IT units. • Verify compensating controls are in place when needed. • Review system documentation to verify applications, procedures and databased are in accordance with standards. 16
The Computer Center • Physical location: • Directly affects risk of destruction from a disaster. • Away from hazards and traffic. • Construction: • Ideally: single-story, solidly constructed with underground utilities. • Windows should not open and an air filtration system should be in place. • Access: • Should be limited with locked doors, cameras, key card entrance and sign-in logs. 17
The Computer Center • Air conditioning should provide appropriate temperature and humidity for computers. • Fire suppression: • Alarms, fire extinguishing system, appropriate construction, fire exits. • Fault tolerance is the ability of the system to continue operation when part of the system fails. • Total failure can occur only if multiple components fail. • Redundant arrays of independent disks (RAID) involves using parallel disks with redundant data and applications so if one disk fails, lost data can be reconstructed. • Uninterruptible power supplies. 18
Audit Procedures: The Computer Center • Auditor must verify that physical controls and insurance coverage are adequate. • Procedures include: • Tests of physical construction. • Tests of the fire detection system. • Tests of access control. • Tests of RAID. • Tests of the uninterruptible power supply. • Tests of insurance coverage. 19
Disaster Recovery Planning • A disaster recovery plan is a statement of all actions to be taken before, during and after any type of disaster. Four common features: • Identify critical applications: • Short-term survival requires restoration of cash flow generating functions. • Applications supporting those functions should be identified and prioritized in the restoration plan. • Task of identifying critical items and prioritizing applications requires active participation of user departments, accountants and auditors. 20
Disaster Recovery Planning • Create a disaster recovery team: • Team members should be experts in their areas and have assigned tasks. • Provide second-site backup: • Necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. • Specify back-up and off-site storage procedures: • All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location. 21
Second-Site Backups • Mutual aid pact is an agreement between organizations to aid each other with data processing in a disaster. • Empty shell or cold site plan involves obtaining a building to serve as a data center in a disaster. • Recovery depends on timely availability of hardware. • Recovery operations center or hot site plan is a fully equipped site that many companies share. • Internally provided backup may be preferred by organizations with many data processing centers. 22
DRP Audit Procedures • To verify DRP is a realistic solution, the following tests may be performed: • Evaluate adequacy of backup site arrangements. • Review list of critical applications for completeness. • Verify copies of critical applications and operating systems are stored off-site. • Verify critical data files are backed up in accordance with the DRP. • Verify that types and quantities of items specified in the DRP exist in a secure location. • Verify disaster recovery team members are current employees and aware of their assigned responsibilities. 23
Outsourcing the IT Function • Benefits of IT outsourcing include: • Improved core business processes. • Improved IT performance. • Reduced IT costs. • Logic underlying outsourcing follows from core competency theory which argues an organization should focus on its core business competencies. Ignores an important distinction between: • Commodity IT assets which are not unique to an organization and easily acquired in the marketplace. • Specific IT assets which are unique and support an organization’s strategic objectives. 24
Outsourcing the IT Function • Transaction cost economics (TCE) suggests firms should retain specific non-core IT assets in house. • Those that cannot be easily replaced once they are given up in an outsourcing arrangement. • Cloud computing is location-independent computing whereby shared data centers deliver hosted IT services over the Internet. Offers three primary classes of computing services: • Software-as-a-Service (SaaS). • Infrastructure-as-a-Service (IaaS). • Platform-as-a-Service (PaaS). 25
Outsourcing the IT Function • Virtualization has unleashed cloud computing. • Network virtualization increases effective network bandwidth, optimizes network speed, flexibility, and reliability, and improves network scalability. • Storage virtualization is the pooling of physical storage from multiple devices into what appears to be a single virtual storage device. • Cloud computing not realistic for large firms. • Typically have massive IT investments and therefore not inclined to turn over their IT operations to a could vendor. • May have critical functions running on legacy systems that could not be easily migrated to the cloud. • Commodity provision approach of the cloud incompatible with the need for unique strategic information. 26
Risks Inherent to IT Outsourcing • Failure to perform. • Vendor exploitation. • Outsourcing costs exceed benefits. • Reduced security. • Loss of strategic advantage. 27
Audit Implications of IT Outsourcing • Use of a service organization does not reduce management’s responsibilities under SOX for ensuring adequate IT internal controls. • SSAE 16 replaced SAS 70 and is the definitive standard by which auditors can gain knowledge that processes and controls at third-party vendors are adequate to prevent or detect material errors. • Report provides a description of service provider’s description using either the carve-out or the inclusive method 28
Audit Implications of IT Outsourcing 29

More Related Content

PPTX
CIA part 1 essentials of internal auditing
ariundalai1
 
PPTX
Chapter 4 security part ii auditing database systems
jayussuryawan
 
PPTX
Chapter 2 auditing it governance controls
Tommy Zul Hidayat
 
PPTX
Chapter 1 auditing and internal control
Tommy Zul Hidayat
 
PPTX
Chapter 3 security part i auditing operating systems and networks
Tommy Zul Hidayat
 
PPTX
Chapter 1 auditing and internal control
jayussuryawan
 
PPTX
Chapter 3 security part i auditing operating systems and networks
jayussuryawan
 
PPTX
Computer-Assisted Audit Tools and Techniques
_supriadi
 
CIA part 1 essentials of internal auditing
ariundalai1
 
Chapter 4 security part ii auditing database systems
jayussuryawan
 
Chapter 2 auditing it governance controls
Tommy Zul Hidayat
 
Chapter 1 auditing and internal control
Tommy Zul Hidayat
 
Chapter 3 security part i auditing operating systems and networks
Tommy Zul Hidayat
 
Chapter 1 auditing and internal control
jayussuryawan
 
Chapter 3 security part i auditing operating systems and networks
jayussuryawan
 
Computer-Assisted Audit Tools and Techniques
_supriadi
 

What's hot (20)

PPTX
Generalized audit-software
kzoe1996
 
PPTX
Test Data Approach
kzoe1996
 
PDF
Auditing application controls
CenapSerdarolu
 
PPT
AUDITING IT GOVERNANCE CONTROLS
Dhina Pohan
 
PPTX
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Vhena Pilongo
 
PPT
James hall ch 9
David Julian
 
PPTX
Lecture 16 internal control - james a. hall book chapter 3
Habib Ullah Qamar
 
PPTX
Auditing SOX ITGC Compliance
seanpizzy
 
PPTX
Auditing the expenditure cycle
Angela Torres
 
PDF
Paps 1006
RS NAVARRO
 
DOCX
Computer Assisted Audit Techniques (CAATS) - IS AUDIT
Shahzeb Pirzada
 
PPS
Control Self Assessment
Manoj Agarwal
 
PPSX
CIS Audit Lecture # 1
Cheng Olayvar
 
PPTX
Conducting an Information Systems Audit
Sreekanth Narendran
 
PDF
IT Control Objectives for SOX
Mahesh Patwardhan
 
PPT
James hall ch 15
David Julian
 
PPTX
Integrated Test Facility
kzoe1996
 
PDF
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...
Ee Chuan Yoong
 
PPT
James hall ch 3
David Julian
 
PPTX
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
OliviaCelestine
 
Generalized audit-software
kzoe1996
 
Test Data Approach
kzoe1996
 
Auditing application controls
CenapSerdarolu
 
AUDITING IT GOVERNANCE CONTROLS
Dhina Pohan
 
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Vhena Pilongo
 
James hall ch 9
David Julian
 
Lecture 16 internal control - james a. hall book chapter 3
Habib Ullah Qamar
 
Auditing SOX ITGC Compliance
seanpizzy
 
Auditing the expenditure cycle
Angela Torres
 
Paps 1006
RS NAVARRO
 
Computer Assisted Audit Techniques (CAATS) - IS AUDIT
Shahzeb Pirzada
 
Control Self Assessment
Manoj Agarwal
 
CIS Audit Lecture # 1
Cheng Olayvar
 
Conducting an Information Systems Audit
Sreekanth Narendran
 
IT Control Objectives for SOX
Mahesh Patwardhan
 
James hall ch 15
David Julian
 
Integrated Test Facility
kzoe1996
 
Computer Assisted Audit Tools and Techniques - the Force multiplier in the ba...
Ee Chuan Yoong
 
James hall ch 3
David Julian
 
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
OliviaCelestine
 
Ad

Viewers also liked (14)

RTF
It audit ch 1
Ahmed Tnt
 
DOC
Chap002
allen210
 
PPT
Chap. 3 corp. gov. in global operations.ppt.
Magiel Amora
 
PDF
St. mgt. chapter 4
Rao Majid Shamshad
 
DOC
Chap005 tb-sample
Ying Sun
 
PPT
Chap. 3 corp. gov. in global operations.ppt.
Magiel Amora
 
PPT
Auditing by CIS . Chapter 6
Sharah Ayumi
 
PPTX
CISA Training - Chapter 2 - 2016
Hafiz Sheikh Adnan Ahmed
 
DOCX
Cisa exam mock test questions-1
Hemang Doshi
 
PPTX
CISA Training - Chapter 5 - 2016
Hafiz Sheikh Adnan Ahmed
 
PPTX
CISA Training - Chapter 1 - 2016
Hafiz Sheikh Adnan Ahmed
 
PPTX
CISA exam 100 practice question
Arshad A Javed
 
PDF
Accounting information system
Vivek K. Singh
 
DOCX
Multiple choice questions with answers
Classic Tech
 
It audit ch 1
Ahmed Tnt
 
Chap002
allen210
 
Chap. 3 corp. gov. in global operations.ppt.
Magiel Amora
 
St. mgt. chapter 4
Rao Majid Shamshad
 
Chap005 tb-sample
Ying Sun
 
Chap. 3 corp. gov. in global operations.ppt.
Magiel Amora
 
Auditing by CIS . Chapter 6
Sharah Ayumi
 
CISA Training - Chapter 2 - 2016
Hafiz Sheikh Adnan Ahmed
 
Cisa exam mock test questions-1
Hemang Doshi
 
CISA Training - Chapter 5 - 2016
Hafiz Sheikh Adnan Ahmed
 
CISA Training - Chapter 1 - 2016
Hafiz Sheikh Adnan Ahmed
 
CISA exam 100 practice question
Arshad A Javed
 
Accounting information system
Vivek K. Singh
 
Multiple choice questions with answers
Classic Tech
 
Ad

Similar to Chapter 2 auditing it governance controls (20)

PPTX
Chapter 15-Accounting Information System
RejiePantinople
 
PDF
Internal Controls Over Information Systems
Jeffrey Paulette
 
PPTX
CISA Training - Chapter 4 - 2016
Hafiz Sheikh Adnan Ahmed
 
PPTX
Lecture 7 organization structure- chapter 1 jamed a hall
Habib Ullah Qamar
 
PPTX
Security Baselines and Risk Assessments
Priyank Hada
 
PPSX
Does audit make us more secure
EnterpriseGRC Solutions, Inc.
 
PPTX
IT Audit For Non-IT Auditors
Ed Tobias
 
PPTX
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
Muhammad Azmy
 
PDF
IT & the Auditor
Linda Forbes
 
PPTX
03.1 general control
Mulyadi Yusuf
 
PPTX
Accounting System Design and Development-Internal Controls
HelpWithAssignment.com
 
PDF
Business Continuity for Mission Critical Applications
DataCore Software
 
PDF
CIO IT Audit Survival TNS07
Thomas Danford
 
PPS
Business Meets IT Presentatie
Ruud Stroet
 
PPT
IT System & Security Audit
Mufaddal Nullwala
 
DOCX
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
LynellBull52
 
PPTX
Office management
Aditya Purohit
 
PDF
Syllabus CIISA ( Certified Internasional Information System Auditor ).pdf
Yoyo Sudaryo
 
PPTX
Pp 15-new
Sri Apriyanti Husain
 
DOCX
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
joellemurphey
 
Chapter 15-Accounting Information System
RejiePantinople
 
Internal Controls Over Information Systems
Jeffrey Paulette
 
CISA Training - Chapter 4 - 2016
Hafiz Sheikh Adnan Ahmed
 
Lecture 7 organization structure- chapter 1 jamed a hall
Habib Ullah Qamar
 
Security Baselines and Risk Assessments
Priyank Hada
 
Does audit make us more secure
EnterpriseGRC Solutions, Inc.
 
IT Audit For Non-IT Auditors
Ed Tobias
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
Muhammad Azmy
 
IT & the Auditor
Linda Forbes
 
03.1 general control
Mulyadi Yusuf
 
Accounting System Design and Development-Internal Controls
HelpWithAssignment.com
 
Business Continuity for Mission Critical Applications
DataCore Software
 
CIO IT Audit Survival TNS07
Thomas Danford
 
Business Meets IT Presentatie
Ruud Stroet
 
IT System & Security Audit
Mufaddal Nullwala
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
LynellBull52
 
Office management
Aditya Purohit
 
Syllabus CIISA ( Certified Internasional Information System Auditor ).pdf
Yoyo Sudaryo
 
Pp 15-new
Sri Apriyanti Husain
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
joellemurphey
 

Recently uploaded (20)

PPTX
Chinmaya Tiranga Azadi Quiz (Class 7-8 )
Nitin Suresh
 
PPTX
B.Sc. DS Unit 2 Software Engineering.pptx
Dr. Pallawi Bulakh
 
PPTX
Virtual and Augmented Reality in Current Scenario
Shruti Dalela
 
PDF
CISA (Certified Information Systems Auditor) Domain-Wise Summary.pdf
infosecTrain
 
PDF
advance database management system book.pdf
hinamannan364
 
PPTX
Onco Emergencies - Spinal cord compression Superior vena cava syndrome Febr...
Medpopz
 
PDF
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 2).pdf
CMEmpire
 
PPTX
A powerpoint presentation on the Revised K-10 Science Shaping Paper
JericEstaco2
 
PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
PPTX
20th Century Theater, Methods, History.pptx
cpadilla9
 
PDF
AI-driven educational solutions for real-life interventions in the Philippine...
EleniIlkou
 
PDF
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 
PDF
medical_surgical_nursing_10th_edition_ignatavicius_TEST_BANK_pdf.pdf
victor kamau
 
PDF
Vision Prelims GS PYQ Analysis 2011-2022 www.upscpdf.com.pdf
navneetgupta711851
 
PDF
My India Quiz Book_20210205121199924.pdf
AtandraDey2
 
PDF
IGGE1 Understanding the Self1234567891011
rhea22labucay
 
PDF
What if we spent less time fighting change, and more time building what’s rig...
Derek Wenmoth
 
PDF
Uderstanding digital marketing and marketing stratergie for engaging the digi...
afreenpeshmam
 
PPTX
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
PDF
Paper A Mock Exam 9_ Attempt review.pdf.
SameeraNaveed2
 
Chinmaya Tiranga Azadi Quiz (Class 7-8 )
Nitin Suresh
 
B.Sc. DS Unit 2 Software Engineering.pptx
Dr. Pallawi Bulakh
 
Virtual and Augmented Reality in Current Scenario
Shruti Dalela
 
CISA (Certified Information Systems Auditor) Domain-Wise Summary.pdf
infosecTrain
 
advance database management system book.pdf
hinamannan364
 
Onco Emergencies - Spinal cord compression Superior vena cava syndrome Febr...
Medpopz
 
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 2).pdf
CMEmpire
 
A powerpoint presentation on the Revised K-10 Science Shaping Paper
JericEstaco2
 
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
20th Century Theater, Methods, History.pptx
cpadilla9
 
AI-driven educational solutions for real-life interventions in the Philippine...
EleniIlkou
 
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 
medical_surgical_nursing_10th_edition_ignatavicius_TEST_BANK_pdf.pdf
victor kamau
 
Vision Prelims GS PYQ Analysis 2011-2022 www.upscpdf.com.pdf
navneetgupta711851
 
My India Quiz Book_20210205121199924.pdf
AtandraDey2
 
IGGE1 Understanding the Self1234567891011
rhea22labucay
 
What if we spent less time fighting change, and more time building what’s rig...
Derek Wenmoth
 
Uderstanding digital marketing and marketing stratergie for engaging the digi...
afreenpeshmam
 
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
Paper A Mock Exam 9_ Attempt review.pdf.
SameeraNaveed2
 

Chapter 2 auditing it governance controls

  • 1. Chapter 2: Auditing IT Governance Controls IT Auditing, Hall, 4e © 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use. 0
  • 2. Learning Objectives • Understand the risks of incompatible functions and how to structure the IT function. • Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities. • Understand the key elements of a disaster recovery plan. • Be familiar with the benefits, risks, and audit issues related to IT outsourcing. 1
  • 3. IT Governance • Subset of corporate governance that focuses on the management and assessment of strategic IT resources. • Key objects are to reduce risk and ensure investments in IT resources add value to the corporation. • All corporate stakeholders must be active participants in key IT decisions. 2
  • 4. IT Governance Controls • Three IT governance issues addressed by SOX and the COSO internal control framework: • Organizational structure of the IT function. • Computer center operations. • Disaster recovery planning. 3
  • 5. Structure of the Corporate IT Function • Under the centralized data processing model, all data processing performed at a central site. • End users compete for resources based on need. • Operating costs charged back to end user. • Primary service areas: • Database administrator. • Data processing consisting of data control/data entry, computer operations and data library. • System development and maintenance • Participation in systems development activities include system professional, end users and stakeholders. 4
  • 6. Structure of the Corporate IT Function 5
  • 8. Alternative Organization of Systems Development Problems • Two control problems with segregating systems analysis from applications programming. • Inadequate documentation a chronic problem. • Documenting systems is not an interesting task. • Lack of documentation provides job security for the programmer who coded it. • When system programmer has maintenance responsibilities, potential for fraud is increased. • May have concealed fraudulent code in the system. • Having sole responsibility for maintenance may allow the programmer to conceal the code for years. 7
  • 9. Structure of the Corporate IT Function 8
  • 10. Segregation of Incompatible IT Functions • Systems development from computer operations. • Relationship between groups should be formal and responsibilities should not be comingled. • Database administration from other functions. • DBA function responsible for many critical tasks and needs to be organizationally independent of operations, systems development and maintenance. • New systems development from maintenance. • Improves documentation standards because maintenance group requires documentation. • Denying original programmer future access deters program fraud. 9
  • 11. The Distributed Model • Distributed Data Processing (DDP) involves reorganizing central IT function into small IT units that are placed under the control of end users. • Two alternatives: • Alternative A: Variant of centralized model with terminals or microcomputers distributed to end users for handling input and output. • Alternative B: Distributes all computer services to the end users where they operate as stand alone units. 10
  • 13. Management Assertions Audit Objectives Audit Procedure Existence or occurrence Inventories listed on the balance sheet exist. Observe the counting of physical inventory. Completeness Accounts payable include all obligations to vendors for the period. Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period. Rights and obligations Plant and equipment listed in the balance sheet are owned by the entity. Review purchase agreements, insurance policies, and related documents. Valuation or allocation Accounts receivable are stated at net realizable value. Review entity’s aging of accounts and evaluate the adequacy of the allowance for uncorrectable accounts. Presentation and disclosure Contingencies not reported in financial accounts are properly disclosed in footnotes. Obtain information from entity lawyers about the status of litigation and estimates of potential loss. Audit Objectives and Audit Procedures Based on Management Assertions 12
  • 14. Risks Associated with DDP • Inefficient use of resources: • Mismanagement of IT resources by end users. • Operational inefficiencies due to redundant tasks being performed. • Hardware and software incompatibility among end-user functions. • Destruction of audit trails. • Inadequate segregation of duties. • Hiring qualified professionals: • Risk of programming errors and system failures increase directly with the level of employee incompetence. • Lack of standards. 13
  • 15. Controlling the DDP Environment • Implement a corporate IT function: • Central testing of commercial software and hardware. • User services to provide technical help. • Standard-setting body. • Personnel review. 14
  • 16. Audit Procedures for the DDP • Audit procedures in a centralized IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible functions. • Review systems documentation and maintenance records to verify maintenance programmers are not designers. • Observe to determine if segregation policy is being followed. 15
  • 17. Audit Procedures for the DDP • Audit procedures in a distributed IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible duties. • Verify corporate policies and standards are published and provided to distributed IT units. • Verify compensating controls are in place when needed. • Review system documentation to verify applications, procedures and databased are in accordance with standards. 16
  • 18. The Computer Center • Physical location: • Directly affects risk of destruction from a disaster. • Away from hazards and traffic. • Construction: • Ideally: single-story, solidly constructed with underground utilities. • Windows should not open and an air filtration system should be in place. • Access: • Should be limited with locked doors, cameras, key card entrance and sign-in logs. 17
  • 19. The Computer Center • Air conditioning should provide appropriate temperature and humidity for computers. • Fire suppression: • Alarms, fire extinguishing system, appropriate construction, fire exits. • Fault tolerance is the ability of the system to continue operation when part of the system fails. • Total failure can occur only if multiple components fail. • Redundant arrays of independent disks (RAID) involves using parallel disks with redundant data and applications so if one disk fails, lost data can be reconstructed. • Uninterruptible power supplies. 18
  • 20. Audit Procedures: The Computer Center • Auditor must verify that physical controls and insurance coverage are adequate. • Procedures include: • Tests of physical construction. • Tests of the fire detection system. • Tests of access control. • Tests of RAID. • Tests of the uninterruptible power supply. • Tests of insurance coverage. 19
  • 21. Disaster Recovery Planning • A disaster recovery plan is a statement of all actions to be taken before, during and after any type of disaster. Four common features: • Identify critical applications: • Short-term survival requires restoration of cash flow generating functions. • Applications supporting those functions should be identified and prioritized in the restoration plan. • Task of identifying critical items and prioritizing applications requires active participation of user departments, accountants and auditors. 20
  • 22. Disaster Recovery Planning • Create a disaster recovery team: • Team members should be experts in their areas and have assigned tasks. • Provide second-site backup: • Necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. • Specify back-up and off-site storage procedures: • All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location. 21
  • 23. Second-Site Backups • Mutual aid pact is an agreement between organizations to aid each other with data processing in a disaster. • Empty shell or cold site plan involves obtaining a building to serve as a data center in a disaster. • Recovery depends on timely availability of hardware. • Recovery operations center or hot site plan is a fully equipped site that many companies share. • Internally provided backup may be preferred by organizations with many data processing centers. 22
  • 24. DRP Audit Procedures • To verify DRP is a realistic solution, the following tests may be performed: • Evaluate adequacy of backup site arrangements. • Review list of critical applications for completeness. • Verify copies of critical applications and operating systems are stored off-site. • Verify critical data files are backed up in accordance with the DRP. • Verify that types and quantities of items specified in the DRP exist in a secure location. • Verify disaster recovery team members are current employees and aware of their assigned responsibilities. 23
  • 25. Outsourcing the IT Function • Benefits of IT outsourcing include: • Improved core business processes. • Improved IT performance. • Reduced IT costs. • Logic underlying outsourcing follows from core competency theory which argues an organization should focus on its core business competencies. Ignores an important distinction between: • Commodity IT assets which are not unique to an organization and easily acquired in the marketplace. • Specific IT assets which are unique and support an organization’s strategic objectives. 24
  • 26. Outsourcing the IT Function • Transaction cost economics (TCE) suggests firms should retain specific non-core IT assets in house. • Those that cannot be easily replaced once they are given up in an outsourcing arrangement. • Cloud computing is location-independent computing whereby shared data centers deliver hosted IT services over the Internet. Offers three primary classes of computing services: • Software-as-a-Service (SaaS). • Infrastructure-as-a-Service (IaaS). • Platform-as-a-Service (PaaS). 25
  • 27. Outsourcing the IT Function • Virtualization has unleashed cloud computing. • Network virtualization increases effective network bandwidth, optimizes network speed, flexibility, and reliability, and improves network scalability. • Storage virtualization is the pooling of physical storage from multiple devices into what appears to be a single virtual storage device. • Cloud computing not realistic for large firms. • Typically have massive IT investments and therefore not inclined to turn over their IT operations to a could vendor. • May have critical functions running on legacy systems that could not be easily migrated to the cloud. • Commodity provision approach of the cloud incompatible with the need for unique strategic information. 26
  • 28. Risks Inherent to IT Outsourcing • Failure to perform. • Vendor exploitation. • Outsourcing costs exceed benefits. • Reduced security. • Loss of strategic advantage. 27
  • 29. Audit Implications of IT Outsourcing • Use of a service organization does not reduce management’s responsibilities under SOX for ensuring adequate IT internal controls. • SSAE 16 replaced SAS 70 and is the definitive standard by which auditors can gain knowledge that processes and controls at third-party vendors are adequate to prevent or detect material errors. • Report provides a description of service provider’s description using either the carve-out or the inclusive method 28
  • 30. Audit Implications of IT Outsourcing 29