Three IT Governance issues that are addressed by SOX and the COSO
internal control framework.
o Organizational Structure of the IT function
o Computer Center Operations
o Disaster Recovery Planning
Database administrator
Centralized location for maintaining data resources
DBA is responsible for security and integrity of database
Data Processing:
Manages resources used to perform day-to-day processing of transactions
Data preparation/conversion
Computer operations
Data library (storage of off-line data files)
System Maintenance
Assumes responsibility for keeping developed systems operational and in line with current user needs
They may make changes in program logic to accommodate shifts in user needs over time
FIC-4030-INFORMATION SYSTEMS AUDITING-03-IT GOVERNANCE BCHESOLI 10/5/2016 12
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
o The success of this control depends on existence of other controls that limit, prevent and detect
unauthorized access to programs (such as source code)
DISTRIBUTED MODEL
Alternative B: Decentralized/Network
o Significant departure from centralized model
o Distributes all computer services to end users, where they operate as stand-alone units.
o The result is the elimination of the central IT function from the organizational structure
o The network permits communication and data transfers between the units
o All data processing tasks are moved to the end-user areas
DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP
Focuses on the important issues that carry control implications that auditors
should recognize
Potential problems include:
1. Inefficient use of resources
2. Destruction of audit trails
3. Inadequate segregation of duties
4. Hiring qualified professionals
5. Lack of standards
DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP
Audit objectives:
Conduct a risk assessment to:
o Verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment
Formal rather than casual relationships need to exist between incompatible functions
o Verify the distributed IT units employ entity-wide standards of performance that promote compatibility among hardware, operating software, applications, and data
IT FUNCTION AUDIT
Audit procedures:
Verify corporate policies and standards are communicated
Review relevant documentation, including the current organization chart, mission statement and key job descriptions, to determine if any incompatible duties exist
o Verify compensating controls are in place where incompatible duties do exist and segregation is economically infeasible
Review systems documentation and maintenance records for a sample of applications. Verify maintenance programmers assigned to specific projects are not also the original design programmers
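The two documentation checks above (incompatible duties held by one person, and maintenance programmers who also designed the system) can be screened mechanically once job descriptions and maintenance records are in tabular form. The following Python script is an added example, not part of the lecture slides; the incompatible-duty pairs, staff, projects and compensating controls are constructed sample data, and the pair list is an assumed typical set rather than the course's official one.

```python
# Added example (not from the lecture slides): screen role assignments for
# incompatible IT duties and check that maintenance programmers on a project
# were not also its original designers. All data below is constructed.
from itertools import combinations

# Assumption: a typical set of incompatible duty pairs, not the course's list.
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "database_administration"}),
    frozenset({"computer_operations", "data_library"}),
    frozenset({"systems_maintenance", "computer_operations"}),
}

# Constructed sample: duties per person, as taken from job descriptions.
STAFF_DUTIES = {
    "alice": {"systems_development"},
    "bob": {"computer_operations", "data_library"},
    "carol": {"database_administration"},
    "dave": {"systems_maintenance"},
    "erin": {"systems_development", "computer_operations"},
}

# Constructed sample: design vs maintenance assignments from maintenance records.
PROJECTS = {
    "payroll": {"designers": {"alice"}, "maintainers": {"dave"}},
    "billing": {"designers": {"dave", "alice"}, "maintainers": {"dave"}},
}

# Constructed sample: documented compensating controls for accepted conflicts.
COMPENSATING_CONTROLS = {
    ("bob", frozenset({"computer_operations", "data_library"})):
        "supervisory review of data library log",
}


def find_duty_conflicts(staff_duties, incompatible=INCOMPATIBLE_PAIRS):
    """Return {(person, frozenset(pair))} for every incompatible pair one person holds."""
    conflicts = set()
    for person, duties in staff_duties.items():
        for a, b in combinations(sorted(duties), 2):
            pair = frozenset({a, b})
            if pair in incompatible:
                conflicts.add((person, pair))
    return conflicts


def find_design_maintenance_overlap(projects):
    """Return {(project, person)} where a maintainer also designed the system."""
    return {(name, p) for name, roles in projects.items()
            for p in roles["designers"] & roles["maintainers"]}


def uncompensated_conflicts(conflicts, controls=COMPENSATING_CONTROLS):
    """Conflicts with no documented compensating control: these go in the audit report."""
    return {c for c in conflicts if c not in controls}


if __name__ == "__main__":
    found = find_duty_conflicts(STAFF_DUTIES)
    for person, pair in sorted(found):
        status = "compensated" if (person, pair) in COMPENSATING_CONTROLS else "EXCEPTION"
        print(f"{person}: {' + '.join(sorted(pair))} [{status}]")
    for project, person in sorted(find_design_maintenance_overlap(PROJECTS)):
        print(f"{project}: {person} both designed and maintains [EXCEPTION]")
```

Only the uncompensated conflicts and the design/maintenance overlaps become audit exceptions; a conflict with a documented compensating control is reported but not raised, which is the distinction the second bullet draws.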
IT FUNCTION AUDIT
Audit procedures:
Verify access controls are properly established
Verify that computer operators do not have access to the operational details of a program’s logic
Systems documentation such as flowcharts and program code listings should not be part of the operator’s documentation
Through observation, determine that the segregation policy is being followed in practice
e.g. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures
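The access-log review in the last bullet is a correlation: every programmer entry into the operations room should line up with a recorded system failure. The Python script below is an added example, not from the lecture slides; the badge-reader log lines and the incident windows are constructed sample input, and the 15-minute grace period around each incident is an assumed tolerance.

```python
# Added example (not from the lecture slides): flag programmer entries into the
# operations room that do not coincide with a logged system failure.
# The log and incident list are constructed sample data.
from datetime import datetime, timedelta

# Constructed badge-reader export: timestamp,badge_id,role,event
ACCESS_LOG = """\
2016-10-03T08:05:00,1001,operator,entry
2016-10-03T09:40:00,2002,programmer,entry
2016-10-03T14:15:00,2003,programmer,entry
2016-10-04T02:10:00,2002,programmer,entry
2016-10-04T11:00:00,2002,programmer,entry
"""

# Constructed help-desk records of system failures: (start, end)
INCIDENTS = [
    (datetime(2016, 10, 3, 9, 30), datetime(2016, 10, 3, 10, 30)),
    (datetime(2016, 10, 4, 1, 45), datetime(2016, 10, 4, 3, 0)),
]

# Assumption: entries shortly before/after an incident window still count as related.
GRACE = timedelta(minutes=15)


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime for the timestamp."""
    rows = []
    for line in text.strip().splitlines():
        ts, badge, role, event = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                     "role": role, "event": event})
    return rows


def covered_by_incident(ts, incidents, grace=GRACE):
    """True if ts falls inside any incident window, widened by the grace period."""
    return any(start - grace <= ts <= end + grace for start, end in incidents)


def unexplained_programmer_entries(log_text, incidents):
    """Programmer entries (badge, timestamp) with no system failure to explain them."""
    return [(r["badge"], r["ts"]) for r in parse_log(log_text)
            if r["role"] == "programmer" and r["event"] == "entry"
            and not covered_by_incident(r["ts"], incidents)]


if __name__ == "__main__":
    for badge, ts in unexplained_programmer_entries(ACCESS_LOG, INCIDENTS):
        print(f"follow up: badge {badge} entered operations room at {ts:%Y-%m-%d %H:%M} "
              "with no open system failure")
```

Each flagged entry is a question for the auditor to follow up with the programmer and the operations supervisor, not a finding in itself; the script only narrows the log down to the entries the segregation policy does not explain.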
THE COMPUTER CENTER
5. Fire suppression
Fire is the most serious threat. An organization can go out of business due to destruction of critical records and equipment
The fire suppression system should have:
o Automatic and manual alarms at strategic locations with sound and visible lights. Alarms should be connected to permanently staffed fire-fighting stations
o Automatic fire extinguishing equipment (with power-off switch) that uses the correct type of suppressant, one that does not destroy equipment
o Spraying water or certain chemicals on a computer destroys it and damages it just like the fire. Gas, such as Halon, that will smother fire by
removing oxygen can also kill and damage the environment
o Make sure your detection system is tuned not to react to possible false alarms caused by other components in your data center.
o Manual fire extinguishers should be placed at strategic locations
o Fire exits clearly marked and illuminated during fire
THE COMPUTER/DATA CENTER
6. Power supply
o Need for clean power at an acceptable level (to avoid brownouts and power fluctuations). Use voltage regulators and surge protectors
o Install Uninterruptible Power Supply (UPS) units with backup batteries; also consider having a generator for long periods without power
7. Fault tolerance
o Ability of a system to continue operation when part of the system fails, e.g. hardware failure, application program or operator errors
o Have redundant hardware and disk storage, e.g. RAID, which uses parallel disks that contain redundant elements; if one disk fails the lost data can be automatically reconstructed from components stored on the other disks
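The RAID reconstruction the bullet describes rests on XOR parity: one parity chunk per stripe is the XOR of the data chunks, so any single missing chunk equals the XOR of all the survivors. The Python script below is an added example, not from the lecture slides, modelling a RAID-4-style layout (parity on a dedicated disk; real RAID 5 rotates parity across disks, which does not change the arithmetic). The sample data is constructed.

```python
# Added example (not from the lecture slides): single-parity RAID in miniature.
# Parity sits on a dedicated last disk (RAID 4 layout); RAID 5 rotates it.


def xor_bytes(*chunks):
    """XOR equal-length byte chunks together."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def split_into_stripes(data, ndata, chunk):
    """Zero-pad data and lay it out as stripes of `ndata` chunks of `chunk` bytes."""
    padded = data + b"\x00" * (-len(data) % (ndata * chunk))
    stripes = []
    for i in range(0, len(padded), ndata * chunk):
        block = padded[i:i + ndata * chunk]
        stripes.append([block[j:j + chunk] for j in range(0, len(block), chunk)])
    return stripes


def write_array(data, ndata=3, chunk=4):
    """Return ndata+1 disks (lists of chunks); the last disk holds stripe parity."""
    disks = [[] for _ in range(ndata + 1)]
    for stripe in split_into_stripes(data, ndata, chunk):
        for d, c in enumerate(stripe):
            disks[d].append(c)
        disks[ndata].append(xor_bytes(*stripe))
    return disks


def rebuild_disk(disks):
    """Reconstruct the one disk marked None from the XOR of all survivors.

    Single parity tolerates exactly one failure; with two or more missing disks
    the parity equation has more than one unknown and the data is lost.
    """
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise ValueError(f"single parity can rebuild exactly 1 disk, {len(missing)} missing")
    survivors = [d for d in disks if d is not None]
    return missing[0], [xor_bytes(*chunks) for chunks in zip(*survivors)]


def read_array(disks, ndata, length):
    """Reassemble the original bytes from the data disks (parity disk ignored)."""
    stripes = len(disks[0])
    return b"".join(disks[d][s] for s in range(stripes) for d in range(ndata))[:length]


def survive_single_failure(data, failed, ndata=3, chunk=4):
    """Write data, lose one disk, rebuild it, and read the array back."""
    disks = write_array(data, ndata, chunk)
    disks[failed] = None            # simulate the disk failure
    idx, rebuilt = rebuild_disk(disks)
    disks[idx] = rebuilt
    return read_array(disks, ndata, len(data))


if __name__ == "__main__":
    sample = b"audit trail must survive one disk failure"   # constructed input
    for failed in range(4):
        assert survive_single_failure(sample, failed) == sample
    print("rebuilt after losing each of the 4 disks in turn")
```

The `rebuild_disk` guard is the practical caveat behind the slide's wording: "if one disk fails" is exact, and a second failure before the rebuild completes defeats single-parity RAID, which is why RAID is fault tolerance and not a substitute for the data backups covered under disaster recovery.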
Audit objectives
Verify physical security controls are adequate to reasonably protect the organization from physical exposure
Verify that insurance coverage on equipment is adequate to compensate the organization for destruction of, or damage to, the computer center
Audit procedures
Tests of physical construction
o Check architectural plans, check if the room is built of fireproof material, adequate drainage under raised floor.
o Check physical location against hazards: fire, civil unrest etc.
[Figure: types of disaster – Tornado; Sabotage; Human-Made; Error; Power Outage; O/S Crash/Lock]
2. Create Disaster Recovery Team – Select team members, write job descriptions, describe the recovery process in terms of who does what.
3. Site Backup – a backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact where a similar business or branch of the same company swap availability when needed.
4. Hardware Backup – Some vendors provide computers with their site – known as a hot site or Recovery Operations Center. Some do not provide hardware – known as a cold site. When not available, make sure the plan accommodates compatible hardware (e.g., ability to lease computers).
5. System Software Backup – Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the backup site.
7. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies – A modest inventory of supplies should be at the backup site or be able to be delivered quickly.
10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).
DISASTER RECOVERY PLANNING
Major concerns:
Identify critical applications and concentrate on restoring those that are critical to the short-term operations of the organization
o The plan should focus on short-term survival. In the long run all applications will need to be restored
o This may lead to a focus on functions that generate cash flows, e.g. customer sales and service, fulfillment of legal obligations, accounts receivable, production and distribution decisions, purchasing and cash disbursements
o The needs may change over time, thus the plan needs to be updated
Disaster Recovery Team
o Task responsibility must be clearly defined and communicated.
o Team members should be experts in their tasks/areas
DISASTER RECOVERY PLANNING
Major concerns:
Physical Security and Information Security
Disaster Recovery Team staff:
o Senior Management e.g. COO
o HR/Personnel Manager
o Facilities Group: Managers and Maintenance staff
o Fire and Safety Officer
o IT Staff – System administrators, Backup and Restore staff
o Network and Communication staff
Main roles will be to:
o Prepare backup site for operation
o Provide current versions of software, restore systems and data
o Account for the organization staff and co-ordinate them
o Secure access to premises and data in disaster
DISASTER RECOVERY PLANNING
Empty shell
Also known as cold site
The company buys or leases a building and remodels it into a computer site but without computer equipment
Management obtains contracts with hardware vendors so that in the event of a disaster the vendor will give the company the needed equipment on priority
Weakness: timely availability of equipment to restore processing isn't guaranteed
SECOND-SITE BACKUPS
Recovery Operations Center (ROC)
It’s a hot site
A fully equipped site; very costly and typically shared among many companies
It can be offered as a service by a ROC provider
o 9/11 was a true test of the ROC approach, e.g. Comdisco, which had 47 clients on their facilities from ROC contractual agreements. Over 3,000 employees worked from their site and thousands of computers were configured for clients within the first 24 hours
Weakness would be problems in overstretched facilities if a disaster hits many companies
o Management should consider problems of overcrowding and geographic clustering of current ROC client membership even before a disaster
SECOND-SITE BACKUPS
Audit Objective
o Verify management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources
3. Software Backup
Verify copies of critical applications and OS are stored offsite.
Compare version numbers with those in actual use
4. Data backup
Verify critical data files are backed up in accordance with DRP
5. Backup Supplies, Documents and Documentation
Verify that documentation and supplies of adequate amount are stored off-site
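Procedures 3 and 4 above are two reconciliations: the offsite software copies against the versions actually in use, and the age of each critical data file's offsite copy against the frequency the DRP demands. The Python script below is an added example, not from the lecture slides; the production inventory, offsite vault listing, DRP frequencies and copy dates are constructed sample data.

```python
# Added example (not from the lecture slides): reconcile offsite software and
# data backups against what is in use and what the DRP requires.
# All inventories and dates below are constructed sample data.
from datetime import date

# Constructed: software in production use, name -> version (from the system inventory)
IN_USE = {"general_ledger": "4.2.1", "payroll": "7.0.3", "os_image": "2016.09"}

# Constructed: contents of the offsite vault, name -> version on the stored media
OFFSITE = {"general_ledger": "4.2.1", "payroll": "6.9.0"}

# Constructed: DRP-required backup interval in days per critical data file
DRP_FREQUENCY_DAYS = {"gl_data": 1, "payroll_data": 7, "ar_data": 1}

# Constructed: date of the most recent copy received offsite per data file
LAST_OFFSITE_COPY = {"gl_data": date(2016, 10, 4), "payroll_data": date(2016, 9, 20)}


def software_backup_exceptions(in_use, offsite):
    """Critical applications/OS with no offsite copy or a version that differs from production."""
    exceptions = {}
    for name, version in in_use.items():
        stored = offsite.get(name)
        if stored is None:
            exceptions[name] = "no offsite copy"
        elif stored != version:
            exceptions[name] = f"offsite version {stored} differs from version in use {version}"
    return exceptions


def data_backup_exceptions(frequency_days, last_copy, as_of):
    """Critical data files whose latest offsite copy is older than the DRP interval."""
    exceptions = {}
    for name, interval in frequency_days.items():
        last = last_copy.get(name)
        if last is None:
            exceptions[name] = "never copied offsite"
            continue
        age = (as_of - last).days
        if age > interval:
            exceptions[name] = f"last offsite copy is {age} days old; DRP requires every {interval} days"
    return exceptions


def drp_backup_report(as_of):
    """Combine both checks into one dict of exceptions for the audit working papers."""
    report = {}
    report.update({f"software:{k}": v for k, v in software_backup_exceptions(IN_USE, OFFSITE).items()})
    report.update({f"data:{k}": v for k, v in
                   data_backup_exceptions(DRP_FREQUENCY_DAYS, LAST_OFFSITE_COPY, as_of).items()})
    return report


if __name__ == "__main__":
    for item, reason in sorted(drp_backup_report(date(2016, 10, 5)).items()):
        print(f"{item}: {reason}")
```

Matching version strings only shows that the right release is offsite; it does not show the media is readable, which is why the DRP step on testing the restore function is still needed after this reconciliation passes.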
DRP AUDIT PROCEDURES
Read COSO’s thought leadership paper on “Enterprise Risk Management for cloud computing”.
Consider the following issues it addresses:
Definition of cloud computing
Common deployment and service delivery models
Benefits of cloud computing
Risks associated with cloud computing
Changes in business environment
COSO’s ERM framework for cloud computing
Recommended risk responses to cloud computing
SUMMARY