
AUDITING IT GOVERNANCE CONTROLS

FIC-4030-INFORMATION SYSTEMS AUDITING-03-IT GOVERNANCE BCHESOLI 10/5/2016 1


AUDITING IT GOVERNANCE CONTROLS

At the end of this session, participants will be able to understand and appreciate:
Understand the risks of incompatible functions and how to structure the IT
function
Be familiar with controls and precautions required to ensure security of an
organization’s computer facilities
Understand key elements of a Disaster Recovery Plan
Be familiar with the benefits, risks and audit issues related to IT outsourcing
IT GOVERNANCE

IT governance is a subset of corporate governance that focuses on the management and assessment of strategic IT resources
Key objectives:
o Reduce risk and
o Ensure that investments in IT resources add value to the corporation.
It emphasizes that all corporate stakeholders, including the board of directors, are involved in key IT decisions
IT GOVERNANCE CONTROLS

Three IT governance issues are addressed by SOX and the COSO internal control framework:
o Organizational Structure of the IT function
o Computer Center Operations
o Disaster Recovery Planning



STRUCTURE OF THE IT FUNCTION



STRUCTURING THE IT FUNCTION

The organization of the IT function has implications for the nature and effectiveness of internal controls, which in turn has implications for the audit.
Two organizational models
o Centralized IT Function
o Distributed IT Function



CENTRALIZED IT FUNCTION



CENTRALIZED IT FUNCTION
CENTRALIZED DATA PROCESSING MODEL

All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
IT services are consolidated and managed as a shared organization resource.



CENTRALIZED IT FUNCTION

[Figure 2-1: Centralized data processing. Labels in the figure: IT services at the center; Marketing, Finance, Production, Distribution and Accounting as user functions; flows labelled Information, Data and Cost Chargeback.]


CENTRALIZED IT FUNCTION



CENTRALIZED IT FUNCTION
CENTRALIZED DATA PROCESSING MODEL

Database Administrator (DBA)
Centralized location for maintaining data resources
The DBA is responsible for the security and integrity of the database
Data Processing:
Manages the resources used to perform day-to-day processing of transactions
Data preparation/conversion
Computer operations
Data library (storage of off-line data files)


CENTRALIZED IT FUNCTION
CENTRALIZED DATA PROCESSING MODEL
Systems Development and Maintenance
System Developers
Analyze user needs
Design new systems to meet those needs (the solution)
Participants
End users (for whom the system is built)
IS professionals (analysts, designers, developers/programmers)
Other stakeholders, e.g. auditors (who oversee the SAD process)

System Maintenance
Assumes responsibility for keeping developed systems operational and in line with current user needs
Maintenance staff may make changes in program logic to accommodate shifts in user needs over time
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS

Remember the COSO objectives:
o Segregate transaction authorization from transaction processing
o Segregate record keeping from asset custody
o Divide transaction processing steps among individuals so that perpetrating fraud requires collusion
Since IT applications tend to combine these functions, the focus of segregation moves to the interrelationships between systems development, maintenance, database administration and computer operations activities
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS

Separate Systems Development from Computer Operations
o This is of greatest importance
o Systems development professionals should not be involved in entering data or running applications
o Operations staff should run the systems and have no involvement in their design and development
With detailed knowledge of an application's logic and controls, plus access to the application system and utilities, an individual could make unauthorized changes during program operation
Such on-the-fly changes may not leave a trace
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
Separating Database Administration from other Computer Center functions
o The DBA is responsible for several critical tasks:
o Database security
o Creating database schema and user views
o Assigning database access authority to users
o Monitoring database usage
o Planning for future changes
Delegating these to others who perform incompatible tasks threatens database integrity
The DBA function should be independent of operations, systems development and maintenance
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
Segregate Systems Development from Maintenance
o This is a better organizational structure
o Two types of improvements from this approach:
o Better documentation standards
o Necessary for the transfer of responsibility
o Deters fraud by
Denying the original programmer future access to the program
If fraudulent code was introduced at development, it is likely to be discovered during maintenance
Greater possibility of being discovered

o The success of this control depends on the existence of other controls that limit, prevent and detect unauthorized access to programs (such as source code)
DISTRIBUTED MODEL



DISTRIBUTED MODEL
The Distributed Data Processing (DDP) model involves reorganizing the central IT function into small IT units placed under the control of end users. They may be distributed in terms of
o Business function
o Geographic location, or both
Alternative A: Variant of the Centralized Model
o End users are empowered to handle data and processing on their own machines. They use powerful machines (PCs)
o However, Systems Development, Computer Operations (in server rooms) and Database Administration remain centralized
DISTRIBUTED MODEL

Alternative B: Decentralized/Network
o Significant departure from the centralized model
o Distributes all computer services to end users, where they operate as stand-alone units
o The result is the elimination of the central IT function from the organizational structure
o The network permits communication and data transfers between the units
o All data processing tasks move to end-user areas
DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP

This section focuses on the important issues that carry control implications auditors should recognize
Potential problems include:
1. Inefficient use of resources
2. Destruction of audit trails
3. Inadequate segregation of duties
4. Hiring qualified professionals
5. Lack of standards
DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP

Inefficient use of resources
o Risk of mismanagement of resources by end users
If organization-wide IT resources exceed a given threshold (e.g. 5%) of the operations budget, effective IT governance requires centralized management of those resources
Risk of operational inefficiencies due to redundant tasks
o There is duplication of effort across the organization instead of benefiting from the work of others, e.g. software developed more than once, and data duplication leading to issues in data accuracy and consistency
Risk of incompatible hardware and software
o Responsibility for IT purchases is left to end users, leading to uncoordinated, poorly conceived decisions, dissimilar technologies and different vendors
o This disrupts co-ordination and connectivity within the organization
DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP

Destruction of audit trails
o In DDP, audit trails reside in part or entirely on end-user computers. Should a user delete or tamper with the files, the audit trail could be destroyed, corrupted or unrecoverable
o Audit trails provide the linkage between a company’s financial activities (transactions) and its financial statements. Auditors rely on them to trace selected transactions when providing attestation services
Inadequate segregation of duties
There would be a shortfall in human resources and one person could end up performing multiple roles. The same person would program, do maintenance, enter data and operate the server room


DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP
Hiring qualified professionals
o End-user managers may lack the IT knowledge needed to evaluate the technical credentials and relevant experience of candidates applying for IT positions
o Also, since units are small, there would be limited opportunity for growth, continuing education and promotion in a small IT function
o It would be hard to attract highly qualified IT staff; less qualified IT staff bring an increased potential for errors and system failures
Lack of standards
o Due to the distribution of responsibility, standards for documentation, programming languages, acquiring hardware and software and evaluating performance may be unevenly applied or inconsistent
THE DISTRIBUTED MODEL - ADVANTAGES
Advantages of DDP
1. Cost reduction
o No need to invest in large data centers and expensive systems. The unit cost of systems and technology is much lower now
o Use powerful, inexpensive PCs and minicomputers
o End-user data entry instead of a data control group
o Application complexity reduced
o Development and maintenance costs reduced

2. Improved cost control responsibility
o End-user managers carry responsibility for the financial success of their operations. DDP empowers them to have better control over the financing and success of IT implementation
THE DISTRIBUTED MODEL - ADVANTAGES
3. Improved user satisfaction
(1) Users desire to be in control, (2) system professionals (analysts, programmers, operators) are more responsive to their specific needs and (3) users participate more in developing and implementing their systems, leading to increased morale and productivity
4. Backup flexibility
In the centralized model the effective way is to provide another disaster recovery site (a second computer facility)
Geographically distributed sites can be designed with excess capacity to provide disaster recovery for other sites
This requires close co-ordination between managers so that they do not implement incompatible hardware/software
THE DISTRIBUTED MODEL - CONTROLLING

Controlling the DDP environment
There is a need for careful analysis before choosing and implementing the DDP model
Some organizations get into it without careful consideration and find it hard to move out of it
Careful planning and implementation can mitigate the risks previously discussed
The completely centralized model and the distributed model represent extreme positions. The needs of most firms fall somewhere along the continuum between them
There can be several improvements to the model by implementing a Corporate IT Function
CORPORATE IT FUNCTION
Implement a Corporate IT function
Technical IT advice and expertise to the whole organization
With better and more specialized skills than end users would have
Central systems development and database management
Centralized acquisition, testing, and implementation of commercial software and hardware
This resolves many incompatibility issues and the best solutions emerge
User services through a help desk for technical support, FAQs on blogs/intranet, chat room, etc. Training of end users
Standard-setting body - central guidance on standards for system development, programming, documentation and hardware
Personnel review - better able to evaluate the credentials/expertise of potential IT staff even if the staff will be in decentralized offices
AUDITING THE IT FUNCTION



IT FUNCTION AUDIT

Audit objectives:
Conduct a risk assessment to:
o Verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment
Formal rather than casual relationships need to exist between incompatible functions
o Verify that the distributed IT units employ entity-wide standards of performance that promote compatibility among hardware, operating software, applications, and data
IT FUNCTION AUDIT
Audit procedures:
Verify that corporate policies and standards are communicated
Review relevant documentation, including the current organization chart, mission statement and key job descriptions, to determine if any incompatible duties exist
o Verify compensating controls are in place where incompatible duties do exist and segregation is economically infeasible
Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers
IT FUNCTION AUDIT
Audit procedures:
Verify that access controls are properly established
Verify that computer operators do not have access to the operational details of a program’s logic
Systems documentation such as flowcharts and program code listings should not be part of the operator’s documentation
Through observation, determine that the segregation policy is being followed in practice
e.g. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures
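The two cross-checks in these audit procedures (maintenance programmers versus original designers, and programmer entries in the operations room access log versus logged system failures), as an added example that is not part of the lecture slides. It is a Python script run over constructed sample records; the record layouts, names and dates are assumptions made for illustration.

```python
"""Added example, not from the lecture slides: two segregation-of-duties
cross-checks an IS auditor can script over constructed sample records.
Check 1 follows the procedure "maintenance programmers assigned to a project
must not be the original design programmers".
Check 2 follows "review operations room access logs for programmers entering
for reasons other than system failures": each programmer entry is matched
against the help-desk incident log, not against the purpose the visitor wrote.
All names, dates and record layouts below are constructed for illustration."""
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M"

# Constructed: systems documentation (design team) and current maintenance
# assignments for a sample of applications.
APPLICATIONS = {
    "Payroll": {"designers": {"alice", "bob"}, "maintainers": {"carol"}},
    "GeneralLedger": {"designers": {"dave"}, "maintainers": {"dave", "erin"}},
    "Receivables": {"designers": {"frank"}, "maintainers": {"grace"}},
}

# Constructed: job roles taken from the organization chart / job descriptions.
ROLES = {
    "alice": "programmer", "bob": "programmer", "carol": "programmer",
    "dave": "programmer", "erin": "programmer", "frank": "programmer",
    "grace": "programmer", "hank": "operator", "ivy": "operator",
}

# Constructed: operations room keycard log, one "timestamp,user,purpose" per line.
ACCESS_LOG = """\
2016-05-09 08:02,hank,shift start
2016-05-09 09:15,alice,tape change
2016-05-09 14:40,dave,respond to batch failure
2016-05-10 03:10,erin,restart server
2016-05-10 10:00,ivy,shift start
"""

# Constructed: help-desk incident log of system failures, as (start, end).
FAILURE_WINDOWS = [("2016-05-09 14:30", "2016-05-09 16:00")]


def check_design_vs_maintenance(apps):
    """Return (application, person) pairs where a current maintainer is also
    one of the application's original designers: a segregation exception."""
    findings = []
    for app, teams in sorted(apps.items()):
        for person in sorted(teams["designers"] & teams["maintainers"]):
            findings.append((app, person))
    return findings


def check_programmer_room_access(log_text, roles, windows, grace_minutes=0):
    """Return access-log entries where a programmer entered the operations room
    outside every logged failure window. Operators are expected in the room and
    are skipped. grace_minutes lets an entry shortly before an incident was
    logged still count as a response to it."""
    grace = timedelta(minutes=grace_minutes)
    spans = [(datetime.strptime(s, TIME_FMT), datetime.strptime(e, TIME_FMT))
             for s, e in windows]
    exceptions = []
    for line in log_text.splitlines():
        ts, user, purpose = line.split(",", 2)
        if roles.get(user) != "programmer":
            continue
        entered = datetime.strptime(ts, TIME_FMT)
        covered = any(start - grace <= entered <= end for start, end in spans)
        if not covered:
            # The stated purpose is kept for the working papers but never trusted.
            exceptions.append((ts, user, purpose))
    return exceptions


if __name__ == "__main__":
    for app, person in check_design_vs_maintenance(APPLICATIONS):
        print(f"SoD exception: {person} designed and now maintains {app}")
    for ts, user, purpose in check_programmer_room_access(
            ACCESS_LOG, ROLES, FAILURE_WINDOWS):
        print(f"Access exception: {user} at {ts} (stated purpose: {purpose})")
```

Every exception the script lists is a lead for follow-up with management, not a finding on its own; the auditor still corroborates it against the job descriptions and incident records.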
THE COMPUTER CENTER



THE COMPUTER/DATA CENTER
The auditor should examine the physical environment of the computer center as part of the annual audit
The objectives of this section are to review:
Computer center risks
Controls put in place to mitigate risk and create a secure environment
1. Physical location
Risk of destruction due to natural or man-made disaster
Should be away from human-made and natural hazards, e.g. gas/water pipes, high-crime areas, flood plains, geological fault lines
It should be away from normal human traffic, e.g. on the top floor of a building or in a separate self-contained building
Locating it in a basement increases the risk of floods
THE COMPUTER/DATA CENTER
2. Construction
o Ideally: single-story building with controlled access
o Underground telephone, power and network utilities
o Windowless, or windows that do not open
o Use air filters to remove pollen, dust and insects
o In a multi-storey building, use the top floor (away from traffic flows and potential flooding in a basement)
3. Access
o Limited access
o Physical: locked doors, access using keycard or swipe card, monitoring by CCTV cameras and a video recording system
o Manual: maintain an accurate access log of visitors and personnel who enter to perform any maintenance or administrative work
o Fire exits should have alarms
THE COMPUTER/DATA CENTER
4. Air conditioning
An air-conditioned environment is essential for machines to function properly
o They need cool air to prevent logic errors in hardware
o It prevents damage from static electricity in low humidity
o It prevents mold, and paper products swelling, in high humidity
Temperature: 20 – 23 degrees Celsius
Humidity: 50%
Heat is generated by the machines themselves, so in designing the AC requirements it is good to know the capacity of the computer center
THE COMPUTER/DATA CENTER

5. Fire suppression
Fire is the most serious threat. An organization can go out of business due to the destruction of critical records and equipment
The fire suppression system should have:
o Automatic and manual alarms at strategic locations with sound and visible lights. Alarms should be connected to permanently staffed fire-fighting stations
o Automatic fire extinguishing equipment (with power-off switch) that uses the correct type of suppressant, one that does not destroy equipment
o Spraying water or certain chemicals on a computer destroys and damages it just like the fire. Gas, such as Halon, that smothers fire by removing oxygen can also kill and damage the environment
o Make sure your detection system is tuned not to react to possible false alarms caused by other components in your data center
o Manual fire extinguishers should be placed at strategic locations
o Fire exits clearly marked and illuminated during a fire
THE COMPUTER/DATA CENTER
6. Power supply
o Need for clean power at an acceptable level (to avoid brownouts and power fluctuations). Use voltage regulators and surge protectors
o Install Uninterruptible Power Supply (UPS) units with backup batteries; also consider having a generator for long periods without power
7. Fault tolerance
o Ability of a system to continue operation when part of the system fails, e.g. hardware failure, application program or operator errors
o Have redundant hardware and disk storage, e.g.
o RAID, which uses parallel disks that contain redundant elements; if one disk fails, the lost data can be automatically reconstructed from components stored on the other disks
o UPS and different power supplies
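The parity mechanism behind the RAID point above, as an added example that is not from the slides: a small Python model of a RAID-5 style array with rotating XOR parity that loses one disk outright, rebuilds it from the survivors, and shows that a simultaneous loss of two disks cannot be rebuilt. The layout, block size and helper names are assumptions for illustration.

```python
"""Added example, not from the lecture slides: a minimal model of the RAID
mechanism described above. Data is striped across n disks with one XOR parity
block per stripe (RAID-5 style, parity position rotating per stripe). When any
single disk is lost, every missing block is the XOR of the surviving blocks in
its stripe, so the disk can be rebuilt. Two simultaneous losses cannot be
rebuilt by this scheme, which is the gap an auditor weighs against the risk of
disk failure. The layout and helper names are my own assumptions."""


def xor_blocks(blocks):
    """XOR equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe, n_disks):
    """Rotate the parity block across disks so no single disk is a parity hotspot."""
    return (n_disks - 1 - stripe) % n_disks


def build_array(data, n_disks=4, block_size=4):
    """Stripe data across the disks; disks[d][s] is disk d's block in stripe s."""
    data_blocks_per_stripe = n_disks - 1
    chunk = data_blocks_per_stripe * block_size
    disks = [[] for _ in range(n_disks)]
    for stripe, start in enumerate(range(0, len(data), chunk)):
        piece = data[start:start + chunk].ljust(chunk, b"\0")  # pad last stripe
        blocks = [piece[i * block_size:(i + 1) * block_size]
                  for i in range(data_blocks_per_stripe)]
        parity = xor_blocks(blocks)
        remaining = iter(blocks)
        p = parity_disk_for(stripe, n_disks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(remaining))
    return disks


def reconstruct_disk(disks):
    """Rebuild the one disk marked None from the survivors. Because the parity
    block is the XOR of the data blocks, the XOR of all blocks in a stripe is
    zero, so the missing block (data or parity) is the XOR of the rest."""
    if disks.count(None) != 1:
        raise ValueError("single-parity RAID can rebuild exactly one lost disk")
    survivors = [d for d in disks if d is not None]
    n_stripes = len(survivors[0])
    return [xor_blocks([d[s] for d in survivors]) for s in range(n_stripes)]


def read_data(disks, data_len):
    """Read the logical data back, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for stripe in range(len(disks[0])):
        p = parity_disk_for(stripe, n_disks)
        for d in range(n_disks):
            if d != p:
                out += disks[d][stripe]
    return bytes(out[:data_len])


def recover_after_disk_loss(data, failed, n_disks=4, block_size=4):
    """Build the array, lose one disk outright, rebuild it and read back."""
    disks = build_array(data, n_disks, block_size)
    disks[failed] = None
    disks[failed] = reconstruct_disk(disks)
    return read_data(disks, len(data))


def survives_double_loss(data, n_disks=4, block_size=4):
    """Show the limit: losing two disks at once defeats single parity."""
    disks = build_array(data, n_disks, block_size)
    disks[0] = disks[1] = None
    try:
        reconstruct_disk(disks)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    record = b"AUDIT TRAIL RECORD 0001"  # constructed sample data
    for lost in range(4):
        assert recover_after_disk_loss(record, lost) == record
    print("rebuilt after any single disk loss; double loss recoverable:",
          survives_double_loss(record))
```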


AUDITING THE COMPUTER/DATA CENTER



THE COMPUTER/DATA CENTER - AUDIT

Audit objectives
Verify that physical security controls are adequate to reasonably protect the organization from physical exposure
Verify that insurance coverage on equipment is adequate to compensate the organization for destruction of, or damage to, the computer center


THE COMPUTER/DATA CENTER - AUDIT

Audit procedures
Tests of physical construction
o Check architectural plans; check whether the room is built of fireproof material and has adequate drainage under the raised floor
o Check the physical location against hazards: fire, civil unrest, etc.
Tests of the fire detection system
o Check that the detection and suppression equipment is in place and has been tested regularly
o The system should detect smoke, heat and flames
o Review the official fire marshal record of tests
THE COMPUTER/DATA CENTER - AUDIT
Audit procedures
Tests of access control
o Establish that routine access is restricted to authorized employees
o Details of access, e.g. arrival and departure times, purpose and frequency of access, are captured in the log
o The auditor should observe the process, e.g. from video cameras
Tests of operator documentation controls
o Review that operational maintenance and administrative tasks are fully logged, for routine tasks and system failures
THE COMPUTER/DATA CENTER - AUDIT
Audit procedures
Tests for fault tolerance
o Check the RAID configuration and determine whether the level used is adequate for the organization given the level of risk of disk failure
o Check with system administrators that the fault tolerance of servers and critical infrastructure is adequate
Tests of Uninterruptible Power Supply
o Check that it is operational
o Check that it has sufficient capacity to run the computer and AC equipment. It is likely that the number of devices on the UPS has increased since it was installed, so the load should be tested. The organization could outgrow its backup supply capacity
THE COMPUTER/DATA CENTER - AUDIT
Audit procedures
Tests for insurance coverage
o Review annual insurance coverage on the hardware, software and physical facility
o Verify that new acquisitions are listed and old ones removed
o It should reflect management’s needs in terms of compensation
DISASTER RECOVERY PLANNING



DISASTER RECOVERY PLANNING
Disasters, e.g. earthquakes, floods, sabotage or power failures, can be catastrophic to an organization
They can be classified as:
o Natural
o Human-made
o System failures

They deprive an organization of its data processing facilities and could halt the business functions aided by those facilities and hinder its ability to deliver its products and services
o It loses the ability to do business


DISASTER RECOVERY PLANNING
[Figure: classification of disasters]
Disaster
o Natural: Fire, Flood, Tornado
o Human-Made: Sabotage, Error
o System Failure: Power Outage, Drive Failure, O/S Crash/Lock


DISASTER RECOVERY PLANNING
The more dependent the organization is on technology, the more susceptible it is to these risks
o Some risks cannot be prevented. What is key is how well the organization is prepared to respond to and recover from them
Disaster recovery plans (DRP) identify actions before, during, and after the disaster
They address the following 4 things:
Identify critical applications and priorities for restoring them, as advised by management
Create a disaster recovery team
Provide site backup
Specify backup and off-site storage procedures
Disaster Recovery Plan
1. Critical Applications – Rank critical applications so that an orderly and effective restoration of computer systems is possible.
2. Create Disaster Recovery Team – Select team members, write job descriptions, and describe the recovery process in terms of who does what.
3. Site Backup – A backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or branch of the same company swaps availability when needed.
4. Hardware Backup – Some vendors provide computers with their site – known as a hot site or Recovery Operations Center. Some do not provide hardware – known as a cold site. When not available, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).
5. System Software Backup – Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the backup site.
7. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies – A modest inventory of supplies should be at the backup site or be able to be delivered quickly.
9. Documentation – An adequate set of copies of user and system documentation.
10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).
DISASTER RECOVERY PLANNING
Major concerns:
Identify critical applications and concentrate on restoring those that are critical to the short-term operations of the organization
o The plan should focus on short-term survival. In the long run all applications will need to be restored
o This may lead to a focus on functions that generate cash flows, e.g. customer sales and service, fulfillment of legal obligations, accounts receivable, production and distribution decisions, purchasing and cash disbursements
o The needs may change over time, thus the plan needs to be updated
Disaster Recovery Team
o Task responsibility must be clearly defined and communicated
o Team members should be experts in their tasks/areas
DISASTER RECOVERY PLANNING
Major concerns:
Physical Security and Information Security
Disaster Recovery Team staff
Senior Management, e.g. COO
HR/Personnel Manager
Facilities Group: Managers and Maintenance staff
Fire and Safety Officer
IT Staff – System administrators, Backup and Restore staff
Network and Communication staff
Main roles will be to:
o Prepare the backup site for operation
o Provide current versions of software, restore systems and data
o Account for the organization's staff and co-ordinate them
o Secure access to premises and data in a disaster
DISASTER RECOVERY PLANNING

Major concerns:
Second-site backup facilities
Back-up and off-site storage procedures
o Operating System backup: software and licensing
o Application backup: esp. of critical applications
o Data backup: of database and data files
o System documentation backup
o Office supplies & source documents (invoices, POs, forms) backup
Testing the DRP regularly
o This is one of the most neglected aspects of DRP
o Simulate a surprise disruption and check the preparedness of staff and facilities to respond to the disaster and recover normal operations
o Results of the test can be analyzed and decisions made to improve
SECOND-SITE BACKUPS

The most common options for providing this are:
o Mutual aid pact
o Empty shell (cold site)
o Recovery Operations Center (hot site)
o Internally provided backup


SECOND-SITE BACKUPS

Mutual Aid pact
o Agreement between two or more organizations with compatible computer facilities to aid each other with their data processing needs in the event of a disaster
o In the event of a disaster, the host company must disrupt its schedule and work in emergency mode
o The host company should live up to its offer, but the risk is that it works better in theory than in practice
o It is more economical to rely on each other than to invest in redundant equipment
SECOND-SITE BACKUPS

Empty shell
Also known as a cold site
The company buys or leases a building and remodels it into a computer site, but without computer equipment
Management obtains contracts with hardware vendors so that, in the event of a disaster, the vendor will give the company the needed equipment on a priority basis
Weakness: timely availability of equipment to restore processing isn't guaranteed
SECOND-SITE BACKUPS
Recovery Operations Center (ROC)
It’s a hot site
A fully equipped site; very costly and typically shared among many companies
It can be offered as a service by a ROC provider
o 9/11 was a true test of the ROC approach, e.g. Comdisco, which had 47 clients on its facilities under ROC contractual agreements. Over 3,000 employees worked from its site and thousands of computers were configured for clients within the first 24 hours
The weakness would be problems of overstretched facilities if a disaster hits many companies
o Management should consider the problems of overcrowding and geographic clustering of current ROC client membership even before a disaster
SECOND-SITE BACKUPS

Internally provided backup
Used by larger organizations with multiple data processing centers that offer self-reliance and internal excess capacity
There would be standardized hardware and software configurations that ensure functional compatibility and minimize cutover problems
It can also be through a mirrored data center
o A live site that synchronizes data and applications with the operational data center over a high-speed network, e.g. fiber optic cabling. At any point in time the mirrored data center reflects the current state of the organization and could lower the data recovery time frame to just hours, e.g. 1 hour


AUDITING THE DRP



DRP AUDIT OBJECTIVES

Audit Objective
o Verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources


DRP AUDIT PROCEDURES
1. Site backup
Evaluate adequacy
Check for incompatibilities that could reduce effectiveness, e.g. type of system, capacity of the host organization in a mutual aid pact, or the ROC in terms of the number of organizations hosted
Check the existence of valid contracts with vendors and the ROC
2. Critical Applications List
Review the list and ensure it is complete
Ensure it only includes applications that are critical for short-term restoration, so as not to misdirect resources
DRP AUDIT PROCEDURES

3. Software Backup
Verify that copies of critical applications and the OS are stored offsite
Compare version numbers with those in actual use
4. Data backup
Verify that critical data files are backed up in accordance with the DRP
5. Backup Supplies, Documents and Documentation
Verify that documentation and an adequate quantity of supplies are stored off-site
DRP AUDIT PROCEDURES

6. Disaster Recovery Team
Verify that the disaster recovery team is clearly listed with names, addresses and emergency phone numbers
Verify that members are current employees and that they know their responsibilities
7. Check the frequency of testing the DRP
Verify that the plan is regularly tested and check that recommendations from those tests are implemented


OUTSOURCING THE IT FUNCTION



BENEFITS OF IT OUTSOURCING
IT Outsourcing is when management opts to contract a third-party vendor to deliver IT
services e.g. data entry, data center operations, applications management, network
management, IT support etc.
Why does management do it?
o To concentrate on core business processes
o Speed of deployment
o Improved IT performance from vendor’s expertise area
o Reduced IT costs through economies of scale
Logic underlying IT outsourcing follows the core competency theory – it argues that an
organization should focus exclusively on its core business competencies while allowing
outsourcing vendors to efficiently manage non-core areas
BENEFITS OF IT OUTSOURCING
The Transaction Cost Economics (TCE) theory suggests that firms
should retain specific IT assets in-house (i.e. IT assets that are unique to
organization and that support its strategic objectives).
o Because of their nature, they are difficult to replace/restore once an outsourcing
agreement is cancelled.
o Examples include systems development, application maintenance, data
warehousing, highly skilled employees trained to use the organization’s software.
TCE supports outsourcing of commodity IT assets (those that are not
unique to a particular organization and are easily acquired or replaced from
the market place) e.g. PCs, Help desk support, server maintenance
RISKS OF IT OUTSOURCING
1. Failure to perform
Vendor’s poor performance can have negative implications due to dependence on them e.g. if
vendor lays off workforce, or experiences financial or legal problems that threaten their continuity.
This directly affects the outsourcing firms
2. Vendor exploitation
Vendor acquires specific IT assets to serve the organization and the assets may not have value to
them other than for delivering to the client. This may involve the client paying a premium to the vendor
or becoming very dependent on the vendor
The vendor may exploit this dependency by raising service rates. If new services are required, they
will be at a premium
This dependency threatens the client's long-term flexibility, agility and competitiveness, and results in greater
dependency
RISKS OF IT OUTSOURCING
3. Outsourcing costs exceed benefits
Unexpected costs may arise and full benefits not realized
A survey reveals 47% of 66 firms surveyed reported costs of IT outsourcing exceeded outsourcing
benefits
4. Reduced security
There are serious concerns over internal control and protection of sensitive data esp. with
offshore IT vendors
There is reliance on the vendors security measures, data-access policies and privacy laws of the
host country for offshore contracts.
Terrorists may attack the outsourced firms to get to the client
RISKS OF IT OUTSOURCING
5. Loss of strategic advantage
Outsourcing may affect alignment of the firm’s IT strategic planning and
business planning
CIO and IT management may not be very well versed with the working of
the IT infrastructure
Vendor solutions may be generic so as to serve many clients. They may not
be specific/unique enough to yield strategic advantage
AUDIT IMPLICATIONS OF OUTSOURCING
Management cannot outsource management responsibilities for ensuring adequate IT controls
SOX and Auditing Standards specify this
Management should evaluate vendor controls as well as related controls in their company when assessing internal
controls
The auditor needs to conduct an evaluation of the vendor organization's controls OR alternatively obtain a SAS 70
report (Auditing Service Organizations) from the vendor.
o It would come from the vendor's auditor attesting to the adequacy of the vendor's internal controls and issuing the SAS report
o Service provider auditors can provide two types of SAS 70 reports. Type I is less rigorous and looks at control design. Due
to SOX, the Type II report is the desired one, as it goes into the details of testing whether controls are operating effectively
READING ASSIGNMENT

Read COSO’s thought leadership paper on “Enterprise Risk Management for cloud computing” .
Consider the following issues it addresses:
Definition of cloud computing
Common deployment and service delivery models
Benefits of cloud computing
Risks associated with cloud computing
Changes in business environment
COSO’s ERM framework for cloud computing
Recommended risk responses to cloud computing
SUMMARY
Understand the risks of incompatible functions and how to structure the IT
function
Be familiar with controls and precautions required to ensure security of an
organization’s computer facilities
Understand key elements of a Disaster Recovery Plan
Be familiar with the benefits, risks and audit issues related to IT outsourcing
REVIEW QUESTIONS
1. What is IT governance? What objectives does it seek to meet?
2. Explain why the three primary computer-based information system functions must be separated
3. What problems may occur as a result of combining application programming and
maintenance in one position?
4. What are 5 risks associated with distributed data processing and how can they be
overcome?
5. Outline 5 things you would look at in your audit procedure when auditing an organization’s
data center. Explain what you would ensure the organization has addressed during your
audit
REVIEW QUESTIONS
1. Differentiate between a mutual aid pact, cold site, hot site and mirrored data
center options for site backup
2. What are five key things you would look at when auditing a Disaster Recovery
Plan?
3. What are 5 risks associated with IT outsourcing?
4. Define cloud computing and highlight 3 common service delivery models
5. Outline and explain an approach to cloud computing that you would
recommend to an organization to ensure they are not exposed to adverse
risks while obtaining IT services from a vendor.