Group 3
IT Governance

• Subset of corporate governance that focuses on the management and assessment of strategic IT resources.

• All corporate stakeholders must be active participants in key IT

IT Governance Controls

Three IT governance issues addressed by SOX and the COSO internal control framework:

• Organizational structure of the IT function.
• Computer center operations.
• Disaster recovery planning.
Structure of the IT Function

• Centralized data processing model

Structure of the IT Function
• Primary service areas:
1. Database administration – Database Administrator
2. Data processing – 3 data organizational functions:
a. Data Conversion – from hardcopy to computer input
b. Computer Operations
c. Data Library - provides safe storage for the off-line data files (backup data, current data files and original copies of commercial software and their
- Responsible: Data Librarian
3. System development and maintenance
Structure of the IT Function

Segregation of Incompatible IT Functions

• Systems development from computer operations.
- Relationship between groups should be formal and responsibilities should not be commingled.

• Database administration from other functions.
- DBA function responsible for many critical tasks and needs to be organizationally independent of operations, systems development and maintenance.

• New systems development from maintenance.
- Improves documentation standards because maintenance group requires documentation.
- Denying original programmer future access deters program fraud.
2 Types of Control Problems
• Inadequate documentation is a chronic problem.
- Documenting systems is not an interesting task.
- Lack of documentation provides job security for the programmer who coded it.

• When the system programmer has maintenance responsibilities, the potential for fraud is increased.
- May have concealed fraudulent code in the system.
- Having sole responsibility for maintenance may allow the programmer to conceal the code for years.
The Distributed Model
• Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users.

• Two alternatives of DDP:
 Alternative A: Variant of the centralized model with terminals or microcomputers distributed to end users for handling input and output.
 Alternative B: Distributes all computer services to the end users, where they operate as stand-alone units.
The Distributed Model
Risks Associated with DDP
1. Inefficient use of resources
• Mismanagement of IT resources by end users
• Operational inefficiencies due to redundant tasks being performed
• Hardware and software incompatibility among end-user functions
2. Destruction of audit trails
3. Inadequate segregation of duties
4. Hiring qualified professionals
5. Lack of standards
Advantages of DDP

■Cost Reduction
■Improved Cost Control Responsibility
■Improved User Satisfaction
■Backup Flexibility
Cost Reduction

■ For many years, achieving economies of scale was the principal justification for the centralized data processing approach. The economics of data processing favored large, expensive, powerful computers. Thus, for many users large centralized systems represented expensive overkill that they should escape.
■ Powerful and inexpensive microcomputers and minicomputers that can perform specialized functions have changed the economics of data processing.
■ Distributed Data Processing (DDP) has reduced costs in two other areas:
 Data can be edited and entered by the end user, thus eliminating the centralized task of data preparation.
 Application complexity can be reduced, which in turn reduces systems development and maintenance cost.
Improved Cost Control Responsibility
■ End-user managers carry the responsibility for the financial success of their operations.
■ Proponents of DDP contend that the benefits of improved management attitudes more than outweigh any additional costs incurred from distributing these resources.
Improved User Satisfaction
■ Most often cited benefit of Distributed Data Processing (DDP).
■ DDP proponents claimed that distributing systems to end users improves three areas of need that too often go unsatisfied in the centralized model:
 As previously stated, users desire to control the resources that influence their profitability;
 Users want systems professionals (analysts, programmers, and computer operators) to be responsive to their specific situation; and
 Users want to become more actively involved in developing and implementing their own systems.
Backup Flexibility

■ The only way to back up a central computer site against disasters is to provide a second computer facility.
■ If a disaster destroys a single site, the other sites can use their excess capacity to process the transactions of the destroyed site.
Controlling the DDP Environment

■ Implement a Corporate IT Function
■ Central Testing of Commercial Software and Hardware
■ User Services
■ Standard-Setting Body
■ Personnel Review
Implement a Corporate IT Function

■ The completely centralized model and the distributed model represent extreme positions on a continuum of structural alternatives. The needs of most firms fall somewhere between these end points.
Central Testing of Commercial Software and Hardware

■ A centralized corporate IT group is better equipped than are end users to evaluate the merits of competing commercial software and hardware products under consideration.
User Services

■ A valuable feature of the corporate group is its user services function. This activity provides technical help to users during the installation of new software and in troubleshooting hardware and software problems.
■ The creation of an electronic bulletin board for users is an excellent way to distribute information about common problems and allows the sharing of user-developed programs with others in the organization.
Standard-Setting Body
■ The relatively poor control environment imposed by the DDP model can be improved by establishing some central guidance.
Personnel Review
■ The corporate group is often better equipped than users to evaluate the technical credentials of prospective systems
Audit Objective

■ To verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks.
Audit Procedures
 Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
 Review systems documentation and maintenance records for a sample of
 Verify that computer operators do not have access to the operational details of a system’s internal logic.
 Through observation, determine that segregation policy is being followed in practice.
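One way an auditor could mechanise the organizational-chart and job-description review above, as an added example that is not part of the original lecture notes: the three incompatible pairings are the ones the Segregation of Incompatible IT Functions slide lists, the compensating-control handling follows the distributed-IT procedure, and the roster, names and authorship records are constructed.

```python
"""Segregation-of-duties check over an IT-function roster.

Added example (not from the original slides): encodes the incompatible
pairings the lecture lists and runs them over a constructed roster of the
kind an auditor would compile from the org chart and job descriptions.
"""
from itertools import combinations

# Functions named in the lecture's centralized model.
SYS_DEV = "systems development"
MAINT = "maintenance"
OPS = "computer operations"
DBA = "database administration"
DATA_CONV = "data conversion"
DATA_LIB = "data library"

# Incompatible pairings from the slides. DBA must be independent of every
# other function, so its pairings are expanded in the loop below.
INCOMPATIBLE = {
    frozenset({SYS_DEV, OPS}): "systems development vs. computer operations",
    frozenset({SYS_DEV, MAINT}): "new systems development vs. maintenance",
}
for other in (SYS_DEV, MAINT, OPS, DATA_CONV, DATA_LIB):
    INCOMPATIBLE[frozenset({DBA, other})] = "database administration vs. " + other

def find_conflicts(roster, compensating=()):
    """Return one finding per incompatible pairing held by a single person.

    roster: {person: set of functions}, compiled from job descriptions.
    compensating: people for whom supervision or management monitoring is
    documented; their conflicts are reported as 'mitigated' rather than
    'violation' so the auditor still sees them.
    """
    findings = []
    for person, duties in sorted(roster.items()):
        for a, b in combinations(sorted(duties), 2):
            label = INCOMPATIBLE.get(frozenset({a, b}))
            if label:
                status = "mitigated" if person in compensating else "violation"
                findings.append((person, label, status))
    return findings

def original_programmer_maintains(authorship, maintainers):
    """Flag systems whose original programmer still holds maintenance access.

    authorship: {system: original programmer}
    maintainers: {system: set of people with maintenance access}
    """
    return sorted(s for s, p in authorship.items() if p in maintainers.get(s, set()))

# Constructed roster for a small shop; not real data.
ROSTER = {
    "alice": {SYS_DEV, OPS},    # develops and runs production: conflict
    "bob": {DBA, DATA_LIB},     # DBA also keeps the data library: conflict
    "carol": {DATA_CONV},       # clean
    "dave": {SYS_DEV, MAINT},   # conflict, but supervision is documented
}
AUTHORSHIP = {"payroll": "dave", "ledger": "alice"}
MAINTAINERS = {"payroll": {"dave", "erin"}, "ledger": {"erin"}}

if __name__ == "__main__":
    for person, label, status in find_conflicts(ROSTER, compensating={"dave"}):
        print(f"{status:9} {person}: {label}")
    print("original programmer still maintains:",
          original_programmer_maintains(AUTHORSHIP, MAINTAINERS))
```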
Audit Procedures
The following audit procedures would apply to an organization with a distributed IT
■ Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible
■ Verify that corporate policies and standards for system design, documentation, and hardware and software acquisition are published and provided to distributed IT
■ Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
■ Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.
The Computer Center

■ Physical Location
■ Construction
■ Access
■ Air Conditioning
■ Fire Suppression
■ Fault Tolerance
Physical Location
■ The physical location of the computer center directly affects the risk of destruction from a natural or man-made disaster.
Construction
■ A computer center should be located in a single-storey building of solid construction with controlled access.
■ Utility lines should be underground.
■ Building windows should not open and an air filtration system should be in place that is capable of extracting pollens, dust, and dust mites.
Access
■ Access to the computer should be limited to the operators and other employees who work there.
■ Access should be controlled by a keypad or swipe card, though fire alarms are necessary.
■ For a higher level of security, access should be monitored by closed-circuit cameras and video recording systems.
■ Computer centers should also use sign-in logs for programmers and analysts who need access to correct program errors.
Air Conditioning

■ Computers function best in an air-conditioned environment, and providing adequate air conditioning is often a requirement of the vendor’s warranty.
■ Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent.
Fire Suppression

■ The implementation of an effective fire suppression system requires consultation with specialists. However, some of the major features of such a system include the following:
 Automatic and manual alarms should be placed in strategic locations around the
 There must be an automatic fire extinguishing system that dispenses the appropriate type of suppressant for the location.
 Manual fire extinguishers should be placed at strategic locations.
 The building should be of sound construction to withstand water damage caused by fire suppression equipment.
 Fire exits should be clearly marked and illuminated during a fire.
Fault Tolerance
■ Implementing fault tolerance controls ensures that no single point of potential system failure exists. Total failure can occur only if multiple components fail. Examples of fault tolerance technologies are:
 Redundant arrays of independent disks (RAID) - involves using parallel disks that contain redundant elements of data and applications.
 Uninterruptible power supplies - In the event of a power outage, these devices provide backup power for a reasonable period to allow commercial power service restoration. In the event of an extended power outage, the backup power will allow the computer system to shut down in a controlled manner and prevent data loss and corruption that would otherwise result from an uncontrolled system crash.
Audit Objectives

■ To evaluate the controls governing computer center security. Specifically, the auditor must verify that:
 Physical security controls are adequate to reasonably protect the organization from physical exposures
 Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.
Audit Procedures

■ Test of Physical Security Controls
 Tests of Physical Construction
 Tests of Fire Detection System
 Tests of Access Control
 Tests of RAID
 Tests of Uninterruptible Power Supply
 Tests for Insurance Coverage
Test of Physical Construction

■ The auditor should obtain architectural plans to determine that computer is solidly built of fireproof
■ The auditor should assess the physical location of the computer center.
Test of Fire Detection System
■ The auditor should establish that fire detection and suppression equipment, both manual and automatic, are in place and tested regularly.

Test of Access Control

■ The auditor must establish that routine access to the computer center is restricted to authorized employees.
■ To establish the veracity of the document, the auditor may covertly observe the process by which access is permitted, or review videotapes from cameras at the access point, if they are being used.
Test of RAID
■ Most systems that employ RAID provide a graphical mapping of their redundant disk storage.
■ If the organization is not employing RAID, the potential for a single point of system failure exists.

Tests of the Uninterruptible Power Supply

■ The computer center should perform periodic tests of the backup power supply to ensure that it has sufficient capacity to run the computer and air
Tests for Insurance Coverage

■ The auditor should annually review the organization’s insurance coverage on its computer hardware, software, and physical
■ The auditor should verify that all new acquisitions are listed on the policy and that obsolete equipment and software have been
Types of Disasters
Disaster Recovery Plan (DRP)
■ A comprehensive statement of all actions to be taken before, during, and after any type of
■ Four Common Features
1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures
Identify Critical Applications

■ The first essential element of a DRP is to identify the firm’s critical applications and associated data files.
■ Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the
■ Requires the active participation of user departments, accountants and auditors.
Creating a Disaster Recovery Team
Providing Second-Site Backup

■ Provides for duplicate data processing facilities following a disaster

1. Mutual Aid Pact
2. Empty Shell or Cold Site
3. Recovery Operations Center (ROC) or Hot Site
Providing Second-Site Backup
Mutual Aid Pact
■ An agreement between two or more organizations (with
compatible computer facilities) to aid each other with their data
processing needs in the event of a disaster.
Empty Shell
■ An arrangement wherein the company buys or leases a building
that will serve as a data center.
Recovery Operations Center
■ A fully equipped backup data center that many companies
Internally Provided Backup

■ Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity
■ This permits firms to develop standardized hardware and software configurations, which ensure functional compatibility among their data processing centers and minimize cut-over problems in the event of a disaster.
Backup and Off-Site Storage Procedures
■ Operating System Backup
If the company uses a cold site or other method of site backup that does not include a compatible operating system (O/S), procedures for obtaining a current version of the operating system need to be clearly specified.
■ Application Backup
Based on results obtained in the critical applications step discussed previously, the DRP should include procedures to create copies of current versions of critical applications.
Backup and Off-Site Storage Procedures

■ Backup Data Files
At a minimum, databases should be copied daily to high-capacity, high-speed media, such as tape or CDs/DVDs, and secured offsite.
In the event of a disruption, reconstruction of the database is achieved by updating the most current backed-up version with subsequent transaction data.
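The reconstruction rule just stated, modelled as an added example that is not from the original slides: restore the most current daily backup, replay only the journaled transactions that post-date it, and count the records that would be lost if only the off-site copy survived (the "number of lost records" the DRP-testing slide asks management to measure). The account names, timestamps and amounts are constructed.

```python
"""Rebuild a database from its daily backup plus the subsequent journal.

Added example, not from the original slides. Accounts, timestamps and
amounts below are constructed.
"""
from datetime import datetime

def take_backup(state, taken_at):
    """Daily copy of the database, tagged with the time it was taken."""
    return {"taken_at": taken_at, "data": dict(state)}

def apply_txn(state, txn):
    """Post one journaled transaction: (txn_id, timestamp, account, delta)."""
    _, _, account, delta = txn
    state[account] = state.get(account, 0) + delta

def reconstruct(backup, journal):
    """Restore the backup, then replay only transactions newer than it.

    Replaying in timestamp order and skipping anything at or before the
    backup time keeps already-captured transactions from being posted twice.
    """
    state = dict(backup["data"])
    applied = []
    for txn in sorted(journal, key=lambda t: t[1]):
        if txn[1] > backup["taken_at"]:
            apply_txn(state, txn)
            applied.append(txn[0])
    return state, applied

def lost_records(backup, journal):
    """Transaction ids that are unrecoverable if the post-backup journal
    is lost along with the primary site; only the off-site copy remains."""
    return [t[0] for t in journal if t[1] > backup["taken_at"]]

# Constructed sample data: balances before the day, the nightly backup
# taken at 02:00, and the journal (t0 predates the backup, t1/t2 follow it).
LIVE = {"cash": 1000, "receivables": 500}
JOURNAL = [
    ("t0", datetime(2024, 2, 29, 18, 0), "cash", 100),
    ("t1", datetime(2024, 3, 1, 9, 0), "cash", -200),
    ("t2", datetime(2024, 3, 1, 11, 30), "receivables", 300),
]
apply_txn(LIVE, JOURNAL[0])                 # t0 is in the live copy before backup
BACKUP = take_backup(LIVE, datetime(2024, 3, 1, 2, 0))
for txn in JOURNAL[1:]:                     # the day's activity after the backup
    apply_txn(LIVE, txn)

def recover_after_disruption():
    """Return (rebuilt state, replayed ids, whether it matches the live copy)."""
    rebuilt, applied = reconstruct(BACKUP, JOURNAL)
    return rebuilt, applied, rebuilt == LIVE

if __name__ == "__main__":
    rebuilt, applied, ok = recover_after_disruption()
    print("rebuilt:", rebuilt, "replayed:", applied, "matches live:", ok)
    print("lost if journal unavailable:", lost_records(BACKUP, JOURNAL))
```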
Backup and Off-Site Storage Procedures
■ Backup Documentation
The system documentation for critical applications should be backed up and stored off-site along with the applications.
The DRP should also include a provision for backing up end-user manuals because the individuals processing transactions under disaster conditions may not be the usual staff who are familiar with the system.
■ Backup Supplies and Source Documents
The organization should create backup inventories of supplies and source documents used in processing critical transactions.
At this point, it is worth noting that a copy of the current DRP document should also be stored off-site at a secure location.
Testing the DRP
■ The most neglected aspect of contingency planning is testing the DRP. Nevertheless, DRP tests are important and should be performed periodically.
■ The organization’s management should seek measures of performance in each of the following areas:
(1) the effectiveness of DRP team personnel and their knowledge levels;
(2) the degree of conversion success (i.e., the number of lost records);
(3) an estimate of financial loss due to lost records or facilities; and
(4) the effectiveness of program, data, and documentation backup and recovery procedures.
Audit Objective
■ The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures
■ In verifying that management’s DRP is a realistic solution for dealing with a catastrophe, the following tests may be

Site Backup
■ The auditor should evaluate the adequacy of the backup site
■ System incompatibility and human nature both greatly reduce the effectiveness of the mutual aid pact.
■ Auditors should be skeptical of such arrangements for two
Critical Application List

■ The auditor should review the list of critical applications to ensure that it is complete. Missing applications can result in failure to recover.

Software Backup
■ The auditor should verify that copies of critical applications and operating systems are stored off-site.
Data Backup
■ The auditor should verify that critical data files are backed up in accordance with the DRP.
Backup Supplies, Documents, and Documentation
■ The system documentation, supplies, and source documents needed to process critical transactions should be backed up and stored off-site.
Disaster Recovery Team
■ The DRP should clearly list the names, addresses, and emergency telephone numbers of the disaster recovery team
Core competency theory
This theory argues that an organization should focus exclusively on its core business competencies, while allowing outsourcing vendors to efficiently manage the non-core areas such as the IT functions.
Transaction Cost Economics (TCE)
This theory, contrary to CCT, suggests that firms should retain certain specific non-core IT assets in-house. Because of their complex nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement.
■ Commodity IT Assets
are assets not unique to any particular organization and are thus easily acquired in the marketplace.

■ Specific IT Assets
are unique to the organization and support its strategic objectives. However, because of their distinctive nature, specific assets have little value outside their current use.
Cloud Computing
■ is an information technology (IT) paradigm that enables ubiquitous access to shared pools of configurable system resources and higher-level services that can be rapidly provisioned with minimal management effort, often over the internet. Cloud computing relies on sharing of resources to achieve coherence and economies of scale, similar to a public utility.
■ It enables companies to consume a compute resource, such as a virtual machine (VM), storage or an application, as a utility -- just like electricity -- rather than having to build and maintain computing infrastructures in
Key Features of Cloud Computing
A. Client firms can acquire IT resources from vendors on demand and as
B. Resources are provided over a network and accessed through network terminals at the client location
C. Acquisition of resources is rapid and infinitely scalable.
D. Computing resources are pooled to meet the needs of multiple client
3 Primary Classes of Cloud Computing
1. Software-as-a-service (SaaS)
2. Infrastructure-as-a-service (IaaS)
3. Platform-as-a-service (PaaS)
Virtualization
- The technology that has unleashed cloud computing.
- Virtualization has exploded into 2 other areas of IT:
A. Network virtualization
B. Storage virtualization
Cloud Computing Implementation Issues

1. Large firms have typically already incurred massive investments in equipment, proprietary software, and human resources
2. Many large enterprises have mission-critical functions running on legacy systems that are many decades old.
3. A central tenet of cloud computing is the philosophy that IT is a one-size-fits-all commodity asset
4. Internal control and security issues
Risks Inherent to IT Outsourcing

A. Failure to perform
B. Vendor Exploitation
C. Outsourcing costs exceed benefits
D. Reduced Security
E. Loss of Strategic advantage
Audit Implications of IT Outsourcing

Statement on Auditing Standards No. 70 (SAS 70) is the definitive standard by which client organizations’ auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client’s financial statements.
2 Types of SSAE 16 Reports

Type 1 report attests to the vendor management’s description of their system and the suitability of the design of controls
Type 2 report attests to management’s description of their system, the suitability of the design of controls, and the operating effectiveness of controls
SSAE 16 Report Contents

- Provides a description of the service provider’s system including details of how transactions are processed and results are communicated to their client organizations.
- Describes relevant internal control issues consistent with the COSO control model including the control environment, risk assessment, information and communication systems, control activities, and control monitoring.
2 reporting techniques designed to address the subservice organization issue

A. Carve-out method – service provider management would exclude the subservice organization’s relevant control objectives and related controls from the description of its system.
B. Inclusive method – service provider’s description of its system will include the services performed by the subservice