Académique Documents
Professionnel Documents
Culture Documents
Hall, 3e 1
Three IT governance issues addressed by SOX
and the COSO internal control framework:
◦ Organizational structure of the IT function
◦ Computer center operations
◦ Disaster recovery planning
Hall, 3e 2
Centralized data processing
Organizational chart]
Database administrator
Data processing manager/dept.
Data control
Data preparation/conversion
Computer operations
Data library
Hall, 3e
3
Segregation of incompatible IT functions
Systems development & maintenance
Participants
End users
IS professionals
Auditors
Other stakeholders
Hall, 3e
4
Segregation of incompatible IT functions
Objectives:
Segregate transaction authorization from
transaction processing
Segregate record keeping from asset custody
Divide transaction processing steps among
individuals to force collusion to perpetrate fraud
Hall, 3e
5
Segregation of incompatible IT functions
Separating systems development from
computer operations
Hall, 3e
6
Segregation of incompatible IT functions
Separating DBA from other functions
DBA is responsible for several critical tasks:
Database security
Creating database schema and
user views
Assigning database access authority to users
Monitoring database usage
Planning for future changes
Hall, 3e
7
Segregation of incompatible IT functions
Alternative 1: segregate systems analysis from
programming
types of control problems from this
approach?
Hall, 3e 8
Segregation of incompatible IT functions
Alternative 2: segregate systems
development from maintenance
Hall, 3e
9
Segregation of incompatible IT functions
Segregate data library from operations
Physical security of off-line data files
Implications of modern systems on use of data
library:
Real-time/online vs. batch processing
Volume of tape files is insufficient to justify full-time
librarian
Alternative: rotate on ad hoc basis
Custody of on site data backups
Custody of original commercial software and licenses
Hall, 3e
10
Segregation of incompatible IT functions
Audit objectives
Hall, 3e
11
Segregation of incompatible IT functions
Audit procedures:
Hall, 3e
12
Distributed Data Processing (DDP)
involves reorganizing the central IT
function into small IT units that are
placed under the control of end users
Hall, 3e
13
Inefficient use of resources
Destruction of audit trails
Inadequate segregation of duties
Hiring qualified professionals
Lack of standards
Hall, 3e
14
Cost reduction
Improved cost control responsibility
Improved user satisfaction
Backup flexibility
Hall, 3e
15
Need for careful analysis
Implement a corporate IT function
Central systems development
Acquisition, testing, and implementation of
commercial software and hardware
User services
Help desk: technical support, FAQs, chat room, etc.
Standard-setting body
Personnel review
IT staff
Hall, 3e
16
Verify that the structure of the IT function is
such that individuals in incompatible areas
are segregated
Verify that formal relationships needs to exist
between incompatible tasks
Hall, 3e
17
Review the corporate policy on computer
security
Review documentation to determine if
individuals or groups are performing
incompatible functions
Review systems documentation and
maintenance records
Hall, 3e
18
Physical location
Construction
Access
Air conditioning
Fire suppression
Power supply
Hall, 3e
19
physical security IC protects the
computer center from physical
exposures
insurance coverage compensates the
organization for damage to the
computer center
operator documentation addresses
routine operations as well as system
failures
Hall, 3e
20
Review insurance coverage on hardware,
software, and physical facility
Review operator documentation, run
manuals, for completeness and accuracy
Verify that operational details of a system’s
internal logic are not in the operator’s
documentation
Hall, 3e
21
Disaster recovery plans (DRP)
identify:
Audit objective – verify that DRP is
adequate and feasible for dealing
with disasters
Hall, 3e 22
Disaster Recovery Plan
1. Critical Applications – Rank critical applications so an orderly and effective restoration of
computer systems is possible.
2. Create Disaster Recovery Team – Select team members, write job descriptions, describe
recovery process in terms of who does what.
3. Site Backup – a backup site facility including appropriate furniture, housing, computers, and
telecommunications. Another valid option is a mutual aid pact where a similar business or
branch of same company swap availability when needed.
4. Hardware Backup – Some vendors provide computers with their site – known as a hot site
or Recovery Operations Center. Some do not provide hardware – known as a cold site. When
not available, make sure plan accommodates compatible hardware (e.g., ability to lease
computers).
5. System Software Backup – Some hot sites provide the operating system. If not included in
the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the
backup site
7. Data Backup – One key strategy in backups is to store copies of data backups away from
the business campus, preferably several miles away or at the backup site. Another key is to
test the restore function of data backups before a crisis.
8. Supplies – A modicum inventory of supplies should be at the backup site or be able to be
delivered quickly.
9. Documentation – An adequate set of copies of user and system documentation.
10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it
before a crisis occurs, and to test it periodically (e.g., once a year).
Hall, 3e 23
Major IC concerns:
◦ second-site backups
◦ critical applications and databases
including supplies and documentation
◦ back-up and off-site storage
procedures
◦ disaster recovery team
◦ testing the DRP regularly
Hall, 3e 24
Empty shell
Recovery operations center
Internally provided backup
Hall, 3e 25
Evaluate adequacy of second-site
backup arrangements
Review list of critical applications for
completeness and currency
Verify that procedures are in place
for storing off-site copies of
applications and data
◦ Check currency back-ups and copies
Hall, 3e 26
Verify that documentation, supplies,
etc., are stored off-site
Verify that the disaster recovery
team knows its responsibilities
◦ Check frequency of testing the DRP
Hall, 3e 27
Hall, 3e 28
Hall, 3e 29
Management retains SOX responsibilities
SAS No. 70 report or audit of vendor will
be required
Hall, 3e 30