Ch02-Auditing IT Governance Controls-rev26022014

Page 1: Ch02-Auditing IT Governance Controls-rev26022014

CHAPTER 2: IT GOVERNANCE

CSI4601851 Dasar-Dasar Audit SI (Fundamentals of IS Audit), Even Semester 2013/2014

Fakultas Ilmu Komputer, Universitas Indonesia

Page 2

Learning Objectives

• Understand the risk of incompatible functions and how to structure the IT function

• Be familiar with the controls and precautions required to ensure the security of an organization's computer facilities

• Be familiar with the benefits, risks and audit issues related to IT outsourcing

Page 3

Outline

1. Information Technology Governance

2. Structure of the Information Technology Function

3. The Computer Center

4. Outsourcing the IT Function

Page 4

IT Governance

• IT Governance: a subset of corporate governance that focuses on the management and assessment of strategic IT resources

• Key objectives:

  • Reduce risk

  • Ensure investments in IT resources add value to the corporation

• All employees and stakeholders must be active participants in key IT decisions

Page 5

IT Governance Controls

• Three IT governance issues addressed by SOX and the COSO internal control framework:

  • Organizational structure of the IT function

  • Computer center operations

  • Disaster recovery planning

• For each issue, the chapter begins with an explanation of the nature of the risk associated with it

• Then describes the controls needed to mitigate that risk

• Presents audit objectives, which define what needs to be verified regarding the function of the controls in place

• Gives examples of tests of controls that satisfy the audit objectives

Page 6

Structuring the IT Function

• The organization of the IT function has implications for the nature and effectiveness of internal control

• IT structure models:

  • Centralized Data Processing Approach

  • Distributed Data Processing Approach

Page 7

Centralized Data Processing

• All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization

• IT services activities are consolidated and managed as a shared organization resource

• The IT services function is usually treated as a cost center whose operating costs are charged back to the end users

Page 8

Centralized Data Processing Approach

Page 9

Organizational Chart of Centralized Data Processing Approach

Page 10

Primary Services Areas

• Database Administration

  • Headed by the database administrator, who is responsible for the security and integrity of the database

• Data Processing

  • Manages the computer resources used to perform the day-to-day processing of transactions

  • Consists of:

    • Data conversion. Converts hard-copy source documents into computer input

    • Computer operations. Manages electronic files and controls applications

    • Data library. A room adjacent to the computer center that provides safe storage for the off-line data files

Page 11

Primary Services Areas

• Systems development and maintenance

  • Accommodates the users' needs for information systems

  • Systems development. Responsible for analyzing user needs and designing new systems to satisfy those needs. Participants: systems professionals, end users and stakeholders

  • Systems maintenance. Keeping the information systems current with user needs

Page 12

Structuring the IT Function

• Segregation of incompatible IT functions

  • Objectives:

    • Segregate transaction authorization from transaction processing

    • Segregate record keeping from asset custody

    • Divide transaction processing steps among individuals, so that collusion is required to perpetrate fraud

• Separating systems development from computer operations

  • Systems development professionals cannot enter data or run applications

  • Operations staff have no involvement in application design

Page 13

Structuring the IT Function

• Separating the DBA from other functions. The DBA is responsible for several critical tasks:

  • Database security

  • Creating database schemas and user views

  • Assigning database access authority to users

  • Monitoring database usage

  • Planning for future changes

• Separating new systems development from maintenance

  • Systems development group: systems analysis and programming

  • Inadequate documentation. Reasons: it is not an interesting task, and it protects job security

  • Program fraud. Unauthorized changes to program modules. Examples: salami slicing, trap doors

Page 14

System development

Page 15

Structuring the IT Function

• A superior structure for systems development

  • Separate the new systems development and systems maintenance functions. Reasons:

    • To improve documentation standards

    • To block the original programmer's future access to the program

Page 16

The Distributed Model

• Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users

• Two alternative approaches:

  • Alternative A: a variant of the centralized model

    • Systems development, computer operations and database administration remain centralized

  • Alternative B: decentralized

    • Needs a networking arrangement that permits communication and data transfers between the units

Page 17

Two Distributed Data Processing Approaches

Page 18

Risks Associated with DDP

• Inefficient use of resources

  • Mismanagement of resources by end users

  • Redundant tasks

  • Hardware and software incompatibility

• Destruction of audit trails

  • Users inadvertently delete files or transactions

• Inadequate segregation of duties

  • One person has several duties

• Hiring qualified professionals

  • Managers may lack the IT knowledge to select IT professionals

  • Programming errors and system failures due to incompetent employees

• Lack of standards

  • e.g., in developing and documenting systems, choosing programming languages, evaluating performance, acquiring hardware/software

Page 19

Advantages of DDP

• Cost reduction

  • Data can be edited and entered by end users, eliminating the centralized task of data preparation

  • Application complexity can be reduced, which in turn reduces systems development and maintenance costs

• Improved cost control responsibility

  • Managers have more control over IT resources

• Improved user satisfaction

  • Users are not hindered in controlling resources

  • Users want systems professionals (analysts, programmers and computer operators) to be responsive in any situation

  • Users can be actively involved in developing their own systems

• Backup flexibility

  • Ability to provide backup computing facilities

Page 20

Controlling the DDP Environment

• Careful analysis is needed to decide whether to centralize or distribute. Several improvements to the strict DDP model:

  • Implement a corporate IT function

  • Central testing of commercial software and hardware

    • Evaluate system features, controls, and compatibility with industry and organizational standards

  • User services

    • Help desk: technical support, FAQs, chat room, etc.

  • Standard-setting body

    • Distribute standards for systems development, programming and documentation

  • Personnel review

    • Involvement of IT staff in employment decisions

Page 21

Organization Chart for DDP

Page 22

Audit Objectives: DDP Environment

• Verify that the structure of the IT function is such that individuals in incompatible areas are segregated:

  • In accordance with the level of potential risk

  • And in a manner that promotes a working environment

• Verify that formal relationships exist between incompatible tasks

Page 23

Audit Procedures: Centralized IT Functions

• Review relevant documentation to determine whether individuals or groups are performing incompatible functions

  • Including the organizational chart, mission statement and job descriptions

• Review systems documentation and maintenance records for a sample of applications

  • Verify that the maintenance programmers for specific projects are not also the original design programmers

• Verify that computer operators do not have access to the operational details of a system's internal logic

  • Including systems documentation, such as systems flowcharts, etc.

• Determine that the segregation policy is being followed

  • Review operations room access logs to determine whether programmers entered because of system failures or for other reasons
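The last procedure on this slide, reviewing the operations room access log for programmer entries and deciding whether a system failure explains each one, can be carried out as a script. The following is an added example written for these notes, not code from the slides or the course; the log line format, badge ids, door name, incident ticket ids and the 30-minute grace period before an outage are all constructed assumptions. Each programmer entry is matched against the incident log; entries that no outage window covers are listed as exceptions for the auditor to follow up.

```python
"""Audit test for the operations-room access log (added example, not from the slides).

Correlates each programmer entry in the door access log with the incident
log: an entry inside a reported outage window (plus a short grace period
before the outage start) is explained, anything else is an exception.
Log format, badge ids and incident ids are constructed for the example.
"""
from datetime import datetime, timedelta
import re

# Constructed sample access log: one line per badge event.
ACCESS_LOG = """\
2014-02-20 02:14:05 ENTRY badge=O-0007 role=operator door=OPS-ROOM
2014-02-20 03:02:41 ENTRY badge=P-1043 role=programmer door=OPS-ROOM
2014-02-20 09:12:03 ENTRY badge=P-1043 role=programmer door=OPS-ROOM
2014-02-21 14:45:19 ENTRY badge=P-2210 role=programmer door=OPS-ROOM
2014-02-21 14:46:00 ENTRY badge=O-0009 role=operator door=OPS-ROOM
2014-02-22 22:30:00 ENTRY badge=P-2210 role=programmer door=OPS-ROOM
"""

# Constructed incident tickets: (ticket id, outage start, outage end).
INCIDENTS = [
    ("INC-0451", "2014-02-20 02:40:00", "2014-02-20 03:30:00"),
    ("INC-0452", "2014-02-21 14:30:00", "2014-02-21 15:15:00"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ENTRY "
    r"badge=(?P<badge>\S+) role=(?P<role>\S+) door=(?P<door>\S+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Parse access-log lines into dicts; malformed lines are reported, not dropped."""
    entries, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "badge": m["badge"], "role": m["role"], "door": m["door"],
        })
    return entries, malformed


def explaining_incident(ts, incidents, grace=timedelta(minutes=30)):
    """Return the ticket id whose outage window (widened by the grace period
    before the outage start, for early response) covers ts, else None."""
    for ticket, start, end in incidents:
        s = datetime.strptime(start, TS_FMT) - grace
        e = datetime.strptime(end, TS_FMT)
        if s <= ts <= e:
            return ticket
    return None


def review_access_log(text, incidents, door="OPS-ROOM"):
    """Return (exceptions, explained, malformed) for programmer entries to door.
    An exception is an entry that no incident ticket accounts for."""
    entries, malformed = parse_log(text)
    exceptions, explained = [], []
    for e in entries:
        if e["role"] != "programmer" or e["door"] != door:
            continue
        ticket = explaining_incident(e["ts"], incidents)
        record = (e["ts"].strftime(TS_FMT), e["badge"], ticket)
        (explained if ticket else exceptions).append(record)
    return exceptions, explained, malformed


if __name__ == "__main__":
    exc, ok, bad = review_access_log(ACCESS_LOG, INCIDENTS)
    for ts, badge, ticket in ok:
        print(f"explained  {ts} {badge} ({ticket})")
    for ts, badge, _ in exc:
        print(f"EXCEPTION  {ts} {badge} no incident covers this entry")
    for line in bad:
        print(f"MALFORMED  {line}")
```

Run as a script it prints two explained entries and two exceptions (the 09:12 entry on 20 February and the 22:30 entry on 22 February). Malformed log lines are reported rather than silently skipped, because a gap in the access log is itself a finding about the control.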

Page 24

Audit Procedures: Distributed IT Function

• Review the current organizational chart, mission statement and job descriptions for key functions to determine whether individuals or groups are performing incompatible duties

• Verify that corporate policies and standards are published and provided to distributed IT units

• Verify that compensating controls are employed when segregation of incompatible duties is infeasible

• Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards
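The segregation-of-duties procedures from the two preceding slides (compare job assignments against the incompatible functions, check that maintenance programmers are not the original designers, and accept a documented compensating control where a small distributed unit cannot segregate) can be expressed as one audit test. The script below is an added example for these notes, not code from the slides; the incompatible pairs are the ones the chapter lists, while the people, units, applications and the compensating-control register are constructed sample data.

```python
"""Segregation-of-duties audit test (added example; not from the slides).

Compares job assignments from the org chart and job descriptions against a
list of incompatible IT functions, verifies that maintenance programmers are
not the original designers of the applications they maintain, and, for
distributed units where segregation is infeasible, accepts a documented
compensating control instead of raising an exception.
"""
from itertools import combinations

# Incompatible function pairs as listed in the chapter (unordered pairs).
INCOMPATIBLE = {
    frozenset({"systems development", "computer operations"}),
    frozenset({"database administration", "systems development"}),
    frozenset({"database administration", "computer operations"}),
    frozenset({"new systems development", "systems maintenance"}),
    frozenset({"transaction authorization", "transaction processing"}),
    frozenset({"record keeping", "asset custody"}),
}

# Constructed job assignments: (person, business unit, function).
ASSIGNMENTS = [
    ("A. Rahman",  "HQ",          "systems development"),
    ("A. Rahman",  "HQ",          "computer operations"),   # conflict, not compensated
    ("B. Sari",    "HQ",          "database administration"),
    ("C. Putra",   "Branch-East", "systems development"),
    ("C. Putra",   "Branch-East", "computer operations"),   # conflict, compensated
    ("D. Lestari", "HQ",          "new systems development"),
    ("E. Wijaya",  "HQ",          "systems maintenance"),
]

# Constructed register of compensating controls for small distributed units:
# (unit, function pair) -> description of the control.
COMPENSATING = {
    ("Branch-East", frozenset({"systems development", "computer operations"})):
        "Monthly supervisory review of job logs by the HQ IT manager",
}

# Constructed maintenance records: (application, original designer, maintainer).
MAINTENANCE = [
    ("Payroll", "D. Lestari", "E. Wijaya"),
    ("Billing", "A. Rahman",  "A. Rahman"),   # designer maintains own program
]


def functions_by_person(assignments):
    """Group (unit, function) pairs per person; one person may hold several."""
    held = {}
    for person, unit, function in assignments:
        held.setdefault(person, set()).add((unit, function))
    return held


def check_segregation(assignments, incompatible, compensating):
    """Return (exceptions, compensated); each item is (person, unit, pair)."""
    exceptions, compensated = [], []
    for person, held in functions_by_person(assignments).items():
        for (u1, f1), (u2, f2) in combinations(sorted(held), 2):
            pair = frozenset({f1, f2})
            if pair not in incompatible:
                continue
            unit = u1 if u1 == u2 else f"{u1}/{u2}"
            record = (person, unit, tuple(sorted(pair)))
            # A compensating control only counts for the unit it was documented for.
            if u1 == u2 and (u1, pair) in compensating:
                compensated.append(record)
            else:
                exceptions.append(record)
    return exceptions, compensated


def check_maintenance_records(records):
    """Applications whose maintainer is also the original design programmer."""
    return [app for app, designer, maintainer in records if designer == maintainer]


if __name__ == "__main__":
    exc, comp = check_segregation(ASSIGNMENTS, INCOMPATIBLE, COMPENSATING)
    for person, unit, pair in exc:
        print(f"EXCEPTION   {person} ({unit}) holds {pair[0]} and {pair[1]}")
    for person, unit, pair in comp:
        print(f"compensated {person} ({unit}) holds {pair[0]} and {pair[1]}")
    for app in check_maintenance_records(MAINTENANCE):
        print(f"EXCEPTION   {app}: maintained by its original designer")
```

The check is per person across all of that person's assignments, so a conflict is found even when the two functions sit in different units. Compensated conflicts are reported separately rather than dropped, because the auditor still has to test that the compensating control operates.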

Page 25

The Computer Center

• The following lists computer center risks and the controls that help to mitigate them and create a secure environment

• Physical location

  • Avoid human-made hazards, system failures and natural hazards

• Construction

  • Ideally: single-story, underground utilities, windowless, with an air filtration system

  • In a multi-storied building, use a middle floor (away from traffic flows and from potential flooding in the basement)

• Access

  • Physical: locked doors, cameras

  • Manual: access log of visitors

Page 26

Data Center Construction

Page 27

The Computer Center

• Air conditioning

  • Best in the temperature range of 70-75 degrees Fahrenheit

  • Relative humidity of 50%

• Fire suppression

  • Placed in strategic locations

  • Automatic fire extinguishing systems:

    • Sprinklers (using water)

    • Halon gas (removing oxygen)

    • FM200-TM (safe fire suppression)

  • Strong building construction

  • Fire exits should be clearly marked and illuminated during a fire

Page 28

Air conditioning

Page 29

The Computer Center

• Fault tolerance

  • Redundant Arrays of Independent Disks (RAID)

    • Using parallel disks

• Power supply

  • Need for clean power

  • Backup power: uninterruptible power supply
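"Using parallel disks" hides the mechanism that makes RAID a fault-tolerance control: data is striped across several disks and a parity block (the XOR of the data blocks) is stored with each stripe, so any single lost block can be recomputed from the others. The script below is an added illustration for these notes, not code from the slides or from any RAID vendor; it models the single-parity scheme of RAID levels 3, 4 and 5 with a tiny block size and a constructed payload, and shows why a second simultaneous disk failure cannot be recovered with one parity block, which is the risk behind the later audit test of whether the chosen RAID level matches the business risk of disk failure.

```python
"""Single-parity striping as used by RAID levels 3/4/5 (added illustration,
not the slides' own material or any vendor's implementation).

Each stripe spreads data across N data disks and stores the XOR of those
blocks as parity on one more disk. Any one missing block is the XOR of the
surviving blocks of its stripe; two missing blocks in a stripe cannot be
recovered from a single parity block.
"""
from functools import reduce

BLOCK = 4  # constructed: a tiny block size so the stripes stay readable


def xor_blocks(blocks):
    """Byte-wise XOR of equally sized byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def split_stripes(data, n_data_disks, block=BLOCK):
    """Pad data to a whole number of stripes and cut it into blocks."""
    stripe_len = n_data_disks * block
    data += b"\0" * ((-len(data)) % stripe_len)
    return [[data[i + j * block: i + (j + 1) * block] for j in range(n_data_disks)]
            for i in range(0, len(data), stripe_len)]


def write_array(data, n_data_disks, block=BLOCK):
    """Return a list of 'disks' (lists of blocks); disk n_data_disks holds parity."""
    disks = [[] for _ in range(n_data_disks + 1)]
    for stripe in split_stripes(data, n_data_disks, block):
        for d, blk in enumerate(stripe):
            disks[d].append(blk)
        disks[n_data_disks].append(xor_blocks(stripe))
    return disks


def reconstruct_disk(disks, failed):
    """Rebuild one failed disk (data or parity) stripe by stripe from the others."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]


def read_array(disks, n_data_disks, length):
    """Reassemble the original bytes from the data disks, dropping the padding."""
    out = b"".join(b"".join(stripe) for stripe in zip(*disks[:n_data_disks]))
    return out[:length]


def simulate_failure(data, n_data_disks, failed_disks):
    """Write data, lose the given disks, rebuild and read back. Returns the
    recovered bytes, or None when more than one disk failed, since single
    parity leaves two unknowns per stripe and no way to solve for them."""
    disks = write_array(data, n_data_disks)
    if len(failed_disks) > 1:
        return None
    for f in failed_disks:
        disks[f] = reconstruct_disk(disks, f)
    return read_array(disks, n_data_disks, len(data))


if __name__ == "__main__":
    sample = b"general ledger batch 2014-02-26"   # constructed payload
    print("data disk lost, recovered:", simulate_failure(sample, 3, [1]) == sample)
    print("parity disk lost, recovered:", simulate_failure(sample, 3, [3]) == sample)
    print("two disks lost:", simulate_failure(sample, 3, [0, 2]))
```

The same XOR rebuilds either a data disk or the parity disk, which is why the array keeps running after one failure; an auditor judging the RAID level is really judging how likely a second failure is before the rebuild completes.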

Page 30

Audit Objectives: The Computer Center

• Physical security controls are adequate to reasonably protect the organization from physical exposures

• Insurance coverage on equipment is adequate to compensate the organization for damage to the computer center

Page 31

Audit Procedures: The Computer Center

• Tests of physical construction

  • Obtain architectural plans to determine that the building is solidly built of fireproof material

  • Ensure adequate drainage

  • Assess the physical location

• Tests of the fire detection system

  • Ensure fire detection and suppression equipment are in place and tested regularly

  • Review official fire marshal records of tests

Page 32

Audit Procedures: The Computer Center

• Tests of access control

  • The computer center is restricted to authorized employees

  • Review the access log

  • Observe the process by which access is permitted

  • Review camera videotapes

• Test of RAID

  • Determine whether the RAID level is adequate for the organization, given the level of business risk associated with disk failure

  • If there is no RAID, review the procedure for recovering from a disk failure

Page 33

Audit Procedures: The Computer Center

• Test of the uninterruptible power supply

  • Perform periodic tests to ensure its capacity to run the computer and the air conditioning

  • Record the results

• Test of insurance coverage

  • Annually review the insurance coverage on computer hardware, software and the physical facility

  • Verify that all new acquisitions are included

  • Verify that obsolete equipment and software have been deleted

  • Verify the insurance policy

Page 34

Disaster Recovery Planning

• Disasters such as earthquakes, floods, or power failures can be catastrophic to an organization's computer center and information systems

• The more dependent an organization is on technology, the more susceptible it is to these risks

• Common features of a DRP:

  • Identify critical applications

  • Create a disaster recovery team

  • Provide site backup

  • Specify backup and off-site storage procedures

Page 35

Types of Disaster

Page 36

Identify Critical Applications

• Concentrate on restoring those applications that are critical to the short-term survival of the organization

• This does not mean immediately restoring the data processing facility to full capacity

• Application priorities may change over time, so the DRP must be updated

• Participation of user departments, accountants and auditors is needed to identify critical items and application priorities

Page 37

Creating a Disaster Recovery Team

• Recovering from a disaster depends on timely corrective action

• Delays make recovery unsuccessful

• Task responsibilities must be clearly defined and communicated to the personnel involved

• Each member has expertise in his or her own area

• In the event of a disaster, team members may have to violate control principles such as segregation of duties, access controls and supervision

Page 38

Disaster Recovery Team

Page 39

Providing Second-Site Backup

• Duplicate data processing models

  • Mutual aid pact

    • Agreement between two or more organizations to aid each other in the event of a disaster

    • Driven by economics

  • Empty shell or cold site

    • Involves two or more organizations that buy or lease a building and remodel it into a computer site, but without computer equipment

  • Recovery operations center or hot site

    • A completely equipped site; very costly and typically shared among many companies

  • Warm site

    • Hardware exists, but the backup may not be complete

  • Internally provided backup

    • Self-backup

Page 40

Comparison

Page 41

Backup and Off-site Storage Procedures

• Operating system backup

  • If the operating system is not included, specify the current operating system in the procedure

• Application backup

  • Include a procedure to create copies of current versions of critical applications

• Backup data files

  • At a minimum, back up daily. At best: remote mirroring

• Backup documentation

  • Back up critical system documentation

  • May be simplified by using Computer Aided Software Engineering (CASE) documentation tools

Page 42

Backup and Off-site Storage Procedures

• Backup supplies and source documents

  • Examples: check stock, invoices, purchase orders, etc.

• Testing the DRP

  • Should be performed periodically

  • Surprise simulation

  • Document the status of all processing affected by the test

  • Ideally include backup facilities and supplies

  • Measure performance in the following areas:

    • The effectiveness of DRP team personnel and their knowledge areas

    • The degree of conversion success (i.e., the number of lost records)

    • An estimate of financial loss due to lost records or facilities

    • The effectiveness of program, data, and documentation backup and recovery procedures

Page 43

Disaster Recovery Plan

1. Critical Applications – Rank critical applications so that an orderly and effective restoration of computer systems is possible.

2. Create Disaster Recovery Team – Select team members, write job descriptions, and describe the recovery process in terms of who does what.

3. Site Backup – A backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or a branch of the same company swap availability when needed.

4. Hardware Backup – Some vendors provide computers with their site, known as a hot site or Recovery Operations Center. Some do not provide hardware, known as a cold site. When hardware is not available, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).

5. System Software Backup – Some hot sites provide the operating system. If it is not included in the site plan, make sure copies are available at the backup site.

6. Application Software Backup – Make sure copies of critical applications are available at the backup site.

7. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.

8. Supplies – A modest inventory of supplies should be at the backup site or be able to be delivered quickly.

9. Documentation – An adequate set of copies of user and system documentation.

10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).

Page 44

Audit Objective

• Verify that the DRP is adequate and feasible for dealing with disasters

Page 45

DRP Audit Procedures

• Evaluate the adequacy of second-site backup arrangements

  • Mutual aid pact partner: are the systems compatible? Is there excess capacity to support the partner?

  • ROC: how many members share it? Where are the members located?

  • Empty shell: is the contract with the hardware vendors valid? Is the minimum delivery delay after a disaster specified?

• Review the list of critical applications for completeness and currency

• Verify that procedures are in place for storing off-site copies of applications and data

  • Check the currency of backups and copies

Page 46

DRP Audit Procedures

• Verify that documentation, supplies, etc., are stored off-site

  • Check that check stock, invoices, purchase orders and any special forms exist in a secure location

• Verify that the disaster recovery team knows its responsibilities

  • Clearly list the names, addresses and telephone numbers of disaster recovery team members

• Check the frequency of testing the DRP
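Three of the DRP audit procedures on the two slides above (review the critical application list for completeness, check the currency of off-site copies of applications and data, and check the frequency of DRP testing) lend themselves to a scripted test over the organization's backup register. The script below is an added example for these notes, not code from the slides; the audit date, the application ranking with its allowed backup age per application, the inventory, the backup register, the last DRP test date and the one-year test interval (the slides' "e.g., once a year") are all constructed assumptions.

```python
"""DRP audit tests for critical-list currency, off-site backup currency and
DRP test frequency (added example; data and thresholds are constructed).

Every critical application must have an off-site copy of both its program
and its data no older than the age allowed for it, every application in the
inventory must have been ranked, and the last DRP test must fall within the
required interval.
"""
from datetime import datetime, timedelta

AUDIT_DATE = datetime(2014, 2, 26)          # constructed audit date
DRP_TEST_INTERVAL = timedelta(days=365)     # "once a year" from the slides

# Constructed critical application ranking: name -> (priority, max backup age in hours).
CRITICAL_APPS = {
    "general-ledger": (1, 24),
    "payroll":        (2, 24),
    "billing":        (3, 168),
}
# Constructed application inventory taken from systems documentation.
INVENTORY = {"general-ledger", "payroll", "billing", "order-entry"}

# Constructed backup register: (application, kind, taken at, location).
BACKUP_REGISTER = [
    ("general-ledger", "application", "2014-02-25 23:10", "offsite"),
    ("general-ledger", "data",        "2014-02-25 23:40", "offsite"),
    ("payroll",        "application", "2014-02-20 22:00", "offsite"),   # stale
    ("payroll",        "data",        "2014-02-25 23:50", "onsite"),    # no off-site copy
    ("billing",        "application", "2014-02-01 22:00", "offsite"),   # stale
    ("billing",        "data",        "2014-02-24 22:00", "offsite"),
]
LAST_DRP_TEST = "2013-01-15"   # constructed


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def check_critical_list(critical, inventory):
    """Applications in the inventory that were never ranked; the auditor must
    confirm they are genuinely non-critical rather than forgotten."""
    return sorted(inventory - set(critical))


def check_offsite_currency(critical, register, now):
    """Return findings (app, kind, reason), in priority order, for each
    required copy that is missing off-site or older than its allowed age."""
    findings = []
    for app, (_prio, max_age_h) in sorted(critical.items(), key=lambda kv: kv[1][0]):
        for kind in ("application", "data"):
            offsite = [parse(ts) for a, k, ts, loc in register
                       if a == app and k == kind and loc == "offsite"]
            if not offsite:
                findings.append((app, kind, "no off-site copy"))
                continue
            age = now - max(offsite)   # only the newest off-site copy matters
            if age > timedelta(hours=max_age_h):
                findings.append((app, kind, f"off-site copy is {age.days} days old"))
    return findings


def check_drp_test_frequency(last_test, now, interval=DRP_TEST_INTERVAL):
    """True when the DRP was tested within the required interval."""
    return now - datetime.strptime(last_test, "%Y-%m-%d") <= interval


if __name__ == "__main__":
    print("unranked applications:", check_critical_list(CRITICAL_APPS, INVENTORY))
    for app, kind, reason in check_offsite_currency(CRITICAL_APPS, BACKUP_REGISTER, AUDIT_DATE):
        print(f"FINDING {app:<15} {kind:<12} {reason}")
    print("DRP tested within interval:", check_drp_test_frequency(LAST_DRP_TEST, AUDIT_DATE))
```

On the constructed data the run reports order-entry as unranked, a stale off-site program copy for payroll and billing, a missing off-site data copy for payroll, and a DRP last tested more than a year before the audit date. An on-site copy never satisfies the check, since the procedure being verified is specifically off-site storage.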

Page 47

Benefits of IT Outsourcing

• Improved core business processes

• Improved IT performance

• Reduced IT costs

Page 48

Risks of IT Outsourcing

• Failure to perform

  • Poor vendor performance

• Vendor exploitation

  • Vendor dependency

• Costs exceed benefits

  • Failure to anticipate the costs of vendor selection, contracting and the transitioning of IT operations to the vendor

• Reduced security

  • Sensitive data owned by the vendor

• Loss of strategic advantage

  • A close working relationship between corporate management and IT management becomes difficult

Page 49

Audit Implications of IT Outsourcing

• Management retains its SOX responsibilities for ensuring adequate IT internal controls

• A SAS No. 70 report on the vendor, or an audit of the vendor, will be required

Page 50

Audit Implications of IT Outsourcing

Page 51

Question - 01

Segregation of duties in the computer-based information system includes

a. separating the programmer from the computer operator.

b. preventing management override.

c. separating the inventory process from the billing process.

d. performing independent verifications by the computer operator.

Page 52

Question - 02

A disadvantage of distributed data processing is

a. the increased time between job request and job completion.

b. the potential for hardware and software incompatibility among users.

c. the disruption caused when the mainframe goes down.

d. that users are not likely to be involved.

e. that data processing professionals may not be properly involved.

Page 53

Question - 03

Which of the following is an advantage of distributed data processing?

a. Redundancy

b. user satisfaction

c. Incompatibility

d. lack of standards

Page 54

Question - 04

Which of the following disaster recovery techniques may be least optimal in the case of a disaster?

a. empty shell

b. mutual aid pact

c. internally provided backup

d. they are all equally beneficial

Page 55

Question - 05

Which of the following is a feature of fault tolerance control?

a. interruptible power supplies

b. RAID

c. Distributed Data Processing

d. Centralized Data Processing

Page 56

Question - 06

Which of the following disaster recovery techniques has the least risk associated with it?

a. empty shell (cold site)

b. Recovery Operation Center (hot site)

c. Internally provided backup

d. they are all equally risky

Page 57

Question - 07

Which of the following is NOT a potential threat to computer hardware and peripherals?

a. low humidity

b. high humidity

c. carbon dioxide fire extinguishers

d. water sprinkler fire extinguishers

Page 58

Question - 08

Which of the following would strengthen organizational control over a large-scale data processing center?

a. requiring the user departments to specify the general control standards necessary for processing transactions

b. requiring that requests and instructions for data processing services be submitted directly to the computer operator in the data center

c. having the database administrator report to the manager of computer operations.

d. assigning maintenance responsibility to the original system designer who best knows its logic

Page 59

Question - 09

The following are benefits of IT outsourcing EXCEPT

a. Improved core business processes

b. Improved IT performance

c. Reduced IT costs

d. Vendor dependency

Page 60

Question - 10

Which of the following is true?

a. Core competency theory argues that an organization should outsource specific core assets.

b. Core competency theory argues that an organization should focus exclusively on its core business competencies.

c. Core competency theory argues that an organization should not outsource specific commodity assets.

d. Core competency theory argues that an organization should retain certain specific non-core assets in-house.