Chapter 2:Auditing IT
Governance ControlsIT Auditing, Hall, 4e
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
1
2
Learning Objectives• Understand the risks of incompatible functions and
how to structure the IT function.• Be familiar with the controls and precautions
required to ensure the security of an organization’s computer facilities.• Understand the key elements of a disaster recovery
plan.• Be familiar with the benefits, risks, and audit issues
related to IT outsourcing.
3
IT Governance • Subset of corporate governance that focuses on the
management and assessment of strategic IT resources.• Key objects are to reduce risk and ensure
investments in IT resources add value to the corporation.• All corporate stakeholders must be active
participants in key IT decisions.
4
IT Governance Controls• Three IT governance issues addressed by SOX and
the COSO internal control framework:• Organizational structure of the IT function.• Computer center operations.• Disaster recovery planning.
5
Structure of the Corporate IT Function• Under the centralized data processing model, all data
processing performed at a central site.• End users compete for resources based on need.
• Operating costs charged back to end user.• Primary service areas:
• Database administrator.• Data processing consisting of data control/data entry,
computer operations and data library.• System development and maintenance
• Participation in systems development activities include system professional, end users and stakeholders.
6
Structure of the Corporate IT Function
7
Alternative Organization of Systems Development
8
Alternative Organization of Systems Development Problems• Two control problems with segregating systems
analysis from applications programming.• Inadequate documentation a chronic problem.
• Documenting systems is not an interesting task.• Lack of documentation provides job security for the
programmer who coded it.
• When system programmer has maintenance responsibilities, potential for fraud is increased.• May have concealed fraudulent code in the system.• Having sole responsibility for maintenance may allow the
programmer to conceal the code for years.
9
Structure of the Corporate IT Function
10
Segregation of Incompatible IT Functions• Systems development from computer operations.
• Relationship between groups should be formal and responsibilities should not be comingled.
• Database administration from other functions.• DBA function responsible for many critical tasks and needs to
be organizationally independent of operations, systems development and maintenance.
• New systems development from maintenance.• Improves documentation standards because maintenance
group requires documentation.• Denying original programmer future access deters program
fraud.
11
The Distributed Model• Distributed Data Processing (DDP) involves
reorganizing central IT function into small IT units that are placed under the control of end users.• Two alternatives:• Alternative A: Variant of centralized model with
terminals or microcomputers distributed to end users for handling input and output.• Alternative B: Distributes all computer services to the
end users where they operate as stand alone units.
12
The Distributed Model
13
Management Assertions Audit Objectives Audit Procedure
Existence or occurrence Inventories listed on the balance sheet exist.
Observe the counting of physical inventory.
Completeness Accounts payable include all obligations to vendors for the period.
Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period.
Rights and obligations Plant \and equipment listed in the balance sheet are owned by the entity.
Review purchase agreements, insurance policies, and related documents.
Valuation or allocation Accounts receivable are stated at net realizable value.
Review entity’s aging of accounts and evaluate the adequacy of the allowance for uncorrectable accounts.
Presentation and disclosure Contingencies not reported in financial accounts are properly disclosed in footnotes.
Obtain information from entity lawyers about the status of litigation and estimates of potential loss.
Audit Objectives and Audit Procedures Based on Management Assertions
14
Risks Associated with DDP• Inefficient use of resources:
• Mismanagement of IT resources by end users.• Operational inefficiencies due to redundant tasks being
performed.• Hardware and software incompatibility among end-user functions.
• Destruction of audit trails.• Inadequate segregation of duties.• Hiring qualified professionals:
• Risk of programming errors and system failures increase directly with the level of employee incompetence.
• Lack of standards.
15
Controlling the DDP Environment• Implement a corporate IT function:• Central testing of commercial software and hardware.• User services to provide technical help. • Standard-setting body.• Personnel review.
16
Audit Procedures for the DDP• Audit procedures in a centralized IT organization:• Review relevant documentation to determine if
individuals or groups are performing incompatible functions.• Review systems documentation and maintenance
records to verify maintenance programmers are not designers.• Observe to determine if segregation policy is being
followed.
17
Audit Procedures for the DDP• Audit procedures in a distributed IT organization:• Review relevant documentation to determine if
individuals or groups are performing incompatible duties.• Verify corporate policies and standards are published
and provided to distributed IT units.• Verify compensating controls are in place when needed.• Review system documentation to verify applications,
procedures and databased are in accordance with standards.
18
The Computer Center• Physical location:• Directly affects risk of destruction from a disaster.• Away from hazards and traffic.
• Construction:• Ideally: single-story, solidly constructed with underground
utilities.• Windows should not open and an air filtration system
should be in place.
• Access:• Should be limited with locked doors, cameras, key card
entrance and sign-in logs.
19
The Computer Center• Air conditioning should provide appropriate temperature
and humidity for computers.• Fire suppression:
• Alarms, fire extinguishing system, appropriate construction, fire exits.
• Fault tolerance is the ability of the system to continue operation when part of the system fails.• Total failure can occur only if multiple components fail.• Redundant arrays of independent disks (RAID) involves using
parallel disks with redundant data and applications so if one disk fails, lost data can be reconstructed.
• Uninterruptible power supplies.
20
Audit Procedures: The Computer Center• Auditor must verify that physical controls and
insurance coverage are adequate.• Procedures include:• Tests of physical construction.• Tests of the fire detection system.• Tests of access control.• Tests of RAID.• Tests of the uninterruptible power supply.• Tests of insurance coverage.
21
Disaster Recovery Planning• A disaster recovery plan is a statement of all actions
to be taken before, during and after any type of disaster. Four common features:• Identify critical applications:• Short-term survival requires restoration of cash flow
generating functions.• Applications supporting those functions should be
identified and prioritized in the restoration plan.• Task of identifying critical items and prioritizing
applications requires active participation of user departments, accountants and auditors.
22
Disaster Recovery Planning• Create a disaster recovery team:• Team members should be experts in their areas and
have assigned tasks.
• Provide second-site backup:• Necessary ingredient in a DRP is that it provides for
duplicate data processing facilities following a disaster.
• Specify back-up and off-site storage procedures:• All data files, applications, documentation and supplies
needed to perform critical functions should be automatically backed up and stored at a secure off-site location.
23
Second-Site Backups• Mutual aid pact is an agreement between
organizations to aid each other with data processing in a disaster.• Empty shell or cold site plan involves obtaining a
building to serve as a data center in a disaster.• Recovery depends on timely availability of hardware.
• Recovery operations center or hot site plan is a fully equipped site that many companies share.• Internally provided backup may be preferred by
organizations with many data processing centers.
24
DRP Audit Procedures• To verify DRP is a realistic solution, the following tests
may be performed:• Evaluate adequacy of backup site arrangements.• Review list of critical applications for completeness.• Verify copies of critical applications and operating systems
are stored off-site.• Verify critical data files are backed up in accordance with
the DRP.• Verify that types and quantities of items specified in the
DRP exist in a secure location.• Verify disaster recovery team members are current
employees and aware of their assigned responsibilities.
25
Outsourcing the IT Function• Benefits of IT outsourcing include:
• Improved core business processes.• Improved IT performance.• Reduced IT costs.
• Logic underlying outsourcing follows from core competency theory which argues an organization should focus on its core business competencies. Ignores an important distinction between:• Commodity IT assets which are not unique to an organization
and easily acquired in the marketplace.• Specific IT assets which are unique and support an
organization’s strategic objectives.
26
Outsourcing the IT Function• Transaction cost economics (TCE) suggests firms
should retain specific non-core IT assets in house.• Those that cannot be easily replaced once they are given
up in an outsourcing arrangement.
• Cloud computing is location-independent computing whereby shared data centers deliver hosted IT services over the Internet. Offers three primary classes of computing services:• Software-as-a-Service (SaaS).• Infrastructure-as-a-Service (IaaS).• Platform-as-a-Service (PaaS).
27
Outsourcing the IT Function• Virtualization has unleashed cloud computing.
• Network virtualization increases effective network bandwidth, optimizes network speed, flexibility, and reliability, and improves network scalability.
• Storage virtualization is the pooling of physical storage from multiple devices into what appears to be a single virtual storage device.
• Cloud computing not realistic for large firms.• Typically have massive IT investments and therefore not inclined to
turn over their IT operations to a could vendor.• May have critical functions running on legacy systems that could not
be easily migrated to the cloud.• Commodity provision approach of the cloud incompatible with the
need for unique strategic information.
28
Risks Inherent to IT Outsourcing• Failure to perform.• Vendor exploitation.• Outsourcing costs exceed benefits.• Reduced security.• Loss of strategic advantage.
29
Audit Implications of IT Outsourcing• Use of a service organization does not reduce
management’s responsibilities under SOX for ensuring adequate IT internal controls.• SSAE 16 replaced SAS 70 and is the definitive
standard by which auditors can gain knowledge that processes and controls at third-party vendors are adequate to prevent or detect material errors. • Report provides a description of service provider’s
description using either the carve-out or the inclusive method
30
Audit Implications of IT Outsourcing