
Auditing IT Governance Controls

Defining IT Governance

● Information Technology (IT) Governance - a relatively new subset of corporate governance that focuses on the management and
assessment of strategic IT resources.

Key Objectives: to reduce risk and ensure that investments in IT resources add value to the corporation.

IT Governance Controls
(Three IT Governance issues addressed by the SOX and COSO internal control frameworks)
Organizational Structure of the IT Function

● Two Extreme Organizational Models:

1. Centralized Data Processing model - all data processing is performed by one or more large computers housed at a central
site that serves users throughout the organization.

a) Database Administration - the data resources kept in the central location and shared by all end users are the responsibility
of the database administrator (DBA), an independent group accountable for the security and integrity of the database.

b) Data Processing - group that manages the computer resources used to perform the day-to-day processing of the
transactions.

Consists of the following organizational functions:

i. Data Conversion - transcribes transaction data from hard-copy source documents into computer input.

ii. Computer Operations - the computer operations group manages the electronic files produced in data conversion, which
are later processed by the central computer.

iii. Data Library - a room adjacent to the computer center that provides safe storage for the off-line data files. A
data librarian is responsible for the receipt, storage, retrieval, and custody of all data files, and controls access
to the library.

c) Systems Development and Maintenance

i. Systems Development is responsible for analyzing user needs and for designing new systems to satisfy those
needs.

Participants:

 Systems professionals - gather facts about the user's problem, analyze the facts, and formulate a solution.
(includes: systems analysts, database designers, and programmers)

 End users - those for whom the system is built. (includes: managers and operations personnel)

 Stakeholders - individuals inside or outside the firm who have an interest in the system but are not end
users. (includes: accountants, internal and external auditors, others who oversee systems development)

ii. Systems Maintenance - assumes responsibility for keeping the system current with the users

● Segregation of Incompatible IT Functions

Operational tasks should be segregated to:

1. Separate transaction authorization from transaction processing

2. Separate record keeping from asset custody

3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud
would not be possible

4. Separate systems development from computer operations

Systems development and maintenance professionals should create and maintain systems for users, and should have no
involvement in entering data or running applications. Operations staff should run these systems and have no involvement
in their design.

5. Separate database administration from other functions

The DBA function is responsible for a number of critical tasks pertaining to database security; delegating these
responsibilities to others who perform incompatible tasks threatens database integrity.

6. Separate new systems development from maintenance

 Systems analysis group works with the users to produce detailed designs of the new systems.

 Programming group codes the programs according to these design specifications.

Two types of control problems:

 Inadequate documentation

 Potential for program fraud

2. Distributed Data Processing (DDP) model - involves reorganizing the central IT function into small IT units that are placed
under the control of end users.

a) Alternative A - variant of the centralized model; the difference is that terminals are distributed to end users for
handling input and output.

b) Alternative B - a significant departure from the centralized model; distributes all computer services to the end users,
where they operate as standalone units. The connections represent a networking arrangement that permits
communications and data transfers between the units.

 Risks Associated with DDP

 Inefficient Use of resources

 Risk of mismanagement of organization-wide IT resources by end users

 DDP can increase the risk of operational inefficiencies

 DDP environment poses a risk of incompatible hardware and software among end-user functions

 Destruction of Audit Trails

 Audit Trails - provide the linkage between a company's financial activities (transactions) and the financial statements
that report on those activities.

 Inadequate Segregation of Duties

 Hiring qualified professionals - the risk of programming errors and system failures increases directly with the level of
employee incompetence

 Lack of Standards - environment standards for developing and documenting systems, choosing programming languages,
acquiring hardware and software, and evaluating performance may be unevenly applied or even nonexistent.

 Advantages of DDP

 Cost Reduction

 Data can be edited and entered by the end user, thus eliminating the centralized task of data preparation

 Application complexity can be reduced, which in turn reduces systems development and maintenance costs

 Improved Cost Control Responsibility - end-user managers carry the responsibility for the financial success of their
operations

 Improved User Satisfaction - distributing systems to end users improves three areas of need that too often go unsatisfied in
the centralized model:

 Users desire to control the resources that influence their profitability

 Users want systems professionals to be responsive to their specific situation

 Users want to become more actively involved in developing and implementing their own systems

 Backup Flexibility - the ability to back up computing facilities to protect against potential disasters

 Controlling the DDP Environment - Many DDP initiatives have proven to be ineffective, and even counterproductive, because
decision makers saw in these systems virtues that were more symbolic than real.

 Implement a Corporate IT Function - the corporate IT group provides systems development and database management for
entity-wide systems in addition to technical advice and expertise to the distributed IT community. Some services are:

 Central Testing of Commercial Software and Hardware - can evaluate systems features, controls, and compatibility
with industry and organizational standards

 User Services - provides technical help to users during the installation of new software and in troubleshooting
hardware and software problems

 Standard-Setting Body - establishing and distributing to user areas appropriate standards for systems development,
programming, and documentation

 Personnel Review - the corporate group is often better equipped than users to evaluate the technical credentials of
prospective systems professionals

 Audit Objective: the auditor's objective is to verify that the structure of the IT function is such that individuals in incompatible
areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment

 Audit Procedures

(For Centralized IT functions)

 Review relevant documentation

 Review systems documentation and maintenance records for a sample of applications

 Verify that computer operators do not have access to the operational details of a system’s internal logic

 Through observation, determine that segregation policy is being followed in practice

(For Distributed IT functions)

 Review the current organizational chart, mission statement, and job descriptions for key functions to determine if
individuals/groups are performing incompatible duties

 Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition
are published and provided to distributed IT units

 Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of
incompatible duties is economically infeasible

 Review systems documentation to verify that applications, procedures, and databases are designed and functioning in
accordance with corporate standards
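The segregation rules above, and the audit step of reviewing job descriptions for incompatible duties, can be run mechanically over an access export. This is an added example, not part of these notes: the role names, the user-to-role export and the register of compensating controls are all constructed, and the check reports only the conflicts that no documented compensating control covers.

```python
"""Segregation-of-duties (SoD) check over a constructed role-assignment export.
Added example, not from the original notes; all role names and records are constructed."""
from itertools import combinations

# Pairs of IT functions the notes call incompatible (hypothetical role names).
INCOMPATIBLE = {
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"record_keeping", "asset_custody"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
}

# Constructed access export: user -> roles currently held.
ASSIGNMENTS = {
    "alice": ["systems_development", "computer_operations"],
    "bob":   ["database_administration", "systems_development"],
    "carol": ["computer_operations"],
    "dave":  ["transaction_authorization", "transaction_processing",
              "record_keeping"],
}

# Constructed register of compensating controls, keyed by (user, conflicting pair);
# the notes accept these where full segregation is economically infeasible.
COMPENSATING = {
    ("bob", ("database_administration", "systems_development")):
        "monthly review of the DBA change log by the IT manager",
}

def find_conflicts(assignments):
    """Return {user: [(role_a, role_b), ...]} for every user holding two
    incompatible roles; pairs are sorted so the report is stable."""
    conflicts = {}
    for user, roles in assignments.items():
        hits = sorted(tuple(sorted(pair))
                      for pair in combinations(set(roles), 2)
                      if frozenset(pair) in INCOMPATIBLE)
        if hits:
            conflicts[user] = hits
    return conflicts

def unmitigated(conflicts, compensating):
    """Remove conflicts covered by a documented compensating control; what
    is left is the exception list the auditor reports to management."""
    out = {}
    for user, pairs in conflicts.items():
        left = [p for p in pairs if (user, p) not in compensating]
        if left:
            out[user] = left
    return out
```

Running `unmitigated(find_conflicts(ASSIGNMENTS), COMPENSATING)` flags alice (development plus operations) and dave (authorization plus processing) while bob's DBA/development overlap is dropped because a compensating control is on record.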

The Computer Center

(Objective: To present computer center risks and controls that help to mitigate risk and create a secure environment)

Computer Center Threats and Controls

1. Physical Location - directly affects the risk of destruction from natural or man-made disasters. Computer centers should:

 Be away from human-made and natural hazards

 Be away from normal traffic

2. Construction - should be located in a single-story building of solid construction with controlled access; utility lines should be
underground; building windows should not open, and an air filtration system should be in place

3. Access - to the computer center should be limited to the operators and other employees who work there. Physical Controls:
locked doors, keypad or swipe card, monitored by closed-circuit cameras & video recording systems

4. Air Conditioning - computers function best in an air-conditioned environment, and providing adequate air conditioning is often
a requirement of the vendor’s warranty.

5. Fire Suppression
Effective Fire Suppression System:

 Automatic and manual alarms

 Automatic fire extinguishing system

 Manual fire extinguishers

 Building of sound construction

 Fire exits

6. Fault Tolerance - ability of the system to continue operation when part of the system fails because of hardware failure,
application program error, or operator error.

Fault Tolerance Technologies:

 Redundant arrays of independent disks (RAID) - involves using parallel disks that contain redundant elements of data and
applications

 Uninterruptible power supplies - in the event of a power outage, these devices provide backup power for a reasonable
period to allow commercial power service restoration (e.g., voltage regulators, surge protectors, generators, and backup
batteries)

 Audit Objectives: to evaluate the controls governing computer center security

 Physical security controls must be adequate to reasonably protect the organization from physical exposures

 Insurance coverage on equipment must be adequate to compensate the organization for the destruction of, or damage to,
its computer center

● Audit Procedures (Tests of Physical Security Controls)

 Tests of physical construction

 Tests of the fire detection system

 Tests of access control

 Tests of RAID

 Tests of uninterruptible power supply

 Tests of insurance coverage

Disaster Recovery Planning

 Types of Disasters:

1. Natural Disasters - most devastating because they can simultaneously impact many organizations within the affected
geographic area

E.g., hurricanes, widespread flooding, earthquakes

2. Human-made Disasters - e.g., sabotage or errors, can be destructive to an individual organization but tend to be
limited in their scope of impact

3. System Failure - e.g., power outages or hard-drive failure are generally less severe, but most likely to occur

 Disaster Recovery Plan (DRP)

1. Identify critical applications - recovery efforts must concentrate on restoring applications that are critical to the
short-term survival of the organization.

2. Create a disaster recovery team

3. Provide second-site backup

a) Mutual Aid Pact - agreement between two or more organizations to aid each other with their data processing needs
in the event of a disaster

b) Empty Shell/Cold Site Plan - an arrangement wherein the company buys or leases a building that will serve as a data
center.

c) Recovery Operations Center/Hot Site - a fully equipped backup data center that many companies share

d) Internally Provided Backup - larger organizations often prefer the self-reliance that creating internal excess capacity
provides

4. Specify backup and off-site storage procedures

a) Operating System Backup - if the company uses a cold site or another method of site backup that does not include a
compatible operating system, procedures for obtaining a current version of the operating system need to be clearly
specified.

b) Application Backup - DRP should include procedures to create copies of current versions of critical applications

c) Backup Data Files - a remote mirrored site provides complete data currency

d) Backup Documentation - system documentation for critical applications should be backed up and stored off-site
along with the application

e) Backup supplies and source documents - organizations should create backup inventories of supplies and source
documents used in processing critical transactions

f) Testing the DRP

 Audit Objective: The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a
catastrophe that could deprive the organization of its computing resources

 Audit Procedures:

 Site Backup

 Critical application list

 Software backup

 Data backup

 Backup supplies, documents, and documentation

 Disaster recovery team

Outsourcing the IT Function

 IT outsourcing - where third-party vendors take over the responsibility for the management of IT assets and staff and for
delivery of IT services, such as data entry, data center operations, applications development, applications maintenance, and
network management.

Benefits: Improved core business performance, improved IT performance, reduced IT costs

 Core Competency Theory - argues that an organization should focus exclusively on its core business competencies, while allowing
outsourcing vendors to efficiently manage the non-core areas such as IT functions.

 Commodity IT assets - include things such as network management, systems operations, server maintenance, help-desk
function

 Specific IT assets - unique to the organization and support its strategic objectives

 Transaction Cost Economics (TCE) theory - is in conflict with the core competency school by suggesting that firms should retain
certain specific non-core IT assets in-house

 Risks Inherent in IT Outsourcing

 Failure to perform

 Vendor exploitation

 Outsourcing costs exceed benefits

 Reduced security

 Loss of strategic advantage

 Audit Implications of IT Outsourcing

“The use of a service organization does not reduce management’s responsibility to maintain effective internal control over
financial reporting. Rather, user management should evaluate controls at the service organization, as well as related controls at the
user company, when making its assessment about internal control over financial reporting” -PCAOB

“The definitive standard by which client organizations' auditors can gain knowledge that controls at the third-party vendor are
adequate to prevent or detect material errors that could impact the client's financial statements.” -Statement on Auditing Standards No.
70 (SAS 70)
