Chapter 2: IT Governance

CHAPTER 2:
IT Governance
IT Auditing, Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
IT Governance
IT Governance: subset of corporate governance that
focuses on the management and assessment of strategic
IT resources
Key objects:
◦ Reduce risk
◦ Ensure investments in IT resources add value to the
corporation
All employees and stakeholders must be active
participants in key IT decisions
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 1
IT Governance Controls
Three IT governance issues addressed by SOX and the
COSO internal control framework:
◦ Organizational structure of the IT function
◦ Computer center operations
◦ Disaster recovery planning
Nature of risk associated with each issue
Controls used to mitigate risk
Audit objectives
Tests of controls
Structuring the IT Function
Centralized data processing
[see Figure 2-1]
Organizational chart [see Figure 2-2]
Database administrator
Data processing manager/dept.
Data control
Data preparation/conversion
Computer operations
Data library
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e
3
Segregation of incompatible IT functions

Systems development & maintenance
Participants
End users
IS professionals
Auditors
Other stakeholders
4

Objectives:
Segregate transaction authorization from transaction
processing
Segregate record keeping from asset custody
Divide transaction processing steps among individuals to
force collusion to perpetrate fraud
5

Separating systems development from computer
operations
[see Figure 2-2]
6

Separating DBA from other functions
DBA is responsible for several critical tasks:
Database security
Creating database schema and
user views
Assigning database access authority to users
Monitoring database usage
Planning for future changes
7
Alternative 1: segregate systems analysis from programming
[see Figure 2-3]
Two types of control problems from this approach:
Inadequate documentation
Is a chronic problem. Why?
Not interesting
Lack of documentation provides job security
Assistance: Use of CASE tools
Potential for fraud
Example: Salami slicing, trap doors

Alternative 2: segregate systems development from
maintenance
[see Figure 2-2]
Two types of improvements from this approach:
Better documentation standards
Necessary for transfer of responsibility
Deters fraud
Possibility of being discovered
9
Segregate data library from operations
Physical security of off-line data files
Implications of modern systems on use of data library:
Real-time/online vs. batch processing
Volume of tape files is insufficient to justify full-time librarian
Alternative: rotate on ad hoc basis
Custody of on site data backups
Custody of original commercial software and licenses
10

Audit objectives
Risk assessment
Verify incompatible areas are properly segregated
How would an auditor accomplish this objective?
Verify incompatible areas are properly segregated
Verify formal vs. informal relationships exist between
incompatible tasks
Why does it matter?
11
▪ Segregation of incompatible IT functions
✔ Audit procedures:
❑ Obtain and review security policy
❑ Verify policy is communicated
❑ Review relevant documentation (org. chart, mission
statement, key job descriptions)
❑ Review systems documentation and maintenance records
(using a sample)
❑ Verify whether maintenance programmers are also original
design programmers
❑ Observe segregation policies in practice
❑ Review operations room access log
❑ Review user rights and privileges
12
The Distributed Model
Distributed Data Processing (DDP) involves
reorganizing the central IT function into small
IT units that are placed under the control of
end users
Two alternatives shown in [figure 2-4]
Alternative A: centralized
Alternative B: decentralized / network
13
Risks Associated with DDP
Inefficient use of resources
Mismanagement of resources by end users
Hardware and software incompatibility
Redundant tasks
Destruction of audit trails
Inadequate segregation of duties
Hiring qualified professionals
Increased potential for errors
Programming errors and system failures
Lack of standards
14
Advantages of DDP
Cost reduction
End user data entry vs. data control group
Application complexity reduced
Development and maintenance costs reduced
Improved cost control responsibility
IT critical to success then managers must control the
technologies
Improved user satisfaction
Increased morale and productivity
Backup flexibility
Excess capacity for DRP
15
Controlling the DDP Environment
Need for careful analysis

Implement a corporate IT function
Central systems development
Acquisition, testing, and implementation of commercial
software and hardware
User services
Help desk: technical support, FAQs, chat room, etc.
Standard-setting body
Personnel review
IT staff
16
Audit Objectives: DDP Environment
Verify that the structure of the IT function is such that

individuals in incompatible areas are segregated:
◦ In accordance with the level of potential risk
◦ And in a manner that promotes a working environment
Verify that formal relationships needs to exist between
incompatible tasks
17
Audit Objectives: DDP Environment
Review the corporate policy on computer security
◦ Verify that the security policy is communicated to
employees
Review documentation to determine if individuals or
groups are performing incompatible functions
Review systems documentation and maintenance records
◦ Verify that maintenance programmers are not also design
programmers
18
The Computer Controls Center
Physical location
Avoid human-made and natural hazards
Example: Chicago Board of Trade
Construction
Ideally: single-story, underground utilities, windowless, use of
filters
If multi-storied building, use top floor (away from traffic flows,
and potential flooding in a basement)
Access
Physical: Locked doors, cameras
Manual: Access log of visitors
19
The Computer Controls Center
Air conditioning
Especially mainframes
Amount of heat even from a group of PCs
Fire suppression
Automatic: usually sprinklers
Gas, such as halon, that will smother fire by removing oxygen
can also kill anybody trapped there
Sprinklers and certain chemicals can destroy the computers
and equipment
Manual methods
Power supply
Need for clean power, at a acceptable level
Uninterrupted power supply
20
Audit Objectives: The Computer
Center
physical security IC protects the computer
center from physical exposures
insurance coverage compensates the
organization for damage to the computer
center
operator documentation addresses routine
operations as well as system failures
21
Considerations: The Computer Center
Controls
man-made threats and natural hazards
underground utility and communications lines
air conditioning and air filtration systems
access limited to operators and computer center workers;
others required to sign in and out
fire suppression systems installed
fault tolerance
◦ redundant disks and other system components
◦ backup power supplies
22
Audit Procedures: The Computer Center
Review insurance coverage on hardware, software,

and physical facility
Review operator documentation, run manuals, for
completeness and accuracy
Verify that operational details of a system’s internal
logic are not in the operator’s documentation
23
Disaster Recovery Planning
Disaster recovery plans (DRP) identify:
◦ actions before, during, and after the disaster
◦ disaster recovery team
◦ priorities for restoring critical applications
Audit objective – verify that DRP is
adequate and feasible for dealing with
disasters
Disaster Recovery Plan
1. Critical Applications – Rank critical applications so an orderly and effective restoration of
computer systems is possible.
2. Create Disaster Recovery Team – Select team members, write job descriptions, describe
recovery process in terms of who does what.
3. Site Backup – a backup site facility including appropriate furniture, housing, computers, and
telecommunications. Another valid option is a mutual aid pact where a similar business or
branch of same company swap availability when needed.
4. Hardware Backup – Some vendors provide computers with their site – known as a hot site or
Recovery Operations Center. Some do not provide hardware – known as a cold site. When
not available, make sure plan accommodates compatible hardware (e.g., ability to lease
computers).
5. System Software Backup – Some hot sites provide the operating system. If not included in
the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the
backup site
7. Data Backup – One key strategy in backups is to store copies of data backups away from the
business campus, preferably several miles away or at the backup site. Another key is to test
the restore function of data backups before a crisis.
8. Supplies – A modicum inventory of supplies should be at the backup site or be able to be
delivered quickly.
9. Documentation – An adequate set of copies of user and system documentation.
10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it
before a crisis occurs, and to test it periodically (e.g., once a year).
Disaster Recovery Planning
Major IC concerns:
◦second-site backups
◦critical applications and databases
● including supplies and documentation
◦back-up and off-site storage procedures
◦disaster recovery team
◦testing the DRP regularly
Second-Site Backups
Empty shell - involves two or more user
organizations that buy or lease a building and
remodel it into a computer site, but without
computer equipment
Recovery operations center - a completely
equipped site; very costly and typically shared
among many companies
Internally provided backup - companies with
multiple data processing centers may create
internal excess capacity
DRP Audit Procedures
Evaluate adequacy of second-site backup

arrangements
Review list of critical applications for
completeness and currency
Verify that procedures are in place for
storing off-site copies of applications and
data
◦ Check currency back-ups and copies
DRP Audit Procedures
Verify that documentation, supplies, etc., are

stored off-site
Verify that the disaster recovery team knows
its responsibilities
◦ Check frequency of testing the DRP
Benefits of IT Outsourcing
Improved core business processes
Improved IT performance
Reduced IT costs
Risks of IT Outsourcing
Failure to perform
Vendor exploitation
Costs exceed benefits
Reduced security
Loss of strategic advantage
Audit Implications of IT Outsourcing
Management retains SOX responsibilities

SAS No. 70 report or audit of vendor will be
required

Chapter 2: IT Governance

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Chapter 2: IT Governance

Загружено:

Авторское право:

Доступные форматы

CHAPTER 2:

Segregation of incompatible IT functions

Segregation of incompatible IT functions

Segregation of incompatible IT functions

Segregation of incompatible IT functions

Segregation of incompatible IT functions

Segregation of incompatible IT functions

Need for careful analysis

Verify that the structure of the IT function is such that

Review insurance coverage on hardware, software,

Evaluate adequacy of second-site backup

Verify that documentation, supplies, etc., are

Management retains SOX responsibilities

Вам также может понравиться