
Lord, make me an instrument of your peace.
Where there is hatred, let me sow love.
Where there is injury, pardon.
Where there is doubt, faith.
Where there is despair, hope.
Where there is darkness, light.
Where there is sadness, joy.
O Lord, grant that I may not so much seek
to be consoled, as to console;
to be understood, as to understand;
to be loved, as to love.
For it is in giving that we receive.
It is in forgiving that we are forgiven,
and it is in dying that we are born to Eternal Life.
Amen.
CHAPTER 2:
AUDITING IT GOVERNANCE CONTROLS
Powerpoint – email to arnoldsalcedo1111@gmail.com before 12 midnight
Subject Line: Group No._Section_Case No._Company

Case No. | Company                        | Group | Pages | Deadline
1        | Oakdale                        | #3    | 42-43 | November 13
2        | Arlington                      | #1    | 44    | November 13
3        | Steeple Chase                  | #9    | 75    | November 16
4        | Avatar                         | #6    | 76-77 | November 16
5        | Hill Crest                     | #5    | 77    | November 18
6        | National Comm’l Bank           | #4    | 79    | November 18
7        | Stephanie Baskill              | #2    | 139   | November 23
8        | Global Manufacturing Company   | #8    | 139   | November 23
9        | British Brewing Bottle Company |       | 141   | November 25

IT Auditing & Assurance, 2e, Hall & Singleton

Case No. | Company                        | Group | Pages | Deadline
1        | Oakdale                        | #7    | 42-43 | November 16
2        | Arlington                      | #2    | 44    | November 16
3        | Steeple Chase                  | #6    | 75    | November 18
4        | Avatar                         | #4    | 76-77 | November 18
5        | Hill Crest                     | #8    | 77    | November 23
6        | National Comm’l Bank           | #3    | 79    | November 23
7        | Stephanie Baskill              | #9    | 139   | November 25
8        | Global Manufacturing Company   | #1    | 139   | November 25
9        | British Brewing Bottle Company | #5    | 141   | November 27



Case No. | Company                        | Pages | Deadline
1        | Oakdale                        | 42-43 | November 16
2        | Arlington                      | 44    | November 16
3        | Steeple Chase                  | 75    | November 18
4        | Avatar                         | 76-77 | November 18
5        | Hill Crest                     | 77    | November 23
6        | National Comm’l Bank           | 79    | November 23
7        | Stephanie Baskill              | 139   | November 25
8        | Global Manufacturing Company   | 139   | November 25
9        | British Brewing Bottle Company | 141   | November 27


- Centralized data processing [see Figure 2-1]
  - Organizational chart [see Figure 2-2]
    - Database administrator
    - Data processing manager/dept.
    - Data control
    - Data preparation/conversion
    - Computer operations
    - Data library
    - Systems development & systems maintenance
  - Participants
    - End users
    - IS professionals
    - Auditors
    - Other stakeholders
  - “Maintenance”

- Segregation of incompatible IT functions
  - Objectives:
    - Segregate transaction authorization from transaction processing
    - Segregate record keeping from asset custody
    - Divide transaction processing tasks among individuals so that fraud is not possible short of collusion between two or more individuals
  1. Separating systems development from computer operations [see Figure 2-3]
  2. Separating DBA from other functions
     - DBA is responsible for several critical tasks:
       - Database security
       - Creating database schema and user views
       - Assigning database access authority to users
       - Monitoring database usage
       - Planning for future changes
  3. Segregate data library from operations
     - Physical security of off-line data files
     - Implications of modern systems on use of the data library:
       - Real-time/online vs. batch processing
       - Volume of tape files is insufficient to justify a full-time librarian
         - Alternative: rotate on an ad hoc basis
       - Custody of on-site data backups
       - Custody of original commercial software and licenses
  4. Segregate systems development from maintenance [see Figure 2-2]
     - Two types of improvements from this approach:
       1. Better documentation standards (necessary for transfer of responsibility)
       2. Deters fraud (possibility of being discovered)
- Segregation of incompatible IT functions
  - Audit objectives
    - Risk assessment
    - Verify incompatible areas are properly segregated
      - How would an auditor accomplish this objective?
    - Verify formal vs. informal relationships exist between incompatible tasks
      - Why does it matter?
  - Audit procedures:
    - Obtain and review the security policy
    - Verify the policy is communicated
    - Review relevant documentation (org. chart, mission statement, key job descriptions)
    - Review systems documentation and maintenance records (using a sample)
    - Verify whether maintenance programmers are also the original design programmers
    - Observe segregation policies in practice
    - Review the operations room access log
    - Review user rights and privileges
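As an added example (not from the Hall & Singleton slides), the following Python script applies the segregation objectives above to a constructed access-rights export and a constructed maintenance log: it flags users who hold an incompatible pair of functions and programs whose maintenance programmer is the original designer. The user names, program names and the exact pairing of functions are assumptions built from the objectives listed on this page.

```python
"""Segregation-of-duties review over an access-rights export (constructed sample data)."""
from itertools import combinations

# Incompatible IT function pairs, taken from the segregation objectives above.
INCOMPATIBLE = {
    frozenset({"transaction authorization", "transaction processing"}),
    frozenset({"record keeping", "asset custody"}),
    frozenset({"systems development", "computer operations"}),
    frozenset({"systems development", "systems maintenance"}),
    frozenset({"data library", "computer operations"}),
    frozenset({"database administration", "systems development"}),
    frozenset({"database administration", "computer operations"}),
}

# Constructed sample: user -> functions granted (what a "review user rights" step would pull).
USER_RIGHTS = {
    "alice": {"systems development"},
    "bob": {"computer operations", "data library"},
    "carol": {"database administration"},
    "dave": {"transaction authorization", "transaction processing"},
    "erin": {"record keeping"},
}

# Constructed maintenance records: (program, original designer, maintenance programmer).
MAINTENANCE_LOG = [
    ("payroll", "alice", "frank"),
    ("ledger", "alice", "alice"),
    ("billing", "grace", "frank"),
]

def sod_conflicts(rights):
    """Return (user, function_a, function_b) for every incompatible pair one user holds."""
    findings = []
    for user, funcs in sorted(rights.items()):
        for a, b in combinations(sorted(funcs), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                findings.append((user, a, b))
    return findings

def self_maintained_programs(log):
    """Return programs whose maintenance programmer is also the original designer."""
    return [prog for prog, designer, maintainer in log if designer == maintainer]

if __name__ == "__main__":
    for user, a, b in sod_conflicts(USER_RIGHTS):
        print(f"SoD conflict: {user} holds both '{a}' and '{b}'")
    for prog in self_maintained_programs(MAINTENANCE_LOG):
        print(f"Maintenance by original designer: {prog}")
```

A real review would feed the same functions with the organisation's own access export and change records; the two findings here are the auditor's exceptions to follow up with compensating-control evidence.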
- The distributed model
  - Distributed Data Processing (DDP): definition [see Figure 2-4]
    - Alternative A: centralized
    - Alternative B: decentralized / network
  - Risks associated with DDP
    - Inefficient use of resources
    - Mismanagement of resources by end users
    - Hardware and software incompatibility
    - Redundant tasks
    - Destruction of audit trails
    - Inadequate segregation of duties
    - Hiring qualified professionals
    - Increased potential for errors
    - Programming errors and system failures
    - Lack of standards
  - Advantages of DDP
    - Cost reduction
      - End-user data entry vs. data control group
      - Application complexity reduced
      - Development and maintenance costs reduced
    - Improved cost control responsibility
      - If IT is critical to success, then managers must control the technologies
    - Improved user satisfaction
      - Increased morale and productivity
    - Backup flexibility
      - Excess capacity for DRP
- Controlling the DDP environment
  - Need for careful analysis
  - Implement a corporate IT function
    - Central systems development
    - Acquisition, testing, and implementation of commercial software and hardware
    - User services
      - Help desk: technical support, FAQs, chat room, etc.
    - Standard-setting body
    - Personnel review
      - IT staff
  - Audit objectives:
    - Conduct a risk assessment
    - Verify the distributed IT units employ entity-wide standards of performance that promote compatibility among hardware, operating software, applications, and data
  - Audit procedures:
    - Verify corporate policies and standards are communicated
    - Review the current organization chart, mission statement, and key job descriptions to determine whether any incompatible duties exist
    - Verify compensating controls are in place where incompatible duties do exist
    - Review systems documentation
    - Verify access controls are properly established
- Computer center controls
  - Physical location
    - Avoid human-made and natural hazards
    - Example: Chicago Board of Trade
  - Construction
    - Ideally: single-story, underground utilities, windowless, use of filters
    - If a multi-storied building, use the top floor (away from traffic flows, and potential flooding in a basement)
  - Access
    - Physical: locked doors, cameras
    - Manual: access log of visitors
  - Air conditioning
    - Especially mainframes
    - Amount of heat even from a group of PCs
  - Fire suppression
    - Automatic: usually sprinklers
      - Gas, such as halon, that smothers a fire by removing oxygen can also kill anybody trapped there
      - Sprinklers and certain chemicals can destroy the computers and equipment
    - Manual methods
  - Power supply
    - Need for clean power, at an acceptable level
    - Uninterruptible power supply (UPS)
  - Audit objectives
    - Verify physical security controls are reasonable
    - Verify insurance coverage is adequate
    - Verify operator documentation is adequate in case of failure
  - Audit procedures
    - Tests of physical construction
    - Tests of fire detection
    - Tests of access control
    - Tests of backup power supply
    - Tests for insurance coverage
    - Tests of operator documentation controls
- Disaster recovery planning
  - Types of disaster
  - Definition
  - Critical applications identified and ranked
  - Create a disaster recovery team with responsibilities
  - Site backup
    - “Hot site” – Recovery Operations Center
    - “Cold site” – empty shell
    - Mutual aid pact
    - Internally provided backup
    - Other options
  - Hardware backup (if NOT a hot site)
  - Software backup: operating system (if NOT a hot site)
  - Software backup: application software (based on the critical application step)
  - Data backup
  - Supplies (on site)
  - Documentation (on site)
    - User manuals
    - System and software technical manuals
  - Test!


Disaster Recovery Plan
1. Critical Applications – Rank critical applications so that an orderly and effective restoration of computer systems is possible.
2. Create Disaster Recovery Team – Select team members, write job descriptions, and describe the recovery process in terms of who does what.
3. Site Backup – A backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or a branch of the same company swap availability when needed.
4. Hardware Backup – Some vendors provide computers with their site, known as a hot site or Recovery Operations Center. Some do not provide hardware, known as a cold site. When hardware is not available, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).
5. System Software Backup – Some hot sites provide the operating system. If it is not included in the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the backup site.
7. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies – A modest inventory of supplies should be at the backup site or be deliverable quickly.
9. Documentation – An adequate set of copies of user and system documentation.
10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).
- Disaster recovery planning
  - Audit objectives
    - Verify management’s DRP is adequate
  - Audit procedures
    - Verify a second-site backup is adequate
    - Review the critical application list for completeness
    - Verify backups of application software are stored off-site
    - Verify that critical data files are backed up and readily accessible to the DRP team
    - Verify resources of supplies, documents, and documentation are backed up and stored off-site
    - Verify that members listed on the team roster are current employees and that they are aware of their responsibilities
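As an added example (not part of the Hall & Singleton slides), this Python function turns the DRP audit procedures above into mechanical checks over constructed records: a DRP document, a production application inventory, a backup inventory, and an HR list of current employees. All application names, locations, people and dates are constructed, and the one-year restore-test threshold is an assumption taken from item 10 of the plan above (“e.g., once a year”).

```python
"""Mechanical DRP audit checks over constructed records (not from the textbook)."""
from datetime import date

# Constructed DRP document: ranked critical applications, team roster, last restore test.
DRP = {
    "critical_apps": ["general ledger", "payroll", "order entry"],
    "team_roster": ["alice", "bob", "henry"],
    "last_restore_test": date(2023, 3, 1),
}
# Constructed supporting records an auditor would obtain independently of the DRP.
PRODUCTION_INVENTORY = {
    "general ledger": "critical", "payroll": "critical", "order entry": "critical",
    "cafeteria menu": "low", "billing": "critical",
}
BACKUP_INVENTORY = [  # (application, where its backup copy is stored)
    ("general ledger", "offsite vault"), ("payroll", "server room"), ("order entry", "offsite vault"),
]
CURRENT_EMPLOYEES = {"alice", "bob", "carol"}
ONSITE_LOCATIONS = {"server room", "campus datacenter"}  # anything else counts as off-site
AS_OF = date(2024, 6, 1)  # constructed audit date

def drp_exceptions(drp, inventory, backups, employees, today, max_test_age_days=365):
    """Return audit exceptions: gaps in the critical list, missing off-site backups,
    roster members who are not current employees, and a stale restore test."""
    findings = []
    # Completeness: every application rated critical must appear in the DRP ranking.
    for app, rating in inventory.items():
        if rating == "critical" and app not in drp["critical_apps"]:
            findings.append(f"critical application missing from DRP list: {app}")
    # Off-site backups: each DRP-listed application needs a copy stored off-site.
    offsite = {app for app, location in backups if location not in ONSITE_LOCATIONS}
    for app in drp["critical_apps"]:
        if app not in offsite:
            findings.append(f"no off-site backup recorded: {app}")
    # Roster: team members must be current employees.
    for member in drp["team_roster"]:
        if member not in employees:
            findings.append(f"DRP team member not a current employee: {member}")
    # Testing: the restore procedure must have been exercised recently.
    if (today - drp["last_restore_test"]).days > max_test_age_days:
        findings.append("restore test older than the maximum allowed age")
    return findings

if __name__ == "__main__":
    for finding in drp_exceptions(DRP, PRODUCTION_INVENTORY, BACKUP_INVENTORY,
                                  CURRENT_EMPLOYEES, AS_OF):
        print("EXCEPTION:", finding)
```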



- Fault tolerance
  - Definition
    - 44% of IS unavailable time is due to system failures!
  - Controls
    - Redundant systems or parts
      - RAID
      - UPS
      - Multiprocessors
  - Audit objective
    - To ensure the organization is employing an appropriate level of fault tolerance
  - Audit procedures
    - Verify the proper level of RAID devices
    - Review procedures for recovery from system failure
    - Verify boot disks are secured



- Commodity IT assets
- Specific IT assets
- Risks of IT outsourcing
  1. Failure to perform
  2. Vendor exploitation
  3. Outsourcing costs exceed benefits
  4. Reduced security
  5. Loss of strategic advantage
- SAS 70 – outsourcing vendor (BPO) [see figure 2.80]
