Chapter 2 Auditing IT Governance Controls PDF

Title Chapter 2 Auditing IT Governance Controls
Course Accounting Ethics
Institution University of Utah
Pages 10
File Size 138.4 KB
File Type PDF

Summary

CIS auditing...


Description

Chapter 2: Auditing IT Governance Controls

IT Governance
• A subset of corporate governance that focuses on the management and assessment of strategic IT resources.
• Its key objectives are to reduce risk and to ensure that investments in IT resources add value to the corporation.
• All corporate stakeholders must be active participants in key IT decisions.
• Three IT governance issues addressed by SOX and the COSO internal control framework:
  • Organizational structure of the IT function.
  • Computer center operations.
  • Disaster recovery planning.

STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION

The organization of the IT function has implications for the nature and effectiveness of internal controls, which, in turn, has implications for the audit. These are illustrated through two extreme organizational models: the centralized approach and the distributed approach.

Centralized Data Processing
○ All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
○ IT services activities are consolidated and managed as a shared organizational resource. End users compete for these resources on the basis of need. The IT services function is usually treated as a cost center whose operating costs are charged back to the end users.

Organizational Chart of a Centralized Information Technology Function

● Database Administration
○ Centrally organized companies maintain their data resources in a central location that is shared by all end users.
● Data Processing
○ The data processing group manages the computer resources used to perform the day-to-day processing of transactions.
○ Data conversion: the data conversion function transcribes transaction data from hard-copy source documents into computer input.
○ Computer operations: the electronic files produced in data conversion are later processed by the central computer, which is managed by the computer operations group.
○ Data library: the data library is a room adjacent to the computer center that provides safe storage for the off-line data files. Those files could be backups or current data files. For instance, the data library could be used to store backup data on DVDs, CD-ROMs, tapes, or other storage devices.

Systems Development and Maintenance
● The systems development group is responsible for analyzing user needs and for designing new systems to satisfy those needs. The participants in systems development activities include systems professionals, end users, and stakeholders.
● Once a system is in place, the systems maintenance group assumes responsibility for keeping it current with user needs. The term maintenance refers to making changes to program logic to accommodate shifts in user needs over time.

Segregation of Incompatible IT Functions
Operational tasks should be segregated to:
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.

The IT environment tends to consolidate activities. A single application may authorize, process, and record all aspects of a transaction. Thus, the focus of segregation control shifts from the operational level (transaction-processing tasks that computers now perform) to higher-level organizational relationships within the computer services function.

Separating Systems Development from Computer Operations
● Systems development and maintenance professionals should create (and maintain) systems for users, and should have no involvement in entering data or running applications (i.e., computer operations).
● Operations staff should run these systems and have no involvement in their design.

Separating Database Administration from Other Functions
● The DBA function is responsible for a number of critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion. Delegating these responsibilities to others who perform incompatible tasks threatens database integrity.

Separating New Systems Development from Maintenance
● Some companies organize their in-house systems development function into two groups: systems analysis and programming (see Figure 2.3).
● The systems analysis group works with the users to produce detailed designs of the new systems. The programming group codes the programs according to these design specifications. Under this approach the programmer who codes a system also maintains it, which gives rise to two types of control problems:
● Inadequate documentation
○ First, documenting systems is not as interesting as designing, testing, and implementing them. Systems professionals much prefer to move on to an exciting new project rather than document one just completed.
○ The second possible reason for poor documentation is job security. When a system is poorly documented, it is difficult to interpret, test, and debug. Therefore, the programmer who understands the system (the one who coded it) maintains bargaining power and becomes relatively indispensable. When the programmer leaves the firm, however, a new programmer inherits maintenance responsibility for the undocumented system. Depending on its complexity, the transition period may be long and costly.
● The potential for program fraud
○ When the original programmer of a system is also assigned maintenance responsibility, the potential for fraud is increased. Program fraud involves making unauthorized changes to program modules for the purpose of committing an illegal act.

A Superior Structure for Systems Development
● Two different groups:
○ new systems development
○ systems maintenance
● The new systems development group is responsible for designing, programming, and implementing new systems projects. Upon successful implementation, responsibility for the system's ongoing maintenance falls to the systems maintenance group. This restructuring has implications that directly address the two control problems just described.
1. First, documentation standards are improved because the maintenance group requires documentation to perform its maintenance duties. Without complete and adequate documentation, the formal transfer of system responsibility from new systems development to systems maintenance simply cannot occur.
2. Second, denying the original programmer future access to the program deters program fraud. Because fraudulent code, once concealed within the system, is out of the programmer's control and may later be discovered, the risk to the perpetrator increases.

The Distributed Model
● An alternative to the centralized model is the concept of distributed data processing (DDP).
● DDP involves reorganizing the central IT function into small IT units that are placed under the control of end users. The IT units may be distributed according to business function, geographic location, or both.

Risks Associated with DDP
This section discusses the organizational risks that need to be considered when implementing DDP.
● Inefficient use of resources
○ First, there is the risk of mismanagement of organization-wide IT resources by end users. Some argue that when organization-wide IT resources exceed a threshold amount, for example 5 percent of the total operations budget, effective IT governance requires central management and monitoring of such resources.
○ Second, DDP can increase the risk of operational inefficiencies because of redundant tasks being performed within the end-user community. Autonomous systems development initiatives distributed throughout the firm can result in each user area reinventing the wheel rather than benefiting from the work of others.
○ Third, the DDP environment poses a risk of incompatible hardware and software among end-user functions. Distributing the responsibility for IT purchases to end users may result in uncoordinated and poorly conceived decisions.
● Destruction of audit trails
○ Auditors use the audit trail to trace selected financial transactions from the source documents that captured the events, through the journals, subsidiary ledgers, and general ledger accounts that recorded the events, and ultimately to the financial statements themselves. The audit trail is critical to the auditor's attest service. Should an end user inadvertently delete one of the files, the audit trail could be destroyed and unrecoverable. Similarly, if an end user inadvertently inserts transaction errors into an audit trail file, it could become corrupted.
● Inadequate segregation of duties
○ For example, within a single unit the same person may write application programs, perform program maintenance, enter transaction data into the computer, and operate the computer equipment. Such a situation would be a fundamental violation of internal control.
● Hiring qualified professionals
○ End-user managers may lack the IT knowledge to evaluate the technical credentials and relevant experience of candidates applying for IT professional positions. Also, if the organizational unit into which a new employee is entering is small, the opportunity for personal growth, continuing education, and promotion may be limited.
● Lack of standards
○ Standards for developing and documenting systems, choosing programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or even nonexistent. Opponents of DDP argue that the risks associated with the design and operation of a DDP system are made tolerable only if such standards are consistently applied.

Advantages of DDP
● Cost reductions
○ Powerful and inexpensive microcomputers and minicomputers that can perform specialized functions have changed the economics of data processing dramatically.
● Improved cost control responsibility
● Improved user satisfaction
● Backup flexibility



Controlling the DDP Environment
● Implement a corporate IT function:
○ Central testing of commercial software and hardware.
○ User services to provide technical help.
○ Standard-setting body.
○ Personnel review.

Audit Objective
The auditor's objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk, and in a manner that promotes a working environment in which formal, rather than casual, relationships exist between incompatible tasks.

Audit Procedures
The following audit procedures would apply to an organization with a centralized IT function:
● Review relevant documentation.
● Review systems documentation and maintenance records.
● Observe to determine whether the segregation policy is being followed.
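As an added example (not part of the chapter or the course materials), the following Python script encodes the incompatible-function pairs discussed above as rules and runs them over a role inventory and a program change register. This is the kind of check an auditor can script against an HR or IAM export when performing the "observe whether the segregation policy is being followed" procedure, and it also catches the single-unit DDP case where one person develops, maintains, enters data and operates. The role names, the encoding of the rules, and the sample inventory are assumptions constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over an IT role inventory.

Added example for this chapter, not code from the course. The function
names below, the encoding of the chapter's rules, and the sample inventory
are constructed assumptions.
"""
from itertools import combinations
from typing import Optional

# Functions of the systems development and computer operations groups.
DEVELOPMENT = {"new_systems_development", "systems_maintenance"}
OPERATIONS = {"data_conversion", "computer_operations", "data_library"}
DBA = "database_administration"


def incompatible(a: str, b: str) -> Optional[str]:
    """Return the rule that two functions held by one person violate, or None."""
    pair = {a, b}
    if pair & DEVELOPMENT and pair & OPERATIONS:
        return "development/maintenance staff must not enter data or run applications"
    if DBA in pair and len(pair) == 2:
        return "database administration must be separated from other IT functions"
    if pair == DEVELOPMENT:
        return "new systems development must be separated from systems maintenance"
    return None


def role_conflicts(assignments: dict) -> list:
    """Flag every person who holds two functions the chapter calls incompatible.

    assignments: {person: set of function names}
    returns: [(person, function_a, function_b, rule)] in person order
    """
    findings = []
    for person, roles in sorted(assignments.items()):
        for a, b in combinations(sorted(roles), 2):
            rule = incompatible(a, b)
            if rule is not None:
                findings.append((person, a, b, rule))
    return findings


def maintainer_conflicts(programs: dict) -> list:
    """Flag programs whose original author is also the assigned maintainer,
    the program-fraud exposure the chapter describes.

    programs: {program: {"author": person, "maintainer": person}}
    """
    return sorted(name for name, rec in programs.items()
                  if rec["author"] == rec["maintainer"])


# Constructed sample inventory (assumption, not real data).
SAMPLE_ASSIGNMENTS = {
    "alice": {"new_systems_development"},
    "bob": {"systems_maintenance", "computer_operations"},        # dev + ops
    "carol": {"database_administration", "systems_maintenance"},  # DBA + dev
    "dave": {"computer_operations", "data_library"},              # both ops: fine
    "erin": {"new_systems_development", "systems_maintenance"},   # new dev + maint
}
SAMPLE_PROGRAMS = {
    "payroll": {"author": "alice", "maintainer": "bob"},
    "ar_billing": {"author": "erin", "maintainer": "erin"},       # author maintains own code
}


def audit(assignments: dict, programs: dict) -> list:
    """Combine both checks into one list of finding strings."""
    out = [f"{p}: {a} + {b} ({rule})" for p, a, b, rule in role_conflicts(assignments)]
    out += [f"{prog}: original author is also the maintainer"
            for prog in maintainer_conflicts(programs)]
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSIGNMENTS, SAMPLE_PROGRAMS):
        print(finding)
```

Run against the sample inventory it reports bob (maintenance plus operations), carol (DBA plus maintenance), erin (new development plus maintenance) and the ar_billing program, whose author still maintains it; dave's two operations roles are compatible and produce no finding. In practice the role sets come from the organizational chart and job descriptions the audit procedures above ask you to review, and the program register from maintenance records.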

______________________________________________________________________
THE COMPUTER CENTER

Areas of potential exposure
● Physical location
● Construction
● Access
● Air conditioning
● Fire suppression
● Fault tolerance

Audit Objectives
The auditor's objective is to evaluate the controls governing computer center security. Specifically, the auditor must verify that:
• Physical security controls are adequate to reasonably protect the organization from physical exposures.
• Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.

Audit Procedures
● Tests of physical construction
● Tests of the fire detection system
● Tests of access control
● Tests of RAID
● Tests of the uninterruptible power supply

● Tests of insurance coverage
_______________________________________________________________________
DISASTER RECOVERY PLANNING

A disaster recovery plan is a statement of all actions to be taken before, during, and after any type of disaster. Four common features:
● Identify critical applications
○ Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization.
● Create a disaster recovery team
○ To avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved.
● Provide second-site backup
○ Duplicate data processing facilities following a disaster.
○ Mutual aid pact: an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster.
○ Empty shell: the empty shell or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center.
○ Recovery operations center: a recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their
○ Internally provided backup
● Specify backup and off-site storage procedures
○ All data files, applications, documentation, and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.
○ Operating system backup
○ Application backup
○ Backup data files
○ Backup documentation
○ Backup supplies and source documents

Testing the DRP
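As an added example (not from the chapter), the following Python script checks an off-site backup set against the critical application list: every critical application must have an operating system, application, data file and documentation backup recorded; each copy retrieved from off-site storage must hash to the value recorded when the backup was taken; and no copy may be older than the allowed age. It is the automated half of a DRP restore test. The manifest layout, the vault interface and the sample data are constructed assumptions.

```python
"""Verify an off-site backup set against the critical application list.

Added example for this chapter's backup, off-site storage and DRP-testing
procedures; not code from the course. The manifest layout, the vault
interface and the sample data are constructed assumptions.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Artifact classes the chapter requires off-site for each critical application.
REQUIRED = ("operating_system", "application", "data_files", "documentation")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_backups(critical_apps, manifest, vault, now, max_age) -> list:
    """Return sorted finding strings; an empty list means the backup set is
    complete, intact and fresh.

    critical_apps: names from the critical application list
    manifest: {(app, artifact): {"sha256": hex, "taken": datetime}} written when the backup ran
    vault: {(app, artifact): bytes} what the off-site location hands back on a restore test
    """
    findings = []
    for app in critical_apps:
        for artifact in REQUIRED:
            key = (app, artifact)
            entry = manifest.get(key)
            if entry is None:
                findings.append(f"{app}/{artifact}: no off-site backup recorded")
                continue
            if now - entry["taken"] > max_age:
                findings.append(f"{app}/{artifact}: backup older than {max_age}")
            data = vault.get(key)
            if data is None:
                findings.append(f"{app}/{artifact}: not retrievable from off-site storage")
            elif sha256(data) != entry["sha256"]:
                findings.append(f"{app}/{artifact}: off-site copy does not match recorded hash")
    return sorted(findings)


# Constructed sample data (assumption, not real backups).
NOW = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=1)
CRITICAL_APPS = ["payroll", "general_ledger"]

_PAYROLL = {a: f"payroll {a} image".encode() for a in REQUIRED}
_GL = {a: f"general_ledger {a} image".encode() for a in REQUIRED}


def _entry(data: bytes, age: timedelta) -> dict:
    return {"sha256": sha256(data), "taken": NOW - age}


MANIFEST = {("payroll", a): _entry(_PAYROLL[a], timedelta(hours=6)) for a in REQUIRED}
MANIFEST[("general_ledger", "operating_system")] = _entry(_GL["operating_system"], timedelta(hours=6))
MANIFEST[("general_ledger", "application")] = _entry(_GL["application"], timedelta(days=3))  # stale
MANIFEST[("general_ledger", "data_files")] = _entry(_GL["data_files"], timedelta(hours=6))
# general_ledger documentation was never backed up off-site.

VAULT = {("payroll", a): _PAYROLL[a] for a in REQUIRED}
VAULT[("general_ledger", "operating_system")] = _GL["operating_system"]
VAULT[("general_ledger", "application")] = _GL["application"]
VAULT[("general_ledger", "data_files")] = _GL["data_files"] + b"\x00"  # corrupted copy

if __name__ == "__main__":
    for finding in verify_backups(CRITICAL_APPS, MANIFEST, VAULT, NOW, MAX_AGE):
        print(finding)
```

On the sample data payroll passes cleanly and general_ledger produces three findings: a missing documentation backup, a stale application backup, and a data file copy whose hash no longer matches. The hash comparison is what distinguishes a real restore test from merely listing what the vault claims to hold; an off-site copy that cannot be read back, or that reads back corrupted, is no backup at all.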

Audit Objective
The auditor should verify that management's disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures
● Site backup
● Critical application list
● Software backup
● Data backup
● Backup supplies, documents, and documentation
● Disaster recovery team
___________________________________________________________
Outsourcing the IT Function
● The costs, risks, and responsibilities associated with maintaining an effective corporate IT function are significant.
● Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor's expertise), and reduced IT costs.

Distinction between commodity and specific IT assets
1. Commodity IT assets
2. Specific IT assets (the unique business applications critical to the organization's survival referred to under "Vendor exploitation" below)

Risk Inherent to IT Outsourcing
● Large-scale IT outsourcing events are risky endeavors, partly because of the sheer size of these financial deals, but also because of their nature.
● Failure to perform
○ Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance. The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp.
● Vendor exploitation
○ Large-scale IT outsourcing involves transferring to a vendor "specific assets," such as the design, development, and maintenance of unique business applications that are critical to an organization's survival.
● Outsourcing costs exceed benefits
○ Unexpected costs arise and the full extent of expected benefits is not realized.
● Reduced security
○ Information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data.
● Loss of strategic advantage
○ IT outsourcing may create incongruence between a firm's IT strategic planning and its business planning functions. Organizations that use IT strategically must align business strategy and IT strategy or run the risk of decreased business performance.

Audit Implications
● Use of a service organization does not reduce management's responsibilities under SOX for ensuring adequate IT internal controls.
● SSAE 16 replaced SAS 70 as the standard by which auditors can gain knowledge that processes and controls at third-party vendors are adequate to prevent or detect material errors. (SSAE 16 has itself since been superseded by SSAE 18; the SOC 1 reports issued under it serve the same purpose.) ...

