Study Notes 3 It governance PDF

Title Study Notes 3 It governance
Course Auditing
Institution University of San Carlos
Pages 9
File Size 261.8 KB
File Type PDF
Total Downloads 403
Total Views 585



Description

Shiena Mae M. Maupo

Block – A

AA3201 MW 3:00 – 4:30

Information technology (IT) governance
- Focuses on the management and assessment of strategic IT resources.
- Key objectives: reduce risk and ensure that investments in IT resources add value to the corporation.
- All employees and stakeholders must be active participants in key IT decisions.

IT Governance Controls
3 IT Governance Issues that are Addressed by SOX and the COSO Internal Control Framework
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

Structure of the Information Technology Function
Centralized Data Processing
- All data processing is performed by one or more large computers housed at a central site.
- IT services activities are consolidated and managed as a shared organization resource. End users compete for these resources on the basis of need.
- The IT services function is usually treated as a cost center whose operating costs are charged back to the end users.

Key Functions
Database Administration
- Centrally organized companies maintain their data resources in a central location that is shared by all end users.
- In this shared data arrangement, an independent group headed by the database administrator (DBA) is responsible for the security and integrity of the database.
Data Processing
- Manages the computer resources used to perform the daily processing of transactions.
3 Organizational Functions
1. Data Conversion - transcribes transaction data from hard-copy source documents into computer input.
2. Computer Operations - The electronic files produced in data conversion are later processed by the central computer, which is managed by the computer operations group.
3. Data Library - a room adjacent to the computer center that provides safe storage for the offline data files. Those files could be backups or current data files. In addition, the data library is used to store original copies of commercial software and their licenses for safekeeping.
Data librarian - responsible for the receipt, storage, retrieval, and custody of data files, and controls access to the library. The librarian issues data files to computer operators in accordance with program requests and takes custody of files when processing or backup procedures are completed.

Systems Development and Maintenance
Systems Development - is responsible for analyzing user needs and for designing new systems to satisfy those needs.
Participants in systems development activities:
- Systems professionals
  o Include systems analysts, database designers, and programmers who design and build the system
  o Gather facts about the user’s problem, analyze the facts, and formulate a solution
  o Product: new information system
- End users
  o For whom the system is built
  o They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities.
- Stakeholders
  o Individuals inside or outside the firm who have an interest in the system, but are not end users.
  o Include accountants, internal auditors, external auditors, and others who oversee systems development
Systems Maintenance - refers to making changes to program logic to accommodate shifts in user needs over time. Much of the total cost throughout the system’s life is incurred through maintenance.

Segregation of Incompatible IT Functions
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.

Separating Systems Development from Computer Operations
- Systems development and maintenance professionals should create and maintain systems for users, and should have no involvement in entering data or running applications (i.e., computer operations).
- Operations staff should run these systems and have no involvement in their design. These functions are inherently incompatible, and consolidating them invites errors and fraud.

Separating Database Administration from Other Functions
- The DBA function is responsible for critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion. Delegating these responsibilities to incompatible persons threatens database integrity.

Separating New Systems Development from Maintenance
Some companies organize their in-house systems development function into two groups: systems analysis and programming.
- The systems analysis group works with the users to produce detailed designs of the new systems.
- The programming group codes the programs according to these design specifications. In this approach the programmer who codes the original programs also maintains the system during the maintenance phase of the systems development life cycle.

2 types of control problems for this approach:
1. Inadequate Documentation – Poor documentation happens because:
  o Documenting systems is not as interesting as designing, testing, and implementing them.
  o Another reason for poor documentation is job security. When a system is poorly documented, it is difficult to interpret, test, and debug. Therefore, the programmer who understands the system (the one who coded it) maintains bargaining power and becomes relatively indispensable.
2. Program Fraud – If the original programmer of a system is also assigned maintenance responsibility, the potential for fraud is increased. Program fraud involves making unauthorized changes to program modules for the purpose of committing an illegal act. By giving the programmer the maintenance authority, he may freely access the system, disabling fraudulent code during audits and then restoring the code when the coast is clear.

Distributed Model
Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users.
- Alternative A
  o Variant of the centralized model. The difference is that terminals (or microcomputers) are distributed to end users for handling input and output.
  o Eliminates the need for the centralized data conversion groups.
  o Systems development, computer operations, and database administration remain centralized.
- Alternative B
  o Significant departure from the centralized model.
  o Distributes all computer services to the end users, operating as standalone units.
  o The central IT function is eliminated from the organizational structure.

Risks Associated with DDP
- Inefficient use of resources
  o Mismanagement of IT resources by end users
  o Hardware and software incompatibility
  o Redundant tasks by end users causing operational inefficiencies
- Destruction of audit trails - The audit trail consists of a set of digital transaction files and master files that reside in part or entirely on end-user computers. Should an end user inadvertently delete one of the files, the audit trail could be destroyed and unrecoverable. Similarly, if an end user inadvertently inserts transaction errors into an audit trail file, it could become corrupted.
- Inadequate segregation of duties - The distribution of IT services to users may result in the creation of small independent units that do not permit the desired separation of incompatible functions.
- Hiring qualified professionals – End-user managers may lack the IT knowledge to evaluate the technical credentials and relevant experience of candidates applying for IT professional positions.
  o Increased potential for errors
  o Programming errors and system failures
- Lack of standards

Advantages of DDP
- Cost reduction
  o End-user data entry vs. data control group
  o Application complexity reduced
  o Development and maintenance costs reduced
- Improved cost control responsibility
  o If IT capability is critical to success, then managers must control these resources and technologies.
- Improved user satisfaction
  o Increased morale and productivity; 3 areas to improve:
  o Users desire to control the resources that influence their profitability
  o Users want systems professionals (analysts, programmers, and computer operators) to be responsive to their specific situation
  o Users want to become more actively involved in developing and implementing their own systems.
- Backup flexibility
  o Excess capacity for DRP.
  o Offers organizational flexibility for providing backup.
  o If a disaster destroys a single site, the other sites can use their excess capacity to process the transactions of the destroyed site.

Controlling the DDP Environment
Before implementing DDP, decision makers need careful analysis and must assess the true merits of DDP for their organization. Implement a corporate IT function:
- Central systems development - A central group can evaluate systems features, controls, and compatibility with industry and organizational standards. This allows the organization to effectively centralize acquisition, testing, and implementation of commercial software and hardware.
- User services - This activity provides technical help to users during the installation of new software and in troubleshooting hardware and software problems. It also provides a help desk for technical support, FAQs, chat room, etc.
- Standard-setting body - Establishing and distributing to user areas appropriate standards for systems development, programming, and documentation.
- Personnel review - The involvement of the corporate group in employment decisions can render a valuable service to the organization.

Audit Objective
- Verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks.

Audit Procedures
- Centralized IT function
  o Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
  o Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.
  o Verify that computer operators do not have access to the operational details of a system’s internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operations documentation set.
  o Through observation, determine that the segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.
- Distributed IT function
  o Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.
  o Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
  o Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
  o Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.
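Three of the centralized-function audit procedures above (job-description review for incompatible functions, design-versus-maintenance programmer check, and operations room access log review against system failures) can be run as checks over exported records. The Python below is an added example and is not part of the study notes; the staff names, projects, timestamps and the four-hour tolerance window are constructed assumptions.

```python
"""Added example (not from the study notes): automates three audit
procedures for a centralized IT function over constructed sample records."""
from datetime import datetime

# Pairs of functions the notes treat as incompatible (segregation of duties).
INCOMPATIBLE_PAIRS = {
    ("systems_development", "computer_operations"),
    ("database_administration", "systems_development"),
    ("database_administration", "computer_operations"),
}

# Constructed job-description data: person -> functions held (hypothetical names).
STAFF_ROLES = {
    "alice": {"systems_development"},
    "bob": {"computer_operations"},
    "carol": {"database_administration", "systems_development"},  # incompatible
}

# Constructed maintenance records: original design programmer vs. maintainer.
PROJECTS = [
    {"app": "payroll", "design_programmer": "alice", "maintenance_programmer": "dave"},
    {"app": "billing", "design_programmer": "alice", "maintenance_programmer": "alice"},
]

# Constructed operations room access log (timestamp, badge holder) and failure log.
ACCESS_LOG = [
    ("2024-03-01T09:15", "alice"),
    ("2024-03-02T14:05", "alice"),  # shortly after a logged system failure
    ("2024-03-02T22:40", "bob"),
]
FAILURE_LOG = ["2024-03-02T13:50"]
STAMP_FMT = "%Y-%m-%dT%H:%M"


def incompatible_role_holders(roles=STAFF_ROLES):
    """Job-description review: people holding both halves of an incompatible pair."""
    findings = []
    for person, held in roles.items():
        for a, b in INCOMPATIBLE_PAIRS:
            if a in held and b in held:
                findings.append((person, a, b))
    return sorted(findings)


def self_maintained_apps(projects=PROJECTS):
    """Maintenance-record review: apps whose maintainer is also the original designer."""
    return sorted(p["app"] for p in projects
                  if p["design_programmer"] == p["maintenance_programmer"])


def unexplained_programmer_entries(access_log=ACCESS_LOG, failures=FAILURE_LOG,
                                   roles=STAFF_ROLES, window_hours=4):
    """Access-log review: programmer entries into the operations room that do not
    fall within window_hours after a logged system failure (assumed tolerance)."""
    fail_times = [datetime.strptime(t, STAMP_FMT) for t in failures]
    entries = []
    for stamp, person in access_log:
        if "systems_development" not in roles.get(person, set()):
            continue  # operators belong in the room; only programmers are flagged
        t = datetime.strptime(stamp, STAMP_FMT)
        explained = any(0 <= (t - f).total_seconds() <= window_hours * 3600
                        for f in fail_times)
        if not explained:
            entries.append((stamp, person))
    return entries
```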

The Computer Center
- Physical location
  o Avoid human-made and natural hazards such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults.
- Construction
  o Ideally a single-story building with underground utilities, windowless, with use of filters.
  o If in a multi-storied building, use the top floor (away from traffic flows, and potential flooding in a basement).
- Access
  o Physical controls: Locked doors to limit access to the center; access should be monitored with closed-circuit cameras and video recording systems.
  o Manual: Access log of visitors.
- Air conditioning
  o Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent.
- Fire suppression
  o Automatic and manual alarms should be placed in strategic locations.
  o Automatic and manual fire extinguishing systems that dispense the appropriate type of suppressant for the location.
  o The building should be of sound construction to withstand water damage caused by fire suppression equipment.
  o Fire exits should be clearly marked and illuminated during a fire.
  o Automatic sprinklers.
- Fault Tolerance
  o Is the ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.
  o Redundant arrays of independent disks (RAID) - RAID involves using parallel disks that contain redundant elements of data and applications.
  o Uninterruptible power supplies - The equipment used to control these problems includes voltage regulators, surge protectors, generators, and backup batteries. In the event of a power outage, these devices provide backup power for a reasonable period to allow commercial power service restoration.

Audit Objectives
- Verify that physical security controls are adequate to reasonably protect the organization from physical exposures.
- Verify that insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.

Audit Procedures
- Tests of Physical Construction - The auditor should obtain architectural plans to determine that the computer center is solidly built of fireproof material.
- Tests of the Fire Detection System - The auditor should establish that fire detection and suppression equipment, both manual and automatic, are in place and tested regularly. The fire detection system should detect smoke, heat, and combustible fumes.
- Tests of Access Control - The auditor must establish that routine access to the computer center is restricted to authorized employees.
- Tests of RAID - From the graphic mapping, the auditor should determine if the level of RAID in place is adequate for the organization, given the level of business risk associated with disk failure.
- Tests of the Uninterruptible Power Supply - The computer center should perform periodic tests of the backup power supply to ensure that it has sufficient capacity to run the computer and air conditioning.
- Tests for Insurance Coverage - The auditor should annually review the organization’s insurance coverage on its computer hardware, software, and physical facility.

Disaster Recovery Planning (ICPS)
1. Identify Critical Applications
Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization. The DRP, however, is a short-term document that should not attempt to restore the organization’s data processing facility to full capacity immediately following the disaster. The DRP must be updated to reflect new developments and identify critical applications. Up-to-date priorities are important, because they affect other aspects of the strategic plan. The task of identifying critical items and prioritizing applications requires the active participation of user departments, accountants, and auditors.

2. Creating a Disaster Recovery Team
The team members should be experts in their areas and have assigned tasks. Following a disaster, team members will delegate subtasks to their subordinates. It should be noted that traditional control concerns do not apply in this setting.
3. Providing Second-Site Backup
Providing duplicate data processing facilities following a disaster, with the following available options:
- Mutual Aid Pact - is an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster. In such an event, the host company must disrupt its processing schedule to process the critical transactions of the disaster-stricken company. In effect, the host company itself must go into an emergency operation mode and cut back on the processing of its lower-priority applications to accommodate the sudden increase in demand for its IT resources.
- Empty Shell – also known as a cold site plan, is an arrangement wherein the company buys or leases a building that will serve as a data center. In the event of a disaster, the shell is available and ready to receive whatever hardware the temporary user needs to run essential systems.
- Recovery Operations Center (ROC) - or hot site, is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their clients, who pay an annual fee for access rights. In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.
- Internally Provided Backup - This permits firms to develop standardized hardware and software configurations, which ensure functional compatibility among their data processing centers and minimize cutover problems in the event of a disaster.
4. Specifying Backup and Off-Site Storage Procedures
- Operating System Backup - If the company uses a cold site or other method of site backup that does not include a compatible operating system (O/S), procedures for obtaining a current version of the operating system need to be clearly specified.
- Application Backup - Based on results obtained in the critical applications step discussed previously, the DRP should include procedures to create copies of current versions of critical applications.
- Backup Data Files - The state-of-the-art in database backup is the remote mirrored site, which provides complete data currency. Databases should be copied daily to high-capacity, high-speed media, such as tape or CDs/DVDs, and secured off-site.
- Backup Documentation - The system documentation for critical applications should be backed up and stored off-site along with the applications.
- Backup Supplies and Source Documents - The organization should create backup inventories of supplies and source documents used in processing critical transactions. Examples of critical supplies are check stocks, invoices, purchase orders, and any other special-purpose forms that cannot be obtained immediately.
- Testing the DRP – It is performed periodically and it measures the preparedness of personnel and identifies omissions or bottlenecks in the plan. Management should seek measures of performance in each of the following areas: (1) the effectiveness of DRP team personnel and their knowledge levels; (2) the degree of conversion success (i.e., the number of lost records); (3) an estimate of financial loss due to lost records or facilities; and (4) the effectiveness of program, data, and documentation backup and recovery procedures.

Audit Objective
- Verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures
- Site Backup - The auditor should evaluate the adequacy of the backup site arrangement. Auditors should be skeptical of such arrangements for two reasons. First, the sophistication of the computer system may make it difficult to find a potential partner with a compatible configuration. Second, most firms do not have the necessary excess capacity to support a disaster-stricken partner while also processing their own work.
- Critical Application List - The auditor should review the list of critical applications to ensure that it is complete. Missing applications can result in failure to recover.
- Software Backup - The auditor should verify that copies of critical applications and operating systems are stored off-site. He must also verify that the applications stored off-site are current by comparing their version numbers with those of the actual appli...
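The critical application list and software backup procedures above, together with the daily data file backup requirement from step 4, reduce to a comparison of three inventories: the critical application list, the production versions, and what the off-site vault holds. The Python below is an added example, not code from the study notes; the application names, version numbers, backup dates and the one-day maximum age are constructed assumptions.

```python
"""Added example (not from the study notes): DRP audit checks on critical
application coverage, off-site software currency and backup age."""
from datetime import date

# Constructed critical application list (hypothetical names).
CRITICAL_APPS = ["payroll", "billing", "general_ledger"]

# Constructed production inventory: application -> version currently in use.
PRODUCTION = {
    "payroll": "4.2.1",
    "billing": "2.0.0",
    "general_ledger": "7.1.0",
}

# Constructed off-site vault inventory: version held, date of last copy,
# and whether the system documentation was stored with the application.
OFFSITE = {
    "payroll": {"version": "4.2.1", "backed_up": "2024-03-01", "docs": True},
    "billing": {"version": "1.9.3", "backed_up": "2024-03-01", "docs": True},
    # general_ledger is absent from the vault entirely
}


def version_tuple(version):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def software_backup_findings(critical=CRITICAL_APPS, production=PRODUCTION,
                             offsite=OFFSITE, as_of=date(2024, 3, 2), max_age_days=1):
    """Return (application, finding) pairs for every critical application whose
    off-site copy is missing, older than production, stale, or undocumented."""
    findings = []
    for app in critical:
        copy = offsite.get(app)
        if copy is None:
            findings.append((app, "no off-site copy"))
            continue
        if version_tuple(copy["version"]) < version_tuple(production[app]):
            findings.append((app, "off-site version %s older than production %s"
                             % (copy["version"], production[app])))
        age_days = (as_of - date.fromisoformat(copy["backed_up"])).days
        if age_days > max_age_days:  # daily copy requirement from the notes
            findings.append((app, "backup is %d days old" % age_days))
        if not copy["docs"]:
            findings.append((app, "documentation not stored off-site"))
    return findings
```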

