Ch02-Auditing IT Governance Controls-rev26022014
CHAPTER 2: IT GOVERNANCE
CSI4601851 Fundamentals of IS Audit, Even Semester 2013/2014
Faculty of Computer Science, Universitas Indonesia
Learning Objectives
• Understand the risk of incompatible functions and how to structure the IT function
• Be familiar with the controls and precautions required to ensure the security of an organization's computer facilities
• Be familiar with the benefits, risks and audit issues related to IT outsourcing
Outline
1. Information Technology Governance
2. Structure of the Information Technology Function
3. The Computer Center
4. Outsourcing the IT Function
IT Governance
• IT governance: a subset of corporate governance that focuses on the management and assessment of strategic IT resources
• Key objectives:
  • Reduce risk
  • Ensure that investments in IT resources add value to the corporation
• All employees and stakeholders must be active participants in key IT decisions
IT Governance Controls
• Three IT governance issues addressed by SOX and the COSO internal control framework:
  • Organizational structure of the IT function
  • Computer center operations
  • Disaster recovery planning
• For each issue, the chapter:
  • Begins with an explanation of the nature of the risk associated with the issue
  • Describes the controls needed to mitigate that risk
  • Presents audit objectives, which define what needs to be verified regarding the function of the controls in place
  • Gives examples of tests of controls that satisfy the audit objectives
Structuring the IT Function
• The organization of the IT function has implications for the nature and effectiveness of internal control
• IT structure models:
  • Centralized data processing approach
  • Distributed data processing approach
Centralized Data Processing
• All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization
• IT service activities are consolidated and managed as a shared organizational resource
• The IT services function is usually treated as a cost center whose operating costs are charged back to the end users
Centralized Data Processing Approach (figure: organizational chart of the centralized data processing approach)
Primary Service Areas
• Database administration
  • Headed by the database administrator (DBA), who is responsible for the security and integrity of the database
• Data processing
  • Manages the computer resources used to perform the day-to-day processing of transactions
  • Consists of:
    • Data conversion: converts hard-copy source documents into computer input
    • Computer operations: manages electronic files and controls applications
    • Data library: a room adjacent to the computer center that provides safe storage for off-line data files
Primary Service Areas
• Systems development and maintenance
  • Accommodates the users' information system needs
  • Systems development: responsible for analyzing user needs and designing new systems to satisfy those needs. Participants: systems professionals, end users and stakeholders
  • Systems maintenance: keeps the information systems current with user needs
Structuring the IT Function
• Segregation of incompatible IT functions
  • Objectives:
    • Segregate transaction authorization from transaction processing
    • Segregate record keeping from asset custody
    • Divide transaction processing steps among individuals so that collusion is required to perpetrate fraud
• Separating systems development from computer operations
  • Systems development professionals cannot enter data or run applications
  • Operations staff have no involvement in application design
Structuring the IT Function
• Separating the DBA from other functions. The DBA is responsible for several critical tasks:
  • Database security
  • Creating the database schema and user views
  • Assigning database access authority to users
  • Monitoring database usage
  • Planning for future changes
• Separating new systems development from maintenance
  • Systems development group: systems analysis and programming
  • Risk: inadequate documentation. Reasons: documenting is not an interesting task, and poor documentation provides job security
  • Risk: program fraud. Unauthorized changes to program modules. Examples: salami slicing, trap doors
System development
Structuring the IT Function
• A superior structure for systems development
  • Separate the new systems development and systems maintenance functions. Reasons:
    • To improve documentation standards
    • To block the original programmer's future access to the program
The Distributed Model
• Distributed data processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users
• Two alternative approaches:
  • Alternative A: a variant of the centralized model
    • Systems development, computer operations and database administration remain centralized
  • Alternative B: decentralized
    • Needs a networking arrangement that permits communication and data transfers between the units
Two Distributed Data Processing Approaches (figure)
Risks Associated with DDP
• Inefficient use of resources
  • Mismanagement of resources by end users
  • Redundant tasks
  • Hardware and software incompatibility
• Destruction of audit trails
  • Users inadvertently delete files or transactions
• Inadequate segregation of duties
  • One person has several duties
• Hiring qualified professionals
  • Managers may lack the IT knowledge to select IT professionals
  • Programming errors and system failures due to incompetent employees
• Lack of standards
  • e.g. in developing and documenting systems, choosing programming languages, evaluating performance, acquiring hardware/software
Advantages of DDP
• Cost reduction
  • Data can be edited and entered by end users, eliminating the centralized task of data preparation
  • Application complexity can be reduced, which in turn reduces systems development and maintenance costs
• Improved cost control responsibility
  • Managers have more control over IT resources
• Improved user satisfaction
  • Users are not hindered in controlling resources
  • Users want systems professionals (analysts, programmers and computer operators) to be responsive in any situation
  • Users can be actively involved in developing their own systems
• Backup flexibility
  • Ability to back up computing facilities
Controlling the DDP Environment
• Careful analysis is needed to decide whether to centralize or distribute. Several improvements to the strict DDP model:
  • Implement a corporate IT function
  • Central testing of commercial software and hardware
    • Evaluate system features, controls, and compatibility with industry and organizational standards
  • User services
    • Help desk: technical support, FAQs, chat room, etc.
  • Standard-setting body
    • Distribute standards for systems development, programming and documentation
  • Personnel review
    • Involvement of IT staff in employment decisions
Organization Chart for DDP
Audit Objectives: DDP Environment
• Verify that the structure of the IT function is such that individuals in incompatible areas are segregated:
  • In accordance with the level of potential risk
  • And in a manner that promotes a working environment
• Verify that formal relationships exist between incompatible tasks
Audit Procedures: Centralized IT Functions
• Review relevant documentation to determine whether individuals or groups are performing incompatible functions
  • Including the organizational chart, mission statement and job descriptions
• Review systems documentation and maintenance records for a sample of applications
  ◦ Verify that maintenance programmers for specific projects are not also the original design programmers
• Verify that computer operators do not have access to the operational details of a system's internal logic
  • Including systems documentation, such as systems flowcharts, etc.
• Determine that the segregation policy is being followed
  • Review operations room access logs to determine whether programmers entered because of system failures or for other reasons
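The three audit tests above can be run mechanically once the org chart, maintenance records and access log are in tabular form. The script below is an added example, not part of the lecture or the textbook; all staff names, applications and log entries are constructed, and the function names (`role_conflicts`, `designer_maintainer_overlap`, `unexplained_programmer_entries`) are hypothetical.

```python
# Added example (not from the lecture): segregation-of-duties checks over
# constructed org-chart, maintenance-record and access-log data, using the
# incompatible-function pairs and audit tests described above.
INCOMPATIBLE = {  # functions that must not be held by one individual
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"systems_development", "systems_maintenance"}),
}
# Org chart / job descriptions (constructed): person -> functions held.
STAFF = {
    "alice": {"systems_development"},
    "bob": {"computer_operations"},
    "carol": {"database_administration", "computer_operations"},  # conflict
    "dave": {"systems_maintenance"},
    "erin": {"systems_development", "systems_maintenance"},       # conflict
}
# Systems documentation and maintenance records (constructed), per application.
APPLICATIONS = {
    "payroll": {"designers": {"alice"}, "maintainers": {"dave"}},
    "billing": {"designers": {"erin"}, "maintainers": {"erin"}},              # finding
    "inventory": {"designers": {"alice"}, "maintainers": {"dave", "alice"}},  # finding
}
# Operations-room access log (constructed): (person, date, reason recorded).
ACCESS_LOG = [
    ("bob", "2014-03-03", "shift"),
    ("alice", "2014-03-04", "system_failure"),
    ("alice", "2014-03-05", "program_change"),  # finding: not a system failure
    ("erin", "2014-03-06", ""),                 # finding: no reason recorded
]


def role_conflicts(staff):
    """Return (person, function_a, function_b) for each incompatible pair held."""
    findings = []
    for person, functions in sorted(staff.items()):
        for pair in INCOMPATIBLE:
            if pair <= functions:
                first, second = sorted(pair)
                findings.append((person, first, second))
    return findings

def designer_maintainer_overlap(applications):
    """Return (application, person) where an original designer also maintains it."""
    return [(app, person)
            for app, rec in sorted(applications.items())
            for person in sorted(rec["designers"] & rec["maintainers"])]

def unexplained_programmer_entries(log, staff):
    """Return access-log entries where development staff entered the operations
    room for any reason other than a recorded system failure."""
    developers = {p for p, fns in staff.items() if "systems_development" in fns}
    return [e for e in log if e[0] in developers and e[2] != "system_failure"]

if __name__ == "__main__":
    print(role_conflicts(STAFF))
    print(designer_maintainer_overlap(APPLICATIONS))
    print(unexplained_programmer_entries(ACCESS_LOG, STAFF))
```

Each finding is a lead for the auditor to follow up with the job descriptions and maintenance records, not a conclusion on its own.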
Audit Procedures: Distributed IT Function
• Review the current organizational chart, mission statement and job descriptions for key functions to determine whether individuals or groups are performing incompatible duties
• Verify that corporate policies and standards are published and provided to the distributed IT units
• Verify that compensating controls are employed when segregation of incompatible duties is infeasible
• Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards
The Computer Center
• The following are computer center risks and the controls that help to mitigate them and create a secure environment
• Physical location
  • Avoid human-made hazards, system failures and natural hazards
• Construction
  • Ideally: single-story, underground utilities, windowless, with an air filtration system
  • In a multi-story building, use a middle floor (away from traffic flows and from potential flooding in a basement)
• Access
  • Physical: locked doors, cameras
  • Manual: access log of visitors
Data Center Construction
The Computer Center
• Air conditioning
  • Best in the temperature range of 70-75 degrees Fahrenheit
  • Relative humidity of 50%
• Fire suppression
  • Placed in strategic locations
  • Automatic fire extinguishing systems:
    • Sprinklers (using water)
    • Halon gas (removes oxygen)
    • FM-200 (safe fire suppression)
  • Strong building construction
  • Fire exits should be clearly marked and illuminated during a fire
Air conditioning
The Computer Center
• Fault tolerance
  • Redundant Arrays of Independent Disks (RAID)
  • Using parallel disks
• Power supply
  • Need for clean power
  • Backup power: uninterruptible power supply
Audit Objectives: The Computer Center
• Physical security controls are adequate to reasonably protect the organization from physical exposures
• Insurance coverage on equipment is adequate to compensate the organization for damage to the computer center
Audit Procedures: The Computer Center
• Tests of physical construction
  • Obtain architectural plans to determine that the building is solidly built of fireproof material
  • Ensure adequate drainage
  • Assess the physical location
• Tests of the fire detection system
  • Ensure fire detection and suppression equipment is in place and tested regularly
  • Review official fire marshal records of tests
Audit Procedures: The Computer Center
• Tests of access control
  • Computer center access is restricted to authorized employees
  • Review access logs
  • Observe the process by which access is permitted
  • Review camera videotapes
• Test of RAID
  • Determine whether the RAID level is adequate for the organization, given the level of business risk associated with disk failure
  • If there is no RAID, review the procedure for recovering from a disk failure
Audit Procedures: The Computer Center
• Test of the uninterruptible power supply
  • Perform periodic tests to ensure its capacity to run the computers and air conditioning
  • Record the results
• Test of insurance coverage
  • Annually review the insurance coverage on computer hardware, software and the physical facility
  • Verify that all new acquisitions are covered
  • Verify that obsolete equipment and software have been deleted from the coverage
  • Verify the insurance policy
Disaster Recovery Planning
• Disasters such as earthquakes, floods, or power failures can be catastrophic to an organization's computer center and information systems
• The more dependent an organization is on technology, the more susceptible it is to these risks
• Common features of a DRP:
  • Identify critical applications
  • Create a disaster recovery team
  • Provide site backup
  • Specify backup and off-site storage procedures
Types of Disaster
Identify Critical Applications
• Concentrate on restoring those applications that are critical to the short-term survival of the organization
• This does not mean immediately restoring the data processing facility to full capacity
• Application priorities may change over time, so the DRP must be updated
• Participation of user departments, accountants and auditors is needed to identify critical items and application priorities
Creating a Disaster Recovery Team
• Recovering from a disaster depends on timely corrective action
• Delays make recovery unsuccessful
• Task responsibility must be clearly defined and communicated to the personnel involved
• Each member has expertise in their own area
• In case of disaster, control principles such as segregation of duties, access controls and supervision may be violated
Disaster Recovery Team
Providing Second-Site Backup
• Duplicate data processing models
• Mutual aid pact
  • Agreement between two or more organizations to aid each other in the event of a disaster
  • Driven by economics
• Empty shell or cold site
  • Involves two or more organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
• Recovery operations center or hot site
  • A completely equipped site; very costly and typically shared among many companies
• Warm site
  • Hardware exists, but the backup may not be complete
• Internally provided backup
  • Self-backup
Comparison
Backup and Off-site Storage Procedures
• Operating system backup
  • If the operating system is not included in the site arrangement, specify the current operating systems in the procedure
• Application backup
  • Include procedures to create copies of the current versions of critical applications
• Backup data files
  • At minimum, back up daily. At best: remote mirroring
• Backup documentation
  • Back up critical system documentation
  • May be simplified by using Computer Aided Software Engineering (CASE) documentation tools
Backup and Off-site Storage Procedures
• Backup supplies and source documents
  • Examples: check stock, invoices, purchase orders, etc.
• Testing the DRP
  • Should be performed periodically
  • Surprise simulation
  • Document the status of all processing affected by the test
  • Ideally include backup facilities and supplies
  • Measure performance in the following areas:
    • The effectiveness of DRP team personnel and their knowledge areas
    • The degree of conversion success (i.e., the number of lost records)
    • An estimate of financial loss due to lost records or facilities
    • The effectiveness of program, data, and documentation backup and recovery procedures
Disaster Recovery Plan
1. Critical Applications – Rank critical applications so an orderly and effective restoration of computer systems is possible.
2. Create Disaster Recovery Team – Select team members, write job descriptions, describe the recovery process in terms of who does what.
3. Site Backup – A backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or a branch of the same company swaps availability when needed.
4. Hardware Backup – Some vendors provide computers with their site, known as a hot site or Recovery Operations Center. Some do not provide hardware, known as a cold site. When hardware is not available, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).
5. System Software Backup – Some hot sites provide the operating system. If it is not included in the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the backup site.
7. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies – A modicum inventory of supplies should be at the backup site or be able to be delivered quickly.
9. Documentation – An adequate set of copies of user and system documentation.
10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).
Audit Objective
• Audit objective: verify that the DRP is adequate and feasible for dealing with disasters
DRP Audit Procedures
• Evaluate the adequacy of second-site backup arrangements
  • Mutual aid pact partner: are the systems compatible? Does the partner's excess capacity support the arrangement?
  • ROC: how many members? Where are the members located?
  • Empty shell: is the contract with hardware vendors valid? Is a minimum delay after the disaster specified?
• Review the list of critical applications for completeness and currency
• Verify that procedures are in place for storing off-site copies of applications and data
• Check the currency of backups and copies
DRP Audit Procedures
• Verify that documentation, supplies, etc., are stored off-site
  • Verify that check stock, invoices, purchase orders and any special forms exist in a secure location
• Verify that the disaster recovery team knows its responsibilities
  • Clearly list the names, addresses and telephone numbers of disaster recovery team members
• Check the frequency of testing the DRP
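The backup-currency and test-frequency checks in the two slides above reduce to a comparison of a backup inventory against the critical-application list and the "back up daily" / "test at least yearly" expectations stated earlier. The script below is an added example, not part of the lecture or the textbook; the inventory, dates and application names are constructed, and the function names (`backup_findings`, `drp_test_overdue`) are hypothetical.

```python
# Added example (not from the lecture): checks of off-site backup completeness
# and currency for the critical applications, plus DRP test frequency, run
# over a constructed backup inventory.
from datetime import date, timedelta

# Components the procedures require to be backed up and stored off-site.
REQUIRED = ("operating_system", "application", "data", "documentation")
DATA_MAX_AGE = timedelta(days=1)        # "at minimum, back up daily"
DRP_TEST_MAX_AGE = timedelta(days=365)  # "test periodically (e.g., once a year)"

AS_OF = date(2014, 3, 10)               # audit date (constructed)
LAST_DRP_TEST = date(2013, 1, 20)       # last recorded DRP test (constructed)
CRITICAL_APPS = ["payroll", "billing"]  # from the ranked critical-application list

# Backup inventory (constructed): (application, component, storage site, copy date).
INVENTORY = [
    ("payroll", "operating_system", "off-site", date(2014, 2, 1)),
    ("payroll", "application", "off-site", date(2014, 3, 1)),
    ("payroll", "data", "off-site", date(2014, 3, 9)),
    ("payroll", "documentation", "off-site", date(2014, 1, 15)),
    ("billing", "application", "off-site", date(2014, 3, 1)),
    ("billing", "data", "off-site", date(2014, 3, 2)),          # stale
    ("billing", "documentation", "on-site", date(2014, 3, 1)),  # not off-site
]


def backup_findings(inventory, critical_apps, as_of):
    """Return (application, component, issue) for each missing or stale off-site copy."""
    # Keep only the newest off-site copy of each (application, component).
    newest = {}
    for app, comp, site, copied in inventory:
        if site == "off-site" and copied > newest.get((app, comp), date.min):
            newest[(app, comp)] = copied
    findings = []
    for app in critical_apps:
        for comp in REQUIRED:
            copied = newest.get((app, comp))
            if copied is None:
                findings.append((app, comp, "no off-site copy"))
            elif comp == "data" and as_of - copied > DATA_MAX_AGE:
                findings.append((app, comp, f"data copy is {(as_of - copied).days} days old"))
    return findings


def drp_test_overdue(last_test, as_of):
    """True when the last DRP test is older than the accepted interval."""
    return as_of - last_test > DRP_TEST_MAX_AGE


if __name__ == "__main__":
    for finding in backup_findings(INVENTORY, CRITICAL_APPS, AS_OF):
        print("finding:", finding)
    print("DRP test overdue:", drp_test_overdue(LAST_DRP_TEST, AS_OF))
```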
Benefits of IT Outsourcing
• Improved core business processes
• Improved IT performance
• Reduced IT costs
Risks of IT Outsourcing
• Failure to perform
  • Poor vendor performance
• Vendor exploitation
  • Vendor dependency
• Costs exceed benefits
  • Failure to anticipate the cost of vendor selection, contracting and the transitioning of IT operations to the vendor
• Reduced security
  • Sensitive data held by the vendor
• Loss of strategic advantage
  • A close working relationship between corporate management and IT management is difficult to achieve
Audit Implications of IT Outsourcing
• Management retains its SOX responsibilities for ensuring adequate IT internal controls
• A SAS No. 70 report or an audit of the vendor will be required
Audit Implications of IT Outsourcing
Question - 01
Segregation of duties in the computer-based information system includes
a. separating the programmer from the computer operator.
b. preventing management override.
c. separating the inventory process from the billing process.
d. performing independent verifications by the computer operator.

Question - 02
A disadvantage of distributed data processing is
a. the increased time between job request and job completion.
b. the potential for hardware and software incompatibility among users.
c. the disruption caused when the mainframe goes down.
d. that users are not likely to be involved.
e. that data processing professionals may not be properly involved.

Question - 03
Which of the following is an advantage of distributed data processing?
a. Redundancy
b. User satisfaction
c. Incompatibility
d. Lack of standards

Question - 04
Which of the following disaster recovery techniques may be least optimal in the case of a disaster?
a. Empty shell
b. Mutual aid pact
c. Internally provided backup
d. They are all equally beneficial

Question - 05
Which of the following is a feature of fault tolerance control?
a. Interruptible power supplies
b. RAID
c. Distributed data processing
d. Centralized data processing

Question - 06
Which of the following disaster recovery techniques has the least risk associated with it?
a. Empty shell (cold site)
b. Recovery Operations Center (hot site)
c. Internally provided backup
d. They are all equally risky

Question - 07
Which of the following is NOT a potential threat to computer hardware and peripherals?
a. Low humidity
b. High humidity
c. Carbon dioxide fire extinguishers
d. Water sprinkler fire extinguishers

Question - 08
Which of the following would strengthen organizational control over a large-scale data processing center?
a. Requiring the user departments to specify the general control standards necessary for processing transactions
b. Requiring that requests and instructions for data processing services be submitted directly to the computer operator in the data center
c. Having the database administrator report to the manager of computer operations
d. Assigning maintenance responsibility to the original system designer who best knows its logic

Question - 09
The following are benefits of IT outsourcing EXCEPT
a. Improved core business processes
b. Improved IT performance
c. Reduced IT costs
d. Vendor dependency

Question - 10
Which of the following is true?
a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core business competencies.
c. Core competency theory argues that an organization should not outsource specific commodity assets.
d. Core competency theory argues that an organization should retain certain specific non-core assets in-house.