chapter 2 it governance
DESCRIPTION
.TRANSCRIPT
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
IT Auditing, Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
IT Governance: subset of corporate governance that focuses on the management and assessment of strategic IT resources
Key objects:◦ Reduce risk
◦ Ensure investments in IT resources add value to the corporation
All employees and stakeholders must be active participants in key IT decisions
1Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Three IT governance issues addressed by SOX and the COSO internal control framework:◦ Organizational structure of the IT function
◦ Computer center operations
◦ Disaster recovery planning
Nature of risk associated with each issue
Controls used to mitigate risk
Audit objectives
Tests of controls
2Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Centralized data processing [see Figure 2-1]Organizational chart [see Figure 2-2]
Database administrator
Data processing manager/dept.
Data control
Data preparation/conversion
Computer operations
Data library
3Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Segregation of incompatible IT functionsSystems development & maintenance
Participants
End users
IS professionals
Auditors
Other stakeholders
4Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Segregation of incompatible IT functionsObjectives:
Segregate transaction authorization from transaction processing
Segregate record keeping from asset custody
Divide transaction processing steps among individuals to force collusion to perpetrate fraud
5Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Segregation of incompatible IT functions
Separating systems development from computer operations[see Figure 2-2]
6Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Segregation of incompatible IT functionsSeparating DBA from other functions
DBA is responsible for several critical tasks:
Database security
Creating database schema and user views
Assigning database access authority to users
Monitoring database usage
Planning for future changes
7Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Segregation of incompatible IT functions Alternative 1: segregate systems analysis from
programming [see Figure 2-3]
Two types of control problems from this approach:
Inadequate documentation
Is a chronic problem. Why?
Not interesting
Lack of documentation provides job security
Assistance: Use of CASE tools
Potential for fraud
Example: Salami slicing, trap doors
8Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Segregation of incompatible IT functions Alternative 2: segregate systems
development from maintenance [see Figure 2-2] Two types of improvements from this
approach:
Better documentation standards
Necessary for transfer of responsibility
Deters fraud
Possibility of being discovered
9Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Segregation of incompatible IT functions Segregate data library from operations
Physical security of off-line data files
Implications of modern systems on use of data library:
Real-time/online vs. batch processing
Volume of tape files is insufficient to justify full-time librarian
Alternative: rotate on ad hoc basis
Custody of on site data backups
Custody of original commercial software and licenses
10Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Segregation of incompatible IT functions Audit objectives
Risk assessment
Verify incompatible areas are properly segregated How would an auditor accomplish this objective?
Verify incompatible areas are properly segregated
Verify formal vs. informal relationships exist between incompatible tasks Why does it matter?
11Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Segregation of incompatible IT functions Audit procedures: Obtain and review security policy Verify policy is communicated Review relevant documentation (org. chart,
mission statement, key job descriptions) Review systems documentation and maintenance
records (using a sample) Verify whether maintenance programmers are also
original design programmers Observe segregation policies in practice Review operations room access log Review user rights and privileges
12Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users
Two alternatives shown in [figure 2-4]
Alternative A: centralized
Alternative B: decentralized / network
13Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Inefficient use of resourcesMismanagement of resources by end
usersHardware and software incompatibilityRedundant tasks
Destruction of audit trails Inadequate segregation of duties Hiring qualified professionals Increased potential for errorsProgramming errors and system failures
Lack of standards
14Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Cost reduction End user data entry vs. data control groupApplication complexity reducedDevelopment and maintenance costs reduced
Improved cost control responsibility IT critical to success then managers must
control the technologies
Improved user satisfaction Increased morale and productivity
Backup flexibility Excess capacity for DRP
15Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Need for careful analysis
Implement a corporate IT function Central systems development
Acquisition, testing, and implementation of commercial software and hardware
User services
Help desk: technical support, FAQs, chat room, etc.
Standard-setting body
Personnel review
IT staff
16Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Verify that the structure of the IT function is such that individuals in incompatible areas are segregated:◦ In accordance with the level of potential risk
◦ And in a manner that promotes a working environment
Verify that formal relationships needs to exist between incompatible tasks
17Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Review the corporate policy on computer security
◦ Verify that the security policy is communicated to employees
Review documentation to determine if individuals or groups are performing incompatible functions
Review systems documentation and maintenance records
◦ Verify that maintenance programmers are not also design programmers
18Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Physical location Avoid human-made and natural hazards
Example: Chicago Board of Trade
Construction Ideally: single-story, underground utilities,
windowless, use of filters
If multi-storied building, use top floor (away from traffic flows, and potential flooding in a basement)
Access Physical: Locked doors, cameras
Manual: Access log of visitors
19Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.20
Air conditioning Especially mainframes Amount of heat even from a group of PCs
Fire suppression Automatic: usually sprinklers
Gas, such as halon, that will smother fire by removing oxygen can also kill anybody trapped there
Sprinklers and certain chemicals can destroy the computers and equipment
Manual methods
Power supply Need for clean power, at a acceptable level Uninterrupted power supply
Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
physical security IC protects the computer center from physical exposures
insurance coverage compensates the organization for damage to the computer center
operator documentation addresses routine operations as well as system failures
21Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
man-made threats and natural hazards
underground utility and communications lines
air conditioning and air filtration systems
access limited to operators and computer center workers; others required to sign in and out
fire suppression systems installed
fault tolerance◦ redundant disks and other system components
◦ backup power supplies
22Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Review insurance coverage on hardware, software, and physical facility
Review operator documentation, run manuals, for completeness and accuracy
Verify that operational details of a system’s internal logic are not in the operator’s documentation
23Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Disaster recovery plans (DRP) identify:◦ actions before, during, and after the
disaster◦ disaster recovery team◦ priorities for restoring critical
applications
Audit objective – verify that DRP is adequate and feasible for dealing with disasters
24Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 25
Disaster Recovery Plan
1. Critical Applications – Rank critical applications so an orderly and effective restoration of computer systems is possible.
2. Create Disaster Recovery Team – Select team members, write job descriptions, describe recovery process in terms of who does what.
3. Site Backup – a backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact where a similar business or branch of same company swap availability when needed.
4. Hardware Backup – Some vendors provide computers with their site – known as a hot site or Recovery Operations Center. Some do not provide hardware – known as a cold site. When not available, make sure plan accommodates compatible hardware (e.g., ability to lease computers).
5. System Software Backup – Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the backup site
7. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies – A modicum inventory of supplies should be at the backup site or be able to be delivered quickly.
9. Documentation – An adequate set of copies of user and system documentation.
10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Major IC concerns: ◦ second-site backups
◦ critical applications and databases including supplies and documentation
◦ back-up and off-site storage procedures
◦ disaster recovery team
◦ testing the DRP regularly
26Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Empty shell - involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
Recovery operations center - a completely equipped site; very costly and typically shared among many companies
Internally provided backup - companies with multiple data processing centers may create internal excess capacity
27Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Evaluate adequacy of second-site backup arrangements
Review list of critical applications for completeness and currency
Verify that procedures are in place for storing off-site copies of applications and data◦ Check currency back-ups and copies
28Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Verify that documentation, supplies, etc., are stored off-site
Verify that the disaster recovery team knows its responsibilities◦ Check frequency of testing the DRP
29Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Improved core business processes
Improved IT performance
Reduced IT costs
30Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Failure to perform
Vendor exploitation
Costs exceed benefits
Reduced security
Loss of strategic advantage
31Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Management retains SOX responsibilities
SAS No. 70 report or audit of vendor will be required
32Hall, 3e