Chapter 2

AUDITING IT GOVERNANCE CONTROLS

Information Technology Governance
Information technology (IT) governance is a relatively new subset of corporate
governance that focuses on the management and assessment of strategic IT resources.
Key objectives of IT governance are to reduce risk and ensure that investments in IT
resources add value to the corporation.
IT Governance Controls
Although all IT governance issues are important to the organization, not all of them are
matters of internal control under SOX that may potentially impact the financial reporting
process.
3 IT governance issues:
1. Organizational structure of the IT function
2. Computer center operation
3. Disaster recovery planning
Structure of the Information Technology Function
The organization of the IT function has implications for the nature and effectiveness of
internal controls, which in turn, has implications for the audit.
2 extreme organizational models
1. Centralized Approach
2. Distributed Approach
Centralized Data Processing
Under the centralized data processing model, all data processing is performed by one or
more large computers housed at a central site that serves users throughout the
organization.
Database Administration
Centrally organized companies maintain their data resources in a central location that is
shared by all end users. In this shared data arrangement, an independent group headed by
the database administrator (DBA) is responsible for the security and integrity of the
database.
Data Processing
The data processing group manages the computer resources used to perform the day-to-
day processing of transactions. It consists of the following organizational functions: data
conversion, computer operations, and the data library.
Data Conversion
The data conversion function transcribes transaction data from hard-copy documents into
computer input. For example, data conversion could involve keystroking sales orders into a
sale order application in modern systems, or transcibing data into magnetic media (tape or
disk) suitable for computer processing in legacy type systems.

pg. 1
 Marketing

Finance

Production

IT
Services

Distribution Accounting

Data

Information

Cost Chargeback
Figure 2.1 Centralized Data Processing Approach

Computer Operations
The electronic files produced in data convertion are later processed by the central
computer, which is managed by the computer operations groups. Accounting applications
are usually executed according to a strict schedule that is controlled by the central
computer’s operating system.
Data Library
The data library is a room adjacent to the computer center that provides safe storage for
the off-line data files. Those files could be backups or current data files. for instance, the
data library could be used to store backup data on DVDs, CD-TOMs, tapes, or other
storage devices. It could also be used to store current operational data files on magnetic
tapes and removable disks packs.
Data Librarian who is responsible for the receipt, storage, retrieval, and custody of data
files, control access to the library. The librarian issues data files to computer operators in
accordance with program requests and takes custody of files when processing or backup
procedures are completed.

pg. 2
 President

VP VP VP VP VP
Marketing Finance IT Services Administration Operations

Systems Development Database Data Processing

Manager Administrator Manager

New Systems Systems Data Computer Data

Development Maintenance Conversation Operations Library
Manager
Figure 2.2 Organizational Chart of a Centralized Information Technology Function

Systems Development and Maintenance

The information systems needs of users are met by two related functions: system
development and systems maintenance. The former group is responsible for analyzing user
needs and for designing new systems to satisfy those needs. The participants in system
development activities include systems professionals, end users, and stakeholders.
Systems professionals include system analysts, database designers, and programmers
who design and build the system. Systems professionals gather facts about the user’s
problem, analyze the facts, and formulate a solution. The product of their efforts is a new
information system.
End users are those for whom the system is built. They are the managers who receive
reports from the system and the operations personnel who work directly with the system as
part of their daily responsibilities.
Stakeholders are individuals inside or outside the firm who have an interest in the system,
but are not end users. They include accountants, internal auditors, external auditors, and
others who oversee systems development.
Maintenance refers to making changes to program logic to accomodate shifts in user
needs ovetime. During the course of the system’s life (often several years), as much as 80
or 90 percent of its total cost may be incurred through maintenance activities.
Segregation of Incompatible IT Functions
1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody
3. Divide transaction-processing tasks among individuals such that short of collusion
between two or more individuals fraud would not be possible.
The IT environment tends to consolidate activities. A single application may authorize,
process, and record all aspects of a transaction. Thus, the focus of segregation control
shifts from the operational level (transaction processing tasks that computers now perform)
to higher-level organizational relationships within the computer services function.

pg. 3
Separating Systems Development from Computer Operations
The segregation of systems development (both new systems development and
maintenance) and operations activities is of the greatest importance. The relationship
between these groups should be extremely formal, and their responsibilities should not be
commingled. Systems development and maintenance professionals should create (and
maintain) systems for users, and should have no involvement in entering data, or running
applications.
Separating Database Administration from Other Functions
Another important organizational control is the segregation of the database administrator
(DBA) from other computer center functions. The DBA function is responsible for a number
of critical tasks pertaning to database security. Including creating the database schema and
user views, assigning database access authority to users, monitoring database usage and
planning for future expansion.
Separating New Systems Development from Maintenance
Some companies organize their in-house systems development fuction into two groups:
 System analysis group works with the users to produce detailed designs of the
new systems.
 Programming group codes the program accoding to these design specifications.
Under this approah, the programmer who codes the original programs also
maintains the system during the maintenance phase of the systems development life
cycle.
Two Types of Control Problems
 Inadequate Documentation - poor-quality systems documentation is a chronic IT
problem and a significant challenge for many organizations seeking SOX
compliance.
Possible reasons for poor documentation:
 Documentating systems is not as interesting as designing, testing, and
implementing them. Systems professionals much prefer to move on to an
exciting new project rather than document one just completed.
 Job security. When a system is a poorly documented, it is difficult to interpret,
test and debug. Therefore, the programmer who understands the system (the
one who coded it) maintains bargaining power and becomes relatively
indespensable.
 Program Fraud – When the original programmer of a system is also assigned
maintenance responsibility, the potential for fraud is increased. program fraud is
involves making unauthorized changes to program modules for the purpose of
committing an illegal act.
The programmer may have successfully concealed fraudulent code among the
thousands of lines of legitimate codes and the hundreds of modules that constitute a
system.
- needs to protect the fraudulent code from accidental detection by another
programmer performing maintenance or by auditors testing application control.
- may freely access the system, disabling fraudulent code during audits and then
restoring the code when the coast is clear.
DISTRIBUTED DATA PROCESSING (DDP) – an alternative to the centralized model. DDP
involves reorganizing the central IT function into small IT units that are placed under the
control of end users.

Destruction of Audit Trails – an audit trail provides the linkage between a company’s
financial activities (transactions) and the financial statements that report on those activities.

pg. 4
Inadequate Segregation of Duties –Achieving an adequate segregation of duties may not
be possible in some distributed environment.
Hiring Qualified Professionals – End-user managers may lack the IT knowledge to
evaluate the technical credentials and relevant experience of candidates applying for IT
professional positions.
Lack of Standards – because of the distribution of responsibility in the DDP environment,
standards for developing and documenting systems, choosing programming languages,
acquiring hardware and software, and evaluating performance may be unevenly applied or
even nonexistent.

ADVANTAGES OF DDP

Cost Reductions – achieving economics of scale was the principal jurisdiction for the
centralized data processing approach. The economics of data processing favored large,
expensive, powerful computers.

Improved Cost Control Responsibility – End-user managers carry the responsibility for
the financial success of their operations. This responsibility requires that they be properly
empowered with the authority to make decisions about resources that influence their overall
success.

Improved User Satisfaction – perhaps the most often cited benefit of DDP is improved
user satisfaction. DDP proponents claim that distributing system to end users improves
three areas of need that too often go unsatisfied in the centralized model:
(1) Users desire to control the resources that influence their profitability;
(2) Users want systems professionals (analysts, programmers, and computer operators) to
be responsive to their specific situations; and
(3) Users want to become more actively involved in developing and implementing their own
system.

Backup Flexibility – the final argument in favor of DDP is the ability to back up computing
facilities to protect against potential disasters such as fires, floods, sabotage, and
earthquakes.

pg. 5
CONTROLLING THE DDP ENVIRONMENT

Implement a Corporate IT Function – the completely centralized model and the

distributed model represent extreme positions on a continuum of structural alternatives.
The needs of most firms fall somewhere between these end points. Often, the control
problems previously described can be addressed by implementing a corporate IT functions.

Central Testing of Commercial Software and Hardware – a centralized corporate IT

group is better equipped than are end users to evaluate the merits of competing
commercial software and hardware products under consideration.

User Services – a valuable feature of the corporate group is its user services function. This
activity provides technical help to users during the installation of new software and in
troubleshooting hardware and software problems.

Standard-Setting Body – the relatively poor control environment imposed by the DDP
model can be improved by establishing some central guidance. The corporate group can
contribute to this goal by establishing and distributing to user areas appropriate standards
for systems development, programming, and documentation.

Personnel Review – the corporate group is often better equipped than users to evaluate
the technical credentials of prospective systems professionals.

Audit Objective – the auditor’s objective is to verify that the structure of the IT function is
such that individuals in incompatible areas are segregated in accordance with the level of
potential risk and in a manner that promotes a working environment.

Audit Procedures

- Review relevant documentation.

- Review systems documentation and maintenance records.
- Verify that computer operators do not have access to the operational details of system’s
internal logic.
- Through observation, determine that segregation policy is being followed in practice.
- Review the current organizational chart, mission statement, and job descriptions.
- Verify that corporate policies and standards for system design, documentation, and
hardware and software acquisition are published and provided to distributed IT units.
- Verify that compensating controls, such as supervision and management monitoring are
employed.
- Review systems documentation to verify that applications, procedures, and databases are
designed and functioning in accordance with corporate standards.

THE COMPUTER CENTER

The objective of this section is to present computer center risks and the controls that help
to mitigate risk and create a secure environment. The following are the areas of potential
exposure:

Physical Location –the physical location of the computer center directly affects the risk of
destruction to a natural or man-made disaster.
Construction – a computer center should be located in a single-story building of solid
construction with controlled access.
Access – access to the computer center should be limited to the operators and other
employees who work there.
Air Conditioning – computer function best in an air-conditioned environment and
providing adequate air conditioning is often a requirement of the vendor’s warranty.

pg. 6
Fire Suppression – Fire is the most serious threat to a firm’s computer equipment.
Fault Tolerance – is the ability of the system to continue operation when part of the system
fails because of hardware failure, application program error, or operator error. Two (2)
example of Fault tolerance:
(1) Redundant Arrays of Independent Disks (RAID). It involves using parallel disks that
contain redundant elements of data and applications.
(2) Uninterruptible Power Supplies. Commercially provided electrical power

AUDIT OBJECTIVES

The auditor’s objective is to evaluate the controls governing computer center security.
Specifically, the auditor must verify that:
(1) Physical security controls are adequate to reasonably protect the organization from
physical exposures.
(2) Insurance coverage on equipment is adequate to compensate the organization for the
destruction of, or damage to, its computer center.

AUDIT PROCEDURES

The following are tests of physical security controls:

Tests of Physical Construction – the auditor should obtain architectural plans to

determine that the computer center is solidly built of fireproof material.
Tests of the Fire Detection System –the auditor should establish that fire detection and
suppression equipment, both manual and automatic, are in place and tested regularly.
Tests of Access Control – the auditor must establish that routine access to the computer
center is restricted to authorized employees.
Tests of Raid – most systems that employ RAID provide a graphical mapping of their
redundant disk storage.
Tests of the Uninterruptible Power Supply – the computer center should perform
periodic tests of the backup power supply to ensure that it has sufficient capacity to run the
computer and air conditioning.
Tests for Insurance Coverage – the auditor should annually review the organization’s
insurance coverage on its computer hardware, software, and physical facility.

DISASTER RECOVERY PLANNING

Disasters such as earthquakes, floods, sabotage, and even power failures can be
catastrophic to an organization’s computer center and information systems. Disaster
Recovery Plan (DRP) is a comprehensive statement of all actions to be taken before,
during, and after any type of disaster.

Four (4) common features:

(1) Identify critical applications
(2) Create a disaster recovery team
(3) Provide site backup
(4) Specify backup and off-site storage procedures

IDENTIFY CRITICAL APPLICATIONS

The first essential element of a DRP is to identify the firm’s critical applications and
associated data files. Recovery efforts must concentrate on restoring those applications
that are critical to the short-term survival of the organization.

pg. 7
For most organizations, short-term survival requires the restoration of those functions that
generate cash flows sufficient to satisfy short-term obligations. For example, assume that
the following functions affect the cash flow of a particular firm:

 Customer sales and service

 Fulfillment of legal obligation
 Accounts receivable maintenance and collection
 Production and distribution decisions
 Purchasing functions
 Cash disbursements (trade accounts and payroll)

CREATING A DISASTER RECOVERY TEAM

Recovering from a disaster depends in timely corrective action. Delays in performing

essential tasks prolong the recovery period and diminishes the prospects for a successful
recovery. To avoid serious omissions or duplication of effort during implementation of the
contingency plan, task responsibility must be clearly defined and communicated to the
personnel involved.

PROVIDING A SECOND-SITE BACKUP

A necessary ingredient in a DRP is that it provides for duplicate data processing facilities
following a disaster. Among the options available the most common are mutual aid pact;
empty shell or cold site; recovery operations center or hot site; and internally provided
backup.

Mutual Aid Pact A mutual aid pact is an agreement between two or more organizations
(with compatible computer facilities) to aid each other with their data processing needs in
the event of a disaster. In such event the host company must disrupt its processing
schedule to process the critical transactions of the disaster-stricken company. In effect, the
host company itself must go into an emergency operation mode and cut back on the
processing of its lower-priority applications to accommodate the sudden increase in
demand for its IT resources.

Empty Shell The empty or cold site plan is an arrangement wherein the company
buys or leases a building that will serve as data center. In the event of disaster, the shell is
available and ready to receive whatever hardware the temporary user needs to run
essential systems.

Recovery Operations Center A recovery operations center (ROC) or hot site is a fully
equipped backup data center that many companies share. In addition to hardware and
backup facilities, ROC service providers offer a range of technical services to their clients,
who pay an annual fee for the access rights. In the event of a major disaster, a subscriber
can occupy the premises and, within a few hours, resume processing critical applications.

Internally Provided Backup Larger organizations with multiple data processing

centers often prefer the self-reliance that creating internal excess capacity provides. This
permits to develop standardized hardware and software configurations, which ensure
functional compatibility among their data processing centers and minimize cutover
problems in the event of a disaster.

Backup and Off-Site Storage Procedures All data files, applications, documentation, and
supplies needed to perform critical functions should be automatically backed up and stored
at a secured off-site location. Data processing personnel should routinely perform backup
and storage procedures to obtain and secure these critical resources.

pg. 8
Operating System Backup If the company uses a cold site or other method of site backup
that does not include a compatible operating system (O/S), procedures for obtaining a
current version of the operating system need to be clearly specified. The data librarian, if
one exists would be a key person to involve in performing this task in addition to the
applications and data backups procedures discussed next.

Application Backup Based on results obtained in the critical applications step discussed
previously, the DRP should include procedures to create copies of current versions of
critical application.

Backup Data Files The state-of-the-art in database backup is the remote mirrored site,
which provides complete data currency. Not all organizations are willing or able to invest in
such backup resources.

Backup Documentation The system documentation for the critical applications should be
backed up and stored off-site along with the applications. System documentation can
constitute a significant amount of material and the backup process is complicated further by
frequent application changes. Documentation backup may, however, be simplified and
made more efficient through the use of Computer Aided Software Engineering (CASE)
documentation tools.

Backup Supplies and Source Documents The organization should create backup
inventories of supplies and source documents used in processing critical transactions.
Examples of critical supplies are check stocks, invoices, purchase orders, and any other
special purpose forms that cannot be obtained immediately.

Testing the DRY The most neglected aspect of contingency planning is testing the DRP.
Nevertheless, DRP tests are important and should be performed periodically. Tests
measures the preparedness of personnel and identify omissions or bottlenecks in the plan.

Audit Objectives
The auditor should verify that management’s disaster recovery plan is adequate and
feasible for dealing with a catastrophe that could deprive the organization of its computing
resources.

Audit Procedures
In verifying that management’s DRP is a realistic solution for dealing with a catastrophe,
the following tests may be performed.

Site Backup The auditor should evaluate the adequacy of the backup site arrangement.
System incompatibility and human nature both greatly reduce the effectiveness of the
mutual aid pact.

Critical Application List The auditor should review the list of critical applications to
ensure that it is complete. Missing applications can result in failure to recover. The same is
true, however, for restoring unnecessary application. To include applications on the critical
list that are not needed to achieve short-term survival can misdirect resources and disract
attention from the primary objective during the recovery period.

pg. 9
Software Backup The auditor should verify that copies of critical applications and
operating systems are stored off-site. The auditor should also verify that the applications
stored off-site are current by comparing their version numbers with those of the actual
appplications in use.

Data backup The auditor should verify that critical data files are backed up in accordance
with the DRP.

Backup Supplies, Documents, and Documentation The system documentation,

supplies, and source documents needed to process critical transactions should be backed
up and stored off-site. The auditor should verify that the types and quantities of items
specified in the DRP such as check stock, invoices, purchase orders, and any special-
purpose forms exist in a secure location.

Disaster Recovery Team The DRP should clearly list the names, addresses, and
emergency telephone numbers of the disaster recovery team members. The auditor should
verify that members of the team are current employees and are aware of their assigned
reponsibilities.

pg. 10