AA 3201 Study Notes 3 - BALAGTAS FY

This document discusses IT governance controls, including the organizational structure of the IT function and segregation of incompatible functions. It describes two models for organizing the IT function: centralized data processing and distributed. Under centralized data processing, all data processing is performed by computers at a central site. Key functions include systems development, database administration, and computer operations. The document emphasizes the importance of separating incompatible functions like systems development from operations, and database administration from other functions. Maintaining proper segregation of duties is an important control in IT governance.

AA 3201

AUDITING IN A CIS ENVIRONMENT

NAME:
Francis Ysabella S. Balagtas

SCHEDULE:
BSA 3 - Group 2
MW 6:00 – 7:30 PM

PROFESSOR:
Ms. Robee Ann L. Aranas
Contents

What is IT Governance?
    KEY OBJECTIVES
What are the components of IT Governance? (IT Governance Controls)
Organizational Structure of the IT function
    Centralized Data Processing model
    Segregation of Incompatible IT Functions
    The Distributed Model
    Controlling the DDP Environment
Computer Center operations
    Physical Location
    Construction
    Access
    Air Conditioning
    Fire Suppression
    Fault Tolerance
    Audit Objectives
    Audit Procedures
Disaster Recovery Planning
    Identify Critical Applications
    Creating a Disaster Recovery Team
    Providing Second-Site Backup
Outsourcing the IT function
    Benefits of IT Outsourcing
    Risks Inherent to IT Outsourcing
Auditing IT Governance Controls
Chapter 2

Chapter Objectives:

1. Understand the risks of incompatible functions and how to structure the IT function.
2. Be familiar with the controls and precautions required to ensure the security of an organization’s computer
facilities.
3. Explain how general controls reduce IT risks
4. Understand the key elements of a disaster recovery plan
5. Be familiar with the benefits, risks, and audit issues related to IT outsourcing.

Information Technology (IT) Governance

What is IT Governance?
- A relatively new subset of corporate governance that focuses on the management and assessment of strategic
IT resources.
- Modern philosophy: all corporate stakeholders be active participants in key IT decisions.

KEY OBJECTIVES
- reduce risk
- ensure that its investments add value to the corporation

What are the components of IT Governance? (IT Governance Controls)

The three IT governance issues addressed by SOX and the COSO internal control framework are the organizational
structure of the IT function, computer center operations, and disaster recovery planning:

Organizational Structure of the IT function


There are two extreme organizational models to choose from:

Centralized Data Processing model 

§ All data processing is performed by one or more large computers housed at a central site for all
users in the organization.
Database Administration
An independent group, headed by its database administrator (DBA), is responsible for the security and integrity
of the database.

Data Processing
The data processing group manages the computer resources used to perform the day-to-day processing of
transactions.
Its organizational functions include:

Data Conversion
Transcribing transaction data from hard-copy source docs into computer input.

Computer Operations
The computer operations group will process the electronic files that were produced in Data
Conversion.

Data Library
This is a room adjacent to the computer center that provides safe storage for the off-line data files.
(example: storing backup data on DVDs, CD-ROMs, tapes, and other storage devices)

Systems Development & Maintenance
Systems Development group: responsible for analyzing user needs and designing new systems to satisfy
those needs.
Participants include:
§ Systems professionals. They gather facts about the user’s problem, analyze the facts, and formulate a
solution. They produce a new information system.
§ End users. These are the people for whom the system is built.
§ Stakeholders. These are individuals inside or outside the firm who have an interest in the system but
are not end users.
Systems Maintenance group: responsible for keeping the new system current with user needs.
Maintenance: making changes to program logic to accommodate shifts in user needs over time.

Segregation of Incompatible IT Functions 



1. Separate transaction authorization from transaction processing.
2. Separate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals such that, short of collusion between two
or more individuals, fraud would not be possible.

Separating Systems Development from Computer Operations
The relationship between these groups must be extremely formal, with no responsibilities co-mingled. Systems
development and maintenance professionals should have no involvement in entering data, or running
applications. Operations staff should run these systems and have no involvement in their design.

What if the opposite happens?
With detailed knowledge of the application’s logic and control parameters and access to the computer’s
operating system and utilities, an individual could make unauthorized changes to the application during its
execution.
Separating Database Administration from Other Functions
The DBA function is responsible for many critical tasks and needs to be organizationally
independent of operations, systems development, and maintenance. These tasks cannot be entrusted to others,
because delegating them to individuals who perform incompatible tasks threatens database integrity.

Separating New Systems Development from Maintenance
This segregation can improve documentation standards and prevent program fraud by denying the original
programmer future access.

Threats that will be avoided:

Inadequate Documentation
Documenting systems is considered less interesting than designing, testing, and implementing
them, so systems professionals prefer to move on to the next project. This leads to poor
documentation and too much dependency on the original programmer for interpreting, testing, and
debugging.

Program Fraud
This happens when the original programmer of a system is also responsible for maintenance. This
may lead to making unauthorized changes to program modules for the purpose of committing an
illegal act.


The Distributed Model 

Distributed Data Processing (DDP) is an alternative to the Centralized Data processing model. This
model involves reorganizing the central IT function into small IT units that are placed under the control
of end users.

The two Distributed Data Processing approaches:


Ø Alternative A is a variant of the centralized model. The difference is that terminals or
microcomputers are distributed to the end-user groups, since the users now perform these tasks
themselves.

Ø Alternative B is very different from the centralized model. It distributes all computer services to
end users, where they operate as standalone units.
Risks Associated with DDP

Inefficient Use of Resources
DDP can expose the organization to:

§ Risk of mismanagement of organization-wide IT resources by end users.


§ Risk of operational inefficiencies because of redundant tasks being performed within the
end-user community.
§ Risk of incompatible hardware and software among end-user functions. This may result in
uncoordinated and poorly conceived decisions.

Destruction of Audit Trails
This happens when an end user inadvertently deletes one of the files, so that the audit trail is
destroyed and unrecoverable. Similarly, if an end user inadvertently inserts transaction errors
into an audit trail file, it could become corrupted.

Inadequate Segregation of Duties
The distribution of the IT services to users may result in the creation of small independent units that
do not permit the desired separation of incompatible functions.

Hiring Qualified Professionals
The level of employee incompetence will increase along with the risk of programming errors and
system failures.

Lack of Standards
The standards for developing and documenting systems, choosing programming languages, acquiring
hardware and software, and evaluating performance may be unevenly applied or even nonexistent.

Advantages of DDP

Cost Reductions
The move to DDP has reduced costs in two areas: (1) data can be edited and entered by the
end user, thus eliminating the centralized task of data preparation; and (2) application complexity
can be reduced, which in turn reduces systems development and maintenance costs.

Improved Cost Control Responsibility
Managers are more motivated to work better and also have the power to make decisions that can
influence their overall success.

Improved User Satisfaction
DDP improves three areas of need that too often go unsatisfied in the centralized model: (1) users
desire to control the resources that influence their profitability; (2) users want systems professionals
to be responsive to their specific situation; and (3) users want to become more actively involved in
developing and implementing their own systems.

Backup Flexibility
DDP makes it possible to back up computing facilities to protect against potential disasters such as fires,
floods, sabotage, and earthquakes. Having a second computer facility is a surefire way to back up
against disasters.

Controlling the DDP Environment

Implement a Corporate IT Function
The corporate IT group provides systems development and database management for
entity-wide systems in addition to technical advice and expertise to the distributed IT community.

Central Testing of Commercial Software and Hardware
This is the evaluation of the merits of competing commercial software and hardware products. These
test results can then be distributed to user areas as standards for guiding acquisition decisions.

User Services
This activity provides technical help to users during the installation of new software and in
troubleshooting hardware and software problems.

Standard-Setting Body
Establishing and distributing to user areas the appropriate standards for systems development,
programming, and documentation can improve a poor control environment.

Personnel Review
The corporate group is often better equipped than users to evaluate the technical credentials of
prospective systems professionals. Its involvement can keep staff quality at its best.

Audit Objective
The objective is to verify that the structure of the IT function segregates individuals who perform incompatible
functions, in accordance with the level of potential risk, and that it promotes a working environment that
supports that segregation.

Audit Procedures

… in a centralized IT organization:
§ Review relevant documentation to determine if individuals or groups are performing incompatible
functions.
§ Review systems documentation and maintenance records to verify if the maintenance programmers
are not designers.
§ Observe to determine if the segregation policy is being followed.

… in a distributed IT organization:
§ Review relevant documentation to determine if individuals or groups are performing incompatible
duties.
§ Verify if the corporate policies and standards are published and then provided to the distributed IT
units.
§ Verify if the compensating controls are in place when needed.
§ Review system documentation to verify if the applications, procedures, and database are in
accordance with the standards.
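The segregation rules above (development and maintenance kept apart from operations, the DBA independent of all of them, and the original designer denied maintenance access to the systems they built) together with the audit procedure of reviewing documentation and maintenance records can be mechanised. The Python check below is an added example, not code from these notes or any textbook; its people, systems, role assignments and maintenance records are constructed sample data.

```python
"""Segregation-of-duties check over an IT function's role assignments.

Added example for these notes (not code from the notes or any textbook):
it mechanises the audit procedure "review documentation and maintenance
records to determine whether individuals perform incompatible functions".
All names, systems and records below are constructed sample data."""
from itertools import combinations

# Function pairs the notes say one person must never hold together:
# development/maintenance vs. operations (data conversion, computer
# operations), database administration vs. everything else, and new
# systems development vs. maintenance.
INCOMPATIBLE_PAIRS = {
    frozenset(pair) for pair in [
        ("systems_development", "computer_operations"),
        ("systems_development", "data_conversion"),
        ("systems_maintenance", "computer_operations"),
        ("systems_maintenance", "data_conversion"),
        ("database_administration", "computer_operations"),
        ("database_administration", "data_conversion"),
        ("database_administration", "systems_development"),
        ("database_administration", "systems_maintenance"),
        ("systems_development", "systems_maintenance"),
    ]
}

# Constructed sample data: who holds which IT functions.
ASSIGNMENTS = {
    "alice": {"systems_development"},
    "bob": {"computer_operations", "data_library"},
    "carol": {"database_administration", "systems_maintenance"},  # violation
    "dave": {"systems_development", "computer_operations"},       # violation
    "erin": {"systems_maintenance"},
}
# Constructed sample data: designers named in the systems documentation,
# and (system, maintainer) entries taken from the maintenance records.
DESIGN_RECORDS = {"payroll": {"alice"}, "billing": {"dave"}}
MAINTENANCE_RECORDS = [("payroll", "erin"), ("billing", "dave")]


def incompatible_assignments(assignments):
    """Return sorted (person, function_a, function_b) triples for every
    person holding two functions that the segregation policy separates."""
    findings = []
    for person, functions in assignments.items():
        for a, b in combinations(sorted(functions), 2):
            if frozenset((a, b)) in INCOMPATIBLE_PAIRS:
                findings.append((person, a, b))
    return sorted(findings)


def designers_maintaining_own_system(design_records, maintenance_records):
    """Return sorted (person, system) pairs where a system's original
    designer still maintains it: the program-fraud exposure in the notes."""
    findings = set()
    for system, maintainer in maintenance_records:
        if maintainer in design_records.get(system, set()):
            findings.add((maintainer, system))
    return sorted(findings)


def audit_it_structure(assignments, design_records, maintenance_records):
    """Run both checks and report whether the structure passes."""
    report = {
        "incompatible_assignments": incompatible_assignments(assignments),
        "designer_maintains_own_system": designers_maintaining_own_system(
            design_records, maintenance_records),
    }
    report["passes"] = not (report["incompatible_assignments"]
                            or report["designer_maintains_own_system"])
    return report


if __name__ == "__main__":
    for key, value in audit_it_structure(
            ASSIGNMENTS, DESIGN_RECORDS, MAINTENANCE_RECORDS).items():
        print(f"{key}: {value}")
```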





Computer Center operations

Part of the annual audit is the examination of the physical environment of the computer center. Risks to this
environment may impact the quality of the information, accounting records, transaction processing, and the
effectiveness of other more conventional internal controls. Such risks may appear in the following aspects:

Physical Location

§ As much as possible, the computer center should be away from human-made and natural hazards. It
should be away from normal traffic, such as on the top floor of a building or in a separate, self-
contained building. No basements.

Construction 

§ An ideal spot for a computer center is in a single-floor building made of solid concrete. It should
have restricted access, with its utility and communication lines buried underground. It is
recommended to have a dust mite-free air filtration system in place to keep the equipment from
deteriorating due to these pests.
§ Locked doors should be employed to limit access to the center, with access controlled by a keypad
or swipe card.
§ To achieve a higher level of security, access should be monitored by closed-circuit cameras and
video recording systems.

Access 

§ Only the operators and other staff who work there should have routine access. Programmers and
analysts who need to enter the center to rectify program faults should be required to sign in and out.
To ensure access control, the computer center should keep accurate records of all such events. There
should be only one door as the main entrance, aside from the necessary fire exits and alarms.

Air Conditioning 

§ Computers function best in an air-conditioned environment, perhaps because they heat up, especially
when they have too many tasks or have been powered on for too long.
§ Recommended: room temperature of 70-75 degrees F and a humidity of 50%
§ Low humidity may result in circuit damage from static electricity and high humidity can cause molds
to grow and paper products to swell and jam equipment.

Fire Suppression 

A good fire suppression system should include the following:

1. Automatic and manual alarms should be placed in strategic locations around the installation
and should be connected to permanently staffed fire-fighting stations.
2. There must be an automatic fire extinguishing system that dispenses the appropriate type of
suppressant for the location.
3. Manual fire extinguishers should be strategically placed throughout the building.
4. The structure should be strong enough to withstand water damage from fire suppression
equipment.
5. During a fire, fire exits should be clearly marked and lit.
Fault Tolerance

Fault tolerance: the ability of the system to continue operation when part of the system fails.
§ Power failures may take the form of total outages, brownouts, and power fluctuations.
§ Recommendation: invest in generators, batteries, and voltage regulators.
§ Two examples of fault-tolerant technologies are:
1. Redundant arrays of independent disks (RAID) – using parallel disks. If one disk fails, the
lost data are automatically reconstructed from the redundant components stored on the
other disks.
2. Uninterruptible power supplies – the generators, batteries, and voltage regulators
recommended above.
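To illustrate the RAID point above, here is an added Python example (not from these notes) of single-parity reconstruction: an XOR parity block stored alongside the data blocks lets one lost block be rebuilt from the surviving disks, while a second simultaneous failure cannot be recovered. The stripe contents are constructed sample data.

```python
"""Single-parity (RAID 5 style) reconstruction of a failed disk's block.

Added example for these notes, not from the notes or any vendor: it shows
how the "redundant components stored on the other disks" let a lost block
be rebuilt.  The stripe contents below are constructed sample data."""


def parity_block(blocks):
    """XOR equal-length blocks together; the result is the parity block."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("all blocks in a stripe must be the same size")
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def build_stripe(data_blocks):
    """Return the data blocks followed by their parity block."""
    return list(data_blocks) + [parity_block(data_blocks)]


def can_reconstruct(stripe):
    """True when at most one block is missing, i.e. single parity suffices."""
    return sum(block is None for block in stripe) <= 1


def reconstruct(stripe):
    """Rebuild the one missing block (marked None) from the survivors.

    XOR is its own inverse, so XOR-ing every surviving block, parity
    included, yields exactly the missing one.  Single parity tolerates
    only one failure: two or more missing blocks cannot be rebuilt."""
    missing = [i for i, block in enumerate(stripe) if block is None]
    if len(missing) != 1:
        raise ValueError(f"single parity can rebuild exactly one block, "
                         f"{len(missing)} missing")
    survivors = [block for block in stripe if block is not None]
    rebuilt = list(stripe)
    rebuilt[missing[0]] = parity_block(survivors)
    return rebuilt


DATA_BLOCKS = [b"GL-0001 ", b"AP-0042 ", b"AR-0107 "]  # constructed stripe


def demo():
    """Simulate one data disk failing and return whether recovery was exact."""
    stripe = build_stripe(DATA_BLOCKS)
    damaged = list(stripe)
    damaged[1] = None              # disk 2 fails; its block is gone
    return reconstruct(damaged) == stripe


if __name__ == "__main__":
    print("recovered exactly:", demo())
```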

Audit Objectives 

§ Physical security controls are adequate to reasonably protect the organization from physical
exposures.
§ Insurance coverage on equipment is adequate to compensate the organization for the destruction
of, or damage to, its computer center.

Audit Procedures

Tests of Physical Construction
The auditor should obtain architectural plans to determine that the computer center is solidly built of
fireproof material. Location should be in an area that minimizes its exposure to fire, civil unrest, and
other hazards.

Tests of Fire Detection System


Manual and automatic fire suppression systems must be in place and tested regularly.

Tests of Access Control
The routine access to the computer center should be restricted to authorized employees. Details
about visitor access such as arrival and departure times, purpose, and frequency of access, can be
obtained by reviewing the access log.

Tests of RAID
The auditor should determine if the level of RAID in place is adequate for the organization, given the
level of business risk associated with disk failure.

Tests of the Uninterruptible Power Supply


This is to ensure that it has sufficient capacity to run the computer and air conditioning. Without such
tests, an organization may be unaware that it has outgrown its backup capacity until it is too late.

Tests for Insurance Coverage
The auditor should verify that all new acquisitions are listed on the policy and that obsolete
equipment and software have been deleted.
Disaster Recovery Planning

A comprehensive statement of all actions to be taken before, during, and after any type of disaster. It has four
features:

Identify Critical Applications 

§ Recovery efforts must concentrate on the restoration of applications that are critical to the short-
term survival of the organization.
§ Applications supporting those functions should be identified and prioritized in the restoration plan.
§ This requires the active participation of user departments, accountants, and auditors.

Creating a Disaster Recovery Team 

§ To avoid serious omissions or duplication of effort during implementation of the contingency plan,
task responsibility must be clearly defined and communicated to the personnel involved.
§ Team members should be experts in their areas and have assigned tasks.

Providing Second-Site Backup
There must be duplicate data processing facilities in case of a disaster. Some examples are:

Mutual Aid Pact
This is an agreement between organizations to aid each other with data processing in the event of a
disaster.
In this scenario, the host company processes the disaster-stricken company’s transactions for it,
even though doing so may halt the host’s own processing.

Mutual aid pacts are relatively cost-free to implement. However, they also require a level of faith and
untested trust that is uncharacteristic of sophisticated management and its auditors.

Empty Shell or cold site
This involves obtaining a building to serve as a data center in a disaster. The recovery time depends
on the availability of hardware.

Recovery Operations Center
This is a fully equipped site that many companies share.

Internally Provided Backup
This method can be preferred by organizations with many data processing centers.

Backup and Offsite Storage Procedures

Operating System Backup
Procedures for obtaining a current version of the operating system need to be clearly specified.
Application Backup
The DRP should include procedures to create copies of current versions of critical applications. This
involves purchasing backup copies of the latest software upgrades used by the organization.
Backup Data Files
Databases should be copied daily to high-capacity, high-speed media, such as tape or CDs/DVDs, and
secured off-site.
Backup Documentation
The system documentation for critical applications should be backed up and stored off-site along
with the applications.
Backup Supplies and Source Documents
The organization should create backup inventories of supplies and source documents used in
processing critical transactions. (check stocks, invoices, purchase orders, etc.)
Testing the DRP
DRP tests are important and should be performed periodically. Tests measure the preparedness of
personnel and identify omissions or bottlenecks in the plan.

Audit Objective
The DRP must be adequate and feasible for dealing with a catastrophe that could deprive the organization of
its computing resources.

Audit Procedures
To verify if the DRP procedures are a realistic solution, the following tests are performed:

§ Evaluate the efficiency of the backup site arrangements.
§ Review the list of critical applications for completeness.
§ Verify that copies of critical applications and operating systems are stored off-site.
§ Verify that critical data files are backed up in accordance with the DRP.
§ Verify that the types and quantities of items specified in the DRP exist and are in a secure
location.
§ Verify that the disaster recovery team members are current employees and are aware of their
assigned responsibilities.





Outsourcing the IT function

Benefits of IT Outsourcing
§ It improves the core business processes
§ It can improve IT performance
§ It can reduce IT costs.

Risks Inherent to IT Outsourcing


§ Failure to perform
§ Vendor exploitation
§ Outsourcing costs will exceed the benefits
§ Reduced security
§ Loss of a strategic advantage
