Auditing IT Governance Controls Lesson Objectives After studying this topic, you should: • Understand the risks of incompatible functions and how to structure the IT function. • Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities. • Understand the key elements of a disaster recovery plan. • Be familiar with the benefits, risks, and audit issues related to IT outsourcing. IT Governance Information technology (IT) governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources. Key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation. IT Governance Controls This controls focus on: 1. Organizational structure of the IT function 2. Computer center operations 3. Disaster recovery planning STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION • The organization of the IT function has implications for the nature and effectiveness of internal controls, which, in turn, has implications for the audit. Centralized Data Processing Under the centralized data processing model, all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization. Centralized Data Processing Approach Org Chart of a Centralized IT Function Related Terms Database Administration • Centrally organized companies maintain their data resources in a central location that is shared by all end users. In this shared data arrangement, an independent group headed by the database administrator (DBA) is responsible for the security and integrity of the database. Data Processing • The data processing group manages the computer resources used to perform the dayto-day processing of transactions. It consists of the following organizational functions: data conversion, computer operations, and the data library. Data Conversion. The data conversion function transcribes transaction data from hard-copy source documents into computer input. For example, data conversion could involve keystroking sales orders into a sale order application in modern systems, or transcribing data into magnetic media (tape or disk) suitable for computer processing in legacy type systems. • Computer Operations. The electronic files produced in data conversion are later processed by the central computer, which is managed by the computer operations groups. Accounting applications are usually executed according to a strict schedule that is controlled by the central computer’s operating system. Data Library. The data library is a room adjacent to the computer center that provides safe storage for the off-line data files. Those files could be backups or current data files. For instance, the data library could be used to store backup data on DVDs, CD-ROMs, tapes, or other storage devices. Systems Development • The information systems needs of users are met by two related functions: system development and systems maintenance. • Systems Development is responsible for analyzing user needs and for designing new systems to satisfy those needs. The participants in system development activities include systems professionals, end users, and stakeholders. Systems professionals include systems analysts, database designers, and programmers who design and build the system. Systems professionals gather facts about the user’s problem, analyze the facts, and formulate a solution. The product of their efforts is a new information system. • End users are those for whom the system is built. They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities. Stakeholders are individuals inside or outside the firm who have an interest in the system, but are not end users. They include accountants, internal auditors, external auditors, and others who oversee systems development. Systems Maintenance • Once a new system has been designed and implemented, the systems maintenance group assumes responsibility for keeping it current with user needs. The term maintenance refers to making changes to program logic to accommodate shifts in user needs over time. Segregation of Incompatible Functions Operational tasks should be segregated to: • 1. Separate transaction authorization from transaction processing. • 2. Separate record keeping from asset custody. • 3. Divide transaction-processing tasks among individuals such that short of collusion • between two or more individuals fraud would not be possible. The Distributed Data Processing • An alternative to the centralized model is the concept of distributed data processing (DDP). The topic of DDP is quite broad, touching upon such related topics as end-user computing, commercial software, networking, and office automation. • Simply stated, DDP involves reorganizing the central IT function into small IT units that are placed under the control of end users. Risks Associated with DDP 1. Inefficient use of Resources – risk of mismanagement of organization-wide IT resources by end users – risk of operational inefficiencies because of redundant tasks being performed within the enduser committee – risk of incompatible hardware and software among end-user functions 2. Destruction of Audit Trails 3. Inadequate Segregation of Duties 4. Difficulty in Hiring Qualified Personnel 5. Lack of Standards Advantages of DDP 1. 2. 3. 4. Cost Control Improved Cost Control Responsibility Improved User Satisfaction Backup Flexibility Controlling the DDP Environment Implement a Corporate IT Function 1. Central Testing of Commercial Hardware and Software 2. User Services 3. Standard-setting body 4. Personnel Review Audit Objective The auditor’s objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks. Audit Procedures If a company uses Centralized IT Function • Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions. • Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers. • Verify that computer operators do not have access to the operational details of a system’s internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operation’s documentation set. • Through observation, determine that segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures. If DDP is used: • Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties. • Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units. • Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible. • Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards. THE COMPUTER CENTER • Accountants routinely examine the physical environment of the computer center as part of their annual audit. The objective of this section is to present computer center risks and the controls that help to mitigate risk and create a secure environment. Physical Location • The physical location of the computer center directly affects the risk of destruction to a natural or man-made disaster. To the extent possible, the computer center should be away from humanmade and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults. The center should be away from normal traffic, such as the top floor of a building or in a separate, selfcontained building. Locating a computer in the basement building increases its risk to floods. Construction • Ideally, a computer center should be located in a single-story building of solid construction with controlled access (discussed next). Utility (power and telephone) lines should be underground. The building windows should not open and an air filtration system should be in place that is capable of extracting pollens, dust, and dust mites. Access • Access to the computer center should be limited to the operators and other employees who work there. Physical controls, such as locked doors, should be employed to limit access to the center. Access should be controlled by a keypad or swipe card, though fire exits with alarms are necessary. To achieve a higher level of security, access should be monitored by closed-circuit cameras and video recording systems. Air Conditioning • Computers function best in an air-conditioned environment, and providing adequate air conditioning is often a requirement of the vendor’s warranty. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors can occur in computer hardware when temperatures depart significantly from this optimal range. Fire Suppression • Fire is the most serious threat to a firm’s computer equipment. Many companies that suffer computer center fires go out of business because of the loss of critical records, such as accounts receivable. The implementation of an effective fire suppression system requires consultation with specialists. Fault Tolerance • Fault tolerance is the ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error. • 1. Redundant arrays of independent disks (RAID). Raid involves using parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks. • 2. Uninterruptible power supplies. Commercially provided electrical power presents several problems that can disrupt the computer center operations, including total power failures, brownouts, power fluctuations, and frequency variations. The equipment used to control these problems includes voltage regulators, surge protectors, generators, and backup batteries. Audit Objectives The auditor must verify that: • Physical security controls are adequate to reasonably protect the organization from physical exposures • Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center Audit Procedures • • • • • • Test of Physical Construction Test of Fire Detection System Test of Access Control Rest of RAID Test of Uninterruptible Power Supply Test of Insurance Coverage DISASTER RECOVERY PLANNING • Disasters such as earthquakes, floods, sabotage, and even power failures can be catastrophic to an organization’s computer center and information systems. Disasters may be natural, human-made or system failure. Features of a DRP • • • • 1. Identify critical applications 2. Create a disaster recovery team 3. Provide site backup 4. Specify backup and off-site storage procedures Identify Critical Applications • The first essential element of a DRP is to identify the firm’s critical applications and associated data files. Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization. Create a Disaster Recovery Team • Recovering from a disaster depends on timely corrective action. Delays in performing essential tasks prolongs the recovery period and diminishes the prospects for a successful recovery. To avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved. Provide Site Backup • A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. Among the options available the most common are mutual aid pact; empty shell or cold site; recovery operations center or hot site; and internally provided backup. • Mutual Aid Pact. A mutual aid pact is an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster. • Empty Shell. The empty shell or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center. In the event of a disaster, the shell is available and ready to receive whatever hardware the temporary user needs to run essential systems. • Recovery Operations Center. A recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their clients, who pay an annual fee for access rights. • Internally Provided Backup. Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides. This permits firms to develop standardized hardware and software configurations, which ensure functional compatibility among their data processing centers and minimize cutover problems in the event of a disaster. Backup and Off-Site Storage Procedures • • • • • • Operating System Backup Application Backup Backup Data Files Backup Documentation Backup Supplies and Source Documents Test the DRP Audit Objective • The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources. Audit Procedures The auditor may perform the following tests: • Site Backup. The auditor should evaluate the adequacy of the backup site arrangement. System incompatibility and human nature both greatly reduce the effectiveness of the mutual aid pact. • Critical Application List. The auditor should review the list of critical applications to ensure that it is complete. Missing applications can result in failure to recover. The same is true, however, for restoring unnecessary applications. • Software Backup. The auditor should verify that copies of critical applications and operating systems are stored off-site. • Data Backup. The auditor should verify that critical data files are backed up in accordance with the DRP. • Backup Supplies, Documents, and Documentation. The system documentation, supplies, and source documents needed to process critical transactions should be backed up and stored off-site. • Disaster Recovery Team. The DRP should clearly list the names, addresses, and emergency telephone numbers of the disaster recovery team members. The auditor should verify that members of the team are current employees and are aware of their assigned responsibilities. IT SOURCING • The costs, risks, and responsibilities associated with maintaining an effective corporate IT function are significant. Many executives have therefore opted to outsource their IT functions to third-party vendors who take over responsibility for the management of IT assets and staff and for delivery of IT services, such as data entry, data center operations, applications development, applications maintenance, and network management. Risk Inherent to IT Sourcing • • • • • Failure to perform Vendor Exploitation Outsourcing costs exceed benefits Reduced Security Loss of Strategic Advantage Audit Implications of Sourcing IT Functions • An auditor should consider PSA 402, AUDIT CONSIDERATIONS RELATING TO ENTITIES USING SERVICE ORGANIZATIONS, in conducting the audit of a client that outsourced its IT functions