Chapter 2: Auditing IT Governance Controls
Summary
This chapter details auditing IT governance controls, focusing on the management and assessment of strategic IT resources. It covers key objectives related to risk reduction and value addition in IT investments. The document also highlights IT governance controls, addressing issues such as organizational structure, computer operations, and disaster recovery planning, within a centralized data processing framework.
CHAPTER 2: AUDITING IT GOVERNANCE CONTROLS

INFORMATION TECHNOLOGY (IT) GOVERNANCE
- Focuses on the management and assessment of strategic IT resources
- Key objectives of IT governance: reduce risk and ensure that investments in IT resources add value to the corporation
- Before the SOX act, the common practice regarding IT investments was to defer all decisions to corporate IT professionals
- Modern IT governance follows the philosophy that all corporate stakeholders, including the BOD, top management, and departmental users (i.e., accounting and finance), be active in key IT decisions
- Such broad-based involvement reduces risk and increases the likelihood that IT decisions will be in compliance with user needs, corporate policies, strategic initiatives, and internal control requirements under SOX

IT GOVERNANCE CONTROLS
Three IT governance issues that are addressed by SOX and the COSO internal control framework:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning

STRUCTURE OF THE CORPORATE IT FUNCTION

Centralized Data Processing
- All data processing is performed by one or more large computers housed at a central site that services users throughout the organization
[Figure 2.1: Centralized data processing; IT services shared by Marketing, Production, Distribution, and Accounting, with cost chargeback]
- IT services activities are consolidated and managed as a shared organization resource
- End users compete for these resources on the basis of need
- The IT services function is usually treated as a cost center whose operating costs are charged back to the end users
- Primary service areas (Figure 2.1): database administration, data processing, and systems development and maintenance
[Figure 2.2: Organizational chart of the centralized IT function (CEO, CFO, data processing, systems, data library; remaining figure text not recoverable)]

Database Administration
- Centrally organized companies maintain their data resources in a central location that is shared by all end users
- An independent group headed by the database administrator
- Responsible for the security and integrity of the database

Data Processing
- Manages the computer resources used to perform the day-to-day processing of transactions
A. Data Control/Data Entry
- Receives hard-copy source documents from end users and transcribes these into digital format for computer processing in batch systems
- E.g., data control/entry would keystroke sales order data onto magnetic disks for input into the system. After data processing, this group would then disseminate the finished sales reports to the appropriate end users, such as the marketing manager
B. Computer Operations
- This is where the electronic files produced in data conversion are later processed
- Accounting applications are usually executed according to a strict schedule that is controlled by the central computer's operating system
C. Data Library
- Room adjacent to the computer center that provides safe storage for the off-line data files
- Those files could be backups or current data files
- The data library could be used to store backup data on DVDs, CD-ROMs, tapes, or other storage devices
- It could also be used to store current operational data files on magnetic tapes and removable disk packs
- It is used to store original copies of commercial software and their licenses for safekeeping
- Data librarian: responsible for the receipt, storage, retrieval, and custody of data files; controls access to the library
- Issues data files to computer operators in accordance with program requests and takes custody of files when processing or backup procedures are completed
- Real-time processing and the increased use of direct-access files have reduced or even eliminated the role of the data librarian in many organizations

Systems Development and Maintenance
- Met by two related functions: systems development and systems maintenance
- Systems development: responsible for analyzing user needs and for designing new systems to satisfy those needs. Participants include:
  - Systems professionals: systems analysts, database designers, and programmers who design and build the system; they gather facts about the user's problem, analyze the facts, and formulate a solution; the product of their efforts is a new information system
  - End users: those for whom the system is built; they are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities
  - Stakeholders: individuals inside or outside the firm who have an interest in the system but are not end users; they include accountants, internal auditors, external auditors, and others who oversee systems development
- Systems maintenance: once a new system has been designed and implemented, this group assumes responsibility for keeping it current with user needs; maintenance means making changes to program logic to accommodate shifts in user needs over time; during the course of the system's life, as much as 80% or 90% of its total costs may be incurred through maintenance activities

SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
Operational tasks should be segregated to:
1. Separate transaction authorization from transaction processing
2. Separate record keeping from asset custody
3. Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible

Separating Systems Development from Computer Operations
- Of the greatest importance
- The relationship between these groups should be extremely formal, and their responsibilities should not be commingled
- Systems development and maintenance professionals should create (and maintain) systems for users, and should have no involvement in entering data or running computer applications (i.e., computer operations)
- Operations staff should run these systems and have no involvement in their design
- These functions are inherently incompatible, and consolidating them invites errors and fraud
- With detailed knowledge of the application's logic and control parameters and access to the computer's operating system and utilities, an individual could make unauthorized changes to the application during its execution. Such changes may be temporary ("on the fly") and will disappear without a trace when the application terminates

Separating Database Administration from Other Functions
- The DBA function is responsible for a number of critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion
- Delegating these responsibilities to others who perform incompatible tasks threatens database integrity
- The DBA function is organizationally independent of operations, systems development, and maintenance

Separating New Systems Development from Maintenance
- In-house systems development involves two functions:
  1. Systems analysis: works with users to produce detailed designs of the new systems
  2. Programming: codes the programs according to these design specifications
[Figure: Systems development divided into systems analysis and applications programming]
- Under this approach, the programmer who codes the original programs also maintains the system during the maintenance phase of the systems development life cycle
- Associated with two types of control problems:

Inadequate Documentation
- A chronic IT problem and a significant challenge for many organizations
  seeking SOX compliance
- At least two explanations for this phenomenon:
  - First, documenting systems is not as interesting as designing, testing, and implementing them; systems professionals much prefer to move on to an exciting new project rather than document one just completed
  - Second, job security; when a system is poorly documented, it is difficult to interpret, test, and debug. The programmer who understands the system (the one who coded it) maintains bargaining power and becomes relatively indispensable
- When the programmer leaves the firm, however, a new programmer inherits maintenance responsibility for the undocumented system; depending on its complexity, the transition period may be long and costly

Program Fraud
- When the original programmer of a system is also assigned maintenance responsibility, the potential for fraud is increased
- Involves making unauthorized changes to program modules for the purpose of committing an illegal act
- The original programmer may have successfully concealed fraudulent code among the thousands of lines of legitimate code and the hundreds of modules that constitute a system
- For the fraud to work successfully, however, the programmer must be able to control the situation through exclusive and unrestricted access to the application's programs
- The programmer needs to protect the fraudulent code from accidental detection by another programmer performing maintenance or by auditors testing application controls
- Therefore, having the sole responsibility for maintenance is an important element in the duplicitous programmer's scheme
- Through this maintenance authority, the programmer may freely access the system, disabling fraudulent code during audits and then restoring the code when the coast is clear

A Superior Structure for Systems Development
- New systems development: responsible for designing, programming, and implementing new systems projects
- Upon successful implementation, responsibility for the system's maintenance falls to the systems maintenance group
- This restructuring has implications that directly address the two control problems:
  1. Documentation standards are improved because the maintenance group requires documentation to perform its maintenance duties. Without complete and adequate documentation, the formal transfer of system responsibility from new systems development to systems maintenance simply cannot occur
  2. Denying the original programmer future access to the program deters program fraud. That the fraudulent code, once concealed within the system, is out of the programmer's control and may later be discovered increases the risk associated with program fraud. The success of this control depends on the existence of other controls that limit, prevent, and detect unauthorized access to programs (such as source program library controls)

THE DISTRIBUTED MODEL
- Distributed data processing (DDP)
- Alternative to the centralized model
- Involves reorganizing the central IT function into small IT units that are placed under the control of the end users
- IT units may be distributed according to business function, geographic location, or both
- The degree to which they are distributed will vary depending upon the philosophy and objectives of the organization's management
[Figure: Distributed data processing organization chart (computer services, development, processing, production function; remaining figure text not recoverable)]

Two alternative DDP approaches:
1. Alternative A
   - Variant of the centralized model
   - Difference is that terminals (or microcomputers) are distributed to end users for handling input and output
   - This eliminates the need for centralized data conversion groups, since the user now performs these tasks
   - Under this model, however, systems development, computer operations, and database administration remain centralized
2. Alternative B
   - Significant departure from the centralized model
   - Distributes all computer services to end users, where they operate as standalone units
   - Elimination of the central IT function from the organizational structure
   - Interconnections between the distributed units represent a networking arrangement that permits communication and data transfer among units

Risks Associated with DDP
1. Inefficient Use of Resources
   - DDP can expose an organization to three types of risks associated with inefficient use of resources:
   - Risk of mismanagement of organization-wide IT resources by end users
   - DDP can increase the risk of operational inefficiencies because of redundant tasks being performed within the end-user community. E.g., application programs created by one user, which could be used with little or no change by others, will be redesigned from scratch rather than shared. Data common to many users may be recreated for each, resulting in a high level of redundancy
   - The DDP environment poses a risk of incompatible hardware and software among end-user functions. Distributing responsibility for IT purchases to end users may result in uncoordinated and poorly conceived decisions. E.g., decision makers in different organizational units working independently may settle on dissimilar and incompatible operating systems, technology platforms, spreadsheets, word processors, and database packages. Hardware and software incompatibilities can degrade and disrupt connectivity between units, causing the loss of transactions and possible destruction of audit trails
2. Destruction of Audit Trails
   - An audit trail provides the linkage between a company's financial activities (transactions) and the financial statements that report on those activities
   - Auditors use the audit trail to trace selected financial transactions from the source documents that captured the events, through the journal, subsidiary ledger, and general ledger accounts that record the events, and ultimately to the financial statements
   - The audit trail is critical to the auditor's attest service
   - In DDP systems, the audit trail consists of a set of digital transaction files and master files. Should an end user inadvertently delete one of the files, the audit trail could be destroyed and unrecoverable. Similarly, if an end user inadvertently inserts transaction errors into an audit trail file, it could become corrupted
3. Inadequate Segregation of Duties
   - The distribution of IT services to users may result in the creation of small independent units that do not permit the desired separation of incompatible functions
   - E.g., within a single unit the same person may write application programs, perform program maintenance, enter transaction data into the computer, and operate the computer equipment. Such a situation would be a fundamental violation of internal control
4. Hiring Qualified Professionals
   - End-user managers may lack the IT knowledge to evaluate the technical credentials and relevant experience of candidates applying for IT professional positions
   - If the organizational unit into which a new employee is entering is small, the opportunity for personal growth, continuing education, and promotion may be limited
   - For these reasons, managers may experience difficulty attracting highly qualified professionals
   - The risk of programming errors and system failures increases directly with the level of employee incompetence
5. Lack of Standards
   - Because of the distribution of responsibility in the DDP environment, standards for developing and documenting systems, choosing programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or even nonexistent

Advantages of DDP
1. Cost Reductions
   - Powerful and inexpensive microcomputers and minicomputers that can perform specialized functions have changed the economics of data processing dramatically
   - In addition, the unit cost of data storage, which was once the justification for consolidating data in a central location, is no longer a prime consideration
   - The move to DDP has reduced costs in two other areas: data can be edited and entered by the end user, thus eliminating the centralized task of data preparation; application complexity can be reduced, which in turn reduces systems development and maintenance costs
2. Improved Cost Control Responsibility
   - Proponents of DDP argue that the benefits of improved management attitudes more than outweigh any additional costs incurred from distributing these resources
   - They argue that if IT capability is indeed critical to the success of a business operation, then management must be given control over these resources
3. Improved User Satisfaction
   - Distributing systems to end users improves three areas of need that too often go unsatisfied in the centralized model:
     - Users desire to control the resources that influence their profitability
     - Users want systems professionals (analysts, programmers, and computer operators) to be responsive to their specific situation
     - Users want to become more actively involved in developing and implementing their own systems
4. Backup Flexibility
   - Ability to back up computing facilities to protect against potential disasters such as fires, floods, sabotage, and earthquakes
   - The distributed model offers organizational flexibility for providing backup
   - Each geographically separate IT unit can be designed with excess capacity
   - If a disaster destroys a single site, the other sites can use their excess capacity to process the transactions of the destroyed site
   - This setup requires close coordination between the end-user managers to ensure that they do not implement incompatible hardware and software

CONTROLLING THE DDP ENVIRONMENT
- Many DDP initiatives have proven to be ineffective, and even counterproductive, because decision makers saw in these systems virtues that were more symbolic than real
- Before taking an irreversible step, decision makers must assess the true merits of DDP for their organization

Implement a Corporate IT Function
- This function is greatly reduced in size and status from that of the centralized model
- Provides systems development and database management for entity-wide systems in addition to technical advice and expertise to the distributed IT community
- Some of the services provided:
1. Central Testing of Commercial Software and Hardware
   - The centralized corporate IT group is better equipped than are end users to evaluate the merits of competing commercial software and hardware products under consideration
   - It can evaluate systems features, controls, and compatibility with industry and organizational standards
   - Test results can then be distributed to user areas as standards for guiding acquisition decisions
   - This allows the organization to effectively centralize the acquisition, testing, and implementation of software and hardware and avoid many problems
2. User Services
   - This activity provides technical help to users during the installation of new software and in troubleshooting hardware and software problems
   - The creation of an electronic bulletin board for users is an excellent way to distribute information about common problems and allows the sharing of user-developed programs with others in the organization
3. Standard-Setting Body
   - Establishing and distributing to user areas appropriate standards for systems development, programming, and documentation
4. Personnel Review
   - The corporate group is often better equipped than users to evaluate the technical credentials of prospective systems professionals

Audit Objective
- The auditor's objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment
- Working environment: an environment in which formal, rather than casual, relationships need to exist between incompatible tasks

Audit Procedures
- For a centralized IT function:
  - Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
  - Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.
  - Verify that computer operators do not have access to the operational details of a system's internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operations documentation set.
  - Through observation, determine that the segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.
- For a distributed IT function:
  - Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.
  - Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
  - Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
  - Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.

THE COMPUTER CENTER
- Accountants routinely examine the physical environment of the computer center as part of their annual audit

Physical Location
- Directly affects the risk of destruction from a natural or man-made disaster.
- To the extent possible, the computer center should be away from man-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults.

Construction
- Ideally, a computer center should be located in a single-story building of solid construction with controlled access
- Utility (power and telephone) lines should be underground.
- The building windows should not open, and an air filtration system should be in place that is capable of extracting pollens, dust, and dust mites.

Access
- Access to the computer center should be limited to the operators and other employees who work there.
- Physical controls, such as locked doors, should be employed to limit access to the center.
- Access should be controlled by a keypad or swipe card, though fire exits with alarms are necessary
- To achieve a higher level of security, access should be monitored by closed-circuit cameras and video recording systems
- Computer centers should also use sign-in logs for programmers and analysts who need access to correct program errors.
- The computer center should maintain accurate records of all such traffic.

Air-Conditioning
- Computers function best in an air-conditioned environment, and providing adequate air-conditioning is often a requirement of the vendor's warranty.
- Computers operate best in a temperature range of 70 to 75°F (21 to 24°C) and a relative humidity of 50 percent
- Logic errors can occur in computer hardware when temperatures depart significantly from this optimal range.
- Also, the risk of circuit damage from static electricity is increased when humidity drops.
- In contrast, high humidity can cause molds to grow and paper products (such as source documents) to swell and jam equipment.

Fire Suppression
- Fire is the most serious threat to a firm's computer equipment.
- Some of the major features of a fire suppression system include the following:
  1. Automatic and manual alarms should be placed in strategic locations around the installation. These alarms should be connected to permanently staffed firefighting stations.
  2. There must be an automatic fire extinguishing system that dispenses the appropriate type of suppressant for the location. For example, spraying water and certain chemicals on a computer can do as much damage as the fire.
  3. Manual fire extinguishers should be placed at strategic locations.
  4. The building should be of sound construction to withstand water damage caused by fire suppression equipment.
  5. Fire exits should be clearly marked and illuminated during a fire.

Fault Tolerance
- Fault tolerance is the ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.
- Ensures that no single point of potential system failure exists.
- Total failure can occur only if multiple components fail
- Two examples of fault tolerance technologies:
  - Redundant arrays of independent disks (RAID): involves using parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.
  - Uninterruptible power supplies: the equipment used to control power problems includes voltage regulators, surge protectors, generators, and backup batteries. In the event of a power outage, these devices provide backup power for a reasonable period to allow commercial power service restoration. In the event of an extended power outage, the backup power will allow the computer system to shut down in a controlled manner and prevent the data loss and corruption that would otherwise result from an uncontrolled system crash.

Audit Objectives
- Evaluate the controls governing computer center security.
- Specifically, the auditor must verify that:
  - Physical security controls are adequate to reasonably protect the organization from physical exposures
  - Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center

Audit Procedures
- The following are tests of physical security controls:
  - Tests of physical construction
  - Test of the fire detection system
  - Test of access control
  - Tests of RAID
  - Tests of uninterruptible power supply
  - Tests for insurance coverage

DISASTER RECOVERY PLANNING
[Figure 2.6: Types of Disasters]
- Natural disasters: most potentially devastating
- Man-made disasters: can be just as destructive but tend to be limited in their scope of impact
- System failures: generally less severe, but are most likely to occur
- Because of any of these disasters, the company loses its ability to do business.
- The more dependent an organization is on technology, the more susceptible it is to these types of risks
- Disaster Recovery Plan (DRP): a comprehensive statement of all actions to be taken before, during, and after any type of disaster. Although the details of each plan are unique to the needs of the organization, all workable plans possess four common features:
  1. Identify critical applications
  2. Create a disaster recovery team
  3. Provide site backup
  4. Specify backup and off-site storage procedures

Identify Critical Applications
- First essential element
- Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization
- The DRP, however, is a short-term document that should not attempt to restore the organization's data processing facility to full capacity immediately following the disaster
- For most organizations, short-term survival requires the restoration of those functions that generate cash flows sufficient to satisfy short-term obligations
- Application priorities may change over time, and these decisions must be reassessed regularly
- The task of identifying critical items and prioritizing applications requires the active participation of user departments, accountants, and auditors

Creating a Disaster Recovery Team
- The team members should be experts in their areas and have assigned tasks
- Following a disaster, team members will delegate subtasks to their subordinates
- The environment created by the disaster may make it necessary to violate control principles such as segregation of duties, access controls, and supervision
[Figure 3.7: Recovery Team (figure text not recoverable)]

Providing Second-Site Backup
- A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster
- Mutual Aid Pact
  - An agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster.
  - In such an event, the host company must disrupt its processing schedule to process the critical transactions of the disaster-stricken company.
  - In effect, the host company itself must go into an emergency operation mode and cut back on the processing of its lower-priority applications to accommodate the sudden increase in demand for its IT resources.
  - The popularity of these reciprocal agreements is driven by economics; they are relatively cost-free to implement
  - Works better in theory than in practice
- Empty Shell (Cold Site Plan)
  - An arrangement wherein the company buys or leases a building that will serve as a data center
  - In the event of a disaster, the shell is available and ready to receive whatever hardware the temporary user needs to run essential systems.
- Recovery Operations Center (ROC, Hot Site)
  - Fully equipped backup data center that many companies share.
  - In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their clients, who pay an annual fee for access rights
  - In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.
- Internally Provided Backup
  - Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides
  - This permits firms to develop standardized hardware and software configurations, which ensure functional compatibility among their data processing centers and minimize cutover problems in the event of a disaster.

BACKUP AND OFF-SITE STORAGE PROCEDURES

Operating System Backup
- If the company uses a cold site or other method of site backup that does not include a compatible operating system (O/S), procedures for obtaining a current version of the operating system need to be clearly specified
- The data librarian, if one exists, would be a key person to involve in performing this task

Application Backup
- The DRP should include procedures to create copies of current versions of critical applications
- In the case of commercial software, this involves purchasing backup copies of the latest software upgrades used by the organization.
- For in-house developed applications, backup procedures should be an integral step in the systems development and program change process

Backup Data Files
- The state of the art in database backup is the remote mirrored site, which provides complete data currency
- As a minimum, however, databases should be copied daily to high-capacity, high-speed media, such as tape or CDs/DVDs, and secured off-site.
- In the event of a disruption, reconstruction of the database is achieved by updating the most current backed-up version with subsequent transaction data
- Likewise, master files and transaction files should be protected.

Backup Documentation
- The system documentation for critical applications should be backed up and stored off-site along with the applications
- Documentation backup may, however, be simplified and made more efficient through the use of computer-aided software engineering (CASE) documentation tools.

Backup Supplies and Source Documents
- The organization should create backup inventories of supplies and source documents used in processing critical transactions

Testing the DRP
- DRP tests are important and should be performed periodically
- Tests measure the preparedness of personnel and identify omissions or bottlenecks in the plan
- A test is most useful when the simulation of a disruption is a surprise
- The organization's management should seek measures of performance in each of the following areas:
  - the effectiveness of DRP team personnel and their knowledge levels
  - the degree of conversion success (i.e., the number of lost records)
  - an estimate of financial loss due to lost records or facilities
  - the effectiveness of program, data, and documentation backup and recovery procedures.

Audit Objective
- Verify that management's disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources

Audit Procedures
1. Site Backup: the auditor should evaluate the adequacy of the backup site arrangement.
2. Critical Application List: the auditor should review the list of critical applications to ensure that it is complete. Missing applications can result in failure to recover.
3. Software Backup: the auditor should verify that copies of critical applications and operating systems are stored off-site. The auditor should also verify that the applications stored off-site are current by comparing their version numbers with those of the actual applications in use.
4. Data Backup: the auditor should verify that critical data files are backed up in accordance with the DRP.
5. Backup Supplies, Documents, and Documentation: the auditor should verify that the types and quantities of items specified in the DRP, such as check stock, invoices, purchase orders, and any special-purpose forms, exist in a secure location.
6. Disaster Recovery Team: the DRP should clearly list the names, addresses, and emergency telephone numbers of the disaster recovery team members. The auditor should verify that members of the team are current employees and are aware of their assigned responsibilities.

OUTSOURCING THE IT FUNCTION
- Benefits of IT outsourcing:
  - improved core business performance
  - improved IT performance (because of the vendor's expertise)
  - reduced IT costs
- Core competency theory: argues that an organization should focus exclusively on its core business competencies, while allowing outsourcing vendors to efficiently manage the noncore areas such as the IT functions
- Commodity IT assets: not unique to a particular organization and are thus easily acquired in the marketplace.
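Several of the audit procedures listed in this chapter, for the segregation of incompatible IT functions (maintenance programmers who were also the original design programmers; programmers entering the operations room for reasons other than system failures) and for the DRP (off-site application copies current with production versions; recovery team members who are current employees), can be scripted against the records the auditor collects. The following is an added example, not part of the chapter; the record layouts, names, version numbers and log lines are all constructed assumptions standing in for an organization's own documentation.

```python
"""Scripted checks for four of the chapter's audit procedures.

Added example with constructed data, not part of the chapter. The record
layouts below stand in for the organization's own maintenance records,
operations-room access log, off-site inventory and DRP team list.
"""
import shlex

# Constructed: application -> (original design programmers, current maintenance programmers)
APPLICATIONS = {
    "payroll": ({"alice"}, {"bob"}),
    "sales_order": ({"carol"}, {"carol", "dan"}),  # carol designed it and still maintains it
    "general_ledger": ({"erin"}, {"frank"}),
}

# Constructed operations-room access log: timestamp, badge holder, role, quoted reason
ACCESS_LOG = """\
2023-03-01T02:10 bob operator "night shift"
2023-03-01T09:45 alice programmer "system failure on nightly batch"
2023-03-02T14:00 carol programmer "testing new release"
2023-03-03T08:30 dan programmer "system failure, disk error"
"""

# Constructed: version running in production vs. version of the copy held off-site
PRODUCTION_VERSIONS = {"payroll": "4.2", "sales_order": "7.0", "general_ledger": "2.9"}
OFFSITE_COPIES = {"payroll": "4.2", "sales_order": "6.8"}  # general_ledger has no copy

# Constructed: DRP team list vs. HR's roster of current employees
RECOVERY_TEAM = ["alice", "bob", "grace"]
HR_ROSTER = {"alice", "bob", "carol", "dan", "erin", "frank"}  # grace has left the firm


def sod_violations(apps):
    """Maintenance programmers who were also the original design programmers."""
    return sorted(
        (app, who)
        for app, (designers, maintainers) in apps.items()
        for who in designers & maintainers
    )


def programmer_visits_without_failure(log):
    """Programmer entries to the operations room not explained by a system failure."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, who, role, reason = shlex.split(line)
        if role == "programmer" and "system failure" not in reason.lower():
            findings.append((stamp, who, reason))
    return findings


def stale_offsite_copies(production, offsite):
    """Applications whose off-site copy is missing or not at the production version."""
    return sorted(app for app, version in production.items() if offsite.get(app) != version)


def noncurrent_team_members(team, roster):
    """DRP team members who are no longer current employees."""
    return sorted(member for member in team if member not in roster)


def audit_findings():
    """Collect the exceptions from all four checks into one workpaper-style dict."""
    return {
        "segregation_of_duties": sod_violations(APPLICATIONS),
        "operations_room_access": programmer_visits_without_failure(ACCESS_LOG),
        "offsite_software_currency": stale_offsite_copies(PRODUCTION_VERSIONS, OFFSITE_COPIES),
        "recovery_team_currency": noncurrent_team_members(RECOVERY_TEAM, HR_ROSTER),
    }


if __name__ == "__main__":
    for area, exceptions in audit_findings().items():
        print(f"{area}: {exceptions or 'no exceptions'}")
```

Each function returns the exceptions for one procedure, so an empty list is a clean result and anything else is a finding to follow up with the documentation review and observation the chapter also calls for.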