IT Auditing

Christine Mendoza

on 12 January 2014

Transcript of IT Auditing

DRP identifies:
actions before, during, and after the disaster
disaster recovery team
priorities for restoring critical applications

Types of Disasters:
System Failure

Identify critical applications
Create a disaster recovery team
Provide site backup
Specify backup and off-site storage procedures

Operating System Backup
- If the company uses a cold site or other method of site backup that does not include a compatible operating system (O/S), procedures for obtaining a current version of the operating system need to be clearly specified

Application Backup
- procedures to create copies of current versions of critical applications

Backup Data Files
- reconstruction of the database is achieved by updating the most current backed-up version with subsequent transaction data

Backup Documentation
- system documentation for critical applications should be backed up and stored off-site along with the applications

Backup Supplies and Source Documents
- create backup inventories of supplies and source documents used in processing critical transactions

Testing the DRP
- most neglected aspect of contingency planning
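The "Backup Data Files" item and "Testing the DRP" above describe restoring the most current backup and applying the transaction data recorded after it, then proving the procedure works. This added example (not from the page or Hall's text; all records, account names and the journal format are constructed) does exactly that for a small balances file and treats the integrity and gap checks as part of the DRP test:

```python
"""Reconstruct a data file from its most current backup plus the transaction
data recorded after it, then check the result against the live file. Added
example, not from the page or Hall's text; all records are constructed."""
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    seq: int        # journal sequence number, strictly increasing
    account: str
    amount: int     # signed amount in cents

def apply(balances, tx):
    new = dict(balances)
    new[tx.account] = new.get(tx.account, 0) + tx.amount
    return new

def take_backup(balances, last_seq):
    """Snapshot plus the seq it is current to; the digest is checked on restore."""
    body = json.dumps({"balances": balances, "last_seq": last_seq}, sort_keys=True)
    return {"body": body, "sha256": hashlib.sha256(body.encode()).hexdigest()}

def reconstruct(backup, journal):
    """Restore the backup, then replay only journal entries recorded after it.
    Refuses a corrupted backup and a gap in the journal rather than guessing."""
    if hashlib.sha256(backup["body"].encode()).hexdigest() != backup["sha256"]:
        raise ValueError("backup integrity check failed")
    snap = json.loads(backup["body"])
    balances, expected = snap["balances"], snap["last_seq"] + 1
    for tx in sorted(journal, key=lambda t: t.seq):
        if tx.seq < expected:
            continue                      # already reflected in the backup
        if tx.seq != expected:
            raise ValueError(f"journal gap: expected seq {expected}, got {tx.seq}")
        balances = apply(balances, tx)
        expected += 1
    return balances

def rejects(backup, journal):
    """True if reconstruction refuses the inputs (the failure cases a DRP test
    should exercise deliberately)."""
    try:
        reconstruct(backup, journal)
        return False
    except ValueError:
        return True

# Constructed journal; the backup was taken after seq 3, the live file holds all six.
JOURNAL = [Transaction(1, "A", 1000), Transaction(2, "B", 500), Transaction(3, "A", -200),
           Transaction(4, "B", 300), Transaction(5, "C", 700), Transaction(6, "A", 50)]
BACKUP = take_backup({"A": 800, "B": 500}, last_seq=3)
LIVE = {"A": 850, "B": 800, "C": 700}
TAMPERED = {"body": BACKUP["body"].replace('"A": 800', '"A": 900'), "sha256": BACKUP["sha256"]}

def drp_test():
    """The DRP test itself: backup + journal must reproduce the live data file."""
    return reconstruct(BACKUP, JOURNAL) == LIVE
```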

Auditing IT Governance Controls

Audit Objective
Systems Development and Maintenance
Disaster Recovery Planning
The Distributed Model
Database Administration

IT Governance
- focuses on the management and assessment of strategic IT resources
- aims to reduce risk
- ensures that investments in IT resources add value to the corporation

1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
The organization of the IT function has implications for the nature and effectiveness of internal controls, which, in turn, has implications for the audit. These are illustrated through two extreme organizational models—the centralized approach and the distributed approach.
Centralized Data Processing
-all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
Centrally organized companies maintain their data resources in a central location that is shared by all end users. In this shared data arrangement, an independent group headed by the database administrator (DBA) is responsible for the security and integrity of the database.
Data Processing
The data processing group manages the computer resources used to perform the day to day processing of transactions. It consists of the following organizational functions:
Data Conversion
Computer Operations
Data Library

The information systems needs of users are met by two related functions: system development and systems maintenance. The former group is responsible for analyzing user needs and for designing new systems to satisfy those needs. The participants in system development activities include:

Systems professionals
-The product of their efforts is a new information system.
- include systems analysts, database designers, and programmers who design and build the system. Systems professionals gather facts about the user’s problem, analyze the facts, and formulate a solution.

End users
- are those for whom the system is built.
- They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities.

Stakeholders
- are individuals inside or outside the firm who have an interest in the system, but are not end users.
- They include accountants, internal auditors, external auditors, and others who oversee systems development.

Physical Location
o The computer center should be away from human-made and natural hazards.

o A computer center should be located in a single-story building of solid construction with controlled access.

o Access to the computer center should be limited to the operators and other employees who work there.

Air Conditioning
o Logic errors can occur in computer hardware when temperatures depart significantly from the optimal range.

o Computers operate best in a temperature range from 70 to 75 degrees Fahrenheit and a relative humidity of 50%.

Fire Suppression
o Major features of a fire suppression system:

1. Automatic and manual alarms should be placed in strategic locations around the installation. These alarms should be connected to permanently staffed fire-fighting stations.

2. There must be an automatic fire extinguishing system that dispenses the appropriate type of suppressant for the location.

3. Manual fire extinguishers should be placed at strategic locations.

4. The building should be of sound construction to withstand water damage caused by fire suppression equipment.

5. Fire exits should be clearly marked and illuminated during a fire.

Fault tolerance
o The ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.

o Two examples of fault tolerance technologies:

1. Redundant arrays of independent disks (RAID)
2. Uninterruptable power supplies

Audit objectives
The auditor’s objective is to evaluate the controls governing computer center security. The auditor must verify that:

Physical security controls are adequate to reasonably protect the organization from physical exposures
Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.

Audit procedures
Tests of Physical Construction
Tests of the Fire Detection System
Tests of Access control
Tests of RAID
Tests of the Uninterruptable Power Supply
Tests for Insurance Coverage

IT Auditing and Assurance by James A. Hall

Maintaining a system of effective internal control requires appropriate separation of responsibilities:
Separate transaction authorization from transaction processing.
Separate record keeping from asset custody.
Divide transaction-processing tasks among individuals.

System Analysis Group
* Produces detailed designs of the new system.
Programming Group
* Codes the programs according to the design specification.

Two types of control problem
- Poor-quality systems documentation is a chronic IT problem and a significant challenge for many organizations.

Two possible reasons:
- Documenting systems is not as interesting as designing, testing and implementing them, so systems professionals tend to move on to a new project rather than document one just completed.
- Job security: when a system is poorly documented it is difficult to interpret, test, and debug.

System Development and Maintenance
- Responsible for creating the systems for users.
Ex. Designing the system

Operations Staff
- Responsible for running the system.
Ex. Entering data.
With detailed knowledge of the applications' logic and control parameters and access to the computer's operating system and utilities, an individual could make unauthorized changes to the application during its execution.
Database Administration
- Organizationally independent
- Responsible for database security, creating the database schema and user views, assigning database access to users, monitoring the database and planning future expansion.

When the original programmer of a system is also assigned maintenance responsibility, the potential for fraud increases.

Program fraud involves making unauthorized changes to program modules for the purpose of committing an illegal act.

Control problems:

1. Documentation standards are improved because the maintenance group requires documentation to perform its maintenance duties.

2. Fraudulent code, once concealed within the system, is out of the programmer's control and may later be discovered, which increases the risk associated with program fraud.

I. Identify Critical Applications
Recovery efforts must concentrate on restoring applications critical to the short-term survival of the organization.

II. Create a Disaster Recovery Team
To avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved.

III. Provide Second-Site Backups
Mutual Aid Pact
- an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster

Empty shell
- involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without computer equipment

Recovery operations center
- a completely equipped site; very costly and typically shared among many companies

Internally provided backup
- companies with multiple data processing centers may create internal excess capacity

IV. Backup and Off-Site Storage Procedures
What is distributed data processing (DDP)?
- Involves reorganizing the central IT function into small IT units that are placed under the control of end users.

- The IT units may be distributed according to business function, geographic location, or both.

- The degree to which they are distributed will vary depending upon the philosophy and objectives of the organization’s management.

Alternative A
is actually a variant of the centralized model; the difference is that terminals (or microcomputers) are distributed to end users for handling input and output. This eliminates the need for the centralized data conversion groups, since the user now performs this task. Under this model, however, systems development, computer operations, and database administration remain centralized.

Alternative B
is a significant departure from the centralized model. This alternative distributes all computer services to the end users, where they operate as standalone units. The result is the elimination of the central IT function from the organizational structure. Figure 2.5 shows a possible organizational structure reflecting the distribution of all traditional data processing tasks to end-user areas.
What are the disadvantages of DDP?
-Inefficient Use of Resources
1) The risk of mismanagement of organization-wide IT resources by end users.
2) DDP can increase the risk of operational inefficiencies because of redundant tasks being performed within the end-user community.
3) The DDP environment poses a risk of incompatible hardware and software among end-user functions.

-Destruction of Audit Trails
Should an end user inadvertently delete one of the files, the audit trail could be destroyed and unrecoverable. Similarly, if an end user inadvertently inserts transaction errors into an audit trail file, it could become corrupted.

-Inadequate Segregation of Duties

The distribution of the IT services to users may result in the creation of small independent units that do not permit the desired separation of incompatible functions.

-Hiring Qualified Professionals.
Managers may experience difficulty attracting highly qualified personnel. The risk of programming errors and system failures increases directly with the level of employee incompetence.

-Lack of Standards.
Because of the distribution of responsibility in the DDP environment, standards for developing and documenting systems, choosing programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or even nonexistent.

What are the advantages of DDP?
-Cost Reductions

The unit cost of data storage, which was once the justification for consolidating data in a central location, is no longer a prime consideration.

The move to DDP has reduced costs in two other areas:
(1) data can be edited and entered by the end user, thus eliminating the centralized task of data preparation; and
(2) application complexity can be reduced, which in turn reduces systems development and maintenance costs.

-Improved Cost Control Responsibility

Proponents of DDP contend that the benefits of improved management attitudes more than outweigh any additional costs incurred from distributing these resources. They argue that if IT capability is indeed critical to the success of a business operation, then management must be given control over these resources.

-Improved User Satisfaction

(1) Users desire to control the resources that influence their profitability;
(2) Users want systems professionals (analysts, programmers, and computer operators) to be responsive to their specific situation; and
(3) Users want to become more actively involved in developing and implementing their own systems.

-Backup Flexibility

The distributed model offers organizational flexibility for providing backup. Each geographically separate IT unit can be designed with excess capacity. If a disaster destroys a single site, the other sites can use their excess capacity to process the transactions of the destroyed site.

Controlling the DDP Environment
Several Improvements to the strict DDP Model

Implement a corporate IT Function
- The corporate IT group provides systems development and database management for entity-wide systems, in addition to technical advice and expertise to the distributed IT community.

Central Testing of Commercial Software and Hardware
- Test results can then be distributed to user areas as standards for guiding acquisition decisions. This allows the organization to effectively centralize the acquisition, testing, and implementation of software and hardware and avoid many problems.

User Services
- This activity provides technical help to users during the installation of new software and in troubleshooting hardware and software problems. In many organizations, user services staff teach technical courses for end users as well as for computer services personnel.

Standard-Setting Body
- The corporate group can contribute to this goal by establishing and distributing to user areas appropriate standards for systems development, programming, and documentation.

Personnel Review
- The involvement of the corporate group in employment decisions can render a valuable service to the organization.

Audit Objective
- The auditor's objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment.
Audit Procedures
Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.

Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.

Verify that computer operators do not have access to the operational details of a system's internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operations documentation set.

Through observation, determine that segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than systems failures.
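Two of the tests above, the maintenance-programmer check and the operations room access log review, run as checks over constructed records. This is an added example, not from the page or Hall's text; the record fields, names, ticket windows and badge-log format are assumptions:

```python
"""Checks for two of the audit tests above, over constructed records. Added
example; the record fields, names and badge-log format are assumptions."""
from datetime import datetime

# Constructed: who designed each application and who now maintains it.
APPLICATIONS = [
    {"app": "payroll", "designers": {"alice", "bob"}, "maintainers": {"carol"}},
    {"app": "ledger", "designers": {"dave"}, "maintainers": {"dave", "erin"}},
]
PROGRAMMERS = {"alice", "bob", "carol", "dave", "erin"}

# Constructed operations room badge log, one granted/denied event per line.
ACCESS_LOG = """\
2014-01-08T09:12:00 badge=dave door=ops-room result=granted
2014-01-08T14:40:00 badge=olga door=ops-room result=granted
2014-01-09T02:05:00 badge=erin door=ops-room result=granted
2014-01-09T02:06:00 badge=bob door=tape-library result=granted
2014-01-10T11:30:00 badge=alice door=ops-room result=denied
2014-01-10T11:31:00 badge=alice door=ops-room result=granted
"""
# Constructed: (opened, closed) windows of declared system failures.
FAILURE_TICKETS = [(datetime(2014, 1, 9, 1, 30), datetime(2014, 1, 9, 4, 0))]

def maintainer_is_designer(applications):
    """Applications whose maintenance programmers include an original designer."""
    return {a["app"]: sorted(a["designers"] & a["maintainers"])
            for a in applications if a["designers"] & a["maintainers"]}

def parse_access_log(text):
    """Yield (timestamp, badge, door, result) tuples from the badge log."""
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(ts), kv["badge"], kv["door"], kv["result"]

def unexplained_programmer_entries(log_text, programmers, tickets, door="ops-room"):
    """Granted entries to the door by programmers outside any system-failure
    window: the entries the auditor would ask operations management to explain."""
    findings = []
    for ts, who, where, result in parse_access_log(log_text):
        if where != door or result != "granted" or who not in programmers:
            continue
        if not any(opened <= ts <= closed for opened, closed in tickets):
            findings.append((ts.isoformat(), who))
    return findings
```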

The following audit procedures would apply to an organization with a distributed IT function:
Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.

Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.

Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.

Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.

The organization's management should seek measures of performance in each of the following areas:
(1) the effectiveness of DRP team personnel and their knowledge levels;
(2) the degree of conversion success;
(3) an estimate of financial loss due to lost records or facilities; and
(4) the effectiveness of program, data, and documentation backup and recovery procedures.

Audit Objective
The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures
In verifying that management’s DRP is a realistic solution for dealing with a catastrophe, the following tests may be performed.

A. Site Backup
B. Critical Application list
C. Software Backup
D. Data Backup
E. Backup Supplies, Documents, and Documentation
F. Disaster Recovery Team

The costs, risks, and responsibilities associated with maintaining an effective corporate IT function are significant. Many executives have therefore opted to outsource their IT functions to third-party vendors who take over responsibility for the management of IT assets and staff and for delivery of IT services, such as data entry, data center operations, applications development, applications maintenance, and network management.
Benefits of IT outsourcing include:
improved core business performance
improved IT performance (because of the vendor’s expertise), and
reduced IT costs

Many IT outsourcing arrangements involve the sale of the client firm’s IT assets—both human and machine—to the vendor, which the client firm then leases back. This transaction results in a significant one-time cash infusion to the firm.
Core competency theory

Argues that an organization should focus exclusively on its core business competencies, while allowing outsourcing vendors to efficiently manage the non–core areas such as the IT functions.

Commodity IT assets

These include such things as network management, systems operations, server maintenance, and help-desk functions.

Specific IT assets

These are idiosyncratic in nature; specific assets have little value outside their current use. Such assets may be tangible (computer equipment), intellectual (computer programs), or human.

Transaction Cost Economics (TCE) theory

This suggests that firms should retain certain specific non–core IT assets in house. Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement.

Mendoza, Christine Joy A.
Geremillo, Zheddy Anne DC.
Loste, Queenie Myka B.
Mascarenas, Ma. Emma Concepcion M.
Junio, Lara
Cordero, Maria Lourdes
Hubalde, Jacquilyn
Pinlac, Krystalee A.