Chapter 2:
Auditing IT Governance
Controls
IT Auditing, Hall, 4e
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Learning Objectives
• Understand the risks of incompatible functions and
how to structure the IT function.
• Be familiar with the controls and precautions
required to ensure the security of an organization’s
computer facilities.
• Understand the key elements of a disaster recovery
plan.
• Be familiar with the benefits, risks, and audit issues
related to IT outsourcing.
IT Governance
• Subset of corporate governance that focuses on the
management and assessment of strategic IT
resources.
• Key objectives are to reduce risk and to ensure that
investments in IT resources add value to the
corporation.
• All corporate stakeholders must be active
participants in key IT decisions.
IT Governance Controls
• Three IT governance issues addressed by SOX and
the COSO internal control framework:
• Organizational structure of the IT function.
• Computer center operations.
• Disaster recovery planning.
Structure of the Corporate IT
Function
• Under the centralized data processing model, all data
processing is performed at a central site.
• End users compete for resources based on need.
• Operating costs charged back to end user.
• Primary service areas:
• Database administrator.
• Data processing consisting of data control/data entry,
computer operations and data library.
• Systems development and maintenance.
• Participants in systems development activities include
systems professionals, end users, and stakeholders.
Structure of the Corporate IT
Function
Alternative Organization of
Systems Development
Alternative Organization of
Systems Development Problems
• Two control problems arise when systems analysis and
applications programming are combined in the same
individuals (the alternative structure):
• Inadequate documentation is a chronic problem.
• Documenting systems is not an interesting task.
• Lack of documentation provides job security for the
programmer who coded the system.
• When the original programmer also has maintenance
responsibilities, the potential for fraud increases.
• The programmer may have concealed fraudulent code in the system.
• Sole responsibility for maintenance may allow the
programmer to conceal the code for years.
Structure of the Corporate IT
Function
Segregation of Incompatible IT
Functions
• Systems development from computer operations.
• The relationship between the groups should be formal, and
responsibilities should not be commingled.
• Database administration from other functions.
• DBA function responsible for many critical tasks and needs to
be organizationally independent of operations, systems
development and maintenance.
• New systems development from maintenance.
• Improves documentation standards because maintenance
group requires documentation.
• Denying original programmer future access deters program
fraud.
The Distributed Model
• Distributed Data Processing (DDP) involves
reorganizing central IT function into small IT units
that are placed under the control of end users.
• Two alternatives:
• Alternative A: Variant of centralized model with
terminals or microcomputers distributed to end users
for handling input and output.
• Alternative B: Distributes all computer services to the
end users, where they operate as stand-alone units.
The Distributed Model
Audit Objectives and Audit Procedures Based on Management Assertions
Each row gives the management assertion, the audit objective derived from it, and the audit procedure used to test it:
• Existence or occurrence. Objective: inventories listed on the balance sheet exist. Procedure: observe the counting of physical inventory.
• Completeness. Objective: accounts payable include all obligations to vendors for the period. Procedure: compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period.
• Rights and obligations. Objective: plant and equipment listed on the balance sheet are owned by the entity. Procedure: review purchase agreements, insurance policies, and related documents.
• Valuation or allocation. Objective: accounts receivable are stated at net realizable value. Procedure: review the entity's aging of accounts and evaluate the adequacy of the allowance for uncollectible accounts.
• Presentation and disclosure. Objective: contingencies not reported in the financial accounts are properly disclosed in footnotes. Procedure: obtain information from the entity's lawyers about the status of litigation and estimates of potential loss.
Risks Associated with DDP
• Inefficient use of resources:
• Mismanagement of IT resources by end users.
• Operational inefficiencies due to redundant tasks being
performed.
• Hardware and software incompatibility among end-user
functions.
• Destruction of audit trails.
• Inadequate segregation of duties.
• Hiring qualified professionals:
• The risk of programming errors and system failures increases
directly with the level of employee incompetence.
• Lack of standards.
Controlling the DDP Environment
• Implement a corporate IT function:
• Central testing of commercial software and hardware.
• User services to provide technical help.
• Standard-setting body.
• Personnel review.
Audit Procedures for the DDP
• Audit procedures in a centralized IT organization:
• Review relevant documentation to determine if
individuals or groups are performing incompatible
functions.
• Review systems documentation and maintenance
records to verify maintenance programmers are not
designers.
• Observe to determine if segregation policy is being
followed.
Audit Procedures for the DDP
• Audit procedures in a distributed IT organization:
• Review relevant documentation to determine if
individuals or groups are performing incompatible
duties.
• Verify corporate policies and standards are published
and provided to distributed IT units.
• Verify compensating controls are in place when needed.
• Review system documentation to verify that applications,
procedures and databases are in accordance with
standards.
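The segregation tests above (no person holding incompatible IT functions, maintenance programmers who are not the original designers, and compensating controls where full segregation is impractical in a DDP unit) are routinely scripted against exported access lists and change records. The following is an added example, not code from the textbook or from any organization; the function names, the roster, the maintenance log and the compensating-control register are constructed test data.

```python
"""Segregation-of-duties check over a constructed IT role roster.

Added illustration: the role names, roster, maintenance log and compensating
controls below are hypothetical test data, not from the textbook.
"""
from itertools import combinations

# Pairs of IT functions the chapter says must be kept apart.
INCOMPATIBLE = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "maintenance"}),
    frozenset({"new_systems_development", "maintenance"}),
}

# Constructed roster: person -> IT functions held, as an auditor would compile
# it from job descriptions, org charts and system access lists.
ROSTER = {
    "alice": {"systems_development"},
    "bob": {"computer_operations"},
    "carol": {"database_administration", "computer_operations"},
    "dave": {"new_systems_development", "maintenance"},
    "erin": {"maintenance"},
}

# Constructed compensating-control register: person -> conflicting pairs for
# which management has documented a mitigating control (e.g. independent
# review of every one of dave's maintenance changes).
COMPENSATING = {
    "dave": {frozenset({"new_systems_development", "maintenance"})},
}

# Constructed records: who designed each application, and who maintained it.
DESIGN_RECORDS = {"payroll": "alice", "general_ledger": "frank", "accounts_payable": "dave"}
MAINTENANCE_LOG = [("payroll", "erin"), ("general_ledger", "erin"), ("accounts_payable", "dave")]


def find_conflicts(roster, incompatible=INCOMPATIBLE, compensating=None):
    """Return (violations, mitigated) lists of (person, function_a, function_b).

    A conflicting pair counts as mitigated only if a compensating control is on
    record for exactly that person and that pair; everything else is a violation.
    """
    compensating = compensating or {}
    violations, mitigated = [], []
    for person, functions in sorted(roster.items()):
        for a, b in combinations(sorted(functions), 2):
            pair = frozenset({a, b})
            if pair not in incompatible:
                continue
            finding = (person, a, b)
            if pair in compensating.get(person, set()):
                mitigated.append(finding)
            else:
                violations.append(finding)
    return violations, mitigated


def maintainers_who_designed(design_records, maintenance_log):
    """Applications maintained by the same person who originally designed them."""
    return sorted(
        {(app, who) for app, who in maintenance_log if design_records.get(app) == who}
    )


if __name__ == "__main__":
    bad, ok = find_conflicts(ROSTER, compensating=COMPENSATING)
    for person, a, b in bad:
        print(f"VIOLATION  {person} holds both {a} and {b}")
    for person, a, b in ok:
        print(f"MITIGATED  {person}: {a} + {b} (compensating control on file)")
    for app, who in maintainers_who_designed(DESIGN_RECORDS, MAINTENANCE_LOG):
        print(f"VIOLATION  {who} maintains {app}, which they also designed")
```

The check is only as good as the roster: it must be built from actual access rights, not from job titles, since the fraud scenario in the chapter is precisely a programmer whose effective access outlives the role they are nominally in.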
The Computer Center
• Physical location:
• Directly affects risk of destruction from a disaster.
• Away from hazards and traffic.
• Construction:
• Ideally: single-story, solidly constructed with
underground utilities.
• Windows should not open and an air filtration system
should be in place.
• Access:
• Should be limited with locked doors, cameras, key card
entrance and sign-in logs.
The Computer Center
• Air conditioning should provide appropriate
temperature and humidity for computers.
• Fire suppression:
• Alarms, fire extinguishing system, appropriate construction,
fire exits.
• Fault tolerance is the ability of the system to continue
operation when part of the system fails.
• Total failure can occur only if multiple components fail.
• Redundant arrays of independent disks (RAID) involves using
parallel disks with redundant data and applications so if one
disk fails, lost data can be reconstructed.
• Uninterruptible power supplies.
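How a RAID array reconstructs a failed disk from redundant data, and why "total failure can occur only if multiple components fail", is easiest to see with the parity arithmetic written out. The block below is an added example, not from the textbook: it models a single XOR parity block (RAID 4/5 style) over constructed sample data and a constructed three-data-disk layout, and shows that one lost disk is recoverable while two are not.

```python
"""RAID-style XOR parity: stripe data across disks and rebuild one lost disk.

Added illustration of the mechanism described on the slide. The record and the
disk count are constructed; this models a single parity block, not any vendor's
implementation.
"""
from functools import reduce


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length byte strings."""
    return bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*blocks))


def stripe_with_parity(data: bytes, data_disks: int):
    """Split data into data_disks equal blocks and append one XOR parity block.

    Returns data_disks + 1 blocks; the last one is parity.
    """
    block_size = -(-len(data) // data_disks)            # ceiling division
    padded = data.ljust(block_size * data_disks, b"\0")
    blocks = [padded[i * block_size:(i + 1) * block_size] for i in range(data_disks)]
    return blocks + [xor_blocks(blocks)]


def rebuild(disks):
    """Replace a single missing disk (None) with the XOR of all survivors.

    Parity P = D0 ^ D1 ^ ... ^ Dn, so XOR-ing every surviving block, data and
    parity alike, yields exactly the missing block. With two or more blocks
    missing there is one equation for two unknowns, and single parity cannot
    recover: that is the 'multiple components fail' case.
    """
    missing = [i for i, d in enumerate(disks) if d is None]
    if not missing:
        return list(disks)
    if len(missing) > 1:
        raise ValueError(f"{len(missing)} disks lost; single parity recovers at most one")
    survivors = [d for d in disks if d is not None]
    rebuilt = list(disks)
    rebuilt[missing[0]] = xor_blocks(survivors)
    return rebuilt


def read_data(disks, data_disks: int, length: int) -> bytes:
    """Reassemble the original data from the (possibly rebuilt) disk set."""
    return b"".join(rebuild(disks)[:data_disks])[:length]


if __name__ == "__main__":
    record = b"GL BATCH 2016-12-31 JOURNAL 0042"      # constructed sample record
    array = stripe_with_parity(record, 3)
    failed = list(array)
    failed[1] = None                                  # simulate losing data disk 1
    print(read_data(failed, 3, len(record)))          # original record, reconstructed
    failed[3] = None                                  # second failure: parity disk too
    try:
        read_data(failed, 3, len(record))
    except ValueError as e:
        print("unrecoverable:", e)
```

The audit implication follows directly from the arithmetic: RAID protects against a single disk failure, not against site loss, deletion or ransomware, which is why the chapter still requires off-site backups in the DRP.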
Audit Procedures: The Computer
Center
• Auditor must verify that physical controls and
insurance coverage are adequate.
• Procedures include:
• Tests of physical construction.
• Tests of the fire detection system.
• Tests of access control.
• Tests of RAID.
• Tests of the uninterruptible power supply.
• Tests of insurance coverage.
Disaster Recovery Planning
• A disaster recovery plan is a statement of all actions
to be taken before, during and after any type of
disaster. Four common features:
• Identify critical applications:
• Short-term survival requires restoration of cash flow
generating functions.
• Applications supporting those functions should be
identified and prioritized in the restoration plan.
• Task of identifying critical items and prioritizing
applications requires active participation of user
departments, accountants and auditors.
Disaster Recovery Planning
• Create a disaster recovery team:
• Team members should be experts in their areas and
have assigned tasks.
• Provide second-site backup:
• A necessary ingredient of a DRP is that it provides for
duplicate data processing facilities following a disaster.
• Specify back-up and off-site storage procedures:
• All data files, applications, documentation and supplies
needed to perform critical functions should be
automatically backed up and stored at a secure off-site
location.
Second-Site Backups
• Mutual aid pact is an agreement between
organizations to aid each other with data
processing in a disaster.
• Empty shell or cold site plan involves obtaining a
building to serve as a data center in a disaster.
• Recovery depends on timely availability of hardware.
• Recovery operations center or hot site plan is a fully
equipped site that many companies share.
• Internally provided backup may be preferred by
organizations with many data processing centers.
DRP Audit Procedures
• To verify DRP is a realistic solution, the following
tests may be performed:
• Evaluate adequacy of backup site arrangements.
• Review list of critical applications for completeness.
• Verify copies of critical applications and operating
systems are stored off-site.
• Verify critical data files are backed up in accordance with
the DRP.
• Verify that types and quantities of items specified in the
DRP exist in a secure location.
• Verify disaster recovery team members are current
employees and aware of their assigned responsibilities.
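Several of the DRP tests above (critical data files backed up as the plan requires, copies actually present and intact at the off-site location, team members still current employees) can be run mechanically against the backup manifest and an HR extract. The block below is an added example and not from the textbook; the critical-application list, the vault inventory, the file contents, the audit date and the staff names are all constructed.

```python
"""Backup and DR-roster verification against a constructed DRP.

Added illustration of the DRP audit tests on the slide. Application list, vault
inventory, file contents, dates and names are hypothetical test data.
"""
import hashlib
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 12, 31, 8, 0, tzinfo=timezone.utc)   # constructed audit date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed DRP: critical applications, the data files each needs, and the
# maximum backup age the plan commits to.
CRITICAL_APPS = {
    "billing":        {"files": ["ar_master.dat"],                      "max_age_hours": 24},
    "general_ledger": {"files": ["gl_master.dat"],                      "max_age_hours": 24},
    "payroll":        {"files": ["payroll.dat", "employee_master.dat"], "max_age_hours": 168},
}

# Constructed off-site vault: stored bytes, the hash recorded in the backup
# manifest when the copy was written, and when it was taken.
OFFSITE_VAULT = {
    "ar_master.dat": {
        "content": b"AR|2016-12-30|...",
        "manifest_sha256": sha256_hex(b"AR|2016-12-30|..."),
        "backed_up": NOW - timedelta(hours=6),
    },
    "payroll.dat": {
        "content": b"PAY|2016-12-15|...",
        "manifest_sha256": sha256_hex(b"PAY|2016-12-15|..."),
        "backed_up": NOW - timedelta(days=16),          # older than the weekly cycle
    },
    "employee_master.dat": {
        "content": b"EMP|2016-12-29|...CORRUPT",
        "manifest_sha256": sha256_hex(b"EMP|2016-12-29|..."),
        "backed_up": NOW - timedelta(days=2),           # stored copy no longer matches manifest
    },
    # gl_master.dat is deliberately absent from the vault.
}

# Constructed DR team roster and current HR active-employee list.
DR_TEAM = {"dr_coordinator": "h.patel", "network_lead": "j.ortiz", "db_recovery": "m.chen"}
ACTIVE_EMPLOYEES = {"h.patel", "m.chen", "s.khan"}


def verify_backups(critical_apps, vault, now):
    """Return (app, file, finding) for every DRP backup test that fails."""
    findings = []
    for app, spec in critical_apps.items():
        limit = timedelta(hours=spec["max_age_hours"])
        for name in spec["files"]:
            rec = vault.get(name)
            if rec is None:
                findings.append((app, name, "not present in off-site vault"))
                continue
            if now - rec["backed_up"] > limit:
                findings.append((app, name, "backup older than DRP frequency"))
            if sha256_hex(rec["content"]) != rec["manifest_sha256"]:
                findings.append((app, name, "stored copy does not match manifest hash"))
    return findings


def stale_team_members(team, active):
    """DR team roles assigned to people who are no longer current employees."""
    return sorted((role, who) for role, who in team.items() if who not in active)


if __name__ == "__main__":
    for app, name, finding in verify_backups(CRITICAL_APPS, OFFSITE_VAULT, NOW):
        print(f"FINDING  {app}/{name}: {finding}")
    for role, who in stale_team_members(DR_TEAM, ACTIVE_EMPLOYEES):
        print(f"FINDING  DR role {role} held by {who}, not a current employee")
```

Hashing the stored copy against the manifest tests that the off-site copy is intact; it does not prove the copy is restorable, which is why the chapter's list also calls for evaluating the backup-site arrangements and, in practice, a periodic restore test.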
Outsourcing the IT Function
• Benefits of IT outsourcing include:
• Improved core business processes.
• Improved IT performance.
• Reduced IT costs.
• The logic underlying outsourcing follows from core
competency theory, which argues that an organization
should focus on its core business competencies. This logic
ignores an important distinction between:
• Commodity IT assets, which are not unique to an organization
and are easily acquired in the marketplace.
• Specific IT assets, which are unique and support an
organization's strategic objectives.
Outsourcing the IT Function
• Transaction cost economics (TCE) suggests firms
should retain specific non-core IT assets in house.
• Those that cannot be easily replaced once they are given
up in an outsourcing arrangement.
• Cloud computing is location-independent
computing whereby shared data centers deliver
hosted IT services over the Internet. Offers three
primary classes of computing services:
• Software-as-a-Service (SaaS).
• Infrastructure-as-a-Service (IaaS).
• Platform-as-a-Service (PaaS).
Outsourcing the IT Function
• Virtualization has unleashed cloud computing.
• Network virtualization increases effective network
bandwidth, optimizes network speed, flexibility, and
reliability, and improves network scalability.
• Storage virtualization is the pooling of physical storage from
multiple devices into what appears to be a single virtual
storage device.
• Cloud computing may not be realistic for large firms:
• They typically have massive IT investments and are therefore not
inclined to turn their IT operations over to a cloud vendor.
• They may have critical functions running on legacy systems that
cannot be easily migrated to the cloud.
• The commodity-provision approach of the cloud is incompatible
with the need for unique strategic information.
Risks Inherent to IT Outsourcing
• Failure to perform.
• Vendor exploitation.
• Outsourcing costs exceed benefits.
• Reduced security.
• Loss of strategic advantage.
Audit Implications of IT
Outsourcing
• Use of a service organization does not reduce
management's responsibilities under SOX for
ensuring adequate IT internal controls.
• SSAE 16 replaced SAS 70 as the standard by which
auditors gain assurance that processes and controls
at third-party vendors are adequate to prevent or
detect material errors. (SSAE 16 has itself since been
superseded by SSAE 18, effective 2017; the resulting
reports are commonly referred to as SOC 1 reports.)
• The service auditor's report describes the service
organization's system and controls; controls at
subservice organizations are handled using either the
carve-out method or the inclusive method.
Audit Implications of IT
Outsourcing

 
Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
 
Model Attribute Check Company Auto Property
Model Attribute  Check Company Auto PropertyModel Attribute  Check Company Auto Property
Model Attribute Check Company Auto Property
 
The Diamond Necklace by Guy De Maupassant.pptx
The Diamond Necklace by Guy De Maupassant.pptxThe Diamond Necklace by Guy De Maupassant.pptx
The Diamond Necklace by Guy De Maupassant.pptx
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama UniversityNatural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
 

Chapter 2 auditing it governance controls

1. Chapter 2: Auditing IT Governance Controls
IT Auditing, Hall, 4e
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
0
2. Learning Objectives
• Understand the risks of incompatible functions and how to structure the IT function.
• Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities.
• Understand the key elements of a disaster recovery plan.
• Be familiar with the benefits, risks, and audit issues related to IT outsourcing.
1
3. IT Governance
• Subset of corporate governance that focuses on the management and assessment of strategic IT resources.
• Key objectives are to reduce risk and ensure investments in IT resources add value to the corporation.
• All corporate stakeholders must be active participants in key IT decisions.
2
4. IT Governance Controls
• Three IT governance issues addressed by SOX and the COSO internal control framework:
• Organizational structure of the IT function.
• Computer center operations.
• Disaster recovery planning.
3
5. Structure of the Corporate IT Function
• Under the centralized data processing model, all data processing is performed at a central site.
• End users compete for resources based on need.
• Operating costs are charged back to the end user.
• Primary service areas:
• Database administrator.
• Data processing, consisting of data control/data entry, computer operations and data library.
• Systems development and maintenance.
• Participation in systems development activities includes systems professionals, end users and stakeholders.
4
6. Structure of the Corporate IT Function
5
8. Alternative Organization of Systems Development Problems
• Two control problems with segregating systems analysis from applications programming:
• Inadequate documentation is a chronic problem.
• Documenting systems is not an interesting task.
• Lack of documentation provides job security for the programmer who coded it.
• When the systems programmer has maintenance responsibilities, the potential for fraud is increased.
• The programmer may have concealed fraudulent code in the system.
• Having sole responsibility for maintenance may allow the programmer to conceal the code for years.
7
9. Structure of the Corporate IT Function
8
10. Segregation of Incompatible IT Functions
• Systems development from computer operations.
• The relationship between the groups should be formal and responsibilities should not be commingled.
• Database administration from other functions.
• The DBA function is responsible for many critical tasks and needs to be organizationally independent of operations, systems development and maintenance.
• New systems development from maintenance.
• Improves documentation standards because the maintenance group requires documentation.
• Denying the original programmer future access deters program fraud.
9
11. The Distributed Model
• Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users.
• Two alternatives:
• Alternative A: Variant of the centralized model with terminals or microcomputers distributed to end users for handling input and output.
• Alternative B: Distributes all computer services to the end users, where they operate as stand-alone units.
10
13. Audit Objectives and Audit Procedures Based on Management Assertions
Management Assertions | Audit Objectives | Audit Procedure
Existence or occurrence | Inventories listed on the balance sheet exist. | Observe the counting of physical inventory.
Completeness | Accounts payable include all obligations to vendors for the period. | Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period.
Rights and obligations | Plant and equipment listed in the balance sheet are owned by the entity. | Review purchase agreements, insurance policies, and related documents.
Valuation or allocation | Accounts receivable are stated at net realizable value. | Review the entity’s aging of accounts and evaluate the adequacy of the allowance for uncollectible accounts.
Presentation and disclosure | Contingencies not reported in financial accounts are properly disclosed in footnotes. | Obtain information from entity lawyers about the status of litigation and estimates of potential loss.
12
14. Risks Associated with DDP
• Inefficient use of resources:
• Mismanagement of IT resources by end users.
• Operational inefficiencies due to redundant tasks being performed.
• Hardware and software incompatibility among end-user functions.
• Destruction of audit trails.
• Inadequate segregation of duties.
• Hiring qualified professionals:
• The risk of programming errors and system failures increases directly with the level of employee incompetence.
• Lack of standards.
13
15. Controlling the DDP Environment
• Implement a corporate IT function:
• Central testing of commercial software and hardware.
• User services to provide technical help.
• Standard-setting body.
• Personnel review.
14
16. Audit Procedures for the DDP
• Audit procedures in a centralized IT organization:
• Review relevant documentation to determine if individuals or groups are performing incompatible functions.
• Review systems documentation and maintenance records to verify maintenance programmers are not designers.
• Observe to determine if the segregation policy is being followed.
15
17. Audit Procedures for the DDP
• Audit procedures in a distributed IT organization:
• Review relevant documentation to determine if individuals or groups are performing incompatible duties.
• Verify corporate policies and standards are published and provided to distributed IT units.
• Verify compensating controls are in place when needed.
• Review system documentation to verify applications, procedures and databases are in accordance with standards.
16
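The "incompatible functions" tests on the segregation slide and the two audit-procedure slides can be partly automated once the role assignments and system documentation are in machine-readable form. The script below is an added illustration, not code from the Hall text: it encodes the slide's incompatible pairings (development vs. operations, development vs. maintenance, DBA vs. the rest) as a conflict table, checks a constructed roster against it, and runs the "maintenance programmers are not designers" test against constructed authorship records. All names, role labels and records are constructed for the example.

```python
"""Segregation-of-duties check over a constructed role roster.

Added illustration for the "Segregation of Incompatible IT Functions"
and "Audit Procedures for the DDP" slides; it is not code from the Hall
text.  The function labels, the roster and the authorship records are
constructed for the example.
"""
from itertools import combinations

# Labels for the IT functions the slides discuss (hypothetical names).
SYSTEMS_DEVELOPMENT = "systems_development"
MAINTENANCE = "maintenance"
COMPUTER_OPERATIONS = "computer_operations"
DBA = "database_administration"
DATA_CONTROL = "data_control"

# The pairings the slide says must not be held by the same person:
# development vs operations, development vs maintenance, and the DBA
# role vs operations, development and maintenance.
INCOMPATIBLE_PAIRS = {
    frozenset({SYSTEMS_DEVELOPMENT, COMPUTER_OPERATIONS}),
    frozenset({SYSTEMS_DEVELOPMENT, MAINTENANCE}),
    frozenset({DBA, COMPUTER_OPERATIONS}),
    frozenset({DBA, SYSTEMS_DEVELOPMENT}),
    frozenset({DBA, MAINTENANCE}),
}

# Constructed roster: person -> set of functions currently assigned.
ROSTER = {
    "alice": {SYSTEMS_DEVELOPMENT},
    "bob": {COMPUTER_OPERATIONS, DATA_CONTROL},
    "carol": {DBA, MAINTENANCE},                  # DBA who also maintains code
    "dave": {SYSTEMS_DEVELOPMENT, MAINTENANCE},   # designs and then maintains
}

# Constructed system documentation: application -> people who designed/coded it.
AUTHORSHIP = {
    "payroll": {"alice", "dave"},
    "ledger": {"alice"},
}


def sod_violations(roster):
    """Map each person holding an incompatible pairing to the pairs they hold.

    Each pair is returned as a sorted tuple so results are deterministic.
    """
    findings = {}
    for person, roles in roster.items():
        hits = [pair for pair in combinations(sorted(roles), 2)
                if frozenset(pair) in INCOMPATIBLE_PAIRS]
        if hits:
            findings[person] = hits
    return findings


def maintainers_who_designed(roster, authorship):
    """Applications whose current maintainers include an original designer.

    This is the "maintenance programmers are not designers" test from the
    audit-procedures slide.  Returns application -> set of offending people.
    """
    maintainers = {p for p, roles in roster.items() if MAINTENANCE in roles}
    return {app: authors & maintainers
            for app, authors in authorship.items()
            if authors & maintainers}


if __name__ == "__main__":
    for person, pairs in sod_violations(ROSTER).items():
        print(f"{person}: holds incompatible functions {pairs}")
    for app, people in maintainers_who_designed(ROSTER, AUTHORSHIP).items():
        print(f"{app}: maintained by its own designer(s) {sorted(people)}")
```

The conflict table is the auditor's own judgement encoded once; the value of the script is that it can be re-run against every HR or access-control export rather than reviewed by hand. The observation step on the slide (checking that the written policy is actually followed) cannot be replaced this way.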
18. The Computer Center
• Physical location:
• Directly affects the risk of destruction from a disaster.
• Away from hazards and traffic.
• Construction:
• Ideally: single-story, solidly constructed with underground utilities.
• Windows should not open and an air filtration system should be in place.
• Access:
• Should be limited with locked doors, cameras, key card entrance and sign-in logs.
17
19. The Computer Center
• Air conditioning should provide appropriate temperature and humidity for computers.
• Fire suppression:
• Alarms, fire extinguishing system, appropriate construction, fire exits.
• Fault tolerance is the ability of the system to continue operation when part of the system fails.
• Total failure can occur only if multiple components fail.
• Redundant arrays of independent disks (RAID) involves using parallel disks with redundant data and applications so that if one disk fails, lost data can be reconstructed.
• Uninterruptible power supplies.
18
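The slide states that RAID lets lost data be reconstructed after one disk fails, and that total failure needs multiple component failures. The following added example (not from the Hall text) shows the mechanism behind both statements for a single stripe with one XOR parity block, the idea used by RAID 5; the rotating-parity layout and multi-stripe handling of a real array are left out, and the block contents are constructed.

```python
"""XOR-parity reconstruction, the mechanism behind the slide's claim that a
RAID array can rebuild the data of one failed disk from the others.

Added illustration, not code from the Hall text.  It models one stripe with
a single parity block (the RAID 5 idea, without the rotating-parity layout);
the block contents are constructed.
"""


def parity(blocks):
    """XOR equal-length byte blocks together into one parity block."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("every block in a stripe must have the same length")
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripe(data_blocks):
    """Lay out one stripe: the data blocks followed by their parity block,
    one block per disk."""
    return list(data_blocks) + [parity(data_blocks)]


def rebuild(stripe, failed_disks):
    """Simulate losing the disks in `failed_disks` and try to recover.

    With one disk lost (data or parity) the missing block is the XOR of all
    survivors, because XOR-ing a value in twice cancels it.  With two or more
    lost there are two unknowns and one equation, so the function returns
    None: the slide's "total failure only if multiple components fail".
    """
    lost = [None if i in failed_disks else b for i, b in enumerate(stripe)]
    if lost.count(None) > 1:
        return None
    survivors = [b for b in lost if b is not None]
    return [parity(survivors) if b is None else b for b in lost]


# Constructed 5-byte blocks standing in for three data disks.
DATA_BLOCKS = [b"audit", b"trail", b"logs!"]

if __name__ == "__main__":
    stripe = write_stripe(DATA_BLOCKS)
    print("parity block:", stripe[-1].hex())
    print("disk 1 lost, rebuilt:", rebuild(stripe, {1})[1])
    print("disks 0 and 2 lost:", rebuild(stripe, {0, 2}))
```

For the auditor's "tests of RAID" on the next slide, the useful check is not the arithmetic but whether the array is actually in a redundant state: a stripe that has already lost one disk and not been rebuilt is one more failure away from the None case above.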
20. Audit Procedures: The Computer Center
• The auditor must verify that physical controls and insurance coverage are adequate.
• Procedures include:
• Tests of physical construction.
• Tests of the fire detection system.
• Tests of access control.
• Tests of RAID.
• Tests of the uninterruptible power supply.
• Tests of insurance coverage.
19
21. Disaster Recovery Planning
• A disaster recovery plan is a statement of all actions to be taken before, during and after any type of disaster. Four common features:
• Identify critical applications:
• Short-term survival requires restoration of cash flow generating functions.
• Applications supporting those functions should be identified and prioritized in the restoration plan.
• The task of identifying critical items and prioritizing applications requires active participation of user departments, accountants and auditors.
20
22. Disaster Recovery Planning
• Create a disaster recovery team:
• Team members should be experts in their areas and have assigned tasks.
• Provide second-site backup:
• A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster.
• Specify back-up and off-site storage procedures:
• All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.
21
23. Second-Site Backups
• A mutual aid pact is an agreement between organizations to aid each other with data processing in a disaster.
• An empty shell or cold site plan involves obtaining a building to serve as a data center in a disaster.
• Recovery depends on timely availability of hardware.
• A recovery operations center or hot site plan is a fully equipped site that many companies share.
• Internally provided backup may be preferred by organizations with many data processing centers.
22
24. DRP Audit Procedures
• To verify the DRP is a realistic solution, the following tests may be performed:
• Evaluate adequacy of backup site arrangements.
• Review the list of critical applications for completeness.
• Verify copies of critical applications and operating systems are stored off-site.
• Verify critical data files are backed up in accordance with the DRP.
• Verify that the types and quantities of items specified in the DRP exist in a secure location.
• Verify disaster recovery team members are current employees and aware of their assigned responsibilities.
23
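Three of the DRP audit tests above (off-site copies of critical files exist, they are backed up in accordance with the plan, and team members are current employees) can be expressed as checks over an inventory, and the off-site storage procedure on the previous slide gives the data they need. The script below is an added illustration, not the Hall text's own procedure: it compares a constructed DRP manifest (critical files with expected SHA-256 digests, a maximum backup age, and the recovery-team list) against a constructed off-site inventory and a constructed employee list, and reports every gap. File names, contents, dates and people are all constructed for the example.

```python
"""Automatable parts of the DRP audit procedures slide, as an added
illustration (not the Hall text's own procedure).

Everything below is constructed: the production files, the DRP manifest
(critical files with their expected SHA-256 digests, the required backup
interval and the recovery-team list), the off-site inventory, and the
current employee list.
"""
import hashlib
from datetime import datetime, timedelta


def sha256(data):
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed production copies of the critical files.
PRODUCTION = {
    "ledger.db": b"general ledger contents",
    "payroll.db": b"payroll master file",
    "ar.db": b"accounts receivable",
}

# Constructed DRP manifest: what the plan says must exist off-site.
DRP_MANIFEST = {
    "critical_files": {name: sha256(data) for name, data in PRODUCTION.items()},
    "max_backup_age": timedelta(days=1),
    "recovery_team": ["alice", "bob", "frank"],
}

# Constructed off-site inventory: digest and timestamp of each stored copy.
OFFSITE = {
    "ledger.db": {"sha256": sha256(b"general ledger contents"),
                  "taken": datetime(2024, 6, 2, 23, 0)},
    "payroll.db": {"sha256": sha256(b"payroll master filx"),   # corrupted copy
                   "taken": datetime(2024, 6, 2, 23, 0)},
    # ar.db has no off-site copy at all
}

# Constructed HR list; "frank" on the recovery team has left the company.
EMPLOYEES = {"alice", "bob", "carol"}

# Constructed audit dates: one within the backup interval, one well past it.
AUDIT_DATE = datetime(2024, 6, 3, 12, 0)
STALE_AUDIT_DATE = datetime(2024, 6, 5, 0, 0)


def audit_backups(manifest, offsite, now):
    """Check each critical file is stored off-site, matches the production
    digest, and was taken within the DRP's backup interval.  Returns findings."""
    findings = []
    for name, expected_digest in manifest["critical_files"].items():
        copy = offsite.get(name)
        if copy is None:
            findings.append(f"{name}: no off-site copy")
            continue
        if copy["sha256"] != expected_digest:
            findings.append(f"{name}: off-site copy does not match production digest")
        if now - copy["taken"] > manifest["max_backup_age"]:
            findings.append(f"{name}: off-site copy older than DRP backup interval")
    return findings


def audit_team(manifest, employees):
    """Recovery-team members named in the DRP who are no longer employees."""
    return sorted(set(manifest["recovery_team"]) - set(employees))


if __name__ == "__main__":
    for finding in audit_backups(DRP_MANIFEST, OFFSITE, AUDIT_DATE):
        print("backup finding:", finding)
    for person in audit_team(DRP_MANIFEST, EMPLOYEES):
        print("team finding:", person, "is not a current employee")
```

The digest comparison catches a copy that exists but would not restore correctly, which a presence-only check misses; the age comparison turns "in accordance with the DRP" into a testable number. Whether team members are aware of their responsibilities still has to be established by interview.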
25. Outsourcing the IT Function
• Benefits of IT outsourcing include:
• Improved core business processes.
• Improved IT performance.
• Reduced IT costs.
• The logic underlying outsourcing follows from core competency theory, which argues an organization should focus on its core business competencies. This ignores an important distinction between:
• Commodity IT assets, which are not unique to an organization and are easily acquired in the marketplace.
• Specific IT assets, which are unique and support an organization’s strategic objectives.
24
26. Outsourcing the IT Function
• Transaction cost economics (TCE) suggests firms should retain specific non-core IT assets in house.
• These are the assets that cannot be easily replaced once they are given up in an outsourcing arrangement.
• Cloud computing is location-independent computing whereby shared data centers deliver hosted IT services over the Internet. It offers three primary classes of computing services:
• Software-as-a-Service (SaaS).
• Infrastructure-as-a-Service (IaaS).
• Platform-as-a-Service (PaaS).
25
27. Outsourcing the IT Function
• Virtualization has unleashed cloud computing.
• Network virtualization increases effective network bandwidth; optimizes network speed, flexibility, and reliability; and improves network scalability.
• Storage virtualization is the pooling of physical storage from multiple devices into what appears to be a single virtual storage device.
• Cloud computing is not realistic for large firms:
• They typically have massive IT investments and therefore are not inclined to turn over their IT operations to a cloud vendor.
• They may have critical functions running on legacy systems that could not be easily migrated to the cloud.
• The commodity provision approach of the cloud is incompatible with the need for unique strategic information.
26
28. Risks Inherent to IT Outsourcing
• Failure to perform.
• Vendor exploitation.
• Outsourcing costs exceed benefits.
• Reduced security.
• Loss of strategic advantage.
27
29. Audit Implications of IT Outsourcing
• Use of a service organization does not reduce management’s responsibilities under SOX for ensuring adequate IT internal controls.
• SSAE 16 replaced SAS 70 and is the definitive standard by which auditors can gain knowledge that processes and controls at third-party vendors are adequate to prevent or detect material errors.
• The report provides the service provider’s description of its system, prepared using either the carve-out or the inclusive method.
28
30. Audit Implications of IT Outsourcing
29