SlideShare a Scribd company logo

Chapter 2 auditing it governance controls

Download as PPTX, PDF
T
Tommy Zul Hidayat

This document discusses controls related to IT governance, including the structure of the IT function, computer center operations, and disaster recovery planning. It covers topics such as segregating incompatible duties within the IT function, physical and environmental controls for the computer center, and key elements of an effective disaster recovery plan including identifying critical systems, backup sites, and testing procedures. Audit procedures are also presented for evaluating these various IT governance controls.

Technology
1 of 30
Chapter 2: Auditing IT Governance Controls IT Auditing, Hall, 4e © 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use. 0
Learning Objectives • Understand the risks of incompatible functions and how to structure the IT function. • Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities. • Understand the key elements of a disaster recovery plan. • Be familiar with the benefits, risks, and audit issues related to IT outsourcing. 1
IT Governance • Subset of corporate governance that focuses on the management and assessment of strategic IT resources. • Key objects are to reduce risk and ensure investments in IT resources add value to the corporation. • All corporate stakeholders must be active participants in key IT decisions. 2
IT Governance Controls • Three IT governance issues addressed by SOX and the COSO internal control framework: • Organizational structure of the IT function. • Computer center operations. • Disaster recovery planning. 3
Structure of the Corporate IT Function • Under the centralized data processing model, all data processing performed at a central site. • End users compete for resources based on need. • Operating costs charged back to end user. • Primary service areas: • Database administrator. • Data processing consisting of data control/data entry, computer operations and data library. • System development and maintenance • Participation in systems development activities include system professional, end users and stakeholders. 4
Structure of the Corporate IT Function 5
Alternative Organization of Systems Development 6
Alternative Organization of Systems Development Problems • Two control problems with segregating systems analysis from applications programming. • Inadequate documentation a chronic problem. • Documenting systems is not an interesting task. • Lack of documentation provides job security for the programmer who coded it. • When system programmer has maintenance responsibilities, potential for fraud is increased. • May have concealed fraudulent code in the system. • Having sole responsibility for maintenance may allow the programmer to conceal the code for years. 7
Structure of the Corporate IT Function 8
Segregation of Incompatible IT Functions • Systems development from computer operations. • Relationship between groups should be formal and responsibilities should not be comingled. • Database administration from other functions. • DBA function responsible for many critical tasks and needs to be organizationally independent of operations, systems development and maintenance. • New systems development from maintenance. • Improves documentation standards because maintenance group requires documentation. • Denying original programmer future access deters program fraud. 9
The Distributed Model • Distributed Data Processing (DDP) involves reorganizing central IT function into small IT units that are placed under the control of end users. • Two alternatives: • Alternative A: Variant of centralized model with terminals or microcomputers distributed to end users for handling input and output. • Alternative B: Distributes all computer services to the end users where they operate as stand alone units. 10
The Distributed Model 11
Management Assertions Audit Objectives Audit Procedure Existence or occurrence Inventories listed on the balance sheet exist. Observe the counting of physical inventory. Completeness Accounts payable include all obligations to vendors for the period. Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period. Rights and obligations Plant and equipment listed in the balance sheet are owned by the entity. Review purchase agreements, insurance policies, and related documents. Valuation or allocation Accounts receivable are stated at net realizable value. Review entity’s aging of accounts and evaluate the adequacy of the allowance for uncorrectable accounts. Presentation and disclosure Contingencies not reported in financial accounts are properly disclosed in footnotes. Obtain information from entity lawyers about the status of litigation and estimates of potential loss. Audit Objectives and Audit Procedures Based on Management Assertions 12
Risks Associated with DDP • Inefficient use of resources: • Mismanagement of IT resources by end users. • Operational inefficiencies due to redundant tasks being performed. • Hardware and software incompatibility among end-user functions. • Destruction of audit trails. • Inadequate segregation of duties. • Hiring qualified professionals: • Risk of programming errors and system failures increase directly with the level of employee incompetence. • Lack of standards. 13
Controlling the DDP Environment • Implement a corporate IT function: • Central testing of commercial software and hardware. • User services to provide technical help. • Standard-setting body. • Personnel review. 14
Audit Procedures for the DDP • Audit procedures in a centralized IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible functions. • Review systems documentation and maintenance records to verify maintenance programmers are not designers. • Observe to determine if segregation policy is being followed. 15
Audit Procedures for the DDP • Audit procedures in a distributed IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible duties. • Verify corporate policies and standards are published and provided to distributed IT units. • Verify compensating controls are in place when needed. • Review system documentation to verify applications, procedures and databased are in accordance with standards. 16
The Computer Center • Physical location: • Directly affects risk of destruction from a disaster. • Away from hazards and traffic. • Construction: • Ideally: single-story, solidly constructed with underground utilities. • Windows should not open and an air filtration system should be in place. • Access: • Should be limited with locked doors, cameras, key card entrance and sign-in logs. 17
The Computer Center • Air conditioning should provide appropriate temperature and humidity for computers. • Fire suppression: • Alarms, fire extinguishing system, appropriate construction, fire exits. • Fault tolerance is the ability of the system to continue operation when part of the system fails. • Total failure can occur only if multiple components fail. • Redundant arrays of independent disks (RAID) involves using parallel disks with redundant data and applications so if one disk fails, lost data can be reconstructed. • Uninterruptible power supplies. 18
Audit Procedures: The Computer Center • Auditor must verify that physical controls and insurance coverage are adequate. • Procedures include: • Tests of physical construction. • Tests of the fire detection system. • Tests of access control. • Tests of RAID. • Tests of the uninterruptible power supply. • Tests of insurance coverage. 19
Disaster Recovery Planning • A disaster recovery plan is a statement of all actions to be taken before, during and after any type of disaster. Four common features: • Identify critical applications: • Short-term survival requires restoration of cash flow generating functions. • Applications supporting those functions should be identified and prioritized in the restoration plan. • Task of identifying critical items and prioritizing applications requires active participation of user departments, accountants and auditors. 20
Disaster Recovery Planning • Create a disaster recovery team: • Team members should be experts in their areas and have assigned tasks. • Provide second-site backup: • Necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. • Specify back-up and off-site storage procedures: • All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location. 21
Second-Site Backups • Mutual aid pact is an agreement between organizations to aid each other with data processing in a disaster. • Empty shell or cold site plan involves obtaining a building to serve as a data center in a disaster. • Recovery depends on timely availability of hardware. • Recovery operations center or hot site plan is a fully equipped site that many companies share. • Internally provided backup may be preferred by organizations with many data processing centers. 22
DRP Audit Procedures • To verify DRP is a realistic solution, the following tests may be performed: • Evaluate adequacy of backup site arrangements. • Review list of critical applications for completeness. • Verify copies of critical applications and operating systems are stored off-site. • Verify critical data files are backed up in accordance with the DRP. • Verify that types and quantities of items specified in the DRP exist in a secure location. • Verify disaster recovery team members are current employees and aware of their assigned responsibilities. 23
Outsourcing the IT Function • Benefits of IT outsourcing include: • Improved core business processes. • Improved IT performance. • Reduced IT costs. • Logic underlying outsourcing follows from core competency theory which argues an organization should focus on its core business competencies. Ignores an important distinction between: • Commodity IT assets which are not unique to an organization and easily acquired in the marketplace. • Specific IT assets which are unique and support an organization’s strategic objectives. 24
Outsourcing the IT Function • Transaction cost economics (TCE) suggests firms should retain specific non-core IT assets in house. • Those that cannot be easily replaced once they are given up in an outsourcing arrangement. • Cloud computing is location-independent computing whereby shared data centers deliver hosted IT services over the Internet. Offers three primary classes of computing services: • Software-as-a-Service (SaaS). • Infrastructure-as-a-Service (IaaS). • Platform-as-a-Service (PaaS). 25
Outsourcing the IT Function • Virtualization has unleashed cloud computing. • Network virtualization increases effective network bandwidth, optimizes network speed, flexibility, and reliability, and improves network scalability. • Storage virtualization is the pooling of physical storage from multiple devices into what appears to be a single virtual storage device. • Cloud computing not realistic for large firms. • Typically have massive IT investments and therefore not inclined to turn over their IT operations to a could vendor. • May have critical functions running on legacy systems that could not be easily migrated to the cloud. • Commodity provision approach of the cloud incompatible with the need for unique strategic information. 26
Risks Inherent to IT Outsourcing • Failure to perform. • Vendor exploitation. • Outsourcing costs exceed benefits. • Reduced security. • Loss of strategic advantage. 27
Audit Implications of IT Outsourcing • Use of a service organization does not reduce management’s responsibilities under SOX for ensuring adequate IT internal controls. • SSAE 16 replaced SAS 70 and is the definitive standard by which auditors can gain knowledge that processes and controls at third-party vendors are adequate to prevent or detect material errors. • Report provides a description of service provider’s description using either the carve-out or the inclusive method 28
Audit Implications of IT Outsourcing 29

Recommended

Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controls
jayussuryawan
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal control
Tommy Zul Hidayat
 
Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systems
jayussuryawan
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networks
Tommy Zul Hidayat
 
James hall ch 1
James hall ch 1James hall ch 1
James hall ch 1
David Julian
 
Chapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's PerspectiveChapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's Perspective
ermin08
 
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Vhena Pilongo
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal control
jayussuryawan
 

Recommended

Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controls
jayussuryawan
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal control
Tommy Zul Hidayat
 
Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systems
jayussuryawan
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networks
Tommy Zul Hidayat
 
James hall ch 1
James hall ch 1James hall ch 1
James hall ch 1
David Julian
 
Chapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's PerspectiveChapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's Perspective
ermin08
 
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Vhena Pilongo
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal control
jayussuryawan
 
Pp 16-new
Pp 16-newPp 16-new
Pp 16-new
Sri Apriyanti Husain
 
Ethics fraud & internal control ppt @ dom s
Ethics fraud & internal control ppt @ dom sEthics fraud & internal control ppt @ dom s
Ethics fraud & internal control ppt @ dom s
Babasab Patil
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networks
jayussuryawan
 
Chapter 11, Tests of Controls
Chapter 11, Tests of ControlsChapter 11, Tests of Controls
Chapter 11, Tests of Controls
Sazzad Hossain, ITP, MBA, CSCA™
 
James hall ch 3
James hall ch 3James hall ch 3
James hall ch 3
David Julian
 
Chapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-reportChapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-report
JamesChaves3
 
Lecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Lecture slide, chapter 4, Other Assurance Engagements and Quality StandardsLecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Lecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Sazzad Hossain, ITP, MBA, CSCA™
 
Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3
Habib Ullah Qamar
 
James hall ch 13
James hall ch 13James hall ch 13
James hall ch 13
David Julian
 
James hall ch 4
James hall ch 4James hall ch 4
James hall ch 4
David Julian
 
James hall ch 8
James hall ch 8James hall ch 8
James hall ch 8
David Julian
 
James hall ch 15
James hall ch 15James hall ch 15
James hall ch 15
David Julian
 
Audit report- Consideration of Internal Control
Audit report- Consideration of Internal ControlAudit report- Consideration of Internal Control
Audit report- Consideration of Internal Control
nellynljcoles
 
James hall ch 2
James hall ch 2James hall ch 2
James hall ch 2
David Julian
 
Systems development and program change activities
Systems development and program change activitiesSystems development and program change activities
Systems development and program change activities
kristine manzano
 
It audit ch 1
It audit ch 1It audit ch 1
It audit ch 1
Ahmed Tnt
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit
Sreekanth Narendran
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
Mulyadi Yusuf
 
Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9
Sazzad Hossain, ITP, MBA, CSCA™
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques
_supriadi
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptx
dotco
 
Robert Williams Final Project
Robert Williams Final Project Robert Williams Final Project
Robert Williams Final Project
Robert D. Williams
 

More Related Content

What's hot

Pp 16-new
Pp 16-newPp 16-new
Pp 16-new
Sri Apriyanti Husain
 
Ethics fraud & internal control ppt @ dom s
Ethics fraud & internal control ppt @ dom sEthics fraud & internal control ppt @ dom s
Ethics fraud & internal control ppt @ dom s
Babasab Patil
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networks
jayussuryawan
 
Chapter 11, Tests of Controls
Chapter 11, Tests of ControlsChapter 11, Tests of Controls
Chapter 11, Tests of Controls
Sazzad Hossain, ITP, MBA, CSCA™
 
James hall ch 3
James hall ch 3James hall ch 3
James hall ch 3
David Julian
 
Chapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-reportChapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-report
JamesChaves3
 
Lecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Lecture slide, chapter 4, Other Assurance Engagements and Quality StandardsLecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Lecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Sazzad Hossain, ITP, MBA, CSCA™
 
Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3
Habib Ullah Qamar
 
James hall ch 13
James hall ch 13James hall ch 13
James hall ch 13
David Julian
 
James hall ch 4
James hall ch 4James hall ch 4
James hall ch 4
David Julian
 
James hall ch 8
James hall ch 8James hall ch 8
James hall ch 8
David Julian
 
James hall ch 15
James hall ch 15James hall ch 15
James hall ch 15
David Julian
 
Audit report- Consideration of Internal Control
Audit report- Consideration of Internal ControlAudit report- Consideration of Internal Control
Audit report- Consideration of Internal Control
nellynljcoles
 
James hall ch 2
James hall ch 2James hall ch 2
James hall ch 2
David Julian
 
Systems development and program change activities
Systems development and program change activitiesSystems development and program change activities
Systems development and program change activities
kristine manzano
 
It audit ch 1
It audit ch 1It audit ch 1
It audit ch 1
Ahmed Tnt
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit
Sreekanth Narendran
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
Mulyadi Yusuf
 
Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9
Sazzad Hossain, ITP, MBA, CSCA™
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques
_supriadi
 

What's hot (20)

Pp 16-new
Pp 16-newPp 16-new
Pp 16-new
 
Ethics fraud & internal control ppt @ dom s
Ethics fraud & internal control ppt @ dom sEthics fraud & internal control ppt @ dom s
Ethics fraud & internal control ppt @ dom s
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networks
 
Chapter 11, Tests of Controls
Chapter 11, Tests of ControlsChapter 11, Tests of Controls
Chapter 11, Tests of Controls
 
James hall ch 3
James hall ch 3James hall ch 3
James hall ch 3
 
Chapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-reportChapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-report
 
Lecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Lecture slide, chapter 4, Other Assurance Engagements and Quality StandardsLecture slide, chapter 4, Other Assurance Engagements and Quality Standards
Lecture slide, chapter 4, Other Assurance Engagements and Quality Standards
 
Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3
 
James hall ch 13
James hall ch 13James hall ch 13
James hall ch 13
 
James hall ch 4
James hall ch 4James hall ch 4
James hall ch 4
 
James hall ch 8
James hall ch 8James hall ch 8
James hall ch 8
 
James hall ch 15
James hall ch 15James hall ch 15
James hall ch 15
 
Audit report- Consideration of Internal Control
Audit report- Consideration of Internal ControlAudit report- Consideration of Internal Control
Audit report- Consideration of Internal Control
 
James hall ch 2
James hall ch 2James hall ch 2
James hall ch 2
 
Systems development and program change activities
Systems development and program change activitiesSystems development and program change activities
Systems development and program change activities
 
It audit ch 1
It audit ch 1It audit ch 1
It audit ch 1
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
 
Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques
 

Similar to Chapter 2 auditing it governance controls

CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptx
dotco
 
Robert Williams Final Project
Robert Williams Final Project Robert Williams Final Project
Robert Williams Final Project
Robert D. Williams
 
Robert Williams Final Project
Robert Williams Final Project Robert Williams Final Project
Robert Williams Final Project
Robert D. Williams
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
ssuser61ebf5
 
Reengineering pros and cons
Reengineering pros and consReengineering pros and cons
Reengineering pros and cons
Neema Volvoikar
 
The Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentThe Importance of Security within the Computer Environment
The Importance of Security within the Computer Environment
Adetula Bunmi
 
computer system validation
computer system validationcomputer system validation
computer system validation
Gopal Patel
 
A075434624
A075434624A075434624
A075434624
Dharmendra Kumar
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques
_supriadi
 
Myths of validation
Myths of validationMyths of validation
Myths of validation
Jeff Thomas
 
Itrisksisaudit1
Itrisksisaudit1Itrisksisaudit1
Itrisksisaudit1
PrabhatSingh316896
 
Chapter 11 Enterprise Resource Planning System
Chapter 11 Enterprise Resource Planning SystemChapter 11 Enterprise Resource Planning System
Chapter 11 Enterprise Resource Planning System
Muhammad Azmy
 
3. 1 req elicitation
3. 1 req elicitation3. 1 req elicitation
3. 1 req elicitation
Ashenafi Workie
 
Best practices in networks and infrastructure
Best practices in networks and infrastructureBest practices in networks and infrastructure
Best practices in networks and infrastructure
nicholas njoroge
 
auditing-190520092523.pdf
auditing-190520092523.pdfauditing-190520092523.pdf
auditing-190520092523.pdf
chetanvchaudhari
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1
Sreekanth Narendran
 
Mainframe Sort Operations: Gaining the Insights You Need for Peak Performance
Mainframe Sort Operations: Gaining the Insights You Need for Peak PerformanceMainframe Sort Operations: Gaining the Insights You Need for Peak Performance
Mainframe Sort Operations: Gaining the Insights You Need for Peak Performance
Precisely
 
3.42211- CIS Audit.pdf
3.42211- CIS Audit.pdf3.42211- CIS Audit.pdf
3.42211- CIS Audit.pdf
Nehemiah27
 
Software Engineering- Requirement Elicitation and Specification
Software Engineering- Requirement Elicitation and SpecificationSoftware Engineering- Requirement Elicitation and Specification
Software Engineering- Requirement Elicitation and Specification
Nishu Rastogi
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches
Jim Kaplan CIA CFE
 

Similar to Chapter 2 auditing it governance controls (20)

CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptx
 
Robert Williams Final Project
Robert Williams Final Project Robert Williams Final Project
Robert Williams Final Project
 
Robert Williams Final Project
Robert Williams Final Project Robert Williams Final Project
Robert Williams Final Project
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
Reengineering pros and cons
Reengineering pros and consReengineering pros and cons
Reengineering pros and cons
 
The Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentThe Importance of Security within the Computer Environment
The Importance of Security within the Computer Environment
 
computer system validation
computer system validationcomputer system validation
computer system validation
 
A075434624
A075434624A075434624
A075434624
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques
 
Myths of validation
Myths of validationMyths of validation
Myths of validation
 
Itrisksisaudit1
Itrisksisaudit1Itrisksisaudit1
Itrisksisaudit1
 
Chapter 11 Enterprise Resource Planning System
Chapter 11 Enterprise Resource Planning SystemChapter 11 Enterprise Resource Planning System
Chapter 11 Enterprise Resource Planning System
 
3. 1 req elicitation
3. 1 req elicitation3. 1 req elicitation
3. 1 req elicitation
 
Best practices in networks and infrastructure
Best practices in networks and infrastructureBest practices in networks and infrastructure
Best practices in networks and infrastructure
 
auditing-190520092523.pdf
auditing-190520092523.pdfauditing-190520092523.pdf
auditing-190520092523.pdf
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1
 
Mainframe Sort Operations: Gaining the Insights You Need for Peak Performance
Mainframe Sort Operations: Gaining the Insights You Need for Peak PerformanceMainframe Sort Operations: Gaining the Insights You Need for Peak Performance
Mainframe Sort Operations: Gaining the Insights You Need for Peak Performance
 
3.42211- CIS Audit.pdf
3.42211- CIS Audit.pdf3.42211- CIS Audit.pdf
3.42211- CIS Audit.pdf
 
Software Engineering- Requirement Elicitation and Specification
Software Engineering- Requirement Elicitation and SpecificationSoftware Engineering- Requirement Elicitation and Specification
Software Engineering- Requirement Elicitation and Specification
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches
 

Recently uploaded

How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Zilliz
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 

Recently uploaded (20)

How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 

Chapter 2 auditing it governance controls

  • 1. Chapter 2: Auditing IT Governance Controls IT Auditing, Hall, 4e © 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use. 0
  • 2. Learning Objectives • Understand the risks of incompatible functions and how to structure the IT function. • Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities. • Understand the key elements of a disaster recovery plan. • Be familiar with the benefits, risks, and audit issues related to IT outsourcing. 1
  • 3. IT Governance • Subset of corporate governance that focuses on the management and assessment of strategic IT resources. • Key objects are to reduce risk and ensure investments in IT resources add value to the corporation. • All corporate stakeholders must be active participants in key IT decisions. 2
  • 4. IT Governance Controls • Three IT governance issues addressed by SOX and the COSO internal control framework: • Organizational structure of the IT function. • Computer center operations. • Disaster recovery planning. 3
  • 5. Structure of the Corporate IT Function • Under the centralized data processing model, all data processing performed at a central site. • End users compete for resources based on need. • Operating costs charged back to end user. • Primary service areas: • Database administrator. • Data processing consisting of data control/data entry, computer operations and data library. • System development and maintenance • Participation in systems development activities include system professional, end users and stakeholders. 4
  • 6. Structure of the Corporate IT Function 5
  • 8. Alternative Organization of Systems Development Problems • Two control problems with segregating systems analysis from applications programming. • Inadequate documentation a chronic problem. • Documenting systems is not an interesting task. • Lack of documentation provides job security for the programmer who coded it. • When system programmer has maintenance responsibilities, potential for fraud is increased. • May have concealed fraudulent code in the system. • Having sole responsibility for maintenance may allow the programmer to conceal the code for years. 7
  • 9. Structure of the Corporate IT Function 8
  • 10. Segregation of Incompatible IT Functions • Systems development from computer operations. • Relationship between groups should be formal and responsibilities should not be comingled. • Database administration from other functions. • DBA function responsible for many critical tasks and needs to be organizationally independent of operations, systems development and maintenance. • New systems development from maintenance. • Improves documentation standards because maintenance group requires documentation. • Denying original programmer future access deters program fraud. 9
  • 11. The Distributed Model • Distributed Data Processing (DDP) involves reorganizing central IT function into small IT units that are placed under the control of end users. • Two alternatives: • Alternative A: Variant of centralized model with terminals or microcomputers distributed to end users for handling input and output. • Alternative B: Distributes all computer services to the end users where they operate as stand alone units. 10
  • 13. Management Assertions Audit Objectives Audit Procedure Existence or occurrence Inventories listed on the balance sheet exist. Observe the counting of physical inventory. Completeness Accounts payable include all obligations to vendors for the period. Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period. Rights and obligations Plant and equipment listed in the balance sheet are owned by the entity. Review purchase agreements, insurance policies, and related documents. Valuation or allocation Accounts receivable are stated at net realizable value. Review entity’s aging of accounts and evaluate the adequacy of the allowance for uncorrectable accounts. Presentation and disclosure Contingencies not reported in financial accounts are properly disclosed in footnotes. Obtain information from entity lawyers about the status of litigation and estimates of potential loss. Audit Objectives and Audit Procedures Based on Management Assertions 12
  • 14. Risks Associated with DDP • Inefficient use of resources: • Mismanagement of IT resources by end users. • Operational inefficiencies due to redundant tasks being performed. • Hardware and software incompatibility among end-user functions. • Destruction of audit trails. • Inadequate segregation of duties. • Hiring qualified professionals: • Risk of programming errors and system failures increase directly with the level of employee incompetence. • Lack of standards. 13
  • 15. Controlling the DDP Environment • Implement a corporate IT function: • Central testing of commercial software and hardware. • User services to provide technical help. • Standard-setting body. • Personnel review. 14
  • 16. Audit Procedures for the DDP • Audit procedures in a centralized IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible functions. • Review systems documentation and maintenance records to verify maintenance programmers are not designers. • Observe to determine if segregation policy is being followed. 15
  • 17. Audit Procedures for the DDP • Audit procedures in a distributed IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible duties. • Verify corporate policies and standards are published and provided to distributed IT units. • Verify compensating controls are in place when needed. • Review system documentation to verify applications, procedures and databased are in accordance with standards. 16
  • 18. The Computer Center • Physical location: • Directly affects risk of destruction from a disaster. • Away from hazards and traffic. • Construction: • Ideally: single-story, solidly constructed with underground utilities. • Windows should not open and an air filtration system should be in place. • Access: • Should be limited with locked doors, cameras, key card entrance and sign-in logs. 17
  • 19. The Computer Center • Air conditioning should provide appropriate temperature and humidity for computers. • Fire suppression: • Alarms, fire extinguishing system, appropriate construction, fire exits. • Fault tolerance is the ability of the system to continue operation when part of the system fails. • Total failure can occur only if multiple components fail. • Redundant arrays of independent disks (RAID) involves using parallel disks with redundant data and applications so if one disk fails, lost data can be reconstructed. • Uninterruptible power supplies. 18
  • 20. Audit Procedures: The Computer Center • Auditor must verify that physical controls and insurance coverage are adequate. • Procedures include: • Tests of physical construction. • Tests of the fire detection system. • Tests of access control. • Tests of RAID. • Tests of the uninterruptible power supply. • Tests of insurance coverage. 19
  • 21. Disaster Recovery Planning • A disaster recovery plan is a statement of all actions to be taken before, during and after any type of disaster. Four common features: • Identify critical applications: • Short-term survival requires restoration of cash flow generating functions. • Applications supporting those functions should be identified and prioritized in the restoration plan. • Task of identifying critical items and prioritizing applications requires active participation of user departments, accountants and auditors. 20
  • 22. Disaster Recovery Planning • Create a disaster recovery team: • Team members should be experts in their areas and have assigned tasks. • Provide second-site backup: • Necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. • Specify back-up and off-site storage procedures: • All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location. 21
  • 23. Second-Site Backups • Mutual aid pact is an agreement between organizations to aid each other with data processing in a disaster. • Empty shell or cold site plan involves obtaining a building to serve as a data center in a disaster. • Recovery depends on timely availability of hardware. • Recovery operations center or hot site plan is a fully equipped site that many companies share. • Internally provided backup may be preferred by organizations with many data processing centers. 22
  • 24. DRP Audit Procedures • To verify DRP is a realistic solution, the following tests may be performed: • Evaluate adequacy of backup site arrangements. • Review list of critical applications for completeness. • Verify copies of critical applications and operating systems are stored off-site. • Verify critical data files are backed up in accordance with the DRP. • Verify that types and quantities of items specified in the DRP exist in a secure location. • Verify disaster recovery team members are current employees and aware of their assigned responsibilities. 23
  • 25. Outsourcing the IT Function • Benefits of IT outsourcing include: • Improved core business processes. • Improved IT performance. • Reduced IT costs. • Logic underlying outsourcing follows from core competency theory which argues an organization should focus on its core business competencies. Ignores an important distinction between: • Commodity IT assets which are not unique to an organization and easily acquired in the marketplace. • Specific IT assets which are unique and support an organization’s strategic objectives. 24
  • 26. Outsourcing the IT Function • Transaction cost economics (TCE) suggests firms should retain specific non-core IT assets in house. • Those that cannot be easily replaced once they are given up in an outsourcing arrangement. • Cloud computing is location-independent computing whereby shared data centers deliver hosted IT services over the Internet. Offers three primary classes of computing services: • Software-as-a-Service (SaaS). • Infrastructure-as-a-Service (IaaS). • Platform-as-a-Service (PaaS). 25
  • 27. Outsourcing the IT Function • Virtualization has unleashed cloud computing. • Network virtualization increases effective network bandwidth, optimizes network speed, flexibility, and reliability, and improves network scalability. • Storage virtualization is the pooling of physical storage from multiple devices into what appears to be a single virtual storage device. • Cloud computing not realistic for large firms. • Typically have massive IT investments and therefore not inclined to turn over their IT operations to a could vendor. • May have critical functions running on legacy systems that could not be easily migrated to the cloud. • Commodity provision approach of the cloud incompatible with the need for unique strategic information. 26
  • 28. Risks Inherent to IT Outsourcing • Failure to perform. • Vendor exploitation. • Outsourcing costs exceed benefits. • Reduced security. • Loss of strategic advantage. 27
  • 29. Audit Implications of IT Outsourcing • Use of a service organization does not reduce management’s responsibilities under SOX for ensuring adequate IT internal controls. • SSAE 16 replaced SAS 70 and is the definitive standard by which auditors can gain knowledge that processes and controls at third-party vendors are adequate to prevent or detect material errors. • Report provides a description of service provider’s description using either the carve-out or the inclusive method 28
  • 30. Audit Implications of IT Outsourcing 29