SlideShare a Scribd company logo

Chapter 2 auditing it governance controls

Download as PPTX, PDF
T
Tommy Zul Hidayat

Describing suditing on IT governance

Technology
1 of 30
Chapter 2: Auditing IT Governance Controls IT Auditing, Hall, 4e © 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use. 0
Learning Objectives • Understand the risks of incompatible functions and how to structure the IT function. • Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities. • Understand the key elements of a disaster recovery plan. • Be familiar with the benefits, risks, and audit issues related to IT outsourcing. 1
IT Governance • Subset of corporate governance that focuses on the management and assessment of strategic IT resources. • Key objects are to reduce risk and ensure investments in IT resources add value to the corporation. • All corporate stakeholders must be active participants in key IT decisions. 2
IT Governance Controls • Three IT governance issues addressed by SOX and the COSO internal control framework: • Organizational structure of the IT function. • Computer center operations. • Disaster recovery planning. 3
Structure of the Corporate IT Function • Under the centralized data processing model, all data processing performed at a central site. • End users compete for resources based on need. • Operating costs charged back to end user. • Primary service areas: • Database administrator. • Data processing consisting of data control/data entry, computer operations and data library. • System development and maintenance • Participation in systems development activities include system professional, end users and stakeholders. 4
Structure of the Corporate IT Function 5
Alternative Organization of Systems Development 6
Alternative Organization of Systems Development Problems • Two control problems with segregating systems analysis from applications programming. • Inadequate documentation a chronic problem. • Documenting systems is not an interesting task. • Lack of documentation provides job security for the programmer who coded it. • When system programmer has maintenance responsibilities, potential for fraud is increased. • May have concealed fraudulent code in the system. • Having sole responsibility for maintenance may allow the programmer to conceal the code for years. 7
Structure of the Corporate IT Function 8
Segregation of Incompatible IT Functions • Systems development from computer operations. • Relationship between groups should be formal and responsibilities should not be comingled. • Database administration from other functions. • DBA function responsible for many critical tasks and needs to be organizationally independent of operations, systems development and maintenance. • New systems development from maintenance. • Improves documentation standards because maintenance group requires documentation. • Denying original programmer future access deters program fraud. 9
The Distributed Model • Distributed Data Processing (DDP) involves reorganizing central IT function into small IT units that are placed under the control of end users. • Two alternatives: • Alternative A: Variant of centralized model with terminals or microcomputers distributed to end users for handling input and output. • Alternative B: Distributes all computer services to the end users where they operate as stand alone units. 10
The Distributed Model 11
Management Assertions Audit Objectives Audit Procedure Existence or occurrence Inventories listed on the balance sheet exist. Observe the counting of physical inventory. Completeness Accounts payable include all obligations to vendors for the period. Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period. Rights and obligations Plant and equipment listed in the balance sheet are owned by the entity. Review purchase agreements, insurance policies, and related documents. Valuation or allocation Accounts receivable are stated at net realizable value. Review entity’s aging of accounts and evaluate the adequacy of the allowance for uncorrectable accounts. Presentation and disclosure Contingencies not reported in financial accounts are properly disclosed in footnotes. Obtain information from entity lawyers about the status of litigation and estimates of potential loss. Audit Objectives and Audit Procedures Based on Management Assertions 12
Risks Associated with DDP • Inefficient use of resources: • Mismanagement of IT resources by end users. • Operational inefficiencies due to redundant tasks being performed. • Hardware and software incompatibility among end-user functions. • Destruction of audit trails. • Inadequate segregation of duties. • Hiring qualified professionals: • Risk of programming errors and system failures increase directly with the level of employee incompetence. • Lack of standards. 13
Controlling the DDP Environment • Implement a corporate IT function: • Central testing of commercial software and hardware. • User services to provide technical help. • Standard-setting body. • Personnel review. 14
Audit Procedures for the DDP • Audit procedures in a centralized IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible functions. • Review systems documentation and maintenance records to verify maintenance programmers are not designers. • Observe to determine if segregation policy is being followed. 15
Audit Procedures for the DDP • Audit procedures in a distributed IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible duties. • Verify corporate policies and standards are published and provided to distributed IT units. • Verify compensating controls are in place when needed. • Review system documentation to verify applications, procedures and databased are in accordance with standards. 16
The Computer Center • Physical location: • Directly affects risk of destruction from a disaster. • Away from hazards and traffic. • Construction: • Ideally: single-story, solidly constructed with underground utilities. • Windows should not open and an air filtration system should be in place. • Access: • Should be limited with locked doors, cameras, key card entrance and sign-in logs. 17
The Computer Center • Air conditioning should provide appropriate temperature and humidity for computers. • Fire suppression: • Alarms, fire extinguishing system, appropriate construction, fire exits. • Fault tolerance is the ability of the system to continue operation when part of the system fails. • Total failure can occur only if multiple components fail. • Redundant arrays of independent disks (RAID) involves using parallel disks with redundant data and applications so if one disk fails, lost data can be reconstructed. • Uninterruptible power supplies. 18
Audit Procedures: The Computer Center • Auditor must verify that physical controls and insurance coverage are adequate. • Procedures include: • Tests of physical construction. • Tests of the fire detection system. • Tests of access control. • Tests of RAID. • Tests of the uninterruptible power supply. • Tests of insurance coverage. 19
Disaster Recovery Planning • A disaster recovery plan is a statement of all actions to be taken before, during and after any type of disaster. Four common features: • Identify critical applications: • Short-term survival requires restoration of cash flow generating functions. • Applications supporting those functions should be identified and prioritized in the restoration plan. • Task of identifying critical items and prioritizing applications requires active participation of user departments, accountants and auditors. 20
Disaster Recovery Planning • Create a disaster recovery team: • Team members should be experts in their areas and have assigned tasks. • Provide second-site backup: • Necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. • Specify back-up and off-site storage procedures: • All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location. 21
Second-Site Backups • Mutual aid pact is an agreement between organizations to aid each other with data processing in a disaster. • Empty shell or cold site plan involves obtaining a building to serve as a data center in a disaster. • Recovery depends on timely availability of hardware. • Recovery operations center or hot site plan is a fully equipped site that many companies share. • Internally provided backup may be preferred by organizations with many data processing centers. 22
DRP Audit Procedures • To verify DRP is a realistic solution, the following tests may be performed: • Evaluate adequacy of backup site arrangements. • Review list of critical applications for completeness. • Verify copies of critical applications and operating systems are stored off-site. • Verify critical data files are backed up in accordance with the DRP. • Verify that types and quantities of items specified in the DRP exist in a secure location. • Verify disaster recovery team members are current employees and aware of their assigned responsibilities. 23
Outsourcing the IT Function • Benefits of IT outsourcing include: • Improved core business processes. • Improved IT performance. • Reduced IT costs. • Logic underlying outsourcing follows from core competency theory which argues an organization should focus on its core business competencies. Ignores an important distinction between: • Commodity IT assets which are not unique to an organization and easily acquired in the marketplace. • Specific IT assets which are unique and support an organization’s strategic objectives. 24
Outsourcing the IT Function • Transaction cost economics (TCE) suggests firms should retain specific non-core IT assets in house. • Those that cannot be easily replaced once they are given up in an outsourcing arrangement. • Cloud computing is location-independent computing whereby shared data centers deliver hosted IT services over the Internet. Offers three primary classes of computing services: • Software-as-a-Service (SaaS). • Infrastructure-as-a-Service (IaaS). • Platform-as-a-Service (PaaS). 25
Outsourcing the IT Function • Virtualization has unleashed cloud computing. • Network virtualization increases effective network bandwidth, optimizes network speed, flexibility, and reliability, and improves network scalability. • Storage virtualization is the pooling of physical storage from multiple devices into what appears to be a single virtual storage device. • Cloud computing not realistic for large firms. • Typically have massive IT investments and therefore not inclined to turn over their IT operations to a could vendor. • May have critical functions running on legacy systems that could not be easily migrated to the cloud. • Commodity provision approach of the cloud incompatible with the need for unique strategic information. 26
Risks Inherent to IT Outsourcing • Failure to perform. • Vendor exploitation. • Outsourcing costs exceed benefits. • Reduced security. • Loss of strategic advantage. 27
Audit Implications of IT Outsourcing • Use of a service organization does not reduce management’s responsibilities under SOX for ensuring adequate IT internal controls. • SSAE 16 replaced SAS 70 and is the definitive standard by which auditors can gain knowledge that processes and controls at third-party vendors are adequate to prevent or detect material errors. • Report provides a description of service provider’s description using either the carve-out or the inclusive method 28
Audit Implications of IT Outsourcing 29

Recommended

Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksTommy Zul Hidayat
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controlTommy Zul Hidayat
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsjayussuryawan
 
Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsjayussuryawan
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controljayussuryawan
 
Chapter 4 : Security Part II Auditing Database System
Chapter 4 : Security Part II Auditing Database SystemChapter 4 : Security Part II Auditing Database System
Chapter 4 : Security Part II Auditing Database Systemrefidelia19
 
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Vhena Pilongo
 
James hall ch 3
James hall ch 3James hall ch 3
James hall ch 3David Julian
 

Recommended

Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksTommy Zul Hidayat
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controlTommy Zul Hidayat
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsjayussuryawan
 
Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsjayussuryawan
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controljayussuryawan
 
Chapter 4 : Security Part II Auditing Database System
Chapter 4 : Security Part II Auditing Database SystemChapter 4 : Security Part II Auditing Database System
Chapter 4 : Security Part II Auditing Database Systemrefidelia19
 
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Vhena Pilongo
 
James hall ch 3
James hall ch 3James hall ch 3
James hall ch 3David Julian
 
James hall ch 1
James hall ch 1James hall ch 1
James hall ch 1David Julian
 
James hall ch 15
James hall ch 15James hall ch 15
James hall ch 15David Julian
 
Lecture 21 expenditure cycle part i - accounting information systesm james ...
Lecture 21 expenditure cycle part i - accounting information systesm james ...Lecture 21 expenditure cycle part i - accounting information systesm james ...
Lecture 21 expenditure cycle part i - accounting information systesm james ...Habib Ullah Qamar
 
Chapter 12 - Designing Substantive Procedures
Chapter 12 - Designing Substantive ProceduresChapter 12 - Designing Substantive Procedures
Chapter 12 - Designing Substantive ProceduresSazzad Hossain, ITP, MBA, CSCA™
 
Chapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's PerspectiveChapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's Perspectiveermin08
 
Test Data Approach
Test Data ApproachTest Data Approach
Test Data Approachkzoe1996
 
Savant
SavantSavant
Savantobsession56
 
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptxOliviaCelestine
 
Audit Sampling for Tests of Details of Balances
Audit Sampling for Tests of Details of BalancesAudit Sampling for Tests of Details of Balances
Audit Sampling for Tests of Details of BalancesCarl Hebeler
 
General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)Osareme Erhomosele
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques_supriadi
 
Chapter 02 - Transaction Processing System
Chapter 02 - Transaction Processing SystemChapter 02 - Transaction Processing System
Chapter 02 - Transaction Processing SystemViduni Udovita
 
James hall ch 2
James hall ch 2James hall ch 2
James hall ch 2David Julian
 
Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Magnolia Raz
 
Auditing the expenditure cycle
Auditing the expenditure cycleAuditing the expenditure cycle
Auditing the expenditure cycleAngela Torres
 
Internal Control
Internal ControlInternal Control
Internal ControlSalih Islam
 
At (07) code of ethics
At (07) code of ethicsAt (07) code of ethics
At (07) code of ethicsRoward Patnaan
 
James hall ch 4
James hall ch 4James hall ch 4
James hall ch 4David Julian
 
Accounting information system
Accounting information systemAccounting information system
Accounting information systemsellyhood
 
James hall ch 8
James hall ch 8James hall ch 8
James hall ch 8David Julian
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptxdotco
 
Robert Williams Final Project
Robert Williams Final Project Robert Williams Final Project
Robert Williams Final Project Robert D. Williams
 

More Related Content

What's hot

Lecture 21 expenditure cycle part i - accounting information systesm james ...
Lecture 21 expenditure cycle part i - accounting information systesm james ...Lecture 21 expenditure cycle part i - accounting information systesm james ...
Lecture 21 expenditure cycle part i - accounting information systesm james ...Habib Ullah Qamar
 
Chapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's PerspectiveChapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's Perspectiveermin08
 
Test Data Approach
Test Data ApproachTest Data Approach
Test Data Approachkzoe1996
 
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptxOliviaCelestine
 
Audit Sampling for Tests of Details of Balances
Audit Sampling for Tests of Details of BalancesAudit Sampling for Tests of Details of Balances
Audit Sampling for Tests of Details of BalancesCarl Hebeler
 
General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)Osareme Erhomosele
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques_supriadi
 
Chapter 02 - Transaction Processing System
Chapter 02 - Transaction Processing SystemChapter 02 - Transaction Processing System
Chapter 02 - Transaction Processing SystemViduni Udovita
 
Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Magnolia Raz
 
Auditing the expenditure cycle
Auditing the expenditure cycleAuditing the expenditure cycle
Auditing the expenditure cycleAngela Torres
 
Internal Control
Internal ControlInternal Control
Internal ControlSalih Islam
 
At (07) code of ethics
At (07) code of ethicsAt (07) code of ethics
At (07) code of ethicsRoward Patnaan
 
Accounting information system
Accounting information systemAccounting information system
Accounting information systemsellyhood
 

What's hot (20)

James hall ch 1
James hall ch 1James hall ch 1
James hall ch 1
 
James hall ch 15
James hall ch 15James hall ch 15
James hall ch 15
 
Lecture 21 expenditure cycle part i - accounting information systesm james ...
Lecture 21 expenditure cycle part i - accounting information systesm james ...Lecture 21 expenditure cycle part i - accounting information systesm james ...
Lecture 21 expenditure cycle part i - accounting information systesm james ...
 
Chapter 12 - Designing Substantive Procedures
Chapter 12 - Designing Substantive ProceduresChapter 12 - Designing Substantive Procedures
Chapter 12 - Designing Substantive Procedures
 
Chapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's PerspectiveChapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's Perspective
 
Test Data Approach
Test Data ApproachTest Data Approach
Test Data Approach
 
Savant
SavantSavant
Savant
 
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
 
Audit Sampling for Tests of Details of Balances
Audit Sampling for Tests of Details of BalancesAudit Sampling for Tests of Details of Balances
Audit Sampling for Tests of Details of Balances
 
General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques
 
Chapter 02 - Transaction Processing System
Chapter 02 - Transaction Processing SystemChapter 02 - Transaction Processing System
Chapter 02 - Transaction Processing System
 
James hall ch 2
James hall ch 2James hall ch 2
James hall ch 2
 
Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.
 
Auditing the expenditure cycle
Auditing the expenditure cycleAuditing the expenditure cycle
Auditing the expenditure cycle
 
Internal Control
Internal ControlInternal Control
Internal Control
 
At (07) code of ethics
At (07) code of ethicsAt (07) code of ethics
At (07) code of ethics
 
James hall ch 4
James hall ch 4James hall ch 4
James hall ch 4
 
Accounting information system
Accounting information systemAccounting information system
Accounting information system
 
James hall ch 8
James hall ch 8James hall ch 8
James hall ch 8
 

Similar to Chapter 2 auditing it governance controls

CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptxdotco
 
Robert Williams Final Project
Robert Williams Final Project Robert Williams Final Project
Robert Williams Final Project Robert D. Williams
 
Robert Williams Final Project
Robert Williams Final Project Robert Williams Final Project
Robert Williams Final Project Robert D. Williams
 
Reengineering pros and cons
Reengineering pros and consReengineering pros and cons
Reengineering pros and consNeema Volvoikar
 
The Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentThe Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentAdetula Bunmi
 
computer system validation
computer system validationcomputer system validation
computer system validationGopal Patel
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques_supriadi
 
Myths of validation
Myths of validationMyths of validation
Myths of validationJeff Thomas
 
Chapter 11 Enterprise Resource Planning System
Chapter 11 Enterprise Resource Planning SystemChapter 11 Enterprise Resource Planning System
Chapter 11 Enterprise Resource Planning SystemMuhammad Azmy
 
Best practices in networks and infrastructure
Best practices in networks and infrastructureBest practices in networks and infrastructure
Best practices in networks and infrastructurenicholas njoroge
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Sreekanth Narendran
 
Mainframe Sort Operations: Gaining the Insights You Need for Peak Performance
Mainframe Sort Operations: Gaining the Insights You Need for Peak PerformanceMainframe Sort Operations: Gaining the Insights You Need for Peak Performance
Mainframe Sort Operations: Gaining the Insights You Need for Peak PerformancePrecisely
 
3.42211- CIS Audit.pdf
3.42211- CIS Audit.pdf3.42211- CIS Audit.pdf
3.42211- CIS Audit.pdfNehemiah27
 
Software Engineering- Requirement Elicitation and Specification
Software Engineering- Requirement Elicitation and SpecificationSoftware Engineering- Requirement Elicitation and Specification
Software Engineering- Requirement Elicitation and SpecificationNishu Rastogi
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches Jim Kaplan CIA CFE
 

Similar to Chapter 2 auditing it governance controls (20)

CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptx
 
Robert Williams Final Project
Robert Williams Final Project Robert Williams Final Project
Robert Williams Final Project
 
Robert Williams Final Project
Robert Williams Final Project Robert Williams Final Project
Robert Williams Final Project
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
Reengineering pros and cons
Reengineering pros and consReengineering pros and cons
Reengineering pros and cons
 
The Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentThe Importance of Security within the Computer Environment
The Importance of Security within the Computer Environment
 
computer system validation
computer system validationcomputer system validation
computer system validation
 
A075434624
A075434624A075434624
A075434624
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques
 
Myths of validation
Myths of validationMyths of validation
Myths of validation
 
Itrisksisaudit1
Itrisksisaudit1Itrisksisaudit1
Itrisksisaudit1
 
Chapter 11 Enterprise Resource Planning System
Chapter 11 Enterprise Resource Planning SystemChapter 11 Enterprise Resource Planning System
Chapter 11 Enterprise Resource Planning System
 
3. 1 req elicitation
3. 1 req elicitation3. 1 req elicitation
3. 1 req elicitation
 
Best practices in networks and infrastructure
Best practices in networks and infrastructureBest practices in networks and infrastructure
Best practices in networks and infrastructure
 
auditing-190520092523.pdf
auditing-190520092523.pdfauditing-190520092523.pdf
auditing-190520092523.pdf
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1
 
Mainframe Sort Operations: Gaining the Insights You Need for Peak Performance
Mainframe Sort Operations: Gaining the Insights You Need for Peak PerformanceMainframe Sort Operations: Gaining the Insights You Need for Peak Performance
Mainframe Sort Operations: Gaining the Insights You Need for Peak Performance
 
3.42211- CIS Audit.pdf
3.42211- CIS Audit.pdf3.42211- CIS Audit.pdf
3.42211- CIS Audit.pdf
 
Software Engineering- Requirement Elicitation and Specification
Software Engineering- Requirement Elicitation and SpecificationSoftware Engineering- Requirement Elicitation and Specification
Software Engineering- Requirement Elicitation and Specification
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches
 

Recently uploaded

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Recently uploaded (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

Chapter 2 auditing it governance controls

  • 1. Chapter 2: Auditing IT Governance Controls IT Auditing, Hall, 4e © 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use. 0
  • 2. Learning Objectives • Understand the risks of incompatible functions and how to structure the IT function. • Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities. • Understand the key elements of a disaster recovery plan. • Be familiar with the benefits, risks, and audit issues related to IT outsourcing. 1
  • 3. IT Governance • Subset of corporate governance that focuses on the management and assessment of strategic IT resources. • Key objects are to reduce risk and ensure investments in IT resources add value to the corporation. • All corporate stakeholders must be active participants in key IT decisions. 2
  • 4. IT Governance Controls • Three IT governance issues addressed by SOX and the COSO internal control framework: • Organizational structure of the IT function. • Computer center operations. • Disaster recovery planning. 3
  • 5. Structure of the Corporate IT Function • Under the centralized data processing model, all data processing performed at a central site. • End users compete for resources based on need. • Operating costs charged back to end user. • Primary service areas: • Database administrator. • Data processing consisting of data control/data entry, computer operations and data library. • System development and maintenance • Participation in systems development activities include system professional, end users and stakeholders. 4
  • 6. Structure of the Corporate IT Function 5
  • 8. Alternative Organization of Systems Development Problems • Two control problems with segregating systems analysis from applications programming. • Inadequate documentation a chronic problem. • Documenting systems is not an interesting task. • Lack of documentation provides job security for the programmer who coded it. • When system programmer has maintenance responsibilities, potential for fraud is increased. • May have concealed fraudulent code in the system. • Having sole responsibility for maintenance may allow the programmer to conceal the code for years. 7
  • 9. Structure of the Corporate IT Function 8
  • 10. Segregation of Incompatible IT Functions • Systems development from computer operations. • Relationship between groups should be formal and responsibilities should not be comingled. • Database administration from other functions. • DBA function responsible for many critical tasks and needs to be organizationally independent of operations, systems development and maintenance. • New systems development from maintenance. • Improves documentation standards because maintenance group requires documentation. • Denying original programmer future access deters program fraud. 9
  • 11. The Distributed Model • Distributed Data Processing (DDP) involves reorganizing central IT function into small IT units that are placed under the control of end users. • Two alternatives: • Alternative A: Variant of centralized model with terminals or microcomputers distributed to end users for handling input and output. • Alternative B: Distributes all computer services to the end users where they operate as stand alone units. 10
  • 13. Management Assertions Audit Objectives Audit Procedure Existence or occurrence Inventories listed on the balance sheet exist. Observe the counting of physical inventory. Completeness Accounts payable include all obligations to vendors for the period. Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period. Rights and obligations Plant and equipment listed in the balance sheet are owned by the entity. Review purchase agreements, insurance policies, and related documents. Valuation or allocation Accounts receivable are stated at net realizable value. Review entity’s aging of accounts and evaluate the adequacy of the allowance for uncorrectable accounts. Presentation and disclosure Contingencies not reported in financial accounts are properly disclosed in footnotes. Obtain information from entity lawyers about the status of litigation and estimates of potential loss. Audit Objectives and Audit Procedures Based on Management Assertions 12
  • 14. Risks Associated with DDP • Inefficient use of resources: • Mismanagement of IT resources by end users. • Operational inefficiencies due to redundant tasks being performed. • Hardware and software incompatibility among end-user functions. • Destruction of audit trails. • Inadequate segregation of duties. • Hiring qualified professionals: • Risk of programming errors and system failures increase directly with the level of employee incompetence. • Lack of standards. 13
  • 15. Controlling the DDP Environment • Implement a corporate IT function: • Central testing of commercial software and hardware. • User services to provide technical help. • Standard-setting body. • Personnel review. 14
  • 16. Audit Procedures for the DDP • Audit procedures in a centralized IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible functions. • Review systems documentation and maintenance records to verify maintenance programmers are not designers. • Observe to determine if segregation policy is being followed. 15
  • 17. Audit Procedures for the DDP • Audit procedures in a distributed IT organization: • Review relevant documentation to determine if individuals or groups are performing incompatible duties. • Verify corporate policies and standards are published and provided to distributed IT units. • Verify compensating controls are in place when needed. • Review system documentation to verify applications, procedures and databased are in accordance with standards. 16
  • 18. The Computer Center • Physical location: • Directly affects risk of destruction from a disaster. • Away from hazards and traffic. • Construction: • Ideally: single-story, solidly constructed with underground utilities. • Windows should not open and an air filtration system should be in place. • Access: • Should be limited with locked doors, cameras, key card entrance and sign-in logs. 17
  • 19. The Computer Center • Air conditioning should provide appropriate temperature and humidity for computers. • Fire suppression: • Alarms, fire extinguishing system, appropriate construction, fire exits. • Fault tolerance is the ability of the system to continue operation when part of the system fails. • Total failure can occur only if multiple components fail. • Redundant arrays of independent disks (RAID) involves using parallel disks with redundant data and applications so if one disk fails, lost data can be reconstructed. • Uninterruptible power supplies. 18
  • 20. Audit Procedures: The Computer Center • Auditor must verify that physical controls and insurance coverage are adequate. • Procedures include: • Tests of physical construction. • Tests of the fire detection system. • Tests of access control. • Tests of RAID. • Tests of the uninterruptible power supply. • Tests of insurance coverage. 19
  • 21. Disaster Recovery Planning • A disaster recovery plan is a statement of all actions to be taken before, during and after any type of disaster. Four common features: • Identify critical applications: • Short-term survival requires restoration of cash flow generating functions. • Applications supporting those functions should be identified and prioritized in the restoration plan. • Task of identifying critical items and prioritizing applications requires active participation of user departments, accountants and auditors. 20
  • 22. Disaster Recovery Planning • Create a disaster recovery team: • Team members should be experts in their areas and have assigned tasks. • Provide second-site backup: • Necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. • Specify back-up and off-site storage procedures: • All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location. 21
  • 23. Second-Site Backups • Mutual aid pact is an agreement between organizations to aid each other with data processing in a disaster. • Empty shell or cold site plan involves obtaining a building to serve as a data center in a disaster. • Recovery depends on timely availability of hardware. • Recovery operations center or hot site plan is a fully equipped site that many companies share. • Internally provided backup may be preferred by organizations with many data processing centers. 22
  • 24. DRP Audit Procedures • To verify DRP is a realistic solution, the following tests may be performed: • Evaluate adequacy of backup site arrangements. • Review list of critical applications for completeness. • Verify copies of critical applications and operating systems are stored off-site. • Verify critical data files are backed up in accordance with the DRP. • Verify that types and quantities of items specified in the DRP exist in a secure location. • Verify disaster recovery team members are current employees and aware of their assigned responsibilities. 23
  • 25. Outsourcing the IT Function • Benefits of IT outsourcing include: • Improved core business processes. • Improved IT performance. • Reduced IT costs. • Logic underlying outsourcing follows from core competency theory which argues an organization should focus on its core business competencies. Ignores an important distinction between: • Commodity IT assets which are not unique to an organization and easily acquired in the marketplace. • Specific IT assets which are unique and support an organization’s strategic objectives. 24
  • 26. Outsourcing the IT Function • Transaction cost economics (TCE) suggests firms should retain specific non-core IT assets in house. • Those that cannot be easily replaced once they are given up in an outsourcing arrangement. • Cloud computing is location-independent computing whereby shared data centers deliver hosted IT services over the Internet. Offers three primary classes of computing services: • Software-as-a-Service (SaaS). • Infrastructure-as-a-Service (IaaS). • Platform-as-a-Service (PaaS). 25
  • 27. Outsourcing the IT Function • Virtualization has unleashed cloud computing. • Network virtualization increases effective network bandwidth, optimizes network speed, flexibility, and reliability, and improves network scalability. • Storage virtualization is the pooling of physical storage from multiple devices into what appears to be a single virtual storage device. • Cloud computing not realistic for large firms. • Typically have massive IT investments and therefore not inclined to turn over their IT operations to a could vendor. • May have critical functions running on legacy systems that could not be easily migrated to the cloud. • Commodity provision approach of the cloud incompatible with the need for unique strategic information. 26
  • 28. Risks Inherent to IT Outsourcing • Failure to perform. • Vendor exploitation. • Outsourcing costs exceed benefits. • Reduced security. • Loss of strategic advantage. 27
  • 29. Audit Implications of IT Outsourcing • Use of a service organization does not reduce management’s responsibilities under SOX for ensuring adequate IT internal controls. • SSAE 16 replaced SAS 70 and is the definitive standard by which auditors can gain knowledge that processes and controls at third-party vendors are adequate to prevent or detect material errors. • Report provides a description of service provider’s description using either the carve-out or the inclusive method 28
  • 30. Audit Implications of IT Outsourcing 29