Chapter 2 090716 PDF

This document discusses several topics related to auditing IT governance controls, including: 1. IT audit objectives, risks of IT reliance, and IT governance. 2. IT organizational structures, including centralized vs distributed models and segregation of duties. 3. Key aspects of disaster recovery planning like identifying critical systems and backup procedures. 4. Factors to consider with IT outsourcing like benefits, costs, and management's remaining responsibilities. 5. Audit procedures related to evaluating IT controls in areas like organizational structure, facilities, disaster recovery, and outsourcing arrangements.

BA 120.2: Auditing Theory and Practice II
Eirene Tinitigan
September 7, 2016

Auditing IT Governance Controls

Outline:
•  Learning Objectives
•  IT Structure and Governance
•  Disaster Recovery Planning
•  IT Outsourcing
•  Audit Objectives and Procedures
Learning objectives

•  Gain an understanding of the following:
   •  IT audit
   •  Structure of the IT function
   •  Segregation of duties in the IT function
   •  IT governance controls
   •  Controls and precautions in the computer facilities
   •  Key elements of disaster recovery planning
   •  IT outsourcing
What is IT audit?

An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations.
Risks of IT reliance

•  Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both
•  Unauthorized access to data that may result in destruction of data or improper changes to data, including recording of unauthorized transactions
•  IT personnel gaining access privileges beyond those necessary to perform their assigned duties
•  Unauthorized changes to data in master files and to systems and programs
•  Failure to make necessary changes to systems
•  Inappropriate manual intervention
•  Potential loss of data
Objectives of IT audit

•  Evaluate the systems and processes in place that secure company data
•  Determine risks to a company's information assets, and help identify methods to minimize those risks
•  Ensure information management processes are in compliance with IT-specific laws, policies and standards
•  Determine inefficiencies in IT systems and associated management
What is IT governance?

•  Subset of corporate governance that focuses on the management and assessment of strategic IT resources.
•  Key objectives:
   1.  Reduce risks
   2.  Ensure IT investments are value-adding

SOX and IT governance

[Diagram: IT governance reduces risk; requires involvement of all stakeholders; is driven by user needs and strategic initiatives; in compliance with corporate policies and SOX.]
Centralized data processing

[Figure: organization chart of centralized data processing, from James A. Hall, Accounting Information Systems, 6th Edition]

Segregation of duties:
a.  Systems development and computer operations
b.  Database administration and all other functions
c.  Systems development and maintenance
    •  Inadequate documentation
    •  Program fraud
Distributed data processing

Reorganizing the IT function into smaller IT units.

IT org structure

Data processing
  Centralized: one or more large computers at a central site
  Distributed: distributed according to business function, geographic location, etc.
Pros
  Centralized: economies of scale; greater control over potential risk areas; lower overhead costs
  Distributed: lower capital expenditures; cost control responsibility; user satisfaction; backup flexibility
Cons
  Centralized: sophisticated backup plan; huge capital expenditures
  Distributed: inefficiencies; destruction of audit trails; inadequate SOD; hiring qualified professionals; lack of standards
Computer center

•  Physical Location
•  Construction
•  Temperature
•  Fire suppression
•  Access
•  Fault tolerance
Disaster Recovery Planning (DRP)

1.  Identify critical applications
2.  Create disaster recovery team
3.  Provide site backup
    •  Mutual aid pact – Trust
    •  Empty shell – Cold site
    •  ROC – Hot site
    •  Internally provided
4.  Specify backup and off-site storage procedures
IT outsourcing

Outsource
  Theory: core competency
  Pros: improved core business performance; improved IT performance; cost reductions
  Cons: failure to perform; vendor exploitation; outsourcing costs > benefits; reduced security; loss of strategic advantage
In-house
  Theory: transaction cost economics
  Pros: greater control over every aspect of the IT function; tailor-fit to company needs
  Cons: costly; high bargaining power of people in the IT function
Audit: IT org structure

Objective: Verify proper segregation of duties

Procedures:
Centralized
  •  Review relevant documentation
  •  Review systems documentation and maintenance records for a sample of applications
  •  Verify computer operators do not have access to operational details of the system’s internal logic
  •  Observe if the segregation policy is being followed in practice
Distributed
  •  Review relevant documentation
  •  Verify if corporate policies and standards on IT are published and distributed to IT units
  •  Verify if compensating controls are employed when segregation of incompatible duties is economically infeasible
  •  Review systems documentation to verify that applications, procedures and databases are designed and functioning in accordance with corporate standards
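The three incompatible pairings listed under centralized data processing, and the "verify proper segregation of duties" objective above, can be checked mechanically over a role export. The following is an added example, not from the slides; the role labels and the sample export are constructed for illustration.

```python
# Added example: segregation-of-duties (SOD) review over a constructed
# role export, using the three incompatible pairings the slides give:
#   a. systems development vs computer operations
#   b. database administration vs all other functions
#   c. systems development vs maintenance (inadequate documentation,
#      program fraud)
from collections import defaultdict

# Hypothetical role labels chosen for this example.
IT_ROLES = {"systems_development", "computer_operations",
            "database_administration", "maintenance"}


def incompatible(role_a, role_b):
    """True if the two IT roles should not be held by one person."""
    pair = {role_a, role_b}
    if pair == {"systems_development", "computer_operations"}:
        return True  # rule a
    if "database_administration" in pair and len(pair) == 2:
        return True  # rule b: DBA is incompatible with every other function
    if pair == {"systems_development", "maintenance"}:
        return True  # rule c
    return False


def sod_violations(assignments):
    """Map each user holding incompatible roles to the conflicting pairs.
    assignments: iterable of (user, role) rows, e.g. from an IAM export."""
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        if role in IT_ROLES:          # roles outside the IT function are ignored
            roles_by_user[user].add(role)
    findings = {}
    for user, roles in roles_by_user.items():
        held = sorted(roles)
        conflicts = [(a, b) for i, a in enumerate(held) for b in held[i + 1:]
                     if incompatible(a, b)]
        if conflicts:
            findings[user] = conflicts
    return findings


# Constructed sample export (user, role); not real data.
SAMPLE_EXPORT = [
    ("alice", "systems_development"), ("alice", "computer_operations"),  # rule a
    ("bob", "database_administration"), ("bob", "maintenance"),          # rule b
    ("carol", "maintenance"),
    ("dave", "systems_development"), ("dave", "maintenance"),            # rule c
    ("erin", "computer_operations"), ("erin", "helpdesk"),              # clean
]

if __name__ == "__main__":
    for user, conflicts in sorted(sod_violations(SAMPLE_EXPORT).items()):
        print(user, conflicts)
```

Each finding is a candidate for the "compensating controls" question in the distributed column: a conflict that cannot be removed should be paired with a documented compensating control.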
Audit: Computer center

Objective: Verify that there are adequate physical security controls and insurance coverage to compensate for destruction or damage

Procedures:
Test physical construction, fire detection/suppression system, access controls, RAID, UPS, insurance coverage
Audit: DRP

Objective: Verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources

Procedures:
Test site backup, critical application list, software backup, data backup, backup supplies, documents and documentation, disaster recovery team
Audit: IT Outsourcing

Implication: Management can outsource the IT function but cannot outsource its responsibilities for ensuring adequate IT control under SOX (PCAOB Auditing Standard No. 2)

Objective: Evaluate the vendor organization’s controls or, alternatively, obtain a SAS 70 report from the vendor organization
Thanks!