
CHAPTER 2: AUDITING IT GOVERNANCE CONTROLS P1

57 questions • 1 year ago
  • Charles Jaojao

    Question list

  • 1

    _______ is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.

    Information Technology (IT) Governance

  • 2

    The key objectives of IT governance are to: (2)

    1. reduce risk
    2. ensure that investments in IT resources add value to the corporation

  • 3

    Three IT governance issues are addressed by SOX and the COSO internal control framework: (3)

    1. organizational structure of the IT function
    2. computer center operations
    3. disaster recovery planning

  • 4

    In this section, some important control issues related to IT structure are examined. These are illustrated through two extreme organizational models: (2)

    1. centralized approach
    2. distributed approach

  • 5

    Under the _______ model, all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.

    centralized data processing model

  • 6

    The _______ function is usually treated as a cost center whose operating costs are charged back to the end users.

    IT services

  • 7

    A centralized IT services structure has three primary service areas: (3)

    1. database administration
    2. data processing
    3. systems development and maintenance

  • 8

    Centrally organized companies maintain their data resources in a central location that is shared by all end users.

    data administration

  • 9

    In this shared data arrangement, an independent group headed by the _______ is responsible for the security and integrity of the database.

    database administrator (DBA)

  • 10

    The _______ manages the computer resources used to perform the day-to-day processing of transactions.

    data processing group

  • 11

    The data processing group consists of the following organizational functions: (3)

    1. data conversion
    2. computer operations
    3. data library

  • 12

    _______ transcribes transaction data from hard-copy source documents into computer input.

    data conversion

  • 13

    The electronic files produced in data conversion are later processed by the central computer, which is managed by the _______ group.

    computer operations

  • 14

    The _______ is a room adjacent to the computer center that provides safe storage for the off-line data files.

    data library

  • 15

    The _______ is also used to store original copies of commercial software and their licenses for safekeeping.

    data library

  • 16

    The _______, who is responsible for the receipt, storage, retrieval, and custody of data files, controls access to the library.

    data librarian

  • 17

    The information systems needs of users are met by two related functions: (2)

    1. systems development
    2. systems maintenance

  • 18

    _______ is responsible for analyzing user needs and for designing new systems to satisfy those needs.

    system development

  • 19

    The participants in systems development activities include: (3)

    1. systems professionals
    2. end users
    3. stakeholders

  • 20

    _______ include systems analysts, database designers, and programmers who design and build the system.

    systems professionals

  • 21

    _______ gather facts about the user’s problem, analyze the facts, and formulate a solution. The product of their efforts is a new information system.

    systems professionals

  • 22

    _______ are those for whom the system is built. They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities.

    end users

  • 23

    _______ are individuals inside or outside the firm who have an interest in the system, but are not end users.

    stakeholders

  • 24

    _______ refers to making changes to program logic to accommodate shifts in user needs over time.

    maintenance

  • 25

    The previous chapter stressed the importance of segregating incompatible duties within manual activities. Specifically, operational tasks should be segregated to: (3)

    1. separate transaction authorization from transaction processing
    2. separate record keeping from asset custody
    3. divide transaction-processing tasks among individuals

  • 26

    The _______ is responsible for a number of critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion.

    DBA function

  • 27

    Some companies organize their in-house systems development function into two groups: (2)

    1. systems analysis
    2. programming

  • 28

    The _______ group works with the users to produce detailed designs of the new systems.

    systems analysis

  • 29

    The _______ codes the programs according to these design specifications.

    programming group

  • 30

    Although a common arrangement, this approach is associated with two types of control problems: (2)

    1. inadequate documentation
    2. program fraud

  • 31

    Poor-quality systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance. There are at least two explanations for this phenomenon. First, documenting systems is not as interesting as designing, testing, and implementing them. Systems professionals much prefer to move on to an exciting new project rather than document one just completed.

    inadequate documentation

  • 32

    The second possible reason for poor documentation is _______: a programmer whose system is poorly documented is harder to replace.

    job security

  • 33

    When the original programmer of a system is also assigned maintenance responsibility, the potential for _______ is increased.

    program fraud

  • 34

    _______ involves making unauthorized changes to program modules for the purpose of committing an illegal act.

    program fraud

  • 35

    Figure 2.2 presents a superior organizational structure in which the systems development function is separated into two different groups: (2)

    1. new systems development
    2. systems maintenance

  • 36

    The _______ group is responsible for designing, programming, and implementing new systems projects.

    new systems development

  • 37

    Upon successful implementation, responsibility for the system’s ongoing maintenance falls to the _______.

    systems maintenance group

  • 38

    This restructuring has implications that directly address the two control problems just described: (2)

    1. First, documentation standards are improved, because the maintenance group cannot take over a system it cannot understand.
    2. Second, denying the original programmer future access to the program deters program fraud.

  • 39

    An alternative to the centralized model is the concept of _______.

    distributed data processing (DDP)

  • 40

    The topic of DDP is quite broad, touching upon such related topics as: (4)

    1. end-user computing
    2. commercial software
    3. networking
    4. office automation

  • 41

    Under DDP, the IT units may be distributed according to: (2)

    1. business function
    2. geographic location

  • 42

    Risks associated with DDP (5)

    1. inefficient use of resources
    2. destruction of audit trails
    3. inadequate segregation of duties
    4. increased potential for programming errors and systems failure
    5. lack of standards

  • 43

    Three types of risk are associated with inefficient use of organizational resources: (3)

    1. risk of mismanagement of organization-wide IT resources by end users
    2. risk of redundant tasks being performed within the end-user community
    3. risk of incompatible hardware and software among end-user functions

  • 44

    Advantages of DDP (4)

    1. cost reduction
    2. improved cost control
    3. improved user satisfaction
    4. backup (one site can back up another)

  • 45

    Controlling the DDP environment (4)

    1. central testing of commercial software and hardware
    2. user services
    3. standard-setting body
    4. personnel review

  • 46

    The following are areas of potential exposure in the computer center that can impact the quality of information, accounting records, transaction processing, and the effectiveness of other more conventional internal controls. (6)

    1. physical location
    2. construction
    3. access
    4. air conditioning
    5. fire suppression
    6. fault tolerance

  • 47

    Two examples of fault tolerance technologies are: (2)

    1. redundant arrays of independent disks (RAID)
    2. uninterruptible power supplies (UPS)
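    The card above names RAID as a fault tolerance technology but does not show why a disk loss is survivable. The example below is added here and is not part of the original flashcards or of the textbook: it simulates a single-parity (RAID-5 style) stripe with XOR parity, recovers a stripe after any one disk is lost, refuses when two are lost, and shows the caveat an auditor testing RAID should keep in mind, namely that parity stays consistent when bad data is written through the normal path, so RAID does not replace the data backups listed under the disaster recovery plan. All disk contents are constructed inline for the demo.

```python
"""Added example (not from the original page): XOR parity as used by
RAID-5 style arrays. One parity block protects a stripe against the loss
of any single disk. Block contents below are constructed test data."""
from __future__ import annotations

from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together byte by byte."""
    size = len(blocks[0])
    out = bytearray(size)
    for block in blocks:
        if len(block) != size:
            raise ValueError("all blocks in a stripe must have the same length")
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripe(data_blocks: List[bytes]) -> List[bytes]:
    """Return the stripe as stored on disk: the data blocks followed by
    one parity block equal to the XOR of all data blocks."""
    if not data_blocks:
        raise ValueError("a stripe needs at least one data block")
    return list(data_blocks) + [xor_blocks(data_blocks)]


def parity_ok(stripe: List[bytes]) -> bool:
    """Scrub check: XOR of every block in a healthy stripe is all zeros."""
    return xor_blocks(stripe) == bytes(len(stripe[0]))


def read_stripe(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Return the original data blocks from a stripe in which failed disks
    are represented by None. A single missing block (data or parity) is
    rebuilt by XORing the survivors; two or more cannot be recovered with
    a single parity block, so that case is reported rather than guessed."""
    missing = [i for i, block in enumerate(stripe) if block is None]
    if len(missing) > 1:
        raise RuntimeError(
            f"{len(missing)} disks lost; single parity recovers at most one"
        )
    rebuilt: List[bytes] = [b for b in stripe if b is not None]  # survivors
    if missing:
        full = list(stripe)
        full[missing[0]] = xor_blocks(rebuilt)  # XOR of survivors = lost block
        rebuilt = [b for b in full if b is not None]
    return rebuilt[:-1]  # drop the parity block


def demo() -> dict:
    """Walk through loss of a data disk, loss of the parity disk, a double
    failure, and a logical corruption that parity cannot detect."""
    data = [b"block-A", b"block-B", b"block-C"]  # constructed sample data
    stripe = write_stripe(data)

    lost_data = list(stripe)
    lost_data[1] = None  # disk holding block-B fails
    lost_parity = list(stripe)
    lost_parity[-1] = None  # parity disk fails

    double = list(stripe)
    double[0] = double[2] = None
    try:
        read_stripe(double)
        double_recovered = True
    except RuntimeError:
        double_recovered = False

    # Bad data written through the normal path: parity is recomputed and
    # stays consistent, so a scrub reports the stripe as healthy.
    corrupted = write_stripe([b"block-A", b"BLOCK-B", b"block-C"])

    return {
        "scrub_ok": parity_ok(stripe),
        "recovered_after_data_loss": read_stripe(lost_data) == data,
        "recovered_after_parity_loss": read_stripe(lost_parity) == data,
        "double_failure_recovered": double_recovered,
        "corruption_passes_scrub": parity_ok(corrupted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The last result is the one that matters for the audit objective: a RAID test confirms that a disk failure does not lose data, but it says nothing about a deleted or overwritten file, which is why the DRP cards that follow still require separate data backups and off-site storage.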

  • 48

    Audit procedures for the computer center (tests of physical security controls) (6)

    1. test of physical construction
    2. test of the fire detection system
    3. test of access control
    4. test of RAID
    5. test of the uninterruptible power supply
    6. test for insurance coverage

  • 49

    Three categories of disaster can rob an organization of its IT resources: (3)

    1. natural
    2. human-made
    3. system failure

  • 50

    Examples of natural disasters

    fire, flood, tornado

  • 51

    Examples of human-made disasters

    sabotage, error

  • 52

    Examples of system failure

    power outages, drive failure, crash/lock-up

  • 53

    The _______ is a comprehensive statement of all actions to be taken before, during, and after any type of disaster.

    Disaster Recovery Plan

  • 54

    Four common features of a DRP (4)

    1. identify critical applications
    2. create a disaster recovery team
    3. provide site backup
    4. specify backup and off-site storage procedures

  • 55

    The most common options for providing second-site backup (4)

    1. mutual aid pact
    2. empty shell
    3. recovery operations center
    4. internally provided backup

  • 56

    Backup and off-site storage procedures (6)

    1. operating system backup
    2. application backup
    3. backup data files
    4. backup documentation
    5. backup supplies and source documents
    6. testing the DRP

  • 57

    Audit procedures for the disaster recovery plan (6)

    1. site backup
    2. critical application list
    3. software backup
    4. data backup
    5. backup supplies, documents, and documentation
    6. disaster recovery team

