
44 Chapter 2: Auditing IT Governance Controls Structure of the Information Technology Function 45

and general ledger accounts that recorded the events, and ultimately to the financial statements themselves. The audit trail is critical to the auditor's attest service.

In DDP systems, the audit trail consists of a set of digital transaction files and master files (Chapter 6 deals with transaction processing techniques) that reside in part or entirely on end-user computers. Should an end user inadvertently delete one of the files, the audit trail could be destroyed and unrecoverable. Similarly, if an end user inadvertently inserts transaction errors into an audit trail file, it could become corrupted.

Inadequate Segregation of Duties. Achieving an adequate segregation of duties may not be possible in some distributed environments. The distribution of the IT services to users may result in the creation of small independent units that do not permit the desired separation of incompatible functions. For example, within a single unit the same person may write application programs, perform program maintenance, enter transaction data into the computer, and operate the computer equipment. Such a situation would be a fundamental violation of internal control.

Hiring Qualified Professionals. End-user managers may lack the IT knowledge to evaluate the technical credentials and relevant experience of candidates applying for IT professional positions. Also, if the organizational unit into which a new employee is entering is small, the opportunity for personal growth, continuing education, and promotion may be limited. For these reasons, managers may experience difficulty attracting highly qualified personnel. The risk of programming errors and system failures increases directly with the level of employee incompetence.

Lack of Standards. Because of the distribution of responsibility in the DDP environment, standards for developing and documenting systems, choosing programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or even nonexistent. Opponents of DDP argue that the risks associated with the design and operation of a DDP system are made tolerable only if such standards are consistently applied.

Advantages of DDP

This section considers potential advantages of DDP, including cost reductions, improved cost control, improved user satisfaction, and backup.

Cost Reductions. For many years, achieving economies of scale was the principal justification for the centralized data processing approach. The economics of data processing favored large, expensive, powerful computers. The wide variety of needs that centralized systems were expected to satisfy also called for computers that were highly generalized and employed complex operating systems. The overhead associated with running such a system, however, can diminish the advantages of its raw processing power. Thus, for many users, large centralized systems represented expensive overkill that they should escape.

Powerful and inexpensive microcomputers and minicomputers that can perform specialized functions have changed the economics of data processing dramatically. In addition, the unit cost of data storage, which was once the justification for consolidating data in a central location, is no longer a prime consideration. Moreover, the move to DDP has reduced costs in two other areas: (1) data can be edited and entered by the end user, thus eliminating the centralized task of data preparation; and (2) application complexity can be reduced, which in turn reduces systems development and maintenance costs.

Improved Cost Control Responsibility. End-user managers carry the responsibility for the financial success of their operations. This responsibility requires that they be properly empowered with the authority to make decisions about resources that influence their overall success. When managers are precluded from making the decisions necessary to achieve their goals, their performance can be negatively influenced. A less aggressive and less effective management may evolve.

Proponents of DDP contend that the benefits of improved management attitudes more than outweigh any additional costs incurred from distributing these resources. They argue that if IT capability is indeed critical to the success of a business operation, then management must be given control over these resources. This argument counters the earlier discussion favoring the centralization of organization-wide resources.

Improved User Satisfaction. Perhaps the most often cited benefit of DDP is improved user satisfaction. DDP proponents claim that distributing systems to end users improves three areas of need that too often go unsatisfied in the centralized model: (1) as previously stated, users desire to control the resources that influence their profitability; (2) users want systems professionals (analysts, programmers, and computer operators) to be responsive to their specific situation; and (3) users want to become more actively involved in developing and implementing their own systems.

Backup Flexibility. The final argument in favor of DDP is the ability to back up computing facilities to protect against potential disasters such as fires, floods, sabotage, and earthquakes. The only way to back up a central computer site against such disasters is to provide a second computer facility. Later in the chapter we examine disaster recovery planning for such contingencies. The distributed model offers organizational flexibility for providing backup. Each geographically separate IT unit can be designed with excess capacity. If a disaster destroys a single site, the other sites can use their excess capacity to process the transactions of the destroyed site. Naturally, this setup requires close coordination between the end-user managers to ensure that they do not implement incompatible hardware and software.

Controlling the DDP Environment

DDP carries a certain leading-edge prestige value that, during an analysis of its pros and cons, may overwhelm important considerations of economic benefit and operational feasibility. Some organizations have made the move to DDP without considering fully whether the distributed organizational structure will better achieve their business objectives. Many DDP initiatives have proven to be ineffective, and even counterproductive, because decision makers saw in these systems virtues that were more symbolic than real. Before taking an irreversible step, decision makers must assess the true merits of DDP for their organization. Nevertheless, careful planning and implementation of controls can mitigate some of the DDP risks previously discussed. This section reviews several improvements to the strict DDP model.

Implement a Corporate IT Function

The completely centralized model and the distributed model represent extreme positions on a continuum of structural alternatives. The needs of most firms fall somewhere between these end points. Often, the control problems previously described can be addressed by implementing a corporate IT function such as that illustrated in Figure 2.5. This function is greatly reduced in size and status from that of the centralized model shown in Figure 2.2. The corporate IT group provides systems development and database management for entity-wide systems in addition to technical advice and expertise to the distributed IT community. This advisory role is represented by the dotted lines in Figure 2.5. Some of the services provided are described next.

Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
Central Testing of Commercial Software and Hardware. A centralized corporate IT group is better equipped than are end users to evaluate the merits of competing commercial software and hardware products under consideration. A central, technically astute group such as this can evaluate systems features, controls, and compatibility with industry and organizational standards. Test results can then be distributed to user areas as standards for guiding acquisition decisions. This allows the organization to effectively centralize the acquisition, testing, and implementation of software and hardware and avoid many problems discussed earlier.

User Services. A valuable feature of the corporate group is its user services function. This activity provides technical help to users during the installation of new software and in troubleshooting hardware and software problems. The creation of an electronic bulletin board for users is an excellent way to distribute information about common problems and allows the sharing of user-developed programs with others in the organization. In addition, a chat room could be established to provide threaded discussions, frequently asked questions (FAQs), and intranet support. The corporate IT function could also provide a help desk, where users can call and get a quick response to questions and problems. In many organizations user services staff teach technical courses for end users as well as for computer services personnel. This raises the level of user awareness and promotes the continued education of technical personnel.

Standard-Setting Body. The relatively poor control environment imposed by the DDP model can be improved by establishing some central guidance. The corporate group can contribute to this goal by establishing and distributing to user areas appropriate standards for systems development, programming, and documentation.

Personnel Review. The corporate group is often better equipped than users to evaluate the technical credentials of prospective systems professionals. Although the systems professional will actually be part of the end-user group, the involvement of the corporate group in employment decisions can render a valuable service to the organization.

Audit Objective

The auditor's objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks.

Audit Procedures

The following audit procedures would apply to an organization with a centralized IT function:

• Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
• Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.
• Verify that computer operators do not have access to the operational details of a system's internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operations documentation set.
• Through observation, determine that segregation policy is being followed in practice.
• Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.

The following audit procedures would apply to an organization with a distributed IT function:

• Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible functions.
• Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
• Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
• Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.

THE COMPUTER CENTER

Accountants routinely examine the physical environment of the computer center as part of their annual audit. The objective of this section is to present computer center risks and the controls that help to mitigate risk and create a secure environment. The following are areas of potential exposure that can impact the quality of information, accounting records, transaction processing, and the effectiveness of other more conventional internal controls.

Physical Location

The physical location of the computer center directly affects the risk of destruction by a natural or man-made disaster. To the extent possible, the computer center should be away from human-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults. The center should be away from normal traffic, such as the top floor of a building or in a separate, self-contained building. Locating a computer in the basement of a building increases its risk of flooding.

Construction

Ideally, a computer center should be located in a single-story building of solid construction with controlled access (discussed next). Utility (power and telephone) lines should be underground. The building windows should not open, and an air filtration system should be in place that is capable of extracting pollens, dust, and dust mites.

Access

Access to the computer center should be limited to the operators and other employees who work there. Physical controls, such as locked doors, should be employed to limit access to the center. Access should be controlled by a keypad or swipe card, though fire
exits with alarms are necessary. To achieve a higher level of security, access should be monitored by closed-circuit cameras and video recording systems. Computer centers should also use sign-in logs for programmers and analysts who need access to correct program errors. The computer center should maintain accurate records of all such traffic.

Air Conditioning

Computers function best in an air-conditioned environment, and providing adequate air conditioning is often a requirement of the vendor's warranty. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors can occur in computer hardware when temperatures depart significantly from this optimal range. Also, the risk of circuit damage from static electricity is increased when humidity drops. In contrast, high humidity can cause molds to grow and paper products (such as source documents) to swell and jam equipment.

Fire Suppression

Fire is the most serious threat to a firm's computer equipment. Many companies that suffer computer center fires go out of business because of the loss of critical records, such as accounts receivable. The implementation of an effective fire suppression system requires consultation with specialists. However, some of the major features of such a system include the following:

1. Automatic and manual alarms should be placed in strategic locations around the installation. These alarms should be connected to permanently staffed fire-fighting
2. There must be an automatic fire extinguishing system that dispenses the appropriate type of suppressant for the location.² For example, spraying water and certain chemicals on a computer can do as much damage as the fire.
3. Manual fire extinguishers should be placed at strategic locations.
4. The building should be of sound construction to withstand water damage caused by fire suppression equipment.
5. Fire exits should be clearly marked and illuminated during a fire.

² Some fire-fighting gases, such as halon, have been outlawed by the federal government. Make sure any alternative gas used does not violate federal law.

Fault Tolerance

Fault tolerance is the ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error. Implementing fault tolerance control ensures that no single point of potential system failure exists. Total failure can occur only if multiple components fail. Two examples of fault tolerance technologies are discussed next.

1. Redundant arrays of independent disks (RAID). RAID involves using parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.
2. Uninterruptible power supplies. Commercially provided electrical power presents several problems that can disrupt the computer center operations, including total power failures, brownouts, power fluctuations, and frequency variations. The equipment used to control these problems includes voltage regulators, surge protectors, generators, and backup batteries. In the event of a power outage, these devices provide backup power for a reasonable period to allow commercial power service restoration. In the event of an extended power outage, the backup power will allow the computer system to shut down in a controlled manner and prevent data loss and corruption that would otherwise result from an uncontrolled system crash.

Audit Objectives

The auditor's objective is to evaluate the controls governing computer center security. Specifically, the auditor must verify that:

• Physical security controls are adequate to reasonably protect the organization from physical exposures
• Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center

Audit Procedures

The following are tests of physical security controls.

Tests of Physical Construction. The auditor should obtain architectural plans to determine that the computer center is solidly built of fireproof material. There should be adequate drainage under the raised floor to allow water to flow away in the event of water damage from a fire in an upper floor or from some other source. In addition, the auditor should assess the physical location of the computer center. The facility should be located in an area that minimizes its exposure to fire, civil unrest, and other

Tests of the Fire Detection System. The auditor should establish that fire detection and suppression equipment, both manual and automatic, are in place and tested regularly. The fire-detection system should detect smoke, heat, and combustible fumes. The evidence may be obtained by reviewing official fire marshal records of tests, which are stored at the computer center.

Tests of Access Control. The auditor must establish that routine access to the computer center is restricted to authorized employees. Details about visitor access (by programmers and others), such as arrival and departure times, purpose, and frequency of access, can be obtained by reviewing the access log. To establish the veracity of this document, the auditor may covertly observe the process by which access is permitted, or review videotapes from cameras at the access point, if they are being used.

Tests of RAID. Most systems that employ RAID provide a graphical mapping of their redundant disk storage. From this mapping, the auditor should determine if the level of RAID in place is adequate for the organization, given the level of business risk associated with disk failure. If the organization is not employing RAID, the potential for a single point of system failure exists. The auditor should review with the system administrator alternative procedures for recovering from a disk failure.
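The two access-log procedures in this chapter (the centralized-IT check that programmers enter the operations room only for system failures, and the Tests of Access Control review of visitor arrival time, departure time, purpose and frequency) can be mechanized once the badge reader exports its log. The following Python is an added example, not code from the textbook or from any product it mentions; the log format, badge numbers, names, the authorized roster and the incident register are all constructed for illustration.

```python
"""Review of a computer-center access log against the authorized-access roster
and the system-failure incident register (added example; all data constructed)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed badge-reader export: badge, name, role, entry, exit, stated purpose.
ACCESS_LOG = """\
B1001,A. Operator,operator,2024-03-04 07:55,2024-03-04 16:05,shift
B1002,B. Operator,operator,2024-03-04 15:50,2024-03-05 00:10,shift
B2007,C. Programmer,programmer,2024-03-04 10:20,2024-03-04 10:45,fix batch abend
B2007,C. Programmer,programmer,2024-03-04 21:30,2024-03-04 23:40,code update
B3011,D. Vendor,visitor,2024-03-04 13:00,2024-03-04 14:30,UPS maintenance
B9999,E. Unknown,programmer,2024-03-04 19:00,2024-03-04 19:20,
"""

# Constructed roster: badges whose routine job is inside the computer center.
AUTHORIZED = {"B1001", "B1002"}

# Constructed system-failure incident register: (start, end, description).
INCIDENTS = [
    (datetime(2024, 3, 4, 10, 5), datetime(2024, 3, 4, 11, 0), "batch job abend"),
]


def parse_log(text):
    """Turn the comma-separated export into a list of dicts with real datetimes."""
    rows = []
    for line in text.strip().splitlines():
        badge, name, role, t_in, t_out, purpose = line.split(",")
        rows.append({
            "badge": badge, "name": name, "role": role,
            "in": datetime.strptime(t_in, "%Y-%m-%d %H:%M"),
            "out": datetime.strptime(t_out, "%Y-%m-%d %H:%M"),
            "purpose": purpose,
        })
    return rows


def during_incident(row, incidents=INCIDENTS):
    """True if the entry time falls inside a recorded system-failure window."""
    return any(start <= row["in"] <= end for start, end, _ in incidents)


def review_access_log(rows, authorized=AUTHORIZED):
    """Return audit exceptions as (badge, reason) tuples, in log order.

    Routine staff on the roster are not exceptions. Every other entry must
    state a purpose, and a programmer's entry must coincide with a system
    failure, which is the control the audit procedure tests."""
    exceptions = []
    for row in rows:
        if row["badge"] in authorized:
            continue
        if not row["purpose"]:
            exceptions.append((row["badge"], "no stated purpose"))
        if row["role"] == "programmer" and not during_incident(row):
            exceptions.append((row["badge"],
                               "programmer entry outside any system-failure incident"))
    return exceptions


def visitor_summary(rows, authorized=AUTHORIZED):
    """Frequency of access and total minutes on site for each non-routine badge."""
    count = Counter()
    on_site = {}
    for row in rows:
        if row["badge"] in authorized:
            continue
        count[row["badge"]] += 1
        on_site[row["badge"]] = on_site.get(row["badge"], timedelta()) + (row["out"] - row["in"])
    return {b: (count[b], int(on_site[b].total_seconds() // 60)) for b in count}


if __name__ == "__main__":
    rows = parse_log(ACCESS_LOG)
    for badge, reason in review_access_log(rows):
        print(f"EXCEPTION {badge}: {reason}")
    print(visitor_summary(rows))
```

The summary gives the auditor the frequency and duration figures the procedure asks for, and the exception list is the set of entries to corroborate against camera recordings or direct observation, since a log that is never reconciled with the incident register proves only that a badge was presented.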
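To make concrete why the Tests of RAID passage treats an array as removing a single point of failure, but only a single one, here is an added example (not from the textbook) that stripes data across N simulated disks with one XOR parity block per stripe whose position rotates across the disks, in the manner of RAID level 5. The disk count, block size and sample data are arbitrary choices of this example.

```python
"""Single-disk fault tolerance with rotating XOR parity (RAID 5 style).
Added example; the array is simulated as Python lists of byte blocks."""

# Constructed sample payload, standing in for a slice of a master file.
SAMPLE = b"GL 2024-03-04 journal: 1001 debit 250.00 / 2001 credit 250.00"


def xor_blocks(blocks):
    """XOR equal-length byte blocks together; the parity of a stripe."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe(data, n_disks, block_size):
    """Return n_disks lists of blocks. Each stripe holds n_disks-1 data
    blocks plus one parity block; the parity disk advances by one per stripe
    so that no single disk carries all the parity."""
    if n_disks < 3:
        raise ValueError("parity striping needs at least three disks")
    data_per_stripe = block_size * (n_disks - 1)
    # pad to a whole stripe; a real array records the true length separately
    padded = data + b"\0" * (-len(data) % data_per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // data_per_stripe):
        chunk = padded[s * data_per_stripe:(s + 1) * data_per_stripe]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size]
                       for i in range(n_disks - 1)]
        parity_disk = s % n_disks
        remaining = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(data_blocks) if d == parity_disk else next(remaining))
    return disks


def rebuild(disks, failed):
    """Rebuild every block of disk `failed` from the XOR of the survivors.
    Works for data and parity blocks alike, because each stripe XORs to zero."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def read_array(disks, length):
    """Read the original data back; failed disks are given as None.
    Returns None when more than one disk is missing: the data is unrecoverable."""
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        return None
    disks = list(disks)
    if failed:
        disks[failed[0]] = rebuild(disks, failed[0])
    n = len(disks)
    out = b""
    for s in range(len(disks[0])):
        parity_disk = s % n
        out += b"".join(disks[d][s] for d in range(n) if d != parity_disk)
    return out[:length]


def survives_loss(disks, failed, original):
    """True if `original` can still be read after the listed disks fail."""
    damaged = [None if i in failed else d for i, d in enumerate(disks)]
    return read_array(damaged, len(original)) == original


if __name__ == "__main__":
    array = stripe(SAMPLE, 4, 8)
    print("any one disk lost:", all(survives_loss(array, [f], SAMPLE) for f in range(4)))
    print("two disks lost:   ", survives_loss(array, [0, 2], SAMPLE))
```

The second print is the point the auditor weighs against business risk: with one parity block per stripe, a second concurrent failure (or a failure during the rebuild window) loses data, which is why the procedure asks whether the RAID level in place matches the organization's exposure and what the alternative recovery procedure is.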

Tests of the Uninterruptible Power Supply. The computer center should perform periodic tests of the backup power supply to ensure that it has sufficient capacity to run the computer and air conditioning. These are extremely important tests, and their results should be formally recorded. As a firm's computer systems develop, and its dependency increases, backup power needs are likely to grow proportionally. Indeed, without such tests, an organization may be unaware that it has outgrown its backup capacity until it is too late.

Tests for Insurance Coverage. The auditor should annually review the organization's insurance coverage on its computer hardware, software, and physical facility. The auditor should verify that all new acquisitions are listed on the policy and that obsolete equipment and software have been deleted. The insurance policy should reflect management's needs in terms of extent of coverage. For example, the firm may wish to be partially self-insured and require minimum coverage. On the other hand, the firm may seek complete replacement-cost coverage.

DISASTER RECOVERY PLANNING

Disasters such as earthquakes, floods, sabotage, and even power failures can be catastrophic to an organization's computer center and information systems. Figure 2.6 depicts three categories of disaster that can rob an organization of its IT resources: natural disasters, human-made disasters, and system failure. Natural disasters such as hurricanes, widespread flooding, and earthquakes are the most potentially devastating of the three from a societal perspective because they can simultaneously impact many organizations within the affected geographic area. Human-made disasters, such as sabotage or errors, can be just as destructive to an individual organization, but tend to be limited in their scope of impact. System failures such as power outages or a hard-drive failure are generally less severe, but are the most likely to occur.

FIGURE 2.6 Types of Disaster: Natural (Fire, Flood, Tornado); Human-Made; System Failure (Power Outages, Drive, O/S).

All of these disasters can deprive an organization of its data processing facilities, halt those business functions that are performed or aided by computers, and impair the organization's ability to deliver its products or services. In other words, the company loses its ability to do business. The more dependent an organization is on technology, the more susceptible it is to these types of risks. For businesses such as or eBay, the loss of even a few hours of computer processing capability can be catastrophic.

Disasters of the sort outlined above usually cannot be prevented or evaded. Once stricken, the victim firm's survival will be determined by how well and how quickly it reacts. Therefore, with careful contingency planning, the full impact of a disaster can be absorbed and the organization can recover. To survive such an event, companies develop recovery procedures and formalize them into a disaster recovery plan (DRP). This is a comprehensive statement of all actions to be taken before, during, and after any type of disaster. Although the details of each plan are unique to the needs of the organization, all workable plans possess four common features:

1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures

The remainder of this section is devoted to a discussion of the essential elements of an effective DRP.

Identify Critical Applications

The first essential element of a DRP is to identify the firm's critical applications and associated data files. Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization. Obviously, over the long term, all applications must be restored to predisaster business activity levels. The DRP, however, is a short-term document that should not attempt to restore the organization's data processing facility to full capacity immediately following the disaster. To do so would divert resources away from critical areas and delay recovery. The plan should therefore focus on short-term survival, which is at risk in any disaster

For most organizations, short-term survival requires the restoration of those functions that generate cash flows sufficient to satisfy short-term obligations. For example, assume that the following functions affect the cash flow position of a particular firm:

• Customer sales and service
• Fulfillment of legal obligations
• Accounts receivable maintenance and collection
• Production and distribution decisions
• Purchasing functions
• Cash disbursements (trade accounts and payroll)

The computer applications that support these business functions directly are critical. Hence, these applications should be identified and prioritized in the restoration plan. Application priorities may change over time, and these decisions must be reassessed regularly. Systems are constantly revised and expanded to reflect changes in user requirements. Similarly, the DRP must be updated to reflect new developments and identify critical applications. Up-to-date priorities are important, because they affect other aspects of the strategic plan. For example, changes in application priorities may cause changes in the nature and extent of second-site backup requirements and specific backup procedures, which are discussed later.

The task of identifying critical items and prioritizing applications requires the active participation of user departments, accountants, and auditors. Too often, this task is incorrectly viewed as a technical computer issue and therefore delegated to IT professionals. Although the technical assistance of IT professionals will be required, this task is a business decision and should be made by those best equipped to understand the business problem.

Creating a Disaster Recovery Team

Recovering from a disaster depends on timely corrective action. Delays in performing essential tasks prolong the recovery period and diminish the prospects for a successful recovery. To avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved.

Figure 2.7 presents an organizational chart depicting the composition of a disaster recovery team. The team members should be experts in their areas and have assigned tasks. Following a disaster, team members will delegate subtasks to their subordinates. It should be noted that traditional control concerns do not apply in this setting. The environment created by the disaster may make it necessary to violate control principles such as segregation of duties, access controls, and supervision.

FIGURE 2.7 Disaster Recovery Team. DRP Team Coordinator: VP Operations. Second-Site Backup Group (DP Manager, Plant Engineer Manager, Computer Operations Manager, Teleprocessing Manager, User Departments Representative, Internal Audit Representative); objective: prepare backup site for operation and acquire hardware from vendors. Program and Data Backup Group (Systems Development Manager, Systems Maintenance Manager, Senior Systems Programmer, Senior Maintenance Programmer, Internal Audit Representative); objective: provide current versions of all critical applications, data files, and documentation. Data Conversion and Data Control Group (Data Control Manager, Data Conversion Manager, Data Conversion Shift Supervisor, User Department Representatives); objective: reestablish the data conversion and data control functions necessary to process critical applications.

Providing Second-Site Backup

A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. Among the options available, the most common are mutual aid pact; empty shell or cold site; recovery operations center or hot site; and internally provided backup. Each of these is discussed in the following sections.

Mutual Aid Pact. A mutual aid pact is an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster. In such an event, the host company must disrupt its processing schedule to process the critical transactions of the disaster-stricken company. In effect, the host company itself must go into an emergency operation mode and cut back on the processing of its lower-priority applications to accommodate the sudden increase in demand for its IT resources.

The popularity of these reciprocal agreements is driven by economics; they are relatively cost-free to implement. In fact, mutual aid pacts work better in theory than in practice. In the event of a disaster, the stricken company has no guarantee that the partner company will live up to its promise of assistance. To rely on such an arrangement for substantive relief during a disaster requires a level of faith and untested trust that is uncharacteristic of sophisticated management and its auditors.

Empty Shell. The empty shell or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center. In the event of a disaster, the shell is available and ready to receive whatever hardware the temporary user needs to run essential systems. This approach, however, has a fundamental weakness. Recovery depends on the timely availability of the necessary computer hardware to restore the data processing function. Management must obtain assurances through contracts with hardware vendors that, in the event of a disaster, the vendor will give the company's needs priority. An unanticipated hardware supply problem at this critical juncture could be a fatal blow.

Recovery Operations Center. A recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their

Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
54 Chapter 2: Auditing IT Governance Controls Disaster Recovery Planning 55

clients, who pay an annual fee for access rights. In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.

September 11, 2001, was a true test of the reliability and effectiveness of the ROC approach. Comdisco, a major ROC provider, had 47 clients who declared 93 separate disasters on the day of the attack. All 47 companies relocated and worked out of Comdisco's recovery centers. At one point, 3,000 client employees were working out of the centers. Thousands of computers were configured for clients' needs within the first 24 hours, and systems recovery teams were on-site wherever police permitted access. By September 25, nearly half of the clients were able to return to their facilities with a fully functional system.

Although the Comdisco story illustrates a ROC success, it also points to a potential problem with this approach. A widespread natural disaster, such as a flood or an earthquake, may destroy the data processing capabilities of several ROC members located in the same geographic area. All the victim companies will find themselves vying for access to the same limited facilities. Because some ROC service providers oversell their capacity by a ratio of 20:1, the situation is analogous to a sinking ship that has an inadequate number of lifeboats.

The period of confusion following a disaster is not an ideal time to negotiate property rights. Therefore, before entering into a ROC arrangement, management should consider the potential problems of overcrowding and geographic clustering of the current membership.

Internally Provided Backup. Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides. This permits firms to develop standardized hardware and software configurations, which ensure functional compatibility among their data processing centers and minimize cutover problems in the event of a disaster.

Pershing, a division of Donaldson, Lufkin & Jenrette Securities Corporation, processes more than 36 million transactions per day, about 2,000 per second. Pershing management recognized that a ROC vendor could not provide the recovery time they wanted and needed. The company, therefore, built its own remote mirrored data center. The facility is equipped with high-capacity storage devices capable of storing more than 20 terabytes of data and two IBM mainframes running high-speed copy software. All transactions that the main system processes are transmitted in real time along fiber-optic cables to the remote backup facility. At any point in time, the mirrored data center reflects the current economic events of the firm. The mirrored system has reduced Pershing's data recovery time from 24 hours to 1 hour.

Backup and Off-Site Storage Procedures

All data files, applications, documentation, and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location. Data processing personnel should routinely perform backup and storage procedures to obtain and secure these critical resources.

Operating System Backup. If the company uses a cold site or other method of site backup that does not include a compatible operating system (O/S), procedures for obtaining a current version of the operating system need to be clearly specified. The data librarian, if one exists, would be a key person to involve in performing this task in addition to the application and data backup procedures discussed next.

Application Backup. Based on results obtained in the critical applications step discussed previously, the DRP should include procedures to create copies of current versions of critical applications. In the case of commercial software, this involves purchasing backup copies of the latest software upgrades used by the organization. For in-house developed applications, backup procedures should be an integral step in the systems development and program change process, which is discussed in detail in Chapter 5.

Backup Data Files. The state of the art in database backup is the remote mirrored site, which provides complete data currency. Not all organizations are willing or able to invest in such backup resources. As a minimum, however, databases should be copied daily to high-capacity, high-speed media, such as tape or CDs/DVDs, and secured off-site. In the event of a disruption, reconstruction of the database is achieved by updating the most current backed-up version with the subsequent transaction data. Likewise, master files and transaction files should be protected.

Backup Documentation. The system documentation for critical applications should be backed up and stored off-site along with the applications. System documentation can constitute a significant amount of material, and the backup process is complicated further by frequent application changes (see Chapter 5). Documentation backup may, however, be simplified and made more efficient through the use of Computer Aided Software Engineering (CASE) documentation tools. The DRP should also include a provision for backing up end-user manuals, because the individuals processing transactions under disaster conditions may not be the usual staff who are familiar with the system.

Backup Supplies and Source Documents. The organization should create backup inventories of supplies and source documents used in processing critical transactions. Examples of critical supplies are check stocks, invoices, purchase orders, and any other special-purpose forms that cannot be obtained immediately. The DRP should specify the types and quantities needed of these special items. Because these are such routine elements of the daily operations, they are often overlooked by disaster contingency planners. At this point, it is worth noting that a copy of the current DRP document should also be stored off-site at a secure location.

Testing the DRP. The most neglected aspect of contingency planning is testing the DRP. Nevertheless, DRP tests are important and should be performed periodically. Tests measure the preparedness of personnel and identify omissions or bottlenecks in the plan.

A test is most useful when the simulation of a disruption is a surprise. When the mock disaster is announced, the status of all processing affected by it should be documented. This approach provides a benchmark for subsequent performance assessments. The plan should be carried through as far as is economically feasible. Ideally, that would include the use of backup facilities and supplies.

The progress of the plan should be noted at key points throughout the test period. At the conclusion of the test, the results can then be analyzed and a DRP performance report prepared. The degree of performance achieved provides input for decisions to modify the DRP or schedule additional tests. The organization's management should seek measures of performance in each of the following areas: (1) the effectiveness of DRP team personnel and their knowledge levels; (2) the degree of conversion success (i.e., the number of lost records); (3) an estimate of financial loss due to lost records or facilities; and (4) the effectiveness of program, data, and documentation backup and recovery procedures.
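The Backup Data Files procedure (roll the most recent backup forward with the transaction data recorded after it) and measure (2) of the DRP test (the number of lost records), worked through as an added Python example that is not from the textbook; the record layout, the transaction sequence numbers and all sample data are constructed assumptions.

```python
"""Added example (not from the textbook): rebuild a database from its last
off-site backup by replaying the transactions recorded after the copy was
taken, then count the records lost when part of that log is unavailable.
The record layout, sequence numbers and all sample data are constructed."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Txn:
    seq: int                      # increasing transaction sequence number
    op: str                       # "insert", "update" or "delete"
    key: str
    value: Optional[dict] = None  # row contents for insert/update


@dataclass
class Backup:
    as_of_seq: int                # last transaction reflected in the copy
    rows: Dict[str, dict] = field(default_factory=dict)


def apply_txn(rows: Dict[str, dict], t: Txn) -> None:
    """Apply one transaction to the in-memory table."""
    if t.op == "insert":
        rows[t.key] = dict(t.value)
    elif t.op == "update":
        rows[t.key] = {**rows[t.key], **t.value}   # KeyError if row unknown
    elif t.op == "delete":
        del rows[t.key]
    else:
        raise ValueError(f"unknown op {t.op!r}")


def reconstruct(backup: Backup, log: List[Txn]) -> Tuple[Dict[str, dict], int]:
    """Roll the backup forward by replaying only transactions newer than it.
    Returns the rebuilt rows and the last sequence number recovered. A gap in
    the sequence means the transaction file itself is damaged, so stop rather
    than silently produce a wrong database."""
    rows = copy.deepcopy(backup.rows)
    expected = backup.as_of_seq + 1
    for t in sorted(log, key=lambda x: x.seq):
        if t.seq <= backup.as_of_seq:
            continue                       # already reflected in the backup
        if t.seq != expected:
            raise ValueError(f"log gap: expected seq {expected}, got {t.seq}")
        apply_txn(rows, t)
        expected += 1
    return rows, expected - 1


def lost_records(live: Dict[str, dict], recovered: Dict[str, dict]) -> int:
    """Measure (2) of the DRP test: rows whose recovered state differs from
    the state the live system held before the simulated disruption."""
    keys = set(live) | set(recovered)
    return sum(1 for k in keys if live.get(k) != recovered.get(k))


# Constructed sample: the daily copy was taken after transaction 100.
BACKUP = Backup(as_of_seq=100, rows={"A": {"bal": 100}, "B": {"bal": 50}})
LOG = [
    Txn(101, "insert", "C", {"bal": 10}),
    Txn(102, "update", "A", {"bal": 120}),
    Txn(103, "delete", "B"),
    Txn(104, "insert", "D", {"bal": 5}),
    Txn(105, "update", "C", {"bal": 15}),
]


def drp_test(available_log: List[Txn]) -> Tuple[int, int]:
    """Simulate recovery with whatever part of the log was secured off-site.
    Returns (last sequence recovered, number of lost records)."""
    live, _ = reconstruct(BACKUP, LOG)            # state before the disruption
    recovered, last_seq = reconstruct(BACKUP, available_log)
    return last_seq, lost_records(live, recovered)


if __name__ == "__main__":
    print(drp_test(LOG))        # full log secured off-site: (105, 0)
    print(drp_test(LOG[:3]))    # only 101-103 secured off-site: (103, 2)
```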


Audit Objective

The auditor should verify that management's disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.

Audit Procedures

In verifying that management's DRP is a realistic solution for dealing with a catastrophe, the following tests may be performed.

Site Backup. The auditor should evaluate the adequacy of the backup site arrangement. System incompatibility and human nature both greatly reduce the effectiveness of the mutual aid pact. Auditors should be skeptical of such arrangements for two reasons. First, the sophistication of the computer system may make it difficult to find a potential partner with a compatible configuration. Second, most firms do not have the necessary excess capacity to support a disaster-stricken partner while also processing their own work. When it comes to the crunch, the management of the firm untouched by disaster will likely have little appetite for the sacrifices that must be made to honor the agreement.

More viable but expensive options are the empty shell and the recovery operations center. These too must be examined carefully. If the client organization is using the empty shell method, then the auditor needs to verify the existence of valid contracts with hardware vendors that guarantee delivery of needed computer hardware with minimum delay after the disaster. If the client is a member of a ROC, the auditor should be concerned about the number of ROC members and their geographic dispersion. A widespread disaster may create a demand that cannot be satisfied by the ROC facility.

Critical Application List. The auditor should review the list of critical applications to ensure that it is complete. Missing applications can result in failure to recover. The same is true, however, for restoring unnecessary applications. Including applications on the critical list that are not needed to achieve short-term survival can misdirect resources and distract attention from the primary objective during the recovery period.

Software Backup. The auditor should verify that copies of critical applications and operating systems are stored off-site. The auditor should also verify that the applications stored off-site are current by comparing their version numbers with those of the actual applications in use. Application version numbering is explained in detail in Chapter 5.

Data Backup. The auditor should verify that critical data files are backed up in accordance with the DRP. Specific data backup procedures for both flat files and relational databases are discussed in detail in Chapter 4.

Backup Supplies, Documents, and Documentation. The system documentation, supplies, and source documents needed to process critical transactions should be backed up and stored off-site. The auditor should verify that the types and quantities of items specified in the DRP, such as check stock, invoices, purchase orders, and any special-purpose forms, exist in a secure location.

Disaster Recovery Team. The DRP should clearly list the names, addresses, and emergency telephone numbers of the disaster recovery team members. The auditor should verify that members of the team are current employees and are aware of their assigned responsibilities. On one occasion, while reviewing a firm's DRP, the author discovered that a team leader listed in the plan had been deceased for nine months.

OUTSOURCING THE IT FUNCTION

The costs, risks, and responsibilities associated with maintaining an effective corporate IT function are significant. Many executives have therefore opted to outsource their IT functions to third-party vendors who take over responsibility for the management of IT assets and staff and for delivery of IT services, such as data entry, data center operations, applications development, applications maintenance, and network management. Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor's expertise), and reduced IT costs. By moving IT facilities offshore to low labor-cost areas and/or through economies of scale (by combining the work of several clients), the vendor can perform the outsourced function more cheaply than the client firm could have otherwise. The resulting cost savings are then passed to the client organization. Furthermore, many IT outsourcing arrangements involve the sale of the client firm's IT assets, both human and machine, to the vendor, which the client firm then leases back. This transaction results in a significant one-time cash infusion to the firm.

The logic underlying IT outsourcing follows from core competency theory, which argues that an organization should focus exclusively on its core business competencies, while allowing outsourcing vendors to efficiently manage the noncore areas such as the IT functions. This premise, however, ignores an important distinction between commodity and specific IT assets.

Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions. Specific IT assets, in contrast, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside their current use. Such assets may be tangible (computer equipment), intellectual (computer programs), or human. Examples of specific assets include systems development, application maintenance, data warehousing, and highly skilled employees trained to use organization-specific software.

Transaction Cost Economics (TCE) theory is in conflict with the core competency school by suggesting that firms should retain certain specific noncore IT assets in-house. Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement. Therefore, if the organization should decide to cancel its outsourcing contract with the vendor, it may not be able to return to its pre-outsource state. On the other hand, TCE theory supports the outsourcing of commodity assets, which are easily replaced or obtained from alternative vendors.

Naturally, a CEO's perception of what constitutes a commodity IT asset plays an important role in IT outsourcing decisions. Often this comes down to a matter of definition and interpretation. For example, most CEOs would define their IT function as a noncore commodity, unless they are in the business of developing and selling IT applications. Consequently, a belief that all IT can, and should, be managed by large service organizations tends to prevail. Such misperception reflects, in part, both a lack of executive education and the dissemination of faulty information regarding the virtues and limitations of IT outsourcing.3

3 This knowledge disconnect is not unique to IT outsourcing; it has been observed by Ramiller and Swanson in their research on how executives respond to what is termed organizing visions for IT [101].
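Three of the DRP audit procedures from the preceding section (Software Backup, Critical Application List, and Disaster Recovery Team) expressed as automated checks an auditor could run against the plan, as an added Python example that is not from the textbook; the record layouts, the survival_critical flag, and all sample data are constructed assumptions.

```python
"""Added example (not from the textbook): automated versions of three DRP
audit procedures: Software Backup (off-site copies are current), Critical
Application List (complete and not padded) and Disaster Recovery Team
(members are current employees). The record layouts, the survival_critical
flag and all sample data are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Finding = Tuple[str, str]   # (finding code, item it concerns)


@dataclass(frozen=True)
class ProdApp:
    version: str              # version actually in use in production
    survival_critical: bool   # needed for short-term survival (assumed flag)


def audit_software_backup(drp_critical: Set[str], offsite: Dict[str, str],
                          production: Dict[str, ProdApp]) -> List[Finding]:
    """Each application on the critical list must have an off-site copy whose
    version number matches the version in use."""
    findings = []
    for app in sorted(drp_critical):
        if app not in offsite:
            findings.append(("missing_offsite_copy", app))
        elif app in production and offsite[app] != production[app].version:
            findings.append(("stale_offsite_copy", app))
    return findings


def audit_critical_list(drp_critical: Set[str],
                        production: Dict[str, ProdApp]) -> List[Finding]:
    """The list must omit nothing needed to recover, and must not carry
    applications that would misdirect resources during recovery."""
    findings = []
    for app, rec in sorted(production.items()):
        if rec.survival_critical and app not in drp_critical:
            findings.append(("missing_from_critical_list", app))
        elif not rec.survival_critical and app in drp_critical:
            findings.append(("unnecessary_on_critical_list", app))
    return findings


def audit_recovery_team(drp_team: Iterable[str],
                        active_employees: Set[str]) -> List[Finding]:
    """Every listed team member must appear on the current HR roster."""
    return [("not_current_employee", m) for m in drp_team
            if m not in active_employees]


# Constructed sample data standing in for the DRP, the production inventory,
# the off-site vault register and the HR roster.
PRODUCTION = {
    "GL": ProdApp("4.2", True),
    "AP": ProdApp("2.0", True),
    "Payroll": ProdApp("7.1", True),
    "Marketing-BI": ProdApp("1.3", False),
}
DRP_CRITICAL = {"GL", "AP", "Marketing-BI"}
OFFSITE_VERSIONS = {"GL": "4.2", "AP": "1.9"}
DRP_TEAM = ["J. Smith (team leader)", "R. Lee", "M. Chen"]
ACTIVE_EMPLOYEES = {"R. Lee", "M. Chen"}


def run_drp_audit() -> List[Finding]:
    """Run all three procedures and return the combined findings list."""
    return (audit_software_backup(DRP_CRITICAL, OFFSITE_VERSIONS, PRODUCTION)
            + audit_critical_list(DRP_CRITICAL, PRODUCTION)
            + audit_recovery_team(DRP_TEAM, ACTIVE_EMPLOYEES))


if __name__ == "__main__":
    for code, item in run_drp_audit():
        print(f"{code:30} {item}")
```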


Risks Inherent to IT Outsourcing

Large-scale IT outsourcing events are risky endeavors, partly because of the sheer size of these financial deals, but also because of their nature. The level of risk is related to the degree of asset specificity of the outsourced function. The following sections outline some well-documented issues.

Failure to Perform

Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance. The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS). In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its ability to serve other clients. Following an 11-year low in share prices, EDS stockholders filed a class-action lawsuit against the company. Clearly, vendors experiencing such serious financial and legal problems threaten the viability of their clients also.

Vendor Exploitation

Large-scale IT outsourcing involves transferring to a vendor specific assets, such as the design, development, and maintenance of unique business applications that are critical to an organization's survival. Specific assets, while valuable to the client, are of little value to the vendor beyond the immediate contract with the client. Indeed, they may well be valueless should the client organization go out of business. Because the vendor assumes risk by acquiring the assets and can achieve no economies of scale by employing them elsewhere, the client organization will pay a premium to transfer such functions to a third party. Further, once the client firm has divested itself of such specific assets it becomes dependent on the vendor. The vendor may exploit this dependency by raising service rates to an exorbitant level. As the client's IT needs develop over time beyond the original contract terms, it runs the risk that new or incremental services will be negotiated at a premium. This dependency may threaten the client's long-term flexibility, agility, and competitiveness and result in even greater vendor dependency.

Outsourcing Costs Exceed Benefits

IT outsourcing has been criticized on the grounds that unexpected costs arise and the full extent of expected benefits is not realized. One survey revealed that 47 percent of 66 firms surveyed reported that the costs of IT outsourcing exceeded outsourcing benefits. One reason for this is that outsourcing clients often fail to anticipate the costs of vendor selection, contracting, and the transitioning of IT operations to the vendors.

Reduced Security

Information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data. When corporate financial systems are developed and hosted overseas, and program code is developed through interfaces with the host company's network, U.S. corporations are at risk of losing control of their information. To a large degree, U.S. firms are reliant on the outsourcing vendor's security measures, data-access policies, and the privacy laws of the host country. For example, a woman in Pakistan obtained patient-sensitive medical data from the University of California Medical Center in San Francisco. She gained access to the data from a medical transcription vendor for whom she worked. The woman threatened to publish the records on the Internet if she did not get a raise in pay. Terrorism in Asia and the Middle East raises additional security concerns for companies outsourcing technology offshore. For example, on March 5, 2005, police in Delhi, India, arrested a cell of suspected terrorists who were planning to attack outsourcing firms in Bangalore, India.

Loss of Strategic Advantage

IT outsourcing may create incongruence between a firm's IT strategic planning and its business planning functions. Organizations that use IT strategically must align business strategy and IT strategy or run the risk of decreased business performance. To promote such alignment, firms need IT managers and chief information officers (CIOs) who have a strong working knowledge of the organization's business. A survey of 213 IT managers in the financial services industry confirmed that a firm's IT leadership needs to be closely aligned with the firm's competitive strategy. Indeed, some argue that the business competence of CIOs is more important than their IT competence in facilitating strategic congruence.

Accomplishing such alignment necessitates a close working relationship between corporate management and IT management in the concurrent development of business and IT strategies. This, however, is difficult to accomplish when IT planning is geographically redeployed offshore or even domestically. Further, because the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them. This fundamental underpinning of IT outsourcing is inconsistent with the client's pursuit of strategic advantage in the marketplace.

Audit Implications of IT Outsourcing

Management may outsource its organization's IT functions, but it cannot outsource its management responsibilities under SOX for ensuring adequate IT internal controls. The PCAOB specifically states in its Auditing Standard No. 2, "The use of a service organization does not reduce management's responsibility to maintain effective internal control over financial reporting. Rather, user management should evaluate controls at the service organization, as well as related controls at the user company, when making its assessment about internal control over financial reporting." Therefore, if an audit client firm outsources its IT function to a vendor that processes its transactions, hosts key data, or performs other significant services, the auditor will need to conduct an evaluation of the vendor organization's controls, or alternatively obtain a SAS No. 70 auditor's report from the vendor organization.

Statement on Auditing Standards No. 70 (SAS 70) is the definitive standard by which client organizations' auditors can gain knowledge that controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client's financial statements. The SAS 70 report, which is prepared by the vendor's auditor, attests to the adequacy of the vendor's internal controls. This is the means by which an outsourcing vendor can obtain a single audit report that may be used by its clients' auditors and thus preclude the need for each client firm's auditor to conduct its own audit of the vendor organization's internal controls.

Figure 2.8 illustrates how a SAS 70 report works in relation to the vendor, the client firms, and their respective auditors. The outsourcing vendor serves clients 1, 2, 3, and 4 with various IT services. The internal controls over the outsourced services reside at the vendor location. They are audited by the vendor's auditor, who expresses an opinion and


[Figure 2.8: SAS 70 reporting relationships. The outsourcing vendor's auditor issues a single SAS 70 report, which is relied upon by the auditors of Client 1 (Auditor A), Client 2 (Auditor B), Client 3 (Auditor C), and Client 4 (Auditor D).]

issues a SAS 70 report on the control adequacy. Each of the client firms is audited by
different auditors A, B, C, and D, respectively, who as part of their respective audits,
rely on the vendors SAS 70 report and are thus not compelled to individually test the
vendors controls. Given that a vendor may have hundreds or even thousands of clients,
individual testing under SOX would be highly disruptive to the vendors operations,
costly to the client, and impractical.
Service provider auditors issue two types of SAS 70 reports. An SAS 70 Type I re-
port is the less rigorous of the two and comments only on the suitability of the controls
design. An SAS 70 Type II report goes further and assesses whether the controls are op-
erating effectively based on tests conducted by the vendor organizations auditor. The
vast majority of SAS 70 reports issued are Type II. Because Section 404 requires the ex-
plicit testing of controls, SAS 70 Type I reports are of little value in a post-SOX world.

This chapter presented risks and controls related to IT governance. It began with a brief
definition of IT governance and identified its implications for internal control and finan-
cial reporting. Next it presented exposures that can arise from inappropriate structuring
of the IT function within the organization. The chapter turned to a review of computer
center threats and controls, which include protecting it from damage and destruction
from natural disasters, fire, temperature, and humidity. The chapter then presented the
key elements of a disaster recovery plan. Several factors need to be considered in such a
plan, including providing second-site backup, identifying critical applications, perform-
ing backup and off-site storage procedures, creating a disaster recovery team, and testing
the DRP. The final section of the chapter examined issues surrounding the growing
