Auditing IT Controls Part I: Sarbanes-Oxley and IT Governance
Auditing is a SYSTEMATIC PROCESS of OBJECTIVELY OBTAINING and EVALUATING EVIDENCE regarding ASSERTIONS, to ascertain the degree of correspondence between those assertions and established criteria.
Systematic means:
- Structured
- Logical process
- Organized series of steps
Phases of the audit:
- UNDERSTAND your client's business
- Assess internal control
- Detailed investigation of the quality of specific account balances and transactions
An auditor must:
Be INDEPENDENT and COMPETENT
Follow 10 Generally Accepted Auditing Standards (GAAS)
How is evidence obtained?
By conducting AUDIT PROCEDURES, auditors gather evidence that will corroborate or refute management's assertions.
Evaluate Evidence:
Is it Sufficient?
Is it Appropriate?
MANAGEMENT ASSERTIONS
are claims made by management regarding the content of their issued financial statements:
1. Assertions about classes of transactions and
events for the period under audit
2. Assertions about account balances at the end
of the period
3. Assertions about the presentation and disclosure
Examples (controls over transaction processing):
Cash disbursement batch balancing technique
Accounts receivable check digit procedure
Payroll system limit check
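The three controls named above are easier to evaluate when you can see what each one actually rejects. The following is an added worked example, not code from the original notes. Assumptions: the check digit uses the Luhn mod-10 scheme (the notes do not name an algorithm), the payroll ceiling is 60 hours per period, and every batch, account number and timecard is constructed sample data.

```python
"""Worked example of three automated transaction controls: an
accounts-receivable check digit, cash-disbursement batch balancing and a
payroll limit check. Added illustration, not from the original notes.
Assumptions: Luhn mod-10 check digit, a 60-hour payroll ceiling, and
constructed sample data throughout."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


def luhn_check_digit(base: str) -> str:
    """Compute the mod-10 check digit to append to the numeric string `base`."""
    total = 0
    # Walking right to left, the digit next to the check position is doubled,
    # then every other digit; a doubled value above 9 has 9 subtracted.
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_valid(account_number: str) -> bool:
    """Accounts receivable check digit procedure: reject an account number whose
    trailing digit does not match. Catches a single mistyped digit and most
    adjacent transpositions before the receivable is posted to the wrong customer."""
    if not account_number.isdigit() or len(account_number) < 2:
        return False
    return luhn_check_digit(account_number[:-1]) == account_number[-1]


@dataclass(frozen=True)
class Disbursement:
    cheque_no: int
    vendor_account: str
    amount_cents: int  # integer cents avoid floating-point drift in totals


# Constructed sample batch: three cheques keyed by the payables clerk.
SAMPLE_BATCH: List[Disbursement] = [
    Disbursement(1001, "79927398713", 50_000),
    Disbursement(1002, "12345674", 72_550),
    Disbursement(1003, "50005", 5_500),
]
# Control figures recorded on the batch ticket before keying (constructed).
SAMPLE_CONTROLS: Dict[str, int] = {
    "record_count": 3,
    "control_total_cents": 128_050,
    "hash_total": 3006,  # sum of cheque numbers 1001 + 1002 + 1003
}


def batch_balance(batch: Iterable[Disbursement],
                  controls: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Cash disbursement batch balancing: recompute the record count, the
    monetary control total and a hash total of cheque numbers from the keyed
    records and compare each with the batch ticket. Returns the figures that
    disagree as name -> (expected, actual); an empty dict means the batch
    balances and may be released for processing."""
    records = list(batch)
    actual = {
        "record_count": len(records),
        "control_total_cents": sum(d.amount_cents for d in records),
        # A hash total has no business meaning; it exists only to detect a
        # lost, duplicated or mis-keyed record.
        "hash_total": sum(d.cheque_no for d in records),
    }
    return {k: (controls[k], actual[k]) for k in controls if controls[k] != actual[k]}


def batch_account_exceptions(batch: Iterable[Disbursement]) -> List[int]:
    """Cheque numbers whose vendor account fails the check digit test."""
    return [d.cheque_no for d in batch if not check_digit_valid(d.vendor_account)]


PAYROLL_HOURS_LIMIT = 60.0  # assumed policy ceiling for one pay period


def payroll_limit_check(timecards: Dict[str, float],
                        limit: float = PAYROLL_HOURS_LIMIT) -> List[str]:
    """Payroll system limit check: employee IDs whose reported hours exceed the
    limit, to be held for supervisory review rather than paid automatically."""
    return sorted(emp for emp, hours in timecards.items() if hours > limit)


if __name__ == "__main__":
    print("batch balances:", batch_balance(SAMPLE_BATCH, SAMPLE_CONTROLS) == {})
    print("dropped record:", batch_balance(SAMPLE_BATCH[:2], SAMPLE_CONTROLS))
    print("bad accounts:", batch_account_exceptions(SAMPLE_BATCH))
    print("over limit:", payroll_limit_check({"E100": 40.0, "E101": 62.5, "E102": 60.0}))
```

Note what each control does not catch: batch totals still balance if two amounts are swapped between vendors, and a check digit cannot tell a valid account from the wrong valid account. That is why the controls are layered, and why the auditor tests each one against the assertion it supports rather than treating any one as sufficient.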
PCAOB Auditing Standard No. 5 (since renumbered AS 2201) specifically requires auditors to understand the transaction flows, including the controls over how transactions are initiated, authorized, recorded and reported.
Computer Fraud
- the act of using a computer to take or alter electronic data, or to gain unlawful use of a computer or system.
1. DATA COLLECTION
- the first operational stage in the information system.
3. DATA PROCESSING
Database management fraud includes altering, deleting, corrupting, destroying and stealing an organization's database. A destructive routine planted in the system to fire on a trigger condition is called a "logic bomb".
4. INFORMATION GENERATION
- the process of compiling, arranging, formatting and presenting information.
IT FUNCTION
Five IT functions in an organization:
a) Communication
b) Data Management
c) Marketing
d) Process Improvement
e) Enterprise Resource Planning
COMPUTER FUNCTION
PHYSICAL LOCATION
-directly affects risk of destruction from a disaster.
-away from hazards and traffic.
CONSTRUCTION
-ideally, single-story, solidly constructed with underground utilities.
-windows should not open and an air filtration system should be in place.
ACCESS
-should be limited with locked doors, cameras, key card entrance and
sign-in logs.
AIR CONDITIONING SHOULD PROVIDE APPROPRIATE TEMPERATURE AND
HUMIDITY FOR COMPUTERS
FIRE SUPPRESSION
-alarms, fire extinguishing systems, appropriate construction, fire exits.
FAULT TOLERANCE
- the ability of the system to continue operation when part of the system fails.
- total failure can occur only if multiple components fail.
- redundant arrays of independent disks (RAID) use parallel disks holding redundant data (mirrors or parity) so that if one disk fails, the lost data can be reconstructed from the surviving disks. RAID addresses disk failure only: a deleted or maliciously corrupted file is written to every disk alike, so the off-site backups required by the DRP are still needed.
- uninterruptible power supplies.
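To see why one failed disk is recoverable and two are not, the following added example simulates single-parity striping of the kind RAID 4 and RAID 5 use. It is an illustration written for these notes, not code from the original, and it simplifies: one stripe, an 8-byte block size, parity kept on a dedicated last disk (RAID 5 rotates parity across disks), and constructed sample blocks.

```python
"""Worked example of single-parity fault tolerance (the XOR parity used by
RAID 4/5): how a failed disk's block is rebuilt from the survivors, and why a
second failure loses data. Added illustration, not from the original notes.
Assumptions: one stripe, fixed 8-byte blocks, dedicated parity disk,
constructed sample data."""
from typing import List, Optional, Sequence, Set

BLOCK_SIZE = 8  # bytes per block; real arrays use kilobytes per stripe unit


def xor_blocks(blocks: Sequence[bytes]) -> bytes:
    """Byte-wise XOR of equal-length blocks."""
    out = bytearray(BLOCK_SIZE)
    for block in blocks:
        if len(block) != BLOCK_SIZE:
            raise ValueError("all blocks in a stripe share one size")
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def build_stripe(data_blocks: Sequence[bytes]) -> List[bytes]:
    """Lay out one stripe: the data blocks followed by their parity block.
    Parity is the XOR of all data blocks, so the XOR of every block in the
    stripe is zero; that identity is what makes reconstruction possible."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def reconstruct(stripe: Sequence[Optional[bytes]], failed: Set[int]) -> List[bytes]:
    """Rebuild a stripe in which the disks listed in `failed` returned nothing
    (None). With one failed disk its block is the XOR of all survivors,
    whether it held data or parity. With two or more, single parity has one
    equation and two unknowns, and the data is gone: this is the "total
    failure only if multiple components fail" property, and its limit."""
    if len(failed) > 1:
        raise RuntimeError(f"{len(failed)} disks failed; single parity recovers at most one")
    rebuilt = list(stripe)
    for idx in failed:
        survivors = [b for i, b in enumerate(stripe) if i != idx and b is not None]
        rebuilt[idx] = xor_blocks(survivors)
    return [b for b in rebuilt if b is not None]


def parity_consistent(stripe: Sequence[bytes]) -> bool:
    """Scrub check: the XOR of every block in a healthy stripe is all zeros.
    A non-zero result means silent corruption that the array would not notice
    until a rebuild produced garbage."""
    return xor_blocks(stripe) == bytes(BLOCK_SIZE)


# Constructed sample: three data disks each holding one 8-byte block.
SAMPLE_DATA = [b"ledger01", b"payroll2", b"arrecv03"]


def demo_single_failure(failed_disk: int) -> bool:
    """Fail one disk (data or parity) and confirm reconstruction restores the stripe."""
    stripe = build_stripe(SAMPLE_DATA)
    degraded = [None if i == failed_disk else b for i, b in enumerate(stripe)]
    return reconstruct(degraded, {failed_disk}) == stripe


if __name__ == "__main__":
    for disk in range(len(SAMPLE_DATA) + 1):
        print(f"disk {disk} failed, recovered:", demo_single_failure(disk))
    try:
        reconstruct([None, None] + build_stripe(SAMPLE_DATA)[2:], {0, 1})
    except RuntimeError as exc:
        print("two failures:", exc)
```

The same XOR that rebuilds a lost block also faithfully encodes a bad write: overwrite a block with ransomware output and the parity is recomputed to match, so `parity_consistent` passes and the array is "healthy" while the data is worthless. That is the gap the DRP's off-site backup tests below are meant to cover.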
AUDIT PROCEDURES:
To verify DRP is a realistic solution, the following tests may be performed:
Evaluate adequacy of backup site arrangements.
Review list of critical applications for completeness.
Verify copies of critical applications and operating systems are stored off-site.
Verify critical data files are backed up in accordance with DRP.
Verify that types and quantities of items specified in the DRP exist in a
secure location.
Verify disaster recovery team members are current employees and aware
of their assigned responsibilities.
Organizational Structure Control
Organizational Structure
Specifies the firm's formal reporting relationships, procedures, controls, authority and decision-making process.
Inadequate Documentation
Poor quality systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance.
Program Fraud
Involves making unauthorized changes to program modules for the purpose of committing an illegal act.
THE DISTRIBUTED MODEL
Distributed Data Processing (DDP)
Early days
Centralized processing
Centralized databases
Today’s IT Environment
Distributed data
processing (DDP)
Distributed
databases (DDB)
The Computer Services Function
Distributed Data Processing
In distributed processing the data are stored in different locations (distributed), and to process them the program needs to access the data from those different locations and process them.
Centralized Data Processing
Central processing is when all the data are brought to a common place (server) and processed by the processor (CPU). So basically all the data from disk are brought to a server consisting of RAM (storage) and a CPU (processing).
Organizational Structure for a
Distributed System
Advantages and
Disadvantages of DDP
ADVANTAGES:
Cost reductions
Improved cost control
Improved user satisfaction
Backup of data
DISADVANTAGES:
Inefficient use of resources
Destruction of audit trails
Inadequate segregation of duties
Hiring qualified professionals
Lack of standards
Distributed Organization with
Corporate IT Function
CREATING A CORPORATE IT
FUNCTION
Implement a Corporate IT Function:
Central Testing of Commercial
Hardware and Software
User Services
Standard-setting body
Personnel Review
AUDIT OBJECTIVES RELATING TO
ORGANIZATIONAL STRUCTURE
If DDP used:
Review relevant documentation to determine if individuals or groups are performing incompatible duties.
Verify corporate policies and standards are published and provided to distributed IT units.
Verify compensating controls are in place when needed.
Review systems documentation to verify applications, procedures and databases are in accordance with standards.
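The first and third objectives above are usually tested against an access or role listing, and the review is mechanical enough to script. The following is an added example written for these notes, not code from the original. The duty names, the pairs treated as incompatible, the compensating-control register and the role assignments are all constructed assumptions chosen to illustrate the review, not a standard conflict matrix.

```python
"""Worked example of a segregation-of-duties review for a distributed IT
unit: find individuals or groups holding incompatible duties and record
whether a compensating control covers each conflict. Added illustration, not
from the original notes. Duties, conflict pairs, assignments and compensating
controls are constructed assumptions."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set

Pair = FrozenSet[str]

# Assumed duty pairs that should not sit with one person or one small unit.
INCOMPATIBLE: Set[Pair] = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "database_administration"}),
    frozenset({"computer_operations", "database_administration"}),
    frozenset({"program_change", "move_to_production"}),
}

# Assumed register of compensating controls the unit claims to operate where
# staff size makes full separation impractical. The auditor still has to test
# that each one exists and works; this script only says where one is claimed.
COMPENSATING: Dict[Pair, str] = {
    frozenset({"program_change", "move_to_production"}):
        "independent post-implementation review of the change log",
}

# Constructed role assignments, as they might be extracted from an access list.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"systems_development"},
    "bob": {"computer_operations", "systems_development"},
    "carol": {"program_change", "move_to_production"},
    "regional_it_unit": {"computer_operations", "database_administration", "help_desk"},
}


def find_conflicts(assignments: Dict[str, Set[str]],
                   incompatible: Set[Pair] = INCOMPATIBLE,
                   compensating: Dict[Pair, str] = COMPENSATING) -> List[dict]:
    """One finding per (subject, incompatible pair). `compensating_control` is
    None when nothing mitigates the conflict; those are the exceptions to report."""
    findings = []
    for subject, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            pair = frozenset({a, b})
            if pair in incompatible:
                findings.append({
                    "subject": subject,
                    "duties": (a, b),
                    "compensating_control": compensating.get(pair),
                })
    return findings


def unmitigated(findings: List[dict]) -> List[str]:
    """Subjects with at least one conflict that no compensating control covers."""
    return sorted({f["subject"] for f in findings if f["compensating_control"] is None})


if __name__ == "__main__":
    for f in find_conflicts(ASSIGNMENTS):
        status = f["compensating_control"] or "NO COMPENSATING CONTROL"
        print(f"{f['subject']}: {f['duties'][0]} + {f['duties'][1]} -> {status}")
    print("report as exceptions:", unmitigated(find_conflicts(ASSIGNMENTS)))
```

Note that the group entry is treated exactly like an individual: in a small distributed unit the conflict is often that one team, not one person, holds operations and database administration together, and the review has to look at the unit as a whole rather than at each login.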
Computer Center Security
and Controls
What is Security Control?
Security controls are safeguards or countermeasures to
avoid, detect, counteract, or minimize security risks to
physical property, information, computer systems, or
other assets.
Factors that can affect data processing
Fires
Floods
Wind
Sabotage
Earthquakes
Computer Center Controls
Control Issues:
Providing second-site backup
Identifying critical applications
Performing backup and off-site storage procedures
Creating a disaster recovery team
Testing the DRP
CONTROL ISSUE
PROVIDING SECOND-SITE BACKUP
A necessary ingredient in a DRP is that it provides for
duplicate data processing facilities following a disaster. The
viable options available include the empty shell, recovery
operations center and internally provided backup.
THE EMPTY SHELL or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center.
THE RECOVERY OPERATIONS CENTER (ROC) or hot site is a fully equipped backup data center that many companies share.
INTERNALLY PROVIDED BACKUP - Larger organizations
with multiple data processing centers often prefer the
self- reliance that creating internal excess capacity
provides.
CONTROL ISSUE
IDENTIFYING CRITICAL APPLICATIONS
All applications and data must be restored to pre-disaster business activity levels. The task of identifying and prioritizing critical applications requires the active participation of management, user departments and internal auditors.
[Diagram: an outsourcing vendor serves clients 1 to 4; the vendor's auditor issues an SSAE 16 report on which the clients' auditors A, B, C and D rely.]
Process:
1. The outsourcing vendor serves clients 1, 2, 3 and 4. The system processes and internal controls reside at the vendor location.
2. The vendor is audited by the vendor's auditor, who expresses an opinion and issues an SSAE 16 report.
3. Each client firm is audited by a different auditor (A, B, C and D), each of whom relies on the vendor's SSAE 16 report rather than testing the vendor's controls directly.
4. The service provider's auditor issues two types of SSAE 16 report (SSAE 16 has since been superseded by SSAE 18, and the report is now commonly called a SOC 1):
Type 1: Attests to vendor management's description of their system and the suitability of the design of controls. Less rigorous than Type 2; it comments only on whether the controls are suitably designed, not on whether they operated.
Type 2: Attests to management's description of their system, the suitability of the design of controls, and the operating effectiveness of those controls over the period covered by the report.
SSAE 16 REPORT CONTENTS
Provides description of the service provider’s system including
details of how transactions are processed and results are
communicated to their client organization.