
CHAPTER 2:

IT GOVERNANCE
CSI4601851
Dasar-Dasar Audit SI (Fundamentals of IS Audit)
Even Semester 2013/2014
Fakultas Ilmu Komputer (Faculty of Computer Science)
Universitas Indonesia
Learning Objectives
Understand the risk of incompatible functions and how to structure the IT function
Be familiar with the controls and precautions required to ensure the security of an organization's computer facilities
Be familiar with the benefits, risks and audit issues related to IT outsourcing
Outline
1. Information Technology Governance
2. Structure of the Information Technology Function
3. The Computer Center
4. Outsourcing the IT Function
IT Governance
IT Governance: a subset of corporate governance that focuses on the management and assessment of strategic IT resources
Key objectives:
Reduce risk
Ensure investments in IT resources add value to the corporation
All employees and stakeholders must be active participants in key IT decisions

IT Governance Controls
Three IT governance issues addressed by SOX and the COSO internal control framework:
Organizational structure of the IT function
Computer center operations
Disaster recovery planning
Each issue is treated in the same way:
An explanation of the nature of the risk associated with the issue
A description of the controls needed to mitigate the risk
The audit objectives, which define what needs to be verified regarding the function of the controls in place
Examples of tests of controls to satisfy the audit objectives
Structuring the IT Function
The organization of the IT function has implications for the nature and effectiveness of internal control
IT structure models:
Centralized Data Processing Approach
Distributed Data Processing Approach
Centralized Data Processing
All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization
IT service activities are consolidated and managed as a shared organization resource
The IT services function is usually treated as a cost center whose operating costs are charged back to the end users
(Figure: Organizational chart of the centralized data processing approach)
Primary Services Areas
Database Administration
Headed by the database administrator (DBA), who is responsible for the security and integrity of the database
Data Processing
Manages the computer resources used to perform the day-to-day processing of transactions
Consists of:
Data conversion. Converts hard-copy source documents into computer input
Computer operations. Manages electronic files and controls applications
Data library. A room adjacent to the computer center that provides safe storage for the off-line data files.

Primary Services Areas
Systems development and maintenance
Accommodates users' information system needs
Systems development. Responsible for analyzing user needs and designing new systems to satisfy those needs. Participants: systems professionals, end users and stakeholders.
Systems maintenance. Keeping the information systems current with user needs

Structuring the IT Function
Segregation of incompatible IT functions
Objectives:
Segregate transaction authorization from transaction processing
Segregate record keeping from asset custody
Divide transaction processing steps among individuals so that perpetrating fraud requires collusion
Separating systems development from computer operations
Systems development professionals cannot enter data or run applications
Operations staff have no involvement in application design
Structuring the IT Function
Separating the DBA from other functions. The DBA is responsible for several critical tasks:
Database security
Creating the database schema and user views
Assigning database access authority to users
Monitoring database usage
Planning for future changes
Separating new systems development from maintenance
When one systems development group performs both systems analysis/programming and the maintenance of the programs it wrote, two problems arise:
Inadequate documentation. Reasons: documenting is not an interesting task, and poor documentation gives the programmer job security
Program fraud. Unauthorized changes to program modules. Examples: salami slicing, trap doors
(Figure: Systems development)
Structuring the IT Function
A superior structure for systems development
Separate the new systems development and systems maintenance functions. Reasons:
To improve documentation standards
To block the original programmer's future access to the program
The Distributed Model
Distributed Data Processing (DDP) involves reorganizing the central IT function into small IT units that are placed under the control of end users
Two alternative approaches:
Alternative A: a variant of the centralized model
Systems development, computer operations and database administration remain centralized
Alternative B: decentralized
Needs a networking arrangement that permits communication and data transfers between the units
(Figure: The two distributed data processing approaches)
Risks Associated with DDP
Inefficient use of resources
Mismanagement of resources by end users
Redundant tasks
Hardware and software incompatibility
Destruction of audit trails
Users inadvertently delete files or transactions
Inadequate segregation of duties
One person has several duties
Hiring qualified professionals
Managers may lack the IT knowledge to select IT professionals
Programming errors and system failures due to incompetent employees
Lack of standards
e.g., in developing and documenting systems, choosing programming languages, evaluating performance, acquiring hardware/software
Advantages of DDP
Cost reduction
Data can be edited and entered by end users, eliminating the centralized task of data preparation
Application complexity can be reduced, which in turn reduces systems development and maintenance costs
Improved cost control responsibility
Managers have more control over IT resources
Improved user satisfaction
Users are not hindered in controlling resources
Users want systems professionals (analysts, programmers and computer operators) to be responsive in any situation
Users can be actively involved in developing their own systems
Backup flexibility
Ability to back up computing facilities
Controlling the DDP Environment
Careful analysis is needed to decide whether to centralize or distribute.
Several improvements to the strict DDP model:
Implement a corporate IT function
Central testing of commercial software and hardware
Evaluate system features, controls, and compatibility with industry and organizational standards
User services
Help desk: technical support, FAQs, chat room, etc.
Standard-setting body
Distributes standards for system development, programming and documentation
Personnel review
Involvement of IT staff in employment decisions
(Figure: Organization chart for DDP)
Audit Objectives: DDP Environment
Verify that the structure of the IT function is such that individuals in incompatible areas are segregated:
In accordance with the level of potential risk
And in a manner that promotes a working environment in which formal relationships exist between incompatible tasks
Audit Procedures: Centralized IT Function
Review relevant documentation to determine if individuals or groups are performing incompatible functions
Including the organizational chart, mission statement and job descriptions
Review systems documentation and maintenance records for a sample of applications
Verify that maintenance programmers for specific projects are not also the original design programmers
Verify that computer operators do not have access to the operational details of the systems' internal logic
Including systems documentation, such as systems flowcharts, etc.
Determine that the segregation policy is being followed
Review operations room access logs to determine whether programmers entered because of system failures or for other reasons.
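The audit procedures above can be applied mechanically once the evidence is collected. The following script is an added example (not part of the lecture slides or any textbook): it takes a staff roster, application maintenance records, a computer-room access log and an incident register, all constructed here for illustration, and reports the three kinds of finding the procedures ask for: people whose duties span incompatible functions, applications maintained by their original designer, and programmer entries to the computer room that do not coincide with a recorded system failure.

```python
"""Segregation-of-duties checks for a centralized IT function.

Added example, not from the lecture slides. The roster, application records,
access-log lines and incident register below are constructed samples of the
documents an auditor would collect (org chart, job descriptions, maintenance
records, computer-room access log)."""
from datetime import datetime

# Pairs of IT functions that the slides treat as incompatible.
INCOMPATIBLE = [
    ("systems_development", "computer_operations"),
    ("systems_development", "database_administration"),
    ("computer_operations", "database_administration"),
    ("systems_development", "systems_maintenance"),
]

# Constructed roster: person -> functions they actually perform.
ROSTER = {
    "alice": {"systems_development"},
    "bob": {"computer_operations"},
    "carol": {"database_administration"},
    "dave": {"systems_development", "computer_operations"},  # violation
    "erin": {"systems_development", "systems_maintenance"},  # violation
}

# Constructed maintenance records: who designed each application, who maintains it.
APPLICATIONS = [
    {"app": "payroll", "designer": "alice", "maintainer": "frank"},
    {"app": "billing", "designer": "erin", "maintainer": "erin"},  # violation
]

# Constructed computer-room access log: timestamp,badge holder,function.
ACCESS_LOG = """\
2014-03-03T02:10:00,bob,computer_operations
2014-03-03T02:40:00,alice,systems_development
2014-03-05T14:05:00,alice,systems_development
2014-03-06T09:00:00,carol,database_administration
"""

# Constructed incident register: (ticket, failure start, failure end).
INCIDENTS = [
    ("INC-0417", datetime(2014, 3, 3, 1, 55), datetime(2014, 3, 3, 4, 0)),
]


def incompatible_function_findings(roster):
    """Flag anyone whose duties span an incompatible pair of functions."""
    findings = []
    for person, functions in sorted(roster.items()):
        for a, b in INCOMPATIBLE:
            if a in functions and b in functions:
                findings.append(f"{person} performs incompatible functions: {a} and {b}")
    return findings


def maintainer_is_designer_findings(applications):
    """Flag applications maintained by their original design programmer."""
    return [
        f"{rec['app']}: maintenance programmer {rec['maintainer']} is also the original designer"
        for rec in applications
        if rec["designer"] == rec["maintainer"]
    ]


def programmer_entries_without_incident(access_log, incidents):
    """Programmer entries to the computer room that fall outside any recorded
    system failure; each one needs an explanation from management."""
    unexplained = []
    for line in access_log.strip().splitlines():
        stamp, person, function = line.split(",")
        if function != "systems_development":
            continue
        when = datetime.fromisoformat(stamp)
        if not any(start <= when <= end for _, start, end in incidents):
            unexplained.append((person, stamp))
    return unexplained


def run_audit():
    """Collect all findings in one report (returned, not just printed)."""
    return {
        "incompatible_functions": incompatible_function_findings(ROSTER),
        "designer_maintains_own_code": maintainer_is_designer_findings(APPLICATIONS),
        "unexplained_programmer_entries": programmer_entries_without_incident(ACCESS_LOG, INCIDENTS),
    }


if __name__ == "__main__":
    for category, items in run_audit().items():
        print(category)
        for item in items:
            print("  -", item)
```

The incompatibility list is deliberately data, not code, so that the auditor can extend it (for example with compensating-control exceptions for a distributed unit) without touching the checks. A programmer entry inside an incident window is not automatically acceptable; it is simply not the first thing to ask about.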
Audit Procedures: Distributed IT Function
Review the current organizational chart, mission statement and job descriptions for key functions to determine if individuals or groups are performing incompatible duties
Verify that corporate policies and standards are published and provided to the distributed IT units
Verify that compensating controls are employed when segregation of incompatible duties is infeasible
Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards
The Computer Center
The following are computer center risks and the controls that help to mitigate them and create a secure environment
Physical location
Avoid human-made hazards, system failures and natural hazards
Construction
Ideally: single-story, underground utilities, windowless, with an air filtration system
In a multi-story building, use a middle floor (away from traffic flows, and away from potential flooding in a basement)
Access
Physical: locked doors, cameras
Manual: access log of visitors
(Figure: Data center construction)
The Computer Center
Air conditioning
Best in the temperature range of 70-75 degrees Fahrenheit
Relative humidity of 50%
Fire suppression
Placed in strategic locations
Automatic fire extinguishing system:
Sprinklers (using water)
Halon gas (removing oxygen)
FM-200™ (safe fire suppression)
Strong building construction
Fire exits should be clearly marked and illuminated during a fire
(Figure: Air conditioning)
The Computer Center
Fault tolerance
Redundant Arrays of Independent Disks (RAID)
Using parallel disks
Power supply
Need for clean power
Backup power: uninterruptible power supply (UPS)

Audit Objectives: The Computer Center
Physical security controls are adequate to reasonably protect the organization from physical exposures
Insurance coverage on equipment is adequate to compensate the organization for damage to the computer center
Audit Procedures: The Computer Center
Tests of physical construction
Obtain architectural plans to determine that the building is solidly built of fireproof material
Ensure adequate drainage
Assess the physical location
Tests of the fire detection system
Ensure fire detection and suppression equipment are in place and tested regularly
Review official fire marshal records of tests
Audit Procedures: The Computer Center
Tests of access control
Access to the computer center is restricted to authorized employees
Review the access log
Observe the process by which access is permitted
Review camera videotapes
Test of RAID
Determine whether the RAID level is adequate for the organization, given the level of business risk associated with disk failure
If there is no RAID, review the procedure for recovering from a disk failure
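The RAID test asks two things: is the configured level adequate for the business risk, and is the array actually healthy today. The following is an added example (not from the slides) of how an auditor can answer both from the array status of a Linux host: it parses a constructed sample laid out like /proc/mdstat, computes how many further disk failures each array can survive at its level after subtracting disks already failed, and compares that with the tolerance management says the business requires (an assumed input, here a number the auditor passes in).

```python
"""RAID adequacy and array-health check for the computer-center audit.

Added example, not from the lecture slides. SAMPLE_MDSTAT is a constructed
sample in the layout of Linux /proc/mdstat; required_tolerance (how many
simultaneous disk failures the business must survive) is an assumed input."""
import re

# Guaranteed (worst-case) number of disk failures each level survives.
# RAID 1 depends on the mirror count, so it is computed in tolerated().
# RAID 10 guarantees only one: two failures in the same mirror pair lose data.
FAILURES_TOLERATED = {"raid0": 0, "raid5": 1, "raid6": 2, "raid10": 1}

SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid5] [raid6]
md0 : active raid5 sdc1[2] sdb1[1] sda1[0]
      3906766848 blocks super 1.2 level 5, 512k chunk, algorithm 2 [3/3] [UUU]

md1 : active raid1 sde1[1] sdd1[0](F)
      976630464 blocks super 1.2 [2/1] [U_]

md2 : active raid6 sdj1[3] sdi1[2] sdh1[1] sdg1[0]
      7813533696 blocks super 1.2 level 6, 512k chunk, algorithm 2 [4/4] [UUUU]
"""

# "md0 : active raid5 ..." introduces an array; "[3/2] [UU_]" gives its state.
ARRAY_RE = re.compile(r"^(md\d+) : (\w+) (raid\d+)")
STATE_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")


def parse_mdstat(text):
    """Return one dict per array: name, status, level, disks, active, missing."""
    arrays = []
    current = None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            current = {"name": m.group(1), "status": m.group(2), "level": m.group(3)}
            arrays.append(current)
            continue
        s = STATE_RE.search(line)
        if s and current is not None:
            current["disks"] = int(s.group(1))
            current["active"] = int(s.group(2))
            current["missing"] = s.group(3).count("_")   # each "_" is a failed/absent disk
    return arrays


def tolerated(level, disks):
    """Disk failures a healthy array of this level survives (worst case)."""
    if level == "raid1":
        return disks - 1        # all members are full copies
    return FAILURES_TOLERATED[level]


def assess_array(arr, required_tolerance):
    """Findings for one array: degraded state, and remaining tolerance
    below what the business requires."""
    remaining = tolerated(arr["level"], arr["disks"]) - arr["missing"]
    findings = []
    if arr["missing"]:
        findings.append(f"{arr['name']} is degraded ({arr['missing']} disk(s) failed)")
    if remaining < required_tolerance:
        findings.append(
            f"{arr['name']} ({arr['level']}, {arr['disks']} disks) can survive "
            f"{max(remaining, 0)} more failure(s); business requires {required_tolerance}"
        )
    return findings


def audit_raid(text, required_tolerance):
    """Whole-host result. With no RAID at all, the slides' fallback applies:
    review the procedure for recovering from a disk failure."""
    arrays = parse_mdstat(text)
    if not arrays:
        return ["no RAID configured: review the procedure for recovering from a disk failure"]
    findings = []
    for arr in arrays:
        findings.extend(assess_array(arr, required_tolerance))
    return findings


if __name__ == "__main__":
    for finding in audit_raid(SAMPLE_MDSTAT, 1):
        print(finding)
```

A degraded RAID 1 or RAID 5 array has zero remaining tolerance, which is the point at which "we have RAID" stops being a mitigating control; the check reports that explicitly rather than just the level on the label. Hardware RAID controllers expose the same facts through their own tools, and the assessment functions apply unchanged once the status is parsed.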

Audit Procedures: The Computer Center
Test of the uninterruptible power supply
Test periodically to ensure that the UPS has the capacity to run the computer and the air conditioning
Record the results
Test of insurance coverage
Annually review the insurance coverage on computer hardware, software and the physical facility
Verify that all new acquisitions are listed on the policy
Verify that obsolete equipment and software have been deleted from the policy
Verify the insurance policy

Disaster Recovery Planning
Disasters such as earthquakes, floods, or power failures can be catastrophic to an organization's computer center and information systems
The more dependent an organization is on technology, the more susceptible it is to these risks
Common features of a DRP:
Identify critical applications
Create a disaster recovery team
Provide site backup
Specify backup and off-site storage procedures
(Figure: Types of disaster)
Identify Critical Applications
Concentrate on restoring those applications that are critical to the short-term survival of the organization
This does not mean immediately restoring the data processing facility to full capacity
Application priorities may change over time, so the DRP must be updated
Participation of user departments, accountants and auditors is needed to identify critical items and application priorities
Creating a Disaster Recovery Team
Recovering from a disaster depends on timely corrective action
Delays reduce the chance of a successful recovery
Task responsibility must be clearly defined and communicated to the personnel involved
Each member has expertise in their own area
In a disaster, team members may have to violate control principles such as segregation of duties, access controls and supervision
(Figure: Disaster recovery team)
Providing Second-Site Backup
Duplicate data processing models
Mutual aid pact
Agreement between two or more organizations to aid each other in the event of a disaster
Driven by economics
Empty shell or cold site
Involves two or more organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
Recovery operations center or hot site
A completely equipped site; very costly and typically shared among many companies
Warm site
Hardware exists, but the backup may not be complete
Internally provided backup
Self-backup
(Figure: Comparison)
Backup and Off-site Storage Procedures
Operating system backup
If the operating system is not included at the backup site, specify the current operating systems in the procedure
Application backup
Include procedures to create copies of the current versions of critical applications
Backup data files
At minimum, back up daily. At best: remote mirroring
Backup documentation
Back up critical system documentation
May be simplified by using Computer Aided Software Engineering (CASE) documentation tools
Backup and Off-site Storage Procedures
Backup supplies and source documents
Examples: check stock, invoices, purchase orders, etc.
Testing the DRP
Should be performed periodically
Surprise simulation
Document the status of all processing affected by the test
Ideally include backup facilities and supplies
Measure performance in the following areas:
The effectiveness of DRP team personnel and their knowledge areas
The degree of conversion success (i.e., the number of lost records)
An estimate of financial loss due to lost records or facilities
The effectiveness of program, data, and documentation backup and recovery procedures
Disaster Recovery Plan
1. Critical Applications: Rank critical applications so that an orderly and effective restoration of computer systems is possible.
2. Create Disaster Recovery Team: Select team members, write job descriptions, and describe the recovery process in terms of who does what.
3. Site Backup: A backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact, where a similar business or a branch of the same company swap availability when needed.
4. Hardware Backup: Some vendors provide computers with their site, known as a hot site or Recovery Operations Center. Some do not provide hardware, known as a cold site. When hardware is not available, make sure the plan accommodates compatible hardware (e.g., the ability to lease computers).
5. System Software Backup: Some hot sites provide the operating system. If it is not included in the site plan, make sure copies are available at the backup site.
6. Application Software Backup: Make sure copies of critical applications are available at the backup site.
7. Data Backup: One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies: A modest inventory of supplies should be at the backup site or able to be delivered quickly.
9. Documentation: An adequate set of copies of user and system documentation.
10. TEST! The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).
Audit Objective
Verify that the DRP is adequate and feasible for dealing with disasters

DRP Audit Procedures
Evaluate the adequacy of second-site backup arrangements
Mutual aid pact partner: are the systems compatible? Is there excess capacity to support the partner?
ROC: how many members share it, and where are they located?
Empty shell: is the contract with hardware vendors valid? Is a minimum delay after the disaster specified?
Review the list of critical applications for completeness and currency
Verify that procedures are in place for storing off-site copies of applications and data
Check the currency of backups and copies
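The backup and off-site storage procedures, the DRP test metric "number of lost records", and the audit steps just listed come down to two checks an auditor can script. The following is an added example (not from the slides): against a constructed critical-application list and backup catalogue it reports, in restoration priority order, any critical application whose latest backup is older than the slides' daily minimum or that has no off-site copy; and it scores a restore test by comparing constructed production records with what the restore brought back, counting records lost outright and records that came back altered. The audit date is a constructed constant.

```python
"""Backup-currency and restore-verification checks for a DRP audit.

Added example, not from the lecture slides. The critical application list,
backup catalogue, record sets and audit date are constructed samples; the
one-day limit is the slides' "back up daily at minimum" rule."""
from datetime import datetime, timedelta

MAX_BACKUP_AGE = timedelta(days=1)
AUDIT_DATE = datetime(2014, 3, 7, 8, 0)   # constructed date of the audit check

# Constructed list of critical applications with restoration priority (1 = first).
CRITICAL_APPS = {"payroll": 1, "billing": 2, "inventory": 3}

# Constructed backup catalogue: most recent backup and where copies are held.
BACKUP_CATALOGUE = {
    "payroll":   {"last_backup": "2014-03-06T23:30:00", "locations": {"onsite", "offsite"}},
    "billing":   {"last_backup": "2014-03-03T23:30:00", "locations": {"onsite", "offsite"}},  # stale
    "inventory": {"last_backup": "2014-03-06T23:30:00", "locations": {"onsite"}},             # no off-site copy
    "intranet":  {"last_backup": "2014-02-01T23:30:00", "locations": {"onsite"}},             # not critical
}

# Constructed production records and what a restore test brought back.
PRODUCTION = [
    {"id": 1001, "employee": "A. Smith", "net_pay": 2100.00},
    {"id": 1002, "employee": "B. Jones", "net_pay": 1850.50},
    {"id": 1003, "employee": "C. Lee", "net_pay": 2300.00},
    {"id": 1004, "employee": "D. Kim", "net_pay": 1990.25},
]
RESTORED = [
    {"id": 1001, "employee": "A. Smith", "net_pay": 2100.00},
    {"id": 1002, "employee": "B. Jones", "net_pay": 1850.50},
    {"id": 1004, "employee": "D. Kim", "net_pay": 1909.25},   # came back with a different value
]


def backup_currency_findings(critical_apps, catalogue, as_of):
    """Check each critical application, in priority order, for a current
    backup and an off-site copy. Non-critical applications are not checked."""
    findings = []
    for app in sorted(critical_apps, key=critical_apps.get):
        entry = catalogue.get(app)
        if entry is None:
            findings.append(f"{app}: no backup recorded")
            continue
        age = as_of - datetime.fromisoformat(entry["last_backup"])
        if age > MAX_BACKUP_AGE:
            findings.append(f"{app}: last backup is {age.days} days old (limit {MAX_BACKUP_AGE.days} day)")
        if "offsite" not in entry["locations"]:
            findings.append(f"{app}: no off-site copy")
    return findings


def restore_test_result(production, restored):
    """Measure conversion success the way the slides define it (number of
    lost records), plus records that were restored with different content."""
    prod = {r["id"]: r for r in production}
    rest = {r["id"]: r for r in restored}
    lost = sorted(set(prod) - set(rest))
    corrupted = sorted(i for i in prod if i in rest and rest[i] != prod[i])
    return {
        "records": len(prod),
        "lost": len(lost),
        "corrupted": len(corrupted),
        "lost_ids": lost,
        "corrupted_ids": corrupted,
    }


if __name__ == "__main__":
    for finding in backup_currency_findings(CRITICAL_APPS, BACKUP_CATALOGUE, AUDIT_DATE):
        print(finding)
    print(restore_test_result(PRODUCTION, RESTORED))
```

Counting corrupted records alongside lost ones matters because a restore that "succeeds" with silently altered values is worse for a payroll or billing application than one that fails loudly; both numbers feed the financial-loss estimate the DRP test is supposed to produce.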

DRP Audit Procedures
Verify that documentation, supplies, etc., are stored off-site
Check that check stock, invoices, purchase orders and any special forms exist in a secure location
Verify that the disaster recovery team knows its responsibilities
Clearly list the names, addresses and telephone numbers of disaster recovery team members
Check the frequency of testing the DRP

Benefits of IT Outsourcing
Improved core business processes
Improved IT performance
Reduced IT costs
Risks of IT Outsourcing
Failure to perform
Poor vendor performance
Vendor exploitation
Vendor dependency
Costs exceed benefits
Failure to anticipate the cost of vendor selection, contracting and the transition of IT operations to the vendor
Reduced security
Sensitive data are in the vendor's hands
Loss of strategic advantage
A close working relationship between corporate management and IT management becomes difficult
Audit Implications of IT Outsourcing
Management retains its SOX responsibilities for ensuring adequate IT internal controls
A SAS No. 70 report or an audit of the vendor will be required
Question - 01
Segregation of duties in the computer-based information
system includes
a. separating the programmer from the computer operator.
b. preventing management override.
c. separating the inventory process from the billing
process.
d. performing independent verifications by the computer
operator.
Question - 02
A disadvantage of distributed data processing is
a. the increased time between job request and job
completion.
b. the potential for hardware and software incompatibility
among users.
c. the disruption caused when the mainframe goes down.
d. that users are not likely to be involved.
e. that data processing professionals may not be properly
involved.
Question - 03
Which of the following is an advantage of distributed data processing?
a. Redundancy
b. user satisfaction
c. Incompatibility
d. lack of standards
Question - 04
Which of the following disaster recovery techniques may be
least optimal in the case of a disaster?
a. empty shell
b. mutual aid pact
c. internally provided backup
d. they are all equally beneficial
Question - 05
Which of the following is a feature of fault tolerance
control?
a. interruptible power supplies
b. RAID
c. Distributed Data Processing
d. Centralized Data Processing
Question - 06
Which of the following disaster recovery techniques has the least risk associated with it?
a. empty shell (cold site)
b. Recovery Operation Center (hot site)
c. Internally provided backup
d. they are all equally risky
Question - 07
Which of the following is NOT a potential threat to computer
hardware and peripherals?
a. low humidity
b. high humidity
c. carbon dioxide fire extinguishers
d. water sprinkler fire extinguishers
Question - 08
Which of the following would strengthen organizational
control over a large-scale data processing center?
a. requiring the user departments to specify the general
control standards necessary for processing transactions
b. requiring that requests and instructions for data
processing services be submitted directly to the
computer operator in the data center
c. having the database administrator report to the
manager of computer operations.
d. assigning maintenance responsibility to the original
system designer who best knows its logic
Question - 09
The following are the benefits of IT Outsourcing EXCEPT
a. Improved core business processes
b. Improved IT performance
c. Reduced IT costs
d. Vendor dependency
Question - 10
Which of the following is true?
a. Core competency theory argues that an organization
should outsource specific core assets.
b. Core competency theory argues that an organization
should focus exclusively on its core business
competencies.
c. Core competency theory argues that an organization
should not outsource specific commodity assets.
d. Core competency theory argues that an organization
should retain certain specific non-core assets in-house.
