
AUDITING

IT GOVERNANCE CONTROLS
LESSON OBJECTIVES

• Understand the risks of incompatible functions and how to structure the IT function.
• Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities.
• Understand the key elements of a disaster recovery plan.
• Be familiar with the benefits, risks, and audit issues related to IT outsourcing.
IT GOVERNANCE

Information technology governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources. Key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation.
IT GOVERNANCE CONTROLS

• Organizational structure of the IT function
• Computer center operations
• Disaster recovery planning
STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION

The organization of the IT function has implications for the nature and effectiveness of internal controls, which, in turn, has implications for the audit.
CENTRALIZED DATA PROCESSING

Under the centralized data processing model, all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.

(Figures: centralized data processing approach; org chart of the centralized IT function.)

RELATED TERMS

DATABASE ADMINISTRATION

Centrally organized companies maintain their data resources in a central location that is shared by all end users. In this shared data arrangement, an independent group headed by the database administrator (DBA) is responsible for the security and integrity of the database.
DATA PROCESSING

The data processing group manages the computer resources used to perform the day-to-day processing of transactions. It consists of the following organizational functions: data conversion, computer operations, and the data library.
DATA CONVERSION

The data conversion function transcribes transaction data from hard-copy source documents into computer input. For example, data conversion could involve keystroking sales orders into a sales order application in modern systems, or transcribing data onto magnetic media (tape or disk) suitable for computer processing in legacy-type systems.
COMPUTER OPERATIONS

The electronic files produced in data conversion are later processed by the central computer, which is managed by the computer operations group. Accounting applications are usually executed according to a strict schedule that is controlled by the central computer’s operating system.
DATA LIBRARY

The data library is a room adjacent to the computer center that provides safe storage for the off-line data files. Those files could be backups or current data files. For instance, the data library could be used to store backup data on DVDs, CD-ROMs, tapes, or other storage devices.
SYSTEMS DEVELOPMENT

The information systems needs of users are met by two related functions: systems development and systems maintenance.

Systems development is responsible for analyzing user needs and for designing new systems to satisfy those needs. The participants in systems development activities include systems professionals, end users, and stakeholders.
SYSTEMS PROFESSIONALS

Systems professionals include systems analysts, database designers, and programmers who design and build the system. They gather facts about the user’s problem, analyze the facts, and formulate a solution. The product of their efforts is a new information system.
END USERS

End users are those for whom the system is built. They are the managers who receive reports from the system and the operations personnel who work directly with the system as part of their daily responsibilities.
STAKEHOLDERS

Stakeholders are individuals inside or outside the firm who have an interest in the system but are not end users. They include accountants, internal auditors, external auditors, and others who oversee systems development.
SYSTEMS MAINTENANCE

Once a new system has been designed and implemented, the systems maintenance group assumes responsibility for keeping it current with user needs. The term maintenance refers to making changes to program logic to accommodate shifts in user needs over time.
SEGREGATION OF INCOMPATIBLE FUNCTIONS

Operational tasks should be segregated to:
• Separate transaction authorization from transaction processing.
• Separate record keeping from asset custody.
• Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.
DISTRIBUTED DATA PROCESSING

An alternative to the centralized model is the concept of distributed data processing (DDP). The topic of DDP is quite broad, touching upon such related topics as end-user computing, commercial software, networking, and office automation.

Simply stated, DDP involves reorganizing the central IT function into small IT units that are placed under the control of end users.
RISKS ASSOCIATED WITH DDP

ONE | INEFFICIENT USE OF RESOURCES
• risk of mismanagement of organization-wide IT resources by end users
• risk of operational inefficiencies because of redundant tasks being performed within the end-user community
• risk of incompatible hardware and software among end-user functions

TWO | DESTRUCTION OF AUDIT TRAILS

THREE | INADEQUATE SEGREGATION OF DUTIES

FOUR | DIFFICULTY IN HIRING QUALIFIED PERSONNEL

FIVE | LACK OF STANDARDS
ADVANTAGES OF DDP

• Cost Control
• Improved Cost Control Responsibility
• Improved User Satisfaction
• Backup Flexibility
CONTROLLING THE DDP ENVIRONMENT

Implement a Corporate IT Function:
• Central Testing of Commercial Hardware and Software
• User Services
• Standard-Setting Body
• Personnel Review
AUDIT OBJECTIVE

The auditor’s objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks.
Audit Procedures

If a company uses a centralized IT function:
• Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
• Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.
• Verify that computer operators do not have access to the operational details of a system’s internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operations documentation set.
• Through observation, determine that segregation policy is being followed in practice. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.
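The second and fourth procedures above can be partly automated when maintenance records and access logs are available electronically. The script below is an added example, not part of the original slides: it checks a constructed set of design/maintenance assignments and operations room badge records against a constructed incident list (all record layouts, names and the 30-minute grace window are assumptions).

```python
"""Automated checks for two centralized-IT audit procedures.

Added example, not from the original slides. The record layouts
(DESIGNERS, MAINTAINERS, ROLES, ACCESS_LOG, INCIDENTS) are constructed
sample data and assumptions, not a real system's export format.
"""
from datetime import datetime, timedelta

# Original design programmer(s) for a sample of applications (constructed).
DESIGNERS = {
    "AR-billing": {"alice", "bob"},
    "GL-posting": {"carol"},
    "payroll": {"dave"},
}
# Maintenance programmer(s) currently assigned to each application (constructed).
MAINTAINERS = {
    "AR-billing": {"erin"},
    "GL-posting": {"carol"},       # designer also maintains: finding
    "payroll": {"frank", "dave"},  # original designer also maintains: finding
}
# Job roles taken from the job-description review (constructed).
ROLES = {
    "alice": "programmer", "bob": "programmer", "carol": "programmer",
    "dave": "programmer", "erin": "programmer", "frank": "programmer",
    "gina": "operator",
}
# Operations room access log: (timestamp, badge holder) (constructed).
ACCESS_LOG = [
    ("2024-03-04 09:02", "gina"),   # operator: expected
    ("2024-03-04 14:30", "alice"),  # programmer, no open failure: finding
    ("2024-03-05 02:15", "carol"),  # programmer during an outage: acceptable
]
# System failure tickets: (opened, closed) (constructed).
INCIDENTS = [
    ("2024-03-05 01:40", "2024-03-05 03:10"),
]


def check_maintainer_independence(designers, maintainers):
    """Return [(app, person)] where a maintainer was also an original designer."""
    findings = []
    for app, maint in maintainers.items():
        for person in sorted(maint & designers.get(app, set())):
            findings.append((app, person))
    return findings


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def check_programmer_room_access(access_log, roles, incidents,
                                 grace=timedelta(minutes=30)):
    """Return access-log entries by programmers that fall outside every
    system-failure window (ticket open time minus `grace`, to close time)."""
    windows = [(_parse(o) - grace, _parse(c)) for o, c in incidents]
    findings = []
    for ts, who in access_log:
        if roles.get(who) != "programmer":
            continue
        t = _parse(ts)
        if not any(start <= t <= end for start, end in windows):
            findings.append((ts, who))
    return findings


if __name__ == "__main__":
    for f in check_maintainer_independence(DESIGNERS, MAINTAINERS):
        print("maintainer was original designer:", f)
    for f in check_programmer_room_access(ACCESS_LOG, ROLES, INCIDENTS):
        print("programmer in operations room outside a failure window:", f)
```

Each finding is a lead for the auditor to follow up by observation or interview, not a conclusion on its own.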
If DDP is used:
• Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.
• Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
• Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
• Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.
THE COMPUTER CENTER
Accountants routinely examine the physical
environment of the computer center as
part of their annual audit. The objective of
this section is to present computer center
risks and the controls that help to mitigate
risk and create a secure environment.
Physical Location

The physical location of the computer center directly affects the risk of destruction from a natural or man-made disaster. To the extent possible, the computer center should be away from human-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults. The center should be away from normal traffic, for example on the top floor of a building or in a separate, self-contained building. Locating the computer center in the basement of a building increases its risk of flooding.
Construction

Ideally, a computer center should be located in a single-story building of solid construction with controlled access (discussed next). Utility (power and telephone) lines should be underground. The building windows should not open, and an air filtration system should be in place that is capable of extracting pollens, dust, and dust mites.
Access

Access to the computer center should be limited to the operators and other employees who work there. Physical controls, such as locked doors, should be employed to limit access to the center. Access should be controlled by a keypad or swipe card, though fire exits with alarms are necessary. To achieve a higher level of security, access should be monitored by closed-circuit cameras and video recording systems.
Air Conditioning

Computers function best in an air-conditioned environment, and providing adequate air conditioning is often a requirement of the vendor’s warranty. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors can occur in computer hardware when temperatures depart significantly from this optimal range.
Fire Suppression

Fire is the most serious threat to a firm’s computer equipment. Many companies that suffer computer center fires go out of business because of the loss of critical records, such as accounts receivable. The implementation of an effective fire suppression system requires consultation with specialists.
Fault Tolerance

Fault tolerance is the ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.

1. Redundant arrays of independent disks (RAID). RAID involves using parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.

2. Uninterruptible power supplies. Commercially provided electrical power presents several problems that can disrupt computer center operations, including total power failures, brownouts, power fluctuations, and frequency variations. The equipment used to control these problems includes voltage regulators, surge protectors, generators, and backup batteries.
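To show what the RAID description above means by reconstructing lost data from redundant components, here is an added example (not from the original slides) that models one XOR-parity stripe of the kind RAID 5 uses; disks are modelled as byte strings and the data blocks are constructed sample values.

```python
"""XOR-parity stripe reconstruction in the style of RAID 5.

Added example, not from the original slides. A stripe is modelled as a
list of equal-length byte strings: one block per data disk plus a parity
block. The disk contents below are constructed sample data.
"""


def xor_blocks(blocks):
    """XOR equal-length byte strings together, byte by byte."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def make_stripe(data_blocks):
    """Return the disk contents for one stripe: the data blocks followed
    by the parity block P = D0 xor D1 xor ... xor D(n-1)."""
    size = len(data_blocks[0])
    if any(len(b) != size for b in data_blocks):
        raise ValueError("all data blocks in a stripe must be the same length")
    return list(data_blocks) + [xor_blocks(data_blocks)]


def reconstruct(disks, failed):
    """Rebuild the block that was on disk index `failed` from the survivors.
    XOR is its own inverse, so XORing every surviving block (data and
    parity alike) yields the missing one; this works for any single disk."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return xor_blocks(survivors)


def recover(disks, failed_indexes):
    """Return the stripe with the failed disk restored, or None when more
    than one disk in the stripe is lost: single parity cannot cover that,
    which is why a failed disk must be replaced and rebuilt promptly."""
    if len(failed_indexes) != 1:
        return None
    failed = failed_indexes[0]
    restored = list(disks)
    restored[failed] = reconstruct(disks, failed)
    return restored


# Constructed sample stripe: three data disks plus one parity disk.
SAMPLE_BLOCKS = [b"ACCT", b"RECV", b"0042"]

if __name__ == "__main__":
    stripe = make_stripe(SAMPLE_BLOCKS)
    print("parity block:", stripe[-1].hex())
    # Simulate disk 1 failing: its block is lost but can be rebuilt.
    print("rebuilt disk 1:", reconstruct(stripe, 1))
    print("two failures recoverable?", recover(stripe, [0, 2]) is not None)
```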
Audit Objectives

The auditor must verify that:
• Physical security controls are adequate to reasonably protect the organization from physical exposures
• Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center

Audit Procedures
• Test of Physical Construction
• Test of Fire Detection System
• Test of Access Control
• Test of RAID
• Test of Uninterruptible Power Supply
• Test of Insurance Coverage
DISASTER RECOVERY PLANNING

Disasters such as earthquakes, floods, sabotage, and even power failures can be catastrophic to an organization’s computer center and information systems. Disasters may be natural, human-made, or system failures.

Features of a DRP
1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures
Identify Critical Applications

The first essential element of a DRP is to identify the firm’s critical applications and associated data files. Recovery efforts must concentrate on restoring those applications that are critical to the short-term survival of the organization.
Create a Disaster Recovery Team

Recovering from a disaster depends on timely corrective action. Delays in performing essential tasks prolong the recovery period and diminish the prospects for a successful recovery. To avoid serious omissions or duplication of effort during implementation of the contingency plan, task responsibility must be clearly defined and communicated to the personnel involved.
Provide Site Backup

A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. Among the options available, the most common are the mutual aid pact; the empty shell or cold site; the recovery operations center or hot site; and internally provided backup.

• Mutual Aid Pact. A mutual aid pact is an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs in the event of a disaster.

• Empty Shell. The empty shell or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center. In the event of a disaster, the shell is available and ready to receive whatever hardware the temporary user needs to run essential systems.

• Recovery Operations Center. A recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their clients, who pay an annual fee for access rights.

• Internally Provided Backup. Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides. This permits firms to develop standardized hardware and software configurations, which ensure functional compatibility among their data processing centers and minimize cutover problems in the event of a disaster.
Backup and Off-Site Storage Procedures
• Operating System Backup
• Application Backup
• Backup Data Files
• Backup Documentation
• Backup Supplies and Source Documents
• Test the DRP
Audit Objective

The auditor should verify that management’s disaster recovery plan is adequate and feasible for dealing with a catastrophe that could deprive the organization of its computing resources.
Audit Procedures

The auditor may perform the following tests:

• Site Backup. The auditor should evaluate the adequacy of the backup site arrangement. System incompatibility and human nature both greatly reduce the effectiveness of the mutual aid pact.

• Critical Application List. The auditor should review the list of critical applications to ensure that it is complete. Missing applications can result in failure to recover. The same is true, however, for restoring unnecessary applications.

• Software Backup. The auditor should verify that copies of critical applications and operating systems are stored off-site.

• Data Backup. The auditor should verify that critical data files are backed up in accordance with the DRP.

• Backup Supplies, Documents, and Documentation. The system documentation, supplies, and source documents needed to process critical transactions should be backed up and stored off-site.

• Disaster Recovery Team. The DRP should clearly list the names, addresses, and emergency telephone numbers of the disaster recovery team members. The auditor should verify that members of the team are current employees and are aware of their assigned responsibilities.
IT SOURCING

The costs, risks, and responsibilities associated with maintaining an effective corporate IT function are significant. Many executives have therefore opted to outsource their IT functions to third-party vendors who take over responsibility for the management of IT assets and staff and for delivery of IT services, such as data entry, data center operations, applications development, applications maintenance, and network management.

Risks Inherent to IT Sourcing
• Failure to perform
• Vendor exploitation
• Outsourcing costs exceed benefits
• Reduced security
• Loss of strategic advantage
Audit Implications of Sourcing IT Functions

An auditor should consider PSA 402, Audit Considerations Relating to Entities Using Service Organizations, in conducting the audit of a client that has outsourced its IT functions.
COBIT 4.1 VS COBIT 5

WHAT IS COBIT?
• A framework and supporting tool set that allows managers to bridge the gap with respect to control requirements, technical issues and business risks, and communicate that level of control to stakeholders.
• It enables the development of clear policies and good practice for IT control throughout enterprises.
• It is continuously kept up to date and harmonized with other standards and guidance.
ROLE OF COBIT
• Integrator for IT good practices
• The umbrella framework for IT governance that helps in understanding and managing the risks and benefits associated with IT
BENEFITS OF COBIT
• Better alignment, based on a business focus
• A view, understandable to management, of what IT does
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common language
COBIT 4.1 TO COBIT 5
• Separation of governance and management domains

GOVERNANCE AND MANAGEMENT
(Figure: COBIT 5 governance and management domains.)

AREAS OF CHANGE
1. New GEIT Principles
2. Increased Focus on Enablers
3. New Process Reference Model (PRM)
4. Updated Control Objectives
5. New and Modified Processes
6. Practices and Activities
7. Goals and Metrics
8. Inputs and Outputs at the Practice Level
9. Expanded RACI Charts with Business and IT Roles
1. NEW GEIT PRINCIPLES
• Val IT and Risk IT frameworks are principles-based.
2. INCREASED FOCUS ON ENABLERS
• Seven new enablers were introduced by COBIT 5.
• COBIT 4.1 resources were known as Services and People; COBIT 5 has further defined and detailed these categories.
• Principles, Policies and Frameworks were mentioned in a few COBIT 4.1 processes, and Processes were central to COBIT 4.1 use.
• COBIT 5’s organizational structure was implied through the responsible, accountable, consulted or informed (RACI) roles and their definitions found in COBIT 4.1.
• Culture, Ethics and Behavior were also mentioned in a few COBIT 4.1 processes.
3. NEW PROCESS REFERENCE MODEL
• COBIT 5 is based on a revised process reference model with a new governance domain and several new and modified processes that now cover enterprise activities end-to-end.
• COBIT 5 consolidates COBIT 4.1, Val IT, and Risk IT into one framework, aligned with current best practices.
4. UPDATED CONTROL OBJECTIVES
• “Management practices”
• The content was expanded, and the COBIT 4.1 control practices were updated and moved into the PRM for user convenience.
5. NEW AND MODIFIED PROCESSES
• COBIT 5 introduces five new governance processes that have leveraged and improved COBIT 4.1, Val IT and Risk IT governance approaches.

This guidance:
• Helps enterprises to further refine and strengthen executive management-level GEIT practices and activities
• Supports GEIT integration with existing enterprise governance practices and is aligned with ISO/IEC 38500
There are several new and modified processes that reflect current thinking, in particular:
• APO03 Manage enterprise architecture.
• APO04 Manage innovation.
• APO05 Manage portfolio.
• APO06 Manage budget and costs.
• APO08 Manage relationships.
• APO13 Manage security.
• BAI05 Manage organisational change enablement.
• BAI08 Manage knowledge.
• BAI09 Manage assets.
• DSS05 Manage security service.
• DSS06 Manage business process controls.

COBIT 5 processes now cover end-to-end business and IT activities, i.e., a full enterprise-level view.
6. PRACTICES AND ACTIVITIES
• The COBIT 5 governance or management practices are related to the COBIT 4.1 control objectives and Val IT and Risk IT processes.
• The COBIT 5 activities are equivalent to the COBIT 4.1 control practices and Val IT and Risk IT management practices.
• COBIT 5 integrates and updates all of the previous content into the one new model.
7. GOALS AND METRICS
• COBIT 5 follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, but these are renamed enterprise goals, IT-related goals and process goals, reflecting an enterprise-level view.
• COBIT 5 provides examples of goals and metrics at the enterprise, process and management practice levels.
8. INPUTS AND OUTPUTS AT THE PRACTICE LEVEL
• COBIT 5 provides inputs and outputs for every management practice, whereas COBIT 4.1 only provided these at the process level.
9. EXPANDED RACI CHARTS WITH BUSINESS AND IT ROLES
• COBIT 5 provides a more complete, detailed and clearer range of generic business and IT role players and charts than COBIT 4.1 for each management practice, enabling better definition of role player responsibilities or level of involvement when designing and implementing processes.
IT AUDIT

An IT audit focuses on the computer-based aspects of an organization’s information system, and modern systems employ significant levels of technology.
Functions
• The primary function of an IT audit is to evaluate the systems that are in place to guard an organization’s information.
• Internal control design and effectiveness.
THE STRUCTURE OF AN IT AUDIT

The primary role of the internal IT audit staff is to independently and objectively assess the controls, reliability and integrity of the company’s IT environment.
ROLE OF IT AUDITOR
• Assessment of Risk
• Preliminary Work
• Audit Fieldwork
WORKS OF AN IT AUDITOR
• Evaluate IT plans, strategies, policies and procedures.
• Make recommendations to management about procedures that affect IT controls.

IT auditing plays an integral role in:
• Financial auditing: analyzes, reviews and tests the systems
• Operational auditing: effectiveness and efficiency
• Compliance auditing: comprehensive review of an organization’s adherence to regulatory guidelines
IT AUDIT SKILLS
BUSINESS SKILLS NEEDED BY AN IT
AUDITOR
1. ESTABLISHING GOALS
IT audit and assurance professionals should
have the skills to understand underlying business
processes, which will enable them to convey their
technical findings with a business focus.
2. Relevant Business Knowledge

Business knowledge encompasses an understanding of the business: what the business is, including its legal status, organization, governance, structure, culture, risk tolerance or appetite, and operations, and how it uses technology in providing services to business units.
3. Impact of Business Knowledge on an IT Audit

Greater business knowledge will likely increase the relevance and practicality of IT audit findings and recommendations, in that they will address business impacts in terms that can be understood and assessed by management and others not possessing a detailed understanding of technology.
4. Eight Business Knowledge Areas
• How is the enterprise organized?
• How is the enterprise governed?
• Under what laws/regulations does the enterprise operate?
• What are the enterprise’s business processes?
• How does the enterprise operate?
• How does the enterprise use technology?
• How does the enterprise finance itself?
• How does the enterprise measure business success?
5. Understanding Important Internal and External Aspects
• Organization
• Governance
• Laws and Regulations
• Business Processes
• Operations
• Financial
SOURCE: https://www.isaca.org/Journal/archives/2010/Volume-3/Pages/Business-Skills-for-the-IT-Audit-and-Assurance-Professional.aspx
CERTIFIED INFORMATION SYSTEMS AUDITOR EXAMINATION

Description
The CISA designation is a globally recognized certification for IS audit, control, and security professionals.

Eligibility
Five (5) or more years of experience in IS audit, control, assurance, or security. Waivers are available for a maximum of three (3) years.

Domains
1. Domain 1: The Process of Auditing Information Systems (21%)
2. Domain 2: Governance and Management of IT (16%)
3. Domain 3: Information Systems Acquisition, Development and Implementation (18%)
4. Domain 4: Information Systems Operations, Maintenance and Service Management (20%)
5. Domain 5: Protection of Information Assets (25%)

• 150 exam questions; 4 hours
• Exam languages: Chinese Traditional, Chinese Simplified, English, French, German, Hebrew, Italian, Japanese, Korean, Spanish and Turkish

Fees
• ISACA Member: $575
• ISACA Nonmember: $760
REFERENCES:
Hall, J. (2011). Information Technology Auditing and Assurance.
https://www.isaca.org/Journal/archives/2010/Volume-3/Pages/Business-Skills-for-the-IT-Audit-and-Assurance-Professional.aspx
http://searchcompliance.techtarget.com/definition/IT-audit-information-technology-audit
http://topaccountingdegrees.org/faq/it-audit
http://www.isaca.org/Certification/Documents/Candidates-Guide-2017_exp_Eng_1116.pdf
