Chapter 2: Auditing IT Governance Controls

IT Governance: Definition and Objectives

  • IT governance is a relatively new subset of corporate governance focusing on the management and assessment of strategic IT resources.

  • Key objectives:

    • Reduce risk

    • Ensure IT investments add value to the corporation

  • Before the Sarbanes–Oxley (SOX) Act, IT decisions were typically deferred to corporate IT professionals.

  • Modern IT governance invites broad participation from all corporate stakeholders, including boards of directors, top management, and departmental users (e.g., accounting and finance).

  • Broad involvement reduces risk and increases the likelihood that IT decisions align with user needs, corporate policies, strategic initiatives, and internal control requirements under SOX.

IT Governance Controls and SOX COSO Framework

  • The chapter highlights three IT governance issues that are addressed by SOX and the COSO internal control framework:
    1) Organizational structure of the IT function
    2) Computer center operations
    3) Disaster recovery planning

  • For each issue:

    • Explain the nature of risk

    • Describe the controls needed to mitigate the risk

    • State the audit objectives (what needs to be verified regarding the control)

    • Offer example tests of controls to show how evidence might be gathered

  • Tests of controls can be performed by external auditors (attest services) or by internal auditors and advisory services professionals; the chapter makes no distinction between these service types.

STRUCTURE OF THE CORPORATE IT FUNCTION

  • The IT function’s organization affects internal controls and audit effectiveness.

  • Two extreme models are discussed, with most real-world structures showing elements of both:

    • Centralized data processing

    • Distributed data processing (DDP)

  • The chapter analyzes risks, controls, and audit issues for each model and notes that many structures are hybrids.

Centralized Data Processing

  • All data processing is performed at one or more large central computers serving the entire organization.

  • IT services are consolidated and managed as a shared resource; end users compete for resources based on need.

  • The IT services function is usually treated as a cost center with costs charged back to end users (cost allocation).

  • Primary service areas in centralized IT: database administration, data processing, systems development and maintenance.

  • Key functional components:

    • Data Control / Data Entry: receives hard copy source documents, transcribes to digital format (e.g., keystrokes of sales orders), and disseminates finished reports to end users (e.g., marketing).

    • Computer Operations: executes applications on the central computer according to a strict schedule controlled by the operating system.

    • Data Library: stores offline data files (backups and current data), stores original copies of software licenses; access controlled by a data librarian; role increasingly reduced with real-time processing.

  • Systems Development and Maintenance: two groups collaborate to meet user needs. Participants include systems professionals (analysts, database designers, programmers), end users (managers and operations personnel who receive reports), and stakeholders (inside or outside the firm, such as accountants and auditors).

  • Value and risk implications: centralized structures can automate data processing but create concentration of risk if incompatible duties are not properly separated.

Segregation of Incompatible IT Functions under Centralization

  • Segregation of incompatible IT duties is essential in both manual and IT-enabled processes.

  • In IT environments, consolidation can occur across the following relationships; the chapter emphasizes the need to separate these functions to prevent fraud and errors:

    • Separating Systems Development from Computer Operations: development and maintenance should design and maintain systems; operations should run systems; neither group should be involved in the other’s core tasks. Detailed knowledge of application logic and access to OS utilities by operations personnel could enable unauthorized changes during execution.

    • Separating Database Administration from Other Functions: DBA handles database security (schema, user views, access control, monitoring, and future expansion). Delegating DBA tasks to incompatible areas (e.g., operations) threatens database integrity.

    • Separating New Systems Development from Maintenance: a common approach splits into systems analysis (design) and programming (coding). If a programmer also maintains the system, it can lead to inadequate documentation and opportunities for program fraud.

  • A better structure separates systems development from maintenance: a dedicated maintenance group requires adequate documentation and limits the original programmers’ access to deployed code, which deters program fraud.

  • The distributed model (DDP) is an alternative to centralized data processing.

The Distributed Data Processing (DDP) Model

  • DDP reorganizes the central IT function into smaller IT units under end-user control; distribution can be by function, geography, or both.

  • Two alternative DDP approaches:

    • Alternative A (Variant of centralized): End users receive distributed terminals for input/output; central development, operations, and DBA remain, but data entry is performed by end users.

    • Alternative B: All IT functions are distributed to end users; units operate as standalone entities, interconnected so that they can communicate and transfer data.

  • DDP advantages include potential cost reductions and improved backup flexibility, but the model also introduces significant risks.

Risks Associated with DDP

  • Organizational risks in DDP include:

    • Inefficient use of resources: potential mismanagement when IT resources exceed a threshold (often cited as about 5% of total operations budget); central governance may still be required for larger IT footprints.

    • Destruction of audit trails: audit trails may be stored on end-user machines, risking deletion or corruption; undermines traceability of transactions.

    • Inadequate segregation of duties: small, autonomous end-user units may not separate incompatible duties, enabling fraud or errors.

    • Hiring qualified professionals: end-user units may lack IT expertise, risking higher rates of programming errors.

    • Lack of standards: uneven application of development, documentation, and hardware/software standards across distributed units.

  • Advantages of DDP (balanced view):

    • Cost reductions: use of inexpensive microcomputers/minicomputers; reduced central data preparation; simpler application development/maintenance.

    • Improved cost control: end-user managers gain authority to allocate resources affecting profitability.

    • Improved user satisfaction: four potential benefits, including user control over systems, responsiveness to specific situations, and active user involvement in development.

    • Backup flexibility: distributed units can carry excess capacity to support each other in a disaster; requires close coordination to avoid incompatible hardware/software.

  • Controlling the DDP environment: implement a Corporate IT Function that provides advisory support, standards, testing, and governance to mitigate DDP risks.

  • Corporate IT Function (Figure 2.5) services include:

    • Central Testing of Commercial Software and Hardware: evaluate products for features, controls, and compatibility; set standards for acquisition decisions.

    • User Services: help desk, knowledge sharing (electronic bulletin boards, FAQs, intranet support), training for end users and IT staff.

    • Standard-Setting Body: publish standards for systems development, documentation, and hardware/software acquisition.

    • Personnel Review: assist in evaluating credentials of prospective IT staff by corporate group.

AUDIT OBJECTIVES AND PROCEDURES: CENTRALIZED AND DISTRIBUTED IT

  • Auditor’s objective for centralized IT: verify that incompatible duties are segregated; ensure formal relationships exist between incompatible tasks; ensure design and operational separation.

  • Audit procedures for centralized IT include:

    • Review organizational documents (org chart, mission statements, job descriptions) to identify incompatible duties.

    • Review systems documentation and maintenance records for a sample of applications; verify that maintenance programmers are not the original design programmers.

    • Ensure operators do not have access to the system’s internal logic; ensure system documentation (flowcharts, logic listings) is not part of operations documentation.

    • Observe and verify that segregation policy is followed in practice (e.g., access logs, observer verification).

  • Audit procedures for distributed IT include:

    • Review organizational documents to determine if incompatible duties exist.

    • Verify that corporate policies and standards for systems design, documentation, and hardware/software acquisition are published to distributed units.

    • Verify compensating controls (e.g., supervision, management oversight) when segregation of duties is economically infeasible.

    • Review systems documentation to ensure applications and databases adhere to corporate standards.
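The two segregation-of-duties tests above (reviewing job descriptions for incompatible duties, and checking that maintenance programmers are not the original designers) can be scripted once the evidence is in tabular form. The following is an added illustration, not code from the textbook; the incompatible-function pairs are the three the chapter names, and every person, application and record is constructed sample data.

```python
"""Segregation-of-duties checks for a centralized IT function.

Added illustration (not from the textbook). It encodes the three
incompatible-function pairs the chapter describes and runs two of the
listed audit tests over constructed records:
  1. each person's assigned functions against the incompatible-pair list
     (the org-chart / job-description review), and
  2. maintenance records against original design records (the test that
     the maintenance programmer is not the original design programmer).
"""
from itertools import combinations

# Incompatible IT functions per the chapter: development vs operations,
# DBA vs operations, new-systems development vs maintenance.
INCOMPATIBLE = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"systems_development", "maintenance"}),
}


def sod_conflicts(assignments):
    """Return [(person, function_a, function_b), ...] for every person
    holding two functions the chapter treats as incompatible."""
    findings = []
    for person, functions in sorted(assignments.items()):
        for a, b in combinations(sorted(set(functions)), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                findings.append((person, a, b))
    return findings


def maintainer_was_designer(design_records, maintenance_records):
    """Return sorted (application, programmer) pairs where a maintenance
    change was made by one of that application's original designers."""
    designers = {}
    for app, programmer in design_records:
        designers.setdefault(app, set()).add(programmer)
    flagged = set()
    for app, programmer in maintenance_records:
        if programmer in designers.get(app, set()):
            flagged.add((app, programmer))
    return sorted(flagged)


# Constructed sample data: which functions each person holds.
ASSIGNMENTS = {
    "alice": ["systems_development"],
    "bob": ["computer_operations"],
    "carol": ["database_administration", "computer_operations"],  # conflict
    "dave": ["systems_development", "maintenance"],               # conflict
    "erin": ["maintenance"],
}

# Constructed sample records: (application, programmer).
DESIGN_RECORDS = [
    ("payroll", "alice"), ("payroll", "dave"),
    ("receivables", "alice"),
]
MAINTENANCE_RECORDS = [
    ("payroll", "erin"),
    ("payroll", "dave"),        # dave designed payroll -> flagged
    ("receivables", "erin"),
]

if __name__ == "__main__":
    for person, a, b in sod_conflicts(ASSIGNMENTS):
        print(f"SoD conflict: {person} holds {a} and {b}")
    for app, who in maintainer_was_designer(DESIGN_RECORDS, MAINTENANCE_RECORDS):
        print(f"Maintenance by original designer: {app} / {who}")
```

A hit from either function is a lead for the auditor, not a conclusion: the next step is the compensating-control review the distributed-IT procedures describe.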

THE COMPUTER CENTER

  • Accountants routinely audit the physical environment of the computer center; the objective is to mitigate risks to information quality, processing, and internal controls.

  • Potential exposures covered:

    • Physical location: should be away from hazards (natural and man-made) such as processing plants, water mains, airports, flood plains; avoid basements due to flood risk; consider self-contained, separate buildings when possible.

    • Construction: single-story, solid construction; underground power/telecom lines; no open windows; air filtration; appropriate climate control.

    • Access: restrict entry to operators and authorized personnel; use locked doors, keypads or swipe cards; CCTV monitoring and sign-in logs; maintain traffic records.

    • Air-conditioning: target around 70°F to 75°F with approximately 50% relative humidity to optimize hardware operation and minimize static risk and moisture-related damage.

    • Fire suppression: require automatic and manual alarms; automatic extinguishing systems with appropriate suppressant types; clearly marked and illuminated exits.

    • Fault tolerance: avoid single points of failure; implement fault-tolerant technologies such as:

      • Redundant arrays of independent disks (RAID): multiple disks with redundancy to reconstruct lost data from remaining disks.

      • Uninterruptible power supplies (UPS): provide backup power to maintain operations during outages and allow controlled shutdown to prevent data loss.

  • Audit objectives for the computer center:

    • Verify physical security controls are adequate to protect against physical exposures.

    • Confirm that insurance coverage on equipment is adequate to cover destruction or damage.

  • Audit procedures for the computer center include:

    • Tests of physical construction: review architectural plans; ensure solid construction and adequate drainage against water damage; evaluate the location relative to hazards.

    • Tests of the Fire Detection System: verify fire detection/suppression equipment exists and is tested regularly; review fire marshal records.

    • Tests of Access Control: confirm routine access is restricted; review visitor logs; observe access control processes and review CCTV if used.

    • Tests of RAID: map RAID configuration to confirm adequate protection given business risk; review alternative recovery procedures if RAID is not employed.

    • Tests of the Uninterruptible Power Supply: verify periodic testing and capacity.

    • Tests of Insurance Coverage: annually review hardware, software, and facility coverage; ensure new acquisitions are listed and obsolete items removed.
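To make the fault-tolerance bullet and the Tests of RAID concrete, here is an added illustration (not from the textbook) of single-parity striping on toy byte blocks: the parity block lets one failed disk be rebuilt from the survivors, a parity consistency check shows what a scripted RAID test can verify, and a second concurrent failure shows why the configuration must match the risk the business will tolerate. All disk contents are constructed sample bytes.

```python
"""Single-parity striping (the RAID 4/5 idea) on toy byte blocks.

Added illustration, not from the textbook. Parity is the byte-wise XOR of
the N data blocks; XOR of all N+1 blocks is therefore zero, and any one
missing block equals the XOR of the others.
"""
from functools import reduce


def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks."""
    return bytes(reduce(lambda x, y: x ^ y, col) for col in zip(*blocks))


def write_stripe(data_blocks):
    """Return the stripe as stored on N+1 disks: N data blocks + parity."""
    if len({len(b) for b in data_blocks}) != 1:
        raise ValueError("all blocks in a stripe must be the same size")
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild(stripe, failed):
    """Reconstruct the block(s) on the failed disk(s).

    `stripe` is the list of N+1 blocks; `failed` is a set of disk indexes
    whose contents are lost. With one parity block exactly one lost disk
    can be rebuilt (XOR of the survivors). Two or more lost disks raise:
    single parity does not cover that case.
    """
    if not failed:
        return dict(enumerate(stripe))
    if len(failed) > 1:
        raise RuntimeError(f"{len(failed)} disks lost; single parity rebuilds only one")
    (lost,) = failed
    survivors = [blk for i, blk in enumerate(stripe) if i != lost]
    rebuilt = dict(enumerate(stripe))
    rebuilt[lost] = xor_blocks(survivors)
    return rebuilt


def parity_ok(stripe):
    """Consistency check a RAID test of controls could script:
    XOR of all N+1 blocks must be all-zero bytes."""
    return all(b == 0 for b in xor_blocks(stripe))


# Constructed sample: three data disks plus one parity disk.
DATA = [b"ledger01", b"payroll9", b"invoiceX"]
STRIPE = write_stripe(DATA)

if __name__ == "__main__":
    print("parity consistent:", parity_ok(STRIPE))
    print("rebuild disk 1:", rebuild(STRIPE, {1})[1])
    try:
        rebuild(STRIPE, {0, 2})
    except RuntimeError as err:
        print("double failure:", err)
```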

DISASTER RECOVERY PLANNING (DRP)

  • Disasters are categorized as natural, man-made, and system failures, each threatening IT resources.

  • A DRP is a comprehensive plan detailing actions before, during, and after a disaster, with four common features:
    1) Identify critical applications
    2) Create a disaster recovery team
    3) Provide site backup (second-site) facilities
    4) Specify backup and off-site storage procedures

  • Identify Critical Applications:

    • Prioritize applications and data essential to short-term survival (e.g., those supporting cash flow, legal obligations, accounts receivable, production/distribution decisions, purchasing, and payroll).

    • Focus on short-term survival; plan should not attempt instant full resumption; priorities may change over time and require regular reassessment.

    • Identification should involve business units, accountants, and auditors, not just IT.

  • Creating a Disaster Recovery Team:

    • Define roles clearly; after a disaster, team members delegate to subordinates.

    • The DRP environment may require bending some traditional control principles (e.g., segregation) during a disaster.

  • Providing Second-Site Backup:

    • Options include: mutual aid pact, empty shell (cold site), recovery operations center (ROC/hot site), and internally provided backup.

    • Mutual Aid Pact: cross-organization aid to process critical transactions; risk: no guaranteed performance; depends on partner’s willingness and capacity.

    • Empty Shell (Cold Site): pre-arranged space ready to receive hardware; risk: timely hardware availability and vendor prioritization; must secure hardware delivery assurances.

    • ROC/Hot Site: fully equipped backup data center shared by clients; service providers offer facilities and services; risk of concurrent demand in a widespread disaster; capacity might be oversold (e.g., 20:1 ratio in some cases).

    • Internally Provided Backup: internal mirrored data center with standardized hardware/software; example: Pershing’s remote mirrored data center; real-time data replication and small recovery time (e.g., from 24 hours to 1 hour).

  • Backup and Off-Site Storage Procedures:

    • Regular backups of operating systems, critical applications, data files, and documentation to off-site locations.

    • For cold sites, ensure current OS copies are available; for applications, ensure current versions are backed up.

    • Use remote mirrored databases when possible; otherwise, daily backups to tapes/CDs/DVDs stored off-site.

    • Include end-user manuals and disaster documentation in backups.

  • Testing the DRP:

    • DRP testing should be performed regularly; surprise tests are most useful.

    • Tests should simulate disruptions and assess processing affected by the disruption.

    • Measures of performance to be tracked include: effectiveness of DRP team, conversion success (loss of records), estimated financial loss due to lost records or facilities, and effectiveness of backup/recovery procedures.

  • DRP Audit: verify that the DRP is realistic and adequate, including:

    • Site backup arrangements (evaluate risk of mutual aid and practical viability of hot/cold sites).

    • Critical application lists for completeness and relevance.

    • Software and data backups: ensure current versions exist off-site; verify version numbers align with in-use systems.

    • Data backups: ensure databases and master/transaction files are backed up and restorable.

    • Backup documentation and supplies: ensure necessary forms and documents exist; ensure a copy of the DRP is off-site.

    • Disaster Recovery Team: verify current roster and contact information; verify team members are current employees aware of responsibilities.

  • Real-world examples:

    • September 11, 2001: ROC providers (e.g., Comdisco) supported multiple client disasters; demonstrated rapid mobilization and recovery, but also illustrated potential clustering risk in geographically proximate ROC facilities.

OUTSOURCING THE IT FUNCTION

  • IT outsourcing involves transferring IT assets, staff, and services to a third-party vendor (e.g., data entry, data center operations, applications development/maintenance, network management).

  • Claimed benefits:

    • Improved core business performance and IT performance due to vendor expertise

    • Reduced IT costs through economies of scale and offshore labor advantages

    • One-time cash infusion from asset sale and lease-back to the vendor

  • Theoretical foundations:

    • Core competency theory: firms should focus on core business competencies; outsource non-core IT activities.

    • Transaction Cost Economics (TCE) theory: supports outsourcing commodity IT assets while keeping specific assets in-house (to preserve flexibility and unique capabilities).

  • Distinctions between commodity assets and specific assets:

    • Commodity IT assets: network management, data center operations, server maintenance, help-desk

    • Specific IT assets: systems development, application maintenance, data warehousing, highly skilled employees, unique to the organization

  • Cloud computing as a variant of outsourcing:

    • Location-independent computing; shared data centers; on-demand resources via the Internet

    • Risks include lack of visibility into data location and potential data privacy concerns; advantages include scalable resources and flexible contracts

  • Three classes of cloud services:
    1) Software-as-a-Service (SaaS)
    2) Infrastructure-as-a-Service (IaaS)
    3) Platform-as-a-Service (PaaS)

  • SaaS: vendor-hosted software accessed over the Internet; often subscription-based; differs from traditional ASP (Application Service Provider) models in licensing and delivery

  • IaaS: provider offers compute power and storage; client pays per use; provider owns and maintains hardware

  • PaaS: client develops and deploys applications on vendor-provided infrastructure; includes development tools, testing, security, and documentation facilities

  • Virtualization and related technologies:

    • Virtualization enables multiple virtual machines on a single physical host; increases hardware utilization

    • Network virtualization increases bandwidth and reliability by creating independent channels

    • Storage virtualization pools multiple storage devices into a single virtual pool managed centrally

  • Cloud computing implementation issues:

    • Not all firms are suitable for cloud adoption (especially large, legacy, or mission-critical systems)

    • Cloud models assume standardized, commodity-like resources, which may conflict with a firm’s unique needs or competitive advantages

    • Internal control and security concerns arise when data reside outside corporate boundaries; vendor controls and privacy laws of host country become critical

  • Risks inherent to IT outsourcing:

    • Failure to perform: dependency on vendor performance (e.g., major vendor bankruptcies or layoffs affecting service); example: EDS faced layoffs after a long downturn, triggering customer lawsuits

    • Vendor exploitation: loss of strategic advantage due to commoditized services and dependency on vendor pricing and capabilities; risk of rising costs for new services

    • Reduced security: offshore data hosting raises concerns about data privacy and control; cross-border data handling and legal compliance

    • Loss of strategic advantage: misalignment between IT and business strategy if cloud/outsourcing focuses on standard solutions rather than bespoke, strategic capabilities

  • SSAE 16 and outsourcing audit implications (service organization controls):

    • SOX 404 requires management to evaluate controls at vendor organizations as well as at the user company

    • SSAE 16 (replacing SAS 70 in 2011) provides attestation on vendor controls and systems; reports come in two types:

      • Type 1: design of controls and suitability of control design

      • Type 2: design, suitability, and operating effectiveness over a period

    • Carve-out vs inclusive reporting regarding subservice organizations:

      • Carve-out: subservice organization controls are described but not included in the main description; vendor monitors subservice controls independently

      • Inclusive: subservice organization controls are included in the report

    • The SSAE 16 report provides a framework for client auditors to rely on vendor controls without performing their own tests, significantly reducing audit effort when vendors are properly attested

  • Diagrammatic relationship (Vendor-Client-Auditor interactions):

    • A vendor serves multiple clients; each client auditor relies on the vendor’s SSAE 16 report; subservice organizations may be involved, potentially requiring a carve-out or inclusive approach

CLOUD COMPUTING: DETAILS AND KEY CONCEPTS

  • Cloud computing is location-independent computing with shared data centers delivering hosted IT services over the Internet; akin to electricity where demand is met from a broader grid.

  • Core characteristics:

    • On-demand resource provisioning; scalable and elastic; pay-for-use pricing

    • Resources delivered over a network and accessed via network terminals

  • Primary service classes (SaaS, IaaS, PaaS) summarized above

  • Virtualization as the enabling technology:

    • Multiplies computing power by running multiple virtual machines on a single physical machine

    • Also enables network and storage virtualization to optimize capacity and flexibility

  • Implementation issues and considerations:

    • Not all firms are suitable for cloud adoption, especially those with heavy legacy systems, high customization needs, or strategic information concerns

    • Cloud offerings emphasize commodity-like services; this can conflict with a firm’s need for bespoke solutions and competitive differentiation

    • Security and regulatory concerns persist; outsourcing critical data means relying on vendor controls and jurisdictional privacy laws

RISKS IN IT OUTSOURCING AND CONTROLS

  • Major outsourcing risk categories:

    • Failure to perform: dependency on vendor’s performance; financial distress or operational restructuring at vendor can impact clients

    • Vendor exploitation: risk of rising costs for incremental services, reliance on vendor for specialized capabilities, potential loss of flexibility

    • Reduced security: offshore arrangements may raise privacy, data protection, and regulatory concerns; data may be stored or processed in jurisdictions with weaker protections

    • Loss of strategic advantage: misalignment between client business strategy and vendor-driven standard solutions; reduced ability to pursue unique competitive capabilities

  • Outsourcing decisions should consider the difference between commodity assets and specific assets, as per TCE:

    • Commodity assets are easily replaceable and can be outsourced to reduce cost

    • Specific assets represent unique capabilities (e.g., data warehousing, bespoke applications, highly skilled staff) that are hard to replace and often should be retained in-house to preserve competitive advantage

  • SOX and outsourcing: management cannot outsource responsibility for internal controls over financial reporting (ICFR). The PCAOB requires evaluation of vendor controls and, where appropriate, reliance on SSAE 16 reports to assess control adequacy.

  • SSAE 16: framework for service organizations to attest to their controls; essential for auditors to obtain evidence about third-party service providers in financial statement audits

SUMMARY AND KEY TERMS

  • IT governance ties internal control and financial reporting to the broader governance of IT resources.

  • Three core governance issues: organizational IT structure, computer center operations, disaster recovery planning.

  • Centralized vs distributed data processing models offer different control challenges and require different audit approaches; many firms use a hybrid with a corporate IT function to coordinate standards, testing, and advisory services.

  • Physical security, environmental controls, and fault tolerance are essential for the computer center; RAID and UPS are key fault tolerance technologies.

  • DRP requires identification of critical applications, a defined disaster recovery team, second-site backup arrangements, and tested backup procedures.

  • Outsourcing and cloud computing bring potential cost and access benefits but introduce risks around control, data security, and strategic alignment; SSAE 16 provides a framework for auditors to assess service providers’ controls in outsourcing arrangements.

  • For further reading, the chapter discusses in detail: the SSAE 16 reporting process (Type 1 vs Type 2), carve-out vs inclusive subservice organization reporting, and the risk considerations around ROC and cold shell backups.

KEY TERMS (selected)

  • carve-out method, centralized data processing, computer operations, cloud computing, core competency, commodity IT assets, data conversion, data library, disaster recovery plan, distributed data processing (DDP), empty shell, fault tolerance, inadequate documentation, inclusive method, information technology (IT) governance, Infrastructure-as-a-Service (IaaS), IT outsourcing, mirrored data center, mutual aid pact, network virtualization, Platform-as-a-Service (PaaS), program fraud, recovery operations center (ROC), redundant arrays of independent disks (RAID), Software-as-a-Service (SaaS), SSAE 16, storage virtualization, Transaction Cost Economics (TCE), virtualization, virtualization (network/storage), Type 1 SSAE 16, Type 2 SSAE 16, subservice organization, SAS 70 (historical reference)

REVIEW QUESTIONS (selected topics for study)

  • What is IT governance and its objectives? How does SOX/COSO relate to IT governance?

  • What is distributed data processing (DDP) and what are its advantages and disadvantages?

  • What risks arise from consolidating incompatible IT functions in one location, and how can they be mitigated?

  • Explain RAID and UPS as fault tolerance strategies.

  • What are the four common features of a DRP, and how should critical applications be identified and prioritized?

  • What is cloud computing, what are the three service classes, and what are the main risk considerations for large enterprises?

  • What is SSAE 16, and how do Type 1 and Type 2 reports differ? What are carve-out vs inclusive reporting?

  • What are commodity IT assets vs specific IT assets? How does this distinction affect outsourcing decisions (core competencies vs TCE)?

DISCUSSION AND PRACTICAL SCENARIOS (highlights)

  • A distributed data processing setup can offer cost savings but might destroy audit trails if end-user devices store transaction data. What compensating controls could a company implement?

  • Consider a DRP test; design a surprise drill that measures DRP team effectiveness, conversion success, and the financial impact of potential losses.

  • In cloud outsourcing, what due diligence steps should a company take to evaluate a vendor’s SSAE 16 Type 2 report and subservice organization controls? How should management address potential data location and privacy concerns?

  • For a firm with legacy systems, what factors would justify maintaining in-house non-core IT assets (per TCE theory) versus moving to cloud services or outsourcing?