44 Chapter 2: Auditing IT Governance Controls
and general ledger accounts that recorded the events, and ultimately to the financial
statement themselves. The audit trail is critical to the auditors attest service.
In DDP systems, the audit trail consists of a set of digital transaction files and mas-
ter files (Chapter 6 deals with transaction processing techniques) that reside in part or
entirely on end-user computers. Should an end user inadvertently delete one of the files,
the audit trail could be destroyed and unrecoverable. Similarly, if an end user inadver-
tently inserts transaction errors into an audit trail file, it could become corrupted.
Inadequate Segregation of Duties. Achieving an adequate segregation of duties
may not be possible in some distributed environments. The distribution of the IT ser-
vices to users may result in the creation of small independent units that do not permit
the desired separation of incompatible functions. For example, within a single unit the
same person may write application programs, perform program maintenance, enter
transaction data into the computer, and operate the computer equipment. Such a situa-
tion would be a fundamental violation of internal control.
Hiring Qualified Professionals. End-user managers may lack the IT knowledge to
evaluate the technical credentials and relevant experience of candidates applying for IT
professional positions. Also, if the organizational unit into which a new employee is en-
tering is small, the opportunity for personal growth, continuing education, and promo-
tion may be limited. For these reasons, managers may experience difficulty attracting
highly qualified personnel. The risk of programming errors and system failures increases
directly with the level of employee incompetence.
Lack of Standards. Because of the distribution of responsibility in the DDP environ-
ment, standards for developing and documenting systems, choosing programming lan-
guages, acquiring hardware and software, and evaluating performance may be unevenly
applied or even nonexistent. Opponents of DDP argue that the risks associated with the
design and operation of a DDP system are made tolerable only if such standards are con-
sistently applied.
Advantages of DDP
This section considers potential advantages of DDP, including cost reductions, improved
cost control, improved user satisfaction, and backup.
Cost Reductions. For many years, achieving economies of scale was the principal justifi-
cation for the centralized data processing approach. The economics of data processing fa-
vored large, expensive, powerful computers. The wide variety of needs that centralized
systems were expected to satisfy also called for computers that were highly generalized and
employed complex operating systems. The overhead associated with running such a system,
however, can diminish the advantages of its raw processing power. Thus, for many users,
large centralized systems represented expensive overkill that they should escape.
Powerful and inexpensive microcomputers and minicomputers that can perform spe-
cialized functions have changed the economics of data processing dramatically. In addition,
the unit cost of data storage, which was once the justification for consolidating data in a
central location, is no longer a prime consideration. Moreover, the move to DDP has re-
duced costs in two other areas: (1) data can be edited and entered by the end user, thus
eliminating the centralized task of data preparation; and (2) application complexity can be
reduced, which in turn reduces systems development and maintenance costs.
Improved Cost Control Responsibility. End-user managers carry the responsibility
for the financial success of their operations. This responsibility requires that they be
properly empowered with the authority to make decisions about resources that influence
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
Structure of the Information Technology Function 45
their overall success. When managers are precluded from making the decisions necessary
to achieve their goals, their performance can be negatively influenced. A less aggressive
and less effective management may evolve.
Proponents of DDP contend that the benefits of improved management attitudes
more than outweigh any additional costs incurred from distributing these resources.
They argue that if IT capability is indeed critical to the success of a business operation,
then management must be given control over these resources. This argument counters
the earlier discussion favoring the centralization of organization-wide resources.
Improved User Satisfaction. Perhaps the most often cited benefit of DDP is im-
proved user satisfaction. DDP proponents claim that distributing system to end users
improves three areas of need that too often go unsatisfied in the centralized model: (1) as
previously stated, users desire to control the resources that influence their profitability;
(2) users want systems professionals (analysts, programmers, and computer operators) to
be responsive to their specific situation; and (3) users want to become more actively
involved in developing and implementing their own systems.
Backup Flexibility. The final argument in favor of DDP is the ability to back up
computing facilities to protect against potential disasters such as fires, floods, sabotage,
and earthquakes. The only way to back up a central computer site against such disasters
is to provide a second computer facility. Later in the chapter we examine disaster recov-
ery planning for such contingencies. The distributed model offers organizational flexibil-
ity for providing backup. Each geographically separate IT unit can be designed with
excess capacity. If a disaster destroys a single site, the other sites can use their excess
capacity to process the transactions of the destroyed site. Naturally, this setup requires
close coordination between the end-user managers to ensure that they do not implement
incompatible hardware and software.
Controlling the DDP Environment
DDP carries a certain leading-edge prestige value that, during an analysis of its pros and
cons, may overwhelm important considerations of economic benefit and operational fea-
sibility. Some organizations have made the move to DDP without considering fully
whether the distributed organizational structure will better achieve their business objec-
tives. Many DDP initiatives have proven to be ineffective, and even counterproductive,
because decision makers saw in these systems virtues that were more symbolic than
real. Before taking an irreversible step, decision makers must assess the true merits of
DDP for their organization. Nevertheless, careful planning and implementation of con-
trols can mitigate some of the DDP risks previously discussed. This section reviews sev-
eral improvements to the strict DDP model.
Implement a Corporate IT Function
The completely centralized model and the distributed model represent extreme positions
on a continuum of structural alternatives. The needs of most firms fall somewhere be-
tween these end points. Often, the control problems previously described can be ad-
dressed by implementing a corporate IT function such as that illustrated in Figure 2.5.
This function is greatly reduced in size and status from that of the centralized model
shown in Figure 2.2. The corporate IT group provides systems development and data-
base management for entity-wide systems in addition to technical advice and expertise
to the distributed IT community. This advisory role is represented by the dotted lines
in Figure 2.5. Some of the services provided are described next.
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
46 Chapter 2: Auditing IT Governance Controls
Central Testing of Commercial Software and Hardware. A centralized corporate
IT group is better equipped than are end users to evaluate the merits of competing com-
mercial software and hardware products under consideration. A central, technically as-
tute group such as this can evaluate systems features, controls, and compatibility with
industry and organizational standards. Test results can then be distributed to user areas
as standards for guiding acquisition decisions. This allows the organization to effectively
centralize the acquisition, testing, and implementation of software and hardware and
avoid many problems discussed earlier.
User Services. A valuable feature of the corporate group is its user services function.
This activity provides technical help to users during the installation of new software and
in troubleshooting hardware and software problems. The creation of an electronic bulle-
tin board for users is an excellent way to distribute information about common problems
and allows the sharing of user-developed programs with others in the organization. In
addition, a chat room could be established to provide threaded discussions, frequently
asked questions (FAQs), and intranet support. The corporate IT function could also pro-
vide a help desk, where users can call and get a quick response to questions and pro-
blems. In many organizations user services staff teach technical courses for end users as
well as for computer services personnel. This raises the level of user awareness and pro-
motes the continued education of technical personnel.
Standard-Setting Body. The relatively poor control environment imposed by the
DDP model can be improved by establishing some central guidance. The corporate
group can contribute to this goal by establishing and distributing to user areas appropri-
ate standards for systems development, programming, and documentation.
Personnel Review. The corporate group is often better equipped than users to evalu-
ate the technical credentials of prospective systems professionals. Although the systems
professional will actually be part of the end-user group, the involvement of the corporate
group in employment decisions can render a valuable service to the organization.
Audit Objective
The auditors objective is to verify that the structure of the IT function is such that in-
dividuals in incompatible areas are segregated in accordance with the level of potential
risk and in a manner that promotes a working environment. This is an environment in
which formal, rather than casual, relationships need to exist between incompatible tasks.
Audit Procedures
The following audit procedures would apply to an organization with a centralized IT
function:
Review relevant documentation, including the current organizational chart, mission
statement, and job descriptions for key functions, to determine if individuals or
groups are performing incompatible functions.
Review systems documentation and maintenance records for a sample of applica-
tions. Verify that maintenance programmers assigned to specific projects are not
also the original design programmers.
Verify that computer operators do not have access to the operational details of a
systems internal logic. Systems documentation, such as systems flowcharts, logic
flowcharts, and program code listings, should not be part of the operations docu-
mentation set.
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
The Computer Center 47
Through observation, determine that segregation policy is being followed in practice.
Review operations room access logs to determine whether programmers enter the
facility for reasons other than system failures.
The following audit procedures would apply to an organization with a distributed
IT function:
Review the current organizational chart, mission statement, and job descriptions for
key functions to determine if individuals or groups are performing incompatible
duties.
Verify that corporate policies and standards for systems design, documentation, and
hardware and software acquisition are published and provided to distributed IT
units.
Verify that compensating controls, such as supervision and management monitor-
ing, are employed when segregation of incompatible duties is economically
infeasible.
Review systems documentation to verify that applications, procedures, and databases
are designed and functioning in accordance with corporate standards.
THE COMPUTER CENTER
Accountants routinely examine the physical environment of the computer center as part
of their annual audit. The objective of this section is to present computer center risks
and the controls that help to mitigate risk and create a secure environment. The follow-
ing are areas of potential exposure that can impact the quality of information, accounting
records, transaction processing, and the effectiveness of other more conventional internal
controls.
Physical Location
The physical location of the computer center directly affects the risk of destruction to a
natural or man-made disaster. To the extent possible, the computer center should be
away from human-made and natural hazards, such as processing plants, gas and water
mains, airports, high-crime areas, flood plains, and geological faults. The center should
be away from normal traffic, such as the top floor of a building or in a separate, self-
contained building. Locating a computer in the basement building increases its risk to
floods.
Construction
Ideally, a computer center should be located in a single-story building of solid construc-
tion with controlled access (discussed next). Utility (power and telephone) lines should
be underground. The building windows should not open and an air filtration system
should be in place that is capable of extracting pollens, dust, and dust mites.
Access
Access to the computer center should be limited to the operators and other employees
who work there. Physical controls, such as locked doors, should be employed to limit
access to the center. Access should be controlled by a keypad or swipe card, though fire
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
48 Chapter 2: Auditing IT Governance Controls
exits with alarms are necessary. To achieve a higher level of security, access should be
monitored by closed-circuit cameras and video recording systems. Computer centers
should also use sign-in logs for programmers and analysts who need access to correct
program errors. The computer center should maintain accurate records of all such
traffic.
Air Conditioning
Computers function best in an air-conditioned environment, and providing adequate air
conditioning is often a requirement of the vendors warranty. Computers operate best in
a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 per-
cent. Logic errors can occur in computer hardware when temperatures depart signifi-
cantly from this optimal range. Also, the risk of circuit damage from static electricity is
increased when humidity drops. In contrast, high humidity can cause molds to grow and
paper products (such as source documents) to swell and jam equipment.
Fire Suppression
Fire is the most serious threat to a firms computer equipment. Many companies that
suffer computer center fires go out of business because of the loss of critical records,
such as accounts receivable. The implementation of an effective fire suppression system
requires consultation with specialists. However, some of the major features of such a sys-
tem include the following:
1. Automatic and manual alarms should be placed in strategic locations around the in-
stallation. These alarms should be connected to permanently staffed fire-fighting
stations.
2. There must be an automatic fire extinguishing system that dispenses the appropriate
type of suppressant for the location.2 For example, spraying water and certain che-
micals on a computer can do as much damage as the fire.
3. Manual fire extinguishers should be placed at strategic locations.
4. The building should be of sound construction to withstand water damage caused by
fire suppression equipment.
5. Fire exits should be clearly marked and illuminated during a fire.
Fault Tolerance
Fault tolerance is the ability of the system to continue operation when part of the sys-
tem fails because of hardware failure, application program error, or operator error. Im-
plementing fault tolerance control ensures that no single point of potential system failure
exists. Total failure can occur only if multiple components fail. Two examples of fault
tolerance technologies are discussed next.
1. Redundant arrays of independent disks (RAID). Raid involves using parallel disks
that contain redundant elements of data and applications. If one disk fails, the lost
data are automatically reconstructed from the redundant components stored on the
other disks.
2 Some fire-fighting gases, such as halon, have been outlawed by the federal government. Make sure any
gas used does not violate federal law.
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
The Computer Center 49
2. Uninterruptible power supplies. Commercially provided electrical power presents sev-
eral problems that can disrupt the computer center operations, including total power
failures, brownouts, power fluctuations, and frequency variations. The equipment
used to control these problems includes voltage regulators, surge protectors, genera-
tors, and backup batteries. In the event of a power outage, these devices provide
backup power for a reasonable period to allow commercial power service restora-
tion. In the event of an extended power outage, the backup power will allow the
computer system to shut down in a controlled manner and prevent data loss and
corruption that would otherwise result from an uncontrolled system crash.
Audit Objectives
The auditors objective is to evaluate the controls governing computer center security.
Specifically, the auditor must verify that:
Physical security controls are adequate to reasonably protect the organization from
physical exposures
Insurance coverage on equipment is adequate to compensate the organization for
the destruction of, or damage to, its computer center
Audit Procedures
The following are tests of physical security controls.
Tests of Physical Construction. The auditor should obtain architectural plans to de-
termine that the computer center is solidly built of fireproof material. There should be
adequate drainage under the raised floor to allow water to flow away in the event of
water damage from a fire in an upper floor or from some other source. In addition, the
auditor should assess the physical location of the computer center. The facility should
be located in an area that minimizes its exposure to fire, civil unrest, and other
hazards.
Tests of the Fire Detection System. The auditor should establish that fire detection
and suppression equipment, both manual and automatic, are in place and tested regu-
larly. The fire-detection system should detect smoke, heat, and combustible fumes. The
evidence may be obtained by reviewing official fire marshal records of tests, which are
stored at the computer center.
Tests of Access Control. The auditor must establish that routine access to the com-
puter center is restricted to authorized employees. Details about visitor access (by pro-
grammers and others), such as arrival and departure times, purpose, and frequency of
access, can be obtained by reviewing the access log. To establish the veracity of this doc-
ument, the auditor may covertly observe the process by which access is permitted, or
review videotapes from cameras at the access point, if they are being used.
Tests of Raid. Most systems that employ RAID provide a graphical mapping of their
redundant disk storage. From this mapping, the auditor should determine if the level of
RAID in place is adequate for the organization, given the level of business risk associated
with disk failure. If the organization is not employing RAID, the potential for a single
point of system failure exists. The auditor should review with the system administrator
alternative procedures for recovering from a disk failure.
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
50 Chapter 2: Auditing IT Governance Controls Disaster Recovery Planning 51

Tests of the Uninterruptible Power Supply. The computer center should perform
periodic tests of the backup power supply to ensure that it has sufficient capacity to run
the computer and air conditioning. These are extremely important tests, and their results
should be formally recorded. As a firms computer systems develop, and its dependency
increases, backup power needs are likely to grow proportionally. Indeed, without such
tests, an organization may be unaware that it has outgrown its backup capacity until it
is too late.
Tests for Insurance Coverage. The auditor should annually review the organiza-
tions insurance coverage on its computer hardware, software, and physical facility. The
auditor should verify that all new acquisitions are listed on the policy and that obsolete
equipment and software have been deleted. The insurance policy should reflect manage-
ments needs in terms of extent of coverage. For example, the firm may wish to be par-
tially self-insured and require minimum coverage. On the other hand, the firm may seek
complete replacement-cost coverage.
DISASTER RECOVERY PLANNING
Disasters such as earthquakes, floods, sabotage, and even power failures can be
catastrophic to an organizations computer center and information systems. Figure 2.6
depicts three categories of disaster that can rob an organization of its IT resources:
FIGURE 2.6
Fire
Types of
Disasters
Natural Flood
natural disasters, human-made disasters, and system failure. Natural disaster such as
hurricanes, wide-spread flooding, and earthquakes are the most potentially devastating
of the three from a societal perspective because they can simultaneously impact many
organizations within the affected geographic area. Human-made disasters, such as sabo-
tage or errors, can be just as destructive to an individual organization, but tend to be
limited in their scope of impact. System failures such as power outages or a hard-drive
failure are generally less severe, but are the most likely to occur.
All of these disasters can deprive an organization of its data processing facilities,
halt those business functions that are performed or aided by computers, and impair
the organizations ability to deliver its products or services. In other words, the com-
pany loses its ability to do business. The more dependent an organization is on tech-
nology, the more susceptible it is to these types of risks. For businesses such as
Amazon.com or eBay, the loss of even a few hours of computer processing capability
can be catastrophic.
Disasters of the sort outlined above usually cannot be prevented or evaded. Once
stricken, the victim firms survival will be determined by how well and how quickly it
reacts. Therefore, with careful contingency planning, the full impact of a disaster can be
absorbed and the organization can recover. To survive such an event, companies develop
recovery procedures and formalize them into a disaster recovery plan (DRP). This is a
comprehensive statement of all actions to be taken before, during, and after any type of
disaster. Although the details of each plan are unique to the needs of the organization, all
workable plans possess four common features:
1. Identify critical applications
2. Create a disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedures
The remainder of this section is devoted to a discussion of the essential elements of an
effective DRP.

Tornado Identify Critical Applications

The first essential element of a DRP is to identify the firms critical applications and
associated data files. Recovery efforts must concentrate on restoring those applications
that are critical to the short-term survival of the organization. Obviously, over the long
Sabotage
term, all applications must be restored to predisaster business activity levels. The DRP,
Disaster Human-Made however, is a short-term document that should not attempt to restore the organiza-
tions data processing facility to full capacity immediately following the disaster. To
Error
do so would divert resources away from critical areas and delay recovery. The plan
should therefore focus on short-term survival, which is at risk in any disaster
scenario.
Power For most organizations, short-term survival requires the restoration of those func-
Outages tions that generate cash flows sufficient to satisfy short-term obligations. For example,
assume that the following functions affect the cash flow position of a particular firm:

System Failure
Drive Customer sales and service
Failure
Fulfillment of legal obligations
Accounts receivable maintenance and collection
O/S Production and distribution decisions
Crash/Lock
Purchasing functions
Cash disbursements (trade accounts and payroll)

Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
52 Chapter 2: Auditing IT Governance Controls Disaster Recovery Planning 53

The computer applications that support these business functions directly are critical.
Hence, these applications should be identified and prioritized in the restoration plan. FIGURE 2.7
Application priorities may change over time, and these decisions must be reassessed DRP Team Coordinator
Disaster VP Operations
regularly. Systems are constantly revised and expanded to reflect changes in user require- Recovery Team
ments. Similarly, the DRP must be updated to reflect new developments and identify
critical applications. Up-to-date priorities are important, because they affect other aspects
of the strategic plan. For example, changes in application priorities may cause changes in
the nature and extent of second-site backup requirements and specific backup proce-
Program Data Conversion
dures, which are discussed later. Second-Site
and and
Facilities
The task of identifying critical items and prioritizing applications requires the active Data Backup Data Control
Group
participation of user departments, accountants, and auditors. Too often, this task is in- Group Group
correctly viewed as a technical computer issue and therefore delegated to IT profes-
sionals. Although the technical assistance of IT professionals will be required, this task Systems Development Manager Data
is a business decision and should be made by those best equipped to understand the DP Manager Manager Control
business problem.
Systems Maintenance Manager Data
Plant Engineer Manager Conversion
Creating a Disaster Recovery Team
Computer Operations Senior Systems Data Conversion
Recovering from a disaster depends on timely corrective action. Delays in performing Manager Programmer Shift Supervisor
essential tasks prolongs the recovery period and diminishes the prospects for a successful
recovery. To avoid serious omissions or duplication of effort during implementation of
the contingency plan, task responsibility must be clearly defined and communicated to Teleprocessing Senior Maintenance User Department
Manager Programmer Representatives
the personnel involved.
Figure 2.7 presents an organizational chart depicting the composition of a disaster
recovery team. The team members should be experts in their areas and have assigned User Departments Internal Audit
tasks. Following a disaster, team members will delegate subtasks to their subordinates. Representative Representative
It should be noted that traditional control concerns do not apply in this setting. The en-
vironment created by the disaster may make it necessary to violate control principles Internal Audit
such as segregation of duties, access controls, and supervision. Representative

Providing Second-Site Backup Objective: Prepare backup site Objective: Provide current Objective: Reestablish the
for operation and acquire versions of all critical data conversion and data
A necessary ingredient in a DRP is that it provides for duplicate data processing facilities hardware from vendors. applications, data files, control functions necessary
and documentation. to process critical
following a disaster. Among the options available the most common are mutual aid applications.
pact; empty shell or cold site; recovery operations center or hot site; and internally pro-
vided backup. Each of these is discussed in the following sections.
Mutual Aid Pact. A mutual aid pact is an agreement between two or more organiza-
tions (with compatible computer facilities) to aid each other with their data processing Empty Shell. The empty shell or cold site plan is an arrangement wherein the com-
needs in the event of a disaster. In such an event, the host company must disrupt its pany buys or leases a building that will serve as a data center. In the event of a disaster,
processing schedule to process the critical transactions of the disaster-stricken company. the shell is available and ready to receive whatever hardware the temporary user needs to
In effect, the host company itself must go into an emergency operation mode and cut run essential systems. This approach, however, has a fundamental weakness. Recovery
back on the processing of its lower-priority applications to accommodate the sudden in- depends on the timely availability of the necessary computer hardware to restore the
crease in demand for its IT resources. data processing function. Management must obtain assurances through contracts with
The popularity of these reciprocal agreements is driven by economics; they are rela- hardware vendors that, in the event of a disaster, the vendor will give the companys
tively cost-free to implement. In fact, mutual aid pacts work better in theory than in needs priority. An unanticipated hardware supply problem at this critical juncture could
practice. In the event of a disaster, the stricken company has no guarantee that the part- be a fatal blow.
ner company will live up to its promise of assistance. To rely on such an arrangement for Recovery Operations Center. A recovery operations center (ROC) or hot site is a
substantive relief during a disaster requires a level of faith and untested trust that is un- fully equipped backup data center that many companies share. In addition to hardware
characteristic of sophisticated management and its auditors. and backup facilities, ROC service providers offer a range of technical services to their

Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
54 Chapter 2: Auditing IT Governance Controls
clients, who pay an annual fee for access rights. In the event of a major disaster, a
subscriber can occupy the premises and, within a few hours, resume processing critical
applications.
September 11, 2001, was a true test of the reliability and effectiveness of the ROC
approach. Comdisco, a major ROC provider, had 47 clients who declared 93 separate
disasters on the day of the attack. All 47 companies relocated and worked out of Com-
discos recovery centers. At one point, 3,000 client employees were working out of the
centers. Thousands of computers were configured for clients needs within the first 24
hours, and systems recovery teams were on-site wherever police permitted access. By
September 25, nearly half of the clients were able to return to their facilities with a fully
functional system.
Although the Comdisco story illustrates a ROC success, it also points to a potential
problem with this approach. A widespread natural disaster, such as a flood or an earth-
quake, may destroy the data processing capabilities of several ROC members located in
the same geographic area. All the victim companies will find themselves vying for access
to the same limited facilities. Because some ROC service providers oversell their capacity
by a ratio of 20:1, the situation is analogous to a sinking ship that has an inadequate
number of lifeboats.
The period of confusion following a disaster is not an ideal time to negotiate prop-
erty rights. Therefore, before entering into a ROC arrangement, management should
consider the potential problems of overcrowding and geographic clustering of the cur-
rent membership.
Internally Provided Backup. Larger organizations with multiple data processing
centers often prefer the self-reliance that creating internal excess capacity provides. This
permits firms to develop standardized hardware and software configurations, which en-
sure functional compatibility among their data processing centers and minimize cutover
problems in the event of a disaster.
Pershing, a division of Donaldson, Lufkin & Jenrette Securities Corporation, pro-
cesses more than 36 million transactions per day, about 2,000 per second. Pershing man-
agement recognized that a ROC vendor could not provide the recovery time they wanted
and needed. The company, therefore, built its own remote mirrored data center. The
facility is equipped with high-capacity storage devices capable of storing more than 20
terabytes of data and two IBM mainframes running high-speed copy software. All trans-
actions that the main system processes are transmitted in real time along fiber-optic
cables to the remote backup facility. At any point in time, the mirrored data center re-
flects current economic events of the firm. The mirrored system has reduced Pershings
data recovery time from 24 hours to 1 hour.
Backup and Off-Site Storage Procedures
All data files, applications, documentation, and supplies needed to perform critical func-
tions should be automatically backed up and stored at a secure off-site location. Data
processing personnel should routinely perform backup and storage procedures to obtain
and secure these critical resources.
Operating System Backup. If the company uses a cold site or other method of site
backup that does not include a compatible operating system (O/S), procedures for ob-
taining a current version of the operating system need to be clearly specified. The data
librarian, if one exists, would be a key person to involve in performing this task in addi-
tion to the applications and data backups procedures discussed next.
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
Disaster Recovery Planning 55
Application Backup. Based on results obtained in the critical applications step dis-
cussed previously, the DRP should include procedures to create copies of current versions
of critical applications. In the case of commercial software, this involves purchasing
backup copies of the latest software upgrades used by the organization. For in-house de-
veloped applications, backup procedures should be an integral step in the systems devel-
opment and program change process, which is discussed in detail in Chapter 5.
Backup Data Files. The state-of-the-art in database backup is the remote mirrored
site, which provides complete data currency. Not all organizations are willing or able to
invest in such backup resources. As a minimum, however, databases should be copied
daily to high-capacity, high-speed media, such as tape or CDs/DVDs and secured off-
site. In the event of a disruption, reconstruction of the database is achieved by updating
the most current backed-up version with subsequent transaction data. Likewise, master
files and transaction files should be protected.
Backup Documentation. The system documentation for critical applications should
be backed up and stored off-site along with the applications. System documentation can
constitute a significant amount of material and the backup process is complicated further
by frequent application changes (see Chapter 5). Documentation backup may, however,
be simplified and made more efficient through the use of Computer Aided Software En-
gineering (CASE) documentation tools. The DRP should also include a provision back-
ing up end-user manuals because the individuals processing transactions under disaster
conditions may not be usual staff who are familiar with the system.
Backup Supplies and Source Documents. The organization should create backup
inventories of supplies and source documents used in processing critical transactions.
Examples of critical supplies are check stocks, invoices, purchase orders, and any other
special-purpose forms that cannot be obtained immediately. The DRP should specify the
types and quantities needed of these special items. Because these are such routine ele-
ments of the daily operations, they are often overlooked by disaster contingency plan-
ners. At this point, it is worth noting that a copy of the current DRP document should
also be stored off-site at a secure location.
Testing the DRP. The most neglected aspect of contingency planning is testing
the DRP. Nevertheless, DRP tests are important and should be performed periodically.
Tests measure the preparedness of personnel and identify omissions or bottlenecks in
the plan.
A test is most useful when the simulation of a disruption is a surprise. When the
mock disaster is announced, the status of all processing affected by it should be docu-
mented. This approach provides a benchmark for subsequent performance assessments.
The plan should be carried through as far as is economically feasible. Ideally, that would
include the use of backup facilities and supplies.
The progress of the plan should be noted at key points throughout the test period.
At the conclusion of the test, the results can then be analyzed and a DRP performance
report prepared. The degree of performance achieved provides input for decisions to
modify the DRP or schedule additional tests. The organizations management should
seek measures of performance in each of the following areas: (1) the effectiveness of
DRP team personnel and their knowledge levels; (2) the degree of conversion success
(i.e., the number of lost records); (3) an estimate of financial loss due to lost records or
facilities; and (4) the effectiveness of program, data, and documentation backup and
recovery procedures.
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
56 Chapter 2: Auditing IT Governance Controls
Audit Objective
The auditor should verify that managements disaster recovery plan is adequate and fea-
sible for dealing with a catastrophe that could deprive the organization of its computing
resources.
Audit Procedures
In verifying that managements DRP is a realistic solution for dealing with a catastrophe,
the following tests may be performed.
Site Backup. The auditor should evaluate the adequacy of the backup site arrange-
ment. System incompatibility and human nature both greatly reduce the effectiveness of
the mutual aid pact. Auditors should be skeptical of such arrangements for two reasons.
First, the sophistication of the computer system may make it difficult to find a potential
partner with a compatible configuration. Second, most firms do not have the necessary
excess capacity to support a disaster-stricken partner while also processing their own
work. When it comes to the crunch, the management of the firm untouched by disaster
will likely have little appetite for the sacrifices that must be made to honor the
agreement.
More viable but expensive options are the empty shell and recovery operation center.
These too must be examined carefully. If the client organization is using the empty shell
method, then the auditor needs to verify the existence of valid contracts with hardware
vendors that guarantee delivery of needed computer hardware with minimum delay after
the disaster. If the client is a member of a ROC, the auditor should be concerned about
the number of ROC members and their geographic dispersion. A widespread disaster
may create a demand that cannot be satisfied by the ROC facility.
Critical Application List. The auditor should review the list of critical applications
to ensure that it is complete. Missing applications can result in failure to recover. The
same is true, however, for restoring unnecessary applications. To include applications
on the critical list that are not needed to achieve short-term survival can misdirect re-
sources and distract attention from the primary objective during the recovery period.
Software Backup. The auditor should verify that copies of critical applications and
operating systems are stored off-site. The auditor should also verify that the applications
stored off-site are current by comparing their version numbers with those of the actual
applications in use. Application version numbers is explained in detail in Chapter 5.
Data Backup. The auditor should verify that critical data files are backed up in ac-
cordance with the DRP. Specific data backup procedures for both flat files and relational
databases are discussed in detail in Chapter 4.
Backup Supplies, Documents, and Documentation. The system documentation,
supplies, and source documents needed to process critical transactions should be backed
up and stored off-site. The auditor should verify that the types and quantities of items
specified in the DRP such as check stock, invoices, purchase orders, and any special-
purpose forms exist in a secure location.
Disaster Recovery Team. The DRP should clearly list the names, addresses, and
emergency telephone numbers of the disaster recovery team members. The auditor
should verify that members of the team are current employees and are aware of their
assigned responsibilities. On one occasion, while reviewing a firms DRP, the author dis-
covered that a team leader listed in the plan had been deceased for nine months.
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
Outsourcing the IT Function 57
OUTSOURCING THE IT FUNCTION
The costs, risks, and responsibilities associated with maintaining an effective corporate
IT function are significant. Many executives have therefore opted to outsource their IT
functions to third-party vendors who take over responsibility for the management of IT
assets and staff and for delivery of IT services, such as data entry, data center operations,
applications development, applications maintenance, and network management. Often-
cited benefits of IT outsourcing include improved core business performance, improved
IT performance (because of the vendors expertise), and reduced IT costs. By moving IT
facilities offshore to low labor-cost areas and/or through economies of scale (by combin-
ing the work of several clients), the vendor can perform the outsourced function more
cheaply than the client firm could have otherwise. The resulting cost savings are then
passed to the client organization. Furthermore, many IT outsourcing arrangements in-
volve the sale of the client firms IT assetsboth human and machineto the vendor,
which the client firm then leases back. This transaction results in a significant one-time
cash infusion to the firm.
The logic underlying IT outsourcing follows from core competency theory, which
argues that an organization should focus exclusively on its core business competencies,
while allowing outsourcing vendors to efficiently manage the noncore areas such as
the IT functions. This premise, however, ignores an important distinction between com-
modity and specific IT assets.
Commodity IT assets are not unique to a particular organization and are thus
easily acquired in the marketplace. These include such things as network management,
systems operations, server maintenance, and help-desk functions. Specific IT assets, in
contrast, are unique to the organization and support its strategic objectives. Because of
their idiosyncratic nature, specific assets have little value outside their current use. Such
assets may be tangible (computer equipment), intellectual (computer programs), or
human. Examples of specific assets include systems development, application mainte-
nance, data warehousing, and highly skilled employees trained to use organization-
specific software.
Transaction Cost Economics (TCE) theory is in conflict with the core competency
school by suggesting that firms should retain certain specific noncore IT assets in-
house. Because of their esoteric nature, specific assets cannot be easily replaced once
they are given up in an outsourcing arrangement. Therefore, if the organization should
decide to cancel its outsourcing contract with the vendor, it may not be able to return to
its preoutsource state. On the other hand, TCE theory supports the outsourcing of com-
modity assets, which are easily replaced or obtained from alternative vendors.
Naturally, a CEOs perception of what constitutes a commodity IT assets plays an
important role in IT outsourcing decisions. Often this comes down to a matter of defini-
tion and interpretation. For example, most CEOs would define their IT function as a
noncore commodity, unless they are in the business of developing and selling IT appli-
cations. Consequently, a belief that all IT can, and should, be managed by large service
organizations tends to prevail. Such misperception reflects, in part, both lack of executive
education and dissemination of faulty information regarding the virtues and limitations
of IT outsourcing.3
3 This knowledge disconnect is not unique to IT outsourcing; it has been observed by Ramiller and Swanson
in their research on how executives respond to what is termed organizing visions for IT [101].
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
58 Chapter 2: Auditing IT Governance Controls
Risks Inherent to IT Outsourcing
Large-scale IT outsourcing events are risky endeavors, partly because of the sheer size of
these financial deals, but also because of their nature. The level of risk is related to the
degree of asset specificity of the outsourced function. The following sections outline
some well-documented issues.
Failure to Perform
Once a client firm has outsourced specific IT assets, its performance becomes linked to
the vendors performance. The negative implications of such dependency are illustrated
in the financial problems that have plagued the huge outsourcing vendor Electronic Data
Systems Corp. (EDS). In a cost-cutting effort, EDS terminated seven thousand employ-
ees, which impacted its ability to serve other clients. Following an 11-year low in share
prices, EDS stockholders filed a class-action lawsuit against the company. Clearly, ven-
dors experiencing such serious financial and legal problems threaten the viability of their
clients also.
Vendor Exploitation
Large-scale IT outsourcing involves transferring to a vendor specific assets, such as the
design, development, and maintenance of unique business applications that are critical to
an organizations survival. Specific assets, while valuable to the client, are of little value to
the vendor beyond the immediate contract with the client. Indeed, they may well be val-
ueless should the client organization go out of business. Because the vendor assumes risk
by acquiring the assets and can achieve no economies of scale by employing them else-
where, the client organization will pay a premium to transfer such functions to a third
party. Further, once the client firm has divested itself of such specific assets it becomes
dependent on the vendor. The vendor may exploit this dependency by raising service
rates to an exorbitant level. As the clients IT needs develop over time beyond the origi-
nal contract terms, it runs the risk that new or incremental services will be negotiated at
a premium. This dependency may threaten the clients long-term flexibility, agility, and
competitiveness and result in even greater vendor dependency.
Outsourcing Costs Exceed Benefits
IT outsourcing has been criticized on the grounds that unexpected costs arise and the
full extent of expected benefits are not realized. One survey revealed that 47 percent of
66 firms surveyed reported that the costs of IT outsourcing exceeded outsourcing bene-
fits. One reason for this is that outsourcing clients often fail to anticipate the costs of
vendor selection, contracting, and the transitioning of IT operations to the vendors.
Reduced Security
Information outsourced to offshore IT vendors raises unique and serious questions re-
garding internal control and the protection of sensitive personal data. When corporate
financial systems are developed and hosted overseas, and program code is developed
through interfaces with the host companys network, U.S. corporations are at risk of los-
ing control of their information. To a large degree U.S. firms are reliant on the outsour-
cing vendors security measures, data-access policies, and the privacy laws of the host
country. For example, a woman in Pakistan obtained patient-sensitive medical data
from the University of California Medical Center in San Francisco. She gained access to
the data from a medical transcription vendor for whom she worked. The woman threat-
ened to publish the records on the Internet if she did not get a raise in pay. Terrorism in
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
Outsourcing the IT Function 59
Asia and the Middle East raises additional security concerns for companies outsourcing
technology offshore. For example, on March 5, 2005, police in Delhi, India, arrested a
cell of suspected terrorists who were planning to attack outsourcing firms in Bangalore,
India.
Loss of Strategic Advantage
IT outsourcing may affect incongruence between a firms IT strategic planning and its
business planning functions. Organizations that use IT strategically must align business
strategy and IT strategy or run the risk of decreased business performance. To promote
such alignment, firms need IT managers and chief information officers (CIOs) who have
a strong working knowledge of the organizations business. A survey of 213 IT managers
in the financial services industry confirmed that a firms IT leadership needs to be closely
aligned with the firms competitive strategy. Indeed, some argue that the business com-
petence of CIOs is more important than their IT competence in facilitating strategic
congruence.
To accomplish such alignment necessitates a close working relationship between
corporate management and IT management in the concurrent development of business
and IT strategies. This, however, is difficult to accomplish when IT planning is geograph-
ically redeployed offshore or even domestically. Further, because the financial justifica-
tion for IT outsourcing depends upon the vendor achieving economies of scale, the
vendor is naturally driven to toward seeking common solutions that may be used by
many clients rather than creating unique solutions for each of them. This fundamental
underpinning of IT outsourcing is inconsistent with the clients pursuit of strategic ad-
vantage in the marketplace.
Audit Implications of IT Outsourcing
Management may outsource its organizations IT functions, but it cannot outsource its
management responsibilities under SOX for ensuring adequate IT internal controls. The
PCAOB specifically states in its Auditing Standard No. 2, The use of a service organiza-
tion does not reduce managements responsibility to maintain effective internal control
over financial reporting. Rather, user management should evaluate controls at the service
organization, as well as related controls at the user company, when making its assess-
ment about internal control over financial reporting. Therefore, if an audit client firm
outsource its IT function to a vendor that processes its transactions, hosts key data, or
performs other significant services, the auditor will need to conduct an evaluation of
the vendor organizations controls, or alternatively obtain a SAS No. 70 auditors report
from the vendor organization.
Statement on Auditing Standard No. 70 (SAS 70) is the definitive standard by
which client organizations auditors can gain knowledge that controls at the third-party
vendor are adequate to prevent or detect material errors that could impact the clients
financial statements. The SAS 70 report, which is prepared by the vendors auditor, at-
tests to the adequacy of the vendors internal controls. This is the means by which an
outsourcing vendor can obtain a single audit report that may be used by its clients audi-
tors and thus preclude the need for each client firm auditor to conduct its own audit of
the vendor organizations internal controls.
Figure 2.8 illustrates how a SAS 70 report works in relation to the vendor, the client
firms, and their respective auditors. The outsourcing vendor serves clients 1, 2, 3, and 4
with various IT services. The internal controls over the outsourced services reside at the
vendor location. They are audited by the vendors auditor, who expresses an opinion and
Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
60 Chapter 2: Auditing IT Governance Controls

FIGURE 2.8
Client Client
SAS 70 Report
SAS 70 1 Auditor A
Overview
rt
po
Re
70
S
SA
Client Client
2 SAS 70 Report Auditor B
ep ort
70 R
Outsourcing SAS
Vendor

SA
S7
0R
ols

epo
rt
ntr

rt

Client
Co

SA
po

SAS 70 Report Client

3
S
Re
w

Auditor C
70
vie

70

Re
Re

po
S
SA

r
t

Vendor Client
Auditor SAS 70 Report Client
4 Auditor D

issues a SAS 70 report on the control adequacy. Each of the client firms is audited by
different auditors A, B, C, and D, respectively, who as part of their respective audits,
rely on the vendors SAS 70 report and are thus not compelled to individually test the
vendors controls. Given that a vendor may have hundreds or even thousands of clients,
individual testing under SOX would be highly disruptive to the vendors operations,
costly to the client, and impractical.
Service provider auditors issue two types of SAS 70 reports. An SAS 70 Type I re-
port is the less rigorous of the two and comments only on the suitability of the controls
design. An SAS 70 Type II report goes further and assesses whether the controls are op-
erating effectively based on tests conducted by the vendor organizations auditor. The
vast majority of SAS 70 reports issued are Type II. Because Section 404 requires the ex-
plicit testing of controls, SAS 70 Type I reports are of little value in a post-SOX world.

SUMMARY
This chapter presented risks and controls related to IT governance. It began with a brief
definition of IT governance and identified its implications for internal control and finan-
cial reporting. Next it presented exposures that can arise from inappropriate structuring
of the IT function within the organization. The chapter turned to a review of computer
center threats and controls, which include protecting it from damage and destruction
from natural disasters, fire, temperature, and humidity. The chapter then presented the
key elements of a disaster recovery plan. Several factors need to be considered in such a
plan, including providing second-site backup, identifying critical applications, perform-
ing backup and off-site storage procedures, creating a disaster recovery team, and testing
the DRP. The final section of the chapter examined issues surrounding the growing

Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.