Scribd
Upload
12 views4 pages

Acctg 109 Outline

Research

Uploaded by

Zen1
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
12 views4 pages

Acctg 109 Outline

Research

Uploaded by

Zen1
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 4

6.3.1.

Computer Center Controls

Weaknesses in computer center security have a potential impact on the function of application controls
related to the financial reporting process. Therefore, this physical environment is a control issue for SOX
compliance.

The following are some of the control features that contribute directly to computer center security.

A. Physical Location
The physical location selected for a computer center can influence the risk of disaster. To the
extent possible, the computer center should be located away from human-made and natural
hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains,
and geological faults.
B. Construction
Ideally, a computer center should be located in a single-story building of solid construction with
controlled access.
C. Access
Access to the computer center should be limited to the operators and other employees who
work there. Programmers and analysts who occasionally need to correct program errors should
be required to sign in and out.
D. Air-Conditioning
Computers function best in an air-conditioned environment. For mainframe computers,
providing adequate air-conditioning is often a requirement of the vendor’s warranty. Computers
operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of
50 percent.
E. Fire Suppression
The most common threat to a firm’s computer equipment is fire. Half of the companies that
suffer fires go out of business because of the loss of critical records, such as accounts receivable.
F. Fault Tolerance Controls
Fault tolerance is the ability of the system to continue operation when part of the system fails
because of hardware failure, application program error, or operator error. Implementing
redundant system components can achieve various levels of fault tolerance.

Redundant disks and power supplies are two common examples.

 Redundant arrays of independent disks (RAID: involves using parallel disks that contain
redundant elements of data and applications.
 Uninterruptible power supplies help prevent data loss and system corruption.

6.3.2. Disaster Recovery planning (DRP)

A disaster recovery plan (DRP) is a comprehensive statement of all actions to be taken before.
During, and after a disaster, along with documented, tested procedures that will ensure the
continuity of operations.
1.Providing Second-Site Backup

A necessary ingredient in a DRP is that it provides for duplicate data processing facilities
following a disaster. The viable options available include the empty shell, recovery operations
center, and internally provided backup.

A. The Empty Shell


The empty shell or cold site plan is an arrangement where the company buys or leases a building
that will serve as a data center. In the event of a disaster, the shell is available and ready to
receive whatever hardware the temporary user needs to run essential systems.
B. The Recovery Operations Center
A recovery operations center (ROC) or hot site is a fully equipped backup data center that many
companies share. In addition to hardware and backup facilities, ROC service providers offer a
range of technical services to their clients, who pay an annual fee for access rights.
C. Internally Provided Backup
Larger organizations with multiple data processing centers often prefer the self-reliance that
creating internal excess capacity provides. This permits firms to develop standardized hardware
and software configurations, which ensure functional compatibility among their data processing
centers and minimize cutover problems in the event of a disaster.

2. Identifying Critical Applications

Another essential element of a DRP involves procedures to identify the critical applications and
data files of the firm to be restored. Eventually, all applications and data must be restored to pre
disaster business activity levels. Immediate recovery efforts, however, should focus on restoring
those applications and data that are critical to the organization’s short-run survival.

3. Performing Backup and Off-Site Storage Procedures

All data files, application documentation, and supplies needed to perform critical functions
should be specified in the DRP. Data processing personnel should routinely perform backup and
storage procedures to safeguard these critical resources.

A. Backup Data Files


Databases should be copied daily to tape or disks and secured off-site. In the event of a
disruption, reconstruction of the database is achieved by updating the most current backup
version with subsequent transaction data. Likewise, master files and transaction files should be
protected.
B. Backup Documentation
The system documentation for critical applications should be backed up and stored offsite in
much the same manner as data files. The large volumes of material involved and constant
application revisions complicate the task.
C. Backup Supplies and Source Documents
The firm should maintain backup inventories of supplies and source documents used in the
critical applications.

4. Creating a Disaster Recovery Team

Recovering from a disaster depends on timely corrective action. Failure to perform essential tasks
(such as obtaining backup files for critical applications) prolongs the recovery period and diminishes
the prospects for a successful recovery.

5. Testing the DRP

The most neglected aspect of contingency planning is testing the plans. Nevertheless, DRP tests
are important and should be performed periodically. Tests provide measures of the
preparedness of personnel and identify omissions or bottlenecks in the plan.

6.4. Overview of Auditing of Computer Based IS

This section presented the audit objective in computer based information systems. This
establishes what needs to be verified regarding the function of the control in place. These
control objectives and associated tests may be performed by internal auditors providing
evidence of management’s compliance with SOX or by external auditors as part of their attest
function.

6.4.1. Audit Objectives Relating to Organizational Structure

The auditor’s objective is to verify that individuals in incompatible areas are segregated in
accordance with the level of potential risk and in a manner that promotes a working
environment.

Audit Procedures Relating to Organizational Structure

The following tests of controls would enable the auditor to achieve the control objectives.

➤ Obtain and review the corporate policy on computer security. Verify that the security policy is
communicated to responsible employees and supervisors.
➤ Review relevant documentation, including the current organizational chart, mission statement, and
job descriptions for key functions, to determine if individuals or groups are performing incompatible
functions.

➤ Review systems documentation and maintenance records for a sample of applications. Verify that
maintenance programmers assigned to specific projects are not also the original design programmers.

➤ Through observation, determine that the segregation policy is being followed in practice. Review
operations room access logs to determine whether programmers enter the facility for reasons other
than system failures.

➤ Review user rights and privileges to verify that programmers have access privileges consistent with
their job descriptions.

You might also like