
RISKS ASSOCIATED WITH DDP

5 potential problems
1. INEFFICIENT USE OF RESOURCES
 3 TYPES OF RISKS
a. Risk of mismanagement of organization-wide IT resources by end users.

b. Risk of operational inefficiencies.

c. Risk of incompatible hardware and software among end-user functions.


2. DESTRUCTION OF AUDIT TRAIL

AUDIT TRAIL
 Provides the linkage between a company's financial activities (transactions) and the
financial statements that report on those activities.

 Critical to the auditor's attest service.

 Consists of a set of DIGITAL TRANSACTION FILES and MASTER FILES; when processing is distributed, these files are scattered across end-user sites, where they can be deleted or altered without the controls of a central computer center.


3. INADEQUATE SEGREGATION OF DUTIES
 The distribution of IT services to users may result in the creation of small independent units that do
not permit the desired separation of incompatible functions.

4. HIRING QUALIFIED PROFESSIONALS


5. LACK OF STANDARDS

ADVANTAGES OF DDP
 Cost reductions, improved cost control responsibility, improved user satisfaction, backup flexibility.
COST REDUCTIONS
1. Data can be edited and entered by the end user, thus eliminating the centralized task of data
preparation.
2. Application complexity can be reduced, which in turn reduces systems development and
maintenance costs.

IMPROVED COST CONTROL RESPONSIBILITY

 End-user managers carry responsibility for the financial success of their units. This responsibility requires that they be properly empowered with the authority to make
decisions about the resources that influence their overall success.
IMPROVED USER SATISFACTION
 Most often cited benefit of DDP.
1. Users desire to control the resources that influence their profitability.
2. Users want systems professionals (analysts, programmers, and computer operators) to be responsive
to their specific situation.
3. Users want to become more actively involved in developing and implementing their own systems.

BACKUP FLEXIBILITY
 The final argument in favor of DDP is the ability to back up computing facilities to protect against
potential disasters (fires, floods, sabotage, and earthquakes): with several sites, one site can take over the workload of another that is lost.
CONTROLLING THE DDP ENVIRONMENT

IMPLEMENT A CORPORATE IT FUNCTION

 The corporate IT group provides systems development and database management for entity-wide
systems, in addition to technical advice and expertise to the distributed IT community.

CENTRAL TESTING OF COMMERCIAL SOFTWARE AND HARDWARE


USER SERVICES
 A valuable feature of the corporate group.
 Provides technical help to users during the installation of new software and in troubleshooting
hardware and software problems.
STANDARD-SETTING BODY
PERSONNEL REVIEW
AUDIT OBJECTIVE
 To verify that the structure of the IT function is such that individuals in incompatible areas
are segregated in accordance with the level of potential risk, and in a manner that
promotes a working environment.
 This is an environment in which formal, rather than casual, relationships need to exist
between incompatible tasks.
AUDIT PROCEDURES
 Review relevant documentation.
 Review systems documentation and maintenance records for a sample of applications.
 Verify that computer operators do not have access to the operational details of a system's
internal logic.
 Through observation, determine that the segregation policy is being followed in practice.
 Review the current organizational chart, mission statement, and job descriptions for key
functions to determine whether individuals or groups are performing incompatible duties.
 Verify that corporate policies and standards for systems design, documentation, and
hardware and software acquisition are published and provided to distributed IT units.
 Verify that compensating controls, such as supervision and management monitoring, are
employed when segregation of incompatible duties is economically infeasible.
 Review system documentation to verify that applications, procedures, and databases are
designed and functioning in accordance with corporate standards.
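The organizational-chart review above can be mechanized: list which IT functions each person holds, compare every pair against a matrix of incompatible functions, and treat a conflict in a unit with no documented compensating control as an open finding. The following is an added example, not code from the page; the conflict matrix, the org chart and the compensating-control register are constructed sample data, and the specific function pairs marked incompatible are assumptions for the example.

```python
"""Segregation-of-duties conflict check over an IT organizational chart (added example)."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

# Constructed conflict matrix: pairs of IT functions this example treats as incompatible
# when held by one person. Assumption for the example, not a list taken from the page.
INCOMPATIBLE: Set[FrozenSet[str]] = {
    frozenset({"systems development", "computer operations"}),
    frozenset({"systems development", "database administration"}),
    frozenset({"systems maintenance", "computer operations"}),
    frozenset({"data library", "computer operations"}),
}

# Constructed sample org chart: unit -> person -> IT functions held.
ORG_CHART: Dict[str, Dict[str, List[str]]] = {
    "corporate IT": {
        "alice": ["systems development"],
        "bob": ["computer operations"],
        "carol": ["database administration"],
    },
    "plant 7 IT (distributed)": {
        "dave": ["systems development", "computer operations"],
        "erin": ["data library", "computer operations"],
    },
}

# Constructed sample register: unit -> documented compensating controls.
COMPENSATING_CONTROLS: Dict[str, List[str]] = {
    "plant 7 IT (distributed)": ["weekly supervisory review of the program change log"],
}


def conflicts_for(functions: List[str]) -> List[FrozenSet[str]]:
    """Return every incompatible pair among the functions one person holds."""
    held = sorted(set(functions))
    return [frozenset(p) for p in combinations(held, 2) if frozenset(p) in INCOMPATIBLE]


def audit_segregation(org_chart: Dict[str, Dict[str, List[str]]],
                      compensating_controls: Dict[str, List[str]]) -> List[dict]:
    """Produce one finding per (person, conflict). A conflict is 'mitigated' only when
    the unit has at least one documented compensating control, otherwise 'open'."""
    findings = []
    for unit, people in org_chart.items():
        controls = compensating_controls.get(unit, [])
        for person, functions in people.items():
            for pair in conflicts_for(functions):
                findings.append({
                    "unit": unit,
                    "person": person,
                    "conflict": tuple(sorted(pair)),
                    "status": "mitigated" if controls else "open",
                    "controls": list(controls),
                })
    return findings


def open_findings(org_chart, compensating_controls) -> List[dict]:
    """Only the conflicts that have no compensating control at all."""
    return [f for f in audit_segregation(org_chart, compensating_controls)
            if f["status"] == "open"]


if __name__ == "__main__":
    for f in audit_segregation(ORG_CHART, COMPENSATING_CONTROLS):
        print(f"{f['status']:9} {f['unit']}: {f['person']} holds {f['conflict'][0]} and {f['conflict'][1]}")
```

In the sample data the central unit is clean and the small distributed unit carries two conflicts, both mitigated only because a supervisory review is on record; removing that register entry turns them into open findings, which is exactly the condition the procedure asks the auditor to verify.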
THE COMPUTER CENTER

 Objective:
to present computer center risks and the controls that help to mitigate risk and create a secure
environment.

PHYSICAL LOCATION
 Directly affects the risk of destruction from a natural or man-made disaster.
CONSTRUCTION
 Should be located in a single-story building of solid construction with controlled access.
ACCESS
 Should be limited to the operators and other employees who work there.
AIR CONDITIONING
FIRE SUPPRESSION
 Fire is the most serious threat to a firm's computer equipment.
MAJOR FEATURES:
1. Automatic and manual alarms should be placed at strategic locations around the installation.
2. There must be an automatic fire-extinguishing system that dispenses the appropriate type of suppressant
for the location.
3. Manual fire extinguishers should be placed at strategic locations.
4. The building should be of sound construction to withstand water damage caused by fire suppression
equipment.
5. Fire exits should be clearly marked and illuminated during a fire.
FAULT TOLERANCE
 The ability of a system to continue operation when part of the system fails because of
hardware failure, application program error, or operator error.
2 examples of fault tolerance
1. Redundant arrays of independent disks (RAID) involve using parallel disks that contain redundant
elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the
redundant components stored on the other disks. Note that RAID protects against disk failure only: a record that is deleted or written incorrectly is faithfully stored on every redundant component, so RAID is not a substitute for backups.
2. UNINTERRUPTIBLE POWER SUPPLIES
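The reconstruction described in point 1 works because parity is the XOR of the data units in a stripe, so any one missing unit (data or parity) is the XOR of the rest. The block below is an added example, not code from the page: it builds a single-parity stripe in the RAID 4/5 style, rebuilds after one lost unit, refuses when two units are lost, and shows the read-modify-write parity update that lets a bad write be "protected" just as well as a good one. The stripe-unit contents and the eight-byte unit size are constructed for the example.

```python
"""Single-parity stripe reconstruction, the mechanism behind RAID 4/5 (added example)."""
from typing import List, Optional

Stripe = List[Optional[bytes]]  # one unit per disk; None marks a failed disk


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        if len(blk) != len(out):
            raise ValueError("stripe units must be equal length")
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def build_stripe(data_units: List[bytes]) -> List[bytes]:
    """Stripe as laid out on disk: data units followed by one parity unit."""
    return list(data_units) + [xor_blocks(data_units)]


def can_rebuild(stripe: Stripe) -> bool:
    """Single parity tolerates exactly one failed unit per stripe."""
    return sum(1 for u in stripe if u is None) <= 1


def reconstruct(stripe: Stripe) -> List[bytes]:
    """Rebuild the stripe after a failure. Works for one lost unit, data or parity."""
    missing = [i for i, u in enumerate(stripe) if u is None]
    if len(missing) > 1:
        raise ValueError(f"{len(missing)} units lost; single parity tolerates only one")
    rebuilt = list(stripe)
    if missing:
        present = [u for u in stripe if u is not None]
        rebuilt[missing[0]] = xor_blocks(present)  # XOR of survivors is the lost unit
    return rebuilt  # type: ignore[return-value]


def parity_consistent(stripe: List[bytes]) -> bool:
    """Scrub check: XOR over all units, parity included, must be all zero."""
    return xor_blocks(stripe) == bytes(len(stripe[0]))


def write_unit(stripe: List[bytes], index: int, new_data: bytes) -> List[bytes]:
    """RAID-5 style read-modify-write of one data unit: the new parity is
    old_parity XOR old_data XOR new_data, with no read of the other data disks."""
    if index >= len(stripe) - 1:
        raise IndexError("parity unit is not written directly")
    updated = list(stripe)
    updated[-1] = xor_blocks([stripe[-1], stripe[index], new_data])
    updated[index] = new_data
    return updated


def demo() -> bool:
    """Lose one unit, rebuild, then overwrite a balance and show RAID keeps the overwrite."""
    # Constructed sample data: three 8-byte units of a transaction file.
    stripe = build_stripe([b"LEDGER01", b"TXN-0042", b"BAL=5000"])
    damaged: Stripe = list(stripe)
    damaged[1] = None                       # disk holding TXN-0042 fails
    rebuilt_ok = reconstruct(damaged) == stripe
    # An erroneous write is redundantly stored too; reconstruction returns the bad value.
    clobbered = write_unit(stripe, 2, b"BAL=0000")
    damaged2: Stripe = list(clobbered)
    damaged2[2] = None
    kept_bad_write = reconstruct(damaged2)[2] == b"BAL=0000"
    return rebuilt_ok and kept_bad_write


if __name__ == "__main__":
    print("rebuilt after one failure and preserved the overwrite:", demo())
```

The same XOR identity gives the scrub check: if the XOR of every unit in a stripe is not zero, some disk returned silently corrupted data and the parity can no longer be trusted for a rebuild.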
AUDIT OBJECTIVES:
 To evaluate the controls governing computer center security, specifically that:
1. Physical security controls are adequate to reasonably protect the organization
from physical exposure.

2. Insurance coverage on equipment is adequate to compensate the organization
for the destruction of, or damage to, its computer center.
AUDIT PROCEDURES
 TESTS OF PHYSICAL CONSTRUCTION

 TESTS OF THE FIRE DETECTION SYSTEM

 TESTS OF ACCESS CONTROL

 TESTS OF RAID

 TESTS OF THE UNINTERRUPTIBLE POWER SUPPLY

 TESTS FOR INSURANCE COVERAGE


DISASTER RECOVERY PLANNING
Disaster Recovery Plan (DRP)

Four common features:


1. Identify critical application
2. Create disaster recovery team
3. Provide site backup
4. Specify backup and off-site storage procedure
TYPES OF DISASTER (figure)
Natural disaster: fire, flood, tornado.
Human-made disaster: sabotage, error.
System failure: power outage, drive failure, O/S crash/lock.

IDENTIFY CRITICAL APPLICATIONS
 Customer sales and service
 Fulfillment of legal obligations
 Accounts receivable maintenance and collection
 Production and distribution decisions
 Purchasing functions
 Cash disbursements (trade accounts and payroll)
