SM-15-new CHAPTER 15
8/10/2019 SM-15-new CHAPTER 15
Chapter 15 Page 33
CHAPTER 15
IT CONTROLS PART I: SARBANES-OXLEY
AND IT GOVERNANCE
REVIEW QUESTIONS
1. The chapter concentrates on internal control and audit responsibilities pursuant to Sections 302 and 404.
2. The PCAOB's Auditing Standard No. 5 endorses the use of COSO as the framework for control assessment.
3. Application controls and general controls.
4. The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions.
5. Examples include:
   A cash disbursements batch-balancing routine that verifies that the total payments to vendors reconciles with the total postings to the accounts payable subsidiary ledger.
   An accounts receivable check digit procedure that validates customer account numbers on sales transactions.
   A payroll system limit check that identifies employee time card records with reported hours worked in excess of the predetermined normal limit.
6. General controls apply to all systems. They are not application specific. General controls include controls over IT governance, the IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.
7. Computer fraud refers to using hardware and software to divert or acquire the assets of the firm. Its activities include:
   a. the theft, misuse, or misappropriation of assets by altering computer records and files;
   b. the theft, misuse, or misappropriation of assets by altering the logic of computer software;
   c. the theft or illegal use of computer records and files;
   d. the theft, corruption, illegal copying, or the intentional destruction of computer software; and
   e. the theft, misuse, or misappropriation of computer hardware.
8. The data-collection or data-entry stage is the simplest way to commit computer fraud, since the perpetrator need only understand how the system works to enter data that it will process.
9. In a manual authorization system, management and auditors can verify compliance with established authorization rules by observing the employees involved and reviewing their work. In an automated authorization system, the authorization is unobserved by management, and a control failure may go unnoticed until the firm experiences some undesirable symptoms.
10. In a CBIS environment, it would be inefficient and contrary to the objectives of automation to separate such tasks as processing and recording a transaction among several different application programs merely to emulate a manual control model. Further, the reason for separating tasks is to control against the negative behavior of humans; in a CBIS the computer performs the tasks, not humans.
11. a. Separating systems development from computer operations
    b. Separating the database administrator from other functions and systems development
    c. Separating new systems development from maintenance
12. Computer fraud and losses from disaster.
13. General controls apply to a wide range of exposures that systematically threaten the integrity of all applications processed within the CBIS environment. Some examples of general controls are controls against viruses and controls to protect the hardware from vandalism. Application controls are narrowly focused on exposures within specific systems. Some examples of application controls are controls to make sure that each employee receives only one paycheck per pay period and controls to ensure that each invoice gets paid only once.
14. The operations activities should be separated from systems development and maintenance activities, and any relationships between these two groups should be through formal and controlled channels. The systems development and maintenance groups create and maintain the applications. The operations personnel run the systems and should have no input in their design. The less the operations personnel know about the application logic and control parameters, the less likely they are to make unauthorized changes to these applications for personal gain.
15. One problem that may occur is inadequate documentation. Documenting is not considered as interesting a task as designing, testing, and implementing a new system; thus a systems professional may move on to a new project rather than spend time documenting an almost complete project. Job security may be another reason a programmer may not fully document his or her work. Another problem that may occur is the increased potential for fraud. If the original programmer generates fraudulent code during development, then this programmer, through maintenance procedures, may disable the code prior to audits. Thus, the programmer can continue to cover his or her tracks.
16. Many firms that do not use CASE tools with automatic documentation features face this problem because the systems professionals do not find this task as interesting as the design, testing, and implementation steps. Further, the systems professionals are typically eager or pressured to move on to another project before documentation is complete. Job security is another reason for poor systems documentation.
17. The role of a corporate computer services department differs in that it is not a completely centralized model. Instead, the group plays the role of provider of technical advice and expertise to distributed computer services. Thus, it provides much more support than would be received in a completely distributed model. A corporate computer services department provides a means for central testing of commercial hardware and software in an efficient manner. Further, the corporate group can provide users with services such as installation of new software and troubleshooting hardware and software problems. The corporate group can establish systems development, programming, and documentation standards. The corporate group can aid the user groups in evaluating the technical credentials of prospective systems professionals.
18. Incompatibility, redundancy, consolidating incompatible activities, acquiring qualified professionals, and lack of standards.
19. a. physical location controls
    b. construction controls
    c. access controls
    d. air conditioning controls
    e. fire suppression controls
    f. fault tolerance controls
20. Fault tolerance is the ability of the system to continue operation when part of the system fails due to hardware failure, application program error, or operator error. Various levels of fault tolerance can be achieved by implementing redundant system components.
21. evaluating internal controls, and 3) analyzing financial data. Conceptually, no difference exists between IT auditing and general auditing. IT auditing is typically a subset of the overall audit; the portion that involves computer technology is the subset.
2. External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies. External auditing is conducted by certified public accountants who are independent of the organization's management. Internal auditors represent the interests of management. Internal auditing tasks include conducting financial audits, examining an operation's compliance with legal obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting EDP audits.
2. a. systematic process
   b. obtaining evidence
   c. ascertaining the degree of correspondence with established criteria
   d. communicating results
2. Materiality refers to the size of the effect of a transaction. From a cost-benefit point of view, a threshold is set, above which the auditor is concerned with the correct recording and effects of transactions.
30. The auditors perform an analysis and assessment of audit risk that includes an investigation of the organization's general controls and application controls. The primary techniques for gathering evidence at this phase are using questionnaires, interviewing management, reviewing systems documentation, and observing activities.
31. The tests of controls phase involves determining whether adequate internal controls are in place and whether they function properly. The substantive testing phase involves a detailed investigation of specific account balances and transactions.
32. Audit risk is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated.
33. Errors are unintentional mistakes, while irregularities are intentional misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. Processes that involve human actions will contain some amount of human error. Computer processes should only contain errors if the programs are erroneous or if systems operating procedures are not being closely and competently followed. Errors are typically much easier to uncover than misrepresentations; thus auditors typically are more concerned with whether they have uncovered any and all irregularities.
34. Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries are considered to have more inherent risk than firms in stable or thriving industries. Inherent risk will not be reduced by internal control. Control risk is the likelihood that the control structure is flawed because internal controls are either absent or inadequate to prevent or detect errors in the accounts. Internal controls may be present in firms, yet the financial statements may be materially misstated due to circumstances outside the control of the firm. For example, a customer, on the verge of bankruptcy, has an outstanding Accounts
35. The relationship between tests of controls and substantive testing is directly related to the auditor's risk assessment. The stronger the internal controls, the less substantive testing the auditor must do.
36. The following are examples of general control areas:
    a. operating system controls
    b. data management controls
    c. organizational structure controls
    d. systems development controls
    e. systems maintenance controls
    f. computer center security and controls
    g. Internet and intranet controls
    h. electronic data interchange controls
37. The auditor should review the current organization chart, mission statements, job descriptions of key functions, systems maintenance records, and programmer authority tables. Actual behavior should be observed to see whether the job descriptions are in line with the tasks people are actually performing. Sometimes, job descriptions may turn out to be theoretical in nature, while the reality is quite different.
38. a. tests of physical construction
    b. tests of the fire detection system
    c. tests of access control
    d. tests of the backup power supply
39. Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (due to the vendor's expertise), and reduced IT costs.
40. Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions.
41. Specific IT assets, in contrast, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside of their current use.
42. Five risks associated with IT outsourcing are: Failure to Perform, Vendor Exploitation, Outsourcing Costs Exceed Benefits,
DISCUSSION QUESTIONS
2. Section 404 requires the management of public companies to assess the effectiveness of their organization's internal controls over financial reporting and provide an annual report addressing the following points: 1) a statement of management's responsibility for establishing and maintaining adequate internal control; 2) an assessment of the effectiveness of the company's internal controls over financial reporting; 3) a statement that the organization's external auditors have issued an attestation report on management's assessment of the company's internal controls; 4) an explicit written conclusion as to the effectiveness of internal control over financial reporting; and 5) a statement identifying the framework used by management to conduct their assessment of internal controls.
3. The SEC has made specific reference to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a recommended control framework. Furthermore, the PCAOB's Auditing Standard No. 5 endorses the use of COSO as the framework for control assessment. Although other suitable frameworks have been published, according to Standard No. 5, any framework used should encompass all of COSO's general themes.
4. Consider an organization with poor database security controls. In such a situation, even data processed by systems with adequate built-in application controls may be at risk. An individual who can circumvent database security may then change, steal, or corrupt stored transaction data. Thus, general controls are needed to support the functioning of application controls, and both are needed to ensure accurate financial reporting.
5. Auditors had the option of not relying on internal controls in the conduct of an audit and therefore did not need to test them. Instead, auditors could focus primarily on substantive tests. Under SOX, management is required to make specific assertions regarding the effectiveness of internal controls. To attest to the validity of these assertions, auditors are required to test the controls.
6. No. Auditors are permitted to simultaneously render a qualified opinion on management's assessment of internal controls and render an unqualified opinion on the financial statements. In other words, it is technically possible for auditors to find internal controls over financial reporting to be weak, but conclude through substantive tests that the weakness did not cause the financial statements to be materially misrepresented.
7. This involves:
   a. Selecting the financial accounts that have material implications for financial reporting.
   b. Identifying the application controls related to those accounts.
   c. Identifying the general controls that support the application controls. The sum of these controls, both application and general, constitutes the relevant internal controls over financial reporting that need to be reviewed.
8. Standard No. 2 places new responsibility on auditors to detect fraudulent activity. The standard emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements. Management is responsible for implementing such controls, and auditors are expressly required to test them. (PCAOB Auditing Standard No. 2 has since been superseded by Auditing Standard No. 5, the standard referred to elsewhere in this chapter; the emphasis on testing anti-fraud controls carried over.)
9. Computer fraud can occur at various points during computer processing. The following summarizes the key areas of risk:
Data Collection Fraud involves the data entry stage of the process. Frauds of this type require little or no computer skills. The perpetrator need only understand how the system works to enter data that it will process. The fraudulent act involves falsifying data as it enters the system. This can be to delete, alter, or add a transaction. For example, to commit a payroll fraud, the perpetrator may insert a fraudulent payroll transaction along with other legitimate transactions.
Program Fraud includes the following techniques: (1) creating illegal programs that can access data files to alter, delete, or insert values into accounting records; (2) destroying or corrupting a program's logic using a computer virus; or (3) altering program logic to cause the application to process data incorrectly. Altering the logic of the rounding program that banks use to calculate interest on their customers' accounts is an example of program fraud.
Operations Fraud is the misuse or theft of the firm's computer resources. This often involves using the computer to conduct personal business. For example, a programmer may use the firm's computer time to write software that he or she sells commercially.
Database Management Fraud includes altering, deleting, corrupting, destroying, or stealing an organization's data. The most common technique is to access the database from a remote site and browse the files for useful information that can be copied and sold to competitors. Disgruntled employees have been known to destroy company data files simply to harm the organization. Viruses and logic bombs designed to destroy databases are also forms of database fraud.
Information Generation Fraud is stealing, misdirecting, or misusing computer output. One technique, called scavenging, involves searching through the trash cans of the computer center for discarded output. A perpetrator can often obtain useful information from the carbon sheets removed from multipart reports or from paper reports that were rejected during processing.
Eavesdropping involves listening to output transmissions over telecommunications lines. Available technologies enable perpetrators to intercept messages being sent over unprotected telephone lines and microwave channels. Most experts agree that it is practically impossible to prevent a determined perpetrator from accessing data communication channels. Data encryption can, however, render useless any data captured through eavesdropping. (Encryption protects the confidentiality of what is captured; detecting an eavesdropper who also alters or replays the transmission additionally requires message authentication.)
11. The lowest cost method is internally provided backup. With this method, organizations with multiple data-processing centers may invest in internal excess capacity and support themselves in the case of disaster in one data processing center. In terms of cost, the next highest method is the empty shell, where two or more organizations buy or lease space for a data-processing center. The space is made ready for computer installation; however, no computer equipment is installed. This method requires lease or mortgage payments, as well as payment for air conditioning and raised floors. The risk of this method is that the hardware, software, and technicians may be difficult, if not impossible, to have available in the case of a natural disaster. Further, if multiple members' systems crash simultaneously, an allocation problem exists. The method with lowest risk, and also the highest cost, is the recovery operations center. This method takes the empty shell concept one step further: the computer equipment is actually purchased and software may even be installed. Assuming that this site is far enough away from the disaster-stricken area not to be affected by the disaster, this method can be a very good safeguard.
12. The critical applications should be identified and prioritized by management, user departments, and auditors. The applications should be prioritized based on the impact to the short-run survival of the firm. The frequency with which the priorities need to be assessed depends on the amount and kinds of changes that are made to systems over time. Firms that make changes frequently should reassess priorities frequently.
13. The attest service is defined as an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. The following requirements apply to attestation services:
    o Attestation services require written assertions and a practitioner's written report.
    o Attestation services require the formal establishment of measurement criteria or their description in the presentation.
    o The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.
Assurance services constitute a broader concept that encompasses, but is not limited to, attestation. Assurance services are professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision makers. Assurance services are intended to help people make better decisions by improving information. This information may come as a by-product of the attest function or it may ensue from an independently motivated review.
14. The existence or occurrence assertion affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.
The completeness assertion declares that no material assets, equities, or transactions have been omitted from the financial statements.
The rights and obligations assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations.
The valuation or allocation assertion states that assets and equities are valued in accordance with generally accepted accounting principles and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis.
The presentation and disclosure assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements.
15. Having the internal auditing function report to the controller is unacceptable. If the controller is aware of or involved in a fraud or defalcation, then he/she may give false or inaccurate information to the auditors. The possibility that the auditors may lose their jobs if they do not keep certain matters quiet also exists. Further, the fraud may be occurring at a level higher than the controller, and the controller may fear losing his/her job if the matter is pursued. The best route is to have the internal auditing function report directly to the board of directors.
16. Virtually all audits involve some form of computer-based system. Thus, financial auditing must include IT auditing.
17. In the CBIS environment, the data needed to perform audit tests are contained in computer files that must be extracted using specialized audit software.
18. Assessing systems development controls requires more judgment than some of the other areas.
19. Exposure: unauthorized program changes
    Control: segregation of duties
    Audit Objective: to verify that programmers and operators do not perform incompatible tasks
    Test of Control: review of organization chart, job descriptions, password controls, and physical access controls
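The audit objective in 19 (and the separations listed in review questions 11 and 14) can be tested mechanically against an entitlement extract rather than only by reading job descriptions. The Python below is an added example written for this page, not material from the solutions manual. The duty names, the incompatible pairs and the user extract are constructed for illustration; a real review would take the pairs from the firm's own segregation-of-duties matrix and the extract from its access-control system.

```python
"""Segregation-of-duties check over an entitlement extract.

Added example for this page (not from the solutions manual). The duty
names, incompatible pairs and the extract below are constructed.
"""
from collections import defaultdict

# Incompatible duty pairs. Three come from review questions 11 and 14
# (development vs. operations, DBA vs. development, new development vs.
# maintenance); the fourth comes from problem 2 (billing vs. receivable).
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
    frozenset({"billing", "accounts_receivable"}),
}

# Constructed extract: (user, duty) rows as an access-review export might
# list them. Three users hold both halves of an incompatible pair.
ENTITLEMENTS = [
    ("alice", "systems_development"),
    ("alice", "computer_operations"),      # toxic: development + operations
    ("bob", "computer_operations"),
    ("carol", "database_administration"),
    ("carol", "systems_development"),      # toxic: DBA + development
    ("dave", "billing"),
    ("dave", "mailroom"),
    ("erin", "new_systems_development"),
    ("erin", "systems_maintenance"),       # toxic: new development + maintenance
]


def duties_by_user(entitlements):
    """Collapse the row-per-entitlement extract into {user: set(duties)}."""
    held = defaultdict(set)
    for user, duty in entitlements:
        held[user].add(duty)
    return held


def find_sod_violations(entitlements, incompatible=INCOMPATIBLE_PAIRS):
    """Detective use: every (user, duty_a, duty_b) where one person holds
    both halves of an incompatible pair, sorted for stable reporting."""
    violations = []
    for user, duties in duties_by_user(entitlements).items():
        for pair in incompatible:
            if pair <= duties:            # both duties of the pair are held
                duty_a, duty_b = sorted(pair)
                violations.append((user, duty_a, duty_b))
    return sorted(violations)


def would_conflict(entitlements, user, new_duty, incompatible=INCOMPATIBLE_PAIRS):
    """Preventive use at grant time: the duties already held by `user` that
    the proposed `new_duty` would be incompatible with (empty means grant)."""
    held = duties_by_user(entitlements).get(user, set())
    conflicts = set()
    for pair in incompatible:
        if new_duty in pair:
            other = next(iter(pair - {new_duty}))
            if other in held:
                conflicts.add(other)
    return sorted(conflicts)


if __name__ == "__main__":
    for user, a, b in find_sod_violations(ENTITLEMENTS):
        print("SoD violation: %s holds %s and %s" % (user, a, b))
    print("grant bob systems_development conflicts with:",
          would_conflict(ENTITLEMENTS, "bob", "systems_development"))
```

The detective check is what an auditor runs over a periodic extract; the preventive check is what a provisioning workflow should run before a grant is approved. Where a small shop cannot avoid a conflict, the finding should be paired with a compensating control of the kind listed in problem 4 (supervision, rotation, activity logging) rather than waived.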
20. Computing center security is an area where judgment is necessary to determine if the controls in place are adequate from a cost-benefit standpoint. Preparing for disasters is difficult since one can only speculate as to the disaster and its consequences.
21. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance. The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS). In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its ability to serve other clients. Following an eleven-year low in share prices, EDS stockholders filed a class-action lawsuit against the company. Clearly, vendors experiencing such serious financial and legal problems threaten the viability of their clients also.
22. Once the client firm has divested itself of specific assets it becomes dependent on the vendor. The vendor may exploit this dependency by raising service rates to an exorbitant level. As the client's IT needs develop over time beyond the original contract terms, it runs the risk that new or incremental services will be negotiated at a premium. This dependency may threaten the client's long-term flexibility, agility, and competitiveness and result in even greater vendor dependency.
23. Information outsourced to off-shore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data. When corporate financial systems are developed and hosted overseas, and program code is developed through interfaces with the host company's network, US corporations are at risk of losing control of their information. To a large degree US firms are reliant on the outsourcing vendor's security measures, data-access policies, and the privacy laws of the host country.
24. Alignment between IT strategy and business strategy requires a close working relationship between corporate management and IT management in the concurrent development of business and IT strategies. This, however, is difficult to accomplish when IT planning is geographically redeployed off-shore or even domestically. Further, since the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them. This fundamental underpinning of IT outsourcing is inconsistent with the client's pursuit of strategic advantage in the marketplace.
25. A SAS 70 report is the means by which an outsourcing vendor can obtain a single audit report that may be used by its clients' auditors and thus preclude the need for each client firm's auditor to conduct its own audit of the vendor organization's internal controls. (SAS 70 has since been replaced by the SOC 1 report issued under SSAE 16 and later SSAE 18; the purpose is the same.)
MULTIPLE CHOICE
1. B
2. C
3. D
4. B
5. B
6. C
7. B
8. B
9. A
10. E
PROBLEMS
1. a. When talking of the physical environment, the auditors are not just talking of the potential threat of physical intruders and sabotage, but also of environmental hazards such as fires, floods, wind, earthquakes, or power outages. Though these occurrences are relatively rare, they still should be accounted for, as they can seriously hamper operations. The company would not only lose the investment in the servers and computer systems but also the data and the ability to do business. As is evident, software checks cannot prevent such losses.
   b. These are the six control features that contribute directly to the security of the computer server environment:
      i. Physical Location: The physical location of the computer center affects the risk of disaster directly. The computer center should be as far as possible from human-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults.
      ii. Construction: Ideally, a computer center should be located in a single-story building of solid concrete with controlled access. Utility and communication lines should be underground. The building windows should not open. An air filtration system should be in place that is capable of excluding dust, pollen, and dust mites.
      iii. Access: Access should be limited to operators and other employees who work there. Programmers and analysts who need access to correct program errors should be required to sign in and out. The computer center should maintain accurate records of all such events to verify access control. The main entrance to the computer center should be through a single door, though fire exits with alarms are important. Closed-circuit cameras with video recording are also highly advisable.
      iv. Air Conditioning: Mainframes and servers, as in the case with Avatar, have heavy processing volumes. These are designed to work at their optimal levels only within a narrow range of conditions, most importantly the temperature. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors and static electricity risks can be mitigated by proper use of air conditioning.
      v. Fire Suppression: major features should include:
         1. Automatic and manual alarms: Placed in strategic locations and connected to fire stations.
         2. Automatic fire extinguishing system: These should not be water sprinklers; use carbon dioxide or halon extinguishers. (Halon production has been phased out under the Montreal Protocol; current installations use clean-agent or inert-gas systems for the same purpose.)
         3. Manual fire extinguishers.
         4. Fire exits: Clearly marked and illuminated.
      vi. Fault Tolerance Controls: Commercially provided electrical power presents several problems that can disrupt the computer center's operations, including total power failures, brownouts, and power fluctuations, all of which could have severely detrimental effects on the server system. The company should look into surge protectors, generators, batteries, and voltage regulators.
2. Programmers should have limited access to computers, to include only testing and debugging activities.
   The computer operators' supervisor should have access to the computer room.
   The tasks of programming, operations, and control should be separated.
   Control totals, hash totals, and record counts should be implemented to ensure the authorization of data and to prevent data losses from going unnoticed or data from being improperly changed.
   The numerical sequence of shipping notices should be checked by the computer to report any missing numbers.
   Billing and cash collections should be separate from accounts receivable.
   The invoices should not be forwarded to the billing clerk; they should be forwarded to someone else, such as the mailroom clerk, to mail to the customers.
   The billing clerk should maintain a copy of the adding machine tapes to reconcile with the daily sales register.
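Review question 5 and the programmed controls in problem 2 (control totals, hash totals, record counts, sequence checks) describe application controls that are straightforward to implement. The Python below is an added example written for this page, not code from the solutions manual; it implements each of those controls over constructed data. Two details are assumptions because the manual names neither: the Luhn mod-10 algorithm is used as the check-digit scheme, and 60 hours is used as the payroll "predetermined normal limit".

```python
"""Programmed application controls from review question 5 and problem 2.

Added example for this page, not code from the solutions manual. All data
sets are constructed. Assumptions: the Luhn mod-10 check digit and a
60-hour payroll limit (the manual names neither).
"""
from decimal import Decimal


def check_digit_valid(account_number):
    """Luhn mod-10 test on a digit string; the rightmost digit is the check
    digit. Catches every single-digit keying error and all adjacent
    transpositions except 09 <-> 90."""
    cleaned = account_number.replace(" ", "")
    if len(cleaned) < 2 or not cleaned.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def batch_controls(records, amount_field, hash_field):
    """Three batch control figures: record count, financial control total,
    and a hash total over a non-financial field (here the vendor number)."""
    return {
        "record_count": len(records),
        "control_total": sum((Decimal(r[amount_field]) for r in records),
                             Decimal("0")),
        "hash_total": sum(int(r[hash_field]) for r in records),
    }


def reconcile_batches(source, posted, amount_field, hash_field):
    """Batch balancing: names of the control figures that disagree between
    the input batch and the postings (an empty list means the batch balances)."""
    expected = batch_controls(source, amount_field, hash_field)
    actual = batch_controls(posted, amount_field, hash_field)
    return sorted(name for name in expected if expected[name] != actual[name])


def limit_check(timecards, max_hours=60):
    """Employees whose reported hours exceed the predetermined normal limit."""
    return sorted(t["employee"] for t in timecards if t["hours"] > max_hours)


def sequence_gaps(numbers):
    """Missing numbers in a pre-numbered document sequence (shipping notices)."""
    present = set(numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


# Constructed data ---------------------------------------------------------
CASH_DISBURSEMENTS = [
    {"vendor": "100", "amount": "1250.00"},
    {"vendor": "200", "amount": "430.25"},
    {"vendor": "300", "amount": "99.75"},
]
# Postings with a transposed amount (430.25 -> 430.52) and a mis-keyed
# vendor number (300 -> 030): the record count agrees, the two totals do not.
AP_POSTINGS = [
    {"vendor": "100", "amount": "1250.00"},
    {"vendor": "200", "amount": "430.52"},
    {"vendor": "030", "amount": "99.75"},
]
TIMECARDS = [
    {"employee": "E1", "hours": 40},
    {"employee": "E2", "hours": 72},
    {"employee": "E3", "hours": 60},
]
SHIPPING_NOTICES = [1001, 1002, 1004, 1007, 1003, 1008]

if __name__ == "__main__":
    print(check_digit_valid("79927398713"), check_digit_valid("79927398714"))
    print(reconcile_batches(CASH_DISBURSEMENTS, AP_POSTINGS, "amount", "vendor"))
    print(limit_check(TIMECARDS))
    print(sequence_gaps(SHIPPING_NOTICES))
```

The constructed posting error shows why a hash total is kept alongside the financial total: a mis-keyed vendor number leaves the dollar total untouched and would pass a balance check on amounts alone. Amounts are handled as Decimal rather than float so that the control total is exact to the cent.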
3. a. hen setting s(ste#s standards in a distributed processing en'iron#ent)
discuss the pertinent "actors about,
1. Co#puter hard$are "actors that need to be considered include,
understanding the pri#ar( applications "or $hich the euip#ent $ill
be used.
the operating s(ste# "or each t(pe o" hard$are and $hether
appropriate so"t$are is a'ailable "or the desired applications.
"ile options such as hard dis% dri'es) Gip dri'e) "lopp( dis%ettes) or
C8-
-
8/10/2019 SM-15-new CHAPTER 15
29/41
Chapter 15 Page 1
and uploading in"or#ation) and technical speci"ications o"
co##unication protocol.
2. Controls considerations include,
clear) $ell-$ritten) tested docu#entation "or hard$are and so"t$are
adeuate #aintenance contracts) and so"t$are support
adeuate user training
adeuate securit( pro'isions "or "ile protection) e""ecti'e pass$ord
polic() appropriate database access authorit() bac%up procedures
"or internal record integrit() and o""-site storage procedures "or
disaster reco'er(
a. The benefits of having standardized hardware and software include:
cost savings from quantity discounts and multiple use of software licensing agreements.
technological growth capabilities such as network compatibility.
standardized and centralized system backup procedures for both hardware and software and provisions for facility sharing in the event of breakdowns.
improved standard operating procedures and software implementation through experience by a large user base with distributed knowledge.
b. The memorandum is likely to create the following concerns:
The memorandum suggests a lack of understanding of user needs that may inhibit their cooperation.
The new policy does not provide for an adequate transition period for converting existing department applications to the prescribed ones.
4. Compensating controls that Gustave most likely found include:
mandatory vacations for all employees.
joint operation by two or more operators.
rotation of operator duties.
adequate supervision of all EDP operations.
comparison of actual computer times to an average or norm.
investigation of all excess computer time (errors).
periodic comparison of program code to an archived copy.
use of a computer activity log.
5. a. The computer security weaknesses present at Hill Crest Corporation that made it possible for a disastrous data loss to occur include:
not housing the data-processing facility in a building constructed of fire-retardant materials, instead using one with exposed wooden beams and a wooden-shingled exterior.
the absence of a sprinkler (halon) system, a fire-suppression system under the raised floor, and fire doors.
an online system with infrequent (weekly) tape backups. Backups, with checkpoints and restarts, should be performed at least daily.
“Grandfather” and “Father” backup files should be retained at a secure off-site storage location.
data and programs should have been kept in a library separate from the data-processing room, with the library area constructed of fire-retardant materials.
lack of a written disaster recovery plan with arrangements in place to use an alternate off-site computer center in the event of a disaster or an extended service interruption. There was a phone list of DP personnel, but without assigned responsibilities as to actions to be taken when needed.
lack of complete systems documentation kept outside the data-processing area.
b. The components that should have been included in the disaster recovery plan at Hill Crest Corporation to ensure computer recovery within 2 hours include the following:
A written disaster recovery plan should be developed with review and approval by senior management, data-processing management, end-user management, and internal audit.
Backup data and programs, stored at an off-site location that will be quickly accessible in an emergency, should be provided.
The disaster recovery team should be organized. Select the disaster recovery manager, identify the tasks, segregate into teams, develop an organization chart for disaster procedures, match personnel to team skills and functions, and assign duties and responsibilities to each member.
The duties and responsibilities of the recovery team include:
obtaining use of a previously arranged alternate data-processing facility; activating the backup system and network.
retrieving backup data files and programs, restoring programs and data, processing critical applications, and reconstructing data entered into the system subsequent to the latest saved backup/restart point.
c. Factors, other than those included in the disaster recovery plan itself, that should be considered when formulating the plan include:
arranging business interruption insurance in addition to liability insurance.
ensuring that all systems and operations documentation is kept up to date and is easily accessible for use in case of a disaster.
performing a risk/cost analysis to determine the level of expense that may be justified to obtain reasonable, as opposed to certain, assurance that recovery can be accomplished in 2 hours.
6. Since the employee will have performed several highly incompatible tasks, this company needs to employ strong password access controls and constantly require their employees to change their passwords, especially since they have had the opportunity to either design or view authorization access tables. Further, strong controls over program maintenance, such as program modification reports, are also a necessity. The key is that when an employee transfers from one job to another, he/she should absolutely have no access to perform any functions in any of the previous positions.
7. SunGard separates its recovery services into three groups: high availability, systems recovery, and end-user recovery. Each contains specific services companies can utilize to ensure continuity under the most drastic situations. Together, the services support the most extensive disaster recovery plan.
The goal of high availability is to ensure the ongoing availability of information, to eliminate exposure to lost information, to reduce overall business risk, and to help ensure that the revenue stream will stay intact. Many companies rely on redundant storage to ensure the availability of information under uncertainty. If data is damaged or erased, the company can use the backup information to recover lost records and continue normal processing. The problem that exists is that many firms process and store files at the same location. This exposes backup files to the same risks as the information system. To remedy this problem SunGard offers a data mirroring system where data from a client's information system is sent directly to a SunGard location for backup and storage. Within minutes after a disaster occurs, clients can access up-to-date information that was lost or damaged.
System recovery focuses on recovering mainframe and/or distributed systems quickly and efficiently. To do this, SunGard provides specialized teams of up to 2,000 technicians working around the clock to get clients' systems running properly. These teams use a process called Silhouette OS to understand and repair individual systems. Silhouette OS automatically monitors each client's operating system environment, and regularly transmits a system profile to a repository at SunGard. The profile is created using the following information: operating system data, hardware configuration, storage devices, performance tuning parameters, networks, system boot files, and configuration files. The server can then be rebuilt any time in a reliable, repeatable manner at a SunGard site. This reduces recovery time and financial losses from downtime.
End-user recovery is dedicated to maintaining employee productivity until systems are repaired and functional. One technique used is to provide a disaster recovery center. These centers provide fully furnished workstations, high-speed Internet access, all necessary hardware and software, and communication devices for the clients' use. Each center is secure and maintains a backup power supply. Similar to the disaster recovery center is the mobile recovery. SunGard maintains a fleet of over 40 mobile recovery centers that provide the same benefits as the traditional recovery center, but can be brought directly to the client. The mobile centers provide workstations for up to 50 employees, and are guaranteed to be at the client's site within 4 hours of the disaster. Together, the disaster recovery center and the mobile center will reduce employee downtime during a disaster and minimize losses.
8. a. The role of each of the following in the establishment, maintenance, and evaluation of Micro Dynamics' system of internal control is as follows:
i. Management has the overall responsibility for protecting company assets and, therefore, for establishing, maintaining, and evaluating the internal control system.
ii. The audit committee's primary responsibility involves assisting the board of directors in carrying out its responsibilities as they relate to the organization's accounting policies, internal control, and financial reporting practices. The audit committee assists management and the board in fulfilling its fiduciary and accountability responsibilities, and helps maintain a direct line of communication between the board and the external and internal auditors.
iii. The external auditor reviews the organization's control structure, including the control environment, accounting systems, and control procedures, to assess the control risks for financial statement assertions. In addition, the external auditor would inform the company of any material weaknesses found during the review.
iv. The internal audit department performs both operational and financial audits to determine compliance with established policies and procedures, and reports its findings and recommendations to management or the audit committee for evaluation and corrective action. The internal audit department may also assist the external auditors with their review of the internal control system.
b. The responsibilities of the Micro Dynamics audit committee in the financial reporting process include:
obtaining assurance that the organization's control system is adequate and effective, to identify risk and exposure, and that the financial disclosures made by management reasonably reflect the financial position, results of operations, and changes in cash flow.
reviewing the progress of the audit and the final audit findings.
acting as a liaison between the auditors and the board of directors.
9. a. The internal auditor must have and maintain objectivity, which implies no subordination of judgment to another and arises from an independent mental attitude which views events on a factual basis without influence from feelings, prejudice, opinions, or interests.
b. The analysis is as follows:
i. The internal auditor's objectivity is not impaired by the preparation of policy statements on internal control. The preparation of policy statements to guide others in the development and implementation of internal controls is a responsibility of the internal audit staff.
ii. The internal auditor's objectivity is impaired. To maintain objectivity, the auditor should not perform operational assignments that are included as part of the independent evaluation and verification of a proper system of internal control. Separation of duties must be maintained.
iii. Objectivity is not impaired in the review of the budget for relevance and reasonableness if the internal auditor has no responsibility for establishing or implementing the budget. However, the review of variances and explanations would impair objectivity, as this is an area that would normally be reviewed during an operational audit.
iv. Objectivity is impaired to the extent that the internal auditor has been involved in the design and installation of internal accounting controls, as there will be little confidence in audit findings issued by the individual who designed and installed the system being audited.
v. The preparation of accounting records will materially impair the internal auditor's objectivity by involving the auditor in day-to-day operations.
c. The director of internal audit reports directly to the corporate controller.
i. This reporting relationship adversely affects the objectivity of the internal audit department. The corporate controller is responsible for the accounting system and related operational transactions. The internal audit staff is responsible for the independent and objective review and examination of the accounting system and related operational transactions. Independence and objectivity may not exist because the internal audit staff is responsible for reviewing the work of the corporate controller, the person to whom it reports.
ii. No, the responses for requirement (b) would not be affected by the internal audit staff reporting to an audit committee rather than the corporate controller. In order to maintain objectivity, the internal audit staff should refrain from performing non-audit functions such as management decision making, design and installation of systems, record keeping, operational duties, etc.
10. a. This company needs to make sure that the following items are included in their LAN and PC design.
i. Data encryption techniques for the sending of sensitive data from one file to another over the LAN.
ii. Access controls for files on the LAN file server.
iii. Access controls for data on hard drives of the personal computers.
iv. Backup policy and procedures for data on the file server and the PCs.
v. Software support policy.
vi. Virus protection for the LAN and for the PCs.
vii. Output policy regarding which documents may be printed on the server printer.
b. " the "ollo$ing controls are not i#ple#ented) the "ollo$ing e+posures #a(
sur"ace,
i. sensiti'e "iles #a( be intercepted as the( are tra'eling around the ?A!
cabling de'ices.
ii. unauthori6ed access to sensiti'e "iles on the "ile ser'er and user PCs.
iii. data loss "ro# poor bac%up.
-
8/10/2019 SM-15-new CHAPTER 15
39/41
Chapter 15 Page 1
i'. inco#patible "ile "or#ats bet$een $or%ers.
'. data loss "ro# 'iruses.
'i. pass$ords stolen "ro# tro&an horse de'ices.
'ii. sensiti'e printouts being printed on a co##on printer.
11. Internal Control Responsibility for Outsourced IT
Management may outsource their organization's IT functions, but they cannot outsource their management responsibilities under SOX for ensuring adequate IT internal controls. The PCAOB specifically states in its Auditing Standard No. 2, “The use of a service organization does not reduce management's responsibility to maintain effective internal control over financial reporting.”
This premise, however, ignores an important distinction between commodity and specific IT assets.
Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions. Specific IT assets, in contrast, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside of their current use. Such assets may be tangible (computer equipment), intellectual (computer programs), or human. Examples of specific assets include systems development, application maintenance, data warehousing, and highly-skilled employees trained to use organization-specific software.
Transaction Cost Economics (TCE) theory is in conflict with the core competency school by suggesting that firms should retain certain specific non-core IT assets in house. Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement. Therefore, if the organization should decide to cancel its outsourcing contract with the vendor, it may not be able to return to its pre-outsource state. On the other hand, TCE theory supports the outsourcing of commodity assets, which are easily replaced or obtained from alternative vendors.
Naturally, a CEO's perception of what constitutes commodity IT assets plays an important role in IT outsourcing decisions. Often this comes down to a matter of definition and interpretation. For example, most CEOs would define their IT function as a non-core commodity, unless they are in the business of developing and selling IT applications. Consequently, a belief that all IT can, and should, be managed by large service organizations tends to prevail. Such misperception reflects, in part, both lack of executive education and dissemination of faulty information regarding the virtues and limitations of IT outsourcing.