Auditing Utility (On-Demand) and Service Organization Applications

Utility Computing: Auditing a Disruptive Innovation
Practicum: Evaluating a Prospective Audit Client – Ocean Manufacturing

Schedule

| Week      | Topic                                                                   | Readings       | Practicum                                                              |
|-----------|-------------------------------------------------------------------------|----------------|------------------------------------------------------------------------|
| 12-Sep-05 | Identifying Computer Systems                                            | Chapter 2      | Evaluating IT Benefits and Risks: Jacksonville Jaguars                 |
| 19-Sep-05 | IS Audit Programs                                                       | Chapter 3      | The Job of the Staff Auditor: A Day in the Life of Brent Dorsey        |
| 26-Sep-05 | IS Security                                                             | Chapter 4      | Recognizing Fraud: The Anonymous Caller                                |
| 3-Oct-05  | Utility Computing and IS Service Organizations                          | Chapter 5      | Evaluating a Prospective Audit Client: Ocean Manufacturing             |
| 10-Oct-05 | Physical Security                                                       | Chapter 6      | Inherent Risk and Control Risk: Comptronix Corporation                 |
| 17-Oct-05 | Logical Security                                                        | Chapters 7 & 8 | Evaluating the Internal Control Environment: Easy Clean                |
| 24-Oct-05 | IS Operations                                                           | Chapter 9      | Fraud Risk and the Internal Control Environment: Cendant Corporation   |
| 31-Oct-05 | Controls Assessment                                                     | Chapter 10     | IT-based vs. Manual Accounting Systems: St James Clothiers             |
| 7-Nov-05  | Encryption and Cryptography                                             | Chapter 11     | Materiality / Tolerable Misstatement: Dell Computer                    |
| 14-Nov-05 | Computer Forensics                                                      | Chapter 12     | Analytical Procedures as Substantive Tests: Burlington Bees            |
| 21-Nov-05 | New Challenges from the Internet: Privacy, Piracy, Viruses and so forth | Chapter 13     | Information Systems and Audit Evidence: Henrico Retail                 |
| 28-Nov-05 | Auditing and Future Technologies                                        | Chapter 16     | Flowcharting Transaction Cycles: Southeast Shoe Distributor            |

Old and New
- Service organizations like EDS are in the business of running IS shops; only the transactions are handled by the client.
- They are being replaced by utility computing, which is an outgrowth of software vending business models, particularly those of Oracle, SAP and Salesforce.com.

What is Utility Computing?
Utility-based computing provides a mix of the following businesses:
- Storage and server virtualization: software that can contribute to higher utilization of IT resources.
- Automated infrastructure provisioning: software capable of improving the manageability of the data center while eliminating many manual and error-prone procedures and saving costs.
- Grid tools: software capable of providing geographically distributed processing for a range of compute-intensive applications.
- Blade servers: a server packaging concept that emphasizes lower space and power requirements while promising greater manageability in conjunction with automated infrastructure provisioning software.
- IT and systems management software: software that contributes to greater manageability of utility-based computing technologies and provides for metering and billing of IT resources for the purpose of chargeback.
- Business applications on demand: the delivery of preconfigured business applications from a remote location over an IP network on a subscription-based outsourcing contract.
- IT and business service providers: providers of IT and business services that offer their solutions on a pay-as-you-go basis, including not only providers of IT services such as outsourcing and web hosting, but also emerging providers of business process outsourcing services.

Why do firms choose Utility Computing?
- Utility computing offers greater flexibility in the creation of computing environments when they are needed.
- It opens up usage-based pricing and reduces the user's need for capital.
- It allows an organization to harness latent computing power and resources, regardless of application or other physical or organizational boundaries.
- It allows an organization to virtually repurpose operating systems, application mix, processing power and storage to the immediate needs of the corporation, to meet new demand or to rapidly create computing environments for projects.

When to Use Utility Computing
Utility computing should be used:
- to bypass IT when it stands in the way of the business, for any number of reasons;
- as a temporary innovation fix when functionality is not available from a large suite vendor;
- when the underlying process is outsourced, as with call center support applications.
Utility computing should not be used:
- for transaction-intensive applications such as a warehouse management system;
- when data is exceptionally sensitive;
- when on-demand service providers do not have the deep functionality, or do not provide the level of customization, required.

Pervasiveness of Utility Computing
- Recent moves like Oracle's acquisition of Siebel and the growing popularity of software-as-a-service vendors like Salesforce.com are indicators that the software industry is tilting toward an on-demand future.
- Still, on-demand services are likely to account for less than 10 percent of business application use through 2010 (Gartner).
- The reason: the on-demand model is not suitable for complex business uses like logistics support and order handling, nor for large complex companies requiring business process support.
- But the "complexity constraint bar" will rise over time, since on-demand vendors can add functionality easily.

Consequences: License Fees
- Previously, hardware and software were purchased, and budgeted for, in large, predictable chunks.
- For software licensing, the most common models have been a fixed fee according to the processing power of the machine or machines being used, or a fixed fee according to the number of users (or seats) accessing the software.
- With utility computing, processing power is purchased and paid for according to demand.
- The emergence of the service-oriented architecture (SOA) and the development of virtualised computing have introduced the notion of almost complete flexibility in which systems or services are used.
- That creates all kinds of problems. If something is not used, customers increasingly do not expect to be charged for it. But if something is used, how is it measured? And what if resources are allocated on a provisional basis but not used?
- The provider's usage metering thus becomes the source of the expense figures the customer books, so the accuracy and completeness of that metering is itself an audit concern.

Consequences: Control of Data and Programs
- Copies of data reside outside the organization:
  - accounting transactions (fraud, loss, alteration);
  - personnel and customer records (privacy, theft).
- Operation of programs may be less well understood, since there are no in-house experts.
- This may lead to more audit exceptions.

Example: Salesforce.com
- Salesforce.com's products fall into a broad category of software called customer relationship management, or CRM. They help companies manage all sorts of customer relations, such as letting salespeople keep track of leads or helping executives judge the success of marketing campaigns.
- Salesforce.com allows customers and software makers to turn it into a platform for others to build upon, much like Microsoft Corp.'s (MSFT) Windows.
- Last month it introduced AppExchange, an online marketplace where software makers and customers can swap and sell applications they develop. The concept: an eBay of corporate software. It could eventually change the structure of the industry.
- Software over the Web, commonly called on-demand, accounted for less than 10% of the $46 billion in corporate software sold last year.
- Creating an open marketplace for on-demand software will help cause the decline of the big, complex and expensive corporate applications sold by the likes of SAP (SAP) and Oracle Corp. (ORCL).

Example: Oracle
- Oracle is promoting "grid systems": the grid is treated as a utility, like electricity.
- It is one of the various approaches to on-demand computing: pool storage and other resources across the whole network so that complex programs can harness huge amounts of power, and applications can draw on resources from anywhere on the system as they need them.

Example: Oracle (continued)
Oracle picks out various trends that it believes make grids "unstoppable":
- Blades: low-cost computing blades can be assembled into "blade farms" that can then be interconnected, for scalable commodity computing clusters costing up to 80% less than conventional systems.
- Linux: Oracle is firmly behind Linux as an enterprise system and claims that blades enable Linux, with all its cost advantages, to play in grids. Linux's main disadvantage is that it does not scale far in symmetric multiprocessing environments, but it can work efficiently on blades, which typically have only two to four processors each, thus making it suitable for mass computing.
- Virtualization: virtualization techniques, especially in storage, make the grid a reality by creating "virtual" servers and storage farms regardless of where the resources are physically located.
- Standards: as well as Globus, which drives grid developments in their original academic home, there is now the Grid Computing Forum, a formal standards body.

Example: Oracle (continued)
Enterprises implement grids in three stages:
1. Scavenging resources: attractive because it involves reclaiming unused resources to carry out computing tasks, for instance PCs lying idle at night.
2. Sharing resources: with a shared grid, applications and data are moved around to use any available resources on the grid, with schedulers assigning tasks. As with scavenging grids, the appeal is that existing resources are used more efficiently, so investment in new technology is minimal.
3. Dedicating resources: resource sharing is not always practical because of administrative, political, trust and bandwidth constraints. Instead, organizations can dedicate resources to grid computing rather than incorporating all existing systems in a grid structure.

Audit Challenges of Utility Computing
- Data, software and hardware are held by a third party:
  - auditors do not have unrestricted access;
  - they need to rely on the third party's auditor reports, which probably will not address control over your company's transactions directly.
- Asset ownership / security problems: should a company run into claims concerning ownership of data (journalists' reports, patents, etc.), the existence of records at a third-party site may cause problems.

Audit Challenges of Utility Computing (continued)
- Audit control over transactions may be inadvertently weakened, because:
  - utility software is not customized for the audit client's business, and
  - end users may be more likely to make errors with software that they do not fully understand and control.

"Service Organization" Audits
- Service organizations engage independent external auditors (under SAS 70 "Service Organizations" in the US; Section 5900 in Canada; AGS in Australia; FIT 1&2/94 in the UK) to express one of two types of opinion on the adequacy of internal control:
  (1) "relevant policies and procedures were in place at some date";
  (2) item (1) plus "they are in fact operating effectively".
- A type (2) opinion requires more work from the service auditor, since operating effectiveness has to be tested rather than merely described; conversely, if only a type (1) opinion is available, the user firm's auditor has more work to do.
- But both are very weak requirements, and they place the burden on the auditor of the user firm.

Service Audit Report Contents
- Report of independent auditors
- Description of relevant policies and procedures:
  - operations (org chart)
  - control environment
  - transaction flow (with flowcharts)
  - applications
  - program maintenance / change procedures
  - regulatory compliance
- Control objectives set by service organization management
- Client control considerations

Ocean Manufacturing, Inc.: The New-Client Acceptance Decision
- Understand the types of information relevant to evaluating a prospective audit client.
- List some of the steps an auditor should take in deciding whether to accept a prospective client.
- Identify and evaluate factors important in the decision to accept or reject a prospective client.
- Understand the process of making and justifying a recommendation regarding client acceptance.

Case Study 5.2: Significant Risk with Service Organization Application
Read pp. 61-64, the review of the audit report of the service organization.
Questions:
(1) What transaction flows and assets are affected by
  (a) the flaws in the "old" password system?
  (b) the flaws in the hierarchical security levels?
(2) What is the expected financial risk (loss or misstatement of accounts) from each of these flaws?

Case Study 5.3: A Qualified Opinion: ATM Network Service Organization
Read pp. 66-67.
Questions:
(1) What should the internal auditors of your client conclude from this opinion?
  (a) That significant control weaknesses at the service organization would affect the internal control environment at their own (your client's) firm?
  (b) That alternative tests (i.e., extensive testing of internal ATM procedures) were performed to substitute for the lack of a description of the firm's control objectives and procedures?
(2) What is the expected financial risk (loss or misstatement of accounts) from each of the reported weaknesses?

Case Study 5.4: A Qualified Opinion: Credit Card Service Organization
Read pp. 67-71.
Questions:
(1) What should the internal auditors of your client conclude from this opinion?
  (a) That significant control weaknesses at the service organization would affect the internal control environment at their own (your client's) firm?
  (b) That alternative tests (i.e., extensive testing of the client's own internal procedures) were performed to substitute for the lack of a description of the firm's control objectives and procedures?
(2) What is the expected financial risk (loss or misstatement of accounts) from each of the reported weaknesses?

Control Objectives
- Read through Exhibit 5.1.
- How do you think management came up with this list?
- How might you decide whether these "Control Objectives" are adequate?

How to Determine Appropriate "Control Objectives"
Your toolkit: Computer Inventory, Risk Assessment Matrix, Dataflow Diagrams and Systems Components Hierarchy.

Asset (Ex. 2.1):
  Primary OS: Win XP
  Owner: Receiving Dock
  Application: A/P
  Asset Value ($000,000 to Owner)*: 0.002
  Transaction Flow Description: RM Received from Vendor
  Total Annual Transaction Value Flow managed by Asset ($000,000)*: 23

Risk Assessment (Ex. 2.2 with improvements) for that asset:

| Risk Description          | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss ($) |
|---------------------------|----------------------------------------|-------------------------------|-------------------|
| Theft                     | 100                                    | 10000                         |                   |
| Obsolescence and spoilage | 35                                     | 350                           | 12250             |

Expected Loss = Probability of Occurrence × Cost of single occurrence (for spoilage, 35 × 350 = 12,250).
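As an added example (not part of the original slides or of the course's own materials), the following Python scores a matrix of this kind. It takes the exhibit's receiving-dock row as given, adds a constructed row for a transaction flow handled by a service organization, computes expected loss as probability of occurrence times cost per occurrence, ranks the risks, totals them per asset, and flags the rows a reviewer should query before the matrix is used to choose control objectives: rows with a missing factor, rows whose expected loss exceeds the annual value of the flow (usually a units error, since the exhibit quotes flow values in $000,000 but costs in $), and rows whose expected loss exceeds the value of the asset itself, where the exposure is the transaction flow rather than the hardware. The service-organization asset, its three risks and all their figures are assumptions made for this example.

```python
# Added example (not from the original slides): scoring a risk assessment matrix
# in the style of Exhibits 2.1/2.2. Expected loss per risk is
# Probability of Occurrence (# per year) x Cost of a single occurrence ($).
from dataclasses import dataclass
from typing import Optional

MILLION = 1_000_000  # the exhibit quotes asset and flow values in $000,000


@dataclass(frozen=True)
class Risk:
    description: str
    occurrences_per_year: Optional[float]  # Probability of Occurrence (# per year)
    cost_per_occurrence: Optional[float]   # Cost of single occurrence ($)

    def expected_loss(self) -> Optional[float]:
        """Expected annual loss; None when either factor is missing from the matrix."""
        if self.occurrences_per_year is None or self.cost_per_occurrence is None:
            return None
        return self.occurrences_per_year * self.cost_per_occurrence


@dataclass(frozen=True)
class Asset:
    primary_os: str
    owner: str
    application: str
    asset_value_musd: float   # Asset Value ($000,000 to Owner)
    transaction_flow: str     # Transaction Flow Description
    annual_flow_musd: float   # Total Annual Transaction Value Flow managed by Asset ($000,000)
    risks: tuple


def rank_risks(assets):
    """(asset, risk, expected_loss) for every scorable row, largest loss first."""
    rows = [(a, r, r.expected_loss()) for a in assets for r in a.risks
            if r.expected_loss() is not None]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def total_expected_loss(asset):
    """Sum of expected losses over the asset's scorable risks (unscorable rows count as 0)."""
    return sum(r.expected_loss() or 0 for r in asset.risks)


def review_findings(assets):
    """Rows a reviewer should query before the matrix is used to set control objectives."""
    findings = []
    for a in assets:
        flow_dollars = a.annual_flow_musd * MILLION
        asset_dollars = a.asset_value_musd * MILLION
        for r in a.risks:
            loss = r.expected_loss()
            if loss is None:
                findings.append((r.description, "incomplete row: cannot be scored"))
            elif loss > flow_dollars:
                findings.append((r.description, "expected loss exceeds annual value of the flow: check units"))
            elif loss > asset_dollars:
                findings.append((r.description, "exposure is driven by the transaction flow, not the asset"))
    return findings


# Row taken from Exhibit 2.2 on the slide: a Win XP PC at the receiving dock.
RECEIVING = Asset(
    primary_os="Win XP", owner="Receiving Dock", application="A/P",
    asset_value_musd=0.002, transaction_flow="RM Received from Vendor", annual_flow_musd=23,
    risks=(
        Risk("Theft", 100, 10_000),
        Risk("Obsolescence and spoilage", 35, 350),  # 35 x 350 = 12,250 as on the slide
    ),
)

# Constructed row (an assumption, not on the slide): a flow processed by a service organization.
HOSTED_AR = Asset(
    primary_os="Hosted by service organization", owner="Treasury", application="A/R",
    asset_value_musd=0.5, transaction_flow="Customer remittances posted by service organization",
    annual_flow_musd=40,
    risks=(
        Risk("Unauthorized alteration of posted remittances", 2, 75_000),
        Risk("Duplicate posting of remittances", 400, 250_000),  # constructed units error: cost keyed in $000
        Risk("Loss of remittance records at service organization", None, 500_000),  # probability not estimated
    ),
)

ASSETS = (RECEIVING, HOSTED_AR)

if __name__ == "__main__":
    for a, r, loss in rank_risks(ASSETS):
        print(f"{loss:>14,.0f}  {a.transaction_flow}: {r.description}")
    for a in ASSETS:
        print(f"Total expected loss, {a.transaction_flow}: {total_expected_loss(a):,.0f}")
    for description, note in review_findings(ASSETS):
        print(f"REVIEW  {description}: {note}")
```

The review findings are the useful output: for the exhibit's own row both risks exceed the $2,000 value of the PC, which is the exhibit's point that control objectives must follow the $23M flow of received materials rather than the box that records it; the constructed duplicate-posting row shows how a single units slip in a cost column can dominate the ranking, and the row with no probability estimate is kept visible instead of silently scoring as zero.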

Alternatives to SAS 70 Type Audits
- An increasing number of corporate functions are handled on the Internet by small application providers or web hosting companies that cannot afford SAS 70 audit compliance.
- These problems are diminished by the use of third-party certification services, e.g., Cybertrust (from the merger of Ubizen / Betrusted and TruSecure in Nov 2004).
- These services generally are much more effective at assuring security over service organization operations than SAS 70 audits could ever hope to be.
- Note, however, that such a certification speaks to the provider's security posture, not to the processing of your client's transactions, so the reliance question raised under audit challenges above remains for the user auditor.

Cybertrust
- Large privately held security firm certifying web service providers; 4,000 customers.
- Main role: provide clients (i.e., service operators) with intelligence, technology and expertise to track threats, find security gaps, improve protection and enhance procedures.
- Areas of focus:
  - identity management
  - threat management
  - vulnerability management
  - compliance management

Cybertrust Services
- secure access to mission-critical information assets
- manage digital identities
- detect and prevent security threats and vulnerabilities
- improve security policies and infrastructures
- predict, prioritize and help organizations better adapt to risks
- assess security management needs
- institute metrics, baselines and guidelines necessary to help quantify enterprise security productivity