Chapter 11

Information Systems
Operations

LEARNING OBJECTIVES
1. Describe the importance of policies and procedures regarding information systems operations for both the organization and auditors.
2. Explain how data processing and output controls play a significant role in the completeness, accuracy, and validity of information.
3. Discuss guidelines and controls to protect data files and programs.
4. Discuss controls and procedures related to physical security and access.
5. Discuss controls and procedures related to environmental controls.
6. Discuss controls and procedures regarding storage and archival of information.
7. Describe what a business continuity plan is and its significance to the organization.
8. Explain what a disaster recovery plan is and its components. Discuss objectives and procedures when auditing such a plan.
9. Describe the importance of end-user computing groups and the steps performed when auditing such groups.
10. Describe the audit involvement in an information systems operations examination.

Within an IT environment, controls related to information systems (IS) operations provide a structure for the day-to-day management of operations and maintenance of existing systems. IS operations is also one of the three major general computer control areas used to assess an organization's policies and procedures over application systems, so that the application controls built into those systems can function effectively. Examples of general controls within IS operations include job monitoring and the tracking of exceptions to completion, access to the job scheduler, and data backups with off-site storage, among others.
This chapter presents an overview of IS operations as a relevant component of the IT infrastructure. Key objectives and controls assessed by both organizations and IT auditors (consistent with Appendix 3 from Chapter 3) relate to:

292 ◾ Information Technology Control and Audit

◾◾ Operating policies and procedures
◾◾ Data processing
◾◾ Protection of data files and programs
◾◾ Physical security and access controls
◾◾ Environmental controls
◾◾ Program and data backups
◾◾ Business continuity plan
◾◾ Disaster recovery plan

The chapter discusses the aforementioned, and provides sample objectives and control activities
the IT auditor should focus on when examining IS operations. The chapter also describes end-user
computing (EUC) groups, and provides guidelines when auditing such groups. Lastly, IT audit
involvement and procedures are described when examining IS operations.

Operating Policy and Procedures


Every IT environment should have specific policies and procedures in place covering IS operations
to ensure that, at a minimum:

◾◾ IS operations support the scheduling, execution, monitoring, and continuity of IT programs.
◾◾ IS operations promote the complete, accurate, and valid processing and recording of business transactions.
◾◾ Existing facilities protect the integrity of business information.
◾◾ IS operations are adequate to safeguard the storage of data files and programs.

Managers should regard the creation, review, and update of operating policies and procedures as a highly important control. These policies and procedures should be reviewed and updated periodically, and each review should include observing actual execution to determine whether the documented policies and procedures are being followed in day-to-day IS operations.
A common audit objective when assessing policies and procedures is that the organization provides standards for preparing documentation and ensures that such documentation is maintained. The IT operations manager must set documentation standards so that when employees change jobs, become ill, or leave the organization, replacement personnel can adequately perform the tasks of that employee. The IT operations manager must also periodically test the documentation for clarity, completeness, appropriateness, and accuracy.
Processes and procedures related to an organization's IS operations should be documented in the form of an organizational policy. Appendix 7 illustrates an example of an IS operations policy.

Data Processing
An example of data processing, specifically financial data processing, is the daily posting of accounting journal entries to the organization's general ledger. The processing (or posting) of these journal entries typically starts with an unposted, approved batch of journal entries that is scheduled to run at night, or during off-peak hours. If processed successfully, the status of the journal entry batch is changed to indicate that the journal entries have been posted; in other words, the journal entries have updated the general ledger. If, on the contrary, errors were identified that prevented successful posting of the entries, reports should be generated detailing these errors or exceptions. Effective data processing controls detect these as they occur and should prompt IS operators for correction and resolution.
As seen, data processing controls play interdependent roles in the completeness, accuracy, and validity of information. If one of these controls is not functioning properly, or an unauthorized intervention overrides complementary control processes, the data processing system becomes vulnerable.
These controls can be oriented toward prevention, detection, or correction of errors and abuse.
Preventive controls ensure that events proceed as intended. Detective controls signal an alert or
terminate a function and stop further processing when the system is violated or an error occurs.
Corrective controls may perform an alert or terminate a function, but they also restore or repair
part of the system to its proper state.
Errors in data processing usually relate to job scheduling and to the actual monitoring of job processing. In fact, an important element of any set of policies and procedures should be the requirement that IS operators maintain logs on which any unusual events or failures resulting from the processing of data are recorded, with the time of occurrence and in detail. These logs can be used to identify unfavorable trends, detect unauthorized access, and provide a data source for determining the root cause of system failures. Further, to address unusual events, failures, or errors, managers should ask the following key questions:

1. Are there appropriate controls configured to reduce data processing errors and maintain the integrity of data processed?
2. Is there an automated tool used to execute regularly scheduled jobs related to applications, databases, and operating systems, such as scheduled interfaces of data, data purges, table updates, etc.?
3. What are the types of jobs scheduled?
4. How are changes, such as adding, modifying, and deleting jobs and schedules, made, and who can make those changes?
5. Does the system use processing checks to detect errors or erroneous data during data processing? If so, which checks?
6. What is the process used to monitor the successful completion of job processing?
7. How does the monitoring and review process ensure that exceptions or failures identified during job processing are resolved in a timely manner?
8. Are techniques available for detecting erroneous reprocessing of data?
9. Who is responsible for the review and exception tracking of erroneous reprocessing of data?
10. Which reports are reviewed, and what notification systems and mechanisms are currently in place?
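
To make the preventive, detective, and corrective roles concrete, the following added example (illustration written for this chapter, not code from the book) models the nightly journal-entry posting described above: an approved, unposted batch is validated, posted to an in-memory ledger, and every exception is written to an operator log with its time and detail. It also shows the reprocessing guard that question 8 asks about, since an already-posted batch submitted again is refused and logged rather than posted twice. The chart of accounts, batch contents, and status names are assumptions made for the example.

```python
"""Nightly journal-entry posting with preventive, detective and corrective controls.

Added example, not code from the book. Accounts, batches and status names are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed chart of accounts; anything else is an invalid posting target.
VALID_ACCOUNTS = {"1000", "2000", "4000", "5000"}


@dataclass
class JournalLine:
    account: str
    debit: float = 0.0
    credit: float = 0.0


@dataclass
class Batch:
    batch_id: str
    approved: bool
    lines: list
    status: str = "UNPOSTED"  # UNPOSTED -> POSTED or ERROR


@dataclass
class ExceptionLog:
    """Operator log: every unusual event recorded with time and detail."""
    entries: list = field(default_factory=list)

    def record(self, batch_id, code, detail):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "batch": batch_id, "code": code, "detail": detail, "resolved": False,
        })


def validate(batch):
    """Detective control: return a list of (code, detail) problems; empty means clean."""
    problems = []
    if not batch.approved:
        problems.append(("UNAPPROVED", "batch has no recorded approval"))
    debits = round(sum(l.debit for l in batch.lines), 2)
    credits = round(sum(l.credit for l in batch.lines), 2)
    if debits != credits:
        problems.append(("UNBALANCED", f"debits {debits} != credits {credits}"))
    for i, line in enumerate(batch.lines):
        if line.account not in VALID_ACCOUNTS:
            problems.append(("BAD_ACCOUNT", f"line {i}: unknown account {line.account}"))
        if line.debit < 0 or line.credit < 0 or (line.debit and line.credit):
            problems.append(("BAD_AMOUNT", f"line {i}: a line must carry one positive side only"))
    return problems


def post_batch(batch, ledger, log):
    """Post one batch. Preventive: only UNPOSTED batches are eligible (blocks reprocessing).
    Detective: validation failures halt the batch. Corrective: a failed update is rolled back."""
    if batch.status != "UNPOSTED":
        log.record(batch.batch_id, "REPROCESS", f"batch already {batch.status}; not re-posted")
        return "SKIPPED"
    problems = validate(batch)
    if problems:
        for code, detail in problems:
            log.record(batch.batch_id, code, detail)
        batch.status = "ERROR"
        return batch.status
    snapshot = dict(ledger)
    try:
        for line in batch.lines:
            ledger[line.account] = round(ledger.get(line.account, 0.0) + line.debit - line.credit, 2)
    except Exception as exc:  # corrective: restore the ledger to its prior state
        ledger.clear()
        ledger.update(snapshot)
        log.record(batch.batch_id, "POST_FAILED", repr(exc))
        batch.status = "ERROR"
        return batch.status
    batch.status = "POSTED"
    return batch.status


def run_nightly(batches, ledger, log):
    """Scheduler entry point: process every batch and return a completion report
    the morning operator can review against the exception log."""
    report = {"POSTED": [], "ERROR": [], "SKIPPED": []}
    for batch in batches:
        report[post_batch(batch, ledger, log)].append(batch.batch_id)
    return report


def open_exceptions(log):
    """Exceptions still awaiting correction and resolution."""
    return [e for e in log.entries if not e["resolved"]]
```

The `run_nightly` report and `open_exceptions` list are the two artifacts an operator would review each morning: one says what the scheduler did, the other says what still needs a human decision.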

Controls that follow data processing and that are also critical in ensuring the accuracy, completeness, and delivery of information are called output controls.
In today's automated environment, most output is posted online or printed and processed by machines. It is important to have completeness and accuracy controls from the time the output is processed until it is posted online or delivered. In addition, security, confidentiality, and privacy need to be maintained from the time the output is created until it is delivered to the appropriate party. Whether the output of information processing is displayed online or on paper, traditional output controls are needed to ensure the accuracy and completeness of the information. Output controls include balancing and completeness checks, for instance, to confirm that the expected number of pages is created for online posting or paper printing. This can be accomplished by creating a page total before and after posting or printing the output and comparing the two. Accuracy can be confirmed by selecting key data fields for comparison before and after output processing. The output controls should also be able to detect where information is missing: a page count alone cannot locate the problem when thousands of pages are printed and there is no way to determine at which point the failure occurred. In addition, a process needs to be in place to recreate all or a subset of documents where output errors are discovered. Additional controls are needed for sensitive information (e.g., checks, customer lists, trade secrets, payroll data, proprietary data, etc.), as the original documents may need to be destroyed and this must be carefully controlled so that the destruction of such sensitive information can be verified.
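
The following added example (written for this chapter, not code from the book) implements the output controls just described for a paginated report: a page total and a key-field digest are recorded before output, the delivered pages are compared with that control record afterward, and the result names the exact pages that are missing, duplicated, or altered so that only those need to be recreated. The record layout (a document id and an amount as the key fields) and the page size are assumptions.

```python
"""Output controls for a printed or posted report: page totals before and after output,
key-field comparison, and locating the pages that must be recreated.

Added example, not code from the book. The report records and the page size are constructed.
"""
import hashlib


def _digest(records):
    """Digest of the key fields (document id and amount) in record order."""
    h = hashlib.sha256()
    for r in records:
        h.update(f"{r['id']}|{r['amount']:.2f}\n".encode())
    return h.hexdigest()


def build_output(records, lines_per_page):
    """Paginate the records. Returns (pages, control_record): pages carry a sequence number,
    the control record holds the 'before' page total and a key-field digest per page."""
    pages = []
    for start in range(0, len(records), lines_per_page):
        chunk = records[start:start + lines_per_page]
        pages.append({"page": len(pages) + 1, "records": chunk})
    control = {
        "page_total": len(pages),
        "record_total": len(records),
        "page_digests": {p["page"]: _digest(p["records"]) for p in pages},
    }
    return pages, control


def reconcile_output(delivered_pages, control):
    """'After' check: compare the delivered pages with the control record and say exactly
    which pages are missing, duplicated or altered rather than only that the count is off."""
    seen = {}
    for p in delivered_pages:
        seen.setdefault(p["page"], []).append(_digest(p["records"]))
    expected = control["page_digests"]
    missing = sorted(n for n in expected if n not in seen)
    duplicated = sorted(n for n, d in seen.items() if len(d) > 1)
    altered = sorted(n for n, d in seen.items() if n in expected and any(x != expected[n] for x in d))
    unexpected = sorted(n for n in seen if n not in expected)
    return {
        "page_total_ok": len(delivered_pages) == control["page_total"],
        "missing": missing,
        "duplicated": duplicated,
        "altered": altered,
        "unexpected": unexpected,
        "complete_and_accurate": not (missing or duplicated or altered or unexpected),
    }


def pages_to_recreate(findings):
    """Subset of the output that must be regenerated (and, for sensitive output such as
    checks, whose originals must be destroyed under control): missing plus altered pages."""
    return sorted(set(findings["missing"]) | set(findings["altered"]))


# Constructed sample: seven payment records, three per page -> three pages.
SAMPLE_RECORDS = [{"id": f"CHK-{n:04d}", "amount": 100.0 * n} for n in range(1, 8)]
```

Because each page carries its own digest, the reconciliation still pinpoints the failure when the page count happens to match (for example, a page dropped and another duplicated), which a bare before/after page total would miss.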
In an IT audit, a common objective within this area would be to determine whether IS operations support the adequate scheduling, execution, monitoring, and continuity of systems, programs, and processes to ensure the complete, accurate, and valid processing and recording of financial transactions. Some of the control activities the IT auditor can evaluate would relate to whether (1) batch and/or online processing has been defined, executed on time, and monitored for successful completion, and whether (2) exceptions identified in batch and/or online processing are reviewed and corrected in a timely manner to ensure accurate, complete, and authorized processing of the financial information. Addressing these helps ensure that data is validly processed, and that any exceptions noted while processing have been detected and corrected.

Protection of Data Files and Programs


Each IT environment should have a data library that controls access to data files, programs, and documentation. An important data library control centers on assurance that all file media are clearly and accurately labeled. That is, external labels should be affixed to or marked upon the data media themselves. On tape cartridges and disk packs, pressure-sensitive labels are usually affixed to identify both the volume and the file content. Procedures should be in place to assure that all labels are current and that all information they contain is accurate.
The data library should assure that only authorized persons receive files, programs, or documents, and that these persons acknowledge their responsibility at the time of each issuance. Each time a file is removed for processing, controls over data files should assure that a new file is generated and returned to the library. If appropriate to the backup system in place, both the issued and the new file should be returned together, with the prior version serving as backup.
Control is enhanced by maintaining an inventory of file media within the data library. In other words, an inventory record should exist for each tape cartridge or disk pack. The record should note any utilization or activity. After a given number of uses, the file medium or device is cleaned and recertified. Further, if any troubles are encountered in reading from or writing to the device, maintenance steps are taken and noted.
Ideally, a full-time person independent of IS operations will be assigned as the data librarian. In smaller IT environments, however, such an assignment might not be economically feasible. When an environment cannot afford a full-time data librarian, this custodial duty should still be segregated from operations. That is, for adequacy of control, the function of librarian should be assigned as a specific responsibility to someone who does not have access to the system.
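
The custody rules above, as an added example written for this chapter rather than code from the book: a library record per labeled volume, issuance only to an authorized person who acknowledges responsibility, return of the issued file together with the new generation written from it, a use count that triggers cleaning and recertification, and a maintenance flag when read/write trouble is reported. The authorized roster and the recertification threshold are assumptions.

```python
"""Data library custody records: labelled volumes, controlled issuance and return,
use counts that trigger recertification, and maintenance flags on read/write trouble.

Added example, not code from the book. The recertification threshold and the authorized
roster are assumptions.
"""
from dataclasses import dataclass, field

RECERTIFY_AFTER_USES = 50  # assumed policy value


@dataclass
class Volume:
    volume_id: str       # external label: volume serial
    content: str         # external label: file name and generation
    uses: int = 0
    status: str = "IN_LIBRARY"  # IN_LIBRARY | ISSUED | NEEDS_RECERT | MAINTENANCE
    history: list = field(default_factory=list)


class DataLibrary:
    def __init__(self, authorized_persons, recertify_after=RECERTIFY_AFTER_USES):
        self.authorized = set(authorized_persons)
        self.recertify_after = recertify_after
        self.volumes = {}

    def shelve(self, volume_id, content):
        if volume_id in self.volumes:
            raise ValueError(f"duplicate volume label {volume_id}")
        self.volumes[volume_id] = Volume(volume_id, content)

    def check_issue(self, volume_id, person, acknowledged):
        """Return None if the issuance is allowed, otherwise the reason it is refused."""
        vol = self.volumes.get(volume_id)
        if vol is None:
            return "no such volume"
        if person not in self.authorized:
            return "not authorized"
        if not acknowledged:
            return "acknowledgement missing"
        if vol.status != "IN_LIBRARY":
            return f"volume is {vol.status}"
        return None

    def issue(self, volume_id, person, acknowledged):
        reason = self.check_issue(volume_id, person, acknowledged)
        if reason:
            raise PermissionError(f"{volume_id}: {reason}")
        vol = self.volumes[volume_id]
        vol.status = "ISSUED"
        vol.history.append(("issued", person))
        return vol

    def receive(self, volume_id, new_volume_id, new_content, io_errors=0):
        """Take back an issued volume together with the new generation written from it.
        The prior version stays as backup; usage and trouble go on its inventory record."""
        vol = self.volumes[volume_id]
        if vol.status != "ISSUED":
            raise RuntimeError(f"{volume_id} was not issued")
        if new_volume_id in self.volumes:
            raise ValueError(f"duplicate volume label {new_volume_id}")
        vol.uses += 1
        vol.history.append(("returned", new_volume_id, io_errors))
        if io_errors:
            vol.status = "MAINTENANCE"        # read/write trouble: hold for maintenance
        elif vol.uses >= self.recertify_after:
            vol.status = "NEEDS_RECERT"       # clean and recertify before reuse
        else:
            vol.status = "IN_LIBRARY"
        self.volumes[new_volume_id] = Volume(new_volume_id, new_content)
        return self.volumes[new_volume_id]

    def recertify(self, volume_id):
        vol = self.volumes[volume_id]
        if vol.status not in ("NEEDS_RECERT", "MAINTENANCE"):
            raise RuntimeError(f"{volume_id} does not need recertification")
        vol.uses = 0
        vol.status = "IN_LIBRARY"
        vol.history.append(("recertified",))

    def inventory(self):
        """One record per volume: content label, use count, status."""
        return {v.volume_id: (v.content, v.uses, v.status) for v in self.volumes.values()}
```

The `history` list on each volume is the audit trail an IT auditor would sample: who received which volume, which successor generation came back with it, and whether trouble was reported.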

Physical Security and Access Controls


The objective of physical security and access controls is to prevent or deter theft, damage, and unauthorized access to data and software, and to control the movement of servers, network-related equipment, and attached devices.
Physical security and access controls protect and restrict access to data centers (computer rooms) and EUC areas where intruders could otherwise reach information resources (i.e., office and network equipment). Physical security and access controls usually include:

◾◾ Traditional locks
◾◾ Personnel badge-entry systems
◾◾ Magnetic doors with security code for the server room
◾◾ Closed-circuit television and video surveillance equipment
◾◾ Biometric authentication (e.g., retinal scans, fingerprints, etc.)
◾◾ Security alarms
◾◾ Visitors logs
◾◾ Security guards and receptionists to screen visitors

The authority to change the above physical security access controls should be adequately controlled and limited to appropriate personnel (e.g., Human Resources Management).
Other controls involve the placement of office and network equipment for further security. For example, network equipment should be placed in areas where office traffic is light. If possible, servers, printers, and other equipment should be placed behind locked office doors. Data center operations managers may want to use combination locks to prevent the duplication of keys; another alternative is a locking device that operates on magnetic strips or plastic cards, a convenient choice when employees regularly carry picture identification badges.
Network equipment should be attached to heavy immovable office equipment, permanent office fixtures, special enclosures, or special microcomputer workstations. The attachment can be achieved with lockdown devices, which consist of a base attached to permanent fixtures and a second interlocking base attached to the microcomputer equipment. The bases lock together, and a key, combination, or extreme force is required to remove the equipment. All network equipment should be locked down to prevent unauthorized movement, installation, or attachment.
Many microcomputers and other equipment attached to the network may contain expensive hardware and security-sensitive devices. The removal of these devices not only incurs replacement costs but could also cause software to fail and allow unauthorized disclosure of company-sensitive information. Internal equipment can be protected by lockdown devices, as previously discussed, and by special locks that replace one or more screws and secure the cover of the equipment.
Cabling is also a source of exposure to accidental or intentional damage or loss. Cabling enables users and peripheral equipment to communicate, and in many networks, if a cable is severed or damaged, the entire system will be impaired. Cabling should be exposed neither to the environment nor to individuals. The communications manager may want to route and enclose cabling in electrical conduit. If possible, and if the exposure warrants the cost, cabling can also be encased in concrete tubing. When the cable is encased, unauthorized access by attaching to it (tapping) is lessened, and unauthorized movement of the cabling cannot occur easily, which enables the network manager to more efficiently monitor and control the network and access to it. To reduce potential downtime, cable may be laid in pairs: if one set is damaged, the alternate set can be readily attached. The second pair is usually protected in the same manner as the original but is not encased in the same tubing, thus preventing a similar type of accident from damaging both cables.
Notebook computers and mobile devices that are used for work purposes (e.g., tablets, smartphones, etc.) should also receive the same care and attention as cited earlier. These are even more vulnerable in that they can be taken and used off-site by employees and then brought back into the office and attached to the network. Off-site exposure to theft and sabotage, such as virus infection or theft of programs and data, is reduced when the devices are kept in a secure storage location while off-site.

Environmental Controls
All IT and network equipment operates under daily office conditions (e.g., humidity, temperature, electrical flow, etc.). However, a specific office environment may not be suited to a microcomputer because of geographical location, industrial facilities, or employee habits. A primary problem is the sensitivity of microcomputer equipment to dust, water, food, and other contaminants. Water and other substances can not only damage computer equipment, but also may cause electrocution or a fire. To prevent such occurrences, the IS operations manager should adhere to a policy prohibiting food, liquids, and the like at or near the servers and network equipment.
Although most offices are air-conditioned and temperature and humidity are usually controlled, these conditions must nonetheless be evaluated by the IS operations manager. If for any reason the environment is not controlled, the IS operations manager should take periodic readings of the temperature and humidity. If the temperature or humidity is excessively high or low, the server equipment and the network should be shut down to prevent loss of equipment, software, and data. When server or network equipment is transported, either within the building or especially outdoors to a new location, the equipment should be left idle at its new location for a short time to allow it to adjust to the new environmental conditions.
Airborne contaminants can enter the equipment and damage the circuitry. Hard disks are susceptible to damage by dust, pollen, air sprays, and gas fumes. Excessive dust between the read/write head and the disk platter can damage the platter or head or cause damage to the data or programs. If there is excessive smoke or dust, the servers should be moved to another location. Static electricity is another environmental hazard. It can be reduced with antistatic carpeting, antistatic pads placed around the server area, antistatic chair and keyboard pads, and special sprays that can be applied to the bottoms of shoes. Machines can also be used to control static electricity in an entire room or building.
Major causes of damage to servers or network equipment are power surges, blackouts, and brownouts. Power surges, or spikes, are sudden fluctuations in voltage or frequency in the electrical supply that originate in the public utility. They are more frequent when the data center is located near an electrical generating plant or power substation. A sudden surge or drop in the power supply can damage electronic boards and chips as well as cause a loss of data or software. If power supply problems occur frequently, special electrical cords and devices, commonly referred to as surge protectors, can be installed to prevent damage.
Blackouts are a total loss of electrical power and can last seconds, hours, or days. Brownouts occur when the electrical supply is diminished to below-normal levels for several hours or days. Although blackouts and brownouts occur infrequently, they are disruptive to continuing operations. If servers are essential and the organization's normal backup power is limited to necessary functions, uninterruptible power supply (UPS) equipment can be purchased specifically for the server or network equipment. Backup power can be provided by battery packs or by gas-powered generators. Battery packs are typically used for short-term needs only (i.e., completing a job in progress or supporting operations during a transition to generator power). Gas-powered generators provide long-term power and, as long as fuel is available, could conceivably be used indefinitely.
To prevent loss of or damage to computer equipment, services, or facilities, organizations should implement safeguards or controls such as:

◾◾ Avoiding transient surges and outages in power supplies
◾◾ Providing alternative sources of power in the event of extended power failures
◾◾ Installing devices that stabilize power supplies
◾◾ Providing backup generators
◾◾ Protecting power cables

Other common and necessary environmental controls to prevent damage to computer equipment include fire suppression equipment and raised floors. Fire suppression systems (e.g., fire sprinkler systems, gaseous fire suppression, condensed aerosol fire suppression, etc.) are automatic and do not require human intervention to control and extinguish fires. Raised floors are constructed above the building's original concrete slab floor, leaving the open space created between the two for wiring or cooling infrastructure.
An isolated holding area should also be used for deliveries to and loading from computer rooms supporting critical business activities. All computer and network equipment should be physically secured with antitheft devices if located in an open office environment. Servers and network equipment should be placed in locked cabinets, locked closets, or locked computer rooms.

Program and Data Backups


Laws and regulations may require organizations to maintain or archive their information and records for a specified period of time. Such archives, if containing financial or operational information, also allow management to perform useful analyses and comparisons on which to base projections of future operations. In an IT environment, these archives or backups consist of copies of significant programs (i.e., operating systems, applications, and databases) and their related data that are retained and stored in secure storage locations. If programs and data are not backed up regularly or are not stored in a secure location, they may not be recoverable in the event of a serious system failure.
Depending on the type of data file being backed up, the retention period may vary. For example, laws and regulations may require organizations to keep backups of general ledger data for a specified number of years, while internal policy may allow certain detailed transaction data to be deleted after a shorter period of time. If data retention laws and regulations are violated, organizations could be subject to regulatory penalties and/or fines.
Establishing backup policies, procedures, standards, and/or guidance helps ensure the availability of data significant to the operation of the organization. The policies, procedures, standards, and/or guidance should cover areas such as:

◾◾ Storage and retention of programs and data
◾◾ Backup scheduling and rotation
◾◾ Protection of backup media
◾◾ Backup monitoring, review, and resolution of exceptions

Typically, backups of programs and data files are stored both on-site (in a tape library, for example) and off-premises. The organization's policies and procedures should require that backup copies of programs and data reflect the latest and updated versions. Organizations should use cycle retention systems to provide backup of current data. Master files and transaction files that are sufficient to recreate the current day's master files should be stored both on and off premises. New backup files should be rotated to the off-premises location before the old files are returned to the data center.
Backups should be scheduled to run automatically during backup cycles (i.e., daily, weekly, monthly, quarterly, semiannually, and/or yearly) depending on the type of data. Data can be classified as sensitive data, operational and financial data, general and public data, etc. For instance, an organization may schedule partial (incremental or differential) backups of all financial data on a daily basis, and a full system backup of all organization data every Friday and every last day of the month. The same organization may schedule additional partial or full backups of sensitive and confidential data every quarter and every year. Backups should also be rotated (ideally on a daily basis) and stored off-site. Normally, backup tapes that have been stored on-site in a safe or a secure vault for some time are taken to the off-site facility. The organization should maintain information on which tapes are located on-site and off-site.
The protection of backup media (e.g., tape cartridges, disk packs containing data and software, etc.) should be part of the organization's backup policies. On-site backups should be stored in a computer center vault, which should be restricted to authorized personnel only (e.g., computer operators, librarians, computer center supervisor, security officer, etc.). Unauthorized personnel must sign a visitor's log and be accompanied by authorized personnel before obtaining access. The computer center vault should be protected with adequate physical and access controls. Similarly, off-site backups should be stored in an area that is restricted to authorized personnel only, and the off-site location should also have adequate physical and access controls.
Backups stored on-site and off-site should be checked frequently for premature loss due to deterioration of the media. Backup media are susceptible to gradual degradation as the physical material decays. Procedures should be performed to identify possible media degradation or improper creation of backups to prevent loss of data. Periodic scanning of the media, verification of the backup creation, or restoration of the data will usually indicate whether the data can still be read. When media degradation is discovered, the stored data should immediately be transferred to new media. When backups are improperly written, a procedure should exist to correct and reperform the process.
Backups should be monitored frequently, and logs should be completed supporting such monitoring and the successful completion of the backup. Management should also review these logs per company policy. For example, each morning an IS operator should be responsible for checking the backup job status on his/her computer in order to confirm backup completion, or to identify any error messages displayed by the system that prevented the backup from completing. Additionally, system-generated logs should be examined by IS operations personnel in order to identify files that might not have been backed up by the system. When exceptions to the backup process are identified, the IS operator should attempt restart procedures in order to resolve them. If the operator is unable to do so, the problem should be escalated for resolution; if it still cannot be corrected, an external consultant or vendor should be contacted for support. The IT or IS manager must review and maintain control logs of all backups, as well as provide documentation, when necessary, regarding recovery procedures performed and backup results.
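
The backup cycle, rotation, media check, and morning exception review described in this section, as one added example written for this chapter (not code from the book): it derives the daily/Friday/month-end cycle from the text's sample policy, applies a retention rule for which backup sets stay in the library, parses a constructed backup job log to find jobs that did not complete and files that were skipped, and verifies that stored copies still read back against the digest recorded when they were written. The log line format, the retention counts, the catalog, and the file contents are all assumptions.

```python
"""Backup cycle, retention and morning exception review.

Added example, not code from the book. The log format, retention counts, catalog and file
contents are constructed for illustration.
"""
import hashlib
import re
from datetime import date, timedelta


def month_end(d):
    first_of_next = (d.replace(day=28) + timedelta(days=4)).replace(day=1)
    return first_of_next - timedelta(days=1)


def backup_type_for(d):
    """Cycle from the text: full backup every Friday and on the last day of the month,
    partial (incremental) backup of financial data on every other day."""
    return "full" if d.weekday() == 4 or d == month_end(d) else "incremental"


def build_schedule(start_iso, days):
    """List of (ISO date, backup type) for `days` days starting at `start_iso`."""
    start = date.fromisoformat(start_iso)
    return [(d.isoformat(), backup_type_for(d)) for d in (start + timedelta(n) for n in range(days))]


def sets_to_retain(backup_sets, today_iso, daily=7, weekly=4, monthly=12):
    """Rotation rule (assumed counts): keep the last `daily` days of every set, the last
    `weekly` Friday fulls and the last `monthly` month-end fulls. Each set is a dict with
    'id', 'date' (ISO) and 'type'. Anything not returned may be rotated out or reused."""
    today = date.fromisoformat(today_iso)
    dated = [(date.fromisoformat(s["date"]), s) for s in backup_sets]
    keep = {s["id"] for d, s in dated if 0 <= (today - d).days < daily}
    fridays = sorted((d, s["id"]) for d, s in dated if s["type"] == "full" and d.weekday() == 4)
    month_ends = sorted((d, s["id"]) for d, s in dated if s["type"] == "full" and d == month_end(d))
    keep.update(i for _, i in fridays[-weekly:])
    keep.update(i for _, i in month_ends[-monthly:])
    return keep


LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) job=(?P<job>\S+) (?P<msg>.*)$")


def parse_backup_log(text):
    """Per job: whether it completed, which files were skipped, and error messages."""
    jobs = {}
    for line in text.strip().splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        job = jobs.setdefault(m["job"], {"completed": False, "skipped": [], "errors": []})
        msg = m["msg"]
        if msg.startswith("completed"):
            job["completed"] = True
        elif msg.startswith("skipped "):
            job["skipped"].append(msg.split()[1])
        elif m["level"] == "ERROR":
            job["errors"].append(msg)
    return jobs


def copy_readable(expected_sha256, stored_bytes):
    """Media check: read the stored copy back and compare with the digest recorded at creation."""
    return hashlib.sha256(stored_bytes).hexdigest() == expected_sha256


def backup_exceptions(jobs, catalog, store):
    """Morning review list: incomplete jobs, files not backed up, and copies that no longer
    read back correctly. Each needs a restart, and escalation if the restart fails."""
    findings = []
    for name, job in jobs.items():
        if not job["completed"]:
            findings.append((name, "job did not complete"))
        for path in job["skipped"]:
            findings.append((name, f"file not backed up: {path}"))
        for err in job["errors"]:
            findings.append((name, err))
    for set_id, expected in catalog.items():
        data = store.get(set_id)
        if data is None or not copy_readable(expected, data):
            findings.append((set_id, "stored copy missing or does not read back correctly"))
    return findings


# Constructed log: a daily financial job that skipped a locked file, and a full job that failed.
SAMPLE_LOG = """
2024-03-01 02:00:01 INFO job=FIN-DAILY started
2024-03-01 02:04:37 WARN job=FIN-DAILY skipped /data/gl/journal_2024-03.db (file locked)
2024-03-01 02:05:10 INFO job=FIN-DAILY completed files=1203
2024-03-01 03:00:00 INFO job=SYS-FULL started
2024-03-01 03:41:12 ERROR job=SYS-FULL write failed on volume TAPE-0412
"""

# Constructed catalog of digests recorded when the copies were written, and the shelf contents now.
SAMPLE_CATALOG = {
    "FIN-DAILY-2024-03-01": hashlib.sha256(b"general ledger extract").hexdigest(),
    "FIN-DAILY-2024-02-29": hashlib.sha256(b"general ledger extract (prior day)").hexdigest(),
}
SAMPLE_STORE = {
    "FIN-DAILY-2024-03-01": b"general ledger extract",
    "FIN-DAILY-2024-02-29": b"general ledger extr\x00ct (prior day)",  # degraded media
}
```

A job marked "completed" is not the same as every file being backed up: the skipped-file line in the sample log is exactly the case the text warns about, which is why the exception list is built from the log's per-file warnings and not from the completion message alone.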

Cloud Backups
Cloud backups may be an attractive option for many organizations. With a cloud backup, files are available from anywhere and are no longer dependent on any single computer or server, allowing for a quick and smooth restoration of the data in the event of a disaster. Additional advantages of cloud backups include savings on storage costs, the ability to back up more frequently, and off-site, redundant storage of critical data. A further advantage is that organizations can outsource cloud backup services to third-party entities that specialize in data backup and protection. Organizations can then eliminate many of the headaches involved in data backup without surrendering control of their most important asset, information, provided the provider's encryption, key management, and access controls are reviewed as carefully as those of an on-premises vault. These specialized "outsource" entities also offer the latest advances in security, encryption, disaster recovery, and continuous real-time data protection, among other services.
Research conducted by Forrester Consulting in 2014 concluded that more and more organizations are relying on cloud backups to assist with their continuity and disaster recovery tasks. According to the research, approximately 44% of the organizations surveyed had already either transferred the majority of their continuity and disaster recovery tasks into the cloud (including backups), or had plans to do so in the near future. Other respondents expressed concern that moving their information to the cloud would still open up opportunities for privacy and security issues, and would therefore remain with their current data environments. All respondents agreed that the ultimate goal, whether backing up to the cloud or not, is to have the confidence of knowing that, in the case of catastrophe, the information will be protected and available.

Business Continuity Plan


The objective of a business continuity plan (BCP) is to describe the processes, steps, and/or procedures to be carried out in the event of an emergency (i.e., a natural disaster or an unplanned interruption to normal business operations) to achieve a timely recovery and availability of all essential business processes, including the information systems. The BCP normally addresses:

◾◾ Key computer processing locations
◾◾ Application systems and user requirements for key business processes
◾◾ End-user activities for key business processes
◾◾ Telecommunications and networks
◾◾ Key databases, information warehouses, etc.
◾◾ Human resources
◾◾ Personal safety of employees and others

The plan assists organizations in responding to emergencies while continuing core activities and operating critical business processes at a level acceptable to management.
The lack of a comprehensive BCP in the event of an emergency may translate into delayed restoration of business processes and information systems. This may result in the inability of the organization to continue operations; loss of revenues and incurring of unnecessary expenses; loss of competitive advantage; loss of customer confidence and market share; and fines and sanctions, among others. In the event of an emergency, degraded services may be acceptable for some period of time. Nonetheless, the goal is to restore the affected systems and services to their normal levels as quickly as possible.

A common control activity tested by IT auditors within this area involves whether the organization's BCP has been prepared and approved by management, based on a business impact assessment. Other controls evaluate whether the plan is regularly tested and updated to reflect the results of such tests.

Disaster Recovery Plan


Disasters, whether natural (e.g., earthquakes, tsunamis, hurricanes, tornados, flood, fires, etc.) or
unnatural (e.g., cyberattacks, disruption of service, fraud, terrorism, market collapse, etc.) create
economic chaos and severe business interruptions. This is why having a Disaster Recovery Plan
(DRP) in place is such an important tool for businesses.
A DRP is a survival tool that helps businesses respond to threats and recover in the wake of an
event that disrupts normal business operations. Provided the plan is supported by management,
updated frequently, and tested and maintained accordingly, it offers the chance for businesses to
survive. Should a disaster occur, the payoff is to recover without significant business or operations
downtime and loss. Disasters can occur to businesses at any time and can impact them signifi-
cantly. For instance:

◾◾ On September 11, 2001, after the New York Twin Towers disaster, many firms lost con-
nectivity to banks, broker-dealers, and other financial institutions, disrupting their ability
to conduct business and determining whether financial transactions like buying and selling
stocks, etc., had been executed completely and accurately.
◾◾ On August 14, 2003, an enormous power failure blacked out population centers from New
York to Cleveland, Detroit, and Toronto, crippling transportation networks and trapping
tens of thousands of people in subways, elevators, and trains. Computers became useless to
those who did not have battery power.
◾◾ One of Japan’s major automakers, Honda, suffered a major drop (nearly 90%) in its second
quarter profit in 2011 after a massive tsunami and earthquake hammered its production and
sales. Small- and medium-sized businesses would not have been able to withstand this type of loss.
◾◾ In 2013, part of the Chinese Internet went down in what the government called the largest
denial-of-service (DoS) attack it has ever faced. The attack made machines and networks
unavailable, and interrupted Internet services. According to the Wall Street Journal, the
attack was an indicator of how susceptible the global Internet infrastructure is.

The impact of these and many other related disasters is felt not only by the business, but also by
the suppliers and customers who rely on that business for its products and sales.
One of the early critical steps in DRP is identifying who is responsible for distributed disaster
recovery. Is recovery of all technology the sole responsibility of IT or the business units? The answer
depends on who has control over the hardware, software, and data. In most cases, IT and users
must work together to identify critical information and resources that will need to be recovered
in the event of a disaster.
A DRP should address both partial and total destruction of computing resources. Distributed
systems and microcomputer systems should be included within the plan. Critical functions that
are performed on these platforms should be identified and procedures established for restoring
operations. Microcomputers are an important tool for daily work processing, and the recovery
of these tools should not be overlooked. Information on the basic microcomputer configuration,
including hardware and software, should be maintained for ease of recreating the processing envi-
ronment. In addition, a backup of critical data files should be kept off-site along with operating
and recovery procedures.
A DRP must be based on the assumption that any computer system is subject to several differ-
ent types of failures. In particular, procedures must exist and be tested for recovery from failures
or losses of equipment, programs, or data files. In the case of equipment failures, each installation
might have a contractual agreement covering the use of an alternate site with a comparable computer
configuration. Examples of these are cold sites and hot sites. A cold site is an empty building that
is prewired for necessary telephone and Internet access, plus a contract with one or more vendors
to provide all necessary equipment within a specified period of time. A hot site, on the other hand,
refers to a facility that is not only prewired for telephone and Internet access, but also contains all the
computing and office equipment the organization needs to perform its essential business activities.
Before assembling a DRP, the assets of the organization (e.g., hardware, software, facilities, per-
sonnel, administrative, data, etc.) and their replacement values should be identified. Specific risks
that would result in temporary or permanent loss of assets (say from fire, flood, sabotage, viruses,
etc.) should also be recognized. Next, the impact of these losses (e.g., modification, destruction, DoS,
etc.) must be assessed. Finally, the value of the asset should be compared against the frequency of loss
to justify the disaster recovery solution. Following completion of the above, a DRP can be assembled.

DRP Components
The DRP should identify various levels of recovery, from an isolated event to a widespread disas-
ter. The timeliness of recovery will depend on the loss exposure of the particular program or
system. When the plan is completed, it should be tested to identify potential problems. Testing
should be conducted on a periodic basis to validate assumptions, and to update the plan based
on the constantly changing environment. Testing also provides the opportunity to practice the
recovery procedures and identify missing elements that may need to be added. The DRP should
address components, such as:

1. Objectives and mission statement
2. Key personnel involved
3. Full and incremental program and data backups
4. Tests and drills
5. Program and data backups stored off-site
6. Disaster recovery chairperson and committee appointed
7. Emergency telephone numbers
8. List of all critical hardware and software applications
9. Insurance coverage
10. Communication plans
11. Up-to-date system and operation documentation
12. Employee relocation plans to alternate work sites

All members of the organization should be familiar with the DRP so that, if an emergency occurs,
staff members can readily execute their roles in the plan. Exercising the plan confirms that efforts
are not duplicated and that all the necessary steps are taken. It is important to have a writ-
ten DRP with detailed steps, as individuals unfamiliar with the process may need to perform the
disaster recovery process in a real emergency.
Auditing End-User Computing


EUC groups have grown rapidly in pervasiveness and importance. The knowledge worker’s appli-
cation of technology to help business solve problems has been one of the major forces of change
in business today. User dominance will prevail. Auditors, as knowledge workers and users, can
assist departments in identifying sensitive or critical PC applications that require special atten-
tion. In organizations where controls are inadequate or nonexistent, auditors can play a key role in
developing these controls for EUC groups. Once controls are in place, auditors can examine them
for adequacy and effectiveness. Auditing EUC groups can encompass the entire spectrum of IS
reviews from systems development to disaster recovery. Appendix 8 covers steps performed when
auditing EUC groups.

Audit Involvement in Information Systems Operations


An audit of an organization’s IS operations provides IT auditors assurance that operations,
including the processing of data, are adequately designed and ensure the complete, accurate, and
valid processing and recording of financial transactions. Such an examination also provides
assurance that financial information and relevant components of the IT infrastructure are
appropriately stored and managed.
Insufficient or inadequate IS operations and controls, however, may result in the following
risks:

◾◾ Incomplete or inaccurate processing of financial transactions whether executed online or
through a batch.
◾◾ Inability to reconstruct (or restore) financial data from source documentation following an
emergency or a serious systems incident or failure.
◾◾ Unauthorized personnel being able to access facilities, which may result in loss or substi-
tution of data, programs, and output or malicious damage to the computer facility and
equipment.

Common objectives of an IS operations audit include ensuring that:

◾◾ IT operations support adequate scheduling, execution, monitoring, and continuity of sys-
tems, programs, and processes to ensure the complete, accurate, and valid processing and
recording of financial transactions.
◾◾ Backups of financial information are appropriately scheduled, managed, and monitored,
ensuring information is accurate and complete. Backed up information is also readable and
restored effectively without major implications.
◾◾ Physical access is appropriately managed to safeguard relevant components of the IT infra-
structure and the integrity of financial information.

Without the implementation of appropriate controls, unnecessary damage or disruption to the
organization’s data processing could occur. Such damage could result in failure of the organiza-
tion’s critical processes. Control activities should be implemented to address risks such as the
above. For example, control activities would typically address the completeness of transactions
input for processing, including, among others, whether on-line transactions process to normal
completion, all necessary batch jobs are processed, processing is performed timely and in the
appropriate sequence, and whether inputting and processing transactions is valid and effective.
Examples of controls and procedures normally employed by IT auditors when examining data
processing include:

◾◾ Batch and/or online processing is defined, timely executed, and monitored for successful
completion.
◾◾ Exceptions identified on batch and/or online processing are timely reviewed and corrected
to ensure accurate, complete, and authorized processing of financial information.
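The two monitoring controls above can be exercised directly against the scheduler's own output. The Python script below is an added example written for this chapter, not code from the textbook or from any scheduler product: the log format, job names, return codes, the job sequence and the two-hour review window are all constructed assumptions. It reconciles one night's run against its schedule and reports what the auditor asks about, namely whether every scheduled job ran, whether it ran in the required sequence, and whether every failed completion was reviewed within the agreed window.

```python
"""Reconcile one scheduler run against its schedule (added example).

Constructed log format, one event per line:
    <ISO timestamp> <job name> START|END|REVIEWED [key=value ...]
Both the schedule and the log below are made up for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed schedule: (job, job that must finish before it starts).
SCHEDULE = [
    ("GL_EXTRACT", None),
    ("GL_POST", "GL_EXTRACT"),
    ("AR_AGING", "GL_POST"),
    ("DAILY_BACKUP", "AR_AGING"),
]

# Constructed scheduler log for one night. GL_POST fails (rc=8) and is only
# reviewed 2h20m later; AR_AGING runs anyway; DAILY_BACKUP never starts.
SAMPLE_LOG = """\
2024-03-01T01:00:05 GL_EXTRACT START
2024-03-01T01:12:40 GL_EXTRACT END rc=0
2024-03-01T01:13:00 GL_POST START
2024-03-01T01:20:11 GL_POST END rc=8
2024-03-01T01:21:00 AR_AGING START
2024-03-01T01:25:30 AR_AGING END rc=0
2024-03-01T03:40:00 GL_POST REVIEWED by=ops.oncall ticket=INC-0001
"""

# Assumed policy: a failed job must be reviewed within two hours.
REVIEW_SLA = timedelta(hours=2)

LINE_RE = re.compile(r"^(\S+) (\S+) (START|END|REVIEWED)(?: (.*))?$")


def parse_log(text):
    """Return a list of (timestamp, job, event, details) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        details = dict(kv.split("=", 1) for kv in (m.group(4) or "").split() if "=" in kv)
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), details))
    return events


def audit_run(schedule, events, sla=REVIEW_SLA):
    """Return findings: missing jobs, abends, sequence violations, failures not
    reviewed within the SLA, and successors that ran after a failed predecessor."""
    starts, ends, reviews = {}, {}, {}
    for ts, job, event, details in events:
        if event == "START":
            starts[job] = ts
        elif event == "END":
            ends[job] = (ts, int(details.get("rc", "-1")))
        elif event == "REVIEWED":
            reviews[job] = ts

    findings = []
    for job, predecessor in schedule:
        if job not in starts:
            findings.append(f"{job}: scheduled but never started")
            continue
        if job not in ends:
            findings.append(f"{job}: started but has no END record (abended or still running)")
            continue
        end_ts, rc = ends[job]
        if predecessor in ends:
            pred_end, pred_rc = ends[predecessor]
            if starts[job] < pred_end:
                findings.append(f"{job}: started before {predecessor} ended (sequence violation)")
            if pred_rc != 0:
                findings.append(f"{job}: ran although predecessor {predecessor} failed with rc={pred_rc}")
        if rc != 0:
            reviewed = reviews.get(job)
            if reviewed is None:
                findings.append(f"{job}: ended with rc={rc} and was never reviewed")
            elif reviewed - end_ts > sla:
                findings.append(f"{job}: rc={rc} reviewed {reviewed - end_ts} after failure, SLA is {sla}")
    return findings


if __name__ == "__main__":
    for finding in audit_run(SCHEDULE, parse_log(SAMPLE_LOG)):
        print(finding)
```

Against real scheduler output only `parse_log` and the `SCHEDULE` table would change; `audit_run` is the control test itself, and its findings list is the evidence an auditor would tie back to the exception logs and tickets requested from operations.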

To ensure backups are effective and information is accurate, complete, and restored without major
implications, IT auditors may evaluate and test control activities such as whether:

◾◾ Procedures for the restoration and recovery of financial information from backups have been
implemented in the event of processing disruptions, shutdowns, and restarts.
◾◾ Automated backup tools have been implemented to manage retention data plans and
schedules.
◾◾ Backups are controlled, properly labeled, stored in a secured, environmentally controlled off-site
location, and rotated to such facility on a periodic basis.
◾◾ Management plans and schedules (1) backup and retention of data and (2) erasure and release
of media when retention is no longer required.
◾◾ Management periodically reviews retention and release records.
◾◾ Backups are archived off-site to minimize risk that data is lost.
◾◾ Management periodically reviews completion of backups to ensure consistency with backup
and retention plans and schedules.
◾◾ Tests for the readability of backups are performed on a periodic basis. Results support timely
and successful restoration of backed up data.
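Two of the controls in the list above, the readability test of backups and the scheduled erasure of media past retention, lend themselves to an automated check. The Python code below is an added example, not code from the textbook or from any backup product. It builds a small gzip tar archive in memory to stand in for backup media, restores every file from it and compares the result with the source, and then runs a retention review over a constructed catalog; the archive format, catalog fields, 14-day retention period and 30-day test interval are assumptions.

```python
"""Backup readability and retention checks (added example).

Two controls exercised on constructed data:
  1. a readability test that restores the backup and compares every file
     with its source;
  2. a retention review that flags media past its retention period for
     erasure, and media lacking an off-site copy or a recent restore test.
The archive format (gzip tar), catalog fields and retention periods are assumptions.
"""
import hashlib
import io
import tarfile
from datetime import date

# Constructed source data that the backup is supposed to protect.
SOURCE_FILES = {
    "gl/ledger.csv": b"account,amount\n1000,250.00\n2000,-250.00\n",
    "payroll/run-2024-02.dat": b"\x00\x01payroll batch\x02\x03",
}


def make_backup(files):
    """Write the files into an in-memory gzip tar archive and return its bytes (the 'media')."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def readability_test(media, expected_sha, source_files):
    """Verify the media checksum, then restore each file and compare it with the source.
    Returns (ok, message)."""
    if sha256(media) != expected_sha:
        return False, "media checksum mismatch: corrupted or substituted"
    try:
        with tarfile.open(fileobj=io.BytesIO(media), mode="r:gz") as tar:
            for name, data in source_files.items():
                try:
                    member = tar.getmember(name)
                except KeyError:
                    return False, f"{name}: missing from backup"
                restored = tar.extractfile(member)
                if restored is None or restored.read() != data:
                    return False, f"{name}: restored content differs from source"
    except (tarfile.TarError, OSError, EOFError) as exc:
        return False, f"restore failed: {exc}"
    return True, f"{len(source_files)} file(s) restored and verified"


# Constructed backup catalog: label, date taken, off-site copy present, last restore test.
CATALOG = [
    {"label": "BK-2024-02-01", "taken": date(2024, 2, 1), "offsite": True, "last_test": date(2024, 2, 2)},
    {"label": "BK-2024-02-20", "taken": date(2024, 2, 20), "offsite": False, "last_test": None},
    {"label": "BK-2024-02-28", "taken": date(2024, 2, 28), "offsite": True, "last_test": date(2024, 2, 28)},
]


def retention_review(catalog, today, keep_days=14, test_days=30):
    """Return (labels due for erasure, findings) under the assumed retention plan."""
    erase, findings = [], []
    for entry in catalog:
        if (today - entry["taken"]).days > keep_days:
            erase.append(entry["label"])  # retention expired: schedule erasure and media release
            continue
        if not entry["offsite"]:
            findings.append(f"{entry['label']}: no off-site copy")
        last = entry["last_test"]
        if last is None or (today - last).days > test_days:
            findings.append(f"{entry['label']}: readability not tested in the last {test_days} days")
    return erase, findings


if __name__ == "__main__":
    media = make_backup(SOURCE_FILES)
    print(readability_test(media, sha256(media), SOURCE_FILES))
    print(retention_review(CATALOG, date(2024, 3, 1)))
```

A restore test that only checks the media checksum would miss an archive that is intact but incomplete, which is why `readability_test` also compares each restored file with its source. The retention review deliberately separates media due for erasure from open findings: erasure is a planned action under the retention schedule, while a missing off-site copy or an untested backup is a control exception.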

To determine whether physical access is appropriately managed to safeguard relevant components of
the IT infrastructure and the integrity of financial information, IT auditors may evaluate and test
whether:

◾◾ Physical access is authorized, monitored, and restricted to individuals who require such
access to perform their job duties.
◾◾ Which users, if any, have access to the data center or computer room.
◾◾ A physical access control mechanism (e.g., access cards, biometrics, traditional lock and key,
security guards, etc.) is used to restrict and record access to the building and to the computer
room, and authority to change such mechanism is limited to appropriate personnel.
◾◾ Biometrics authentication is employed through fingerprint, palm veins, face recognition, iris
recognition, retina scans, voice verification, etc.
◾◾ Entry of unauthorized personnel is supervised and logged, and such log is maintained and
regularly reviewed by IT management.
◾◾ Policies and procedures exist for granting access to the data center.
◾◾ Requests and approvals are required and completed before physical access is granted.
◾◾ There is a process in place for changing the access of transferred and/or terminated employ-
ees to the data center. Consider (1) naming the personnel involved; (2) how they are
notified to remove such access to the data center; and (3) how timely access is changed to
reflect their new status.
◾◾ User access reviews occur frequently to support current physical access granted to the IT
environment, and the data center hosting relevant financial applications, databases, operat-
ing systems, and other repositories for financial information.
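The last two controls in the list, removing access after transfers and terminations and periodically recertifying who can enter the data center, can be tested by reconciling the access control system's badge list with the HR roster and reading the door log. The Python code below is an added example, not code from the textbook or from any access control product; the roster, the roles assumed to need computer-room access, the badge identifiers and the log format are all constructed.

```python
"""Physical access review for a computer room (added example).

Reconciles the badge list that currently opens the data center door with the
HR roster, and reviews the door log for entries the mechanism should not have
granted. Roster, access list, roles and log lines are all constructed.
"""
from datetime import date, datetime

# Constructed HR roster: badge -> (name, status, date the status took effect, role).
ROSTER = {
    "B1001": ("A. Ortiz", "active", date(2022, 1, 10), "datacenter-ops"),
    "B1002": ("J. Lee", "terminated", date(2024, 2, 15), "datacenter-ops"),
    "B1003": ("M. Khan", "transferred", date(2024, 2, 20), "accounting"),
    "B1004": ("R. Patel", "active", date(2023, 6, 1), "helpdesk"),
}

# Constructed: badges the access control system currently admits to the computer room.
ACCESS_LIST = {"B1001", "B1002", "B1003"}

# Assumed policy: only these roles need routine access to the computer room.
ROLES_NEEDING_ACCESS = {"datacenter-ops", "facilities"}

# Constructed door controller log: <timestamp> <door> <badge> GRANTED|DENIED [key=value]
ENTRY_LOG = """\
2024-03-01T08:02:11 DC-DOOR-1 B1001 GRANTED
2024-03-01T08:15:40 DC-DOOR-1 B1002 GRANTED
2024-03-01T09:30:02 DC-DOOR-1 B1004 DENIED
2024-03-01T12:45:19 DC-DOOR-1 B9999 GRANTED escort=B1001
"""


def review_access_list(roster, access_list, roles_needing_access):
    """Flag badges still authorized although the holder left, moved to a role
    that does not need access, or is unknown to HR."""
    findings = []
    for badge in sorted(access_list):
        if badge not in roster:
            findings.append(f"{badge}: authorized but not in HR roster")
            continue
        name, status, since, role = roster[badge]
        if status == "terminated":
            findings.append(f"{badge} ({name}): terminated on {since}, still authorized")
        elif status == "transferred" and role not in roles_needing_access:
            findings.append(f"{badge} ({name}): transferred to {role} on {since}, access not removed")
        elif role not in roles_needing_access:
            findings.append(f"{badge} ({name}): role {role} does not require computer-room access")
    return findings


def review_entry_log(log_text, roster, access_list):
    """Flag granted entries by badges not on the authorized list, or used after
    the holder's termination date. Denied attempts are counted, not flagged:
    a denial is the mechanism working as intended."""
    findings, denied = [], 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, door, badge, result = parts[:4]
        extra = dict(kv.split("=", 1) for kv in parts[4:] if "=" in kv)
        when = datetime.fromisoformat(ts)
        if result == "DENIED":
            denied += 1
            continue
        if badge not in access_list:
            escort = extra.get("escort", "none recorded")
            findings.append(f"{ts} {door}: {badge} not on authorized list was granted entry (escort: {escort})")
        if badge in roster:
            name, status, since, _ = roster[badge]
            if status == "terminated" and when.date() >= since:
                findings.append(f"{ts} {door}: {badge} ({name}) used after termination on {since}")
    return findings, denied


if __name__ == "__main__":
    for f in review_access_list(ROSTER, ACCESS_LIST, ROLES_NEEDING_ACCESS):
        print("ACCESS LIST:", f)
    log_findings, denied = review_entry_log(ENTRY_LOG, ROSTER, ACCESS_LIST)
    for f in log_findings:
        print("ENTRY LOG:", f)
    print(f"{denied} denied attempt(s) recorded")
```

The two reviews answer different questions: the list review shows whether the joiner-mover-leaver process actually reached the door controller, and the log review shows whether anyone got in whom the list should not have admitted. A visitor badge granted entry with a recorded escort is still reported, so that the auditor can tie it to the visitor log the text asks IT management to maintain and review.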

Other typical services provided by IT auditors in the area of IS operations and physical access
include examinations of data centers and DRPs.

Audit of Data Centers


Data center audits are performed to evaluate the administrative controls over data center resources
and data processing personnel (IS operations, systems analysis, and programming). The scope of
the audit may include an evaluation of the planning, staffing, policies/procedures, assignment
of responsibilities, budgets, management reports, and performance measures in areas, such as:
hardware management, software management, resource protection and recovery, access controls,
operations management, and network/communications management. A data center audit may
focus on any one of these accountabilities, or may include all of them depending on the size of the
data center, operations staff, and time budget. For example, for a large data center with multiple
computers and a large number of users, the audit may focus only on access controls and security
administration. For a small data center, the audit might include all of the accountabilities.
Common objectives for data center audits relate to the identification of audit risks in the oper-
ating environment and the controls in place to mitigate those audit risks in accordance with man-
agement’s intentions. The IT auditor must evaluate control mechanisms and determine whether
objectives have been achieved. Preaudit preparation is required for effective data center audits;
this includes meeting with IT management to determine possible areas of concern. At this meet-
ing, the following information should be obtained:

◾◾ Current IT organization chart
◾◾ Current job descriptions for IT data center employees
◾◾ List of application software supported and the hardware hosting them
◾◾ IT policies and procedures
◾◾ Systems planning documentation and fiscal budget
◾◾ Business continuity and disaster recovery plans

IT audit personnel should review the preceding information and become familiar with the way
the data center provides IT services. In addition, auditors should become familiar with basic ter-
minology and resource definition methodology used in support of the operations environment.
Audit engagement personnel should review the audit program and become familiar with the areas
assigned for the completion of an audit task.

Audit of a DRP
As stated earlier, a DRP is a plan established to enable organizations and their IT environments to
quickly restore operations and resume business in the event of a disaster. The plan must be updated
on a regular basis to reduce the likelihood of incorrect decisions being made during the recovery
process, and decrease the level of stress that may be placed on the disaster recovery team members
during this process.
From an audit standpoint, the DRP to be evaluated and tested by the IT auditor must include
a mission statement and objectives. These objectives should be realistic, achievable, and economi-
cally feasible. The objectives provide direction in preparing the plan and in continually reevaluat-
ing its usefulness. Documentation supporting disaster simulation drills or tests conducted must
be available to assess technical and non-technical procedural aspects of the organization’s DRP.
Tests reduce the opportunity for miscommunication when the plan is implemented during a real
disaster. They also offer management an opportunity to spot weaknesses and improve procedures.
Some of the control activities the IT auditor can evaluate and test would relate to whether:

◾◾ All media (tapes, manuals, guides, etc.) are stored in a secured, environmentally controlled
location.
◾◾ Adequate insurance coverage has been acquired and maintained.
◾◾ On-going readability of backup and retained data is tested periodically through restoration
or other methods.
◾◾ Removable media are labeled to enable proper identification.

Unfortunately, organizations are often unwilling to carry out a test because of the disruption that
occurs to daily operations and the fear that a real disaster may arise as a result of the test proce-
dures. Therefore, a phased approach to testing would be helpful in building up to a full test. A
phased test approach would, for example, consider giving personnel prior notice of the test so that
they are prepared. The approach would also simulate the disaster with warning (i.e., at a conve-
nient time and during a slow period) and without warning.
Unless a DRP is tested, it seldom remains usable. A practice test of the plan could very well be
the difference between its success or failure. The process is parallel to the old adage about the three
things it takes for a retail business to be successful: location, location, location. What is needed for
an organization’s DRP to allow it to continue to stay in business is testing, testing, and more testing.
The audit of a DRP is an important check for both the IT auditor and management. The major
elements and areas of the plan should be validated and assessed to ensure that in the event of a
disaster, essential business processes and information systems can be recovered timely.

Audit Tools
Exhibit 11.1 illustrates a template of a standard audit checklist that can be used as a starting point
when assessing IS operations related to financial applications systems. Appendix 3 (discussed in
Chapter 3) also provides a sample IT audit program for the IS operations general control IT
area, which includes a complete list of audit control objectives and activities to be followed and
performed when conducting such an examination. Depending on the size and complexity of the
organization, these control objectives and activities may need to be revised or expanded to obtain
adequate audit coverage of the change control management function.

Conclusion
The chapter has provided an overview of IS operations as a relevant component of the IT
infrastructure. This overview includes key objectives and controls that relate to the significance
Exhibit 11.1 Sample ISO Audit Checklist

Information Systems Operations––Audit Checklist
[Name of] Financial Application System
Columns: Task | Yes, No, N/A | Comments
OBJECTIVE 1: IT operations support adequate scheduling, execution,
monitoring, and continuity of systems, programs, and processes to
ensure the complete, accurate, and valid processing and recording of
financial transactions.
1. Interview users who are familiar with the control objective and
control activities listed below, and ask them to describe the steps
involved in achieving and performing such control objective and
activities, including but not limited to:
• reports used, and how they are used
• procedures performed when exceptions or unusual items (e.g.,
unexpected changes in personnel, etc.) prevent the control
objective and activity from being addressed
• how the control objective and activity are achieved in their
absence
2. Verify that automated job scheduling tools are implemented to
ensure completeness of the data flow processing.
3. Examine documentation supporting changes to the job schedule.
Obtain management’s authorization for those changes.
4. Observe whether logging of changes to the job schedule has
been enabled to confirm that such changes are adequately
monitored.
5. Review access of users that can define or modify production
schedules. Reassess the reasonableness of such access
privileges.
6. Ensure existing documentation defines batch and online
processing procedures.
7. Ensure that documentation is available supporting the scheduling
and timely execution of batch and/or online processing
procedures.
8. Ensure that batch and online processing is managed in
accordance with established policies and procedures.
9. Ensure batch and/or online processing procedures are monitored
for successful completion.
10. Examine entity documentation, such as completed processing
logs and access control listings, indicating that the processing is
monitored in accordance with established policies and
procedures.
11. Observe the execution of scheduled processing to confirm that
exceptions, if any, are properly recorded in logs.
12. Observe procedures performed to confirm that exceptions
identified on batch and/or online processing are timely reviewed
and corrected to ensure accurate, complete, and authorized
processing of financial information.
13. Ensure access to automated scheduling tools and executable
programs (i.e., execute, modify, delete, or create) is granted to
users consistent with their job tasks and responsibilities.
14. Sample documentation to be obtained to support the audit
procedures above may include:
• Operations schedules or task lists
• Sample of completed processing log
• Policies and procedures regarding job scheduling tools, as well
as detection and correction of processing exceptions
• Exception, error, or problem logs and reports
• Restart/recovery procedures
• Organization chart and access listings (e.g., job scheduler
function, master scheduler file, etc.)
OBJECTIVE 2: Storage of financial information is appropriately
managed, accurate, and complete.
1. Interview users who are familiar with the control objective and
control activities listed below, and ask them to describe the steps
involved in achieving and performing such control objective and
activities, including but not limited to:
• reports used, and how they are used
• procedures performed when exceptions or unusual items (e.g.,
unexpected changes in personnel, etc.) prevent the control
objective and activity from being addressed
• how the control objective and activity are achieved in their
absence

2. Procedures for the restoration and recovery of financial
information from backups have been implemented in the event
of processing disruption, shutdown, and restart procedures
consistent with IT policies and procedures.
3. Automated data retention tools (backups) have been
implemented to manage retention data plans and schedules.
4. Backup tools and online schedules have been reviewed and
approved by management.
5. Observe implementation and execution of backup tools.
6. For errors resulting from backups, examine evidence
supporting that such errors have been identified and timely
resolved.
7. Observe any on-site storage location, and ensure it is secured
and adequately controlled.
8. For off-site backups, ensure they are stored in a secured,
environmentally controlled location.
9. Verify the adequacy of the off-site facility location, including
physical security systems and environmental controls.
10. Ensure that backups are properly labeled and rotated to the
off-site facility on a periodic basis.
11. Make certain that tests for the readability of backups are
performed on a periodic basis. Results must support timely and
successful restoration of backed up data.
12. Examine data in storage and schedule erasure or disposal of such
data when no longer required.
13. Sample documentation to be obtained to support the audit
procedures above may include:
• Automated data retention tool documentation, including
configuration and parameter reports
• Examples of management reports generated from the
automated data retention tools
• Policies and procedures on automated backups, labeling,
erasure, retention, and disposal
• Job descriptions and responsibilities of records custodian
• Business impact analysis on availability of data
• Samples of backup logs and rotation schedules
• Inventory of on-site and off-site backups
OBJECTIVE 3: Physical access is appropriately managed to safeguard
relevant components of the IT infrastructure and the integrity of
financial information.
1. Interview users who are familiar with the control objective and
control activities listed below, and ask them to describe the steps
involved in achieving and performing such control objective and
activities, including but not limited to:
• reports used, and how they are used
• procedures performed when exceptions or unusual items (e.g.,
unexpected changes in personnel, etc.) prevent the control
objective and activity from being addressed
• how the control objective and activity are achieved in their
absence
2. Physical access control mechanisms are used to restrict and record
access to the building and to the computer room (i.e., data center).
3. Authority to change physical access control mechanisms is
limited to appropriate personnel.
4. Physical access is authorized and granted appropriately consistent
with job responsibilities.
5. Physical access is monitored and restricted to users who require
such access to perform their job duties.
6. Entry of unauthorized personnel is supervised and logged. The
log is maintained and regularly reviewed by IT management.
7. Observe (on an unannounced basis whenever possible) personnel
accessing the facilities through access control mechanisms.
8. Ensure management periodically performs a review of access listings
of personnel with authority to access IT resources/facilities and
change physical access mechanisms. Corroborate that such access is
authorized and granted consistent with job responsibilities, and that
unauthorized personnel are removed immediately.
9. Sample documentation to be obtained to support the audit
procedures above may include:
• Restricted area access policies and procedures
• Access control mechanism monitoring logs
• Policies and procedures related to granting/removing access to
IT resources and restricted areas, as well as to access to change
physical access mechanisms
• Listing of users who have access to IT resources and restricted
areas, and can change physical access mechanisms
• Evidence that violations in access have been timely corrected
of implementing effective policies and procedures; data processing; physical security; envi-
ronmental controls; storage of information; and continuity and recovery of operations. These
operational controls form an underlying foundation for the availability and security of the
entire system, and are extremely important in protecting the applications and support systems.
Any breakdown in their effectiveness can have a catastrophic impact to the programs and
applications.

Review Questions
1. Why are policies and procedures related to IS operations considered essential for every IT
environment?
2. Data processing controls help ensure that data is validly processed, and that any exceptions
noted while processing will be detected and corrected. What are some of the key questions
managers ask in order to address unusual events, failures, or errors resulting from data being
processed?
3. Why are physical security and access controls important to organizations? List at least six
examples of physical security and access controls.
4. Explain the purpose of data center audits.
5. Differentiate between blackouts and brownouts. Research the Internet and provide
one example where a blackout took place during the last five years. Do the same for a
brownout.
6. List potential areas that backup policies, procedures, standards, and/or guidance should
cover to ensure the availability of data significant to the operation of the organization.
7. What is the risk to organizations of not having a comprehensive business continuity plan in
place in the event of an emergency?
8. As the Senior IT auditor, you are having a planning meeting with the client’s IT manage-
ment. The IT manager is in the process of creating a disaster recovery plan (DRP) to put the
organization in a better position when responding to (and recovering from) threats that may
disrupt normal business operations. The IT manager asks you about the components that
should be included in a DRP. Provide your response.
9. List control activities the IT auditor can perform to evaluate and test an organization’s DRP.
10. Mention potential areas a company policy related to End-user Computing groups should
cover.

Exercises
1. List information that the IT auditor should request or obtain at the preaudit meeting in
order to conduct a data center audit. Why is this information important for the IT auditor?
2. Document common audit objectives the IT auditor should focus on when auditing storage
or archival of information. Also, list control activities that the IT auditor would need to test
in order to meet the audit objectives just listed.
3. One of the recommendations you made during last year’s IT audit was the implementation
of a disaster recovery plan. In performing the IT audit for this year, you find that although
a plan was in place, it has not been tested. Document your reasons why the disaster recovery
plan should be tested.
4. You are the Senior IT auditor conducting a planning audit meeting with your two IT staff
auditors. The main topic discussed at this planning meeting is the upcoming audit of a
company’s End-User Computing (EUC) groups. One of the staff IT auditors, recently hired
from college, is not sure about the specific objectives to include when auditing EUC groups.
Summarize and document these objectives to your staff IT auditor.

CASE—BUSINESS CONTINUITY AND DISASTER RECOVERY


SCENARIO: Business continuity and disaster recovery plans are required to counteract
interruptions to business activities and to protect critical business processes from the effects
of major failures or disasters. The Payroll Department (“Department”) of ISO Company,
Inc. is classified as a critical business process because of the sensitive, private, and confiden-
tial information it hosts. It would be disastrous for the Department if information gets lost
or if its business systems go off-line, even for a day. During planning meetings, IT auditors
kept the following objectives in mind:

◾◾ Are the Department’s business systems adequately backed up?
◾◾ Are backup copies of the Department’s data held in a secure and remote media store?
◾◾ Is there evidence that the current backup strategy works in practice?
◾◾ Is there an appropriate disaster recovery plan established as part of the company’s busi-
ness continuity plan?
◾◾ Is the disaster recovery plan based on a thorough risk assessment?

OBSERVATIONS: As part of the IT audit of ISO Company, Inc.’s Payroll Department, IT
auditors uncovered a number of problems with the company’s business continuity and disas-
ter recovery plans and practices. While conducting the audit, IT auditors observed that the
organization’s business continuity and disaster recovery plans, both established 10 years ago,
have not been updated to reflect continuity and disaster recovery practices for the current
environment. For example, although backup copies were made of the Department’s infor-
mation, upon inspection, IT auditors discovered that those backups were not maintained
at the off-site location where they were supposed to be stored. Moreover, when IT auditors
asked for documentation supporting the tests performed of the Department’s business conti-
nuity and disaster recovery plans, they discovered that the Department had never tested the
plans. The Department also had not conducted any risk assessment in support of the plans.
The Department’s information systems, Payroll System Application (PSA), is open to
external attacks since it is interconnected through the network. A collapse of the PSA would
bring dire consequences for the Department. In fact, in the event of a crash, switching over
to a manual system would not be an option. Manual handling of the company’s payroll
sensitive, private, and confidential information by staff personnel has resulted in previous
loss of such information. Hence, the PSA must operate online at all times. The auditors agree
that, based on the above observations, in the event of interruptions due to natural disasters,
accidents, equipment failures, and deliberate actions, the Department may not be able to
cope with the pressure.
TASK: List the risks the ISO Company, Inc.’s Payroll Department is exposed to as a result of
the observations. Also, document audit recommendations you would communicate to ISO
Company, Inc.’s management related to the lack of continuity and disaster recovery proce-
dures observed. Support your reasons and justifications with IT audit literature and/or any
other valid external source. Include examples, if appropriate, to evidence your case point.
Submit a word file with a cover page, responses to the tasks above, and a reference section at
the end. The submitted file should be at least five pages long (double line spacing), including
the cover page and the references page. Be ready to present your work to the class.
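To make the case’s five audit objectives concrete, the following added Python script (an illustration written for this section, not code from the textbook or from ISO Company, Inc.) evaluates constructed backup and plan evidence against each objective and returns the exceptions an auditor would document. The evidence records, dates and placeholder hashes are all constructed; the thresholds are assumptions, not figures from the case.

```python
"""Added example, not from the textbook: evaluates constructed backup and
DR-plan evidence against the five audit objectives of the ISO Company, Inc.
payroll case. Every record, date and hash below is constructed."""
from datetime import date

# Constructed evidence an IT auditor might collect for the Payroll System Application.
EVIDENCE = {
    "as_of": date(2017, 6, 30),
    "backups": [  # one record per backup run; hashes are placeholders, not real digests
        {"taken": date(2017, 6, 29), "onsite_sha256": "aa11",
         "offsite_sha256": None},  # copy never reached the off-site media store
        {"taken": date(2017, 6, 28), "onsite_sha256": "bb22",
         "offsite_sha256": "bb22"},
    ],
    "last_restore_test": None,  # no test documentation could be produced
    "plan_last_reviewed": date(2007, 3, 1),  # plan established 10 years ago
    "risk_assessment_date": None,  # no risk assessment supports the plan
}

def audit_continuity(ev, max_backup_age_days=1, max_plan_age_days=365,
                     max_test_age_days=365):
    """Return (objective, finding) tuples; an empty list means no exceptions."""
    as_of = ev["as_of"]
    findings = []
    backups = sorted(ev["backups"], key=lambda b: b["taken"], reverse=True)
    # Objective 1: adequately backed up, i.e. a backup exists within the expected interval
    if not backups or (as_of - backups[0]["taken"]).days > max_backup_age_days:
        findings.append(("backed_up", "no backup within the expected interval"))
    # Objective 2: an off-site copy is held and matches the on-site copy
    for b in backups:
        if b["offsite_sha256"] is None:
            findings.append(("offsite", f"backup of {b['taken']} has no off-site copy"))
        elif b["offsite_sha256"] != b["onsite_sha256"]:
            findings.append(("offsite", f"backup of {b['taken']} differs off-site"))
    # Objective 3: evidence the backup strategy works, i.e. a recent restore test
    t = ev["last_restore_test"]
    if t is None or (as_of - t).days > max_test_age_days:
        findings.append(("tested", "no restore test within the review period"))
    # Objective 4: the plan is maintained as part of the current continuity plan
    if (as_of - ev["plan_last_reviewed"]).days > max_plan_age_days:
        findings.append(("plan_current", "plan not reviewed within the review period"))
    # Objective 5: the plan rests on a risk assessment
    if ev["risk_assessment_date"] is None:
        findings.append(("risk_assessed", "no risk assessment supports the plan"))
    return findings

if __name__ == "__main__":
    for objective, finding in audit_continuity(EVIDENCE):
        print(f"{objective}: {finding}")
```

Run against the constructed evidence, the script reproduces the case’s observations as four exceptions (missing off-site copy, untested plan, stale plan, no risk assessment) while the daily backup itself passes.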
