Chapter 15
IT Controls Part I: Sarbanes-Oxley & IT Governance
Accounting Information Systems, 5th edition
James A. Hall
Objectives for Chapter 15
Key features of Sections 302 and 404 of the Sarbanes-Oxley Act
Management and auditor responsibilities under Sections 302 and 404
Risks of incompatible functions and how to structure the IT function
Controls and security of the organization's computer facilities
Key elements of a disaster recovery plan
Sarbanes-Oxley Act
The 2002 Sarbanes-Oxley (SOX) Act established new corporate governance rules:
◦ Created a company accounting oversight board
◦ Increased accountability for company officers and board of directors
◦ Increased white collar crime penalties
◦ Prohibits a company's external audit firms from providing financial information systems
SOX Section 302
Section 302—in quarterly and annual financial statements, management must:
◦ certify the internal controls over financial reporting
◦ state responsibility for internal control design
◦ provide reasonable assurance as to the reliability of the financial reporting process
◦ disclose any recent material changes in internal controls
SOX Section 404
Section 404—in the annual report on internal control effectiveness, management must:
◦ state responsibility for establishing/maintaining adequate financial reporting internal control
◦ assess internal control effectiveness
◦ refer to the external auditors' attestation report on management's internal control assessment
◦ provide explicit conclusions on the effectiveness of financial reporting internal control
◦ identify the framework management used to conduct their internal control assessment (examples: COSO or COBIT)
http://www.microsoft.com/msft/reports/ar08/10k_fr_con.html
IT Controls & Financial Reporting
Modern financial reporting is driven by information technology (IT).
IT initiates, authorizes, records, and reports the effects of financial transactions.
◦ Financial reporting internal controls are therefore inextricably integrated with IT.
COSO identifies two groups of IT controls:
◦ application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
◦ general controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development
SOX Audit Implications
Pre-SOX, audits did not require internal control tests.
◦ Only required to be familiar with the client's internal control
◦ Audit consisted primarily of substantive tests (tests of account balances)
SOX – radically expanded the scope of the audit
◦ Issue a new audit opinion on management's internal control assessment
◦ Required to test internal control affecting financial information, especially internal control to prevent fraud
◦ Collect documentation of management's internal control tests and interview management on internal control changes
Types of Audit Tests
Tests of controls – tests to determine if appropriate internal controls are in place and functioning effectively
Substantive testing – detailed examination of account balances and transactions
Organizational Structure IC
Audit objective – verify that individuals in incompatible areas are segregated to minimize risk while promoting operational efficiency
Internal controls, especially segregation of duties, are affected by the type of organizational structure:
◦ Centralized model
◦ Distributed model
[Figure: two organization charts]
CENTRALIZED COMPUTER SERVICES FUNCTION – President over VP Marketing, VP Computer Services, VP Operations and VP Finance; VP Computer Services over Systems Development (New Systems Development, Systems Maintenance), Database Administration and Data Processing (Data Control, Data Preparation, Computer Operations, Data Library).
DISTRIBUTED ORGANIZATIONAL STRUCTURE – President over VP Marketing, VP Finance, VP Operations and VP Administration, with Treasurer, Controller, Manager Plant X and Manager Plant Y below them; each business unit has its own workstation.
Centralized DP Organizational Controls
(assumes internally developed software)
Need to separate:
◦ systems development from computer operations/processing
◦ database administrator from other computer service functions, especially database administrator (DBA) from systems development (the DBA authorizes access)
◦ maintenance from new systems development
◦ data library from operations
Distributed DP Organizational Controls
Many advantages to using DDP, yet there are control implications:
◦ incompatible software among various work centers
◦ data redundancy may result
◦ consolidation of incompatible tasks
◦ lack of standards
Organizational Structure Controls
A corporate computer services function/information center may help to alleviate potential problems associated with DDP by providing:
◦ central testing of commercial hardware and software
◦ user services staff
◦ a standards setting body
◦ reviewing technical credentials of prospective systems professionals
[Figure: General Control Framework for CBIS Exposures – control areas: Operating System, Data Management, Systems Development, Systems Maintenance, Organizational Structure, Internet & Intranet, EDI Trading Partners, Personal Computers, Computer Center Security, Applications]
Computer Center Internal Controls
(centralized or DDP)
Audit objectives:
◦ physical security internal control protects the computer center from physical exposures
◦ insurance coverage compensates the organization for damage to the computer center
◦ operator documentation addresses routine operations as well as system failures
Computer Center Controls (assumes centralized processing)
(centralized or DDP)
Considerations:
◦ location away from human-made and natural hazards
◦ utility and communications lines underground
◦ keep windows closed – use air filtration systems
◦ access limited to operators and other necessary workers; others required to sign in and out
◦ fire suppression systems should be installed
◦ backup power supplies
Segregation of Duties
Transaction authorization is separate from transaction processing.
Asset custody is separate from record-keeping responsibilities.
The tasks needed to process the transactions are subdivided so that fraud requires collusion.
Audit Procedures
Review corporate policy on computer security
◦ Verify that the security policy is communicated to employees
Review documentation to determine if individuals or groups are performing incompatible functions
Review systems documentation and maintenance records
◦ Verify that maintenance programmers are not also design programmers
Observe if segregation policies are followed in practice.
◦ Example: check operations room access logs to determine if programmers enter for reasons other than system failures
Review user rights and privileges
◦ Verify that programmers have access privileges consistent with their job descriptions
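Two of these procedures, the incompatible-function review and the operations-room log check, can be run over an entitlement extract and a badge log. The following is an added example, not code from the textbook or any audit tool; the privilege names, the privilege-to-function mapping, the log line format and all sample data are constructed assumptions, and the incompatible pairs are the ones the chapter lists for a centralized DP function.

```python
from datetime import datetime
INCOMPATIBLE = [  # function pairs the chapter says a centralized DP function must separate
    ("systems_development", "computer_operations"),
    ("database_administration", "systems_development"),
    ("systems_maintenance", "new_systems_development"),
    ("data_library", "computer_operations"),
]
# Assumed privilege-to-function map; maintenance and new development are parts
# of systems development, so each of those privileges implies it as well.
PRIVILEGE_FUNCTIONS = {
    "prod_console": {"computer_operations"},
    "db_grant": {"database_administration"},
    "tape_checkout": {"data_library"},
    "patch_branch": {"systems_maintenance", "systems_development"},
    "new_project_branch": {"new_systems_development", "systems_development"},
}
def sod_conflicts(entitlements):
    """Map each user to the incompatible pairs their granted privileges span."""
    findings = {}
    for user, privs in entitlements.items():
        funcs = set().union(*(PRIVILEGE_FUNCTIONS.get(p, set()) for p in privs))
        hits = [pair for pair in INCOMPATIBLE if pair[0] in funcs and pair[1] in funcs]
        if hits:
            findings[user] = hits
    return findings
def unexplained_ops_entries(log_lines, programmers, failure_windows):
    """Programmer badge-ins to the operations room outside any failure window."""
    flagged = []
    for line in log_lines:
        ts, badge, door = line.split()
        user = badge.removeprefix("badge=")
        if door == "door=ops_room" and user in programmers and not any(
                start <= datetime.fromisoformat(ts) <= end for start, end in failure_windows):
            flagged.append((user, ts))
    return flagged

# Constructed sample data for a run.
ENTITLEMENTS = {
    "alice": {"new_project_branch", "prod_console"},  # developer with an ops console
    "bob": {"patch_branch"},                          # maintenance only: no conflict
    "carol": {"db_grant", "patch_branch"},            # DBA who also changes code
    "dave": {"tape_checkout", "prod_console"},        # librarian who also operates
}
ACCESS_LOG = [
    "2024-03-04T02:13:00 badge=alice door=ops_room",  # inside the failure window
    "2024-03-04T14:05:00 badge=alice door=ops_room",  # no failure explains it
    "2024-03-04T14:10:00 badge=dave door=ops_room",   # an operator, not a programmer
]
FAILURES = [(datetime(2024, 3, 4, 1, 30), datetime(2024, 3, 4, 3, 0))]
PROGRAMMERS = {"alice", "bob", "carol"}
```

Each hit names the pair of functions one person can exercise alone, which is exactly the collusion requirement the segregation-of-duties slide relies on.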
Audit Procedures
Review insurance coverage on hardware, software, and physical facility
Review operator documentation, run manuals, for completeness and accuracy
Verify that operational details of a system’s internal logic are not in the operator’s documentation
Disaster Recovery Planning
Disaster recovery plans (DRP) identify:
◦ actions before, during, and after the disaster
◦ the disaster recovery team
◦ priorities for restoring critical applications
Audit objective – verify that DRP is adequate and feasible for dealing with disasters
Disaster Recovery Planning
Major IC concerns:
◦ second-site backups
◦ critical applications and databases, including supplies and documentation
◦ back-up and off-site storage procedures
◦ disaster recovery team
◦ testing the DRP regularly
Disaster Recovery Planning (DRP)
Disaster recovery plan
◦ Include all actions to be taken before, during, and after the disaster
◦ Disaster Recovery Team identified
◦ critical applications (modules/programs) must be identified; restore these applications first
Backups and off-site storage procedures
◦ databases and applications
◦ documentation
◦ supplies
Second-Site Disaster Backups
Mutual Aid Pact - agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs
Empty Shell/Cold Site - involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
Recovery Operations Center/Hot Site - completely equipped site; very costly and typically shared among many companies
Internally Provided Backup - companies with multiple data processing centers may create internal excess capacity
Audit Procedures
Evaluate adequacy of second-site backup arrangements
Review list of critical applications for completeness and currency
Verify procedures are in place for storing off-site copies of applications/data
◦ Check currency of back-ups and copies
Verify that documentation, supplies, etc., are stored off-site
Verify that disaster recovery team knows its responsibilities
◦ Check frequency of testing DRP
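The critical-application review and the off-site currency check above can be expressed as one reconciliation of the critical list against an off-site storage inventory. This is an added example, not code from the textbook; the inventory tuple layout, location labels, the seven-day currency limit for database copies and the sample applications are constructed assumptions, while the three required copy kinds come from the chapter's backup slide.

```python
from datetime import datetime, timedelta

# Copies the chapter says must be held off-site for each critical application.
REQUIRED_COPIES = ("database", "application", "documentation")

def drp_backup_findings(critical_apps, offsite_inventory, as_of, max_age):
    """Check the critical-application list against the off-site inventory.
    critical_apps: {app: restore priority}; offsite_inventory: (app, copy kind,
    taken at, location) tuples; max_age: {copy kind: timedelta} for currency."""
    findings = []
    latest = {}  # newest genuinely off-site copy per (app, kind)
    for app, kind, taken_at, location in offsite_inventory:
        if location == "on-site":
            continue  # a copy kept in the computer center does not count
        if (app, kind) not in latest or taken_at > latest[(app, kind)]:
            latest[(app, kind)] = taken_at
    for app in sorted(critical_apps, key=critical_apps.get):  # restore order
        for kind in REQUIRED_COPIES:
            when = latest.get((app, kind))
            if when is None:
                findings.append(f"{app}: no off-site {kind} copy")
            elif kind in max_age and as_of - when > max_age[kind]:
                findings.append(f"{app}: off-site {kind} copy is {(as_of - when).days} days old")
    for app in sorted({row[0] for row in offsite_inventory} - set(critical_apps)):
        findings.append(f"{app}: backed up off-site but not on the critical list (is the list current?)")
    return findings

# Constructed sample data: three critical applications and an inventory extract.
CRITICAL = {"general_ledger": 1, "payroll": 2, "order_entry": 3}
AS_OF = datetime(2024, 3, 5)
MAX_AGE = {"database": timedelta(days=7)}  # application/documentation copies only need to exist
INVENTORY = [
    ("general_ledger", "database", datetime(2024, 3, 4), "offsite-vault"),
    ("general_ledger", "application", datetime(2024, 2, 1), "offsite-vault"),
    ("general_ledger", "documentation", datetime(2024, 1, 15), "offsite-vault"),
    ("payroll", "database", datetime(2024, 2, 20), "offsite-vault"),  # stale
    ("payroll", "application", datetime(2024, 3, 1), "on-site"),      # not off-site
    ("payroll", "documentation", datetime(2024, 2, 20), "offsite-vault"),
    ("order_entry", "database", datetime(2024, 3, 4), "offsite-vault"),
    ("inventory_legacy", "database", datetime(2024, 3, 4), "offsite-vault"),
]
```

Findings come out in restore-priority order, so the gaps that would block the first applications the DRP restores are listed first.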