Chapter14 - Auditing IT Controls Part 1 - BSA2A

The document provides an overview of external auditing, including the roles and responsibilities of external auditors, financial audit components, auditing standards, and the structure of an audit. It discusses how external auditors are independent of clients and evaluate financial statements and internal controls. Audits are guided by Generally Accepted Auditing Standards (GAAS) and authoritative rules from organizations like the SEC, FASB, and AICPA. The audit process typically involves three phases - planning, testing of controls, and substantive testing to gather evidence. IT audits also evaluate an organization's IT infrastructure, policies, and operations.

Uploaded by

jejela

Chapter 14

Auditing IT Controls Part I: Sarbanes-Oxley and IT Governance

Overview of Auditing
 External Auditor
-is a public accountant who conducts audits, reviews, and other work for his or her clients.
-is independent of all clients, and so is in a good position to make an impartial evaluation of
the financial statements and systems of internal control of those clients.

 Objective
-assuring the fair representation of financial statements
-these audits are called Financial Audits

 Securities and Exchange Commission (SEC)
-requires all publicly traded companies to be subject to a financial audit annually

 CPA
-represents the interests of outsiders
-role is to collect and evaluate evidence and render an opinion

 Independence
-which a CPA should have
-as with a judge, the CPA must remain independent in his/her deliberations

External auditors follow strict rules in conducting financial audits. These authoritative rules have
been defined by the SEC, FASB, AICPA, and by federal law (Sarbanes-Oxley Act of 2002).

Example:

AICPA rules state that an accountant’s independence will be impaired if the accountant:

-makes investment decisions on behalf of audit clients or otherwise has discretionary authority over
an audit client’s investments.

-executes a transaction to buy or sell an audit client’s investment.

-has custody of assets of the audit client, such as taking temporary possession of securities
purchased by the audit client.

Financial Audit Components

The product of the attestation function is a formal written report that expresses an opinion as
to whether the financial statements are in conformity with GAAP. Auditors are guided in their
professional responsibility by the 10 GAAS standards.

Generally Accepted Auditing Standards

General Standards
 The auditor must have adequate technical training and proficiency
 The auditor must have independence of mental attitude
 The auditor must exercise due professional care in the performance of the audit and the
preparation of the report

Standards of Field Work
 Audit work must be adequately planned
 The auditor must gain a sufficient understanding of the internal control structure
 The auditor must obtain sufficient, competent evidence

Reporting Standards
 The auditor must state in the report whether financial statements were prepared in
accordance with GAAP
 The report must identify those circumstances in which GAAP are not applied
 The report must identify any items that do not have adequate informative disclosures
 The report shall contain an expression of the auditor’s opinion on the financial statements
as a whole

Auditing Standards
are divided into 3 classes: General Qualification Standards, Field Work Standards, and
Reporting Standards. Although GAAS establishes the framework for prescribing auditor
performance, it is not sufficiently detailed to provide meaningful guidance in specific circumstances.

For specific guidance, the AICPA issues Statements on Auditing Standards (SASs) as
authoritative interpretations of GAAS.

 SAS
-the first SAS was issued by the AICPA in 1972
-provide auditors with guidance on a spectrum of topics, including methods of investigating
new clients, procedures for collecting information from attorneys regarding contingent
liability claims against clients, and techniques for obtaining background information on the
client’s industry
-are regarded as authoritative pronouncements because every member of the profession must
follow their recommendations or be able to show why a SAS does not apply in a given
situation

Structure of an Audit
Conducting an audit is a systematic and logical process that consists of three conceptual
phases: Audit Planning, Tests of Controls, and Substantive Testing.
 IT Audit-is the examination and evaluation of an organization's information technology
infrastructure, policies, and operations. Information technology audits determine whether IT
controls protect corporate assets, ensure data integrity, and are aligned with the business's
overall goals.

1. Audit Planning
-first phase
-before the auditor can determine the nature and extent of the tests to be performed, he or
she must gain a thorough understanding of the client’s business
-the auditor’s objective at this point is to obtain sufficient information about the firm to plan the
other phases of the audit

2. Tests of Controls
-the objective of this phase is to determine whether adequate internal controls are in place and
functioning properly
-evidence-gathering techniques used in this phase include both manual techniques and
specialized computer audit techniques (Chapter 16)
-the auditor assesses the quality of the internal controls by assigning a level of control risk

3. Substantive Testing
-focuses on gathering evidence pertaining to financial data
-involves a detailed investigation of specific account balances and transactions through what
are called substantive tests
-these tend to be physical, labor-intensive activities such as counting cash, counting inventories in
a warehouse, and verifying the existence of stock certificates in a safe
-much of the data needed to perform substantive tests is stored in digital form in data files
and must be extracted using CAATTs software (Computer-Assisted Audit Tools and
Techniques)

The nature (what to examine), timing (when to examine), and extent (how many items to
examine) of substantive tests are audit decisions that are driven by the concepts of
Management Assertions and Audit Risk.
 Management Assertions – are claims made by management regarding the content of the
issued financial statements. Through substantive procedures, auditors gather evidence to
test the validity of management assertions, which fall into the following general categories:
1. Assertions about classes of transaction and events for the period under audit
a. Occurrence
b. Completeness
c. Accuracy
d. Cutoff
e. Classification
2. Assertions about account balances at the period end
a. Existence
b. Rights and obligation
c. Completeness
d. Valuation and allocation
3. Assertions about presentation and disclosure
a. Occurrence
b. Completeness
c. Classification and understandability
d. Accuracy and valuation

The auditors develop Audit Objectives and design Audit Procedures to gather evidence that
corroborates or refutes management’s assertions.

This table shows the relationship between management’s assertions, audit objectives, and audit
procedures

 Audit Risk – is the probability that the auditor will render an unqualified (clean) opinion on
financial statements that are, in fact, materially misstated because of undetected errors or
irregularities or both

Audit Risk Components

The auditor’s objective is to achieve a level of audit risk that is acceptable to the
auditor. The auditor estimates acceptable audit risk (AR) based on the ex ante value of the
components of the audit risk model – Inherent Risk, Control Risk, and Detection Risk.

1. Inherent Risk (IR)
-is associated with the unique characteristics of the business or industry of the client
-is the risk posed by an error or omission in a financial statement due to a factor other
than a failure of internal control
-is most likely to occur when transactions are complex, or in situations that require a
high degree of judgment in regard to financial estimates
2. Control Risk (CR)
-is the likelihood that the control structure is flawed because controls are either absent
or inadequate to prevent or detect errors in the accounts
-Example page 590
3. Detection Risk (DR)
-is the risk that auditors are willing to take that errors not detected or prevented by the
control structure will also go undetected by the auditor as he or she performs substantive
tests
-auditors predetermine an acceptable level of detection risk (called planned detection
risk), which influences the level of substantive testing that they must perform
Audit Risk Model
AR = IR × CR × DR
Audit Report
-includes an opinion on the fair presentation of the financial statements and an opinion on
the quality of internal controls over financial reporting

Overview of SOX Sections 302 and 404

SOX of 2002 established corporate governance regulations and standards for public
companies registered with the SEC. The following two chapters concentrate on internal control and
audit responsibilities pursuant to Sections 302 and 404.

Section 302 requires corporate management, including the CEO, to certify financial and other
information contained in the organization’s quarterly and annual reports (and also the internal
controls over financial reporting). Its purpose is to provide reasonable assurance as to the reliability
of the financial reporting process.

Section 404 requires the management of public companies to assess the effectiveness of
their organization’s internal control over financial reporting. Under this section of the act,
management is required to provide an annual report addressing the following points:

1. Describe the flow of transactions
2. Use a risk-based approach
3. Assess the potential for fraud in the system
4. Evaluate and conclude on the adequacy of controls
5. Evaluate entity-wide (general) controls

Relationship between IT Controls and Financial Reporting

Information technology drives the financial reporting processes of modern organizations.
Automated systems initiate, authorize, record, and report the effects of financial transactions. The
COSO model identifies two broad groupings of IT control: Application controls and General controls.
Application controls are designed to be application specific. Examples include the following:
 A cash disbursements batch balancing routine that verifies that the total payments to
vendors reconcile with the total postings to the accounts payable subsidiary ledger
 An AR check digit procedure that validates customer account numbers on sales transactions
 A payroll system limit check that identifies employee time card records with reported hours
worked in excess of the predetermined normal limit
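The three application controls listed above, implemented as an added example that is not code from the chapter: the check-digit scheme (a mod-10 Luhn digit), the 60-hour normal limit, and all sample amounts, account numbers and time cards are assumed for illustration.

```python
"""Batch balancing, check-digit validation and limit check as small, testable routines.
The mod-10 scheme, the hours limit and the sample data are all assumed (constructed)."""


def batch_balances(vendor_payments, ap_postings):
    """Batch balancing: total payments to vendors must equal total postings to the
    accounts payable subsidiary ledger. Amounts are integer cents to avoid float drift."""
    return sum(vendor_payments) == sum(ap_postings)


def luhn_check_digit(body: str) -> int:
    """Mod-10 (Luhn) check digit for the digits in `body` (assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting with the rightmost
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def valid_account_number(acct: str) -> bool:
    """Check-digit procedure: the last digit must equal the digit computed from the rest.
    This catches any single mistyped digit and most adjacent transpositions."""
    if not acct.isdigit() or len(acct) < 2:
        return False
    return luhn_check_digit(acct[:-1]) == int(acct[-1])


NORMAL_HOURS_LIMIT = 60.0  # assumed predetermined normal limit for one pay period


def flag_excess_hours(timecards, limit=NORMAL_HOURS_LIMIT):
    """Limit check: return (employee, hours) for every time card above the limit."""
    return [(emp, hours) for emp, hours in timecards if hours > limit]


# Constructed sample data (cents for amounts, hours for time cards)
PAYMENTS = [125_000, 43_050, 9_999]
AP_POSTINGS_OK = [125_000, 43_050, 9_999]
AP_POSTINGS_SHORT = [125_000, 43_050]  # one posting missing from the ledger
TIMECARDS = [("E100", 40.0), ("E101", 62.5), ("E102", 60.0)]

if __name__ == "__main__":
    print("batch balanced:", batch_balances(PAYMENTS, AP_POSTINGS_OK))
    print("batch short:   ", batch_balances(PAYMENTS, AP_POSTINGS_SHORT))
    print("account ok:    ", valid_account_number("79927398713"))
    print("transposed:    ", valid_account_number("79927398731"))
    print("excess hours:  ", flag_excess_hours(TIMECARDS))
```

Each routine returns an exception rather than silently correcting the input, which is what an auditor testing the control would expect to see logged.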

Audit Implications of Sections 302 and 404

Prior to SOX, external auditors were not required to test internal controls as part of their
attest function. They were, however, required to be familiar with the client organization’s internal
controls.

SOX legislation dramatically expands the role of external auditors by mandating that they
attest to the quality of internal control; this constitutes the issuance of a separate audit opinion in
addition to the opinion on the fairness of the financial statements.

As part of this attestation responsibility, PCAOB Standard No. 5 specifically requires auditors to
understand transaction flows, including the controls pertaining to how transactions are initiated,
authorized, recorded, and reported. The reliability of application controls rests on the IT general
controls that support them; these include controls over access to databases, operating systems, and
networks.

IT control relationship

Compliance with Section 404 requires management to provide the external auditor with
documented evidence of functioning controls related to the selected material accounts in its report on
control effectiveness.

Section 302 also carries significant auditor implications. Specifically, auditors must perform
the following procedures quarterly to identify any material modifications in controls over financial
reporting:

 Interview management regarding any significant changes
 Evaluate the implications of misstatements
 Determine whether changes in internal controls are likely to materially affect
internal control over financial reporting

Management is responsible for implementing such controls, and auditors are specifically
required to test them. Because computers lie at the heart of the modern organization’s
accounting and financial reporting system, the topic of computer fraud falls within the
management and audit responsibilities specified by SOX. The following section deals with
several computer fraud issues.

Computer Fraud

Regardless of how narrowly or broadly computer fraud is defined, it is a rapidly growing
phenomenon. For the purpose of our discussion, computer frauds include the following:

 The theft, misuse, or misappropriation of assets by altering computer-readable records and
files
 The theft, misuse, or misappropriation of assets by altering the logic of computer software
 The theft or illegal use of computer-readable information
 The theft, corruption, illegal copying, or intentional destruction of computer software
 The theft, misuse, or misappropriation of computer hardware

The General Model for Accounting Information Systems conceptually portrays the key stages of
an information system. In this section, we examine only the general nature of the risk at each stage;
specific control techniques needed to reduce the risk.

DATA COLLECTION

-is the first operational stage in the information system
-its objective is to ensure that event data entering the system are valid, complete, and free from
material error
-is the most important stage in the system

DATA PROCESSING

-includes mathematical algorithms used for production scheduling applications, statistical
techniques for sales forecasting, and posting and summarizing procedures used for accounting
applications
-data processing fraud falls into two classes: Program Fraud and Operations Fraud

 Program Fraud
(1) Creating illegal programs
(2) Destroying or corrupting a program’s logic
(3) Altering program logic
 Operations Fraud
-is the misuse or theft of the firm’s computer resources
-often involves using the computer to conduct personal business

DATABASE MANAGEMENT

The organization’s database is its physical repository for financial and non-financial data.
Database management fraud includes altering, deleting, corrupting, destroying, or stealing an
organization’s data.

INFORMATION GENERATION

-is the process of compiling, arranging, formatting, and presenting information to users

IT Governance Controls
-is a broad concept relating to the decision rights and accountability for encouraging
desirable behavior in the use of IT. In this chapter, we consider three governance issues: the
organizational structure of the IT function, computer operations, and disaster recovery planning.

Organizational Structure Controls

Operational tasks should be separated to:

1. Segregate the task of transaction authorization from transaction processing
2. Segregate record keeping from asset custody
3. Divide transaction-processing tasks among individuals so that fraud will require collusion
between two or more individuals

SEGREGATION OF DUTIES WITHIN THE CENTRALIZED FIRM

Organizational chart of a centralized IT function

 Separating Systems Development from Computer Operations
-segregation of systems development (both new systems development and maintenance) and
operations activities is of great importance
-these groups should not be commingled

 Separating the Database Administrator from Other Functions
-another important organizational control is the segregation of the database administrator
(DBA) function from other IT functions
Separating the DBA from Systems Development
Programmers create applications that access, update, and retrieve data from the
database. As discussed in Chapter 9, database access control is achieved through the creation of
user views, which is a DBA responsibility.

 Separating New Systems Development from Maintenance

Some companies organize their systems development into two groups: Systems Analysis and
Programming.

Although a popular arrangement, this approach promotes two potential problems:
Inadequate Documentation and Program Fraud.

Inadequate Documentation
Poor-quality systems documentation is a chronic IT problem and a significant
challenge for many organizations seeking SOX compliance.
Program Fraud
When the original programmer of a system is also assigned maintenance
responsibility, the potential for fraud is increased. Program fraud involves making unauthorized
changes to program modules for the purpose of committing an illegal act.
A Superior Structure for Systems Development
New Systems Development is responsible for designing, programming, and
implementing new systems projects.
Systems Maintenance is responsible for the system’s ongoing maintenance upon
successful implementation.
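A segregation-of-duties conflict check covering the separations listed in the two sections above (authorization/processing, record keeping/custody, systems development/operations, DBA/development, new development/maintenance), added here as an example and not taken from the chapter; the duty labels and the user assignments are constructed.

```python
"""Flag users who hold duties the chapter says must be segregated.
Duty labels and the sample assignments are assumed for illustration."""

from itertools import combinations

# Pairs of duties that one person should not hold together (assumed labels)
CONFLICTING_DUTIES = {
    frozenset({"transaction_authorization", "transaction_processing"}),
    frozenset({"record_keeping", "asset_custody"}),
    frozenset({"new_systems_development", "computer_operations"}),
    frozenset({"systems_maintenance", "computer_operations"}),
    frozenset({"database_administration", "new_systems_development"}),
    frozenset({"database_administration", "systems_maintenance"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
}


def sod_violations(assignments):
    """assignments: {user: set of duty labels}.
    Returns sorted (user, duty_a, duty_b) triples, one per conflicting pair held
    by a single user, so every finding is attributable to a specific person."""
    found = []
    for user, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTING_DUTIES:
                found.append((user, a, b))
    return sorted(found)


def users_needed_to_collude(assignments, duties_for_fraud):
    """Smallest number of users whose combined duties cover `duties_for_fraud`.
    A value of 1 means one person can complete the fraud alone (control failure)."""
    users = list(assignments)
    needed = set(duties_for_fraud)
    for size in range(1, len(users) + 1):
        for group in combinations(users, size):
            if needed <= set().union(*(assignments[u] for u in group)):
                return size
    return None  # nobody, even jointly, holds all the duties


# Constructed sample: alice is clean, bob/carol/dave each hold a conflicting pair
SAMPLE_ASSIGNMENTS = {
    "alice": {"transaction_authorization", "record_keeping"},
    "bob": {"new_systems_development", "computer_operations"},
    "carol": {"new_systems_development", "systems_maintenance", "asset_custody"},
    "dave": {"record_keeping", "asset_custody"},
}
```

Run `sod_violations(SAMPLE_ASSIGNMENTS)` on real role exports to get the exception list an auditor would test against the organizational chart.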

The Distributed Model

An alternative to the centralized model is the concept of distributed data
processing (DDP). DDP involves reorganizing the IT function into small units that are distributed to
end users and placed under their control.

Advantages of DDP

1. Cost Reduction- powerful yet inexpensive small-scale computer systems, which can cost-
effectively perform specialized functions, have changed the economics of data processing
dramatically.
