Activity 2 - Auditing IT Governance Control


AUDITING IT GOVERNANCE CONTROLS

ACTIVITY No. 2
Chelsa Mae S. Antonio
BSA 4204

I. INTERNAL CONTROL

Conducting an internal audit, you review and examine the systems, processes, procedures, and internal
controls of Steeplechase Enterprises and find the following practices. The modernization of the data processing system
used at Steeplechase had a significant impact on customers' billing and shipping records. Instead of a single operator,
several behind-the-scenes computer operators were each assigned a permanent position in a specific accounts
receivable, billing, or shipment function. All three computer operators have the function of running the transaction
processing programs, enhancing the system's software, and reviewing the electronic logbook. To make certain that no
single system operator has access to the tapes and documents alone, these three computer operators swap their duties
every two weeks among themselves to release, hold, and create records. Cards carrying magnetic stripes and numbers as
a digital code are used for access control to the computer for every operator. As for the security of the computer
room, neither the systems analyst nor the computer operations supervisor has access.

Documentation for the EDP system consists of layouts of data records, sample program listings, logs, and
error recordings. The accounting department receives the shipping information every time goods leave any of
Steeplechase's three warehouses, as the warehouse personnel inform the accounting department about the
departure. The document received by the billing clerk and placed in the manual sequence of shipping documents is
the shipping notice. Further investigation occurs when notices are missing. The billing clerk (who is located offsite)
prices the respective items and creates an invoice along with adding machine tape copies of the daily totals of shipped
units and sales. The shipping notices and the related sales tapes are directed to the computer department for data
processing. The computer run produces a two-copy invoice, a remittance advice, and a daily sales journal. Both the
invoices and the remittance advice are forwarded to the billing clerk; one copy is then sent to the customer and the
other is kept in the open invoice file, which serves as the record for accounts receivable. The sales journal reveals the
daily total number of shipped units and the corresponding sales amounts.

Required:
● Identify the control weaknesses present and make a specific recommendation for correcting each of them.

(1) Weakness: The use of one computer operator for each role (accounts receivable, billing, and shipping)
presents the opportunity for collusion and the possibility that errors or fraud pass unnoticed.

Recommendation: Ensure adequate segregation of duties. Individuals responsible for transaction processing should
not be the ones granted the right to change the programs or to access the system logs used for reconciliation. It
would also be good to interchange the positions among qualified personnel from time to time to minimize
exposure to fraud and discourage careless errors.

(2) Weakness: Denying the systems analyst and the computer operations supervisor access to the computer room
leaves the system without management oversight and increases the chances of the set rules being broken.

Recommendation: Provide appropriate access credentials for the computer operations supervisor and the
systems analyst so that they can check on personnel in the computer room and review access logs regularly. The
authority of the supervisor is a tool for preserving the security and integrity of the computer system.

(3) Weakness: While weekly rotation of tasks is a reasonable policy, the absence of more frequent rotation
may not decrease the risk adequately.

Recommendation: To further lessen the chances of unauthorized access or tampering, the frequency of the
day-to-day tasks of changing tapes and archiving records should be increased to a weekly or even daily basis.
Frequent change prevents any one operator from accumulating entrenched authority over a function, which a
slower rotation allows.
(4) Weakness: Making the magnetic tapes and documentation available only to the computer operators creates
a potential for malicious access to or tampering with the information.

Recommendation: Introduce more stringent precautions by limiting the magnetic tapes and documentation to
those that professionally trained and authorized personnel need for the requirements of their job. Furthermore,
adding dual authorization or supervisory verification for these critical tasks would promote transparency and
oversight as well.

(5) Weakness: The manual entry of shipping notices, machine tapes, and other data from scratch leads to
errors, omissions, and manipulation.

Recommendation: Automate data entry wherever it can be implemented so that there is less manual
involvement and fewer points of risk. Moreover, controls such as barcode scanning or electronic data interchange
(EDI) can be installed to make the transfer of information between the warehouse and accounting easier, thus
reducing dependence on manual handling and increasing accuracy.

(6) Weakness: Manual reconciliation of adding machine tape totals against computer-generated sums increases
the chance that the final sum is inaccurate, and the mistake may go undetected.

Recommendation: Use automated reconciliation processes or purchase third-party software tools that compare
data from various sources (e.g., adding machine tape totals versus computer-generated totals) and highlight any
differences for additional analysis. Such a control will be instrumental in securing the reliability and correctness of
financial records.
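The automated reconciliation recommended above, written here as an added example that is not part of the original activity: it recomputes daily totals from the individual shipping notices, compares them with the adding machine tape and the computer-generated sales journal, and lists gaps in the shipping notice sequence. The field names and sample figures are constructed assumptions.

```python
"""Automated three-way reconciliation of the Steeplechase billing data.
Added example, not part of the original activity: the shipping notices,
adding-machine tape totals and sales journal rows are constructed sample
data, and every field name here is an assumption."""
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class ShippingNotice:
    number: int       # pre-numbered notice from one of the three warehouses
    date: str
    units: int
    amount: Decimal   # priced by the offsite billing clerk

# Constructed: one day's shipping notices as keyed in by the billing clerk.
NOTICES = [
    ShippingNotice(1001, "2024-03-04", 40, Decimal("1200.00")),
    ShippingNotice(1002, "2024-03-04", 15, Decimal("450.00")),
    ShippingNotice(1004, "2024-03-04", 60, Decimal("1800.00")),  # 1003 absent
]
# Constructed: the clerk's adding-machine tape totals, (units, sales) per day.
TAPE_TOTALS = {"2024-03-04": (115, Decimal("3450.00"))}
# Constructed: the computer-generated daily sales journal; its unit count
# disagrees with the tape, simulating a keying error in the computer run.
SALES_JOURNAL = {"2024-03-04": (105, Decimal("3450.00"))}

def sequence_gaps(notices):
    """Notice numbers missing from the run, each of which needs investigation."""
    numbers = sorted(n.number for n in notices)
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]

def totals_by_date(notices):
    """Recompute per-day units and sales independently from the notices."""
    totals = {}
    for n in notices:
        units, amount = totals.get(n.date, (0, Decimal("0")))
        totals[n.date] = (units + n.units, amount + n.amount)
    return totals

def reconcile(notices, tape, journal):
    """Compare the three sources day by day; any disagreement is an exception."""
    recomputed = totals_by_date(notices)
    exceptions = []
    for date in sorted(set(tape) | set(journal) | set(recomputed)):
        sources = {"notices": recomputed.get(date),
                   "tape": tape.get(date),
                   "journal": journal.get(date)}
        if len(set(sources.values())) > 1:   # all three must agree exactly
            exceptions.append((date, sources))
    return exceptions

if __name__ == "__main__":
    print("missing notices:", sequence_gaps(NOTICES))
    for date, sources in reconcile(NOTICES, TAPE_TOTALS, SALES_JOURNAL):
        print(date, "does not agree:", sources)
```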

II. DISASTER RECOVERY PLANNING CONTROVERSY

The relevance of a disaster recovery plan (DRP) to a financial audit is a matter of debate. Some argue that the
existence of a DRP is irrelevant to the audit. Others argue that it is an important control that needs to be considered
in the assessment of internal control.
Required:

Argue both sides of this debate.


1. Provide a logical argument as to why a DRP should not be considered in the audit.

The main argument against including the Disaster Recovery Plan (DRP) in the financial audit process
rests on a few key reasons, all of which support the idea that the existence of this plan has no bearing on the
audit.

Firstly, a DRP is mostly concerned with business continuity and disaster recovery; its impact on
financial reporting is only secondary. The main purpose of a financial audit is to assess compliance with
accounting standards and the consistency and objectivity of the financial statements issued by an organization.
It does not in itself depend on the presence or quality of a robust recovery plan, and the same accounting
statements are presented with or without such a plan. Accordingly, auditors may argue that their proper focus is
the transactions, controls, and reporting processes, with management judgments lying beyond the scope of their
assessment.

Apart from that, the validity of the DRP can be a difficult, subjective matter to evaluate. A DRP always
involves IT-related details such as the IT infrastructure, data backup procedures, disaster recovery procedures,
and emergency response plans. Auditors may find gaps in their knowledge and experience of the DRP that leave
them unable to evaluate its technical aspects in detail. This may create confusion about the relevance and
accuracy of the audit conclusions, casting significant doubt on the reliability of the audit. Besides, the relevance
of the DRP to the audit varies depending on the type of organization and the extent to which information
technology systems are involved in financial reporting. For some businesses, for example those that rely on few
technology systems or operate in secure environments, a DRP has a limited impact on the assessment of internal
controls over financial reporting. In such situations, auditors would argue that resources should be directed
towards areas with an unquestionable impact on financial statement integrity.

2. Argue why a DRP is an important control and should be reviewed within the conduct of a financial audit.

The case for auditing the Disaster Recovery Plan (DRP) rests on acknowledging its pivotal role as an
effective control mechanism for operational continuity, the safety of assets, and the integrity of financial
reporting. Several focal factors that underscore the need for a DRP review come to light in the conduct of a
financial audit.

In any case, a DRP is an important instrument for dealing with operational risks and with those that may
cause the business to fail as a result of disruptions such as natural disasters, cyberattacks, or system malfunction.
The plan outlines the specific actions and steps necessary for responding to emergencies and restoring important
business functions. Through this, the organization can minimize the negative effects of disruptions on its
operational and financial systems. An audit of a DRP includes an examination of the structure and effectiveness
of the DRP framework, as well as an assessment of the entity's readiness to face unforeseen events that might
compromise accurate financial reporting to the point where the framework would fail.

Moreover, the reliability and credibility of financial information depend crucially on the availability,
confidentiality, and accuracy of data and IT systems. The underlying DRP dimensions comprise keeping data
backed up, restoring it, and making sure that systems of financial importance are recovered within the specified
time frame when a disaster strikes or the system suffers an outage. Auditors ought to evaluate the effectiveness
of these steps against the benchmark of a continuing process of recording financial reports and the
organization's ability to maintain uninterrupted data quality in adverse circumstances. Overlooking DRP
considerations in the planning and execution of audit procedures may allow misstatements or inaccuracies to
arise that lead to discrepancies in financial statements.

On the other side, regulatory requirements and industry standards may at times call for Disaster
Recovery Plans as part of comprehensive Governance, Risk Management, and Compliance regimes. The
Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB)
often give companies procedures under the Disaster Recovery Plan (DRP) which describe compliance with such
guidelines and disclosure of their disaster preparedness to the public. Apart from auditing DRP compliance,
auditors must check whether the procedures defined in the DRPs meet the regulatory requirements and whether
they are functioning to attain the predetermined goals. Beyond conformance with the framework, the effect of
DRPs extends to internal control and corporate governance principles. Organizations must strengthen their
disaster recovery plan by working in a coordinated manner across functional departments, for instance
information technology, finance, operations, and risk management, as this creates a collaborative environment in
which employees work towards a common goal. One way of gaining such insight is to include the DRP review as
part of the financial audit process, whereby role segregation, system and data access controls, and monitoring
mechanisms will be strengthened.

III. ADVANTAGES AND DISADVANTAGES

Discuss the advantages and disadvantages of the second site backup options.

ADVANTAGES

Redundancy and Data Protection: Maintaining backups offsite provides second-site redundancy and protects against
loss of data from disasters such as fire, flood, or theft at either the original or the secondary store. If a disastrous
failure or shutdown happens at the main site, the data and systems can be recovered at the offsite backup location in
time, which helps to eliminate downtime and maintain business continuity.

Geographic Diversity: Backups are often kept at sites in different geographical locations from the main site, which
reduces the chance of the same disaster striking both sites at once. This dispersion across several areas improves
resilience and keeps data reachable even if one region is hit by a local hazard.

Compliance and Regulatory Requirements: Many businesses and regulators require companies to hold offsite backups
so that the most pressing data protection and disaster recovery problems can be addressed. A second-site backup
scheme can be designed so that all personal data security requirements are fulfilled and organizations can
demonstrate due care.

Scalability and Flexibility: Second backup sites can be tuned to specific needs as well as to the size of the
organization. For instance, real-time replication of data is available for organizations that need it, while others can
perform periodic backups, with frequency and granularity set according to their recovery objectives and resource
constraints.

DISADVANTAGES

Cost: Installing a peer-to-peer system and managing a second-site backup system require money, so this is
challenging for organizations that are under-resourced or have limited budgets. Costs range from infrastructure
investment and network connectivity to periodic maintenance and periodic testing of the recovery plans.

Complexity: Managing a second-site backup facility can complicate the organization's IT topography. The recovery
plan requires cooperation between different departments, seamless data synchronization between the sites, and
periodic tests, held regularly, to determine backup usability and restoration progress in case of a catastrophe.

Data Transfer and Latency: Replicating data over a wide area network (WAN) to an outside site can suffer from high
latency and delay, which is a particular problem for organizations with large datasets or tight requirements for
real-time replication. Ensuring that there is enough bandwidth and that the network transfers data at a high rate
helps to reduce these delays.

Security Risks: One possible threat is unauthorized access while data is being transferred or used. Furthermore,
channeling data to an external location poses an additional risk, and there might also be a security breach at the
off-site backup server. Strong encryption, access control, and monitoring mechanisms, among other measures, are
therefore integral to protecting the data held at the secondary site in any organization's IT infrastructure.

Dependency on Service Providers: Organizations that rely on third-party service providers for site backup may be
exposed to vendor reliability risks, service outages, and disputes over contract terms. It is necessary to go through
the SLAs thoroughly and make sure vendors meet the security, regulatory, and performance requirements as well.

IV. SEGREGATION OF DUTIES

The management believes that a job rotation deters employees from feeling that they are stagnating in their jobs
and promotes a better understanding of the company. An IT employee may work for six months as a data librarian,
one year as a system developer, one year as a database administrator, and one year in system maintenance.

Required:
● Discuss the importance of separation of duties within the information system department.

Segregation of responsibilities within the information systems department is essential for maintaining
robust internal controls and for identifying and dealing with the risks that endanger the integrity, confidentiality, and
availability of the organization's data and systems. It is essential to prevent any one person from holding all the
responsibility for crucial procedures, and it prevents fraud, systematic errors, and dishonest users tampering with the
automated ledger or system for personal advantage. Aside from that, having different people responsible for
different areas of system operation means that suspicious activity can be traced to the offender in a straightforward
way. As an illustration, if one person submits the data and another reviews it, inconsistencies in the data will be
detected more easily.

Moreover, the principle of segregation of duties helps to identify and tackle conflicts of interest where two or
more individuals may be engaged in roles that conflict or have access to valuable information. Segregation creates
accountability in the information systems department through a clear description of the roles and responsibilities of
everyone within the departmental team. Thus there is better control and supervision of operations, and employees
can be held responsible for the particular actions they have taken. Lastly, distributing the workload among different
people throughout the organization helps avoid single points of failure and mitigates the scope for errors such as
omissions, mistakes, or security breaches. It is therefore a method that strengthens information system operations.

● How does the management have both job rotation and well-separated duties?

Management can have both job rotation and well-separated duties through several methods. Employees need to
know which duties they may perform in each role and what is or is not their authority in that role. A job rotation
plan may be a suitable solution, allowing employees to move from one position to another in a structured rotation
scheme that ensures each employee spends enough time in each position. The optimal length of each rotation should
be considered so that the alternation of jobs provides variety while preserving continuity and clear tasks within
specific positions. In addition, management can strictly document the access controls and finely tune each
employee's entitlements during rotations, making certain that employees know their roles and that privileges are
granted and revoked appropriately at each shift. Another way is to provide adequate staffing and training so that
staff can quickly take on new jobs and conduct their tasks efficiently, for example through mentorship programs,
role model forums, and support services that help knowledge sharing and skills training across functional areas. Most
importantly, management should provide supervisory oversight and monitoring tools to check adherence to the
separation of duties and to identify any conflicts of interest and unauthorized activities. Supervisors must conduct
periodic reviews and assessments of employee activities and take corrective action in accordance with the
established procedures.
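A monitoring check of the kind described above, as an added example that is not part of the original activity: it reads the rotation plan and an export of live entitlements, reports privileges left over from an employee's previous role, and flags anyone whose live access spans two conflicting roles. The four roles are those named in the case; the entitlement matrix, the conflicting pairs and the roster are constructed assumptions.

```python
"""Segregation-of-duties check for a rotating IT roster.
Added example, not part of the original activity: the four roles are the ones
named in the case, but the entitlement matrix, the conflicting role pairs and
the roster below are constructed assumptions for illustration."""
from itertools import combinations

# Assumed privileges each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "data_librarian":     {"tape_library_checkout"},
    "system_developer":   {"source_repo_write", "test_env_admin"},
    "database_admin":     {"db_schema_admin", "db_prod_read"},
    "system_maintenance": {"prod_deploy", "prod_program_change"},
}

# Assumed incompatible pairs: one person holding both could, for example,
# write a program change and also push it to production unreviewed.
CONFLICTING_ROLES = {
    frozenset({"system_developer", "system_maintenance"}),
    frozenset({"database_admin", "system_maintenance"}),
    frozenset({"data_librarian", "system_maintenance"}),
}

# Constructed roster: (employee, period, role) as the rotation plan states it.
ROTATION = [
    ("alice", "2023H1", "data_librarian"),
    ("alice", "2023H2", "system_developer"),
    ("alice", "2024H1", "system_maintenance"),
    ("bob",   "2024H1", "database_admin"),
]
# Constructed access-control export for the current period. Alice's developer
# right was not revoked when she rotated, so she now spans two conflicting roles.
LIVE_ENTITLEMENTS = {
    ("alice", "2024H1"): {"prod_deploy", "prod_program_change", "source_repo_write"},
    ("bob",   "2024H1"): {"db_schema_admin", "db_prod_read"},
}

def roles_implied(privileges):
    """Every role whose entitlements overlap the privileges actually held."""
    return {role for role, need in ROLE_ENTITLEMENTS.items() if privileges & need}

def sod_violations(live):
    """(employee, period, role pair) wherever live access spans a conflicting pair."""
    findings = []
    for (emp, period), privs in live.items():
        for pair in combinations(sorted(roles_implied(privs)), 2):
            if frozenset(pair) in CONFLICTING_ROLES:
                findings.append((emp, period, pair))
    return findings

def stale_privileges(rotation, live):
    """Privileges still live that the employee's current role does not need."""
    current = {(emp, period): role for emp, period, role in rotation}
    stale = {}
    for key, privs in live.items():
        extra = privs - ROLE_ENTITLEMENTS[current[key]]
        if extra:
            stale[key] = extra
    return stale
```

Run against each period's access export after a rotation; an empty result from both functions shows that revocation kept pace with the rotation plan.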
