Chapter 15 IT Controls Part I: Sarbanes Oxley & IT Governance

Chapter15
ITControlsPartI:
SarbanesOxley&
ITGovernance
Accounting Information Systems, 7e

James A. Hall
Hall, Accounting Information Systems, 7e
2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Objectives for Chapter 15
Understand the key features of Sections 302 and 404
of the Sarbanes-Oxley Act.
Understand management and auditor responsibilities
under Sections 302 and 404.
Understand the risks of incompatible functions and how
to structure the IT function.
Be familiar with the controls and precautions required
to ensure the security of an organizations computer
facilities.
Understand the key elements of a disaster recovery
plan.
Be familiar with the benefits, risks and audit issues
related to IT Outsourcing.
Hall, Accounting Information Systems, 7e 2
Sarbanes-Oxley Act
The 2002 Sarbanes-Oxley (SOX) Act
established new corporate governance rules
Created company accounting oversight board
Increased accountability for company officers
and board of directors
Increased white collar crime penalties
Prohibits a companys external audit firms from
designing and implementing financial
information systems

SOX Section 302
Section 302in quarterly and annual financial

statements, management must:
certify the internal controls (IC) over financial
reporting
state responsibility for IC design
provide reasonable assurance as to the reliability
of the financial reporting process
disclose any recent material changes in IC

SOX Section 404
Section 404in the annual report on IC
effectiveness, management must:
state responsibility for establishing and
maintaining adequate financial reporting IC
assess IC effectiveness
reference the external auditors attestation report
on managements IC assessment
provide explicit conclusions on the effectiveness of
financial reporting IC
identify the framework management used to
conduct their IC assessment, e.g., COBIT
IT Controls & Financial Reporting
Modern financial reporting is driven

by information technology (IT)
IT initiates, authorizes, records, and
reports the effects of financial
transactions.
Financial reporting IC are
inextricably integrated to IT.

COSO identifies two groups of IT
controls:
application controls apply to specific
applications and programs, and ensure
data validity, completeness and accuracy
general controls apply to all systems
and address IT governance and
infrastructure, security of operating
systems and databases, and application
and program acquisition and
development
Significant
Sales CGS Inventory AP Cash Financial
Accounts
Related
Order Entry Purchases Cash Disbursements
Application
Application Controls Application Controls Application Controls
Controls
Controls
for
Review
Systems Development and Program Change Control

Supporting
General
Database Access Controls Controls
Operating System Controls

SOX Audit Implications
Pre-SOX, audits did not require IC tests.
Only required to be familiar with clients IC
Audit consisted primarily of substantive tests
SOX radically expanded scope of audit
Issue new audit opinion on managements IC
assessment
Required to test IC affecting financial
information, especially IC to prevent fraud
Collect documentation of managements IC
tests and interview management on IC
changes
Types of Audit Tests
Tests of controls tests to determine if

appropriate IC are in place and
functioning effectively
Substantive testing detailed
examination of account balances and
transactions

Organizational Structure IC
Audit objective verify that individuals in
incompatible areas are segregated to
minimize risk while promoting operational
efficiency
IC, especially segregation of duties,
affected by which of two organizational
structures applies:
Centralized model
Distributed model

Organizational Chart of a Centralized
Information Technology Function
Figure 15-3

Distributed Organization with Corporate
Information Technology Function
Figure 15-5

Segregation of Duties
Transaction authorization is separate

from transaction processing.
Asset custody is separate from record-
keeping responsibilities.
The tasks needed to process the
transactions are subdivided so that fraud
requires collusion.

Segregation of Duties Objectives
Nested Control Objectives for Transactions
TRANSACTION
Control Authorization Processing

Objective 1
Control Authorization Custody Recording

Objective 2
Control Journals Subsidiary Ledgers General Ledger

Objective 3
Figure 3-4

Centralized IT Structure
Critical to segregate:
systems development from computer
operations
database administrator (DBA) from other
computer service functions
DBAs authorizing and systems
developments processing
DBA authorizes access
maintenance from new systems
development
data library from operations
Distributed IT Structure
Despite its many advantages, important
IC implications are present:
incompatible software among the
various work centers
data redundancy may result
consolidation of incompatible tasks
difficulty hiring qualified professionals
lack of standards

Organizational Structure IC
A corporate IT function alleviates
potential problems associated with
distributed IT organizations by
providing:
central testing of commercial hardware
and software
a user services staff
a standard-setting body
reviewing technical credentials of
prospective systems professionals
Audit Procedures
Review the corporate policy on computer
security
Verify that the security policy is communicated
to employees
Review documentation to determine if
individuals or groups are performing
incompatible functions
Review systems documentation and
maintenance records
Verify that maintenance programmers are not
also design programmers
Audit Procedures
Observe if segregation policies are followed in
practice.
E.g., check operations room access logs to
determine if programmers enter for reasons
other than system failures
Review user rights and privileges
Verify that programmers have access
privileges consistent with their job descriptions

Computer Center IC
Audit objectives:
physical security IC protects the computer
center from physical exposures
insurance coverage compensates the
organization for damage to the computer
center
operator documentation addresses routine
operations as well as system failures

Computer Center IC
Considerations:
man-made threats and natural hazards
underground utility and communications lines
air conditioning and air filtration systems
access limited to operators and computer center
workers; others required to sign in and out
fire suppression systems installed
fault tolerance
redundant disks and other system components
backup power supplies

Audit Procedures
Review insurance coverage on
hardware, software, and physical facility
Review operator documentation, run
manuals, for completeness and accuracy
Verify that operational details of a
systems internal logic are not in the
operators documentation

Disaster Recovery Planning
Disaster recovery plans (DRP) identify:
actions before, during, and after the
disaster
disaster recovery team
priorities for restoring critical applications
Audit objective verify that DRP is
adequate and feasible for dealing with
disasters

Disaster Recovery Planning
Major IC concerns:
second-site backups
critical applications and databases
including supplies and documentation
back-up and off-site storage procedures
disaster recovery team
testing the DRP regularly

Second-Site Backups
Empty shell - involves two or more user
organizations that buy or lease a building
and remodel it into a computer site, but
without computer equipment
Recovery operations center - a
completely equipped site; very costly and
typically shared among many companies
Internally provided backup - companies
with multiple data processing centers may
create internal excess capacity
DRP Audit Procedures
Evaluate adequacy of second-site
backup arrangements
Review list of critical applications for
completeness and currency
Verify that procedures are in place for
storing off-site copies of applications
and data
Check currency back-ups and copies

DRP Audit Procedures
Verify that documentation, supplies, etc.,

are stored off-site
Verify that the disaster recovery team
knows its responsibilities
Check frequency of testing the DRP

Benefits of IT Outsourcing
Improved core business processes

Improved IT performance
Reduced IT costs

Risks of IT Outsourcing
Failure to perform
Vendor exploitation
Costs exceed benefits
Reduced security
Loss of strategic advantage

Audit Implications of IT
Outsourcing
Management retains SOX responsibilities
SAS No. 70 report or audit of vendor will be
required

From Appendix Audit
Background
Material
Accounting Information Systems, 7e

James A. Hall
Hall, Accounting Information Systems, 7e
Attestation versus Assurance
Attestation:
practitioner is engaged to issue a written
communication that expresses a conclusion
about the reliability of a written assertion that
is the responsibility of another party.
Assurance:
professional services that are designed to
improve the quality of information, both
financial and non-financial, used by decision-
makers
includes, but is not limited to attestation
Attest and Assurance Services
Figure 15-8

What is an External Financial
Audit?
An independent attestation by a
professional (CPA) regarding the faithful
representation of the financial statements
Three phases of a financial audit:
familiarization with client firm
evaluation and testing of internal controls
assessment of reliability of financial data

Generally Accepted Auditing
Standards (GAAS)

Auditing
Managements Assertions

External versus Internal Auditing
External auditors represent the

interests of third party stakeholders
Internal auditors serve an independent
appraisal function within the organization
Often perform tasks which can reduce
external audit fees and help to achieve
audit efficiency

What is an IT Audit?
Since most information systems employ IT, the IT

audit is a critical component of all external and
internal audits.
IT audits:
focus on the computer-based aspects of an
organizations information system
assess the proper implementation, operation,
and control of computer resources

Elements of an IT Audit
Systematic procedures are used

Evidence is obtained
tests of internal controls
substantive tests
Determination of materiality for
weaknesses found
Prepare audit report & audit opinion

Phases of an IT Audit
Figure 15-9

Audit Risk is...
the probability the auditor will issue an
unqualified (clean) opinion when in
fact the financial statements are
materially misstated.

Three Components of Audit Risk
Inherent risk associated with the unique
characteristics of the business or industry of
the client
Control risk the likelihood that the control
structure is flawed because controls are either
absent or inadequate to prevent or detect
errors in the accounts
Detection risk the risk that errors not
detected or prevented by the control structure
will also not be detected by the auditor
Computer Fraud Schemes
Theft, misuse, or misappropriation of assets by
altering computer-readable records and files
Theft, misuse, or misappropriation of assets by
altering logic of computer software
Theft or illegal use of computer-readable
information
Theft, corruption, illegal copying or intentional
destruction of software
Theft, misuse, or misappropriation of computer
hardware
Using the general IS model,
explain how fraud can occur at the different
stages of information processing?

Data Collection Fraud
This aspect of the system is the most

vulnerable because it is relatively easy to
change data as it is being entered into the
system.
Also, the GIGO (garbage in, garbage out)
principle reminds us that if the input data is
inaccurate, processing will result in inaccurate
output.

Data Processing Fraud
Program Frauds
altering programs to allow illegal access to
and/or manipulation of data files
destroying programs with a virus
Operations Frauds
misuse of company computer resources, such
as using the computer for personal business

Database Management Fraud
Altering, deleting, corrupting, destroying, or

stealing an organizations data
Oftentimes conducted by disgruntled or ex-
employee

Information Generation Fraud
Stealing, misdirecting, or misusing computer

output
Scavenging
searching through the trash cans on the
computer center for discarded output (the
output should be shredded, but frequently is
not)


Chapter 15 IT Controls Part I: Sarbanes Oxley & IT Governance

Uploaded by

Copyright:

Available Formats

Chapter 15 IT Controls Part I: Sarbanes Oxley & IT Governance

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 15 IT Controls Part I: Sarbanes Oxley & IT Governance

Uploaded by

Copyright:

Available Formats

What are the main provisions of the Sarbanes-Oxley Act?

What are the main provisions of the Sarbanes-Oxley Act?

What are the main requirements for management under Section 302 and 404 of the Sarbanes-Oxley Act?

What are the main requirements for management under Section 302 and 404 of the Sarbanes-Oxley Act?

Chapter15

Accounting Information Systems, 7e

Hall, Accounting Information Systems, 7e 3

Section 302in quarterly and annual financial

Hall, Accounting Information Systems, 7e 4

Modern financial reporting is driven

Hall, Accounting Information Systems, 7e 6

Systems Development and Program Change Control

Operating System Controls

Tests of controls tests to determine if

Hall, Accounting Information Systems, 7e 10

Hall, Accounting Information Systems, 7e 11

Hall, Accounting Information Systems, 7e 12

Hall, Accounting Information Systems, 7e 13

Transaction authorization is separate

Hall, Accounting Information Systems, 7e 14

Control Authorization Processing

Control Authorization Custody Recording

Control Journals Subsidiary Ledgers General Ledger

Hall, Accounting Information Systems, 7e 15

Hall, Accounting Information Systems, 7e 17

Hall, Accounting Information Systems, 7e 20

Hall, Accounting Information Systems, 7e 21

Hall, Accounting Information Systems, 7e 22

Hall, Accounting Information Systems, 7e 23

Hall, Accounting Information Systems, 7e 24

Hall, Accounting Information Systems, 7e 25

Hall, Accounting Information Systems, 7e 27

Verify that documentation, supplies, etc.,

Hall, Accounting Information Systems, 7e 28

Improved core business processes

Hall, Accounting Information Systems, 7e 29

Hall, Accounting Information Systems, 7e 30

Hall, Accounting Information Systems, 7e 31

Accounting Information Systems, 7e

Hall, Accounting Information Systems, 7e 34

Hall, Accounting Information Systems, 7e 35

Hall, Accounting Information Systems, 7e 36

Hall, Accounting Information Systems, 7e 37

External auditors represent the

Hall, Accounting Information Systems, 7e 38

Since most information systems employ IT, the IT

Hall, Accounting Information Systems, 7e 39

Systematic procedures are used

Hall, Accounting Information Systems, 7e 40

Hall, Accounting Information Systems, 7e 41

Hall, Accounting Information Systems, 7e 42

Hall, Accounting Information Systems, 7e 45

This aspect of the system is the most

Hall, Accounting Information Systems, 7e 46

Hall, Accounting Information Systems, 7e 47

Altering, deleting, corrupting, destroying, or

Hall, Accounting Information Systems, 7e 48

Stealing, misdirecting, or misusing computer

Hall, Accounting Information Systems, 7e 49