Final PPT Week 13


Auditing IT Controls Part I:
Sarbanes-Oxley and IT Governance
Nadiatul Qalbi Amalia Rizqi
(041911333077)
Overview of Audit
 An external audit is an independent attestation performed by
an expert (the auditor) who expresses an opinion regarding the
presentation of financial statements.
 The audit objective is always associated with assuring the
fair presentation of financial statements.
 The key concept in audit is independence.
 The auditor collects and evaluates evidence, and renders an
opinion based on that evidence.
Financial Audit Components
 The product of the attestation is a formal written report that
expresses an opinion as to whether the financial statements
conform with the applicable standards.
Structure of an Audit
 Conducting an audit is a systematic and logical process that
consists of three conceptual phases: audit planning, tests of
controls, and substantive testing.
 Audit planning; the objective in this phase is to obtain sufficient
information about the firm to plan the other phases of the audit.
 Tests of controls; the objective in this phase is to determine whether
adequate internal controls are in place and functioning properly.
 Substantive testing; in this phase the auditor conducts a detailed
investigation of specific account balances and transactions
through what are called substantive tests.
Audit Risk
 Audit risk is the probability that the auditor will render an
unqualified (clean) opinion on financial statements that are, in
fact, materially misstated.
 AR = IR x CR x DR
 Audit Risk Components :
 Inherent Risk; associated with the unique characteristics of the
business or industry of the client, before considering internal controls.
 Control Risk; the likelihood that the control structure is flawed
because controls are either absent or inadequate to prevent or detect
errors in the accounts.
 Detection Risk; the risk that auditors are willing to take that errors
not detected or prevented by the control structure will also not be
detected by the auditor's own substantive tests.
Audit Report
 The audit report includes an opinion on the fair presentation
of the financial statements and an opinion on the quality of
internal controls over financial reporting.
Overview of SOX Section 302 and
404
 Section 302 requires corporate management, including the
CEO, to certify financial and other information contained in
the organization’s quarterly and annual reports.
 Section 404 requires the management of public companies to
assess the effectiveness of their organization’s internal
control over financial reporting.
Relationship between IT controls and
financial reporting
 The COSO model identifies two broad groupings of IT
controls : application controls and general controls.
 Application controls ensure the validity, completeness, and
accuracy of financial transactions.
 General controls include controls over IT governance, IT
infrastructure, network and operating system security, database
access, application acquisition and development, and program
changes.
Audit Implications of Section 302
and 404
 SOX legislation dramatically expands the role of external
auditors by mandating that they attest to the quality of
internal controls.
 The auditor is precluded from issuing an unqualified opinion
on internal controls if even one material weakness in internal
control is detected.
 Auditors are permitted to simultaneously render a qualified
opinion on controls and an unqualified opinion on the
financial statements when they conclude through substantive
tests that the control weakness(es) did not cause the financial
statements to be materially misstated.
Computer Fraud
Computer fraud can take any of the following forms:
• The theft, misuse, or misappropriation of assets by altering computer-
readable records and files.
• The theft, misuse, or misappropriation of assets by
altering the logic of computer software.
• The theft or illegal use of computer-readable information.
• The theft, corruption, illegal copying, or intentional
destruction of computer software.
• The theft, misuse, or misappropriation of computer
hardware.
The General Model for Accounting
Information Systems
 Data Collection; the first operational stage in the
information system. The objective is to ensure that event
data entering the system are valid, complete, and free from
material errors.
 Data Processing; once collected, the data are processed to
produce information.
 Data Processing Fraud :
 Program Fraud
 Operational Fraud
Program Fraud
 Creating illegal programs that can access data files to alter,
delete, or insert values into accounting records
 Destroying or corrupting a program’s logic using a computer
virus
 Altering program logic to cause the application to process
data incorrectly
Operations Fraud
 The misuse or theft of the firm's computer resources.
 Example: a programmer may use the firm's computer time
to write software that he or she sells commercially.
The General Model for Accounting
Information Systems
 Data Management; the organization's database is its physical
repository for financial and nonfinancial data.
 Database fraud includes altering, deleting, corrupting, destroying,
or stealing an organization's data.
 Information Generation; information generation is the process
of compiling, arranging, formatting, and presenting
information to users.
 Common frauds at the information generation stage:
 Scavenging; involves searching through the trash of the computer
center for discarded output.
 Eavesdropping; involves listening to output transmissions over
telecommunication lines.
IT Governance Controls
 IT Governance is a broad concept relating to the decision
rights and accountability for encouraging desirable
behaviour in the use of IT.
Segregation of Duties
in Centralized Models
 Separating systems development from computer operations
 Consolidating these functions invites fraud. With detailed
knowledge of an application’s logic and control parameters
along with access to the computer operations, an individual
could make unauthorized changes to application logic during
program execution.
 Separating the DBA from other functions
 The DBA is responsible for a number of critical tasks pertaining
to database security, including creating the database schema,
creating user views (subschemas), assigning access authority to
users, monitoring database usage, and planning for future
expansion.
 Separating the DBA from systems development
 Programmers create applications that access, update, and
retrieve data from the database. To achieve database access,
therefore, both the programmer and the DBA need to agree as
to the attributes and tables (the user view) to make available to
the application (or user) in question. If done properly, this
permits and requires a formal review of the user data needs and
security issues surrounding the request.
 Separating New Systems Development from Maintenance
 The systems analysis group works with the user to produce a
detailed design of the new system. The programming group
codes the programs according to these design specifications.
Although a popular arrangement, this approach promotes two
potential problems: inadequate documentation and fraud.
 Inadequate Documentation
 Program Fraud
Alternative Organization of Systems
Development
 A Superior Structure for Systems Development
 The new systems development group is responsible for designing,
programming, and implementing new systems projects. This
structure helps resolve the two control problems described
previously.
 First, documentation standards are improved because the
maintenance group will require adequate documentation to
perform their maintenance duties.
 Second, denying the original programmer future access to the
application code deters program fraud. Fraudulent code within an
application, which is out of the perpetrator’s control, increases the
risk that the fraud will be discovered. The success of this control
depends on the existence of other controls that limit, prevent, and
detect unauthorized access to programs.
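The segregation-of-duties rules above (development separated from operations, the DBA separated from both, new-systems development separated from maintenance, and the original programmer denied future access to an application) are the kind of thing an IT auditor tests by running role assignments and change records against a conflict matrix. The following is an added example written for this page, not code from the slides or from any named product; the role names, the user list, the application names and the change log are all constructed sample data, and real systems would export these from the access-management and change-management tools in use.

```python
"""Segregation-of-duties checks over constructed role and change-log data."""
from dataclasses import dataclass
from itertools import combinations

# Incompatible function pairs taken from the segregation-of-duties slides.
# Pairs are unordered: a user holding both halves of any pair is a conflict.
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"dba", "systems_development"}),
    frozenset({"dba", "computer_operations"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str  # assumed role labels; real exports use whatever the IAM tool emits


@dataclass(frozen=True)
class ProgramChange:
    change_id: str
    application: str
    changed_by: str


def role_conflicts(assignments):
    """Return {user: [(role_a, role_b), ...]} for users holding incompatible roles."""
    roles_by_user = {}
    for a in assignments:
        roles_by_user.setdefault(a.user, set()).add(a.role)
    conflicts = {}
    for user, roles in roles_by_user.items():
        hits = [
            p for p in combinations(sorted(roles), 2)
            if frozenset(p) in INCOMPATIBLE_PAIRS
        ]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def original_author_changes(changes, original_authors):
    """Return change ids where the maintainer is the application's original programmer.

    This tests the control on the slide: the developer who wrote an application
    should not be the one maintaining it afterwards.
    """
    return sorted(
        c.change_id for c in changes
        if original_authors.get(c.application) == c.changed_by
    )


# Constructed sample data (not real users, applications or change records).
ASSIGNMENTS = [
    Assignment("alice", "systems_development"),
    Assignment("alice", "computer_operations"),      # dev + ops: conflict
    Assignment("bob", "dba"),
    Assignment("bob", "systems_development"),        # DBA + dev: conflict
    Assignment("carol", "new_systems_development"),
    Assignment("dave", "systems_maintenance"),
    Assignment("erin", "dba"),
    Assignment("erin", "computer_operations"),       # DBA + ops: conflict
]

ORIGINAL_AUTHORS = {"payroll": "carol", "ar_billing": "frank"}

CHANGES = [
    ProgramChange("CHG-101", "payroll", "dave"),     # maintenance group: fine
    ProgramChange("CHG-102", "payroll", "carol"),    # original author: finding
    ProgramChange("CHG-103", "ar_billing", "dave"),  # fine
]


def audit_findings(assignments=ASSIGNMENTS, changes=CHANGES, authors=ORIGINAL_AUTHORS):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for user, pairs in sorted(role_conflicts(assignments).items()):
        for a, b in pairs:
            findings.append(f"{user}: holds incompatible roles {a} and {b}")
    for change_id in original_author_changes(changes, authors):
        findings.append(f"{change_id}: modified by the application's original programmer")
    return findings


if __name__ == "__main__":
    for line in audit_findings():
        print(line)
```

Running the module prints three role conflicts (alice, bob, erin) and one change-control finding (CHG-102). The conflict matrix is deliberately data rather than code so that an auditor can extend it with organisation-specific incompatible pairs without touching the checking logic.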
The Distributed Model
Advantages
 Cost reduction
 Improved cost control responsibility
 Improved user satisfaction
 Backup
Disadvantages
 Mismanagement of organization-wide resources
 Hardware and software incompatibility
 Redundant tasks
 Consolidating incompatible activities
 Hiring qualified professionals
 Lack of standards
 etc.
Computer Center Security and
Controls
 The objective of this section is to present computer center
controls that help create a secure environment.
 The following are some of the control features that
contribute directly to computer security :
 Physical location
 Construction
 Access
 Air conditioning
 Fire Suppression
 Fault tolerance controls
Audit objectives to computer center
security
 Controls governing computer center security are adequate to
reasonably protect the organization from physical damage or loss.
 Insurance coverage on equipment is adequate to compensate
the organization for the destruction of, or damage to, its
computer center.
 Operator documentation is adequate to deal with system
failures as well as routine operations.
DRP
 A disaster recovery plan (DRP) is a comprehensive statement
of all actions to be taken before, during, and after a disaster,
along with documented, tested procedures that will ensure
the continuity of operations.
 Empty Shell; The empty shell or cold site plan is an arrangement
wherein the company buys or leases a building that will serve as a
data center. In the event of a disaster, the shell is available and
ready to receive whatever hardware the temporary user needs to
run essential systems.
 Recovery Operations Center; A recovery operations center (ROC)
or hot site is a fully equipped backup data center that many
companies share. In addition to hardware and backup facilities,
ROC service providers offer a range of technical services to their
clients, who pay an annual fee for access rights. In the event of a
major disaster, a subscriber can occupy the premises and, within a
few hours, resume processing critical applications.
Audit Objectives to Assessing
Disaster Recovery Planning
The auditor should verify that management's disaster recovery
plan is adequate and feasible for dealing with a catastrophe that
could deprive the organization of its computing resources.
