1 / 38

Chapter 15

Chapter 15. IT Controls Part I: Sarbanes-Oxley & IT Governance. Accounting Information Systems, 5 th edition James A. Hall. Objectives for Chapter 15. Key features of Sections 302 and 404 of Sarbanes-Oxley Act Management and auditor responsibilities under Sections 302 and 404

penda
Download Presentation

Chapter 15

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 15 IT Controls Part I: Sarbanes-Oxley & IT Governance Accounting Information Systems, 5th edition James A. Hall

  2. Objectives for Chapter 15 • Key features of Sections 302 and 404 of Sarbanes-Oxley Act • Management and auditor responsibilities under Sections 302 and 404 • Risks of incompatible functions and how to structure IT function • Controls and security of organization’s computer facilities • Key elements of disaster recovery plan

  3. Sarbanes-Oxley Act • The 2002 Sarbanes-Oxley (SOX) Act established new corporate governance rules • Created company accounting oversight board • Increased accountability for company officers and board of directors • Increased white collar crime penalties • Prohibits a company’s external audit firms from providing financial information systems

  4. SOX Section 302 • Section 302—in quarterly and annual financial statements, management must: • certify the internal controls over financial reporting • state responsibility for internal control design • provide reasonable assurance as to the reliability of the financial reporting process • disclose any recent material changes in internal controls

  5. SOX Section 404 • Section 404—in annual report on internal control effectiveness, management must: • state responsibility for establishing and maintaining adequate financial reporting internal control • assess internal control effectiveness • reference the external auditors’ attestation report on management’s internal control assessment • provide explicit conclusions on the effectiveness of financial reporting internal control • Identify the framework management used to conduct their internal control assessment • For example - COBIT

  6. IT Controls & Financial Reporting • Modern financial reporting is driven by information technology (IT) • IT initiates, authorizes, records, and reports the effects of financial transactions. • Financial reporting internal control are inextricably integrated to IT. • COSO identifies two groups of IT controls: • application controls – apply to specific applications and programs, andensure data validity, completeness and accuracy • general controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

  7. SOX Audit Implications • Pre-SOX, audits did not requireinternal control tests. • Only required to be familiar with client’s internal control • Audit consisted primarily of substantive tests • SOX – radically expanded scope of audit • Issue new audit opinion on management’s internal control assessment • Required to test internal control affecting financial information, especially internal control to prevent fraud • Collect documentation of management’s internal control tests and interview management on internal control changes

  8. Types of Audit Tests • Tests of controls – tests to determine if appropriate internal controls are in place and functioning effectively • Substantive testing – detailed examination of account balances and transactions

  9. Organizational Structure IC • Audit objective – verify that individuals in incompatible areas are segregated to minimize risk while promoting operational efficiency • internal controls, especially segregation of duties, are affected by the type of organizational structure: • Centralized model • Distributed model

  10. President CENTRALIZED COMPUTER SERVICES FUNCTION VP Marketing VP Computer Services VP Operations VP Finance Systems Development Database Administration Data Processing New Systems Development Data Control Data Preparation Data Library Systems Maintenance Computer Operations DISTRIBUTED ORGANIZATIONAL STRUCTURE President VP Marketing VP Finance VP Administration VP Operations Manager Plant X Manager Plant Y Treasurer Controller Work station Work station Work station Work station Work station Work station

  11. Centralized DP Organizational Controls • Need to separate: • systems development from computer operations/processing • database administrator and other computer service functions • especially database administrator (DBA) and systems development • DBA authorizes access • maintenance and new systems development • data library and operations

  12. Distributed DP Organizational Controls • Many advantages to using DDP, yet there are control implications: • incompatible software among various work centers • data redundancy may result • consolidation of incompatible tasks • lack of standards

  13. Organizational Structure Controls • Corporate computer services function/information center may help to alleviate potential problems associated with DDP by providing: • central testing of commercial hardware and software • user services staff • standards setting body • reviewing technical credentials of prospective systems professionals

  14. Organizational Structure Internet & Intranet Internet & Intranet Data Management Operating System Systems Development Personal Computers Systems Maintenance EDI Trading Partners Applications Computer Center Security General Control Framework for CBIS Exposures

  15. Computer Center Internal Controls Audit objectives: • physical security internal control protects the computer center from physical exposures • insurance coverage compensates the organization for damage to the computer center • operator documentation addresses routine operations as well as system failures

  16. Computer Center Controls(assumes centralized processing) Considerations: • location away from human-made and natural hazards • utility and communications lines underground • keep windows closed – use air filtration systems • access limited to operators and other necessary workers; others required to sign in and out • fire suppression systems should be installed • backup power supplies

  17. Segregation of Duties • Transaction authorization is separate from transaction processing. • Asset custody is separate from record-keeping responsibilities. • The tasks needed to process the transactions are subdivided so that fraud requires collusion.

  18. Authorization Authorization Authorization Task 1 Task 2 Segregation of Duties Processing Control Objective 1 Control Objective 2 Custody Recording Custody Recording Control Objective 3 Task 3 Task 4 TRANSACTION

  19. Audit Procedures • Review corporate policy on computer security • Verify that security policy is communicated to employees • Review documentation to determine if individuals or groups are performing incompatible functions • Review systems documentation and maintenance records • Verify that maintenance programmers are not also design programmers • Observe if segregation policies are followed in practice. • Example: check operations room access logs to determine if programmers enter for reasons other than system failures • Review user rights and privileges • Verify that programmers have access privileges consistent with their job descriptions

  20. Audit Procedures • Review insurance coverage on hardware, software, and physical facility • Review operator documentation, run manuals, for completeness and accuracy • Verify that operational details of a system’s internal logic are not in the operator’s documentation

  21. Disaster Recovery Planning • Disaster recovery plans (DRP) identify: • actions before, during, and after the disaster • disaster recovery team • priorities for restoring critical applications • Audit objective – verify that DRP is adequate and feasible for dealing with disasters

  22. Disaster Recovery Planning • Major IC concerns: • second-site backups • critical applications and databases • including supplies and documentation • back-up and off-site storage procedures • disaster recovery team • testing the DRP regularly

  23. Disaster Recovery Planning (DRP) • Disaster recovery plan • Include all actions to be taken before, during, and after disaster • Disaster Recovery Team identified • critical applications (modules/programs) must be identified • restore these applications first • Backups and off-site storage procedures • databases and applications • documentation • supplies

  24. Second-Site Disaster Backups • Mutual Aid Pact - agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs • Empty Shell/Cold Site- involves two or more user organizations that buy or lease building and remodel it into computer site, but without computer equipment • Recovery Operations Center/Hot Site- completely equipped site; very costly and typically shared among many companies • Internally Provided Backup - companies with multiple data processing centers may create internal excess capacity

  25. Audit Procedures • Evaluate adequacy of second-site backup arrangements • Review list of critical applications for completeness and currency • Verify that procedures are in place for storing off-site copies of applications and data • Check currency back-ups and copies • Verify that documentation, supplies, etc., are stored off-site • Verify that disaster recovery team knows its responsibilities • Check frequency of testing the DRP

  26. Audit Background Material From Appendix

  27. Is it Attestation or Assurance? • Attestation: • CPA is engaged to issue written communication that expresses conclusion about reliability of written assertion that is responsibility of another party. • Assurance: • professional services that are designed to improve quality of information, both financial and non-financial, used by decision-makers • includes, but is not limited to attestation

  28. Attest and Assurance Services

  29. What is an External Financial Audit? • An independent attestation by professional (CPA) regarding the faithful representation of the financial statements • Three phases of a financial audit: • familiarization with client firm • evaluation and testing of internal controls • assessment of reliability of financial data

  30. Generally Accepted Auditing Standards (GAAS)

  31. Auditing Management’s Assertions

  32. External versus Internal Auditing • External auditors – represent interests of third party stakeholders (financial institutions, shareholders, other creditors, etc.) • Internal auditors – serve an independent appraisal function within the organization • Often perform tasks which can reduce external audit fees and help to achieve audit efficiency and reduce audit fees

  33. What is an IT Audit? Since most information systems employ IT, the IT audit is a critical component of all external and internal audits. • IT audits: • focus on the computer-based aspects of an organization’s information system • assess the proper implementation, operation, and control of computer resources

  34. Elements of an IT Audit • Systematic procedures are used • Evidence is obtained • tests of internal controls • substantive tests • Determination of materiality for weaknesses found • Prepare audit report & audit opinion

  35. Phases of an IT Audit

  36. Audit Risk is... the probability the auditor will issue an unqualified (clean) opinion when in fact the financial statements really are materially misstated.

  37. Three Components of Audit Risk • Inherent riskis associated with unique characteristics of business/industry of client. • Control riskis likelihood that the control structure is flawed because controls are either absent or inadequate to prevent/detect errors in the accounts. • Detection risk:the risk that auditors are willing to take that errors not detected/ prevented by the control structure, and will also not be detected by the auditor.

  38. The End

More Related