Deck 15: IT Controls Part I: Sarbanes-Oxley and It Governance

INTERNAL CONTROL
Gustave, CPA, during its preliminary review of the financial statements of Comet, Inc., found a lack of proper segregation of duties between the programming and operating functions. Comet owns its own computing facilities. Gustave diligently intensified the internal control study and assessment tasks relating to the computer facilities. Gustave concluded in its final report that sufficient compensating general controls provided reasonable assurance that the internal control objectives were being met.
Required
What compensating controls are most likely in place?

Internal Controls:
• Internal controls are generally divided into two types of controls: application and general.
• Application controls deal with the completeness, accuracy and validity of financial transactions.
• General controls are related to the entire system. They include controls on IT governance, IT infrastructure, security of network and operating system, access on database, acquisition and development of applications and changes in program.
Following compensating general controls are most likely in place:
• Adequate documentation must be there.
• IT infrastructure deals with the physical security of the computer center that is the systems of room temperature, fire extinguishers and fault tolerance control must be there.
• There should be security provisions for networks and operating system. There must be policies for computer security.
• Database access must be limited and by authorized personnel only.
• Verification of user rights and access privileges must be done.

PHYSICAL SECURITY OF DATA CENTER
Big Apple Financials, Inc., is a financial services firm located in New York City. The company keeps client investment and account information on a server at its Brooklyn data center. This information includes the total value of the portfolio, type of investments made, the income structure of each client, and associated tax liabilities. The company has recently upgraded its Web site to allow clients to access their investment information.
The company's data center is in the basement of a rented building. Company management believes that the location is secure enough to protect their data from physical threats. The servers are housed in a room that has smoke detectors and associated sprinklers. It is enclosed, with no windows, and has temperature-controlled air conditioning. The company's auditors, however, have expressed concern that some of the measures at the current location are inadequate and that newer alternatives should be explored. Management has expressed counter concerns about the high cost of purchasing new equipment and relocating its data center.
Required
a. Why are Big Apple's auditors stressing the need to have a better physical environment for the server?
b. Describe six control features that contribute to the physical security of the computer center.
c. Big Apple management is concerned about the cost of relocating the data center. Discuss some options open to them that could reduce their operating costs and provide the security the auditors seek.

Physical Security:
The physical security of data center is very necessary because the client's data is very critical element for any business and to be secured. If it was leaked, the trust of the clients is lost and business suffers the problem of declination.
• Physical security concerns with the location of and equipment for security at the data center.
• AV Financials set up its data server at the place where the production plan was running and it allowed the free access also.
(a) Need of having a better physical environment for server:
Although the center is working on the specialized temperature secured from physical intruders and has detectors for smoking and sprinkles. There is need of better environment for the server because of following reasons:
• Access must be limited to the server operators and the employees, presently working there. Even, the analysts and the maintenance programmers, sometimes for detecting and correcting errors, must be allowed access by signing in and out. The record of outsiders' access must be maintained.
• Hidden cameras and the video recording system must be there.
• Any specialized type of fault tolerance controls. RAID (Redundant Array of Independent disks) or uninterrupted power supply backup must be installed.
AV has proper software controls there but it is not enough for securing the information because if the outsiders get the access anytime on that then they can change or damage the information.
(b) Six control features that contribute to the physical security:
The important control features which are responsible for contributing computer server environment are described below:
• Physical construction: The auditor must test the architectural overview and controls set for the physical security of the server room.
• Fire Detection System and Room Temperature: The auditor must test the controls set for detecting any type of sprinkles and specified room temperature because if any of the both is not there then the server could fail or corrupt anytime.
• Access Controls: outsiders must not be allowed for accessing the server without special grants.
(c) Some options that are open to B A Management that reduces their operating costs and provide security:
(1) Any specialized type of fault tolerance controls. RAID or uninterrupted power supply backup, must be installed.
(2) Controls over electronic information security through anti-viruses or other specialized programs.
(3) Controls on operator documentation that is run manual.

Discuss the differences between the attest function and assurance services.

Attest Functions and Assurance Services
The primary differences between attest function and assurance services are described below:

What is fault tolerance?

Explain the concept of materiality.

Distinguish between inherent risk and control risk. How do internal controls affect inherent risk and control risk, if at all? What is the role of detection risk?

At which stage of the general accounting model is it easiest to commit computer fraud?

DISTRIBUTED DATA PROCESSING
Explain why an organization would choose to install a distributed instead of a centralized computer system.

Explain the outsourcing risk of failure to perform.

What tasks do auditors perform during audit planning, and what techniques are used?

Discuss the key features of Section 302 of SOX.

Prior to SOX, external auditors were required to be familiar with the client organization's internal controls, but not to test them. Explain why.

Explain at least three forms of computer fraud.

Differentiate between general and application controls. Give two examples of each.

What is RAID?

Distinguish between tests of controls and substantive testing.

Define the management assertions of existence or occurrence, completeness, rights and obligations, valuation or allocation, and presentation and disclosure.

Explain vendor exploitation.

What is audit risk?

SERVICE PROVIDER AUDIT
The Harvey Manufacturing Company is undergoing its annual financial statement audit. Last year the company purchased an SaaS application from Excel Systems (a cloud service provider) to run mission critical financial transactions. The SaaS application runs on an IaaS server, which Excel Systems outsourced to another service provider.
Required
Explain how the Harvey Manufacturing auditors will assess the relevant internal controls related to these mission critical transactions.

DISASTER RECOVERY PLANNING CONTROVERSY
The relevance of a disaster recovery plan (DRP) to a financial statement audit is a matter of debate. Some argue that the existence of a DRP is irrelevant to the audit. Others argue that it is an important control that needs to be considered in the assessment of internal control.
Required
Address both sides of this debate.
a. Provide a logical argument why a DRP should not be considered in the audit.
b. Argue why a DRP is an important control and should be reviewed within the conduct of a financial audit.

DISASTER RECOVERY PLAN
Hexagon is an online retailer of exotic foods including spices from around the world, canned sauces, and prepackaged breads such as tortillas and naan. The company does 100% of its business over the Internet to consumers and through private networks with retail trading partners. Recently, Hexagon moved its sales and business headquarters functions into a warehouse on the outskirts of San Francisco. Prior to the move, the company engaged the services of an architect to redesign the facility to be modern yet in keeping with the original character of the building. While remodeling the warehouse, the architects retained the wooden-shingled exterior and the exposed wooden beams throughout the interior. The data processing center, which contained the servers and networked terminals were situated in a large open area with high ceilings and skylights. The center was made accessible to the rest of the staff to be consistent with the firm's philosophy of removing barriers and encouraging a team approach to problem solving. Before occupying the new facility, city inspectors declared the building to be compliant with all relevant building codes.
In a recent compliance audit, Hexagon's auditors advised the company's management to develop a disaster recovery plan. Toward this end, the company entered into a mutual aid agreement with several other firms in the area that had similar technology systems. These firms all agreed verbally to provide emergency assistance to each other in the event of disasters or emergencies. In addition, Hexagon implemented a data backup system in which all files are copied daily to tapes and disks and each week the backup storage devices are taken to an offsite facility where they are secured.
The operator's manual with instructions on how to restore the system is stored in the main data processing area along with a list of names and phone numbers of key IT professionals to contact in case of an emergency.
Required
a. Describe the internal control weaknesses present at Hexagon.
b. List the components that should be included in a disaster recovery plan for a company like Hexagon.
c. What factors, other than those included in the plan itself, should a company consider when formulating a disaster recovery plan?

What are the primary reasons for separating operational tasks?

What is the purpose of an audit?

Distinguish between errors and irregularities. Which do you think concerns auditors the most?

SOX contains many sections. Which sections are the focus of this chapter?

What is the relationship between tests of controls and substantive tests?

How do automated authorization procedures differ from manual authorization procedures?

An organization's internal audit department is usually considered an effective control mechanism for evaluating the organization's internal control structure. Birch Company's internal auditing function reports directly to the controller. Comment on the effectiveness of this organizational structure.

Explain why reduced security is an outsourcing risk.

List the four general control areas.

Discuss the key features of Section 404 of SOX.

Does a qualified opinion on internal controls over the financial reporting system necessitate a qualified opinion on the financial statements? Explain why or why not.

A bank in California has 13 branches spread throughout northern California, each with its own minicomputer where its data are stored. Another bank has 10 branches spread throughout California, with the data being stored on a mainframe in San Francisco. Which system do you think is more vulnerable to unauthorized access? Excessive losses from disaster?

What problems may occur as a result of combining applications programming and maintenance tasks into one position?

Discuss the concept of independence within the context of an audit.

What types of documents would an auditor review in testing organizational structure controls? Why is it also important to observe actual behavior?

Discuss why any distinction between IT auditing and financial auditing is not meaningful.

Explain how IT outsourcing can lead to loss of strategic advantage.

What are some tests of physical security controls?

INTERNAL CONTROL
During the past year, Howard Industries has experienced excessive employee turnover in their IT function. Exit interviews with employees revealed that they were dissatisfied with the working environment. Howard employed the services of a management consulting firm that had expertise in employee relationship management. The consulting firm made recommendation to restructure IT operations to create a greater sense of "ownership" among the IT staff. After three months, under the new operation a survey indicated a marked increase in the level of job satisfaction among the IT group.
During the conduct of the audit planning phase of the annual financial audit, the auditor observed the following practices: Individual IT professionals are assigned exclusively to support specific business functions such as sales processing, billing, customer account maintenance, etc. Each professional provides a range of IT services for their respective users including computer operations, program changes, and documenting the system through record layouts, system flowcharts, and program listings. They also reconcile computer output reports and logs of transactions errors.
Required
a. Identify and explain any control concerns you have with the new operations.
b. What potential computer fraud might this operational approach permit?

SEPARATION OF DUTIES
Transferring people from job to job within the organization is the philosophy at Arcadia Plastics. Management believes that job rotation deters employees from feeling that they are stagnating in their jobs and promotes a better understanding of the company. The computer services personnel typically work for six months as an operator, one year as a systems developer, six months as a database administrator, and one year in systems maintenance. At that point, they are assigned to a permanent position.
Required
Discuss the importance of separation of duties within the information systems department. How can Arcadia Plastics have both job rotation and well-separated duties?

INTERNAL CONTROL AND DISTRIBUTED SYSTEM
Until a year ago, Dagwood Printing Company had always operated in a centralized computer environment. Now, 75 percent of the office employees have a PC. Users have been able to choose their own software packages, and no documentation of end user- developed applications has been required. Next month, each PC will be linked into a local area network and to the company's mainframe.
Required
a. Outline a plan of action for Dagwood Printing Company to ensure that the proper controls over hardware, software, data, people, procedures, and documentation are in place.
b. Discuss any risks the company may face if the devised plan is not implemented.

Why is poor-quality systems documentation a prevalent problem?

What is the meaning of the term attest service?

What are the often-cited benefits of IT outsourcing?

Define audit risk.

Define general controls.

Explain why certain duties that are deemed incompatible in a manual system may be combined in a computer-based information system environment. Give an example.

Discuss how the process of obtaining audit evidence in a IT environment is inherently different from obtaining it in a manual system.

Explain the role of Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report in the review of internal controls.

Define commodity IT asset.

404 requires management to make a statement identifying the control framework used to conduct the assessment of internal controls. Discuss the options in selecting a control framework.

The PCAOB Standard No. 5 specifically requires auditors to understand transaction flows in designing their tests of controls. What steps does this entail?

Compare and contrast the following disaster recovery options: empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as from most costly to least costly.

What is the role of a corporate computer services department? How does this differ from other configurations?

What are assurance services?

Define specific asset.

INTERNAL CONTROL RESPONSIBILITY FOR OUTSOURCED IT
Explain why managers who outsource their IT function may or may not also outsource responsibility for IT controls. What options are open to auditors regarding expressing an opinion on the adequacy of internal controls?

Some internal controls can be tested objectively. Discuss some internal controls that you think are relatively more subjective to assess in terms of adequacy than others.

How do SSAE 16 Type 1 and Type 2 differ?

List five risks associated with IT outsourcing.

DISTRIBUTED PROCESSING SYSTEM
The internal audit department of a manufacturing company conducted a routine examination of the company's distributed computer facilities. The auditor's report was critical of the lack of coordination in the purchase of PC systems and software that individual departments use. Several different hardware platforms, operating systems, spreadsheet packages, database systems, and networking applications were in use. In response to the internal audit report, and without consulting with department users regarding their current and future systems needs, Mr. Marten, the vice president of Information Services, issued a memorandum to all employees stating the following new policies:
1. The Micromanager Spreadsheet package has been selected to be the standard for the company, and all employees must switch to it within the month.
2. All future PC purchases must be Megasoft compatible.
3. All departments must convert to the Megasoft Entree database package.
4. The office of the vice president of Information Services must approve all new hardware and software purchases.
Several managers of other operating departments have complained about Marten's memorandum.
Required
a. Regarding setting systems standards in a distributed processing environment, discuss factors pertinent to:
1. Computer hardware and software considerations
2. Controls considerations
b. Discuss the benefits of having standardized hardware and software distributed across departments in the firm.
c. Discuss the concerns that the memorandum is likely to create for distributed users in the company.

DISASTER RECOVERY SERVICE PROVIDERS
Visit SunGard's website, http://www.sungard.com, and research its recovery services offered for the following classes: High Availability, System Recovery, and End-User Recovery. Write a report of your findings.

What are the three primary IT functions that must be separated?

What are the five control implications of distributed data processing?

What are the conceptual phases of an audit? How do they differ between general auditing and IT auditing?

Distinguish between errors and irregularities.

What is computer fraud, and what types of activities does it include?

Who should determine and prioritize the critical applications? How is this done? How frequently is it done?

Give a specific example, other than the one in the chapter, to illustrate the relationship between risk, control, audit objective, and tests of control.

How are the carve-out and inclusive methods of reporting on subservice organizations different?