Deck 15: It Controls Part I: Sarbanes-Oxley and It Governance
1
Explain how general controls impact transaction integrity and the financial reporting process.
General Controls:
General controls are IT controls that are not application specific; they govern the entire system. They include controls over IT governance and infrastructure, network and operating system security, database access, application acquisition and development, and program changes.
General controls impact transaction integrity and the financial reporting process as follows:
• General controls do not control specific transactions directly, but they have a great impact on transaction integrity.
• For example, if the database is not secured, it could be altered by malicious programs even when the application processes themselves are correct. General controls are therefore needed to support the environment in which the application controls function. Both kinds of control are required over system applications and activities in order to achieve accurate financial reporting.
2
What fraud detection responsibilities (if any) does SOX impose on auditors?
Fraud Detection Responsibilities on Auditor:
• Fraud that could lead to a material misstatement of the financial statements is treated as a disastrous fraudulent activity and must be detected and prevented by the auditor. SOX places this responsibility on the auditor. Management must implement such controls and the auditor must test them.
• SOX places the study of computer fraud under the responsibilities of both management and the auditor because today the computer is the most essential element of the accounting and financial reporting system of modern organizations.
3
COMPETING SCHOOLS OF THOUGHT REGARDING OUTSOURCING
Explain the core competency argument for outsourcing and compare/contrast it with TCE theory. Why does one theory tend to prevail over the other in making outsourcing decisions?
Core Competency and TCE Theory in Outsourcing
Core competency theory holds that an organization should focus on its core business competencies and outsource non-core functions such as IT. It argues that the organization must concentrate on its core competencies and that non-core IT assets must be outsourced. This theory ignores the necessary distinction between specific IT assets and IT commodities.
TCE, which stands for Transaction Cost Economics, is another theory; it holds that certain specific non-core IT assets must remain in-house. It considers that once a specific asset has been outsourced, it cannot be replaced if the contract with the vendor is cancelled. TCE stresses that only commodities should be outsourced.
Which theory is followed depends on the CEO's perception. Some CEOs consider all IT assets non-core, while others keep certain specific assets in-house. Generally, core competency theory tends to prevail over TCE in outsourcing decisions because IT commodities play an important role in the outsourcing of IT assets.
4
Discuss the subjective nature of auditing computer center security.
5
What tasks do auditors perform during audit planning, and what techniques are used?
6
Which of the following is NOT a control implication of distributed data processing?
A) redundancy
B) user satisfaction
C) incompatibility
D) lack of standards
7
Which of the following is NOT a task performed in the audit planning phase?
A) reviewing an organization's policies and practices
B) determining the degree of reliance on controls
C) reviewing general controls
D) planning substantive testing procedures
8
What exposures does data consolidation in an IT environment pose?
9
What is fault tolerance?
10
Distinguish between tests of controls and substantive testing.
11
INTERNAL CONTROL
Gustave, CPA, during its preliminary review of the financial statements of Comet, Inc., found a lack of proper segregation of duties between the programming and operating functions. Comet owns its own computing facilities. Gustave diligently intensified the internal control study and assessment tasks relating to the computer facilities. Gustave concluded in its final report that sufficient compensating general controls provided reasonable assurance that the internal control objectives were being met.
Required
What compensating controls are most likely in place?
12
AUDIT COMMITTEE
Micro Systems, a developer of database software packages, is a publicly held company and is listed with the SEC. The company has no internal audit function. In complying with SOX, Micro Systems has agreed to establish an internal audit function and strengthen its audit committee to include all outside directors. Micro Systems has held its initial planning meeting to discuss the roles of the various participants in the internal control and financial reporting process. Participants at the meeting included the company president, the chief financial officer, a member of the audit committee, a partner from Micro Dynamics' external audit firm, and the newly appointed manager of the internal audit department. Comments from the various meeting participants are presented below.
President: We want to ensure that Micro Systems complies with SOX. The internal audit department should help to strengthen our internal control system by correcting problems. I would like your thoughts on the proper reporting relationship for the manager of the internal audit department.
CFO: I think the manager of the internal audit department should report to me because much of the department's work is related to financial issues. The audit committee should have oversight responsibilities.
Audit committee member: I believe we should think through our roles more carefully. The Treadway Commission has recommended that the audit committee play a more important role in the financial reporting process; the duties of today's audit committee have expanded beyond mere rubber-stamp approval. We need to have greater assurance that controls are in place and being followed.
External audit firm partner: We need a close working relationship among all of our roles. The internal audit department can play a significant role in monitoring the control systems on a continuing basis and should have strong ties to your external audit firm.
Internal audit department manager: The internal audit department should be more involved in operational auditing, but it also should play a significant monitoring role in the financial reporting area.
Required
a. Describe the role of each of the following in the establishment, maintenance, and evaluation of Micro Systems' internal control: management, the audit committee, the external auditor, and the internal audit department.
b. Describe the responsibilities that Micro Systems' audit committee has in the financial reporting process.
13
Discuss the differences between the attest function and assurance services.
14
Explain the outsourcing risk of failure to perform.
15
What is audit risk?
16
What are the objectives of application controls?
17
At which stage of the general accounting model is it easiest to commit computer fraud?
18
Differentiate between general and application controls. Give two examples of each.
19
What is RAID?
20
Distinguish between errors and irregularities. Which do you think concerns auditors the most?
21
Discuss the key features of Section 302 of SOX.
22
Prior to SOX, external auditors were required to be familiar with the client organization's internal controls, but not to test them. Explain why.
23
Explain at least three forms of computer fraud.
24
Define the management assertions of existence or occurrence, completeness, rights and obligations, valuation or allocation, and presentation and disclosure.
25
Explain vendor exploitation.
26
Distinguish between inherent risk and control risk. How do internal controls affect inherent risk and control risk, if at all? What is the role of detection risk?
27
Which of the following is NOT a requirement in management's report on the effectiveness of internal controls over financial reporting?
A) A statement of management's responsibility for establishing and maintaining adequate internal control user satisfaction.
B) A statement that the organization's internal auditors have issued an attestation report on management's assessment of the company's internal controls.
C) A statement identifying the framework management uses to conduct its assessment of internal controls.
D) An explicit written conclusion as to the effectiveness of internal control over financial reporting.
28
Which of the following disaster recovery techniques may be least optimal in the case of a widespread natural disaster?
A) empty shell
B) ROC
C) internally provided backup
D) they are all equally beneficial
29
Which of the following risks does the auditor least control?
A) inherent risk
B) control risk
C) detection risk
D) all are equally controllable
30
What are the primary reasons for separating operational tasks?
31
What is the purpose of an audit?
32
What is the relationship between tests of controls and substantive tests?
33
PHYSICAL SECURITY
Avatar Financials, Inc., located on Madison Avenue, New York City, is a company that provides financial advice to individuals and small- to mid-sized businesses. Its primary operations are in wealth management and financial advice. Each client has an account in which basic personal information is stored on a server within the main office in New York City. The company also keeps the information about the amount of investment of each client on a separate server at its data center in Bethlehem, Pennsylvania. This information includes the total value of the portfolio, type of investments made, the income structure of each client, and associated tax liabilities.
In the last few years, larger commercial banks have started providing such services and are competing for the same set of customers. Avatar, which prides itself on personal consumer relations, is now trying to set up additional services to keep its current customers. It has recently upgraded its website, which formerly only allowed clients to update their personal information. Now clients can access information about their investments, income, and tax liabilities that is stored at the data center in Pennsylvania.
As a result of previous dealings, Avatar has been given free access to use the computer room of an older production plant. The company believes that this location is secure enough and would keep the data intact from physical intruders. The servers are housed in a room that the production plant used to house its legacy system. The room has detectors for smoke and associated sprinklers. It is enclosed, with no windows, and has specialized temperature-controlled air ducts.
Management has recently started looking at other alternatives to house the server because the plant is going to be shut down. Management has major concerns about the secrecy of the location and the associated measures. They want to incorporate newer methods of physical data protection. The company's auditors have also expressed a concern that some of the measures at the current location are inadequate and that newer alternatives should be found.
Required
1. Why are the auditors of Avatar stressing the need to have a better physical environment for the server? If Avatar has proper software controls in place, would that not be enough to secure the information?
2. Name the six essential control features that contribute directly to the security of the computer server environment.
34
DISASTER RECOVERY PLAN
The headquarters of Hill Crest Corporation, a private company with $15.5 million in annual sales, is located in California. Hill Crest provides for its 150 clients an online legal software service that includes data storage and administrative activities for law offices. The company has grown rapidly since its inception three years ago, and its data processing department has expanded to accommodate this growth. Because Hill Crest's president and sales personnel spend a great deal of time out of the office soliciting new clients, the planning of the IT facilities has been left to the data processing professionals.
Hill Crest recently moved its headquarters into a remodeled warehouse on the outskirts of the city. While remodeling the warehouse, the architects retained much of the original structure, including the wooden-shingled exterior and exposed wooden beams throughout the interior. The mini-computer distributive processing hardware is situated in a large open area with high ceilings and skylights. The openness makes the data processing area accessible to the rest of the staff and encourages a team approach to problem solving. Before occupying the new facility, city inspectors declared the building safe; that is, it had adequate fire extinguishers, sufficient exits, and so on.
In an effort to provide further protection for its large database of client information, Hill Crest instituted a tape backup procedure that automatically backs up the database every Sunday evening, avoiding interruption in the daily operations and procedures. All tapes are then labeled and carefully stored on shelves reserved for this purpose in the data processing department. The departmental operator's manual has instructions on how to use these tapes to restore the database, should the need arise. A list of home phone numbers of the individuals in the data processing department is available in case of an emergency. Hill Crest has recently increased its liability insurance for data loss from $50,000 to $100,000.
This past Saturday, the Hill Crest headquarters building was completely ruined by fire, and the company must now inform its clients that all of their information has been destroyed.
Required
a. Describe the computer security weaknesses present at Hill Crest Corporation that made possible a disastrous data loss.
b. List the components that should have been included in the disaster recovery plan at Hill Crest Corporation to ensure computer recovery within 72 hours.
c. What factors, other than those included in the plan itself, should a company consider when formulating a disaster recovery plan?
35
CMA 1290 4-Y8
Role of Internal Auditor
Leigh Industries has an internal audit department consisting of a director and four staff auditors. The director of internal audit, Diane Bauer, reports to the corporate controller, who receives copies of all internal audit reports. In addition, copies of all internal audit reports are sent to the audit committee of the board of directors and the individual responsible for the area of activity being audited.
In the past, the company's external auditors have relied on the work of the internal audit department to a substantial degree. However, in recent months, Bauer has become concerned that the objectivity of the non-audit work that the department has performed is affecting the internal audit function. This possible loss of objectivity could result in external auditors performing more extensive testing and analysis. The percentage of non-audit work that the internal auditors perform has steadily increased to about 25 percent of the total hours worked. A sample of five recent non-audit activities is presented in the following section.
• One of the internal auditors assisted in the preparation of policy statements on internal control. These statements included such things as policies regarding sensitive payments and the safeguarding of assets.
• Reconciling the bank statements of the corporation each month is a regular assignment of one of the internal auditors. The corporate controller believes this strengthens the internal control function because the internal auditor is not involved in either the receipt or the disbursement of cash.
• The internal auditors are asked to review the annual budget each year for relevance and reasonableness before the budget is approved. At the end of each month, the corporate controller's staff analyzes the variances from budget and prepares explanations of these variances. The internal audit staff then reviews these variances and explanations.
• One of the internal auditors has been involved in the design, installation, and initial operation of a new computerized inventory system. The auditor was primarily concerned with the design and implementation of internal accounting controls and conducted the evaluation of these controls during the test runs.
• The internal auditors are sometimes asked to make the accounting entries for complex transactions because the employees in the accounting department are not adequately trained to handle such transactions. The corporate controller believes this gives an added measure of assurance to the accurate recording of these transactions.
Required
a. Define objectivity as it relates to the internal audit function.
b. For each of the five non-audit activities presented, explain whether the objectivity of Leigh Industries' Internal Audit Department has been materially impaired. Consider each situation independently.
c. The director of internal audit reports directly to the corporate controller.
1. Does this reporting relationship affect the objectivity of the internal audit department? Explain your answer.
2. Would your evaluation of the five situations in question (b) change if the director of internal audit reported to the audit committee of the board of directors? Explain your answer.
36
An organization's internal audit department is usually considered an effective control mechanism for evaluating the organization's internal control structure. Birch Company's internal auditing function reports directly to the controller. Comment on the effectiveness of this organizational structure.
37
Explain why reduced security is an outsourcing risk.
38
List the four general control areas.
39
SOX contains many sections. Which sections are the focus of this chapter?
40
Give three examples of application controls.
41
How do automated authorization procedures differ from manual authorization procedures?
42
What problems may occur as a result of combining applications programming and maintenance tasks into one position?
43
Discuss the concept of independence within the context of an audit.
44
What types of documents would an auditor review in testing organizational structure controls? Why is it also important to observe actual behavior?
45
Discuss the key features of Section 404 of SOX.
46
Does a qualified opinion on internal controls over the financial reporting system necessitate a qualified opinion on the financial statements? Explain why or why not.
47
A bank in California has 13 branches spread throughout northern California, each with its own minicomputer where its data are stored. Another bank has 10 branches spread throughout California, with the data being stored on a mainframe in San Francisco. Which system do you think is more vulnerable to unauthorized access? Excessive losses from disaster?
48
Discuss why any distinction between IT auditing and financial auditing is not meaningful.
49
Explain how IT outsourcing can lead to loss of strategic advantage.
50
What are some tests of physical security controls?
51
Which of the following is NOT an implication of Section 302 of SOX?
A) Auditors must determine whether changes in internal control have materially affected, or are likely to materially affect, internal control over financial reporting.
B) Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit.
C) Corporate management (including the CEO) must certify monthly and annually their organization's internal controls over financial reporting.
D) Management must disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter.
52
Which of the following is NOT a potential threat to computer hardware and peripherals?
A) Low humidity
B) High humidity
C) Carbon dioxide fire extinguishers
D) Water sprinkler fire extinguishers
53
Which of the following would strengthen organizational control over a large-scale data processing center?
A) Requiring the user departments to specify the general control standards necessary for processing transactions.
B) Requiring that requests and instructions for data processing services be submitted directly to the computer operator in the data center.
C) Having the database administrator report to the manager of computer operations.
D) Assigning maintenance responsibility to the original system designer who best knows its logic.
E) None of the above.
54
Why is poor-quality systems documentation a prevalent problem?
55
What is the meaning of the term attest service?
56
What are the often-cited benefits of IT outsourcing?
57
INTERNAL CONTROL
In reviewing the process procedures and internal controls of one of your audit clients, Steeplechase Enterprises, you notice the following practices in place. Steeplechase has recently installed a new computer system that affects the accounts receivable, billing, and shipping records. A specifically identified computer operator has been permanently assigned to each of the functions of accounts receivable, billing, and shipping. Each of these computer operators is assigned the responsibility of running the program for transaction processing, making program changes, and reconciling the computer log. To prevent any single operator from having exclusive access to the program files and documentation, these three computer operators randomly rotate the custody and control tasks every two weeks over the files and the system documentation. Access controls to the computer room consist of magnetic cards and a digital code for each operator. Access to the computer room is not allowed to either the systems analyst or the computer operations supervisor.
The documentation for the system consists of the following: record layouts, program listings, logs, and error listings.
Once goods are shipped from one of Steeplechase's three warehouses, warehouse personnel forward shipping notices to the accounting department. The billing clerk receives the shipping notice and accounts for the manual sequence of the shipping notices. Any missing notices are investigated. The billing clerk also manually enters the price of the item and prepares daily totals (supported by adding machine tapes) of the units shipped and the amount of sales. The shipping notices and adding machine tapes are sent to the computer department for data entry.
The computer output consists of a two-copy invoice and remittance advice and a daily sales register. The invoices and remittance advice are forwarded to the billing clerk, who mails one copy of the invoice and remittance advice to the customer and files the other copy in an open invoice file, which serves as an accounts receivable document. The daily sales register contains the total of units shipped and sales amounts. The computer operator compares the computer-generated totals to the adding machine tapes.
Required
Identify the control weaknesses present and make a specific recommendation for correcting each of the control weaknesses.
58
SEPARATION OF DUTIES
Transferring people from job to job within the organization is the philosophy at Arcadia Plastics. Management believes that job rotation deters employees from feeling that they are stagnating in their jobs and promotes a better understanding of the company. The computer services personnel typically work for six months as an operator, one year as a systems developer, six months as a database administrator, and one year in systems maintenance. At that point, they are assigned to a permanent position.
Required
Discuss the importance of separation of duties within the information systems department. How can Arcadia Plastics have both job rotation and well-separated duties?
59
INTERNAL CONTROL AND DISTRIBUTED SYSTEM
Until a year ago, Dagwood Printing Company had always operated in a centralized computer environment. Now, 75 percent of the office employees have a PC. Users have been able to choose their own software packages, and no documentation of end user-developed applications has been required. Next month, each PC will be linked into a local area network and to the company's mainframe.
Required
a. Outline a plan of action for Dagwood Printing Company to ensure that the proper controls over hardware, software, data, people, procedures, and documentation are in place.
b. Discuss any risks the company may face if the devised plan is not implemented.
60
Discuss how the process of obtaining audit evidence in an IT environment is inherently different from obtaining it in a manual system.
61
Explain the role of a SAS 70 report in reviewing internal controls.
62
Define commodity IT asset.
63
What control framework does the PCAOB recommend?
64
Define general controls.
65
Explain why certain duties that are deemed incompatible in a manual system may be combined in a computer-based information system environment. Give an example.
66
What is the role of a corporate computer services department? How does this differ from other configurations?
67
What are assurance services?
68
Define specific asset.
69
Section 404 requires management to make a statement identifying the control framework used to conduct the assessment of internal controls. Discuss the options in selecting a control framework.
70
The PCAOB Standard No. 5 specifically requires auditors to understand transaction flows in designing their tests of controls. What steps does this entail?
71
Compare and contrast the following disaster recovery options: empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as from most costly to least costly.
72
Some internal controls can be tested objectively. Discuss some internal controls that you think are relatively more subjective to assess in terms of adequacy than others.
73
What are the conceptual phases of an audit? How do they differ between general auditing and IT auditing?
74
List five risks associated with IT outsourcing.
75
Which of the following statements is true?
A) Both the SEC and the PCAOB require the use of the COSO framework.
B) Both the SEC and the PCAOB require the COBIT framework.
C) The SEC recommends COBIT, and the PCAOB recommends COSO.
D) Any framework can be used that encompasses all of COSO's general themes.
E) Both c and d are true.
76
Computer accounting control procedures are referred to as general or application controls. The primary objective of application controls in a computer environment is to
A) ensure that the computer system operates efficiently.
B) ensure the validity, completeness, and accuracy of financial transactions.
C) provide controls over the electronic functioning of the hardware.
D) plan for the protection of the facilities and backup for the systems.
77
INTERNAL CONTROL RESPONSIBILITY FOR OUTSOURCED IT
Explain why managers who outsource their IT function may or may not also outsource responsibility for IT controls. What options are open to auditors regarding expressing an opinion on the adequacy of internal controls?
78
What are the five control implications of distributed data processing?
79
Distinguish between internal and external auditors.
80
DISTRIBUTED PROCESSING SYSTEM
The internal audit department of a manufacturing company conducted a routine examination of the company's distributed computer facilities. The auditor's report was critical of the lack of coordination in the purchase of PC systems and software that individual departments use. Several different hardware platforms, operating systems, spreadsheet packages, database systems, and networking applications were in use. In response to the internal audit report, and without consulting with department users regarding their current and future systems needs, Mr. Marten, the vice president of Information Services, issued a memorandum to all employees stating the following new policies:
1. The Micromanager Spreadsheet package has been selected to be the standard for the company, and all employees must switch to it within the month.
2. All future PC purchases must be Megasoft compatible.
3. All departments must convert to the Megasoft Entree database package.
4. The office of the vice president of Information Services must approve all new hardware and software purchases.
Several managers of other operating departments have complained about Marten's memorandum.
Required
a. Regarding setting systems standards in a distributed processing environment, discuss factors pertinent to:
1. Computer hardware and software considerations
2. Controls considerations
b. Discuss the benefits of having standardized hardware and software distributed across departments in the firm.
c. Discuss the concerns that the memorandum is likely to create for distributed users in the company.