SOX Sections 302 and 404 (internal control and audit responsibilities)
Section 302
Section 404
Hall Chapter 15
- Evaluate implications of misstatements identified by the auditor
- Determine whether changes in IC are likely to materially affect IC over
  financial reporting
- SOX places responsibility on auditors to detect fraudulent activities and
  emphasizes the importance of controls designed to prevent or detect fraud that
  could lead to material misstatement
- Management is responsible for implementing controls and auditors are
  responsible for testing them
Computer Fraud
1. Misuse or theft of the firm's computer resources
2. Often involves using the computer to conduct personal business
3. Database management
   a. Physical repository for financial and nonfinancial data
   b. Database management fraud
      i. Includes altering, deleting, corrupting, destroying, or stealing an
         organization's data
      ii. Access to database files is essential for this
      iii. Often associated with transaction or program fraud
      iv. Perpetrator can access the database from a remote site and browse
          files for useful information
      v. Logic bomb: a destructive routine that can be inserted into a
         program; at a specified time or when certain conditions are met,
         it erases the data files that the program accesses
4. Information generation
   a. Process of compiling, arranging, formatting and presenting information
      to users
   b. Information can be an operational document or a published financial
      statement
   c. Fraud: steal, misdirect or misuse computer output
   d. Scavenging: low-tech but effective technique; involves searching
      through the trash of the computer center for discarded output that
      contains useful information
   e. Eavesdropping: listening to output transmissions over
      telecommunications lines; the countermeasure is data encryption, because
      it is practically impossible to prevent a determined perpetrator from
      accessing data communication channels
* Uses a risk-based approach rather than a one-size-fits-all approach to the
  design and assessment of controls
* Size and complexity of the organization need to be considered in determining
  the nature and extent of controls that are necessary
IT Governance Controls
Organizational Control Issues in the Generic Models:
1. Centralized
   a. Separate systems development from computer operations
   b. Separate the database administrator from other functions
      i. Database administrator (DBA) vs. other IT functions
      ii. DBA is responsible for a number of critical tasks
          pertaining to database security; its function is
          organizationally independent:
          1. Create database schema
          2. Create subschemas (user views): how database
             access is controlled
          3. Assign access authority to users
          4. Monitor database usage
          5. Plan for future expansion
   c. Separate DBA from systems development: access control
   d. Separate new systems development from maintenance
      i. Systems development
         1. Systems analysis group works with the user to
            produce a detailed design of the new system
         2. Programming group codes the programs according to
            the design specifications
      ii. Programmer usually maintains the system, which leads to
          inadequate documentation & fraud
      iii. Possible explanations for inadequate documentation:
           1. Documenting is not as interesting as designing,
              testing and implementing systems
           2. Job security: to be indispensable to the company
      iv. Having sole responsibility for maintenance is an
          important element in the duplicitous programmer's scheme
   e. Superior structure for systems development
      i. New systems development: responsible for designing,
         programming and implementing new systems projects
      ii. Systems maintenance: maintenance of successful projects
      iii. Solves the inadequate documentation problem
2. Decentralized/Distributed Data Processing Model (DDP)
   a. End-user departments control IT services
   b. Consolidates functions that are traditionally separated and
      distributes functions that are consolidated in the centralized model
   c. Implications
      i. Incompatibility: software might not match hardware;
         usage of different and incompatible technology might
         impair internal communications
      ii. Redundancy: data common to many users may be duplicated
      iii. Acquiring qualified professionals: hard to attract
           qualified personnel because of limited opportunity
      iv. Lack of standards: unevenly applied or nonexistent
* Usually firms are somewhere in between the extreme points
* DDP control problems can be overcome by implementing a
  corporate IT function, which has a different mission than that of the
  centralized IT function; it provides technical advice and expertise to the
  various distributed IT functions
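The separation-of-duties rules above (systems development vs. computer operations, DBA vs. systems development, new systems development vs. maintenance) and the DBA duties "assign access authority" and "monitor database usage" can be checked mechanically. The following is an added example, not code from Hall's text or from any audited organization: it flags accounts that hold incompatible functions and then scans a constructed database audit log for activity that contradicts the separation. The user assignments, log lines and function names are all constructed or hypothetical.

```python
"""Separation-of-duties check for IT functions plus a database-usage monitor.

Added illustration; not code from Hall's text or from any audited
organization. The incompatible pairs encode the organizational control
issues listed above, and the monitor applies the DBA duties "assign access
authority" and "monitor database usage". User assignments and audit-log
lines are constructed sample data; the function names are hypothetical.
"""
import re

# Pairs of IT functions the notes say must be organizationally separate.
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
}

DEVELOPMENT_FUNCTIONS = {"systems_development", "new_systems_development"}

# Statements that change schema or privileges: DBA work per the notes above.
SCHEMA_STATEMENTS = {"CREATE", "ALTER", "DROP", "GRANT", "REVOKE"}

# Constructed sample assignment of user accounts to IT functions.
ASSIGNMENTS = {
    "alice": {"new_systems_development"},
    "bob": {"systems_maintenance"},
    "carol": {"database_administration"},
    "dave": {"systems_development", "computer_operations"},      # conflict
    "erin": {"database_administration", "systems_development"},  # conflict
}

# Constructed sample database audit log: "<timestamp> <user> <statement>".
DB_AUDIT_LOG = """\
2024-03-01T09:12:04 carol CREATE VIEW prod.ar_summary AS SELECT cust, balance FROM prod.ar
2024-03-01T09:40:31 alice SELECT * FROM dev.customers
2024-03-01T10:05:12 alice UPDATE prod.customers SET credit_limit = 99999 WHERE id = 7
2024-03-01T11:30:00 carol GRANT SELECT ON prod.ar_summary TO clerk_role
2024-03-01T12:00:00 svc_batch SELECT count(*) FROM prod.gl
2024-03-01T22:17:45 bob DROP TABLE prod.audit_trail
"""


def sod_violations(assignments):
    """Return (user, conflicting pair) for every account that holds two
    functions the organization must keep separate."""
    findings = []
    for user, functions in sorted(assignments.items()):
        for pair in INCOMPATIBLE_PAIRS:
            if pair <= functions:
                findings.append((user, tuple(sorted(pair))))
    return findings


def parse_log(text):
    """Split each log line into (timestamp, user, statement)."""
    return [tuple(line.split(" ", 2)) for line in text.splitlines() if line.strip()]


def db_usage_findings(log_text, assignments):
    """Flag database activity that contradicts the function separation:
    schema/privilege changes by non-DBA accounts, development accounts
    touching production (prod.) objects, and accounts with no known function."""
    findings = []
    for ts, user, stmt in parse_log(log_text):
        functions = assignments.get(user, set())
        verb = stmt.split(maxsplit=1)[0].upper()
        touches_prod = re.search(r"\bprod\.", stmt) is not None
        if not functions:
            findings.append((ts, user, "unknown_account"))
            continue
        if verb in SCHEMA_STATEMENTS and "database_administration" not in functions:
            findings.append((ts, user, "schema_change_by_non_dba"))
        if touches_prod and functions & DEVELOPMENT_FUNCTIONS:
            findings.append((ts, user, "development_staff_on_production_data"))
    return findings


if __name__ == "__main__":
    for finding in sod_violations(ASSIGNMENTS) + db_usage_findings(DB_AUDIT_LOG, ASSIGNMENTS):
        print(*finding)
```

On the constructed data the first check reports dave (development plus operations) and erin (DBA plus development); the log scan reports alice updating a production table, the unknown svc_batch account, and bob (maintenance, not DBA) dropping a production table, while carol's view creation and grant pass because they are DBA work by a DBA account.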
Creating a Corporate IT Function
4. Air conditioning: for the computer to function at its best; best in
   temp. range of 70-75 degrees Fahrenheit and relative humidity of 50%
5. Fire suppression: fire is the most common threat to a firm's computer equipment
6. Fault tolerance controls: ability of the system to continue
   operations when part of the system fails because of hardware
   failure, application program error or operator error; redundant
   system components can help achieve fault tolerance
   a. Redundant arrays of independent disks (RAID): 2 disks;
      when one fails, lost data are automatically reconstructed
      from the redundant components stored on the other
   b. Uninterruptible power supplies: short-term backup
      power to shut down in a controlled manner; must be
      able to run the computer and air-conditioning
* Total failure can occur only in the event of failure of multiple components
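The RAID point above (one disk fails, its data is reconstructed from the redundant component) and the closing remark (total failure needs multiple component failures) can both be shown on simulated disks. The following is an added example, not code from Hall's text or from any vendor's RAID implementation: it models the two-disk case as a mirror and, going beyond the notes, also models N data disks plus one XOR parity disk, the general form the same reconstruction takes, so that the recovery rule and its limit (no recovery once two disks are gone) can both be exercised. Disk contents are constructed bytes and the function names are hypothetical.

```python
"""Fault tolerance through redundant disks: mirroring and single parity.

Added illustration; not code from Hall's text or from any vendor's RAID
implementation. Mirror = the two-disk case in the notes; parity = the same
idea generalized to N data disks plus one parity disk. All disk contents
are constructed bytes; function names are hypothetical.
"""


def mirror_write(data: bytes):
    """Two-disk mirror: every byte is stored on both disks."""
    return [bytearray(data), bytearray(data)]


def mirror_read(disks):
    """Serve the data from any surviving disk; None only if all have failed."""
    for d in disks:
        if d is not None:
            return bytes(d)
    return None


def parity_write(stripes):
    """N data disks plus one parity disk holding the XOR of all data disks.
    `stripes` is a list of equal-length byte strings, one per data disk."""
    length = len(stripes[0])
    if any(len(s) != length for s in stripes):
        raise ValueError("all stripes must have the same length")
    parity = bytearray(length)
    for s in stripes:
        for i, b in enumerate(s):
            parity[i] ^= b
    return [bytearray(s) for s in stripes] + [parity]


def fail_disks(disks, failed):
    """Return a copy of the array with the listed disks' contents gone (None)."""
    return [None if i in failed else bytearray(d) for i, d in enumerate(disks)]


def reconstruct(disks):
    """Rebuild the single missing disk by XORing every surviving disk
    (the XOR of all disks, data and parity, is zero, so the missing one
    equals the XOR of the rest). Returns None when no disk is missing or
    when more than one is: single parity cannot recover a multiple-component
    failure."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        return None
    survivors = [d for d in disks if d is not None]
    rebuilt = bytearray(len(survivors[0]))
    for d in survivors:
        for i, b in enumerate(d):
            rebuilt[i] ^= b
    return bytes(rebuilt)


def demo():
    """Exercise the cases the notes imply and report which succeeded."""
    data = [b"GL-2024-Q1-", b"AR ledger  ", b"AP ledger  "]  # constructed stripes
    array = parity_write(data)
    return {
        "one_data_disk_lost": reconstruct(fail_disks(array, {1})) == data[1],
        "parity_disk_lost": reconstruct(fail_disks(array, {3})) == bytes(array[3]),
        "two_disks_lost": reconstruct(fail_disks(array, {0, 2})),  # None: unrecoverable
        "mirror_survives_one_failure":
            mirror_read(fail_disks(mirror_write(b"journal"), {0})) == b"journal",
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running the block shows the single-failure cases recovering and the two-disk loss returning None, which is the "total failure only with multiple component failures" statement made concrete.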
Audit objectives relating to computer center security: evaluate
the controls governing computer center security; verify that:
1. Physical security controls are adequate to reasonably
   protect the organization from physical exposures
2. Insurance coverage is adequate
3. Operator documentation is adequate to deal with routine
   operations or system failures
Audit procedures for assessing physical security controls:
1. Test of physical construction: look at architectural plans
2. Test of fire detection system: fire systems should be tested regularly
3. Test of access control: observe the process by which access is permitted
4. Test of fault tolerance controls
Audit procedures for verifying insurance coverage: annually
review insurance coverage
Audit procedures for verifying adequacy of operator documentation
Transaction cost economics theory: firms should retain certain specific noncore IT
assets in-house; supports outsourcing of commodity IT assets but not of specific ones
CEO's perception of what is a commodity IT asset is important for IT
outsourcing decisions
Inherent risks:
- Failure to perform (vendor's performance will affect you)
- Vendor exploitation (dependency on the vendor might be taken advantage of by
  the vendor)
- Outsourcing costs exceed benefits (immediate costs, but expected benefits are
  not yet realized)
- Reduced security
- Loss of strategic advantage (affects IT strategic planning and its business
  planning functions)
Audit implications of IT outsourcing: SAS 70 report, prepared by the vendor's
auditor; the vendor can give it to its client and the client can show it to its
auditor
o Management is still responsible for ensuring adequacy of IT internal controls
APPENDIX
Attest Services vs. Assurance Services
- Attestation:
  o Practitioner is engaged to issue a written communication that expresses a
    conclusion about the reliability of a written assertion that is the
    responsibility of another party
  o Requirements:
    - Written assertions and a practitioner's written report
    - Formal establishment of measurement criteria or their description in
      the presentation
    - The levels of services in attestation engagements are limited to
      examination, review and application of agreed-upon procedures
- Assurance:
  o Professional services that are designed to improve the quality of
    information, both financial and non-financial, used by decision-makers
  o Includes, but is not limited to, attestation
External Financial Audit: an attestation performed by an expert who expresses an
opinion regarding the presentation of FS
Auditing Standards: 10 GAAS
Statements on Auditing Standards
- By AICPA
- Are authoritative pronouncements because every member of the profession
  must follow their recommendations or be able to show why a SAS does not
  apply in a given situation
External auditing = independent auditing = financial audit; represents the
interest of third-party stakeholders
If the internal auditor reports directly to the controller, the external auditor
should not rely on the work of the internal auditor (don't rely)
Auditing is a systematic process of objectively obtaining and evaluating evidence
regarding assertions about economic actions and events to ascertain the degree of
correspondence b/w those assertions and established criteria and communicating the
results to interested users.
The Structure of an IT Audit
Audit Planning
- Objective: to obtain sufficient information about the firm to plan the other
  phases of the audit
- Analysis of audit risk is extensively done here
- Identify principal exposures and controls that attempt to reduce them
Tests of Controls
Substantive Testing
Audit risk: probability that the auditor will render an unqualified (clean) opinion on
FS that are materially misstated
Errors: unintentional mistakes
Irregularities: intentional misrepresentation to perpetrate a fraud or to mislead
the users of FS
Auditor's objective: minimize audit risk by performing tests of controls and
substantive tests
2. Control risk: likelihood that the control structure is flawed because controls are
   either absent or inadequate to prevent or detect errors in the accounts
3. Detection risk: risk that auditors are willing to accept that errors not detected or
   prevented by the control structure will also not be detected by auditors; must be
   set at an acceptable level (planned detection risk) that influences the level of
   substantive testing to be performed
Relationship b/w tests of controls and substantive tests
- Both are auditing techniques used for reducing total audit risk
- Their relationship varies depending on the auditor's risk assessment
- Strong internal control → low control risk → less substantive testing
- Weak IC → high control risk → more substantive testing (to reduce total audit
  risk)
- When controls are strong, auditors may limit substantive testing
- Substantive testing is time consuming and also costly