
POLYTECHNIC UNIVERSITY OF THE PHILIPPINES

COLLEGE OF ACCOUNTANCY AND FINANCE


DEPARTMENT OF ACCOUNTANCY

INFORMATION TECHNOLOGY
ENVIRONMENT:
WHY ARE CONTROLS AND AUDIT
IMPORTANT?

SUBMITTED TO
Professor Marietta M. Doquenia

SUBMITTED BY
Arcalas, Jomarica
Basco, Angela
Caeda, Mitzi Yvonne
Galarido, Mike Christian
Rapinan, Kamille
BSA 4-4 (Group 1)
IT Auditing
IT auditing is the examination and evaluation of an organization's information technology
infrastructure, policies and operations. It was formerly called electronic data processing (EDP)
auditing, computer information systems (CIS) auditing, and IS auditing. Information technology
audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned
with the business's overall goals. IT auditors examine not only physical security controls, but also
overall business and financial controls that involve information technology systems.
The need for an IT audit function stems from:
Computers having impacted the ability of auditors to perform the attestation function
Computers being key resources in the business environment
Professional associations and organizations recognizing the need for IT control and
auditability

Because operations at modern companies are increasingly computerized, IT audits are used to
ensure information-related controls and processes are working properly. The primary objectives
of an IT audit include:
Evaluate the systems and processes in place that secure company data.
Determine risks to a company's information assets, and help identify methods to minimize
those risks.
Ensure information management processes are in compliance with IT-specific laws,
policies and standards.
Determine inefficiencies in IT systems and associated management.

Areas that affect IT Auditing:
Traditional Auditing contributes knowledge of internal control practices
IS Management provides the methodologies needed to design and implement systems
Behavioral Science provides analysis of the people problems that may cause IS to fail
Computer Science contributes knowledge about control concepts and the formal models used
as a basis for maintaining data integrity
Types of Audit needs within IT Auditing:
Organizational IT audits
Technical IT audits
Application IT audit
Development/implementation IT audits
Compliance IT audits

The breadth and depth of knowledge required to audit IT systems are extensive. For example, IT
auditing involves:
Application of risk-oriented audit approaches
Use of computer-assisted audit tools and techniques (CAATs)
Application of standards
Understanding of business roles and expectations in the auditing of systems
Assessment of information security and privacy issues
Examination and verification of the organization's compliance with any IT-related legal
issues
Evaluation of complex systems development life cycles or new development techniques
Reporting to management and performing a follow-up review to ensure that the actions taken
are working
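To make "computer-assisted audit tools and techniques" concrete, here is an added example that is not part of the group's paper: a short Python script that re-performs two application controls over a constructed accounts-payable extract, a segregation-of-duties test (the same user must not both enter and approve a payment) and a duplicate-payment test. The field names, user ids, vendors and amounts are assumptions invented for the illustration.

```python
"""Added example, not from the paper: a small computer-assisted audit
technique (CAAT) that re-performs two application controls over a
constructed accounts-payable extract.
  1. Segregation of duties: the user who entered a payment must not also
     be the user who approved it.
  2. Duplicate payments: the same vendor/invoice number paid more than once,
     after normalising case and whitespace so near-duplicates are caught.
Field names, user ids and amounts are invented for the illustration."""
from collections import defaultdict

# Constructed sample extract; P1005 is a near-duplicate of P1001 that a
# naive exact-match check would miss.
SAMPLE_PAYMENTS = [
    {"id": "P1001", "vendor": "V-ACME", "invoice": "INV-77", "amount": 1250.00,
     "entered_by": "jdoe", "approved_by": "mlee"},
    {"id": "P1002", "vendor": "V-ACME", "invoice": "INV-77", "amount": 1250.00,
     "entered_by": "jdoe", "approved_by": "mlee"},
    {"id": "P1003", "vendor": "V-BOLT", "invoice": "INV-12", "amount": 480.50,
     "entered_by": "rsmith", "approved_by": "rsmith"},
    {"id": "P1004", "vendor": "V-CORE", "invoice": "INV-03", "amount": 9900.00,
     "entered_by": "mlee", "approved_by": "jdoe"},
    {"id": "P1005", "vendor": "v-acme", "invoice": " inv-77 ", "amount": 1250.00,
     "entered_by": "jdoe", "approved_by": "mlee"},
]


def _norm(value):
    """Normalise a reference field so 'inv-77 ' and 'INV-77' compare equal."""
    return " ".join(value.split()).upper()


def sod_violations(payments):
    """Ids of payments where one user both entered and approved (control 1)."""
    return [p["id"] for p in payments if p["entered_by"] == p["approved_by"]]


def duplicate_payments(payments):
    """(vendor, invoice) -> ids, only for keys paid more than once (control 2)."""
    groups = defaultdict(list)
    for p in payments:
        groups[(_norm(p["vendor"]), _norm(p["invoice"]))].append(p["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def audit_report(payments):
    """Summarise exceptions and the amount exposed to them.

    Exposure counts every SoD exception in full and, for duplicates, every
    payment beyond the first in each group.
    """
    amount_of = {p["id"]: p["amount"] for p in payments}
    sod = sod_violations(payments)
    dups = duplicate_payments(payments)
    exposure = sum(amount_of[i] for i in sod)
    for ids in dups.values():
        exposure += sum(amount_of[i] for i in ids[1:])
    return {"sod_violations": sod, "duplicates": dups, "exposure": round(exposure, 2)}


if __name__ == "__main__":
    report = audit_report(SAMPLE_PAYMENTS)
    print("Segregation-of-duties exceptions:", report["sod_violations"])
    for (vendor, invoice), ids in report["duplicates"].items():
        print(f"Possible duplicate payments to {vendor} invoice {invoice}: {ids}")
    print("Amount exposed:", report["exposure"])
```

In a real engagement the extract would be pulled straight from the application's database or audit log rather than typed in, and each exception would be traced back to the supporting document before it is reported; the point of the script is that the control is re-performed over the whole population, not a sample.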

The auditing of complex technologies and communications protocols involves the Internet,
intranets, extranets, electronic data interchange, client/server systems, local and wide area
networks, data communications, telecommunications, wireless technology, integrated
voice/data/video systems, and the software and hardware that support these processes and functions.

IT Today and Tomorrow


High-speed information processing has become indispensable to organizations' activities. Control
Objectives for Information and Related Technology (COBIT) emphasizes this point and
substantiates the need to research, develop, publicize, and promote up-to-date, internationally
accepted IT control objectives.
The need for improved control over IT, especially in business/commerce, has been advanced over
the years in earlier and continuing studies by many national and international organizations.
Essentially, technology has impacted three significant areas of the business environment:
Technology has increased the ability to capture, store, analyze, and process tremendous
amounts of information. It has increased the empowerment of the business decision maker.
It has become a primary enabler of various production and service processes.
Technology has impacted the control process. It has altered the way in which systems are
controlled.
Technology has impacted the auditing profession in terms of how audits are performed.

Around the world, reports of white-collar crime, information theft, computer fraud, information
abuse, system penetration, and other information/technology control failures at major financial
institutions continue to appear in the press and on major television networks. Information
assurance-oriented organizations have been warned of the threats and losses that result from poor
controls over IS.
Today, more than ever, organizations are information dependent and conscious of the pervasive
nature of technology across the business enterprise. The increased connectivity and availability of
systems and open environments have proven to be the lifelines of most business entities. IT is used
more extensively in all areas of commerce around the world. Owing to the rapid diffusion of
computer technologies and the ease of information accessibility, knowledgeable and well-educated
IT auditors are in great demand.

Information Integrity, Reliability and Validity: Importance in Today's Global Business Environment


Information technology is a modern phenomenon that has dramatically changed the daily lives of
individuals and businesses throughout the world. Information technologies (IT) are vital to
company operations, and leveraging information technology for business success is a key to
survival in the modern business world. Nowadays, organizations operate in a dynamic, global,
multi-enterprise environment with team-oriented collaboration and place very stringent
requirements on the telecommunications network. Organizations are critically dependent on the
timely flow of accurate information. Two reported events in which IT failure disrupted world
commerce and communications illustrate the world's dependency on IT:
A major AT&T switch failed due to two software errors and a procedural error, causing
communications at that switch to become overloaded and leaving customers using credit
cards unable to access their funds for 18 hours. (1998)
A communications satellite went into an uncontrollable rotation, rendering pager
communication systems worldwide useless; companies using this technology for
electronic account transactions and verification were unable to process credit card
information for 24 hours, so their customers had to pay cash for their transactions.
(1998)

Even today, these types of events are repeated over and over again as organizations dependent
on technology encounter failure and disruption to services and business.
The chief executive officer (CEO) and chief information officer (CIO) want to meet or exceed
their business objectives and attain maximum profitability through an extremely high degree of
availability, fast response time, extreme reliability, and a very high level of security. To meet
changing business conditions and competition, the products for which IT provides consumer
feedback will also have to be of high quality, rich in information content, and packaged with a
variety of useful services.
Flexible manufacturing permits products to be produced economically in arbitrary lot
sizes through modularization of the production process
Improvements in Just-In-Time (JIT) and Lean Manufacturing, and Total Quality
Management (TQM), enable low-cost production

The unpredictability of customer needs and the shortness of product life cycles will cause the mix
of production capabilities and underlying resources required by the organization to change
constantly. Organizations will possess a dynamic network organization synthesizing the best
available design, production, supply and distribution capabilities and resources from enterprises
around the world and linking them and the customers together.
A multi-enterprise nature will enable organizations to respond to competitive opportunities
quickly and with the requisite scale, while, at the same time, enabling individual network
participants' cost and risk to be reduced.
The network must be highly interconnected so that people, organizations, and machines can
communicate at any time, regardless of location.
Flexibility, because the organization is constantly changing.
Cost effectiveness, because low cost is one of the ingredients in the mass-customization strategy.

In order to accomplish this, the organization must have the ability to reach anyone anywhere in
the world with the help of global area networks, various collaborative service platforms and perfect
service.
1. Global Area Networks
Wireless Networks (on-premise)
Wireless PBXs or LANs
Cellular Networks (off-premise)
iPad or iPhone
Global Satellite Networks
Iridium and Personal Communication Networks
2. Various Collaborative Service Platforms
Microsoft and Unix
3. Perfect service
Speed can be achieved through broadband networking: locally via
Fast Ethernet, Gigabit Ethernet, and asynchronous transfer mode (ATM) LANs,
and over a wide area via switched multimegabit data services (SMDS)
and ATM services
Reliability through quality hardware/software and proven wired and
wireless solutions where possible

Control and Audit: A Global Concern


Barter Systems - a system of exchange where goods or services are directly exchanged for other
goods or services without using a medium of exchange, such as money
Modified Barter Exchange Mechanism - a common medium of exchange was agreed upon
Money-based Exchange System - began when emerging central governments minted or coined
metals
Banking System
1. Money Warehouses
- Served as depositories for the safekeeping of funds
2. Fractional Reserve Banking System
- Only a fraction of bank deposits is backed by actual cash on hand and
available for withdrawal
3. Electronic Funds Transfer
- Electronic transfer of money from one bank account to another

Future of Electronic Payment Systems


The actual definition of an electronic payment is simple: a transfer of money from one
account to another electronically, i.e., without the need for paper checks or currency notes.
Examples include making online bill payments; direct debits and credits to your bank account; and
using credit and debit cards in online stores.
The use of e-cash has positive aspects such as more convenience, flexibility, speed, cost savings
and greater privacy. However, uncontrolled growth of e-cash systems could threaten bank- and
government-controlled payment systems and fuel the growth of confusing and inefficient
systems. In addition, e-cash could permit criminal activities such as money laundering and tax
evasion. Counterfeiters could also design their own mints of e-cash that would be difficult to
differentiate from real money. Finally, criminals such as computer hackers could instantaneously
pilfer the wealth of thousands of electronic consumers. Therefore, companies have been compelled
to develop electronic payment systems that address these consumers' concerns.
With the increase in E-commerce transactions, the likelihood of fraud increases as well. E-
commerce depends on security and privacy because without them, people would not have an
adequate level of comfort with the digital transmission of personal data. The primary areas of
concern with E-commerce are confidentiality, integrity, non-repudiation and authentication. These
areas are addressed in several ways, such as encryption and other cryptographic techniques
(message authentication codes and digital signatures) and the use of trusted third parties.
In addition, the credit card industry has been motivated to find secure technology for E-commerce.
In the US, the National Institute of Standards and Technology has done extensive work in this
area under its Information Technology Laboratory, with an emphasis on smart card standards.
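The four properties above map to distinct mechanisms, and it is easy to blur them. The following is an added example, not code from the paper or from any named vendor or standard: a Python script using only the standard library that protects a constructed card-order message with an HMAC (which gives integrity and authentication to a party holding the key) and then shows why a shared-key MAC does not give non-repudiation, the property for which a digital signature or a trusted third party is needed. The key, the order fields and the values are invented for the demonstration; confidentiality (encryption in transit) is outside the snippet.

```python
"""Added example, not from the paper: integrity and authentication of an
E-commerce order with a shared-key MAC, and why that does not provide
non-repudiation. Standard library only; key and order data are invented.
Confidentiality (encryption in transit, e.g. TLS) is outside this snippet."""
import hashlib
import hmac
import json


def canonical(order):
    """Serialise the order deterministically so both sides MAC the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def tag_order(order, key):
    """HMAC-SHA256 tag over the canonical order; proves integrity and origin
    to anyone who holds `key`."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order, tag, key):
    """Constant-time comparison so a forger cannot guess the tag byte by byte."""
    return hmac.compare_digest(tag_order(order, key), tag)


# Constructed values for the demonstration.
SHARED_KEY = b"demo-key-shared-by-customer-and-merchant"
ORDER = {"order_id": 4711, "card_last4": "4242", "amount": "199.00", "currency": "USD"}


def demo():
    """Return (genuine_verifies, tampered_verifies, merchant_forgery_verifies)."""
    tag = tag_order(ORDER, SHARED_KEY)

    # Integrity + authentication: the untouched order verifies ...
    genuine_ok = verify_order(ORDER, tag, SHARED_KEY)
    # ... and an attacker in the middle who changes the amount does not.
    tampered = dict(ORDER, amount="1.00")
    tampered_ok = verify_order(tampered, tag, SHARED_KEY)

    # Non-repudiation is NOT given: the merchant holds the same key, so it can
    # produce a valid tag for an order the customer never placed, and an
    # arbiter cannot tell the two apart. That requires an asymmetric signature
    # (only the customer holds the signing key) or a trusted third party that
    # timestamps and logs the order.
    inflated = dict(ORDER, amount="999.00")
    merchant_forgery_ok = verify_order(inflated, tag_order(inflated, SHARED_KEY), SHARED_KEY)

    return genuine_ok, tampered_ok, merchant_forgery_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The third result is the one an auditor should notice: a control that only proves "someone with the key produced this" cannot settle a dispute between the two key holders, which is exactly the gap the paper's "use of third parties" is meant to close.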
Legal Issues Impacting IT
The Sarbanes-Oxley Act was created as the result of public demand for new legislation to
prevent, detect, and correct corporate accounting frauds such as the Enron case. In addition to this
legislation, advances in network environments and technologies have brought to the forefront
issues of security and privacy that were once of interest only to legal and technical experts but
that today affect virtually every user of the information superhighway. Common uses of the
Internet include everything from marketing, sales, and entertainment to e-mail, research
and any other type of information sharing. Unfortunately, these advancements have also given rise
to new security and privacy problems, which are being brought to the attention of IT audit and
control specialists. Thus, current legislation and government plans will affect the online community.

Federal Financial Integrity Legislation


It has been more than a decade since the Enron case, but it still continues to plague today's
financial market. Therefore, the Sarbanes-Oxley Act of 2002 will remain a vivid reminder of the
importance of due professional care. This act prohibits registered public accounting firms from
providing most non-audit services (e.g., consulting) to the clients they audit. It also addresses new
auditor approval requirements, audit partner rotation every five years, and auditor reporting
requirements. The law was enacted to bring back the confidence and trust of the public.

Federal Security Legislation


The IT auditor should recognize that the US federal government has passed a number of laws to
deal with issues of computer crime and the security and privacy of IS. Private industry has in the
past been reluctant to act under these laws for fear of the negative impact it could have on a
company's current and future earnings and its public image.
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) was enacted by Congress in 1986 as an amendment to
existing computer fraud law, which had been included in the Comprehensive Crime Control Act
of 1984. The law prohibits accessing a computer without authorization, or in excess of
authorization.
The original 1984 bill was enacted in response to concern that computer-related crimes might go
unpunished. The House Committee Report on the original computer crime bill characterized the
1983 techno-thriller film WarGames, in which a young Matthew Broderick breaks into a U.S.
military supercomputer programmed to predict possible outcomes of nuclear war and unwittingly
almost starts World War III, as a realistic representation of the automatic dialing and access
capabilities of the personal computer.
The only computers, in theory, covered by the CFAA are "protected computers". They
are defined to mean a computer:
Exclusively for the use of a financial institution or the United States Government, or
any computer, when the conduct constituting the offense affects the computer's use by
or for the financial institution or the Government; or
Which is used in or affecting interstate or foreign commerce or communication,
including a computer located outside the United States that is used in a manner that
affects interstate or foreign commerce or communication of the United States.

In practice, nearly any ordinary computer, including cellphones, has come under the jurisdiction of
the law, because most Internet communication is interstate in nature.

Computer Security Act of 1987


Another act of importance is the Computer Security Act of 1987, which was drafted due to
congressional concerns and public awareness on computer security-related issues and because of
disputes on the control of unclassified information. The general purpose of the act was a
declaration from the government that improving the security and privacy of sensitive information
in federal computer systems is in the public interest. The act established a federal government
computer security program that would protect sensitive information in federal government
computer systems. It would also develop standards and guidelines for unclassified federal
computer systems and facilitate such protection.

Privacy Legislation and the Federal Government


Privacy Act
In addition to the basic right to privacy that an individual is entitled to under the U.S. Constitution,
the government also enacted the Privacy Act of 1974. The purpose of this is to provide certain
safeguards to an individual against invasion of personal privacy. This act places certain
requirements on federal agencies, which include the following:
Permits an individual to determine what records pertaining to him or her are collected and
maintained by federal agencies;
Permits an individual to prevent records pertaining to him or her that were obtained for a
particular purpose from being used or made available for another purpose without consent;
Permits an individual to gain access to information pertaining to him or her in federal
agency records and to correct or amend them; and
Requires federal agencies to collect, maintain, and use any personal information in a
manner that assures that such action is for a necessary and lawful purpose, that the
information is current and accurate, and that safeguards are provided to prevent misuse of
the information.

Electronic Communications Privacy Act


Title I of the ECPA protects wire, oral, and electronic communications while in transit. It sets
down requirements for search warrants that are more stringent than in other settings. Title II of the
ECPA, the Stored Communications Act (SCA), protects communications held in electronic
storage, most notably messages stored on computers. Its protections are weaker than those of Title
I, however, and do not impose heightened standards for warrants. Title III prohibits the use of pen
registers and/or trap and trace devices to record dialing, routing, addressing, and signaling
information used in the process of transmitting wire or electronic communications without a court
order.
Communications Decency Act of 1996
The Communications Decency Act of 1996 (CDA) was the first notable attempt by the United
States Congress to regulate pornographic material on the Internet. It banned making "indecent"
or "patently offensive" material available to minors through a computer network.
The act imposes a fine of up to $250,000 and imprisonment for up to 2 years. (The indecency
provisions were struck down by the Supreme Court in Reno v. ACLU in 1997; Section 230 remains
in force.) Section 230 of the Act has been interpreted to say that operators of Internet services are
not to be construed as publishers (and thus are not legally liable for the words of third parties who
use their services). The Act also specifically states that an employer shall not be held liable for the
actions of an employee unless the employee's conduct is within the scope of his or her employment.

Health Insurance Portability and Accountability Act of 1996


HIPAA was signed by President Clinton on August 21, 1996. Its original purpose was to make it
easier for Americans to maintain their health insurance when switching jobs and to restrict the
ability of insurers to reject them based on pre-existing health conditions. The law also added the
provisions on "administrative simplification". According to the U.S. Department of Health and
Human Services, the "administrative simplification" provisions require the adoption of national
standards for electronic health care transactions. By ensuring consistency throughout the industry,
these national standards make it easier for health plans, doctors, hospitals, and other health care
providers to process claims and other transactions electronically. The law also required security
and privacy standards in order to protect personal health information.
The provisions came at a time when hospitals and insurers used more than 400 different software
formats to transmit healthcare data, covering everything from headers on insurance forms to the
codes describing diseases and medications. Many viewed these provisions as the most expensive and
most difficult to implement.
According to InfoWorld, "Medical organizations will need to invest in some of the new
technologies currently available in other industries. Technologies like digital certificates,
authentication and biometric standards are needed to ensure that those who have authority to view
something are the only ones who have access." Implementing these new technologies to meet the
requirements of HIPAA can be both time consuming and expensive, especially for smaller hospitals
and clinics with little or no IT support. Noncompliant organizations can face stiff fines and penalties.

Security, Privacy and Audit


It appears that traditional as well as new security methods and techniques are not sufficient on
their own. Although many products are quite effective in stopping the majority of attacks on a
network, no single product seems to be able to protect a system from every possible intruder. Some
legislation in effect does not require periodic review, thus allowing various policies and procedures
to become outdated. The computer network industry is continually changing. Because of this, laws,
policies and procedures, and guidelines must constantly change with it; otherwise they will tend to
become outdated, ineffective and obsolete.
The government continues to utilize state-of-the-art techniques to access information for the sake
of "national security", justified currently under the Homeland Security Act.
A good computer security policy will differ for each organization, corporation or individual
depending on its security needs, although such a policy will not guarantee a system's security or
make the network completely safe from possible attacks from cyberspace. With the implementation
of such a policy, helped by good security products and a plan for recovery, losses can perhaps be
kept at a level that is considered acceptable and the leaking of private information can be
minimized.
