Course Modules
Exam Preparation
Resources
The Information Systems Audit and Control Association (ISACA), an association that provides guidance on auditing controls for computer systems, has an online glossary of terminology that can be used as an additional resource for further reference (not examinable).
Learning objectives
7.1 How IT affects the internal audit process
Explain the concerns for internal auditors around IT auditing. (Level 2)
7.2 IT auditing
Discuss how IT auditing has developed in response to the specialized skills required to audit IT systems. (Level 1)
7.3 Risk in an IT environment
Identify the various IT risks and explain how they affect an organization. (Level 1)
7.4 IT control frameworks
Discuss the prevalent IT control frameworks governing technology audits: the IIA's Global Technology Audit Guide (GTAG) 1, Information Technology Controls, and ISACA's Control Objectives for Information and Related Technology (COBIT). (Level 2)
7.5 General controls
Identify the types of general controls used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness. (Level 1)
7.6 Application controls
Identify the types of application controls (procedures) used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness. (Level 1)
7.7 Communications network controls
Outline the types of controls used to address risks in an IT communications and networking environment. (Level 2)
7.8 Controls for end-user computing
Analyze the advantages and risks of an end-user computing environment and the types of controls used. (Level 1)
7.9 Emerging technologies and the auditor
Explain the implications of emerging technologies for the internal auditing profession. (Level 2)
7.10 Impact of e-commerce
Determine the impact of e-commerce on internal auditing. (Level 2)
Module summary
2. A controller became aware that a competitor appeared to have access to the company's pricing information. The internal auditor determined that the leak was occurring during the electronic transmission of data from branch offices to the head office. Which of the following controls would be most effective in preventing the leak of information?
a. Asynchronous transmission
b. Encryption
c. Use of fibre-optic transmission lines
d. Use of passwords
3. Responsibility for the control of end-user computing exists at the organizational, departmental, and individual user level. Which of the following should be a direct responsibility of the end users themselves?
a. Acquisition of hardware and software
b. Taking of equipment inventories
c. Strategic planning of end-user computing
d. Physical security of equipment
4. Systematic and rigorous testing of programmed controls reduces the risk of misplaced reliance on which of the following?
a. Management oversight to ensure adequate procedures
b. Proliferation of knowledge-based systems
c. Closer linkage between organizational strategy and information
d. Automated controls
5. Which of the following is not a benefit of using IT in solving audit problems?
a. It helps reduce audit risk.
b. It improves the timeliness of the audit.
c. It increases audit opportunities.
d. It improves the auditor's judgment.
6. Which of the following control objectives does not address application systems?
a. Controls designed to ensure that data are not lost, damaged, manipulated, or corrupted while being retrieved or updated
b. Controls designed to ensure the continued reliability of data through the transaction processing cycle
c. Controls designed to ensure that all authorized transactions are initially captured, once only, and are accurately recorded
d. Controls designed to ensure that new application systems development projects are only initiated if they are included in the IT strategic plan
7. Guidance for auditors to assess the control environment and control systems in an IT context is provided through various control frameworks and guidelines. Which of the following statements is true?
a. COBIT, published by the Information System Audit and Control Foundation, is geared towards management controls and does not address control objectives relating to application controls, which are of more relevance to the external auditor.
b. CGA-Canada Auditing Guideline No. 6, when used together with COBIT and the CICA IT Control Guidelines by a skilled auditor, will provide adequate guidance on assessing both general computer controls and application controls.
c. A computer audit specialist will always be needed to assess a client's use of technology because the guidelines are complex and information technology is changing all the time.
d. Auditors always have a choice of whether to audit "through the computer" or "around the computer," depending on how much time and the level of skills required to assess the general computer controls and programmed controls in accounting application systems.
8. Each day, after all processing is finished, a bank performs a backup of its online deposit files and retains it for seven days. Copies of each day's transaction files are not retained. Which of the following is the correct assessment?
a. This is valid because having a week's worth of backups permits recovery even if one backup is unreadable.
b. This is risky because restoring from the most recent backup file would omit subsequent transactions.
c. This is valid because it minimizes the complexity of backup/recovery procedures if the online file has to be restored.
d. This is risky because no checkpoint/restart information is kept with the backup files.
9. The accountant who prepared a spreadsheet model for workload forecasting left the company, and her successor was unable to understand how to use the spreadsheet. Which of the following would be the best control for preventing such situations from occurring in the future?
a. Monitor use of end-user computing resources.
b. Ensure end-user computing efforts are consistent with strategic plans.
c. Ensure documentation standards exist and are followed.
d. Make adequate backups for spreadsheet models.
Solutions
3.
4.
5.
6.
7.
a. Incorrect. COBIT does address control objectives at the application system level.
b. Correct. It is best to use a combination of available guidelines and control frameworks to demonstrate due diligence in assessing controls within an information technology environment.
c. Incorrect. Although a computer audit specialist may be used, it is not essential when an auditor has sufficient computer audit skills and the information technology environment is not overly complex.
d. Incorrect. Time and lack of knowledge are never valid reasons for restricting your scope. If you plan to place reliance on internal controls in a computerized environment, you will need to examine the controls built into the system.
8.
a. Incorrect. The practice of not retaining daily transaction data is unsound because the bank loses a day's transactions for each backup that is unreadable.
b. Correct. Backups should always be made to ensure that any lost information can be restored. However, not retaining each day's transaction files is risky because information received since the last backup file was created will be lost.
c. Incorrect. The practice of not retaining daily transaction data certainly minimizes complexity, but at the expense of losing transaction data if the online file must be restored from backup.
d. Incorrect. Checkpoint/restart information is not needed. The backups are created after all processing is finished for the day.
9.
a. Incorrect. Lack of monitoring is not the reason the accountant's successor could not use the forecasting model.
b. Incorrect. Lack of consistency is not the reason the accountant's successor could not use the forecasting model.
c. Correct. The accountant's successor could not use the forecasting model because of inadequate documentation.
d. Incorrect. Maintaining adequate backups is necessary, but lack of adequate backup is not the reason why the accountant's successor could not use the forecasting model.
Online reading 7.1-1, CGA-Canada Auditing Guideline No. 6: Auditing in an EDP environment (Level 2)
LEVEL 2
Information technology (IT) is not a new concept for the auditing profession. Every organization has either one or more computers onsite or a network of computers. In addition, technological change has accelerated over the past three decades and has made a significant impact on audits. For example, there has been a migration from centralized batch processing of transactions to distributed and networked information systems and web-based, real-time, online update and information retrieval. Technological change has created an increased reliance on both general controls and automated IT application system controls because there are fewer points of manual intervention in systems. In order to evaluate the adequacy of internal controls in an IT environment and determine the extent to which the controls are operating effectively, an internal auditor must have a good understanding of IT control objectives and criteria.
In manual systems, authorization can usually be traced to an individual. In some computer systems, authorizations can be automated (for example, credit authorization in point-of-sale or credit card systems). With these systems, controls must be in place to govern the automated authorizations embedded in application programs. Rapid developments in IT make for continuous change in the IT environment. This results in a need for changes in controls. The internal auditor also needs to keep abreast of the IT changes in the organization. Despite these concerns, the use of information technology provides an opportunity to improve controls. Properly designed controls built into IT systems can provide better quality and more timely financial and operational information, thereby enhancing the decision-making process.
In order to evaluate the adequacy of internal controls in an IT environment and assess their operating effectiveness, the internal auditor must have a good understanding of IT internal control objectives and criteria, as explained in Online reading 7.1-1, section 3. Like external auditors, internal auditors must have sufficient understanding of the IT environment to plan the audit, sufficient knowledge of IT to implement the audit procedures, and sufficient skills to competently evaluate the results.
Work performed by others
It is not necessary for every internal auditor to have the skills of an IT audit specialist. Where appropriate, audit teams can include IT audit specialists from within the internal audit department or outsourced resources when the necessary skills are not available internally.
Planning
Planning activities need to consider the IT environment and systems. See section 5 of Online reading 7.1-1 (but remember that this is written from an external audit perspective). Internal auditors should always consider whether using computer-assisted audit techniques will improve the effectiveness and efficiency of their work.
Accounting system and internal control
Internal controls in computerized systems are more difficult to evaluate than those in manual systems. To assess the adequacy of controls in computer systems, auditors must understand how the computer system works and how programmed controls are implemented. This is addressed in section 4 of Online reading 7.1-1 and covered more fully in later topics in this module.
Audit evidence
In evaluating audit evidence, auditors must determine if the computer systems process the information correctly and maintain accurate records. With the exception of small, less complex systems, it may not be sufficient for auditors to audit around the computer, examining only the input and output. Auditing around the computer refers to obtaining assurance by tracing output back to input source documents and vice versa, without directly evaluating the computer system and how the information is processed. Thus, auditors may need to audit through the computer. Auditing through the computer refers to evaluating the programmed controls in the computer to determine if they are adequate and effective. Here are some points to consider:
Computer-assisted audit techniques (CAATs) may be required because of the absence of input documents or an audit trail.
Timing may be affected if data are not retained for the whole period covered by the audit engagement.
CAATs may be used to improve the efficiency and effectiveness of the compilation of audit evidence and analysis. Prerequisites for the use of CAATs include the availability of computer facilities and software, and the auditor must have the necessary technical competence to perform or supervise the use of CAATs. (The use of CAATs was covered in Topic 5.5, and additional illustrations are included in Topics 8.3 and 9.3.)
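As an added illustration of the kind of CAAT this passage refers to (this code is not part of the course module or of Guideline No. 6), the following runs two common audit tests over a constructed extract of accounts-payable payments: a segregation-of-duties exception test (the same user prepared and approved a payment) and a duplicate-payment test. The field names and the sample records are assumptions made for the example.

```python
# Added example: two computer-assisted audit tests (CAATs) over a constructed
# payment extract. Field names and records are assumptions, not a real data set.
from collections import defaultdict

# Constructed sample extract of accounts-payable payments.
PAYMENTS = [
    {"id": "P001", "vendor": "V100", "invoice": "INV-7781", "amount": 1250.00,
     "prepared_by": "asmith", "approved_by": "bjones"},
    {"id": "P002", "vendor": "V100", "invoice": "INV-7781", "amount": 1250.00,
     "prepared_by": "asmith", "approved_by": "bjones"},   # exact duplicate of P001
    {"id": "P003", "vendor": "V205", "invoice": "INV-0031", "amount": 9800.00,
     "prepared_by": "cwu", "approved_by": "cwu"},         # preparer == approver
    {"id": "P004", "vendor": "V310", "invoice": "INV-5520", "amount": 410.50,
     "prepared_by": "bjones", "approved_by": "asmith"},
    {"id": "P005", "vendor": "V205", "invoice": "inv-0031", "amount": 9800.00,
     "prepared_by": "dlee", "approved_by": "cwu"},        # same invoice, different case
]


def segregation_of_duties_exceptions(payments):
    """Exception test: payments where one user both prepared and approved.

    A weak separation of duties is one of the risks the text lists for
    concentrated IT functions; this test surfaces it from the data.
    """
    return [p["id"] for p in payments if p["prepared_by"] == p["approved_by"]]


def duplicate_payment_exceptions(payments):
    """Group payments by (vendor, normalised invoice number, amount).

    Invoice numbers are upper-cased and stripped so that re-keyed invoices
    ("inv-0031" vs "INV-0031") are still matched. Returns only groups with
    more than one payment, keyed by the grouping tuple.
    """
    groups = defaultdict(list)
    for p in payments:
        key = (p["vendor"], p["invoice"].strip().upper(), round(p["amount"], 2))
        groups[key].append(p["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def run_caats(payments):
    """Run both tests and return the exception report as a dict."""
    return {
        "sod": segregation_of_duties_exceptions(payments),
        "duplicates": duplicate_payment_exceptions(payments),
    }


if __name__ == "__main__":
    report = run_caats(PAYMENTS)
    print("Segregation-of-duties exceptions:", report["sod"])
    for key, ids in report["duplicates"].items():
        print("Possible duplicate payments", key, "->", ids)
```

Both tests are detective: they report exceptions for an auditor to follow up, and they are only as good as the completeness of the extract, which is why the availability of the data for the whole audit period matters.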
Concentration of functions and knowledge: generally, the number of people involved in processing information is reduced and knowledge of the system may be concentrated, resulting in reduced segregation of duties in the absence of effective access controls. In addition, management competency with respect to IT affects internal control.
Concentration of programs and data: this may result in increased risk of unauthorized access to, and alteration of, data and programs.
Nature of processing
Absence of input documents (online order entry, automated approvals/matching)
Lack of a visible transaction trail (stored in computer files, perhaps for a limited period)
Lack of visible output (results of processing may not be printed in all cases)
Ease of remote access to data and programs
Vulnerability of systems and networks to exposure to hacking and unauthorized access
Design and procedural aspects
Consistency of performance: this can be more reliable, but incorrect programming logic will result in persistent errors.
Programmed control procedures: these facilitate fully automated controls (reasonableness and limit tests of field values, enforcement of segregation of duties through security profiles, and user IDs and passwords) and computer-assisted controls (error and exception reports that need manual attention).
Single transaction update of multiple files or tables: erroneous entries may affect various records.
Systems-generated transactions: these involve no visible input or authorization.
Vulnerability of data and program storage media: these may be exposed to theft, loss, or intentional or accidental destruction.
7.2 IT auditing
Learning objective
Discuss how IT auditing has developed in response to the specialized skills required to audit IT systems. (Level 1)
Required reading
Reading 7-1, IPPF Practice Guide: Integrated Auditing (Level 1)
Online reading 7.2-1, Global Technology Audit Guide (GTAG) 16: Data Analysis Technologies, pages 1-6 and 14-16 (Level 1)
LEVEL 1
The concerns of using IT for internal auditing have led to the need for internal auditors who have specialized knowledge of IT. This specialty is known as IT auditing (also computer auditing or EDP auditing). Online reading 7.2-1 explains how most internal auditing projects now require data analysis, and how the technology can be used throughout all phases of the audit. The technology is also used to perform continuous auditing testing, which was introduced in Topic 3.6. Reading 7-1, Practice Guide: Integrated Auditing, describes how the knowledge of specialist information systems auditors is sometimes integrated into a single audit approach to produce a more effective outcome through a holistic approach. In an integrated audit, the audit team looks at several aspects of performance including, but not limited to, financial, operational, IT, regulatory, compliance, environmental, and fraud. Exhibit 7.2-1 identifies several IT activities that are required to accomplish the mission of the IT internal audit unit.
Exhibit 7.2-1: Activities required to accomplish the mission of an IT internal audit unit
Keep current with those leading-edge technologies being considered to support and enable business operations.
Obtain an understanding of how new technology will relate to the business processes.
Foster an understanding and appreciation of the risks and controls associated with current technology among the internal and IT auditor community in order to ensure audit coverage and permit the auditors to move forward and keep pace with constantly changing leading-edge technologies.
Seek out technological audit tools to add to the toolkits of the IT and non-specialist internal auditors.
Interface with, or at a minimum, provide support and counsel to the internal auditors on audit issues associated with application systems that interface with business processes undergoing audit.
Maintain open lines of communication with operational and IT management to identify and review plans that call for the introduction of new technologies, and advise and support management regarding the risk/control environment related to such technologies.
Advise and counsel management to develop corporate computer policy and standards committees.
Establish and maintain involvement with professional auditing organizations in order to share and validate concerns and solutions.
Source: Adapted from Allan R. Paliotta, "A Personal View of a World Class IT Auditing Function," ISACA website (www.isaca.org), October 1999.
Because technology keeps changing and the pace of its advances is certain to accelerate, auditors must understand the risks and exposures created by firms adopting new and emerging technologies. Auditors can, in fact, capitalize on technological advances while at the same time making sure that the organization is protected from security threats.
7.3 Risk in an IT environment
Learning objective
Identify the various IT risks and explain how they affect an organization. (Level 1)
Required reading
Online reading 7.3-1, Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan (Section 5) (Level 1)
Reading 7-2, Diagnosis for IT Risk (Level 1)
Reading 7-3, Mobile computing (Level 1)
Reading 7-4, Making Risk Assessments Useful (Level 1)
LEVEL 1
Competence of management with respect to the IT environment
Pervasiveness and complexity of the IT environment
Conversion from manual procedures to IT procedures
Conversion from one IT application to another
Data access controls
Unwarranted reliance on computer-generated information
Segregation of incompatible functions
Adequacy of security and back-up procedures
IT risks can manifest themselves through any of the following:
Unauthorized disclosure, modification, or destruction of information, whether deliberate or accidental
Unintentional errors and omissions during processing
Disruptions in processing due to natural or man-made disasters
Failure to exercise due care and diligence in the implementation and operation of the IT system
Risk management should be integrated into every phase of the IT systems development life cycle (SDLC). Exhibit 7.3-1 describes the characteristics of each SDLC phase and how risk management can be performed in support of each phase.
Exhibit 7.3-1: Integration of risk management into the SDLC
Phase 1: Initiation
Phase characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.
Support from risk management activities: Identified risks are used to support the development of the system requirements, including security requirements and a security concept of operations (strategy).
Phase 2: Development or acquisition
Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.
Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design trade-offs during system development.
Phase 3: Implementation
Phase characteristics: The system security features should be configured, enabled, tested, and verified.
Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements and within its modelled operational environment. Decisions regarding risks identified must be made prior to system operation.
Phase 4: Operation or maintenance
Phase characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures.
Support from risk management activities: Risk management activities are performed for periodic system reauthorization (or reaccreditation), or whenever major changes are made to an IT system in its operational, production environment (for example, new system interfaces).
Phase 5: Disposal
Phase characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information, and sanitizing the hardware and software.
Support from risk management activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.
Source: Gary Stoneburner, Alice Goguen, and Alexis Feringa, Risk Management Guide for Information Technology Systems (National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg, MD, 2002), page 5.
Section 5 of GTAG 11 (Online reading 7.3-1) provides an overview of the process of identifying IT risks as part of an overall risk-based audit plan. This material also provides insight into current best practices for performing an IT risk assessment. Reading 7-2 outlines a top-down, risk-based methodology to help identify the key risks in IT business processes. Reading 7-3 discusses the complex but important risks associated with mobile computing. Reading 7-4 provides practical guidance on assessing IT security risk and ensuring it is useful.
7.4 IT control frameworks
Learning objective
Discuss the prevalent IT control frameworks governing technology audits: the IIA's Global Technology Audit Guide (GTAG) 1, Information Technology Controls, and ISACA's Control Objectives for Information and Related Technology (COBIT). (Level 2)
Required reading
Online reading 7.4-1, Control Objectives for Information and Related Technology (COBIT) 4.1 Excerpt (Level 2)
Online reading 7.4-2, Global Technology Audit Guide (GTAG) 1: Information Technology Controls, pages 3-25 (Level 2)
LEVEL 2
GTAG 1 outlines the importance of information technology controls (Online reading 7.4-2):
Although technology provides opportunities for growth and development, it also provides the means and tools for threats such as disruption, deception, theft, and fraud. Outside attackers threaten our organizations, yet trusted insiders are a far greater threat. Fortunately, technology can also provide protection from threats, as you will see in this guide. Executives should know the right questions to ask and what the answers mean. For example:
Why should I understand IT controls? One word: Assurance. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls, plus the evidence that controls are continuous and sufficient. Management and governance must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance. This guide will help you understand the evidence.
What is to be protected? Let's start with trust. Trust enables business and efficiency. Controls provide the basis for trust, although they are often unseen. Technology provides the foundation for many, perhaps most, business controls. Reliability of financial information and processes, now mandated for many companies, is all about trust.
Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture (collectively known as infrastructure) as well as the information itself. Many of the infrastructure controls are technical, and IT supplies the tools for many business controls.
Who is responsible? Everybody. But you must specify control ownership and responsibilities; otherwise, no one is responsible.
When do we assess IT controls? Always. IT is a rapidly changing environment, fueling business change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.
How much control is enough? You must decide. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive, but not nearly as expensive as the probable consequences of inadequate controls. IT controls are essential to protect assets, customers, and partners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today's global market and regulatory environment, these are all too easy to lose. [1]
Now read pages 3 to 25 of Online reading 7.4-2 on information technology controls.
COBIT
The Information Systems Audit and Control Association, through the IT Governance Institute, issued its Control Objectives for Information and Related Technology (COBIT) 4.1 in 2007 (Online reading 7.4-1). Although an expanded framework, COBIT 5, was issued in 2012, it is a complex business framework for the governance and management of enterprise IT. COBIT 4.1 is still in use; it is more specific to IT controls, and it is the framework referenced by the IIA Global Technology Audit Guides (GTAGs).
The COBIT framework has become recognized as an authoritative IT model designed to help corporate management understand and manage the risks associated with information technology. It is harmonized with other standards and continuously updated. COBIT helps answer the question of the minimum level of controls that is necessary. It is a control model to meet the needs of IT governance and ensure the integrity of information. COBIT supports IT governance by providing a framework to ensure the following needs are met:
IT is aligned with the business.
IT enables the business and maximizes benefits.
IT resources are used responsibly.
IT risks are managed appropriately.
Implementing COBIT allows for the following:
Better alignment based upon a business focus
An understandable view of IT for management
Clear ownership and responsibilities
General acceptability with third parties and regulators
Shared understanding among all stakeholders based on a common language
Fulfillment of the COSO requirements for the IT control environment
The COBIT framework is organized under four broad domains:
Planning and organization
Acquisition and implementation
Delivery and support
Monitoring
The four domains are further subdivided into 34 IT processes, with 3 to 30 detailed control objectives for each process (a total of 302 objectives). Most of the control objectives relate to general controls, but some attention is also given to application controls. COBIT provides internal and external auditors with a tool to substantiate their opinion on IT internal controls for the assessment of control risk (control environment, risk management processes, information systems, control procedures, and monitoring of controls). However, it is primarily aimed at providing management with a structured framework to demonstrate sound IT governance because it focuses on business objectives. Given that there are 302 control objectives, evaluation of each control objective would be a daunting task.
[1] March 2005, Copyright The Institute of Internal Auditors (IIA), Altamonte Springs, FL.
7.5 General controls
Learning objective
Identify the types of general controls used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness. (Level 1)
Required reading
Online reading 7.4-2, Global Technology Audit Guide 1: Information Technology Controls, pages 16-21 (Level 1)
LEVEL 1
Begin your consideration of controls in a computerized environment by reading pages 16-21 of Online reading 7.4-2. General controls are controls that are implemented to support overall computerized information processing activities. The general control components are as follows:
Organization and management controls
Separation of duties
Financial controls
Change management controls
Physical and environmental controls
Application systems acquisition, development, and maintenance controls
Computer operations controls
Systems software controls (security)
Program and data access controls (security)
Physical security
Backup and recovery controls
Physical security requires that adequate safeguards be taken to prevent accidental or deliberate loss of hardware, software, and data. Appropriate security measures must be in place to prevent loss caused by natural hazard, man-made hazard, error, fraud, or sabotage.
Although general controls may more appropriately apply to larger and more sophisticated computer environments, most internal auditors will still find this information useful. Not all general computer control components will have equal importance in every situation or environment. However, a basic understanding of the concepts will help you exercise your judgment in different environments.
Continuity of operations
In many organizations, continuity of operations is an often neglected control area. However, it is an essential element in ensuring the survival of most modern businesses, especially when the organization depends on its automated information systems and electronic information to conduct its business. There are two elements to continuity of operations:
Business continuity planning (BCP), which covers the development and update of plans, assigning responsibilities, obtaining contact names and numbers, periodic testing of the plans, and back-up procedures and off-site storage requirements.
IT recovery planning, which encompasses both preventive measures to mitigate disruptive incidents and recovery plans to restore IT resources if need be.
There are two aspects of backup:
Backing up data and application programs and storing them offsite so the applications and data can be recovered
Taking backups at various stages of data processing so that if a batch job fails, processing can be restored to the most recent backup and the job can run again
A common term used for ensuring continuity of operations is disaster recovery planning (DRP). This term is often used to refer to the planned procedures for restoring the IT environment and processing capabilities to an acceptable level following a disaster such as fire, flood, power failure, or earthquake. A planning committee is typically in place to develop and implement these measures. In connection with DRP, the internal auditor's role includes assisting with the assessment of risks, evaluating the design of the DRP, and periodically reviewing whether the plan is current.
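The backup and recovery point above, and the bank scenario in self-test question 8, both turn on what can be reconstructed from a nightly backup alone. The following simulation is an added example, not code from the course or from any reading it cites: it takes an end-of-day full backup of a small set of deposit balances, applies the next day's transactions, loses the online file before the next backup, and then recovers it both without and with the day's retained transaction file. The account numbers, amounts and function names are constructed for the example.

```python
# Added example: why retaining each day's transaction file matters for
# recovery (self-test question 8). Accounts and amounts are constructed.
import copy


def apply_transaction(balances, tx):
    """Apply one (account, amount) posting in place; negative amount = withdrawal."""
    acct, amount = tx
    balances[acct] = balances.get(acct, 0.0) + amount


def end_of_day_backup(balances):
    """Full backup: a point-in-time copy of the whole online deposit file."""
    return copy.deepcopy(balances)


def restore_from_backup_only(backup):
    """Recovery when daily transaction files are NOT retained (the bank's practice in Q8).
    Everything posted after the backup was taken is gone."""
    return copy.deepcopy(backup)


def restore_with_roll_forward(backup, retained_transactions):
    """Recovery when each day's transaction file IS retained: restore the last
    backup, then re-apply the logged transactions in their original order."""
    balances = copy.deepcopy(backup)
    for tx in retained_transactions:
        apply_transaction(balances, tx)
    return balances


def accounts_out_of_balance(expected, recovered):
    """Accounts whose recovered balance differs from the pre-failure balance."""
    accounts = set(expected) | set(recovered)
    return sorted(a for a in accounts
                  if expected.get(a, 0.0) != recovered.get(a, 0.0))


def simulate():
    """Run the Q8 scenario; return (pre-failure file, recovered without log, recovered with log)."""
    online = {"A-1001": 500.0, "A-1002": 1200.0}      # state after Monday's processing
    backup = end_of_day_backup(online)                 # Monday night backup

    tuesday = [("A-1001", 250.0), ("A-1002", -300.0), ("A-1003", 75.0)]
    transaction_file = []
    for tx in tuesday:                                 # Tuesday's online activity
        apply_transaction(online, tx)
        transaction_file.append(tx)                    # what Q8's bank discards

    pre_failure = copy.deepcopy(online)
    # The online file is lost on Tuesday afternoon, before Tuesday's backup runs.
    without_log = restore_from_backup_only(backup)
    with_log = restore_with_roll_forward(backup, transaction_file)
    return pre_failure, without_log, with_log


if __name__ == "__main__":
    pre_failure, without_log, with_log = simulate()
    print("Lost without transaction file:", accounts_out_of_balance(pre_failure, without_log))
    print("Lost with roll-forward:       ", accounts_out_of_balance(pre_failure, with_log))
```

Restoring the Monday backup alone returns the file to Monday's balances, so every account touched on Tuesday is wrong and the new account never existed; restoring the same backup and rolling the retained transaction file forward reproduces the pre-failure file exactly. The same idea, a checkpoint plus the postings since, is what lets a failed batch job be restarted from its most recent checkpoint rather than from the start.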
7.6 Application controls
Learning objective
Identify the types of application controls (procedures) used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness. (Level 1)
Required reading
Online reading 7.6-1, Global Technology Audit Guide (GTAG) 8: Auditing Application Controls, pages 1-13 (Level 1)
LEVEL 1
Application controls are control standards and techniques designed to meet the control objectives for a specific business process, such as payroll or inventory management. Application controls are grouped into the traditional categories of input, processing (including storage), and output. These categories are relevant regardless of the application processing environment (batch, online, real-time, client-server). The effectiveness of application controls is influenced by the strength of the general controls described in Topic 7.5.
With computer-assisted control procedures, computer-produced data are used together with manual user procedures. With fully automated control procedures, the complete control procedure is executed by computer.
An example of a computer-assisted control procedure is a computerized inventory order system, which permits prices to be entered by an authorized individual to override a standard price master file and prints a report of all price overrides. The control procedure of reviewing and approving the listing of price overrides uses the price override report, and depends on the program to correctly identify and report all price overrides. Examples of fully automated application control procedures within computer programs include the use of edit checks, such as check digits to ensure the validity of account numbers, and matching electronic purchase orders with goods received. In addition, application programs contain critical application processes, which perform computations or operations that cannot be verified independently. In the absence of such independent verification, reliance is placed on the critical application processes.¹
Automated control procedures can be found in the following areas:
- Within application code: these control procedures require an experienced programmer to modify them if the business rules change.
- Within parameter settings: these are the values that can be set within systems to determine how transactions will be processed.
- Within tables: these can be modified by end users.
Application controls can be either preventive or detective:
- Preventive controls are designed to prevent data entry or processing errors from occurring.
- Detective controls are designed to identify areas or problems after the fact.
Although detective controls are effective, there is a risk of the data being incorrect, if only for a matter of minutes or hours, before the control is performed and the error corrected. As enterprises use real-time processing in their computer-operating environments, the need for strong preventive controls increases. It is more efficient to prevent errors in files and databases than to correct them after the fact. However, detective controls are still important in most situations. In any application, a balance of preventive and detective controls is required.
Online reading 7.6-1, Global Technology Audit Guide 8 on auditing application controls, sets out guidance on the performance of risk-based audits of the controls over application systems. The following exhibit provides an overview of the application processing cycle.
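The preventive and detective application controls described above, as an added example that is not from the course text or GTAG 8: a check-digit edit on account numbers (assuming a mod-10 Luhn digit, since the text does not name a scheme), an authorization check on price overrides, the price override report used by the detective review, and automated matching of goods received to purchase orders, all run over constructed order records.

```python
"""Added example (not from the course text or GTAG 8): automated application
controls over a simplified order-entry process: a preventive check-digit edit,
an authorization check, a detective price override report, and automated
matching of goods received to purchase orders. Names, data and the choice of
check-digit algorithm are assumptions; all sample records are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def check_digit_valid(account_number: str) -> bool:
    """Preventive input edit check. Assumes a mod-10 (Luhn) check digit (the
    text only says 'check digits'); it rejects every single-digit typo and
    most adjacent transpositions before the record is accepted."""
    if not account_number.isdigit() or len(account_number) < 2:
        return False
    total = 0
    for position, char in enumerate(reversed(account_number)):
        digit = int(char)
        if position % 2 == 1:  # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


# Constructed price master file: SKU -> standard unit price.
PRICE_MASTER: Dict[str, float] = {"SKU-100": 25.00, "SKU-200": 8.50}


@dataclass
class OrderLine:
    order_id: str
    account: str
    sku: str
    quantity: int
    unit_price: float
    entered_by: str
    override_approved_by: Optional[str] = None  # who authorized a non-standard price


def validate_order_line(line: OrderLine) -> List[str]:
    """Preventive controls applied at input; an empty list means accept."""
    errors: List[str] = []
    if not check_digit_valid(line.account):
        errors.append("invalid account check digit")
    if line.sku not in PRICE_MASTER:
        errors.append("unknown SKU")
    if line.quantity <= 0:
        errors.append("quantity must be positive")
    standard = PRICE_MASTER.get(line.sku)
    if standard is not None and line.unit_price != standard and not line.override_approved_by:
        errors.append("price override without authorization")
    return errors


def process_orders(lines: List[OrderLine]) -> Tuple[List[OrderLine], Dict[str, List[str]]]:
    """Run the preventive controls; return accepted lines and rejections by order id."""
    accepted: List[OrderLine] = []
    rejected: Dict[str, List[str]] = {}
    for line in lines:
        errors = validate_order_line(line)
        if errors:
            rejected[line.order_id] = errors
        else:
            accepted.append(line)
    return accepted, rejected


def price_override_report(accepted: List[OrderLine]) -> List[Tuple[str, str, float, float, str]]:
    """Detective control: every accepted line priced off the master file, for
    supervisory review after the fact. The review is only as good as this
    listing's completeness, which is what an auditor would test."""
    return [
        (l.order_id, l.sku, PRICE_MASTER[l.sku], l.unit_price, l.override_approved_by or "")
        for l in accepted
        if l.unit_price != PRICE_MASTER[l.sku]
    ]


def match_receipts_to_orders(open_po: Dict[str, int], received: Dict[str, int]) -> List[str]:
    """Fully automated matching of goods received to open purchase orders
    (quantities by SKU); returns the exceptions needing follow-up."""
    exceptions: List[str] = []
    for sku, qty in received.items():
        if sku not in open_po:
            exceptions.append(f"{sku}: received {qty} with no open purchase order")
        elif qty > open_po[sku]:
            exceptions.append(f"{sku}: received {qty}, only {open_po[sku]} on order")
    return exceptions


# Constructed sample input. 79927398713 passes the Luhn check; 79927398710 does not.
SAMPLE_ORDERS = [
    OrderLine("O-1", "79927398713", "SKU-100", 3, 25.00, "clerk1"),
    OrderLine("O-2", "79927398710", "SKU-100", 1, 25.00, "clerk1"),          # bad check digit
    OrderLine("O-3", "79927398713", "SKU-200", 10, 7.00, "clerk2", "mgr1"),  # authorized override
    OrderLine("O-4", "79927398713", "SKU-200", 2, 7.00, "clerk2"),           # unauthorized override
]

if __name__ == "__main__":
    accepted, rejected = process_orders(SAMPLE_ORDERS)
    print("rejected:", rejected)
    print("price override report:", price_override_report(accepted))
    print("receipt exceptions:", match_receipts_to_orders({"SKU-100": 10}, {"SKU-100": 12, "SKU-300": 1}))
```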
Many organizations outsource some of their application processing activities to other organizations. This is most commonly done for payroll processing. The scope of internal audit work includes reviewing the risk management and control processes related to outsourced IT activities. This type of engagement requires specific planning.
Learning objective
Outline the types of controls used to address risks in an IT communications and networking environment. (Level 2)
No required reading
LEVEL 2
Communications networks are complex combinations of hardware and software with many technical protocols. In light of the risk implicit in communications and networking technologies, management needs to establish a framework of network security controls. An adequate network security level must be maintained to protect the organization from a variety of external threats such as denial-of-service attacks and hacking. Management should assess the risk to the organization and its business from its Internet and other telecommunications connections. If, for example, the organization's LAN/WAN contains highly confidential information, or if applications process a large number of high dollar amount financial transactions, the risk of attack is much higher and a higher level of security control should be installed. Security controls may include such measures as firewalls, intranets, or non-use of the Internet altogether. Following is a brief description of firewalls and intranets:
- Firewalls are either hardware or software, or a combination of the two, designed to separate one network from another for security purposes. A firewall is installed between the router and the LAN, and provides protection against unauthorized access to services on the LAN from the outside (such as from the Internet). It protects the LAN from attacks by hackers using the external connection as the gateway into the LAN.
- Intranets are internal information systems based on Internet technology, web services, communication protocols, and HTML publishing. Organizations use intranets to provide customers, suppliers, and staff with timely information in a secure private corporate network.
- Security measures such as alarms and locks on doors should be in place to protect physical access to equipment.
- Access control software should require periodic password changes, and data access should be limited to authorized individuals.
- Audit trails of security violations and usage statistics should be prepared, analyzed, and followed up.
- Sensitive data should be controlled through encryption, diskless workstations, and so on.
- Sensitive data files should be backed up and stored off-site.
- Concurrent or simultaneous access to data should be controlled.
- Controls should be in place for administering IDs and passwords, monitoring logs, and monitoring compliance with software licenses and agreements.
- Controls should be in place to change and delete passwords, as well as to automate log-on procedures.
- A network control group should exist with responsibility to monitor network performance and implement recovery procedures.
- Audit trails should exist at both the network and application system levels to support the ongoing operation of the network and provide information to reconstruct events occurring within the system.
- Access controls should be in place for files being transferred. The system must give ready access to authorized users and offer strict exclusion to non-users.
- Controls over distributed processing should be in place to ensure data consistency.
- Any file transfer (e-mail attachment or Internet download) may hold a virus. Virus-scanning software must be in place and used to protect systems from this threat.
- Posting of confidential e-mail messages on the Internet should be avoided.
- Access to various Internet sites by the organization's staff should be logged so that management can review such access to ensure legitimate use; filters can be used to restrict access to inappropriate Internet sites.
Where dial-in connection through the Internet is permitted by the organization, the system should keep a log of all successful and unsuccessful accesses so that irregular usage or attempted break-ins can be detected and prevented.
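An added example, not from the course text, of the log review the paragraph above calls for: constructed access-log lines in an assumed format are parsed and scanned for runs of failed log-ons (attempted break-ins) and for successful log-ons at irregular hours (irregular usage). The log format, field names, threshold, window and business hours are all assumptions.

```python
"""Added example (not from the course text): reviewing a constructed access
log for the two patterns the text says such a log should reveal: repeated
failed log-ons and successful log-ons at irregular hours. The log format,
field names, threshold, window and business hours are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed one-event-per-line format; addresses come from documentation ranges.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAIL) src=(?P<src>\S+)$"
)

# Constructed sample log (deliberately not in time order).
SAMPLE_LOG = """\
2024-03-01 08:15:00 user=alice result=SUCCESS src=203.0.113.5
2024-03-01 09:30:00 user=carol result=FAIL src=192.0.2.9
2024-03-01 09:30:20 user=carol result=SUCCESS src=192.0.2.9
2024-03-01 23:14:02 user=bob result=FAIL src=198.51.100.7
2024-03-01 23:14:30 user=bob result=FAIL src=198.51.100.7
2024-03-01 22:01:10 user=alice result=SUCCESS src=203.0.113.5
2024-03-01 23:15:05 user=bob result=FAIL src=198.51.100.7
2024-03-01 23:15:40 user=bob result=FAIL src=198.51.100.7
2024-03-01 23:16:12 user=bob result=SUCCESS src=198.51.100.7
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the log into events sorted by time. A line the parser cannot read
    raises rather than being dropped: silently losing records would defeat
    the purpose of the log."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(raw.strip())
        if not m:
            raise ValueError(f"line {lineno}: unrecognized log format")
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"], "result": m["result"], "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def failed_logon_alerts(events: List[Dict], threshold: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Flag any user with at least `threshold` failures inside a sliding
    window, noting whether a success followed the run (worth confirming
    with the account owner) and which source addresses were involved."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                last_fail = fails[j]["ts"]
                alerts.append({
                    "user": user,
                    "failures": j - i + 1,
                    "sources": sorted({f["src"] for f in fails[i:j + 1]}),
                    "followed_by_success": any(
                        e["result"] == "SUCCESS" and e["ts"] > last_fail for e in evs),
                })
                break  # one alert per user is enough for the review listing
    return alerts


def off_hours_successes(events: List[Dict], start_hour: int = 7,
                        end_hour: int = 19) -> List[Tuple[str, str]]:
    """Successful log-ons outside assumed business hours, for management review."""
    return [(e["user"], e["ts"].strftime("%Y-%m-%d %H:%M")) for e in events
            if e["result"] == "SUCCESS" and not start_hour <= e["ts"].hour < end_hour]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in failed_logon_alerts(evs):
        print("ALERT", alert)
    for who, when in off_hours_successes(evs):
        print("OFF-HOURS", who, when)
```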
Learning objective
Analyze the advantages and risks of an end-user computing environment and the types of controls used. (Level 1)
Required reading
Reading 7-5, Evaluating risk assessment and controls over end-user computing (Level 1)
LEVEL 1
- Documentation is often inadequate, hindering transferability and maintenance.
- Basic system functionality tends to be inadequately tested.
- Programmed internal controls and audit functionality are not designed into applications or are inadequately tested.
- End-user data may duplicate and not be reconcilable to other organizational data.
Learning objective
Explain the implications of emerging technologies for the internal auditing profession. (Level 2)
Required reading
Reading 7-6, The borderless enterprise (Level 2)
Reading 7-7, The Cloud and Your Data (Level 2)
LEVEL 2
For many emerging technologies, existing control systems may not be sufficient, requiring auditors to consider the new risks and controls related to emerging technologies. Today, emerging technologies in widespread use include e-commerce, application service providers (ASP), e-appliances, wireless networks, social media, and cloud computing. Application service providers offer software for users to access on the Internet instead of from a standalone computer. E-appliances include special-purpose devices designed for accessing the Internet, such as e-mail devices, web tablets, and web-enabled telephones. Wireless networks allow users to download e-mail messages and connect to the Internet without connecting through telephone or cable lines.
Information technology is a driving force in global commerce, and both public and private sector organizations are preparing for the technological challenges of the third millennium. The Internet has eclipsed all predecessor technologies in its impact. As its use grows exponentially, it has become an indispensable tool for organizations to relay information, form collaborative alliances, reduce operating costs, and generally transform the way business is conducted.
The role of internal auditors as partners and consultants in business and information technology planning will likely grow. They will be challenged to maintain adequate knowledge of emerging technologies and propose appropriate security and control measures to their organizations and clients on a timely basis. Auditors will need both business and technology skills, and will need to update them continuously through training and development. They will need to proactively explore new technologies to achieve auditing efficiencies through improved communications, sharing of successful practices, greater collaboration, and team-based approaches to work.
The impact of emerging technologies on the audit process is referenced in the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) mission statement for an IT audit. According to COSO, the mission of IT internal auditing is "using appropriate technological tools and expertise to evaluate the adequacy and effectiveness of control systems that address the risks resulting from the entity's use of technology to help achieve its business objectives." Reading 7-6 explains how new technologies are forcing companies to consider which risks to control when technology extends corporate activity beyond traditional corporate boundaries. Reading 7-7 discusses the benefits and risks offered by external service providers of cloud computing.
7.10 Impact of e-commerce
Learning objective
Electronic commerce (e-commerce) is the buying and selling of goods and services on the Internet, especially the World Wide Web. In e-commerce, financial transactions are conducted electronically between businesses or between a business and its customers. There are two main aspects of e-commerce: electronic data interchange (EDI) and web-based (Internet) e-commerce. Until fairly recently, many organizations did not venture into e-commerce because of the cost of setting up the appropriate applications and security concerns relating to opening up their systems to the world. However, with the Internet proving to be cost-effective and security concerns being addressed through technological advances, e-commerce is now a viable option for almost every organization in the world, regardless of size.
A value-added network (VAN) is a third-party service that provides a store-and-forward function for the trading partners. The VAN operates as a mailbox for participating businesses, where the sender transmits EDI transactions to the VAN, which then places the data in the intended recipient's mailbox. The recipient then accesses the mailbox and retrieves the EDI transactions. Although VANs can be costly, there are several advantages to using this type of arrangement:
- There is no need for common protocols between trading partners.
- It allows one trader to deal with many partners (no need for multiple point-to-point connections).
- A third-party report is likely to be available from a VAN service provider, to enable reliance to be placed on controls implemented at the organization.
- It provides increased security because it authenticates the sender and recipient and can act as a network firewall for the trading partners.
Module 7 summary
Information technology auditing
Module 7 looks at the impact of IT on internal auditing and the changing field of IT auditing. You are introduced to two frameworks that assist auditors with the evaluation of IT controls. The use of such controls is outlined, especially as they apply to computer communications, networking, and end-user environments. The module concludes with a look at the challenges of auditing in this environment where emerging technology is a constant.
Discuss how IT auditing has developed in response to the specialized skills required to audit IT systems.
Computer programs (such as ACL) have been developed specifically to assist auditors to extract information to be used in the audit and to perform data analysis auditing activities. Other computer programs such as application programs, system software, and other utility programs can also be used by internal auditors to audit IT systems. Auditors realized that auditing IT systems required more technical knowledge, which in turn led to the development of IT auditing. As newer, emerging technologies are implemented, it is imperative that IT auditors remain current. However, as IT systems become an integral component of any enterprise, all internal auditors must also be computer literate.
Identify the various IT risks and explain how they affect an organization.
IT control frameworks support a risk management-based approach to control. The following are the risk categories identified in the CICA IT Control Guidelines:
- Inherent risk: the risk that naturally exists in a particular business or situation
- Specific risk: the risk resulting from a location or method of operation of a particular function
- Technological risk: the risk of using technology to meet enterprise objectives
The fact that IT control frameworks support a risk management-based approach to control means that where such control frameworks are used, controls are identified and implemented in proportion to the risk that must be managed. To manage risk effectively in an IT environment, both risk analysis and risk assessment must be performed. Auditors must be able to explain the impact of IT risk to managers who are unaware of such risks.
Discuss the prevalent IT control frameworks governing technology audits: the IIAs Global Technology Audit Guide (GTAG) 1, Information Technology Controls, and ISACAs Control Objectives for Information and Related Technology (COBIT).
Control frameworks have been developed to assist with the comprehensive evaluation of controls in an IT environment, providing guidelines for both general and application controls:
- GTAG: Global technology audit guides have been developed by the IIA as a framework for technology audits.
- COBIT: This framework is becoming increasingly recognized as an authoritative IT governance model designed to help corporate management to understand and manage the risks associated with information technology.
Identify the types of general controls used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness.
General controls are controls implemented to support overall computerized information processing activities, and include the following:
- Organization and management controls
- Separation of duties
- Financial controls
- Change management controls
- Physical and environmental controls
- Application systems acquisition, development, and maintenance controls
- Computer operations controls
- System software controls (security)
- Program and data access controls (security)
- Physical security
- Backup and recovery controls
Audit procedures designed to test the operating effectiveness of general controls can often be performed using systems-oriented computer-assisted audit techniques and automated continuous monitoring.
Identify the types of application controls (procedures) used to address risks in an IT environment and develop audit procedures to test their operating effectiveness.
Application controls are control standards and techniques that are designed to meet the control objectives for a specific business process. Types of application control procedures include the following:
- Manual control procedures
- Programmed controls
The application processing cycle is comprised of the following steps:
- Input
- Processing
- Output
- Management or transaction trails
Limitations to application controls include the following:
- Failure to consider controls in relation to business risks, resulting in ineffective or inefficient control techniques
- Over-reliance on application-based control techniques
- Errors in application system functions/processing
- Failure to provide a management trail for reviewing the processing of transactions
Testing of application controls can be performed by doing the following:
- Inspecting system configurations
- Inspecting user acceptance testing
- Inspecting or reperforming reconciliations
- Reperforming the control activity on system data
- Inspecting user access listings
- Reperforming the control activity using test data
Outline the types of controls used to address risks in an IT communications and networking environment.
The internal auditor needs to evaluate the following:
- Firewalls, designed to separate one network from another for security purposes
- Intranets, designed to provide customers, suppliers, and staff with timely information in a secure, private corporate network
- Other specific network controls put in place by the organization
Analyze the advantages and risks of an end-user computing environment and the types of controls used.
Information processing using end-user computing is outside of the computer controls traditionally implemented by IT professionals. Because creating applications is easy for end users, IT departments have difficulty maintaining control over production and storage of information. For this reason, accepted control standards are either absent from end-user applications or inconsistently applied. At the same time, there are many benefits to end-user computing such as reduced bureaucracy and enhanced innovation. Classical methods of control need to be adapted to compensate for the specific risks of end-user computing. Intensity, invasiveness, and cost of controls must be balanced with the risks associated with each end-user application. The challenge for internal auditors is to stay abreast of ongoing advances, evaluate management's risk assessment, and provide advice on controls to minimize identified risks. The following are areas for consideration by management when evaluating its risk assessment and control framework for end-user computing:
- Policy directives and standards
- Support
- Application development
- Documentation
- Segregation of non-compatible duties
- Security
Explain the implications of emerging technologies for the internal auditing profession.
Emerging technologies are new, and therefore existing control systems may not be sufficient. Internal auditors are now acting as partners and consultants in business and IT planning roles that will continue to grow as new technologies emerge. Internal auditors will be challenged to maintain adequate knowledge of emerging technologies and to propose appropriate security and control measures to their organizations and clients on a timely basis. Internal auditors will require business and technology skills, updated continuously through training and development. They must proactively explore new technologies to achieve auditing efficiencies through improved communications, sharing of successful practices, greater collaboration, and a team-based approach to work.
Module 7: Self-test
1. Multiple choice
a. There are different control frameworks that assist internal auditors in evaluating internal controls in an IT environment. Which of the following best describes the four domains around which the COBIT framework is organized?
1. Planning and organization; acquisition and implementation; delivery and support; monitoring
2. Planning and organization; acquisition and implementation; systems development; systems security
3. Delivery and support; systems development; systems security; plans for IT personnel continuity
4. Planning and organization; acquisition and development; delivery and support; plans for IT personnel continuity
b. IT has had an impact on the way auditors approach an audit. Which of the following statements does not represent an effect of a client computerizing their accounting systems?
1. If interest calculation computer programs are not properly designed and tested, there is an increased risk that all transactions with an interest component will be incorrect.
2. In manual systems, all control processes are visible. However, when an accounting system is computerized, the control procedures are built into the application system, and previously manual control procedures are no longer visible. The auditor will not need to examine manual control procedures because automated control processes will now have to be tested.
3. The combined skills and competence required of the audit team will need to include the ability to identify and evaluate internal controls in an IT environment.
4. The use of a computer to assist with audit steps can improve the effectiveness and efficiency of the audit. Thus, the auditor could now consider opportunities for using CAATs where the client has computerized his/her accounting systems.
c. For general controls in an IT environment, which of the following statements is true?
1. The area responsible for computer operations should be responsible for application systems maintenance, running batch programs, and backing up application system data and programs.
2. Application systems development should be subject to a formal methodology, which includes defined standards within a formalized approach in initiating the system requirement, investigating the feasibility of the system, defining user requirements, systems design, program construction, acceptance testing, conversion, and implementation.
3. To enable users to fully utilize the available functions in the inventory system, the program documentation should be made available to all warehousing staff.
4. Emergency changes to application system programs that are required due to program failure should always be required to follow the control processes established for changes initiated by the application system users.
d. Which of the following statements represents a programmed application control?
1. The accounts receivable system generates an aged list of customer accounts for review and follow-up by the credit control manager.
2. The credit control manager reviews the customer's financial statements for the past financial year before revising the credit limits in the sales and accounts receivable system.
3. The operating system automatically initiates a daily data back-up batch run at midnight.
4. A personal identification number must be entered into a keypad located at the entrance to the computer room before personnel are granted access.
e. An internal auditor is reviewing the adequacy of existing policies and procedures concerning end-user computing activities. Which of the following is the auditor testing?
1. An application control
2. An organizational control
3. An environmental control
4. A systems control
2. CASE STUDY T7-1: Auditing personal computer environments
Your company has invested heavily in personal computing resources with the intent of reducing the amount of paperwork and spending on communications. Many of the personal computers are networked to provide automated office communications. Others are used for word processing and important business applications. A central IT support group has specified hardware and software requirements, and has provided assistance to purchasing in the vendor selection process. Before any acquisitions can take place, company procedures require a cost-benefit study.
Senior management has expressed concern about the proliferation of personal computers and the relatively poor results. Correspondence and reports are not as timely as expected and often contain errors. It has become difficult to tell which personal system contains the most authoritative figures, and occasionally, information produced fails to coincide with rules of thumb used by seasoned managers.
As an internal auditor, you have contributed to the cost-benefit study by conducting a special review of personal computer installations. You reported your findings and recommendations to the senior management committee. The audit review found that equipment was underutilized and that the benefits originally expected were not being realized. Local management and staff had plenty of ideas, but found it difficult to make new applications operational. Those systems that were functioning were poorly documented. Information on the hard drives and network file servers was seldom backed up, and the staff operating the personal computers had difficulty using some of the software. Some managers had hired consultants to help program their applications, but found the costs excessive. There was little evidence of any IT development and acquisition methodology when new applications were being developed.
Required
On the basis of your findings, draft your recommendations with respect to the assignment of responsibilities between the IT group, the managers who use the personal computers, and the internal audit function.
3. CASE STUDY T7-2: Personal Printing Inc.
Concerns have been raised about a plan your CEO has tabled with the board of directors, which entails making significant investments in a variety of emerging technologies over the next five years. The board seems generally unfamiliar and uncomfortable with these emerging technologies. It is whispered that the senior management team is quietly planning to make a takeover bid on one of the competitors whom the board members view as a renegade in terms of e-commerce activities and radical product lines. Apparently, when pressed for information, your CEO seems unable to clearly state what returns these investments will produce, what the payback period will be, or even how some of the technologies are intended to work. Needless to say, there is skepticism among some of the older members of the board.
As internal auditor, you are requested to make a presentation to the company's audit committee to advise whether funds that would otherwise be available for dividend increases are being misdirected, and how the audit department proposes to find out.
Required
Prepare the presentation by identifying opportunities and risks of the venture, and then describe your role in the evaluation.
4. CASE STUDY T7-3: Meander Inc.
You are the IT audit specialist in the internal audit department at Meander Inc., a growing distributor of building supplies. Having just completed an examination of the company's information technologies, you are reviewing your audit working papers in preparation for drafting the internal audit report. Your working papers highlight the following issues:
a. The information systems and technology manager (ISTM) presently reports to the director of finance, who reports to the vice-president of finance. The ISTM has repeatedly requested replacements to upgrade the aging connectivity infrastructure to a fibre-optic cable standard that would be capable of supporting requirements for greater bandwidths and faster response times. Sadly, these requests have been denied and priority has been given to the implementation of a new financial accounting application package. If steps are not taken to remedy this situation, erosion of online response times of the integrated marketing, inventory, purchasing system (IMIPS) is to be expected, and marketing's demands for video-conferenced national sales meetings and customer liaison will not be achieved.
b. Transaction files on tape are used daily to update the various master files, including Meander Inc.'s payroll system, which continues to be processed at the mainframe computing facility in Unionville. As a cost-cutting measure taken during the recession, it was decided that transaction tapes would be sent directly to the tape recycling facility at the end of each payroll run.
c. Daily integrated marketing, inventory, purchasing system (IMIPS) activity summaries and exception reports are written onto a network storage drive for laser printing at a later date. You noted that these summaries and exception reports have not yet been printed for the last 11 working days.
d. To economize on salary and benefit costs, the two former positions of Accounting Systems User Analyst and Accounting Systems Operator have been combined into one position. The qualifications, ability, and experience of the incumbent are good.
e. Your review of recent software enhancements and upgrades indicated that the program, which computes interest on overdue accounts receivable, was modified recently. The changes were designed and programmed by the accounting systems user analyst/operator, independently tested by operating systems department staff, and checked by the manager of processing operations.
Required
Draft the findings and recommendations section of the internal audit report to Meander Inc.'s management.
5. CASE STUDY T7-4: Nut Case, Inc.
From a review of your prior year's working papers and from audit planning discussions with John Case and Mary Nut (the directors), William Bates (the IT division head), and Justin Balance (the chief accountant), you have gathered the general information relating to the business and related information technology environment of Nut Case, Inc. You determine that for the past few years, William has been the driving force behind the growth and sophistication of Nut Case's information systems and has received enthusiastic support from the directors. Executive management support has particularly been forthcoming from Mary, who considers herself to be highly computer-literate and has personally been involved in the hiring of the IT staff. The use of computerized systems has increased steadily over the past few years to the point where, according to Justin, the running of Nut Case is now totally dependent on its system.
Mary mentioned that they had experienced some technical hitches earlier in the year when they connected to the Internet to take advantage of electronic communication with customers and suppliers. William advised that the company's use of web-based technology is in the initial testing phase and will not be in place by the end of the current financial year. He further explained that they are very conservative in their approach, following established standards and procedures, and have defined their planned future use of technology in a detailed strategy document. (He provided you with a copy of the strategy and annual business plans for the IT division, as well as with a status of implementation as of two months ago.) William advised that "we like to run a tight ship here, and instil in our managers and staff the need to adhere to good business practices and technology standards."
He further explained that the IT policies and procedures (which were assessed as appropriate and effective in the previous audit) have been further improved to incorporate the recommendations made by an independent consulting firm who had performed a penetration attack test following Nut Case's implementation of the web server. These recommendations related to improving the firewall. William further stated, "I have advised my managers that they need to comply with and contribute to the maintenance of the policies and procedures." He also indicated that the COBIT framework was used as the basis for developing a self-evaluation of Nut Case's IT governance and controls. You also interviewed the IT managers from the technical support, operations, and systems development departments.
The managers are proud of the IT division's achievements and emphasized their efforts in the operational and strategic planning process. The technical support manager remarked that "it was hard work and involved long hours, but it was worth it. Just look at the results." You establish that progress against the IT operational plan is discussed at the IT division's monthly management meeting and the strategic plan is monitored on a continuous basis. "After all," said the operations manager, "Mary wants to know how we are doing at the quarterly IT steering committee meetings." The managers all expressed that they fully understood what was expected of them and were happy in their jobs. "We have not lost a single technical person in the last 18 months, which is remarkable considering the career opportunities in the market today," the systems development manager added. The technical support manager gave you a diagram of the computer environment (Exhibit S7-1).
Exhibit S7-1: Nut Case computer environment overview
"This is our environment and we have had outstanding performance so far, with almost no downtime for our users. The main LAN with the applications, database, and print servers is located in the main administrative building in the basement. The servers themselves are located in the computer room, which has a protected environment. A flea could not get into that place. It's like Fort Knox!" stated the operations manager, who added, "We have to use a magnetic card and then key in a code to actually get into the computer room." You later observed this operation and noticed that the entrance and room were monitored by closed-circuit cameras. You also confirmed with the security department that all movement to and from the computer room was logged, and the logs were submitted to William Bates each morning. The technical support manager also advised that the factory and warehouse servers (although located outside the main administration building) were in locked rooms to which only the LAN administrators in his section had access. "Oh, and by the way, all the network hubs and routers, in fact all the network components, are secured in locked wiring closets. We cannot be too careful," added the technical support manager. You later confirmed that the buyer, sales, and IT LAN servers were also located in the computer room and the workstations were on the second floor. You also noticed that the factory was fenced and a small contingent of security guards observed all employees who entered and exited the factory and office premises.
The operations manager advised that six months ago, the organization had conducted a renewed risk assessment of the impact that a significant interruption would have on Nut Case's business. "Following this assessment of the application systems and the technology infrastructure required to support them, we have recently signed a hot site agreement with Keep Up and Running Inc. They have a very similar set-up to us and it will not be a major task to recover from a disaster," the systems development manager added. The operations manager agreed, and proceeded to explain at length how well the first full recovery test went and how it confirmed that the business continuity plan would work. (You later confirmed the successful recovery of all major application systems from the off-site backups with the chief accountant and the warehouse manager, Dave Stored.) The operations manager further explained that her section is responsible for migrating all approved program changes from the test environment into production and for running all the batch jobs, including the application system and database backups. "We also distribute the reports to the factory and warehouse managers each morning. The accounting section, the buyers, and the sales area collect their own output."
The operations manager further indicated that it is policy for the operations section to ensure that the ZapEm anti-virus software is installed and running on all servers and loaded on all workstations. She told you that ZapEm fires up on the workstations each day when the user first logs onto the network. "We send out a monthly newsletter to all staff to keep them aware of the threat from viruses. We also provide the help desk with the newsletters, and we have not had a single report of a virus in the past 10 months." The technical support section is responsible for the installation and maintenance of equipment and systems software, and for system and network security. "We only provide access to the network and applications on receipt of a memo from the responsible manager. Each day, I review all new user IDs and changes made to existing user access rights, if any. In addition, I make sure that all user accounts are promptly disabled for employees who leave Nut Case." The technical support manager added, "The policy from the IT steering committee is clear, and I agree with their requirements for the password rules we have set up on our networks." You subsequently review the password policies and note that the system should enforce a minimum password length of seven characters; require a mix of alpha, numeric, and special characters; enforce changes every 35 days; and disallow the reuse of the previous 10 passwords. You also establish that a default password, "nutcase", is used for all new user IDs. This must be changed on the new employee's first login. From discussions with user managers, you are told that their staff have only five attempts to log into the network before they are locked out and must phone the technical support area to enable them to get back into the system. In response to your question on the systems development methodology, the systems development manager stated, "We have a well-defined, tried, and tested set of procedures and standards. Most of our major application systems are proprietary, and we followed an intensive evaluation phase together with the users before we selected the vendor whose product was the best fit. That's from a business-needs and technological point of view." You subsequently confirmed, through discussions with the chief accountant, warehouse manager, and sales manager, the high level of user involvement in the selection and testing of each module, as well as in any changes to systems, before the systems were implemented. You also reviewed the change management committee minutes and noted that changes were evaluated and approved by the committee. It also reviewed any emergency changes that were made. The systems development manager added that the major application system modules were as follows:
Implemented in prior years:
General ledger
Project management and job costing in the factory
Implemented at the beginning of the current financial year:
Sales and accounts receivable
Capital assets
Implemented five months into the current financial year:
Purchases and accounts payable
Cash management, including electronic funds transfers from customers and to suppliers
You establish that the system modules are fairly integrated.
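The password rules and user-administration practices described in the case, as an added example that is not part of the course material or of Nut Case's own systems: a small Python audit helper that encodes the stated policy (seven-character minimum, alpha/numeric/special mix, 35-day change, no reuse of the last 10, default "nutcase" changed at first login, lockout after five attempts) and runs the exception tests an auditor would perform over constructed account records. The record layout, audit date and sample passwords are assumptions.

```python
"""Audit helper for the Nut Case password and user-access rules.

Added example, not course material. Encodes the stated policy (length >= 7,
mixed alpha/numeric/special, change every 35 days, no reuse of the last 10,
default "nutcase" changed at first login, lockout after 5 failed attempts)
and runs an auditor's exception tests over constructed account records.
Record layout, dates and sample passwords are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
import hashlib
import string

MIN_LENGTH = 7
MAX_AGE_DAYS = 35
HISTORY_DEPTH = 10
LOCKOUT_THRESHOLD = 5
DEFAULT_PASSWORD = "nutcase"   # default for all new user IDs, per the case
AS_OF = date(2024, 4, 10)      # constructed audit date

def pw_hash(password: str) -> str:
    """Hash a password so the records below never hold clear text."""
    return hashlib.sha256(password.encode()).hexdigest()

def meets_complexity(password: str) -> bool:
    """Length >= 7 with at least one letter, one digit and one special char."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

@dataclass
class Account:
    user_id: str
    enabled: bool
    employed: bool                 # still on the HR roll (assumed source)
    last_change: date              # date of the last password change
    current_hash: str
    history: list = field(default_factory=list)  # previous hashes, newest first
    failed_logins: int = 0
    locked: bool = False

def reuses_history(account: Account, new_password: str) -> bool:
    """True if the proposed password matches the current or last 10 hashes."""
    h = pw_hash(new_password)
    return h == account.current_hash or h in account.history[:HISTORY_DEPTH]

def record_failed_login(account: Account) -> bool:
    """Apply the five-attempt rule; returns True once the account is locked."""
    account.failed_logins += 1
    if account.failed_logins >= LOCKOUT_THRESHOLD:
        account.locked = True
    return account.locked

def audit_accounts(accounts, as_of: date) -> dict:
    """Exception lists an auditor would follow up with technical support."""
    return {
        # password older than the 35-day change interval
        "stale_password": [a.user_id for a in accounts
                           if (as_of - a.last_change).days > MAX_AGE_DAYS],
        # new user still on the shared default password
        "still_default": [a.user_id for a in accounts
                          if a.current_hash == pw_hash(DEFAULT_PASSWORD)],
        # leaver whose account was not disabled
        "leaver_enabled": [a.user_id for a in accounts
                           if a.enabled and not a.employed],
    }

# Constructed sample records (illustrative only).
SAMPLE = [
    Account("jbalance", True, True, date(2024, 3, 1), pw_hash("Ledger#24"),
            history=[pw_hash("Ledger#23")]),
    Account("newhire1", True, True, date(2024, 3, 28), pw_hash(DEFAULT_PASSWORD)),
    Account("exstaff", True, False, date(2024, 2, 10), pw_hash("Gone!2024")),
]

def audit_sample() -> dict:
    """Run the exception tests over the constructed records as of AS_OF."""
    return audit_accounts(SAMPLE, AS_OF)

if __name__ == "__main__":
    for finding, ids in audit_sample().items():
        print(f"{finding}: {ids}")
```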
Required
Assess the IT general controls at Nut Case, Inc. Include a conclusion as to the strength of the general controls.
Hint: Base your answer on the discussion of general controls provided in Topic 7.5.
Solution
Self-test 7 Solution 1
a.
1. Correct. These are the four domains of the COBIT framework.
2. Incorrect. Systems development falls under acquisition and implementation, and systems security under delivery and support.
3. Incorrect. Systems development falls under acquisition and implementation, systems security under delivery and support, and continuity also falls under delivery and support.
4. Incorrect. Continuity falls under delivery and support.
b.
1. Incorrect. In contrast to manual calculations, where interest computation errors would likely be ad hoc and detected by independent checking/reviews, computer program errors would be systemic rather than random. This would be an effect of computerization that an auditor would have to consider.
2. Correct. Manual control processes would still be relevant in a computerized system. It is generally not possible to automate all control procedures, and some human intervention would be required (such as review and approval of accounts receivable write-off entries).
3. Incorrect. To evaluate the adequacy of internal controls in an IT environment, it is necessary for an auditor either to have the expertise or to use a specialist to assess IT internal control objectives and control techniques.
4. Incorrect. The use of CAATs can certainly improve the effectiveness (100% testing instead of sampling) and efficiency (speed of calculation, sample selection, summarization, trend analysis, and analytical procedures) of an audit.
c.
1. Incorrect. Computer operations should not be responsible for application systems maintenance. Application systems programmers should maintain systems, and computer operations should transfer authorized changes into the production libraries. (Ensure authorized changes to programs through separation of duties.)
2. Correct. A formal systems development methodology should be used to ensure that the system delivers as expected and according to standards.
3. Incorrect. Access to program documentation should be restricted to application programmers. Users of application systems should not have free access to the documentation, because this increases the risk of unauthorized transactions through exploitation of system weaknesses.
4. Incorrect. Emergency changes cannot be subject to the same control procedures as planned changes. Because emergency changes often arise due to program failure, corrective action is taken immediately and the change is subsequently reviewed and approved.
d.
1. Correct. This is a computer-assisted control procedure that combines computer-produced data with manual user procedures.
2. Incorrect. This is a manual procedure.
3. Incorrect. This is a general (business continuity) control.
4. Incorrect. This is a physical access (general) control.
e.
1. Incorrect. Application controls are specific to the flow of transactions.
2. Correct. Organizational control concerns the proper segregation of duties and responsibilities within the information systems department. These duties are specified by the policies and procedures for the various information system functions, such as end-user computing.
3. Incorrect. Environmental controls influence the effective operation of all internal controls.
4. Incorrect. Systems control is not a sufficiently specific response.
Self-test 7 Solution 2
CASE STUDY T7-1: Auditing personal computer environments
Note: The purpose of this case is to show how the purchase and use of personal computers can be less beneficial than expected by a company. It helps to highlight the importance of assigning appropriate responsibilities to systems staff, management, and auditors in order to improve the effectiveness of the company's personal computer systems. It puts you in the position of the internal auditor who is expected to recommend changes to alleviate the problems identified. A number of valid approaches to this case are possible. One such approach follows. If the responsibilities for the development, acquisition, implementation, use, and maintenance of personal computer systems are shared, the organization will probably optimize its investment in personal computing resources. Users need help in acquiring and developing new applications, and require guidance in operating and maintaining existing ones. Central control by IT professionals over system development generally does not work because the users can easily program personal computers.
It is recommended that the delegation of authority to the IT group gives the group responsibility for the following:
Providing policies and standards to guide users when developing systems, maintaining programs, and operating equipment
Maintaining specialized software
Providing training to users on system operation and maintenance
Dealing with operating problems
It is recommended that the authority delegated to managers responsible for the use of personal computers should be clear and should include the following:
Ensuring adherence to policies and standards
Appointing a site administrator who knows and understands the operations and equipment, to apply the policies and standards and identify trouble spots on a timely basis
Defining training needs
Monitoring results
It is recommended that the responsibilities of the internal auditing group include the following:
Analyzing policies and procedural guidelines for completeness and practicality
Examining computer applications and sites critical to effective business operations
Evaluating the extent to which data assets, programs, and equipment are adequately safeguarded
Reviewing non-critical applications periodically, as priorities permit
Self-test 7 Solution 3
CASE STUDY T7-2: Personal Printing Inc.
Your presentation should identify opportunities and risks associated with the CEO's plan and present a clear sense of the role the internal audit team will play in assisting the board of directors to discharge its responsibilities. The structure and content of the presentation should address the following areas:
Opportunities
It is likely essential for this organizations management to aggressively pursue opportunities to capture and harness emerging technologies to contribute to the achievement of increased share values and profitability. The prospects for an ability to pay future dividends may be enhanced. In a dynamic and highly competitive global economy, private and public sector organizations must commit large segments of their total resources to capture and harness technologies to maintain their effectiveness or competitive position, and to ensure the fulfillment of key strategic, operating, and financial goals. This approach may also have a significant impact on the longevity, competitive position, and long-term success of the company. New information technologies can help the organization pursue innovative ways of doing business, supply vital information to support management decisions at all levels of the organization, and help to control and reduce costs.
Risks
While there are some opportunities, there are also significant risks of failing to effectively manage the development and acquisition of emerging technologies. Below are some possible outcomes when the development/acquisition of IT is not well managed:
Strategic, operational, and financial goals of the organization may not be achieved.
Information technologies may not work properly to meet the functionality needs of users, possibly producing inaccurate, incomplete, or untimely information that is inadequate to support management decision making.
Information technologies may not be developed, acquired, or successfully implemented on time, negatively impacting operational effectiveness and the firm's competitive position.
Information technologies may not be developed within reasonable cost targets established through an approved financial budget.
IT solutions may be implemented when more cost-effective options, such as outsourcing, might have been pursued.
New information technologies may be developed or acquired, or existing ones modified, with inadequate controls that can permit errors, departures from acceptable accounting principles, and potentially, fraud.
For those leading competitors in the IT arena, innovation can be costly and may create anxiety among risk-averse customers.
Business operations may be interrupted if information technologies fail to work properly, potentially causing significant financial loss and jeopardizing business continuity.
The internal auditor's role
The internal auditor should evaluate areas in IT development and acquisition projects, including the contribution to the organization, and present these evaluations to the board of directors. Main areas to examine would include strategic, operational, and financial planning processes; organization design and accountability frameworks; staff motivation; and monitoring and evaluation processes. Improvements in control systems and practices in these areas are likely to lead to greater profitability, share value, competitive position, corporate longevity, and ability to pay increasing future dividends. As agents of constructive change, internal auditors are probably most effective when they identify opportunities to strengthen new IT designs and implementation plans at a time when improvements can be made with the least effort and cost. This implies a degree of active and ongoing participation as a member of project teams, which is not typical of the internal auditor's approach in other settings. Over a project's life, different team players are normally involved with different intensities as the project unfolds. Users, for example, are critically involved in identifying needs at the beginning of projects; IT professionals take on a leadership role in the middle part of projects for the systems analysis, design, and software coding components; and all players are keenly interested in testing and conversion activities.
As these are key areas of interest, the internal auditor will do the following:
Monitor the project's compliance with the organization's IT development and acquisition methodology, which establishes project management standards
Evaluate the design and execution of system and acceptance testing
Closely monitor and evaluate the planning and execution of the conversion from the old technology to the new technology
Furthermore, in light of the internal auditor's training and professional expertise, he or she may be the most capable individual on the project team to advise on matters such as internal control requirements, management or audit trail needs, integrated CAAT design, the correct implementation of appropriate accounting principles, and overall cost-effectiveness.
Self-test 7 Solution 4
CASE STUDY T7-3: Meander Inc.
OBSERVATIONS AND RECOMMENDATIONS
a. Observation: The information technology department reports at too low a level in the organization and within a single function of the organization. IT investments have assumed a bias towards financial reporting applications at the expense of serving the current and expected future operational needs of departments such as marketing. During the audit, we noted that the information systems and technology manager (ISTM) reports to the director of finance. The system storage capacity has reached critical limits, and the computer systems department has been unable to obtain sufficient resources to pursue needed upgrades in connectivity to support marketing and sales activities. The effect will be significant reductions in customer service levels and potential loss of the company's competitive position.
Recommendation: Given the critical need to develop the company's connectivity infrastructure, we recommend that the ISTM report directly to the vice-president level. We also recommend that resources be redeployed from lower-priority investments and made available to purchase the needed fibre-optic network infrastructure.
b. Observation: Controls with respect to continuity of processing are not adequate because there is presently no provision for backing up transaction data. There is a risk of permanent loss of transaction details if system problems develop. Detailed transactions could not be reconstructed because the only record is stored on transaction tapes that are not retained but are recycled at the end of each payroll run.
Recommendation: Backup systems and practices should be developed and documented to strengthen continuity controls. This would include backup for files, programs, and hardware (alternate facilities), and contingency plans, all to ensure continuous operation of information processing and business operations support in the event of system failure.
c. Observation: There is inefficient use of management information, leading to a weakness in management/supervisory control systems and practices. At present, there is a significant delay in printing some of the daily transaction summaries and exception reports. We noted several instances where computer runs from the previous week had not been printed. Failure to make these reports available for timely managerial review, analysis, and follow-up undermines management's control of this application system.
Recommendation: Management control information should be provided to management for timely review, analysis, and follow-up.
d. Observation: There is inadequate segregation of incompatible duties within the IT function. To ensure an appropriate level of control, the duties of systems analysis, design, and programming should be separate from information processing operations. The proposed segregation of duties is primarily to prevent illicit manipulation of information or related resources combined with the ability to conceal such actions.
Recommendation: The duties of systems analysis, design, and programming should be separated from IT operations. Duties should be arranged such that different individuals from separate functional areas perform these two important functions.
e. Observation: Control systems and practices are not in place to ensure user approval of enhancements and upgrades to application programs. We found that accounts receivable management did not approve changes to the accounts receivable program in connection with the calculation of interest charges. Although the changes were tested and independently approved by staff in IT operations, it is important that the users, who have the best knowledge of the correct operation of the system and fiduciary accountability, approve all program changes.
Recommendation: Management of the primary user department should approve all application program changes.
Self-test 7 Solution 5
CASE STUDY T7-4: Nut Case, Inc. Assessment of general computer controls
You should identify the general control framework and the key controls associated with each area, as follows:
Organization and management
There are well-defined responsibilities, which are communicated to and accepted by the IT and user communities. IT management has maintained up-to-date policies, procedures, and standards covering all significant IT and end-user computing activities. The strategic and operational plans are current, and IT projects and performance are closely monitored by senior management through the IT steering committee. There is adequate segregation of duties between IT operations and the user functions. Management is using a generally accepted control framework (COBIT).
Application systems acquisition, development, and maintenance
The organization has complied with its formal systems development and acquisition methodology. The accounting system modules were thoroughly evaluated (with a high level of user involvement) and tested prior to being accepted by user management and implemented. The implementation of the new modules was well controlled through the change management committee.
Change control (application system maintenance)
There are strong controls over changes, including emergency change review. The operations section is responsible for migrating all approved program changes.
Computer operations
Strong anti-virus policies, procedures, and techniques are in place. Access to computer operations is restricted to authorized personnel through strong physical access controls:
Good perimeter physical security around the factory and office locations
Use of card keys to gain access to office areas is well controlled
File servers and network components are physically secured
After-hours logging and monitoring of offices and computer locations
System software controls
Strong logical access controls (password protected) are in place over software programs.
Data entry and program controls
Physical security:
Use of card keys to gain access to the computer room is well controlled
After-hours logging and monitoring of access to the computer room
Logical access and network security:
A firewall is in place to protect the local networks and was improved early in the year; penetration testing results are positive
Strong password policies are in place and implemented (automated enforcement)
Creation of new user accounts is closely monitored
Inactive user accounts are removed on a timely basis
Good intrusion prevention, account lockout, and response procedures are in place
Continuity of operations
Planning for recovery is based on a risk assessment. Backups are taken regularly and stored off-site. An arrangement has been made for an alternate site, and this has recently been tested. Nut Case has an up-to-date business continuity plan, which was tested during the year.
Overall conclusion
The general IT controls at Nut Case, Inc. have been appropriately designed and implemented and, as far as the evidence reviewed indicates, appear to be working effectively.