
UNIVERSITY OF WATERLOO SCHOOL OF ACCOUNTING AND FINANCE

ACC 626 Term Paper


Information Technology Impact on Assurance Engagement, Impact of Sarbanes Oxley, Internal Controls and Outsourcing
Kieng Iv 20233702
6/30/2011
Abstract:
Information technology has created risks for businesses and auditors such as segregation of duties,
complex revenue streams and computer crimes. C-suite executives should understand the impact that
information technology can have on their businesses. The profession and businesses manage these risks
through experts, frameworks, information technology tools and access management. There are new
information technology tools, such as cloud computing, that need to be addressed by auditors because
they create implications for internal controls and security of the business. This is something that is not
currently addressed by the profession but must be addressed in order to meet the needs of their clients.

Table of Contents
Introduction
Information Technology Risk
Managing Information Technology Risk
Sarbanes Oxley Impact
Outsourcing Information Technology
Conclusion
Work Cited
Annotated Bibliography
Introduction
Information technology has revolutionized the business world through how it operates and innovates;
however, the same technology has also created many risks within the business world and should be a
main concern for C-suite executives. "Information systems permeate all areas of organizations,
differentiate them in the marketplace, and consume increasing amounts of human and financial capital." [1]

The same information technology has had a pervasive impact on audit risk for internal and external
auditors. Auditors and the profession manage this relatively new risk in various ways such as use of
frameworks, assistance from specialists and information technology tools. This risk has increased
significantly due to the Sarbanes Oxley Act 2002. Sarbanes Oxley has had significant impact on internal
controls and internal control reporting, and it has increased the risk of outsourcing information
technology processes. This paper will also identify areas of risk with outsourcing information
technology, show how the business community manages that risk, and will identify any gaps not currently
addressed that will need to be addressed by the accounting profession.
Information Technology Risk
A survey done by Computer Crime and Security showed that 41% of unauthorized access was
performed by insiders within a company. [2] Insiders have access to and knowledge of the system that is
not as readily available to outsiders. Employees can also damage the organization through unintentional
means such as deleting important files, opening emails with viruses, and other such accidental acts. To
mitigate the risk of intentional and unintentional damage, organizations need effective access
management. Segregation of duties built into non-information technology processes needs to be
implemented in the information technology environment. With the use of information technology, capital
has replaced human capital in many traditional functions within the workplace; however, the same
segregation of duties requirements are still needed. An example of this is the posting of journal entries.
Prior to information technology, there may have been the need to have many accounting clerks to
manage all the journal entries of the organization; nonetheless, with automated functions, the need for
accounting clerks is reduced. This is only an issue when functions need to be segregated. With fewer
employees, organizations have to ensure that no employee has too much access and this is easy to
overlook since functions are performed virtually instead of physically. This makes segregation of duties
more challenging when information technology is introduced. The potential damage caused by internal
and external attacks includes direct costs but also loss of reputation. [3]

[1] Boritz, Efrim J. "Introduction to Internal Control and the Role of Information Technology." Computer
Control & Audit Guide. 11th ed. Waterloo: Centre for Information Integrity and Information Systems
Assurance, 2011. 3-24. Print.
[2] Silltow, John. "Shedding Light on Information Technology Risks." Internal Auditor December
(2005): 32-39. Web. 1 June 2011.
<http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a3f-40db34e401c%40sessionmgr4&vid=7&hid=17>
Information technology has increased audit risk by having a pervasive impact on the financial statement
reporting and auditing, especially on the occurrence and completeness of transactions and the testing of
controls. In today's standard audit, auditors must develop an understanding of the control environment of
the entity. "An unreliable system can cause a succession of events that negatively affect a company and
its customers, suppliers, and business partners." [4]

Controls have increased in complexity with information technology. For example, prior to information
technology, in order to test the controls for cash disbursements, an auditor would just need to obtain a
list of approved signatures and manually sample a list of cheques and compare it against the list of
approved signatures. However, information technology has allowed electronic transfers in addition to
preexisting physical cheques. In addition to the previous manual testing, auditors will have to develop an
understanding of the underlying accounting information system. Who has authority to create vendors?
Does authority exist for electronic transfers? If so, who has authority and can anyone override that
authority? Many of the same implications that exist for manual cash disbursements exist for information
technology, but verifying the controls is much more complicated and requires an understanding of the
information system.

Cash disbursement is not the only component of the audit that requires more attention; CAS 315.3
requires auditors to test controls if the entity's environment is highly automated with little or no manual
intervention. [5] Substantive procedures alone are insufficient to obtain sufficient appropriate audit
evidence. Prior to information technology, auditors evaluated whether to use a combined approach or
purely substantive approach based on the strength of the control environment, the volume of
transactions, and the cost-benefit analysis; however, the Canadian Auditing Standards are mandating the
compulsory testing of controls if the environment uses information technology and highly automated
processes. The standard setters have identified that it is improbable to obtain sufficient appropriate audit
evidence and thus, cannot express an opinion on the financial statements solely through substantive
testing.
Information technology has allowed companies to increase their revenue streams especially in the field of
e-commerce and online advertising. These opportunities have also increased complications in the
occurrence and completeness of these revenues. Revenue can generally be recognized when risk and
rewards are transferred to the buyer, performance is complete, collection is reasonably assured and
expenses and revenue are measurable. When it comes to online sales, the occurrence of sales is the
assertion that auditors need to test. One of the major differences between brick and mortar and online
sales is the collectability of the economic benefits. If an entity does not validate the method of payment for
online sales then fictitious transactions could be processed and revenue could potentially be overstated;
however, without understanding the information technology environment, auditors and the company would
not know that the revenue cannot be recorded due to collectability issues until much later.

[3] Ibid
[4] Boritz, Efrim J. "Introduction to Internal Control and the Role of Information Technology." Computer
Control & Audit Guide. 11th ed. Waterloo: Centre for Information Integrity and Information Systems
Assurance, 2011. 3-24. Print.
[5] CAS 315.13
It is difficult to assess completeness and occurrence without thorough understanding of controls for online
advertising and other purely electronic revenue streams such as video games. For example, if revenue is
recognized when advertisements are clicked on a website, then in order to capture when revenue is
earned, the underlying information system has to capture the instances when advertisements are clicked.
It is not enough to assess revenue earned by the information captured by the system. Another example is
if the batch transfer or the real-time transfer is corrupted or never reaches the internal systems when
advertisements are clicked, then the internal system will be inaccurate and the revenues will be
misstated. This increases the risk of material misstatements to a greater extent than if there were no
online revenue streams.
Not only does information technology increase the risk of material misstatement through complex revenue
streams, accounting errors occur more often when there are information technology control deficiencies. [6]
Companies with more information technology control deficiencies pay a higher audit fee and generally
employ smaller accounting firms. [7] Lastly, auditors could issue the incorrect opinion if they do not
understand how the information technology impacts the business and this could lead to loss of reputation
and legal issues.
One of the top risks listed in the 2010 Internal Audit Capabilities and Needs Survey was ability to assess
information technology risk, which also topped the list in 2009. Also high on the list is certification
standards for COBIT. "Managing director of Protiviti, Scott Graham, stated that auditing information
technology processes and activities should be one of the highest priorities in internal audit departments
given that information technology enables virtually all business functions". [8] The Institute of Internal
Auditing has responded to this risk by introducing six standards covering topics including assessing
information technology governance.
Overall, there are many implications that information technology has created for the audit and the
businesses that utilize information technology.

[6] Grant, Gerry H., Karen C. Miller, and Fatima Alali. "The Effect of IT Controls on Financial
Reporting." Managerial Auditing Journal 23.8 (2008): 803-23. Web. 29 May 2011.
<http://www.emeraldinsight.com/journals.htm?articleid=174711&show=pdf>
[7] Ibid
[8] Jaeger, Jaclyn. "Survey: IT Risk, IFRS Top Internal Auditors' Worries." Survey: IT Risk, IFRS Top
Internal Auditors' Worries 7.77 (2010): 38. Web. 31 May 2011.
<http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=1282111>
Managing Information Technology Risk
Information technology has increased audit risk and auditors had to address this risk by using information
technology specialists and information technology tools. The IIA has provided lots of material and training
to address the information technology issues within internal audit. As well, frameworks such as COBIT,
COSO and ITCG have provided guidance for auditors to use in order to assess clients' information
technology controls. Lastly, AICPA has clearly established that auditors are responsible for understanding
the role of information technology in the client's business. [9]

AICPA has advised auditors to consider using "computer-related audit procedures, including information
technology specialists, when they obtain an understanding of client internal controls during audit
planning". [10] In a study done in the Journal of Information Systems, it was found that in 41% of sampled
engagements information technology specialists were used. [11] Information technology specialists are
generally involved in the planning and performance of information technology controls testing to reduce
audit risk. The more complex the computer environment, the more important it is to get an information
technology specialist involved when performing an audit. At Deloitte, it is now required to have an IT
specialist in the audit planning at least every three years because the growing importance of
information technology within the clients' environment produces the need to reduce the information
technology risk. [12]

The use of information technology specialists allows auditors to test sophisticated information technology
processes. Referring back to the example with electronic transfers, if an information technology specialist
is used, then the underlying system controls can be verified for whether or not there are segregation of
duties issues and if there are unauthorized disbursements. As well, online revenue streams can be tested
more effectively if the controls of the system are tested by information technology professionals to verify
the completeness and occurrence of those revenue streams. Testing controls is not only necessary for
these complicated transactions, but also reduces the amount of substantive testing needed and creates
audit efficiencies.

[9] Bedard, Jean C., Cynthia Jackson, and Lynford Graham. "Information Systems Risk Factors, Risk
Assessments, and Audit Planning Decisions." Web. 28 Mar. 2011.
<http://aaahq.org/audit/midyear/03midyear/papers/Systems%20Risk%20Factors%20and%20Audit%20Planning%2009-18.pdf>
[10] Jarvin, Diane, James Bierstaker, and Jordan Lowe. "An Investigation of Factors Influencing the
Use of Computer-Related Audit Procedure." Journal of Information Systems 23 (2009): 1-22. Web. 23
June 2011. <http://www.bus.iastate.edu/djanvrin/acct484184/readings/01%201_22-3.pdf>
[11] Jarvin, Diane, James Bierstaker, and Jordan Lowe. "An Examination of Audit Information Technology
Use and Perceived Importance." Accounting Horizons 22.1 (2008): 1-21. Web. 28 May 2011.
<http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&vid=6&hid=17>
[12] Pryce, Jim. "ACC 626 Deloitte Partner Interview." 03 May 2011. E-mail.
In the past, 80% of data files were processed using flat files and only 20% using databases. However,
those percentages have changed and now 80% of data files are processed using databases. The
implication is that record retention is not as clear, and as a result, audit trails are more complex or do not
exist in physical form. [13] In order to obtain sufficient appropriate audit evidence, computer assisted audit
techniques may be needed in situations such as the absence of input documents (i.e. order entry in
on-line systems), the lack of a visible audit trail, visible output, visible control totals, or varying quantities
of audit information may make manual techniques impractical. [14] In order to address the risk that
information technology has created, it is necessary for auditors to turn to computer-assisted auditing
techniques. "Computer-assisted auditing techniques (CAATs) can be used for assessing inherent risk,
evaluating internal control and assessing control risk, analytical review, and tests of detail applied to
transactions and/or balances." [15] A more specific example is illustrated by the Information Systems Audit
and Control Association (ISACA). This example entails that payroll controls have not been properly
implemented and the system has existed for two years. Instead of manually testing two years of payroll
data, the system can be tested in completeness using CAATs and not only provides assurance on payroll
but also "increases the credibility and value provided by the audit function." [16] This is an example of
where CAATs are necessary because of the large amount of transactions. [17] ACL and IDEA are two
common CAATs used in practice. "The use of ACL and IDEA has increased audit efficiency and
effectiveness." [18]
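The cash disbursement questions raised earlier (who may create vendors, who may approve electronic transfers, and whether anyone can override that authority) can be run as a CAAT over every record instead of a sample. The following is an added example, not part of the original paper: the records, user names, field names and authorization lists are all constructed for illustration.

```python
"""CAAT-style full-population control test over electronic cash disbursements.

Added illustration: every record, user name, field name and authorization
list below is constructed and does not come from the paper or a real system.
"""
import csv
import io
from collections import defaultdict

# Constructed vendor master change log: who created each vendor.
VENDOR_LOG = """vendor_id,created_by
V001,alice
V002,bob
V003,carol
"""

# Constructed electronic payment register.
PAYMENTS = """payment_id,vendor_id,amount,entered_by,approved_by,override
P1001,V001,1200.00,dave,erin,N
P1002,V002,560.50,bob,erin,N
P1003,V003,9800.00,dave,carol,N
P1004,V001,300.00,dave,,N
P1005,V002,15000.00,dave,frank,Y
P1006,V004,75.00,dave,erin,N
P1007,V003,410.00,erin,erin,N
"""

# Assumed authorization matrix, as an auditor would obtain it from the client.
VENDOR_CREATORS = {"alice", "bob"}     # may create vendor master records
PAYMENT_APPROVERS = {"erin", "carol"}  # may approve electronic transfers
OVERRIDE_USERS = set()                 # nobody is allowed to override approval


def load(text):
    """Parse embedded CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def run_control_tests(vendor_rows, payment_rows):
    """Test every vendor and payment; return {record_id: [exception, ...]}."""
    exceptions = defaultdict(list)
    creator = {}
    for v in vendor_rows:
        creator[v["vendor_id"]] = v["created_by"]
        if v["created_by"] not in VENDOR_CREATORS:
            exceptions[v["vendor_id"]].append("vendor created by unauthorized user")

    for p in payment_rows:
        pid, approver = p["payment_id"], p["approved_by"]
        made_by = creator.get(p["vendor_id"])
        if made_by is None:
            exceptions[pid].append("payee not in vendor master")
        if not approver:
            exceptions[pid].append("no approval recorded")
        elif approver not in PAYMENT_APPROVERS:
            exceptions[pid].append("approved by unauthorized user")
        # Segregation of duties: entry and approval must be different people.
        if approver and approver == p["entered_by"]:
            exceptions[pid].append("SoD: entered and approved by same user")
        # Segregation of duties: whoever created the vendor must not pay it.
        if made_by and made_by in (approver, p["entered_by"]):
            exceptions[pid].append("SoD: vendor creator also handled payment")
        # The approver is treated as the user who exercised the override.
        if p["override"] == "Y" and approver not in OVERRIDE_USERS:
            exceptions[pid].append("approval override without authority")
    return dict(exceptions)


if __name__ == "__main__":
    results = run_control_tests(load(VENDOR_LOG), load(PAYMENTS))
    for record_id in sorted(results):
        for issue in results[record_id]:
            print(f"{record_id}: {issue}")
```

Because the test covers the whole population, a clean record such as P1001 simply produces no exception, and the exception list becomes the starting point for follow-up with the client.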
Beyond CAATs and information technology specialists, frameworks are often used for assessing internal
controls. Committee of Sponsoring Organizations (COSO) is the most common information technology
governing framework but does not explicitly address information technology control objectives. COSO has
been used as the basis for SAS 78, ISA 315 and Canadian standards, which all address information
technology either implicitly or explicitly. [19] "Financial auditors are required to gain an understanding of
the 'entity and its environment' to ascertain the risk of material misstatement associated with that aspect
of the financial statements, and the COSO model is extremely valuable as a tool to comply with this
standard." [20] COSO provides guidance on general, application, and physical controls. "General controls
are controls that in general affect the computer systems (information systems) and information
technologies employed by the entity in performing functions (business processes) associated with
financial reporting activities. Application controls are computer controls embedded within technologies and
systems that are intended to ensure that policies and procedures are carried out in the business
processes." [21] COSO also provides guidance for auditors on the levels at which controls can be tested:
design effectiveness, implementation and operational effectiveness, which help with being compliant with
SAS 109.

[13]
[14] Ibid
[15] Ibid
[16] Sayana, Anantha. "Using CAATs to Support IS Audit." Information Systems Control 1 (2003): 1-2. Web.
23 June 2011.
<http://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdf>
[17] Pryce, Jim. "ACC 626 Deloitte Partner Interview." 03 May 2011. E-mail.
[18]
[19] Boritz, Efrim J. "Introduction to Internal Control and the Role of Information Technology." Computer
Control & Audit Guide. 11th ed. Waterloo: Centre for Information Integrity and Information Systems
Assurance, 2011. 3-24. Print.
[20] Singleton, Tommie. "The COSO Model: How IT Auditors Can Use It to Evaluate the Effectiveness of
Internal Controls." ISACA. ISACA. Web. 24 June 2011.
<http://www.isaca.org/Journal/Past-Issues/2007/Volume-6/Pages/The-COSO-Model-How-IT-Auditors-Can-Use-It-to-Evaluate-the-Effectiveness-of-Internal-Controls1.aspx>
Another framework that can be used, that is arguably more relevant than COSO for information
technology controls, is Control Objectives for Information and related Technology (COBIT). COBIT is
"Authoritative, up-to-date, international set of generally accepted IT control objectives and control
practices for day-to-day use by business managers and auditors." [22] It was created because of the
growing importance of technology and the need to hold senior management more accountable. "COBIT
focuses on information having integrity and being secure and available." [23] COBIT's objectives are to
ensure the integrity of information systems and by creating a framework to provide assurance by giving
excellent criteria for review and audit work. COBIT supplies a working control model for information
technology control objectives, helps auditors identify key risk areas when observing systems, and
provides a model for evaluating controls.

Overall, auditors have addressed many of the past risks that information technology has created through
use of specialists, frameworks, and information technology tools such as CAATs.
Sarbanes Oxley Impact
Sarbanes Oxley has made information technology governance and internal controls mission critical in
financial reporting and performing the audit. Sarbanes Oxley has also made the reporting of internal
controls mandatory for public companies and the attesting of those controls a compulsory component of
financial statement audit. [24] IT assurance is more relevant in the business world than ever before
because of Sarbanes Oxley. The penalties for not being compliant with Sarbanes Oxley legislation can be
severe, with fines of up to $5 million dollars and 20 years in prison. This makes information technology
important to senior executives within the company.

Before discussing how Sarbanes Oxley impacts internal controls, it is first important to define and
understand internal controls. The AICPA defines the role of internal controls as one that "comprises the
plan of organization and all the coordinate methods and measures adopted within a business to
safeguard its assets, check the accuracy and reliability of its accounting data, promote operating
efficiency, and encourage adherence to prescribed managerial policies". [25] Controls entail two main
views, namely the cybernetic view and socio-cultural view. The cybernetic view is based on the principles
of a self-monitoring system. It comprises setting goals then following up if there are any deviations. The
socio-cultural view focuses on hiring good people, training, and socializing employees into the culture of
the organization. When behavioural processes are readily observable and goals, tasks and outcomes are
well specified then cybernetic is better to use since control can be better monitored over the process. If
the reverse is true, then socio-cultural is superior to use. However, most organizations use a combination
of socio-cultural and cybernetic. In addition to the views, there are five components of an internal control
system and they are control environment, risk assessment process, information system, control activities,
and monitoring of controls. [26]

[21] Ibid
[22] Beveridge, John. COBIT IMPLEMENTATION WORKSHOP. PPT.
[23] Ibid
[24] Grant, Gerry H., Karen C. Miller, and Fatima Alali. "The Effect of IT Controls on Financial
Reporting." Managerial Auditing Journal 23.8 (2008): 803-23. Web. 29 May 2011.
<http://www.emeraldinsight.com/journals.htm?articleid=174711&show=pdf>

Sarbanes Oxley makes executives accountable for evaluating and monitoring the effectiveness of internal
control over financial reporting and disclosures. [27] Auditors must also attest to management's internal
control assessment and effectiveness of controls. An important component of internal controls is the
information technology controls, especially in entities that use computer systems extensively. Given the
importance of complying with Sarbanes Oxley and the harsh criticism of auditors from scandals in the
early 2000's, information technology controls have increased the audit business risk and have made
information technology risk even more important to manage. The cost of complying is high - audit fees
are higher and one of the biggest reasons is because of IT controls. [28]
An information system audit is assessing whether the information systems and related resources
safeguard assets, maintain system and data integrity and availability, provide relevant and reliable
information, achieve organizational goals effectively, and consume resources efficiently. It also assesses
whether internal controls provide assurance that business, operational, and control objectives have
been met and whether undesired events will be prevented or detected and corrected in a timely manner.
Non-financial audit fees have increased from 19% in 1992 to 79% in 2001 which indicates the continual
importance of IS auditing. [29] Since 1990, the evolution of the IS audit professional has changed from a
secondary function to professionals that provide value-added work with auditors who do not
understand the work performed to finally, a key component of the risk assessment process.
"Sarbanes-Oxley experts agreed that IT control was a specific area likely to produce significant
deficiencies by many companies. As the majority of internal controls are embedded in automated
systems, information system auditors have become a vital part of complying with the standards,
guidelines, and regulations" [30]

[25] Jarvin, Diane, James Bierstaker, and Jordan Lowe. "An Investigation of Factors Influencing the Use of
Computer-Related Audit Procedure." Journal of Information Systems 23 (2009): 1-22. Web. 23 June 2011.
<http://www.bus.iastate.edu/djanvrin/acct484184/readings/01%201_22-3.pdf>
[26] CICA CAS 315 Appendix 1:
[27] Damianides, Marios. "SOX and IT Governance New Guidance on IT Controls and
Compliance." Information Systems Management (2005): 77-85. Web. 29 May 2011.
<http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=11304179>
[28] Holmes, Monica C., and Darian Neubecker. "The Impact Of The Sarbanes-Oxley Act 2002 On The
Information Systems Of Public Companies." Information System 7.2 (2006): 24-48. Web. 29 May 2011.
<http://www.iacis.org/iis/2006_iis/PDFs/Holmes_Neubecker.pdf>
[29]
Outsourcing Information Technology
Information technology and recent regulations, such as Sarbanes Oxley, have uncovered new risks for
organizations that outsource information technology. These same new risks for businesses have also
provided new assurance opportunities for public accounting firms to try and manage these risks for their
clients.

Sarbanes Oxley impacts outsourcing since management must report on controls of the organization and
auditors must consider the risks of having mission critical applications outside of the organization. It was
found that Sarbanes Oxley increases pre-existing risks of large-scale information technology outsourcing
on compliance. [31] One of the roles of management within Sarbanes Oxley is to oversee the internal
controls. Internal controls must be effective or management will suffer consequences, since information
technology outsourcing distances the information technology operations from management both
intellectually and physically. The management's inability to communicate with vendors' leadership, who
are generally offsite, makes it more difficult to assess business strategy and information technology
issues, and will result in a higher likelihood that internal control failures will go undetected. In order to
audit these risks and outsourced controls, auditors must audit the outsourced organizations themselves or
receive SAS 70 reports. This information could be more difficult to obtain if they are offshore companies.

There is an increased number of legislations, such as the passing of the following legislations: the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act of 1999,
Sarbanes-Oxley Act of 2002, Sections 404 and 302. The three rulings enforce protection of privacy,
corporate accountability, and establishment of internal controls throughout businesses. "Thus, a need was
created in many industries for a due diligence process that can aggregate many of the principles found
within these three acts and provide companies with a high level of assurance and confidence when using
service organizations for outsourcing critical business functions." [32] This has created the need for
SAS 70 and other equivalent reporting. The importance of information technology assurance has
increased with new regulations and this has created many new opportunities for auditors.

[30] Ibid
[31]
[32] Denyer, Charles, and Christopher Nickell. "An Introduction to SAS 70 Audits." Benefits Law
Journal. Web. 23 June 2011.
<http://www.csb.uncw.edu/people/IvancevichD/classes/MSA%2011/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdf>
Auditors and businesses are exploring and investigating the real and regulation risks associated with
cloud computing and how to address these risks. National Institute of Standards and Technology, Cloud
Security Alliance and Information System Audit and Control Association define cloud as a "model for
enabling convenient, on-demand network access to a shared pool of configurable computing resources
(e.g., network, servers, storage, applications and services) that can be rapidly provisioned and released
with minimal management effort or service provider interaction." [33] Currently, there are no standards in
place for cloud certification. [34] Business critical is defined as data or applications determined to be
confidential, proprietary or subject to regulation. This includes data and application under Sarbanes-Oxley
regulation. It is known in the information technology world that "black hat" software gurus want to steal
data, especially on the cloud. Information technology departments and information technology risk
managers should assess the cloud service providers' security as well as their disaster recovery and
business continuity policies, and compare against internal standards. [35]

Outsourcing information technology has created benefits, such as reduced costs and better technology
for organizations, but has also created new business risks such as uncertainty of the quality of controls.
Many traditional outsourcing risks have been appropriately mitigated by auditors through information
technology assurance on service organizations; however, cloud computing is one area of information
technology that has not been explicitly addressed. This has left open the door on how the profession will
address this risk, an issue that the profession will answer in the future. As information technology
continues to evolve, both in form and functionality, the audit profession will need to continue to similarly
evolve in order to address the risks that information technology creates.
Conclusion
It is clear that information technology has had a significant impact on how businesses operate and how
they do business with their suppliers and customers. However, this same innovation has allowed for
weaknesses in the business that have an unparalleled magnitude of damage. Businesses are not the only
ones that have been impacted by information technology; auditors have new risks that they must address.
To even the importance of addressing this risk, Sarbanes Oxley has made auditors more accountable for
the work performed. Auditors have managed these risks with the use of information technology
specialists, frameworks, and information technology itself. As information technology continues to evolve,
new standards will be created to reduce the risk for businesses. The latest information technology risk
that has already been raised but has yet to be explicitly addressed by auditors is cloud computing. Will
auditors provide assurance on this growing field of information technology? If so, how will auditors provide
assurance on cloud computing for its clients? As information technology has gone from transactional to
necessary for the business to function to transformational, auditors must change and adapt at the same
pace or be at risk of falling behind the needs of clients.

[33] Rapp, Peet. "Auditing the Cloud." Financial Executive May (2010): 2-3. Web. 1 June 2011.
<http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=12&sid=1&srchmode=2&vinst=PROD&fmt=6&startpage=-1&clientid=174&vname=PQD&RQT=309&did=204898071&scaling=FULL&ts=130972929&vtype=PQD&rqt=309&TS=130973314&clientId=174>
[34] Ibid
[35] Ibid
Work Cited
Bedard, Jean C., Cynthia Jackson, and Lynford Graham. "Information Systems Risk Factors, Risk Assessments, and Audit Planning Decisions." Web. 28 Mar. 2011. <http://aaahq.org/audit/midyear/03midyear/papers/Systems%20Risk%20Factors%20and%20Audit%20Planning%2009-18.pdf>.
Beveridge, John. COBIT IMPLEMENTATION WORKSHOP. PPT.
Boritz, Efrim J. "Introduction to Internal Control and the Role of Information Technology." Computer Control & Audit Guide. 11th ed. Waterloo: Centre for Information Integrity and Information Systems Assurance, 2011. 3-24. Print.
CAS 311.13
CICA CAS 311 Appendix 1:
Damianides, Marios. "SOX and IT Governance New Guidance on IT Controls and Compliance." Information Systems Management (2001): 77-81. Web. 29 May 2011. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=11304179>.
Denyer, Charles, and Christopher Nickell. "An Introduction to SAS 70 Audits." Benefits Law Journal. Web. 23 June 2011. <http://www.csb.uncw.edu/people/IvancevichD/classes/MSA%2011/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdf>.
Grant, Gerry H., Karen C. Miller, and Fatima Alali. "The Effect of IT Controls on Financial Reporting." Managerial Auditing Journal 23.8 (2008): 803-23. Web. 29 May 2011. <http://www.emeraldinsight.com/journals.htm?articleid=174711&show=pdf>.
Holmes, Monica C., and Darian Neubecker. "The Impact Of The Sarbanes-Oxley Act 2002 On The Information Systems Of Public Companies." Information System 7.2 (200): 24-48. Web. 29 May 2011. <http://www.iacis.org/iis/200_iis/PDFs/Holmes_Neubecker.pdf>.
Jaeger, Jaclyn. "Survey: IT Risk, IFRS Top Internal Auditors' Worries." Survey: IT Risk, IFRS Top Internal Auditors' Worries 7.77 (2010): 38. Web. 31 May 2011. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=1282111>.
Janvrin, Diane, James Bierstaker, and Jordan Lowe. "An Examination of Audit Information Technology Use and Perceived Importance." Accounting Horizons 22.1 (2008): 1-21. Web. 28 May 2011. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&vid=&hid=17>.
Janvrin, Diane, James Bierstaker, and Jordan Lowe. "An Investigation of Factors Influencing the Use of Computer-Related Audit Procedure." Journal of Information Systems 23 (2009): 1-22. Web. 23 June 2011. <http://www.bus.iastate.edu/djanvrin/acct484184/readings/01%201_22-3.pdf>.
Pryce, Jim. "ACC 626 Deloitte Partner Interview." 03 May 2011. E-mail.
Rapp, Peet. "Auditing the Cloud." Financial Executive May (2010): 2-3. Web. 1 June 2011. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=12&sid=1&srchmode=2&vinst=PROD&fmt=&startpage=-1&clientid=174&vname=PQD&RQT=309&did=204898071&scaling=FULL&ts=130972929&vtype=PQD&rqt=309&TS=130973314&clientId=174>.
Sayana, Anantha. "Using CAATs to Support IS Audit." Information Systems Control 1 (2003): 1-2. Web. 23 June 2011. <http://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdf>.
Singleton, Tommie. "The COSO Model: How IT Auditors Can Use It to Evaluate the Effectiveness of Internal Controls." ISACA. ISACA. Web. 24 June 2011. <http://www.isaca.org/Journal/Past-Issues/2007/Volume-/Pages/The-COSO-Model-How-IT-Auditors-Can-Use-It-to-Evaluate-the-Effectiveness-of-Internal-Controls1.aspx>.
Annotated Bibliography
Annotation #1
Author: Pryce, Jim
Date accessed: 01/17/2011
Location, data base, website, link: Interview
Annotation
The use of information technology within a client's environment has increased the complexity of an audit.
• Revenue recognition has become more complicated. How do you ensure the existence of many online revenue streams such as advertising? Having strong controls is more important now with the use of information technology than ever before.
• In order to address the assertion of occurrence on revenue, there is a need to bring in IT experts and to have appropriate training to understand how transactions flow throughout the accounting information system.
• Sarbanes Oxley has required management to attest to controls including IT controls.
Annotation #2
Author: Bedard, Jean C.; Jackson, Cynthia; Graham, Lynford
Title of Article: Information Systems Risk Factors, Risk Assessments, and Audit Planning Decisions
Date accessed: May 28, 2011
Location, data base, website, link: http://aaahq.org/audit/midyear/03midyear/papers/Systems%20Risk%20Factors%20and%20Audit%20Planning%2009-18.pdf
Annotation
"The purpose of this study is to examine external auditors' perspectives on information systems risk in their actual audit client"
• The paper found IT system risks can be categorized in one of two categories: management information quality and EDP security
   o The system does not output suitable or accurate data to help management with decision making and makes it difficult to identify when problems occur
   o A lack of EDP security undermines the value of effective design of controls due to security breaches
• AICPA has become more clear on the auditor's responsibility to understand the role of IT in the client's business
• High correlation between management information quality and risk assessment taken by the firm
• Low correlation was found between EDP security and risk assessments and this is attributed "to the frequent practice of calling on EDP specialists to assist with engagements in which system security risks have been identified"
Annotation #3
Author: Holmes, Monica C.; Neubecker, Darian
Title of Article: The Impact Of The Sarbanes-Oxley Act 2002 On The Information Systems Of Public Companies
Periodical/Website: Information System
Vol. / No. / Edition: Vol. VII No. 2
Year Published: 200
Pages: 24-28
Date accessed: May 29, 2011
Location, data base, website, link: http://www.iacis.org/iis/200_iis/PDFs/Holmes_Neubecker.pdf
Annotation
This paper discusses the impact of the Sarbanes-Oxley Act and Information Technology.
• CIOs are very critical in helping a company comply with Sarbanes-Oxley because transactions are automated and paperless (no audit trail)
• Scalability of storage systems is very important in high transaction industries with automation
• There have been a lot of IT solutions developed to make systems and businesses SOX compliant
• Lots of IT companies and consulting companies are offering compliance solutions
   o BWise, a software leader in internal control software, claims the platform is "auditable, web-based with extensive security measures built-in, and can achieve compliance in as little as 3-4 weeks"
• The cost of complying is high: audit fees are higher and one of the biggest reasons is IT controls
Annotation #4
Author: Hall, James A.; Liedtka, Stephen L.
Title of Article: The Sarbanes Oxley Act: The implications for large-scale IT outsourcing
Periodical/Website: COMMUNICATIONS OF THE ACM
Vol. / No. / Edition: Vol. 10 No. 3
Year Published: 2007
Pages: 91-100
Date accessed: May 29, 2011
Location, data base, website, link: http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=0&did=1224814971&SrchMode=2&sid=2&Fmt=2&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=130977071&clientId=174
Annotation
This paper discusses the implication of SOX on large scale IT outsourcing.
• The response from corporate decision makers varied in response to SOX and their thoughts on the impact to IT outsourcing. 21% responded that they would outsource more, 19% indicated that they would outsource less, 21% said there was no way of knowing the impact and the remainder did not expect a change at all
• It was found that SOX increases pre-existing risks of large-scale IT outsourcing on SOX compliance.
• The purpose of SOX is to increase public confidence in capital markets through improved corporate governance, financial reporting, internal controls and external audit quality
• SOX has increased the demand for employees with computer skills and business training especially in the areas of forensic accounting, risk management, computer auditing and IT controls
• The benefits of IT outsourcing include reduced IT costs and improved IT performance.
• Large scale IT outsourcing actually increases the risk of failing to comply with both the detail and the spirit of SOX.
• One of the roles of management within SOX is oversight of whether the internal controls are effective, but IT outsourcing distances the IT operations from management both intellectually and physically
• Management's inability to communicate with vendors' leadership, who are generally offsite, makes it more difficult to assess business strategy and IT issues and will result in a higher likelihood that internal control failures will go undetected
• In order to audit these risks and outsourced controls, auditors must audit them themselves or receive SAS 70 reports. This information could be more difficult to obtain if they are offshore companies.
• IT outsourcing is sometimes described as off balance sheet financing since no investment in IT assets will need to be made
• IT outsourcing may result in deceptive short-term increases in profitability since IT vendors often charge lower amounts in the first couple of years and then increase prices later
Annotation #5
Author: Damianides, Marios
Title of Article: SOX and IT Governance New Guidance on IT Controls and Compliance
Periodical/Website: Information Systems Management
Year Published: 2001
Pages: 77-81
Date accessed: May 29, 2011
Location, data base, website, link: http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=11304179
Annotation
This article discusses how SOX has focused companies on improving their internal controls and maintaining an effective IT environment in order to be compliant. This article further discusses how SOX has impacted executives and IS professionals.
• With SOX regulation, IT professionals face higher expectations to give timely, accurate and visible information while still maintaining high level security of these information assets
• 88 percent of senior business executives view security as a top priority and 71 percent view security as a positive investment due to more continuity and efficiency
• SOX makes executives accountable for evaluating and monitoring the effectiveness of internal control over financial reporting and disclosures
• SOX has increased the need for companies to have strong IT controls in place
• One of the main criteria of IT governance is to align IT with the overall business strategy
• Fortune 100 companies' board members hardly discuss IT during board meetings: one out of ten boards ask IT questions, two out of three approve IT strategy and six out of seven directors are regularly informed about IT
Annotation #6
Author: Janvrin, Diane; Bierstaker, James; Lowe, Jordan
Title of Article: An Examination of Audit Information Technology Use and Perceived Importance
Periodical/Website: Accounting Horizons
Vol. / No. / Edition: Vol. 22 No. 1
Year Published: 2008
Pages: 1-21
Date accessed: May 28, 2011
Location, data base, website, link: http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&vid=&hid=17
Annotation
The article is a study about how IT is perceived and how it is used in firms of various sizes, from local to Big 4 firms.
• "Standards now encourage audit firms to adopt IT and use IT specialists when necessary"
• Auditors view the use of applications as important but don't fully utilize them
• IT specialists are not used to a large extent
• In general, larger firms tend to use more specific IT to perform their audits and are more likely to use IT specialists than smaller firms
• IT has created barriers to entry to run a public practice
• IT is used for helping identify risks in client acceptance, going concern and analytical procedures
Annotation #7
Author: Grant, Gerry H; Miller, Karen C; Alali, Fatima
Title of Article: The effect of IT controls on Financial Reporting
Periodical/Website: Managerial Auditing Journal
Vol. / No. / Edition: Vol. 23 No. 8
Year Published: 2008
Pages: 803-823
Date accessed: May 29, 2011
Location, data base, website, link: http://www.emeraldinsight.com/journals.htm?articleid=174711&show=pdf
Annotation
"The purpose of this study is to examine IT control deficiencies and their affect on financial reporting"
• Accounting errors occur more often when there are IT control deficiencies
• IT deficient companies pay a higher audit fee and employ smaller accounting firms
• Many major scandals were not prevented or detected because the company had poor internal controls
• SOX was created because of the above point to force companies' auditors to assess and attest to the effectiveness of controls
• Pre-SOX and post-SOX studies have come to the same conclusion: the more IC deficiencies, the more accounting errors
• Prior to SOX minimal IT controls were tested since it was not explicit in the standards. However, post SOX, companies are required to report any significant IT deficiencies
• The most commonly used IT governance framework is COSO but COSO provides minimal guidance for designing and implementing IT controls
• COBIT has been used to evaluate IT controls for SOX compliance
• There is "a direct relationship between the increased quality of IT controls and external factors such as longer tenured CIOs, more IT-experienced managers, higher percentages of independent directors, and more IT-experienced audit committee Members"
Annotation #8
Author: Bierstaker, James L.; Burnaby, Priscilla; Thibodeau, Jay
Title of Article: The impact of information technology on the audit process: an assessment of the state of the art and implications for the future
Periodical/Website: Managerial Auditing Journal
Vol. / No. / Edition: 1/3
Year Published: 2001
Pages: 119-14
Date accessed: May 29, 2011
Location, data base, website, link: http://www.emeraldinsight.com/journals.htm?articleid=88100
Annotation
"The purpose of this paper is to assess the current impact of technology on the audit process, and to discuss the future implications of technological trends for the auditing profession."
This paper discusses how auditors obtain information on clients' current systems, how information technology has affected planning, documentation and testing of internal controls, and how advancements in technology will improve audit efficiency and effectiveness.
• Audits are becoming more about process audits rather than audits of each department. For example, an auditor may audit the flow of raw inventory to the end of the cycle where receivables are collected. Beginning to end audits are becoming more of a requirement
• The use of audit software has already helped audit planning, where software is used to identify key risk areas instead of relying solely on the audit team's expertise
• The use of new technology has also freed up professional service time through the creation of documents, proposals and memo templates that gather the expertise of members of the firm
• If evidence is transmitted, processed and assessed through only electronic means, then auditors need to assess the reliability of the system to ensure evidence was not manipulated.
• Since some processes do not have paper trails, it is useless to use the traditional methods of testing controls since significant risk will go unnoticed
• It is now a requirement to test sophisticated controls including firewalls, encryption and passwords
• The use of ACL and IDEA has increased audit efficiency and effectiveness
• Audit software can also be used to test for fraud. One example is comparing all employee addresses with vendor addresses
Annotation #9
Author: Vilsanoiu, Daniel; Serban, Michaela
Title of Article: Changing Methodologies in Financial Audit and Their Impact on Information Systems Audit
Periodical/Website: Informatica Economica
Vol. / No. / Edition: Vol. 14 Issue 1
Year Published: 2010
Pages: 17-1
Date accessed: Monday, May 30, 2011
Location, data base, website, link: http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=8&hid=17&sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=48924378
Annotation
"The objective of this article is to provide a better understanding of the relation between financial audit and information systems audit and to assess the influence the change in financial audit methodologies had on IS audit."
• A financial audit provides a degree of confidence that a set of financial statements is prepared without material misstatements
• An information system audit is the assessment of whether the information systems and related resources safeguard assets, maintain system and data integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have internal controls that provide assurance that business, operational and control objectives will be met and that undesired events will be prevented or detected and corrected in a timely manner.
• In the mid 1990's, auditors changed from transaction cycle auditing to business process oriented auditing
• Transaction cycle auditing focuses on account level risk and the goal is to reduce the risk that auditors make judgmental errors and to provide an opinion that can withstand the review of peer auditors and regulators. It does not take into consideration business risk and does not require a deep understanding of the business strategy of the company getting audited
• "business risk is defined as the risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity's ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies"
• In the mid 1990's it was believed that business risk increased audit risk. Business Risk Auditing (BRA) allowed auditors to help clients identify non-financial statement risks or areas of improvement.
• "Sarbanes-Oxley experts agreed that IT control was a specific area likely to produce significant deficiencies by many companies. As the majority of internal controls are embedded in automated systems, IS auditors have become a vital part of complying with the standards, guidelines and regulations"
• Since 1990, the IS audit professional has evolved from a secondary function, to professionals that provided value added work that auditors did not understand, and finally to a key component of the risk assessment process.
• Non-financial audit fees have increased from 19% in 1992 to 79% in 2001 which indicates the continuing importance of IS auditing
Annotation #10
Author: Bedard, Jean C.; Graham, Lynford; Jackson, Cynthia
Title of Article: Information Systems Risk and Audit Planning
Periodical/Website: International Journal of Auditing
Vol. / No. / Edition: Vol. 9 Issue 2
Year Published: 2001
Pages: 147-13
Date accessed: May 30, 2011
Location, data base, website, link: http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489
Annotation
"In this study, we examine client characteristics identified by external auditors for actual audit clients, which are relevant to two important areas of systems risk: system security and management information quality"
• It was found that management information quality increased with the number of identified risk factors but the same result was not found for EDP security
• EDP security risks are associated with control activities
• Management information quality is associated with the control environment
• The SOX Act of 2002 emphasizes internal control, in which information systems play a key role
• Managers must assess the effectiveness of control design and the operating effectiveness of controls in the annual report
• Auditors must also attest to management's internal control assessment and effectiveness of controls
• The common EDP security risk factors included system security controls, outdated systems and management style/attitude
• The common management information risk factors included management style/attitude and management competence
• It was found that only control activities risk factors are significantly associated with audit planning for EDP security
• Control environment affects audit planning in management information quality but not EDP security
Annotation #11
Author: Chan, Sally
Title of Article: Sarbanes-Oxley: the IT dimension: information technology can represent a key factor in auditors' assessment of financial reporting controls
Year Published: 2004
Location, data base, website, link: http://findarticles.com/p/articles/mi_m4113/is_1_1/ai_n112100/
Annotation
Sarbanes-Oxley Act 2002 presented both immediate and far-reaching compliance issues for companies, especially in the areas of internal-control provisions of 302 and 404. Guidance by the Public Company Accounting Oversight Board states that "the nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting". However, because this guidance is vague, auditors have had to pay special attention to the information technology component of Sarbanes-Oxley.
• The IT environment must be reviewed as part of the review of the larger control environment
• Some auditors have found guidance through the use of COBIT. Other guidance such as AICPA's SAS 70, Systrust and Webtrust can be used for Sarbanes Oxley in a broader context
• A key IT component of Sarbanes Oxley is mapping financial reporting control objectives to IT control objectives. An example is that authorization and safeguarding of assets relates to the IT control objective of ensuring information security, confidentiality and privacy
• There are several assertions related to IT controls including existence, occurrence, measurement, completeness, accuracy, presentation and disclosure
• Through the examination of the IT control environment, controls that don't mitigate risks and control weaknesses will likely no longer exist after the examination
• There are indirect benefits from Sarbanes Oxley: elimination of control redundancies, service improvements or the identification of value-added projects beyond compliance requirements
Annotation #12
Author: Jaeger, Jaclyn
Title of Article: Survey: IT Risk, IFRS Top Internal Auditors' Worries
Periodical/Website: Compliance Week
Vol. / No. / Edition: Vol. 7 Issue 77
Year Published: 2010
Pages: 38
Date accessed: May 31, 2011
Location, data base, website, link: http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=1282111
Annotation
This article discusses how IT has become even more important and has received more attention from Internal Auditors. One of the top risks listed in the 2010 Internal Audit Capabilities and Needs Survey was the ability to assess IT risk, which also topped 2010.
• XBRL, the ISO 27000 certification standard for information security and COBIT were high on the list of concerns for internal auditors
• Managing director of Protiviti, Scott Graham, stated that auditing IT processes and activities should be one of the highest priorities in internal audit departments given that IT enables virtually all business functions
• Institute of Internal Auditing has responded to this risk by introducing six standards covering topics including assessing IT governance
Annotation #13
Author: Baker, Neil
Title of Article: Diagnosis for IT Risk
Periodical/Website: Internal Auditor
Year Published: August 2010
Pages: 38-42
Date accessed: June 1, 2011
Location, data base, website, link: http://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf23_24/pdf/2010/IAU/01Aug10/1377001.pdf?T=P&P=AN&K=1377001&S=R&D=bth
Annotation
This article discusses a guide written by the Institute of Internal Auditors on how to identify IT risks.
• The guide is a top down and risk-based approach. A risk based approach is where the identification starts with understanding the business process and then looks for IT risks that could lead to failure or error in that process.
• The approach was meant to remove controls that weren't significant from Sarbanes-Oxley testing
• The approach is more focused on IT general controls rather than detailed application controls and is easier to learn for non-technical internal auditors
• At Intel, with the use of the IIA approach, the number of controls tested was reduced from 1300 to a couple hundred, with a 1% reduction in company testing efforts
• IT specialists may not be needed during the risk identification process but may need to be used when testing the controls
Annotation #14
Author: Rapp, Peet H.
Title of Article: Auditing the Cloud
Periodical/Website: Financial Executive
Year Published: May 2010
Pages: 2-3
Date accessed: June 1, 2011
Location, data base, website, link: http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=12&sid=1&srchmode=2&vinst=PROD&fmt=&startpage=-1&clientid=174&vname=PQD&RQT=309&did=204898071&scaling=FULL&ts=130972929&vtype=PQD&rqt=309&TS=130973314&clientId=174
Annotation
This article discusses the risk and audit considerations when businesses start storing and using business critical applications on the cloud.
• Cloud computing does not require the traditional IT capital investment or skilled technical support
• National Institute of Standards and Technology, Cloud Security Alliance and Information System Audit and Control Association define cloud as a "model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., network, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
• Three types: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)
• SaaS clients share the use of one application on one or several servers sharing the same data memory. This is called multi-tenancy.
• It is known in the IT world that "black hat" software gurus want to steal data, especially on the cloud
• Business critical is defined as data or applications determined to be confidential, proprietary or subject to regulation. This includes data and applications under Sarbanes-Oxley regulation.
• Businesses should identify applications that are considered business critical
• IT departments and IT risk managers should assess the cloud service provider's security, disaster recovery and business continuity policies and compare them against internal standards
• The article suggests that the service level agreement have a right to audit clause
• Currently, there are no standards in place for cloud certification
Annotation #15
Author: Huang, Shi-Ming; Hung, Wei-His; Yen, David C.; Chang, I-Cheng; Jiang, Dino
Title of Article: Building the evaluation model of the IT general control for CPAs under enterprise risk management
Periodical/Website: Decision Support Systems
Vol. / No. / Edition: Vol. 10 Issue 10
Year Published: 2011
Pages: 92-701
Date accessed: June 1, 2011
Location, data base, website, link: http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=14&hid=17&sid=ca14f94e-d82f-4e7c-b471-a1f41240f84%40sessionmgr11&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=17114779
Annotation
This paper evaluates the Information Technology General Control (ITGC) for CPAs under an Enterprise Risk Management (ERM) framework.
• SAS No. 94 stated that auditors must take into consideration the importance of IT processes and relevant controls to prepare the financial statements
• Auditors have responsibility to provide assertion to the effectiveness of IT controls within a company
• To reduce audit risk, auditors must have a clear and thorough understanding of IT controls
• COSO is currently used as a way to assess internal controls but does not explicitly address the IT control objectives
• IT can establish and maintain new governance processes but can also increase organizational risk
• IT controls can be classified as general and application controls
• General controls include security management, software acquisition, development and maintenance that can support reliable application controls and ensure continued operation of the system
• SAS No. 11 requires auditors to understand the internal control and it indicates that it may be more cost effective and reliable to use rotational test of controls
• More and more companies rely heavily on IT to ensure reliable and trustworthy operation
• COBIT can help firms reduce IT risks
• The study found that Activity level IT control is more important than Entity-level IT control in ITGC
• The study found that Deliver and Support is the most important objective and that the auditor should spend more time in this area
Annotation #16
Author: Silltow, John
Title of Article: Shedding Light on Information Technology Risks
Periodical/Website: Internal Auditor
Year Published: December 2001
Pages: 32-39
Date accessed: June 1, 2011
Location, data base, website, link: http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a3f-40db34e401c%40sessionmgr4&vid=7&hid=17
Annotation
This article discusses the various IT risks that a company can be exposed to.
• A survey by Computer Crime and Security shows that 41% of unauthorized access is by insiders
• Financial fraud and theft of information is the most costly crime and requires insider knowledge
• Employees can also damage the organization through unintentional means such as deleting important files, opening emails with viruses, etc.
• To mitigate the risk of intentional and unintentional damage, organizations need effective access management
• This risk is increased if there are large databases with sensitive information
• Segregation of duties built into non-IT processes needs to be implemented in the IT environment
• When evaluating access control, determine whether or not systems allow common passwords such as usernames, spouses' or pets' names, etc., and review other password security settings
• Authorization of access should be examined as well. Security admin should not authorize access. Access should be authorized by information owners.
• External attacks have increased. Spam, worms and viruses are the most common type.
• The potential damage caused by external attacks includes direct costs but also loss of reputation
• Social engineering takes advantage of holes in people's common sense
• To protect against the threat of social engineering, organizations need to educate employees about what kind of information they disclose
• Organizations need to ensure that the right information is available to the right people at the right time at the right place
• One of the main ways to ensure data is accurate and valid is through field validation and input controls
Annotation #17
Author: Hermanson, Dana R.; Ivancevich, Daniel M.; Ivancevich, Susan H.
Title of Article: Disaster Recovery Planning: What Section 404 Audits Reveal
Periodical/Website: Management Consulting
Vol. / No. / Edition: December
Year Published: 2007
Pages: 0-2
Date accessed: June 1, 2011
Location, data base, website, link: http://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/280990.pdf
Annotation
This article discusses how SOX 404 reveals material weaknesses in disaster recovery planning (DRP).
It was reported that from November 2004 to August 29th, 200 there were 1 public companies with material weaknesses in internal control over financial reporting that were DRP related
Out of the 10 companies there were 10 cases where the deficiency involved a lack of DRP or backup and recovery plan
There were 1 companies that had issues with storage of backups where backups were onsite rather than offsite
CPAs are also encouraged to help companies implement and build effective DRPs
Companies that outsource IT should be aware that DRP may fall outside of SAS 70
Updated since First Submission
Annotation #18
Author: Janvrin, Diane; Bierstaker, James; Lowe, Jordan
Title of Article: An Investigation of Factors Influencing the Use of Computer-Related Audit Procedure
Periodical/Website: JOURNAL OF INFORMATION SYSTEM
Vol. / No. / Edition: 23
Year Published: 2009
Pages: 1-22
Date accessed: June 23, 2011
Location, data base, website, link: http://www.bus.iastate.edu/djanvrin/acct484184/readings/01%201_22-3.pdf
Annotation
This article discusses how computer-related audit procedures are used and how control risk and audit firm size influence those procedures.
SAS 94 informs auditors that assessing control risk as maximum and relying only on substantive is not effective
Auditors should rely on computer-related audit procedures including the use of IT specialists when planning the audit
Audit firm size impacts whether or not computer-related audit procedures are used because generally larger firms have clients with more complex computer systems
43% of participants in this study assessed control risk below maximum when examining clients with complex IT environments
11% of the sampled engagements used IT specialists
Less than half of the participants used CAATs for substantive testing
Annotation #19
Author: Sayana, Anantha S.
Title of Article: Using CAATs to Support IS Audit
Periodical/Website: Information Systems Control Journal
Vol. / No. / Edition: 1
Year Published: 2003
Pages: 1-3
Date accessed: June 23, 2011
Location, data base, website, link: http://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdf
Annotation
This article describes why there is a need for audit software, how audit software benefits the assurance engagement and how to use CAATs.
There is a need for audit software when the task is far too difficult to perform manually and it is more efficient and/or more effective to perform using audit software
The auditor must design the procedures and tests. This includes understanding the business rules of the function and how the application functions.
Audit software can perform 100% audit which gives more validity to the conclusion given
When first implementing an audit software there can be many issues
Annotation #20
Author: Beveridge, John
Title of Article: COBIT IMPLEMENTATION WORKSHOP
Periodical/Website: PPT. PowerPoint Presentation
Annotation
These slides describe what COBIT is, who should use COBIT, how COBIT can help auditors and how to use it effectively.
“Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors”
IT governance is “structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes”
If you use computer generated information, you need to assess its reliability
“COBIT focuses on information having integrity and being secure and available”
COBIT provides auditors an excellent way to structure review and audit work
The goals of internal controls are “The design, implementation, and proper exercise of a system of internal controls should provide "reasonable assurance" that management's goals are attained, control objectives are addressed, legal obligations are met, and undesired events do not occur”
COBIT is aligned with COSO, COCO, Cadbury and King
Annotation #21
Author: Denyer, Charles; Nickell, Christopher G.
Title of Article: An Introduction to SAS 70 Audits
Periodical/Website: Benefits Law Journal
Vol. / No. / Edition: Vol. 20 No. 1
Year Published: 2007
Pages: 18-8
Date accessed: June 23, 2011
Location, data base, website, link: http://www.csb.uncw.edu/people/IvancevichD/classes/MSA%2011/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdf
Annotation
“This article offers an overview of the SAS 70 audit used to report on the "processing of transactions by service organizations," which can be done by completing either a SAS 70 Type I or Type II audit. A SAS 70 Type I is known as "reporting on controls placed in operation," while a SAS 70 Type II is known as "reporting on controls placed in operation" and "tests of operating effectiveness"”
Recent legislation such as HIPAA, Gramm-Leach-Bliley Act and Sarbanes-Oxley Act has increased corporate accountability and the creation of internal controls throughout organizations
Type I SAS 70 report would issue an unqualified opinion for a point in time and Type II report would be over a time period
The benefit of an unqualified opinion from a SAS 70 service report is that it solidifies that the service organization has effective controls in place
“Auditors have implemented an exhaustive list of policies, procedures, and related controls that must be examined for this type of engagement.”
SAS 70 reports incorporate general and application controls but also expand into operational and human resource issues which makes the report more useful if the scope of the engagement is larger
Type II report requires a minimum six month testing period and is tested through testing of controls while Type I consists of inquiry and observation of controls
SAS 70 reports use a combination of many different standards such as COBIT, COSO, ISO 17799, and many others.
Annotation #22
Author: Singleton, Tommie
Title of Article: The COSO Model: How IT Auditors Can Use It to Evaluate the Effectiveness of Internal Controls
Periodical/Website: ISACA Website
Vol. / No. / Edition: 1
Year Published: 200
Date accessed: June 23, 2011
Location, data base, website, link: http://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdf
Annotation
In this article, ISACA describes how auditors can apply the COSO model in performing audits. It breaks the COSO model into five categories: Control Environment, Risk Assessment, Information and Communication, Control Activities and Monitoring
Control Environment: This part of the COSO model allows auditors to help comply with SAS 109. SAS 109 requires auditors to understand the entity's environment and to assess the risk of material misstatement
Risk Assessment: This part of the COSO model helps auditors assess risk within the entity's system of controls by identifying factors that increase risk such as changes in the operating environment.
Information and Communication: This part of the model addresses that financial reporting information should not only be relevant but also timely.
Control Activities: This part breaks control activities into three categories: general, application and physical.
Monitoring: This part discusses how controls should be monitored, assessed and reviewed.