SM-15-new CHAPTER 15

  • 8/10/2019 SM-15-new CHAPTER 15

    1/41

    Chapter 15 Page 33

CHAPTER 15

IT CONTROLS PART I: SARBANES-OXLEY AND IT GOVERNANCE

    REVIEW QUESTIONS

1. The chapter concentrates on internal control and audit responsibilities pursuant to Sections 302 and 404.

2. The PCAOB's Auditing Standard No. 5 endorses the use of COSO as the framework for control assessment.

3. Application controls and general controls

4. The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions.

5. Examples include:

o A cash disbursements batch-balancing routine that verifies that the total payments to vendors reconciles with the total postings to the accounts payable subsidiary ledger.

o An accounts receivable check digit procedure that validates customer account numbers on sales transactions.

o A payroll system limit check that identifies employee time card records with reported hours worked in excess of the predetermined normal limit.
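The three application controls listed in answer 5 are mechanical enough to show in code. The Python below is an added example written for this page, not code from the solutions manual or the textbook it accompanies; the record layouts, the modulus-11 weighting used for the check digit, the payroll limit and the sample disbursements, postings and time cards are constructed assumptions for the demonstration.

```python
"""Three application controls from answer 5, applied to constructed data.

Assumptions (added example, not from the manual): transactions are dicts,
the check digit is modulus 11 with weights 2..7 applied right to left, and
the payroll "normal limit" is passed in as a parameter.
"""
from decimal import Decimal

# Constructed sample data for the demonstration.
CASH_DISBURSEMENTS = [
    {"check_no": "5001", "vendor": "V-100", "amount": "1250.00"},
    {"check_no": "5002", "vendor": "V-233", "amount": "480.75"},
    {"check_no": "5003", "vendor": "V-100", "amount": "300.00"},
]
AP_POSTINGS_BALANCED = [
    {"vendor": "V-100", "amount": "1550.00"},
    {"vendor": "V-233", "amount": "480.75"},
]
AP_POSTINGS_SHORT = [  # one posting lost in transit: the batch will not balance
    {"vendor": "V-100", "amount": "1550.00"},
]
TIME_CARDS = [
    {"employee": "E-17", "hours": 38.5},
    {"employee": "E-42", "hours": 61.0},
    {"employee": "E-58", "hours": 40.0},
]
NORMAL_HOURS_LIMIT = 50.0


def batch_balances(disbursements, ap_postings):
    """Batch-balancing control: total vendor payments must equal total AP postings.

    Returns (balanced, payments_total, postings_total) so a mismatch can be
    reported with both figures instead of being silently accepted.
    """
    payments = sum((Decimal(d["amount"]) for d in disbursements), Decimal("0"))
    postings = sum((Decimal(p["amount"]) for p in ap_postings), Decimal("0"))
    return payments == postings, payments, postings


def mod11_check_digit(base):
    """Compute a modulus-11 check digit for a numeric account-number base.

    Digits are weighted 2,3,4,5,6,7 (repeating) from the right; the check digit
    is (11 - weighted_sum % 11) % 11, with a result of 10 written as 'X'.
    """
    weights = (2, 3, 4, 5, 6, 7)
    total = sum(int(ch) * weights[i % len(weights)]
                for i, ch in enumerate(reversed(base)))
    value = (11 - total % 11) % 11
    return "X" if value == 10 else str(value)


def account_number_valid(account_number):
    """Check-digit procedure: the last character must match the recomputed digit.

    Catches any single-digit error and any adjacent transposition in a
    customer account number keyed on a sales transaction.
    """
    if len(account_number) < 2:
        return False
    base, check = account_number[:-1], account_number[-1].upper()
    return base.isdigit() and mod11_check_digit(base) == check


def hours_over_limit(time_cards, normal_limit):
    """Limit check: return time-card records reporting hours above the limit."""
    return [card for card in time_cards if card["hours"] > normal_limit]


def run_demo():
    """Run all three controls over the constructed data and return the findings."""
    balanced, paid, posted = batch_balances(CASH_DISBURSEMENTS, AP_POSTINGS_SHORT)
    candidates = ("123455", "123465", "6X")  # constructed account numbers
    return {
        "batch_balanced": balanced,
        "payments_total": str(paid),
        "postings_total": str(posted),
        "bad_account_numbers": [n for n in candidates if not account_number_valid(n)],
        "over_limit_employees": [c["employee"]
                                 for c in hours_over_limit(TIME_CARDS, NORMAL_HOURS_LIMIT)],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Each control returns the evidence of the failure (both totals, the rejected number, the offending record) rather than a bare yes/no, which is what an auditor testing the control will want to see in the exception report.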

Chapter 15 Page 34

6. General controls apply to all systems. They are not application specific. General controls include controls over IT governance, the IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.

7. Computer fraud refers to using hardware and software to divert or acquire the assets of the firm. Its activities include:

a. the theft, misuse, or misappropriation of assets by altering computer records and files

b. the theft, misuse, or misappropriation of assets by altering the logic of computer software

c. the theft or illegal use of computer records and files

d. the theft, corruption, illegal copying or the intentional destruction of computer software and

e. the theft, misuse, or misappropriation of computer hardware.

8. The data-collection or data-entry stage is the simplest way to commit computer fraud since the perpetrator need only understand how the system works to enter data that it will process.

Chapter 15 Page 35

9. In a manual authorization system, management and auditors can verify compliance with established authorization rules by observing the employees involved and reviewing their work. In an automated authorization system, the authorization is unobserved by management, and a control failure may go unnoticed until the firm experiences some undesirable symptoms.

10. In a CBIS environment, it would be inefficient and contrary to the objectives of automation to separate such tasks as processing and recording a transaction among several different application programs merely to emulate a manual control model. Further, the reason for separating tasks is to control against the negative behavior of humans; in a CBIS the computer performs the tasks, not humans.

11. a. Separating systems development from computer operations

b. Separating the database administrator from other functions and systems development

c. Separating new systems development from maintenance

Chapter 15 Page 36

12. Computer fraud and losses from disaster

13. General controls apply to a wide range of exposures that systematically threaten the integrity of all applications processed within the CBIS environment. Some examples of general controls are controls against viruses and controls to protect the hardware from vandalism. Application controls are narrowly focused on exposures within specific systems. Some examples of application controls are controls to make sure that each employee only receives one paycheck per pay period and controls to ensure that each invoice gets paid only once.

14. The operations activities should be separated from systems development and maintenance activities, and any relationships between these two groups should be through formal and controlled channels. The systems development and maintenance groups create and maintain the applications. The operations personnel run the systems and should have no input in their design. The less the operations personnel know about the application's logic and control parameters, the less likely they are to make unauthorized changes to these applications for personal gain.

Chapter 15 Page 37

15. One problem that may occur is inadequate documentation. Documenting is not considered as interesting a task as designing, testing, and implementing a new system; thus a systems professional may move on to a new project rather than spend time documenting an almost complete project. Job security may be another reason a programmer may not fully document his or her work. Another problem that may occur is the increased potential for fraud. If the original programmer generates fraudulent code during development, then this programmer, through maintenance procedures, may disable the code prior to audits. Thus, the programmer can continue to cover his or her tracks.

16. Many firms that do not use CASE tools with automatic documentation features face this problem because the systems professionals do not find this task as interesting as the design, testing, and implementation steps. Further, the systems professionals are typically eager or pressured to move on to another project before documentation is complete. Job security is another reason for poor systems documentation.

Chapter 15 Page 38

17. The role of a corporate computer services department differs in that it is not a completely centralized model. Instead, the group plays the role of provider of technical advice and expertise to distributed computer services. Thus, it provides much more support than would be received in a completely distributed model. A corporate computer services department provides a means for central testing of commercial hardware and software in an efficient manner. Further, the corporate group can provide users with services such as installation of new software and troubleshooting hardware and software problems. The corporate group can establish systems development, programming, and documentation standards. The corporate group can aid the user groups in evaluating the technical credentials of prospective systems professionals.

18. Incompatibility, redundancy, consolidating incompatible activities, acquiring qualified professionals, and lack of standards

19. a. physical location controls

b. construction controls

c. access controls

d. air conditioning controls

e. fire suppression controls

f. fault tolerance controls

20. Fault tolerance is the ability of the system to continue operation when part of the system fails due to hardware failure, application program error, or operator error. Various levels of fault tolerance can be achieved by implementing redundant system components.

Chapter 15 Page 40

21. evaluating internal controls, and 3) analyzing financial data. Conceptually, no difference exists between IT auditing and general auditing. IT auditing is typically a subset of the overall audit; the portion that involves computer technology is the subset.

Chapter 15 Page 41

2. External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies. External auditing is conducted by certified public accountants who are independent of the organization's management. Internal auditors represent the interests of management. Internal auditing tasks include conducting financial audits, examining an operation's compliance with legal obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting EDP audits.

2. a. systematic process

b. obtaining evidence

c. ascertaining the degree of correspondence with established criteria

d. communicating results

Chapter 15 Page 42

29. Materiality refers to the size of the effect of a transaction. From a cost-benefit point of view, a threshold is set, above which the auditor is concerned with the correct recording and effects of transactions.

30. The auditors perform an analysis and assessment of audit risk that includes an investigation of the organization's general controls and application controls. The primary techniques for gathering evidence at this phase are using questionnaires, interviewing management, reviewing systems documentation, and observing activities.

31. The tests of controls phase involves determining whether adequate internal controls are in place and whether they function properly. The substantive testing phase involves a detailed investigation of specific account balances and transactions.

32. Audit risk is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated.

Chapter 15 Page 43

33. Errors are unintentional mistakes while irregularities are intentional misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. Processes that involve human actions will contain some amount of human error. Computer processes should only contain errors if the programs are erroneous, or if systems operating procedures are not being closely and competently followed. Errors are typically much easier to uncover than misrepresentations; thus auditors typically are more concerned with whether they have uncovered any and all irregularities.

34. Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries are considered to have more inherent risk than firms in stable or thriving industries. Inherent risk will not be reduced by internal control. Control risk is the likelihood that the control structure is flawed because internal controls are either absent or inadequate to prevent or detect errors in the accounts. Internal controls may be present in firms, yet the financial statements may be materially misstated due to circumstances outside the control of the firm. For example, a customer, on the verge of bankruptcy, has an outstanding Accounts

Chapter 15 Page 44

35. The relationship between tests of controls and substantive testing is directly related to the auditor's risk assessment. The stronger the internal controls, the less substantive testing the auditor must do.

36. The following are examples of general control areas:

a. operating system controls

b. data management controls

c. organizational structure controls

d. systems development controls

e. systems maintenance controls

f. computer center security and controls

g. Internet and intranet controls

h. electronic data interchange controls

37. The auditor should review the current organization chart, mission statements, job descriptions of key functions, systems maintenance records, and programmer authority tables. Actual behavior should be observed to see whether the job descriptions are in line with the tasks people are actually performing. Sometimes, job descriptions may turn out to be theoretical in nature, while the reality is quite different.

38. a. tests of physical construction

b. tests of the fire detection system

c. tests of access control

d. tests of the backup power supply

Chapter 15 Page 45

39. Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (due to the vendor's expertise), and reduced IT costs.

40. Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions.

41. Specific IT assets, in contrast, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside of their current use.

42. Five risks associated with IT outsourcing are: Failure to Perform, Vendor Exploitation, Outsourcing Costs Exceed Benefits,

Chapter 15 Page 46

2. Section 404 requires the management of public companies to assess the effectiveness of their organization's internal controls over financial reporting and provide an annual report addressing the following points: 1) A statement of management's responsibility for establishing and maintaining adequate internal control. 2) An assessment of the effectiveness of the company's internal controls over financial reporting. 3) A statement that the organization's external auditors have issued an attestation report on management's assessment of the company's internal controls. 4) An explicit written conclusion as to the effectiveness of internal control over financial reporting. 5) A statement identifying the framework used by management to conduct their assessment of internal controls.

3. The SEC has made specific reference to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a recommended control framework. Furthermore, the PCAOB's Auditing Standard No. 5 endorses the use of COSO as the framework for control assessment. Although other suitable frameworks have been published, according to Standard No. 5, any framework used should encompass all of COSO's general themes.

4. Consider an organization with poor database security controls. In such a situation, even data processed by systems with adequate built-in application controls may be at risk. An individual who can circumvent database security may then change, steal, or corrupt stored transaction data. Thus, general controls are needed to support the functioning of application controls, and both are needed to ensure accurate financial reporting.

Chapter 15 Page 47

5. Auditors had the option of not relying on internal controls in the conduct of an audit and therefore did not need to test them. Instead, auditors could focus primarily on substantive tests. Under SOX, management is required to make specific assertions regarding the effectiveness of internal controls. To attest to the validity of these assertions, auditors are required to test the controls.

6. No. Auditors are permitted to simultaneously render a qualified opinion on management's assessment of internal controls and render an unqualified opinion on the financial statements. In other words, it is technically possible for auditors to find internal controls over financial reporting to be weak, but conclude through substantive tests that the weakness did not cause the financial statements to be materially misrepresented.

7. This involves:

a. Selecting the financial accounts that have material implications for financial reporting.

b. Identifying the application controls related to those accounts.

c. Identifying the general controls that support the application controls. The sum of these controls, both application and general, constitutes the relevant internal controls over financial reporting that need to be reviewed.

8. Standard No. 2 places new responsibility on auditors to detect fraudulent activity. The standard emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements. Management is responsible for implementing such controls and auditors are expressly required to test them.

Chapter 15 Page 48

9. Computer fraud can occur at various points during computer processing. The following summarizes the key areas of risk:

Data Collection Fraud involves the data entry stage of the process. Frauds of this type require little or no computer skills. The perpetrator need only understand how the system works to enter data that it will process. The fraudulent act involves falsifying data as it enters the system. This can be to delete, alter, or add a transaction. For example, to commit a payroll fraud, the perpetrator may insert a fraudulent payroll transaction along with other legitimate transactions.

Program Fraud includes the following techniques: (1) creating illegal programs that can access data files to alter, delete, or insert values into accounting records; (2) destroying or corrupting a program's logic using a computer virus; or (3) altering program logic to cause the application to process data incorrectly. Altering the logic of the rounding program used by banks to calculate interest on their customers' accounts is an example of program fraud.

Operations Fraud is the misuse or theft of the firm's computer resources. This often involves using the computer to conduct personal business. For example, a programmer may use the firm's computer time to write software that he or she sells commercially.

Database Management Fraud includes altering, deleting, corrupting, destroying, or stealing an organization's data. The most common technique is to access the database from a remote site and browse the files for useful information that can be copied and sold to competitors. Disgruntled employees have been known to destroy company data files simply to harm the organization. Viruses and logic bombs designed to destroy databases are also forms of database fraud.

Chapter 15 Page 49

Information Generation Fraud is stealing, misdirecting, or misusing computer output. One technique called scavenging involves searching through the trash cans of the computer center for discarded output. A perpetrator can often obtain useful information from the carbon sheets removed from multipart reports or from paper reports that were rejected during processing.

Eavesdropping involves listening to output transmissions over telecommunications lines. Available technologies enable perpetrators to intercept messages being sent over unprotected telephone lines and microwave channels. Most experts agree that it is practically impossible to prevent a determined perpetrator from accessing data communication channels. Data encryption can, however, render useless any data captured through eavesdropping.

Chapter 15 Page 51

11. The lowest cost method is internally provided backup. With this method, organizations with multiple data-processing centers may invest in internal excess capacity and support themselves in the case of disaster in one data processing center. In terms of cost, the next highest method is the empty shell where two or more organizations buy or lease space for a data-processing center. The space is made ready for computer installation; however, no computer equipment is installed. This method requires lease or mortgage payments, as well as payment for air conditioning and raised floors. The risk of this method is that the hardware, software, and technicians may be difficult, if not impossible, to have available in the case of a natural disaster. Further, if multiple members' systems crash simultaneously, an allocation problem exists. The method with lowest risk, and also the highest cost, is the recovery operations center. This method takes the empty shell concept one step further; the computer equipment is actually purchased and software may even be installed. Assuming that this site is far enough away from the disaster-stricken area not to be affected by the disaster, this method can be a very good safeguard.

12. The critical applications should be identified and prioritized by management, user departments, and auditors. The applications should be prioritized based on the impact to the short-run survival of the firm. The frequency with which the priorities need to be assessed depends on the amount and kinds of changes that are made to systems over time. Firms that make changes frequently should reassess priorities frequently.

Chapter 15 Page 52

13. The attest service is defined as an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. The following requirements apply to attestation services:

o Attestation services require written assertions and a practitioner's written report.

o Attestation services require the formal establishment of measurement criteria or their description in the presentation.

o The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

Assurance services constitute a broader concept that encompasses, but is not limited to, attestation. Assurance services are professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision makers. Assurance services are intended to help people make better decisions by improving information. This information may come as a by-product of the attest function or it may ensue from an independently motivated review.

14. The existence or occurrence assertion affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.

The completeness assertion declares that no material assets, equities, or transactions have been omitted from the financial statements.

Chapter 15 Page 53

The rights and obligations assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations.

The valuation or allocation assertion states that assets and equities are valued in accordance with generally accepted accounting principles and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis.

The presentation and disclosure assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements.

Chapter 15 Page 54

15. Having the internal auditing function report to the controller is unacceptable. If the controller is aware of or involved in a fraud or defalcation, then he/she may give false or inaccurate information to the auditors. The possibility that the auditors may lose their jobs if they do not keep certain matters quiet also exists. Further, the fraud may be occurring at a level higher than the controller, and the controller may fear losing his/her job if the matter is pursued. The best route is to have the internal auditing function report directly to the board of directors.

16. Virtually all audits involve some form of computer-based system. Thus, financial auditing must include IT auditing.

17. In the CBIS environment, the data needed to perform audit tests are contained in computer files that must be extracted using specialized audit software.

18. Assessing systems development controls requires more judgment than some of the other areas.

19. Exposure: unauthorized program changes

Control: segregation of duties

Audit Objective: to verify that programmers and operators do not perform incompatible tasks

Test of Control: review of organization chart, job descriptions, password controls, and physical access controls
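The segregation rules in review question 11 and the audit objective and test of control in answer 19 can be applied to an access roster as an automated test. The Python below is an added example, not material from the solutions manual or the textbook; the role names, the incompatible-role matrix, the job-description table and the roster are constructed assumptions for the demonstration.

```python
"""Segregation-of-duties (SoD) test of control over a constructed access roster.

Added example, not from the manual. The incompatible-role matrix encodes the
three separations in review question 11; the job-description comparison is the
test of control in answer 19. Role names, users and rosters are assumptions.
"""
from itertools import combinations

DEVELOPMENT = "systems_development"
OPERATIONS = "computer_operations"
DBA = "database_administration"
MAINTENANCE = "systems_maintenance"

# Pairs of roles one person must not hold at the same time.
INCOMPATIBLE_ROLES = {
    frozenset({DEVELOPMENT, OPERATIONS}),    # 11a: development vs. operations
    frozenset({DBA, DEVELOPMENT}),           # 11b: DBA vs. systems development
    frozenset({DBA, OPERATIONS}),            # 11b: DBA vs. other functions
    frozenset({DBA, MAINTENANCE}),
    frozenset({DEVELOPMENT, MAINTENANCE}),   # 11c: new development vs. maintenance
}

# Constructed roster: roles actually granted in the system (what a
# programmer authority table or group-membership export would show).
ACTUAL_ROLES = {
    "alice": {DEVELOPMENT},
    "bob": {OPERATIONS, DEVELOPMENT},
    "carol": {DBA, MAINTENANCE},
    "dave": {MAINTENANCE},
}

# Constructed job descriptions: what each person is documented to do.
JOB_DESCRIPTIONS = {
    "alice": {DEVELOPMENT},
    "bob": {OPERATIONS},
    "carol": {DBA, MAINTENANCE},
    "dave": {MAINTENANCE},
}


def sod_conflicts(roster):
    """Return {user: [(role_a, role_b), ...]} for every incompatible pair held."""
    findings = {}
    for user, roles in roster.items():
        hits = [pair for pair in combinations(sorted(roles), 2)
                if frozenset(pair) in INCOMPATIBLE_ROLES]
        if hits:
            findings[user] = hits
    return findings


def undocumented_access(job_descriptions, roster):
    """Return {user: roles held in the system but absent from the job description}.

    This is the comparison in answer 37: what people can actually do versus
    what the job description says they do.
    """
    findings = {}
    for user, roles in roster.items():
        extra = roles - job_descriptions.get(user, set())
        if extra:
            findings[user] = extra
    return findings


def audit_report(job_descriptions, roster):
    """Combine both tests into one result a reviewer can act on."""
    return {
        "sod_conflicts": sod_conflicts(roster),
        "undocumented_access": undocumented_access(job_descriptions, roster),
    }


if __name__ == "__main__":
    report = audit_report(JOB_DESCRIPTIONS, ACTUAL_ROLES)
    for user, pairs in report["sod_conflicts"].items():
        print(f"SoD conflict: {user} holds {pairs}")
    for user, roles in report["undocumented_access"].items():
        print(f"Undocumented access: {user} has {sorted(roles)}")
```

In the constructed data, bob is flagged by both tests (he holds a development role his job description does not grant), while carol's roles match her job description exactly and are still a finding: the documented structure itself combines the DBA with maintenance. Running the two tests separately is what exposes that second case.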

Chapter 15 Page 55

20. Computing center security is an area where judgment is necessary to determine if the controls in place are adequate from a cost-benefit standpoint. Preparing for disasters is difficult since one can only speculate as to the disaster and its consequences.

21. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance. The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS). In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its ability to serve other clients. Following an eleven-year low in share prices, EDS stockholders filed a class-action lawsuit against the company. Clearly, vendors experiencing such serious financial and legal problems threaten the viability of their clients also.

22. Once the client firm has divested itself of specific assets it becomes dependent on the vendor. The vendor may exploit this dependency by raising service rates to an exorbitant level. As the client's IT needs develop over time beyond the original contract terms, it runs the risk that new or incremental services will be negotiated at a premium. This dependency may threaten the client's long-term flexibility, agility and competitiveness and result in even greater vendor dependency.

23. Information outsourced to off-shore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data. When corporate financial systems are developed and hosted overseas, and program code is developed through interfaces with the host company's network, US corporations are at risk of losing control of their information. To a large degree US firms are reliant on the outsourcing vendor's security measures, data-access policies and the privacy laws of the host country.

Chapter 15 Page 56

24. Alignment between IT strategy and business strategy requires a close working relationship between corporate management and IT management in the concurrent development of business and IT strategies. This, however, is difficult to accomplish when IT planning is geographically redeployed off-shore or even domestically. Further, since the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them. This fundamental underpinning of IT outsourcing is inconsistent with the client's pursuit of strategic advantage in the marketplace.

25. The SAS 70 report is the means by which an outsourcing vendor can obtain a single audit report that may be used by its clients' auditors and thus preclude the need for each client firm's auditor to conduct its own audit of the vendor organization's internal controls.

MULTIPLE CHOICE

1. B

2. C

3. D

Chapter 15 Page 57

4. B

5. B

6. C

7. B

8. B

9. A

10. E

PROBLEMS

1. a. When talking of the physical environment, the auditors are not just talking of the potential threat of physical intruders and sabotage, but also of environmental hazards such as fires, floods, wind, earthquakes or power outages. Though these occurrences are relatively rare, they still should be accounted for, as they can seriously hamper operations. The company would not only lose the investment in the servers and computer systems but also the data and the ability to do business. As is evident, software checks cannot prevent such losses.

b. These are the six control features that contribute directly to the security of the computer server environment:

i. Physical Location: The physical location of the computer center affects the risk of disaster directly. The computer center should be away from human-made and natural hazards as much as possible, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults.

Chapter 15 Page 58

    ii. Construction, deall() a co#puter center should be located in a single-

    stor( building o" solid concrete $ith controlled access. @tilit( and

    co##unication lines should be underground. The building $indo$s

    should not open. An air "iltration s(ste# should be in place that is

    capable o" e+cluding dust) pollen) and dust #ites.

    iii. Access, Access should be li#ited to operators and other e#plo(ees

    $ho $or% there. Progra##ers and anal(sts $ho need access to

    correct progra# errors should be reuired to sign in and out. The

    co#puter center should #aintain accurate records o" all such e'ents to

    'eri"( access control. The #ain entrance to the co#puter center should

    be through a single door) though "ire e+its $ith alar#s are i#portant.

    ?ose circuit ca#era $ith 'ideo recording is also highl( ad'isable.

    i'. Air Conditioning, :ain"ra#es and ser'ers) as in the case $ith A'atar)

    ha'e hea'( processing 'olu#es. These are designed to $or% at their

    opti#al le'els onl( $ithin a narro$ range o" conditions) #ost i#portantl(

    the te#perature. Co#puters operate best in a te#perature range o" 0 to

    5 degrees 7ahrenheit and a relati'e hu#idit( o" 50 percent. ?ogic errors

    and static electricit( ris%s can be #itigated b( proper use o" air

    conditioning.

v. Fire Suppression: major features should include:

1. Automatic and manual alarms: placed in strategic locations and connected to fire stations.

2. Automatic fire extinguishing system: these should not be water sprinklers; use carbon dioxide or halon extinguishers.

3. Manual fire extinguishers.

4. Fire exits: clearly marked and illuminated.

vi. Fault Tolerance Controls: Commercially provided electrical power presents several problems that can disrupt the computer center's operations, including total power failures, brownouts, and power fluctuations, all of which could have severely detrimental effects on the server system. The company should look into surge protectors, generators, batteries, and voltage regulators.

2. Programmers should have limited access to computers, restricted to testing and debugging activities.

The computer operators' supervisor should have access to the computer room.

The tasks of programming, operations, and control should be separated.


Control totals, hash totals, and record counts should be implemented so that only authorized data is processed, completely and accurately, and so that lost or improperly changed records do not go unnoticed.

The numerical sequence of shipping notices should be checked by the computer, which should report any missing numbers.

Billing and cash collections should be separate from accounts receivable.

The invoices should not be forwarded to the billing clerk; they should be forwarded to someone else, such as the mailroom clerk, to mail to the customers.

The billing clerk should maintain a copy of the adding machine tapes to reconcile with the daily sales register.
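The batch controls and sequence check recommended above, worked through in code. This is an added example, not part of the solutions manual; the batch of shipping notices (notice numbers, customer accounts and amounts) is constructed for illustration. It shows why a hash total is kept alongside the financial total: a record whose key is altered but whose amount is intact slips past the record count and the financial total, and only the hash total catches it.

```python
"""Batch controls over a batch of shipping notices.

Added example (not from the solutions manual). The batch below is constructed
for illustration; the notice numbers, accounts and amounts are made up.
"""
from decimal import Decimal

# Constructed batch: (shipping notice number, customer account, invoice amount).
# Notice 1003 is deliberately absent to exercise the sequence check.
BATCH = [
    (1001, "C-2041", Decimal("150.00")),
    (1002, "C-1187", Decimal("89.95")),
    (1004, "C-2041", Decimal("420.10")),
    (1005, "C-3310", Decimal("12.50")),
]


def batch_totals(records):
    """Compute the three classic batch control totals.

    record_count    - number of records in the batch
    financial_total - sum of the monetary field
    hash_total      - sum of a non-financial field (the notice numbers); it has
                      no business meaning, but it changes if a record is dropped,
                      duplicated, or has its key altered, which the financial
                      total alone may not reveal
    """
    return {
        "record_count": len(records),
        "financial_total": sum((r[2] for r in records), Decimal("0")),
        "hash_total": sum(r[0] for r in records),
    }


def verify_totals(expected, records):
    """Recompute totals after processing and name every control that disagrees.

    `expected` is the dict produced by batch_totals() at data entry; an empty
    result means the batch reconciles.
    """
    actual = batch_totals(records)
    return [name for name, value in expected.items() if actual[name] != value]


def missing_sequence_numbers(records):
    """Report gaps in the numerical sequence of shipping notice numbers."""
    numbers = sorted(r[0] for r in records)
    if not numbers:
        return []
    return sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers))


def duplicate_sequence_numbers(records):
    """Report notice numbers that appear more than once (a re-submitted notice)."""
    seen, dupes = set(), set()
    for number, _, _ in records:
        if number in seen:
            dupes.add(number)
        seen.add(number)
    return sorted(dupes)


if __name__ == "__main__":
    control = batch_totals(BATCH)            # totals captured at data entry
    print("control totals:", control)
    print("missing notices:", missing_sequence_numbers(BATCH))

    # A record silently dropped during processing: every total disagrees.
    print("dropped record:", verify_totals(control, BATCH[:-1]))

    # A notice number altered but the amount left intact: only the hash total
    # catches it, which is the reason for keeping a hash total at all.
    altered = [(1040 if n == 1004 else n, acct, amt) for n, acct, amt in BATCH]
    print("altered key:", verify_totals(control, altered))
```

The totals are captured once, at data entry, and recomputed after each processing step; any disagreement is investigated before the batch is posted. Decimal is used for the financial total because binary floating point would make a correct batch appear out of balance by fractions of a cent.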

3. a. When setting systems standards in a distributed processing environment, the pertinent factors to discuss are:

1. Computer hardware factors that need to be considered include:

understanding the primary applications for which the equipment will be used.

the operating system for each type of hardware and whether appropriate software is available for the desired applications.

file options such as hard disk drives, Zip drive, floppy diskettes, or CD-

and uploading information, and technical specifications of the communication protocol.

2. Control considerations include:

clear, well-written, tested documentation for hardware and software.

adequate maintenance contracts and software support.

adequate user training.

adequate security provisions for file protection, an effective password policy, appropriate database access authority, backup procedures for internal record integrity, and off-site storage procedures for disaster recovery.

b. The benefits of having standardized hardware and software include:

cost savings from quantity discounts and multiple use of software licensing agreements.

technological growth capabilities such as network compatibility.

standardized and centralized system backup procedures for both hardware and software, and provisions for facility sharing in the event of breakdowns.

improved standard operating procedures and software implementation through the experience of a large user base with distributed knowledge.

c. The memorandum is likely to create the following concerns:

The memorandum suggests a lack of understanding of user needs, which may inhibit their cooperation.

The new policy does not provide an adequate transition period for converting existing department applications to the prescribed ones.

4. Compensating controls that Gustave most likely found include:

mandatory vacations for all employees.

joint operation by two or more operators.

rotation of operator duties.

adequate supervision of all EDP operations.

comparison of actual computer times to an average or norm.

investigation of all excess computer time (errors).

periodic comparison of program code to an archived copy.

use of a computer activity log.

5. a. The computer security weaknesses present at Hill Crest Corporation that made it possible for a disastrous data loss to occur include:

not housing the data-processing facility in a building constructed of fire-retardant materials, instead using one with exposed wooden beams and a wooden-shingled exterior.

the absence of a sprinkler (halon) system, a fire-suppression system under the raised floor, and fire doors.

an online system with infrequent (weekly) tape backups. Backups, with checkpoints and restarts, should be performed at least daily. "Grandfather" and "Father" backup files should be retained at a secure off-site storage location.

data and programs should have been kept in a library separate from the data-processing room, with the library area constructed of fire-retardant materials.

lack of a written disaster recovery plan with arrangements in place to use an alternate off-site computer center in the event of a disaster or an extended service interruption. There was a phone list of DP personnel, but without assigned responsibilities as to the actions to be taken when needed.

lack of complete systems documentation kept outside the data-processing area.

b. The components that should have been included in the disaster recovery plan at Hill Crest Corporation to ensure computer recovery within 72 hours include the following:

A written disaster recovery plan should be developed with review and approval by senior management, data-processing management, end-user management, and internal audit.

Backup data and programs should be stored at an off-site location that will be quickly accessible in an emergency.

The disaster recovery team should be organized: select the disaster recovery manager, identify the tasks, segregate them into teams, develop an organization chart for disaster procedures, match personnel to team skills and functions, and assign duties and responsibilities to each member.

The duties and responsibilities of the recovery team include:

obtaining use of a previously arranged alternate data-processing facility, and activating the backup system and network.

retrieving backup data files and programs, restoring programs and data, processing critical applications, and reconstructing data entered into the system subsequent to the latest saved backup/restart point.

c. Factors, other than those included in the disaster recovery plan itself, that should be considered when formulating the plan include:

arranging business interruption insurance in addition to liability insurance.

ensuring that all systems and operations documentation is kept up to date and is easily accessible for use in case of a disaster.

performing a risk/cost analysis to determine the level of expense that may be justified to obtain reasonable, as opposed to certain, assurance that recovery can be accomplished in 72 hours.


6. Since the employee will have performed several highly incompatible tasks, this company needs to employ strong password access controls and require its employees to change their passwords regularly, especially since they have had the opportunity to either design or view the authorization access tables. Further, strong controls over program maintenance, such as program modification reports, are also a necessity. The key point is that when an employee transfers from one job to another, he or she should have absolutely no access to perform any functions in any of the previous positions; the old entitlements must be revoked at the time of transfer, not left to accumulate.

7. SunGard separates its recovery services into three groups: high availability, systems recovery, and end-user recovery. Each contains specific services companies can utilize to ensure continuity under the most drastic situations. Together, the services support the most extensive disaster recovery plan.

The goal of high availability is to ensure the ongoing availability of information, to eliminate exposure to lost information, to reduce overall business risk, and to help ensure that the revenue stream will stay intact. Many companies rely on redundant storage to ensure the availability of information under uncertainty. If data is damaged or erased, the company can use the backup information to recover lost records and continue normal processing. The problem that exists is that many firms process and store files at the same location. This exposes backup files to the same risks as the information system. To remedy this problem SunGard offers a data mirroring system in which data from a client's information system is sent directly to a SunGard location for backup and storage. Within minutes after a disaster occurs, clients can access up-to-date copies of the information that was lost or damaged.

System recovery focuses on recovering mainframe and/or distributed systems quickly and efficiently. To do this, SunGard provides specialized teams of up to 2,000 technicians working around the clock to get clients' systems running properly. These teams use a process called Silhouette OS to understand and repair individual systems. Silhouette OS automatically monitors each client's operating system environment and regularly transmits a system profile to a repository at SunGard. The profile is created from the following information: operating system data, hardware configuration, storage devices, performance tuning parameters, networks, system boot files, and configuration files. The server can then be rebuilt at any time in a reliable, repeatable manner at a SunGard site. This reduces recovery time and the financial losses from downtime.

End-user recovery is dedicated to maintaining employee productivity until systems are repaired and functional. One technique used is to provide a disaster recovery center. These centers provide fully furnished workstations, high-speed Internet access, all necessary hardware and software, and communication devices for the client's use. Each center is secure and maintains a backup power supply. Similar to the disaster recovery center is mobile recovery. SunGard maintains a fleet of over 40 mobile recovery centers that provide the same benefits as the traditional recovery center but can be brought directly to the client. The mobile centers provide workstations for up to 50 employees and are guaranteed to be at the client's site within 48 hours of the disaster. Together, the disaster recovery center and the mobile center reduce employee downtime during a disaster and minimize losses.

    . a. The role o" each o" the "ollo$ing in the establish#ent) #aintenance) and

    e'aluation o" :icro 8(na#ics s(ste# o" internal control is as "ollo$s,

    i. :anage#ent has the o'erall responsibilit( "or protecting co#pan(

    assets and) there"ore) "or establishing) #aintaining) and e'aluating the

    internal control s(ste#.

    ii. The audit co##ittees pri#ar( responsibilit( in'ol'es assisting the

    board o" directors in carr(ing out its responsibilities as the( relate to the

    organi6ations accounting policies) internal control) and "inancial

    reporting practices. The audit co##ittee assists #anage#ent and the

    board in "ul"illing its "iduciar( and accountabilit( responsibilities) and

    helps #aintain a direct line o" co##unication bet$een the board and

    the e+ternal and internal auditors.

    iii. The e+ternal auditor re'ie$s the organi6ations control structure)

    including the control en'iron#ent) accounting s(ste#s) and control

    procedures) to assess the control ris%s "or "inancial state#ent

    assertions. n addition) the e+ternal auditor $ould in"or# the co#pan(

    o" an( #aterial $ea%nesses "ound during the re'ie$.

    i'. The internal audit depart#ent per"or#s both operational and "inancial

    audits to deter#ine co#pliance $ith established policies and

    procedures) and reports its "indings and reco##endations to

  • 8/10/2019 SM-15-new CHAPTER 15

    36/41

    Chapter 15 Page

    #anage#ent or the audit co##ittee "or e'aluation and correcti'e

    action. The internal audit depart#ent #a( also assist the e+ternal

    auditors $ith their re'ie$ o" the internal control s(ste#.

    b. The responsibilities o" the :icro 8(na#ics audit co##ittee in the "inancial

    reporting process include,

    obtaining assurance that the organi6ations control s(ste# is adeuate

    and e""ecti'e) to identi"( ris% and e+posure) and that the "inancial

    disclosures #ade b( #anage#ent reasonabl( re"lect the "inancial

    position) results o" operations) and changes in cash "lo$.

    re'ie$ing the progress o" the audit and the "inal audit "indings.

    acting as a liaison bet$een the auditors and the board o" directors.

9. a. The internal auditor must have and maintain objectivity, which implies no subordination of judgment to another and arises from an independent mental attitude that views events on a factual basis without influence from feelings, prejudice, opinions, or interests.

b. The analysis is as follows:

i. The internal auditor's objectivity is not impaired by the preparation of policy statements on internal control. The preparation of policy statements to guide others in the development and implementation of internal controls is a responsibility of the internal audit staff.

ii. The internal auditor's objectivity is impaired. To maintain objectivity, the auditor should not perform operational assignments that are included as part of the independent evaluation and verification of a proper system of internal control. Separation of duties must be maintained.

iii. Objectivity is not impaired in the review of the budget for relevance and reasonableness if the internal auditor has no responsibility for establishing or implementing the budget. However, the review of variances and explanations would impair objectivity, as this is an area that would normally be reviewed during an operational audit.

iv. Objectivity is impaired to the extent that the internal auditor has been involved in the design and installation of internal accounting controls, as there will be little confidence in audit findings issued by the individual who designed and installed the system being audited.

v. The preparation of accounting records will materially impair the internal auditor's objectivity by involving the auditor in day-to-day operations.

c. The director of internal audit reports directly to the corporate controller.

i. This reporting relationship adversely affects the objectivity of the internal audit department. The corporate controller is responsible for the accounting system and related operational transactions. The internal audit staff is responsible for the independent and objective review and examination of the accounting system and related operational transactions. Independence and objectivity may not exist because the internal audit staff is responsible for reviewing the work of the corporate controller, the person to whom it reports.

ii. No, the responses for requirement (b) would not be affected by the internal audit staff reporting to an audit committee rather than to the corporate controller. In order to maintain objectivity, the internal audit staff should refrain from performing non-audit functions such as management decision making, design and installation of systems, record keeping, operational duties, and the like, regardless of the reporting line.

10. a. This company needs to make sure that the following items are included in its LAN and PC design:

i. Data encryption for sensitive data sent over the LAN.

ii. Access controls for files on the LAN file server.

iii. Access controls for data on the hard drives of the personal computers.

iv. Backup policy and procedures for data on the file server and the PCs.

v. Software support policy.

vi. Virus protection for the LAN and for the PCs.

vii. Output policy regarding which documents may be printed on the server printer.

b. If the above controls are not implemented, the following exposures may surface:

i. sensitive files may be intercepted as they travel over the LAN cabling and devices.

ii. unauthorized access to sensitive files on the file server and user PCs.

iii. data loss from poor backup.

iv. incompatible file formats between workers.

v. data loss from viruses.

vi. passwords stolen by trojan horse programs.

vii. sensitive printouts being printed on a common printer.

    11. I"%#"al C!"#!l R%$p!"$i+ili/ &!# O'$!'#c%( IT

    :anage#ent #a( outsource their organi6ations T "unctions) but the( cannot

    outsource their #anage#ent responsibilities under SO "or ensuring adeuate T

    internal controls. The PCAOB speci"icall( states in its Auditing Standard !o. 2)

    HThe use o" a ser'ice organi6ation does not reduce #anage#ents responsibilit(

    to #aintain e""ecti'e internal control o'er "inancial reporting.

  • 8/10/2019 SM-15-new CHAPTER 15

    40/41

    Chapter 15 Page 2

    This pre#ise) ho$e'er) ignores an i#portant distinction bet$een co##odit(

    and speci"ic T assets.

    C!**!(i/ IT a$$%$are not uniue to a particular organi6ation and

    are thus easil( acuired in the #ar%etplace. These include such things as

    net$or% #anage#ent) s(ste#s operations) ser'er #aintenance) and help-

    des% "unctions. Sp%ci&ic IT a$$%$) in contrast) are uniue to the

    organi6ation and support its strategic ob&ecti'es. Because o" their

    idios(ncratic nature) speci"ic assets ha'e little 'alue outside o" their current

    use. Such assets #a( be tangible =co#puter euip#ent>) intellectual

    =co#puter progra#s>) or hu#an. *+a#ples o" speci"ic assets include s(ste#s

    de'elop#ent) application #aintenance) data $arehousing) and highl(-s%illed

    e#plo(ees trained to use organi6ation-speci"ic so"t$are.

    T#a"$aci!" C!$ Ec!"!*ic$ 2TCE3theor( is in con"lict $ith the core

    co#petenc( school b( suggesting that "ir#s should retain certain speci"ic

    non-core T assets in house. Because o" their esoteric nature speci"ic assets

    cannot be easil( replaced once the( are gi'en up in an outsourcing

    arrange#ent. There"ore) i" the organi6ation should decide to cancel its

    outsourcing contract $ith the 'endor) it #a( not be able to return to its pre-

    outsource state. On the other hand) TC* theor( supports the outsourcing o"

    co##odit( assets) $hich are easil( replaced or obtained "ro# alternati'e

    'endors.

  • 8/10/2019 SM-15-new CHAPTER 15

    41/41

    Chapter 15 Page 3

    !aturall() a C*Os perception o" $hat constitutes co##odit( T assets pla(s

    an i#portant role in T outsourcing decisions. O"ten this co#es do$n to a

    #atter o" de"inition and interpretation. 7or e+a#ple) #ost C*Os $ould de"ine

    their T "unction as a non-core co##odit() unless the( are in the business o"

    de'eloping and selling T applications. Conseuentl() a belie" that allT can)

    and should) be #anaged b( large ser'ice organi6ations tends to pre'ail.

    Such #isperception re"lects) in part) both lac% o" e+ecuti'e education and

    disse#ination o" "ault( in"or#ation regarding the 'irtues and li#itations o" T

    outsourcing.