Chapter 15

IT Controls Part I: Sarbanes-Oxley

& IT Governance

Accounting Information Systems, 5th editionJames A. Hall

2

Objectives for Chapter 15 Key features of Sections 302 and 404 of

Sarbanes-Oxley Act Management and auditor responsibilities

under Sections 302 and 404 Risks of incompatible functions and how to

structure IT function Controls and security of organization’s

computer facilities Key elements of disaster recovery plan

3

Sarbanes-Oxley Act

The 2002 Sarbanes-Oxley (SOX) Act established new corporate governance rules◦ Created company accounting oversight board◦ Increased accountability for company officers and

board of directors◦ Increased white collar crime penalties◦ Prohibits a company’s external audit firms from

providing financial information systems

4

SOX Section 302

Section 302—in quarterly and annual financial statements, management must:◦ certify the internal controls over financial

reporting◦ state responsibility for internal control design ◦ provide reasonable assurance as to the reliability

of the financial reporting process◦ disclose any recent material changes in internal

controls

5

SOX Section 404

Section 404—in annual report on internal control effectiveness, management must:◦ state responsibility for establishing /maintaining

adequate financial reporting internal control◦ assess internal control effectiveness◦ Refer to the external auditors’ attestation report

on management’s internal control assessment◦ provide explicit conclusions on the effectiveness

of financial reporting internal control◦ Identify the framework management used to

conduct their internal control assessment Examples – COSO or COBIT

6

http://www.microsoft.com/msft/reports/ar08/10k_fr_con.html

7

IT Controls & Financial Reporting Modern financial reporting is driven by

information technology (IT) IT initiates, authorizes, records, and reports

the effects of financial transactions. ◦ Financial reporting internal controls are

inextricably integrated to IT. COSO identifies two groups of IT controls:

◦ application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy

◦ general controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

8

SOX Audit Implications Pre-SOX, audits did not require internal control tests.

◦ Only required to be familiar with client’s internal control◦ Audit consisted primarily of substantive tests (tests of

account balances)

SOX – radically expanded scope of audit◦ Issue new audit opinion on management’s internal control

assessment◦ Required to test internal control affecting financial

information, especially internal control to prevent fraud◦ Collect documentation of management’s internal control

tests and interview management on internal control changes

9

Types of Audit TestsTests of controls – tests to determine if appropriate internal controls are in place and functioning effectively

Substantive testing – detailed examination of account balances and transactions

10

Organizational Structure IC

Audit objective – verify that individuals in incompatible areas are segregated to minimize risk while promoting operational efficiency

internal controls, especially segregation of duties, are affected by the type of organizational structure:◦ Centralized model◦ Distributed model

President

VPMarketing

VP ComputerServices

VPOperations

VPFinance

SystemsDevelopment

DatabaseAdministration

DataProcessing

New SystemsDevelopment

SystemsMaintenance

DataControl

DataPreparation

ComputerOperations

DataLibrary

President

VPMarketing

VPFinance

VPOperations

Workstation

VPAdministration

Treasurer Controller ManagerPlant X

ManagerPlant Y

CENTRALIZED COMPUTER SERVICES FUNCTION

DISTRIBUTED ORGANIZATIONALSTRUCTURE

Workstation

Workstation

Workstation

Workstation

Workstation

12

Need to separate:◦ systems development from computer

operations/processing◦ database administrator and other computer

service functions especially database administrator (DBA) and

systems development DBA authorizes access

◦ maintenance and new systems development◦ data library and operations

(assumes internally developed software)

Centralized DP Organizational Controls

13

Many advantages to using DDP, yet there are control implications:◦ incompatible software among various work

centers ◦ data redundancy may result◦ consolidation of incompatible tasks◦ lack of standards

Distributed DP Organizational Controls

14

Corporate computer services function/information center may help to alleviate potential problems associated with DDP by providing:◦ central testing of commercial hardware and

software◦ user services staff◦ standards setting body ◦ reviewing technical credentials of prospective

systems professionals

Organizational Structure Controls

Operating System

Data Management

Systems Development

Systems Maintenance

Organizational Structure

Internet

& Intranet

EDI Trading Partners

Personal Computers

Computer Center Security

Applications

Internet

& Intranet

General Control Framework for CBIS Exposures

16

Audit objectives:◦ physical security internal control protects the

computer center from physical exposures◦ insurance coverage compensates the organization

for damage to the computer center◦ operator documentation addresses routine

operations as well as system failures

Computer Center Internal Controls

(centralized or DDP)

17

Considerations: location away from human-made and natural

hazards utility and communications lines underground keep windows closed – use air filtration systems access limited to operators and other necessary

workers; others required to sign in and out fire suppression systems should be installed backup power supplies

Computer Center Controls(assumes centralized processing)

(centralized or DDP)

18

Segregation of Duties

Transaction authorization is separate from transaction processing.

Asset custody is separate from record-keeping responsibilities.

The tasks needed to process the transactions are subdivided so that fraud requires collusion.

19

Audit Procedures Review corporate policy on computer security

◦ Verify that security policy is communicated to employees Review documentation to determine if individuals or groups

are performing incompatible functions Review systems documentation and maintenance records

◦ Verify that maintenance programmers are not also design programmers

Observe if segregation policies are followed in practice. ◦ Example: check operations room access logs to determine

if programmers enter for reasons other than system failures

Review user rights and privileges ◦ Verify that programmers have access privileges consistent

with their job descriptions

20

Audit Procedures Review insurance coverage on hardware, software, and physical facility

Review operator documentation, run manuals, for completeness and accuracy

Verify that operational details of a system’s internal logic are not in the operator’s documentation

21

Disaster Recovery Planning

Disaster recovery plans (DRP) identify:◦ actions before, during, and after the disaster◦ disaster recovery team◦ priorities for restoring critical applications

Audit objective – verify that DRP is adequate and feasible for dealing with disasters

22

Disaster Recovery Planning

Major IC concerns: ◦second-site backups◦critical applications and databases including supplies and documentation

◦back-up and off-site storage procedures

◦disaster recovery team◦testing the DRP regularly

23

Disaster Recovery Planning (DRP)

Disaster recovery plan◦ Include all actions to be taken

before, during, and after disaster◦ Disaster Recovery Team identified◦ critical applications

(modules/programs) must be identified restore these applications first

Backups and off-site storage procedures◦ databases and applications◦ documentation◦ supplies

24

Mutual Aid Pact - agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs

Empty Shell/Cold Site - involves two or more user organizations that buy or lease building and remodel it into computer site, but without computer equipment

Recovery Operations Center/Hot Site - completely equipped site; very costly and typically shared among many companies

Internally Provided Backup - companies with multiple data processing centers may create internal excess capacity

Second-Site Disaster Backups

25

Audit Procedures Evaluate adequacy of second-site

backup arrangements Review list of critical applications for

completeness and currency Verify procedures are in place for storing

off-site copies of applications/ data◦Check currency back-ups and copies

Verify that documentation, supplies, etc., are stored off-site

Verify that disaster recovery team knows its responsibilities◦Check frequency of testing DRP

26