- Section 302 requires corporate management to certify financial and other information contained in the organization’s quarterly and annual reports.
- Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls over financial reporting.

Relationship Between IT Controls and Financial Reporting
- Information technology drives the financial reporting processes of modern organizations. Automated systems initiate, authorize, record, and report the effects of financial transactions.
- As such, they are inextricable elements of the financial reporting processes that SOX considers, and they must be controlled.
- SAS 78/COSO identifies two broad groupings of information system controls: application controls and general controls.
  o The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions.
  o General controls (also called general computer controls and information technology controls) include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.

B. IT Governance
1. Organizational Structure Control
   a. Segregate the task of transaction authorization from transaction processing.
   b. Segregate record keeping from asset custody.
   c. Divide transaction-processing tasks among individuals so that fraud will require collusion between two or more individuals.
2. Computer Center Security and Controls
   a. Computer Center Controls
      o Physical Location
      o Construction
      o Access
      o Air Conditioning
      o Fire Suppression
   Audit Objectives Relating to Computer Center Security: the auditor must verify that
      o physical security controls are adequate to reasonably protect the organization from physical exposures;
      o insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center; and
      o operator documentation is adequate to deal with routine operations as well as system failures.
3. Disaster Recovery Planning
   A disaster recovery plan (DRP) is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. A DRP addresses the following control issues:
   1. Providing second-site backup: provides for duplicate data processing facilities following a disaster. The viable options available include:
      o the empty shell,
      o recovery operations center, and
      o internally provided backup.
   2. Identifying critical applications: another essential element of a DRP involves procedures to identify the critical applications and data files of the firm to be restored.
   3. Performing backup and off-site storage procedures: all data files, application documentation, and supplies needed to perform critical functions should be specified in the DRP. Data processing personnel should routinely perform backup and storage procedures to safeguard these critical resources.
   4. Creating a disaster recovery team: to avoid serious omissions or duplication of efforts during implementation of the contingency plan, individual task responsibility must be clearly defined and communicated to the personnel involved.
   5. Testing the DRP: a test is most useful in the form of a surprise simulation of a disruption. When the mock disaster is announced, the status of all processing that it affects should be documented.
C. Outsourcing the IT Function
   Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor’s expertise), and reduced IT costs.
   Risks Inherent to IT Outsourcing
   1. Failure to Perform
   2. Vendor Exploitation
   3. Outsourcing Costs Exceed Benefits
   4. Reduced Security
   5. Loss of Strategic Advantage
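The three organizational structure controls under IT Governance (segregating authorization from processing, record keeping from custody, and dividing processing tasks so fraud needs collusion) are usually verified by an auditor against a table of who holds which function. The following is an added example, not part of the original notes and not taken from any textbook or tool: a small detective check over a constructed user-to-function table. The function names (transaction_authorization, record_keeping, and so on), the users and the purchasing tasks are all assumptions made for illustration.

```python
# Added example: detect violations of the three organizational structure controls.
# Function names, users and tasks below are constructed for illustration.
from itertools import combinations

# Pairs of functions that one individual must not hold at the same time.
INCOMPATIBLE = {
    frozenset({"transaction_authorization", "transaction_processing"}),  # control (a)
    frozenset({"record_keeping", "asset_custody"}),                       # control (b)
}


def find_conflicts(assignments):
    """Return {user: [(function, function), ...]} for every user who holds
    two functions that policy says must be segregated. Pairs are sorted so the
    result is deterministic."""
    conflicts = {}
    for user, functions in assignments.items():
        found = []
        for a, b in combinations(sorted(set(functions)), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                found.append((a, b))
        if found:
            conflicts[user] = found
    return conflicts


def collusion_required(task_owners):
    """Control (c): how many distinct people own the steps of one transaction
    chain. A result of 1 means a single person could complete the whole
    transaction alone; 2 or more means fraud would require collusion."""
    return len(set(task_owners.values()))


# Constructed sample data (not real users or roles).
ASSIGNMENTS = {
    "alice": ["transaction_authorization"],
    "bob":   ["transaction_processing", "record_keeping"],
    "carol": ["record_keeping", "asset_custody"],                       # violates (b)
    "dave":  ["transaction_authorization", "transaction_processing"],   # violates (a)
}

# Steps of a constructed purchasing transaction and who performs each one.
PURCHASE_TASKS = {
    "raise_requisition": "alice",
    "approve_purchase_order": "alice",
    "receive_goods": "carol",
    "approve_invoice": "bob",
}

if __name__ == "__main__":
    for user, pairs in find_conflicts(ASSIGNMENTS).items():
        print(f"{user}: holds incompatible functions {pairs}")
    print("people needed to collude:", collusion_required(PURCHASE_TASKS))
```

In practice the assignment table would be exported from the access control system or the database authorization table rather than typed in, but the check is the same: every user is compared against the list of incompatible pairs, and every transaction chain is checked for the number of distinct owners.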
Security and Access
A. Controlling the Operating System
1. Operating System Objectives
   The operating system performs three main tasks:
   a. it translates high-level languages, such as COBOL, C++, BASIC, and SQL, into the machine-level language that the computer can execute;
   b. it allocates computer resources to users, workgroups, and applications; and
   c. it manages the tasks of job scheduling and multiprogramming.
   Five fundamental control objectives:
   1. The operating system must protect itself from users.
   2. The operating system must protect users from each other.
   3. The operating system must protect users from themselves.
   4. The operating system must be protected from itself.
   5. The operating system must be protected from its environment.
2. Operating System Security
   Operating system security involves policies, procedures, and controls that determine who can access the operating system, which resources (files, programs, printers) they can access, and what actions they can take. The following security components are found in secure operating systems:
   o log-on procedure,
   o access token,
   o access control list, and
   o discretionary access privileges.
   Audit Objectives Relating to Access Privileges: the objective of the auditor is to verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization’s policy.
B. Controlling the Database Management System
1. Access Controls
   - User View
   - Database Authorization Table
   - User-Defined Procedures
   - Data Encryption
   - Biometric Devices
2. Backup Controls
   - Database Backup
   - Transaction Log (Journal)
   - Checkpoint Feature
   - Recovery Module
C. Controlling Networks
1. Controlling Risks From Subversive Threats
   o Firewalls: a firewall is a system that enforces access control between two networks.
   o Controlling Denial of Service Attacks
   o Encryption: the conversion of data into a secret code for storage in databases and transmission over networks (private key and public key encryption).
2. Controlling Risks From Equipment Failure
   o Line Errors: Echo Check, Parity Check
D. Electronic Data Interchange (EDI)
1. Transaction Authorization and Validation
   a. Some VANs have the capability of validating passwords and user ID codes for the vendor by matching these against a valid customer file. The VAN rejects any unauthorized trading partner transactions before they reach the vendor’s system.
   b. Before being converted, the translation software can validate the trading partner’s ID and password against a validation file in the firm’s database.
   c. Before processing, the trading partner’s application software references the valid customer and vendor files to validate the transaction.
2. Access Control
   To function smoothly, EDI trading partners must permit a degree of access to private data files that would be forbidden in a traditional environment.
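The two line-error controls named under Controlling Risks From Equipment Failure, the parity check and the echo check, are easiest to understand by simulating them. The following is an added example written for these notes, not code from the original notes or from any textbook: it attaches an even parity bit to each byte of a constructed message, corrupts the frame the way line noise would, and shows which errors the receiver's parity check catches and which the echo check catches. All function names and the sample message are assumptions made for illustration.

```python
# Added example: parity check and echo check over a constructed message.
# Function names and the payload are constructed for illustration.

MESSAGE = b"PAY 100"  # constructed payload; not real transaction data


def add_parity(data):
    """Even parity: each byte becomes a 9-bit unit (data << 1 | parity bit)
    chosen so the unit always contains an even number of 1 bits."""
    units = []
    for b in data:
        parity = bin(b).count("1") % 2
        units.append((b << 1) | parity)
    return units


def check_parity(units):
    """Receiver side: return the positions whose 9-bit unit has an odd number
    of 1 bits, i.e. where a line error is detected."""
    return [i for i, u in enumerate(units) if bin(u).count("1") % 2 == 1]


def flip_bits(units, pos, *bit_indexes):
    """Simulate line noise: invert the given bit positions of one unit."""
    units = list(units)
    for bit in bit_indexes:
        units[pos] ^= 1 << bit
    return units


def echo_check(sent, received):
    """Echo check: the receiver echoes back what it received; the sender
    compares the echo with what it sent and retransmits on mismatch."""
    echoed = bytes(received)  # the receiver returns exactly what arrived
    return echoed == sent


def demo():
    """Return (clean, one_bit, two_bit) detection results for the parity check."""
    units = add_parity(MESSAGE)
    clean = check_parity(units)                         # nothing flipped
    one_bit = check_parity(flip_bits(units, 2, 3))      # single-bit error in unit 2
    two_bit = check_parity(flip_bits(units, 2, 3, 5))   # two bits flipped in unit 2
    return clean, one_bit, two_bit


def echo_demo():
    """Same two-bit error, but checked by echo instead of parity."""
    corrupted = bytearray(MESSAGE)
    corrupted[2] ^= 0b00101000  # flip two data bits in the third byte
    return echo_check(MESSAGE, corrupted)


if __name__ == "__main__":
    print("parity check (clean, one-bit, two-bit):", demo())
    print("echo check catches the two-bit error:", not echo_demo())
```

The point the simulation makes is the limit of each control: a single parity bit detects any odd number of flipped bits in a unit but misses an even number, while the echo check compares the whole message and catches that case at the cost of a return trip over the same line.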
System Development, Program Changes and Application Controls
A. System Development Control
1. Controlling System Development Activities
   - System Authorization Activities
   - User Specification Activities
   - Technical Design Activities
   - Internal Audit Participation
   - Program Testing
   - User Test and Acceptance Procedures
2. Controlling Program Change Activities
   Upon implementation, the information system enters the maintenance phase of the SDLC. This is the longest period in the SDLC, often spanning several years. Most systems do not remain static throughout this period. Maintenance access to systems increases the risk that logic will be corrupted either by accident or with intent to defraud. To minimize the risk, all maintenance actions should require, as a minimum, four controls: formal authorization, technical specifications, testing, and documentation updates.
3. Source Program Library (SPL)
   a. The worst-case situation: no control. In this situation, access to application programs is completely unrestricted. Legitimate maintenance programmers or others may access any programs stored in the library, which has no provision for detecting an unauthorized intrusion.
   b. A controlled SPL environment
      o Password Control
      o Separation of Test Libraries
      o Audit Trail and Management Reports
      o Program Version Numbers
      o Controlling Access to Maintenance Commands
B. Application Control
1. Input Control
   Input controls are programmed procedures (routines) that perform tests on transaction data to ensure that they are free from errors.
2. Processing Control
   Processing controls are programmed procedures and may be divided into three categories: batch controls, run-to-run controls, and audit trail controls.
3. Output Control
   Output controls are a combination of programmed routines and other procedures to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.
C. Testing Computer Application Controls
1. The black box (around the computer) approach: analyze flowcharts and interview knowledgeable personnel in the client’s organization to understand the functional characteristics of the application.
2. The white box (through the computer) approach: relies on an in-depth understanding of the internal logic of the application being tested.
D. Substantive Testing Techniques
   Substantive tests are so named because they are used to substantiate dollar amounts in account balances. Substantive tests include but are not limited to the following:
   1. Determining the correct value of inventory.
   2. Determining the accuracy of prepayments and accruals.
   3. Confirming accounts receivable with customers.
   4. Searching for unrecorded liabilities.
   Techniques:
   1. Embedded Audit Module
   2. Generalized Audit Software
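The Application Control section above describes input controls as programmed tests on transaction data and processing controls as batch and run-to-run controls, without showing what those routines look like. The following is an added example written for these notes, not code from the original notes or from any textbook: a constructed batch of sales transactions is passed through a few input tests (validity, numeric, sign and limit checks), batch control totals are taken over the accepted records, and a run-to-run check recomputes the totals after a later run to detect lost or altered records. The field names, the valid-customer file, the credit limit and the transactions are all assumptions made for illustration.

```python
# Added example: input controls and batch / run-to-run processing controls.
# Field names, the valid-customer file, the limit and the batch are constructed.
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"A100", "A200", "A300"}   # constructed valid-customer file
CREDIT_LIMIT = Decimal("5000.00")           # constructed limit for the limit check


def input_checks(txn):
    """Programmed input controls on one transaction.
    Returns the list of failed tests; an empty list means the record is clean."""
    errors = []
    if txn.get("account") not in VALID_ACCOUNTS:
        errors.append("validity check: unknown account")
    qty = str(txn.get("qty", ""))
    if not qty.isdigit():
        errors.append("numeric check: qty")
    elif int(qty) <= 0:
        errors.append("sign/limit check: qty must be positive")
    try:
        amount = Decimal(str(txn.get("amount")))
        if amount > CREDIT_LIMIT:
            errors.append("limit check: amount exceeds credit limit")
    except InvalidOperation:
        errors.append("numeric check: amount")
    return errors


def validate_batch(batch):
    """Split a batch into accepted records and {id: errors} for rejected ones."""
    accepted, rejected = [], {}
    for txn in batch:
        errors = input_checks(txn)
        if errors:
            rejected[txn["id"]] = errors
        else:
            accepted.append(txn)
    return accepted, rejected


def control_totals(batch):
    """Batch control totals carried from run to run: record count, financial
    total (sum of amounts) and a hash total over a non-financial field
    (the numeric part of the account code)."""
    return {
        "records": len(batch),
        "financial": sum(Decimal(str(t["amount"])) for t in batch),
        "hash": sum(int(t["account"][1:]) for t in batch),
    }


def run_to_run(batch, expected):
    """Run-to-run control: recompute the totals after a processing run and
    compare them with the totals recorded when the batch was accepted.
    Returns (ok, recomputed_totals)."""
    recomputed = control_totals(batch)
    return recomputed == expected, recomputed


# Constructed sample batch; three records are deliberately defective.
BATCH = [
    {"id": 1, "account": "A100", "qty": "3", "amount": "120.00"},
    {"id": 2, "account": "A200", "qty": "1", "amount": "9000.00"},  # fails limit check
    {"id": 3, "account": "Z999", "qty": "2", "amount": "50.00"},    # fails validity check
    {"id": 4, "account": "A300", "qty": "0", "amount": "10.00"},    # fails sign check
    {"id": 5, "account": "A300", "qty": "4", "amount": "400.00"},
]

if __name__ == "__main__":
    accepted, rejected = validate_batch(BATCH)
    for txn_id, errors in rejected.items():
        print(f"record {txn_id} rejected: {errors}")
    totals = control_totals(accepted)                 # recorded at batch entry
    print("control totals:", totals)
    # A later run that silently drops a record is caught by the run-to-run check.
    ok, recomputed = run_to_run(accepted[:-1], totals)
    print("run-to-run check passed:", ok, "recomputed:", recomputed)
```

The three totals catch different failures: the record count detects dropped or duplicated records, the financial total detects an altered amount, and the hash total detects a record whose account code was changed even when the amount and count still agree.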