Chapter 14 Slides

Chapter 14
Auditing IT
Controls Part I:
Sarbanes-
Oxley and IT
Governance
James A. Hall, Accounting Information Systems, 10th Edition. © 2019

Cengage. All Rights Reserved. May not be scanned, copied or duplicated,
or posted to a publicly accessible website, in whole or in part.
Learning Objectives
• Be familiar with the structure of a financial audit and the role of the
IT audit component.
• Understand the key features of Sections 302 and 404 of the
Sarbanes-Oxley Act.
• Understand management and auditor responsibilities under
Sections 302 and 404.
• Understand the risks of incompatible functions and how to
structure the IT function.
• Be familiar with the controls and precautions required to ensure
the security of an organization’s computer facilities.
• Understand the key elements of a disaster recovery plan.
• Be familiar with the benefits, risks, and audit issues related to IT
outsourcing.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 2
1
Overview of Auditing
• An external audit is an independent attestation performed
by an expert—the auditor—who expresses an opinion
regarding the presentation of financial statements.
• The CPA’s role is to collect and evaluate evidence and
thus render an opinion.
• External auditors follow strict rules in conducting financial
audits.
Financial Audit Components

• The product of the attestation function is a formal written
report that expresses an opinion as to whether the
financial statements are in conformity with generally
accepted accounting principles (GAAP).
• External users of financial statements are presumed to
rely on the auditor’s opinion about the reliability of
financial statements in making decisions.
2
Generally Accepted Auditing Standards
AUDITING STANDARDS
• Auditing standards are divided into three classes:

1. General qualification standards
2. Field work standards
3. Reporting standards
• To provide specific guidance, the AICPA issues
Statements on Auditing Standards (SASs) as authoritative
interpretations of GAAS.
• The first SAS (SAS 1) was issued by the AICPA in 1972.
3
Structure of an Audit
• Conducting an audit is a systematic and logical process
that consists of three conceptual phases:
1. Audit planning
2. Tests of controls
3. Substantive testing
• An IT audit involves the review of the computer-based
components of an organization. The audit is often
performed as part of a broader financial audit.
AUDIT PLANNING
• Audit planning is the first step in the IT audit in which the

auditor gains a thorough understanding of the client’s
business. A major part of this phase of the audit is the
analysis of audit risk.
• Tests of Controls
• The tests of controls are tests that establish whether internal
controls are functioning properly.
• Computer-assisted audit tools and techniques (CAATTs) is
the use of computers to illustrate how application controls are
tested and to verify the effective functioning of application
controls.
• Control risk is the likelihood that the control structure is flawed
because controls are either absent or inadequate to prevent or
detect errors in the accounts.
4
AUDIT PLANNING (continued)
• Substantive Testing
• Substantive tests are tests that determine whether database
contents fairly reflect the organization’s transactions.
Phases of an Audit
10
5
MANAGEMENT ASSERTIONS
• Management assertions are a combination of tests of

application controls and substantive tests of transaction
details and account balances.
• Audit objectives are the task of creating meaningful test
data.
• Audit procedures are used to gather evidence that
corroborates or refutes management’s assertions.
11
Audit Objectives and Audit Procedures Based

on Management Assertions
12
6
AUDIT RISK
• Audit risk is the probability that the auditor will render

unqualified opinions on financial statements that are, in
fact, materially misstated.
• Audit Risk Components
• Inherent Risk
• Inherent risk (IR) is the risk associated with the unique
characteristics of the business or industry of the client.
• Control Risk
13
AUDIT RISK (continued)
• Detection Risk
• Detection risk (DR) is risk that auditors are willing to take that
errors not detected or prevented by the control structure will
also not be detected by the auditor.
• Audit Risk Model
• The audit report includes an opinion on the fair presentation
of the financial statements and an opinion on the quality of
internal controls over financial reporting.
14
7
Overview of SOX Sections 302 and 404
• Sarbanes-Oxley Act (SOX) of 2002 established corporate

governance regulations and standards for public
companies registered with the SEC.
• Section 302 requires corporate management, including
the chief executive officer (CEO), to certify financial and
other information contained in the organization’s quarterly
and annual reports.
• Section 404 requires the management of public
companies to assess the effectiveness of their
organization’s internal controls over financial reporting.
15
RELATIONSHIP BETWEEN IT CONTROLS

AND FINANCIAL REPORTING
• Application controls ensure the integrity of specific
systems.
• General controls are controls that pertain to entity-wide
concerns such as controls over the data center,
organization databases, systems development, and
program maintenance.
• General computer controls are specific activities
performed by persons or systems designed to ensure that
business objectives are met.
• Information technology controls include controls over
IT governance, IT infrastructure, security, and access to
operating systems and databases, application acquisition
and development, and program changes.
16
8
AUDIT IMPLICATIONS OF SECTIONS 302
AND 404
• Computer fraud is the theft, misuse, or misappropriation
of assets by altering computer-readable records and files,
or by altering the logic of computer software; the illegal
use of computer-readable information; or the intentional
destruction of computer software or hardware.
17
AUDIT IMPLICATIONS OF SECTIONS 302

AND 404 (continued)
• Computer Fraud
• DATA COLLECTION
• DATA PROCESSING: Program fraud includes techniques such
as creating illegal programs that can access data files to alter,
delete, or insert values into accounting records; destroying or
corrupting a program’s logic using a computer virus; or altering
program logic to cause the application to process data
incorrectly. Operations fraud is the misuse or theft of the firm’s
computer resources.
• DATABASE MANAGEMENT: Database management fraud
includes altering, deleting, corrupting, destroying, or stealing an
organization’s data.
• INFORMATION GENERATION: Scavenging involves searching
through the trash of the computer center for discarded output.
Eavesdropping involves listening to output transmissions over
telecommunication lines.
18
9
Information Technology Control Relationship
19
The General Model for Accounting

Information Systems
20
10
IT Governance Controls
• IT governance is a broad concept relating to the decision
rights and accountability for encouraging desirable
behavior in the use of IT.
• Not all elements of IT governance relate specifically to
control issues that SOX addresses and that are outlined in
the COSO framework.
21
Organizational Structure Controls

• Operational tasks should be separated to:
• Segregate the task of transaction authorization from
transaction processing.
• Segregate record keeping from asset custody.
• Divide transaction-processing tasks among individuals so that
fraud will require collusion between two or more individuals.
22
11
SEGREGATION OF DUTIES WITHIN THE
CENTRALIZED FIRM
• Separating Systems Development from Computer
Operations
• Separating the Database Administrator from Other
Functions
• User views are sets of data that a particular user needs to
achieve his or her assigned tasks.
• SEPARATING THE DBA FROM SYSTEMS DEVELOPMENT:
Access controls are controls that ensure that only authorized
personnel have access to the firm’s assets.
• Separating New Systems Development from Maintenance
• INADEQUATE DOCUMENTATION
• PROGRAM FRAUD
• A Superior Structure for Systems Development
23
Organizational Chart of a Centralized

Information Technology Function
24
12
Alternative Organization of Systems
Development
25
THE DISTRIBUTED MODEL
• Distributed data processing (DDP) is reorganizing the

IT function into small information processing units (IPUs)
that are distributed to end users and placed under their
control.
• Advantages of DDP
• COST REDUCTIONS
• IMPROVED COST CONTROL RESPONSIBILITY
• IMPROVED USER SATISFACTION
• BACKUP
26
13
THE DISTRIBUTED MODEL (continued)
• Disadvantages of DDP
• MISMANAGEMENT OF ORGANIZATION-WIDE
RESOURCES
• HARDWARE AND SOFTWARE INCOMPATIBILITY
• REDUNDANT TASKS
• CONSOLIDATING INCOMPATIBLE ACTIVITIES
• HIRING QUALIFIED PROFESSIONALS
• LACK OF STANDARDS
27
Organizational Structure for a Distributed

System
28
14
CREATING A CORPORATE IT FUNCTION
• Corporate IT function is a coordinating IT unit that

attempts to establish corporate-wide standards among
distributed IT units.
• Central Testing of Commercial Software and Hardware
• User Services
• Standard-Setting Body
• Personnel Review
29
Distributed Organization with Corporate IT

Function
30
15
AUDIT OBJECTIVES RELATING TO
ORGANIZATIONAL STRUCTURE
• The auditor’s objective is to ascertain whether individuals
serving in incompatible areas are segregated in
accordance with an acceptable level of risk and in a
manner that promotes an effective working environment.
31
AUDIT PROCEDURES RELATING TO

ORGANIZATIONAL STRUCTURE
• The following audit tests provide evidence in achieving the
audit objective:
• Obtain and review the corporate policy on computer security.
• Review relevant documentation, including the current
organizational chart, mission statement, and job descriptions
for key functions, to determine if individuals or groups are
performing incompatible functions.
• Review systems documentation and maintenance records for a
sample of applications.
• Through observation, determine that the segregation policy is
being followed in practice.
• Review user roles to verify that programmers have access to
privileges consistent with their job descriptions.
32
16
Computer Center Security and Controls
• Fires, floods, wind, sabotage, earthquakes, or even power

outages can deprive an organization of its data
processing facilities and bring to a halt those functions
that are performed or aided by computer.
• What does a company do to prepare itself for such an
event?
• How will it recover?
33
COMPUTER CENTER CONTROLS
• Physical Location
• Construction
• Access
• Air Conditioning
• Fire Suppression
• Fault Tolerance Controls
• Fault tolerance is the ability of the system to continue
operation when part of the system fails because of hardware
failure, application program error, or operator error.
• Audit Objectives Relating to Computer Center Security
34
17
COMPUTER CENTER CONTROLS
(continued)
• Audit Procedures for Assessing Physical Security Controls

• TESTS OF PHYSICAL CONSTRUCTION
• TESTS OF THE FIRE DETECTION SYSTEM
• TESTS OF ACCESS CONTROL
• Tests of Fault Tolerance Controls
• RAID
• POWER SUPPLIES BACKUP
• Audit Procedures for Verifying Insurance Coverage
• Audit Procedures for Verifying Adequacy of Operator
Documentation
35
Disaster Recovery Planning

• A disaster recovery plan (DRP) is a comprehensive
statement of all actions to be taken before, during, and
after a disaster, along with documented, tested
procedures that will ensure the continuity of operations.
• Off-site storage is a storage procedure used to
safeguard the critical resources.
36
18
PROVIDING SECOND-SITE BACKUP
• The Empty Shell

• The empty shell is an arrangement that involves two or more
user organizations that buy or lease a building and remodel it
into a computer site, but without the computer and peripheral
equipment.
• The Recovery Operations Center
• A recovery operations center (ROC) is an arrangement
involving two or more user organizations that buy or lease a
building and remodel it into a completely equipped computer
site.
• Internally Provided Backup
• Mirrored data center is a data center that reflects current
economic events of the firm.
37
IDENTIFYING CRITICAL APPLICATIONS
• An essential element of a DRP involves procedures to

identify the critical applications and data files of the firm to
be restored.
• For most organizations, short-term survival requires the
restoration of those functions that generate cash flows
sufficient to satisfy short-term obligations.
• Applications should be identified and prioritized in the
restoration plan.
• The task of identifying and prioritizing critical applications
requires active participation of management, user
departments, and internal auditors.
38
19
PERFORMING BACKUP AND OFF-SITE
STORAGE PROCEDURES
• Backup Data Files
• Backup Documentation
• Backup Supplies and Source Documents
39
CREATING A DISASTER RECOVERY TEAM
• Recovering from a disaster depends on timely corrective

action.
• Failure to perform essential tasks prolongs the recovery
period and diminishes the prospects for a successful
recovery.
• Individual task responsibility must be clearly defined and
communicated to the personnel involved.
40
20
Disaster Recovery Team
41
TESTING THE DRP
• Tests provide measures of the preparedness of personnel

and identify omissions or bottlenecks in the plan.
• A test is most useful in the form of a surprise simulation of
a disruption.
42
21
AUDIT OBJECTIVE: ASSESSING DISASTER
RECOVERY PLANNING
• The auditor should verify that management’s disaster
recovery plan is adequate and feasible for dealing with a
catastrophe that could deprive the organization of its
computing resources.
43
AUDIT PROCEDURES FOR ASSESSING

DISASTER RECOVERY PLANNING
• Second-Site Backup
• Critical Application List
• Backup Critical Applications and Critical Data Files
• Backup Supplies, Source Documents, and Documentation
• The Disaster Recovery Team
• CURRENT TREND IN DISASTER RECOVERY: Disaster
recovery as a service (DRaaS) is a variant on cloud
computing, which draws upon these traditional services to
provide computing and backup services.
44
22
Outsourcing the IT Function
• IT outsourcing is the contracting with a third-party vendor to
take over the costs, risks, and responsibilities associated
with maintaining an effective corporate IT function, including
management of IT assets and staff and delivery of IT
services such as data entry, data center operations,
applications development, applications maintenance, and
network management.
• Core competency theory is the theory underlying
outsourcing that posits an organization should focus
exclusively on its core business competencies while allowing
outsourcing vendors to manage non-core areas such as IT
functions efficiently.
45
Outsourcing the IT Function (continued)

• Commodity IT assets are assets not unique to an organization
and easily acquired in the marketplace (e.g., network
management, systems operations, server maintenance, help-
desk functions).
• Specific IT assets are assets unique to an organization that
support its strategic objectives. Specific IT assets have little
value outside their current use. May be tangible (computer
equipment), intellectual (computer programs), or human.
• Transaction Cost Economics (TCE) theory is a belief that
organizations should retain certain specific non-core IT assets
in-house; due to their esoteric nature, such assets cannot be
easily replaced once they are given up in an outsourcing
arrangement. Supports outsourcing of commodity assets,
which are easily replaced.
46
23
RISKS INHERENT TO IT OUTSOURCING
• Failure to Perform
• Vendor Exploitation of Clients
• Outsourcing Costs Exceed Benefits
• Reduced Security
47
LOSS OF STRATEGIC ADVANTAGE
• Organizations that use IT strategically must align business

strategy and IT strategy or run the risk of decreased
business performance.
• To accomplish such alignment necessitates a close
working relationship between corporate management and
IT management in the concurrent development of
business and IT strategies.
48
24
AUDIT IMPLICATIONS OF IT
OUTSOURCING
• The PCAOB specifically states in its Auditing Standard
No. 2 that the use of a service organization does not
reduce management’s responsibility to maintain effective
internal control over financial reporting.
• Statement on Standards for Attestation Engagements
No. 16 (SSAE 16) is an internationally recognized third-
party attestation report designed for service organizations
such as IT outsourcing vendors.
• SSAE 16 is the definitive standard by which client
organizations’ auditors can determine whether processes
and controls at the third-party vendor are adequate to
prevent or detect material errors that could impact the
client’s financial statements.
49
SSAE 16 Reporting
50
25
SSAE 16 REPORT CONTENTS
• The SSAE 16 attest report provides a description of the

service provider’s system including details of how
transactions are processed and results are communicated
to their client organizations.
• When using the carve-out method, the service provider
management would exclude the subservice organization’s
relevant control objectives and related controls from the
description of its system.
• When using the inclusive method, reporting the service
provider’s description of its system will include the
services performed by the subservice organization.
51
26

Chapter 14 Slides

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 14 Slides

Uploaded by

Copyright:

Available Formats

Chapter 14

James A. Hall, Accounting Information Systems, 10th Edition. © 2019

Financial Audit Components

• Auditing standards are divided into three classes:

• Audit planning is the first step in the IT audit in which the

• Management assertions are a combination of tests of

Audit Objectives and Audit Procedures Based

• Audit risk is the probability that the auditor will render

AUDIT RISK (continued)

• Sarbanes-Oxley Act (SOX) of 2002 established corporate

RELATIONSHIP BETWEEN IT CONTROLS

AUDIT IMPLICATIONS OF SECTIONS 302

The General Model for Accounting

Organizational Structure Controls

Organizational Chart of a Centralized

THE DISTRIBUTED MODEL

• Distributed data processing (DDP) is reorganizing the

Organizational Structure for a Distributed

• Corporate IT function is a coordinating IT unit that

Distributed Organization with Corporate IT

AUDIT PROCEDURES RELATING TO

• Fires, floods, wind, sabotage, earthquakes, or even power

COMPUTER CENTER CONTROLS

• Audit Procedures for Assessing Physical Security Controls

Disaster Recovery Planning

• The Empty Shell

IDENTIFYING CRITICAL APPLICATIONS

• An essential element of a DRP involves procedures to

CREATING A DISASTER RECOVERY TEAM

• Recovering from a disaster depends on timely corrective

TESTING THE DRP

• Tests provide measures of the preparedness of personnel

AUDIT PROCEDURES FOR ASSESSING

Outsourcing the IT Function (continued)

LOSS OF STRATEGIC ADVANTAGE

• Organizations that use IT strategically must align business

• The SSAE 16 attest report provides a description of the

You might also like