IT Controls Part I: Sarbanes-Oxley & IT Governance

Sections 302 and 404 of the Sarbanes-Oxley Act increased management responsibilities and accountability for internal controls over financial reporting. IT controls are critical to financial reporting as modern systems initiate, authorize, record, and report transactions. A centralized IT structure can help ensure appropriate segregation of duties while a distributed structure requires controls over incompatible functions and standardization. Disaster recovery planning and controls over computer facilities and backups are also important to audit.

Uploaded by Toxy Kayz

Chapter 15

IT Controls Part I:
Sarbanes-Oxley & IT Governance
Objectives for Chapter 15
• Key features of Sections 302 and 404 of the Sarbanes-Oxley Act
• Management and auditor responsibilities under Sections 302 and 404
• Risks of incompatible functions and how to structure the IT function
• Controls and security of an organization’s computer facilities
• Key elements of a disaster recovery plan
Sarbanes-Oxley Act

• The 2002 Sarbanes-Oxley (SOX) Act established new corporate governance rules:
  • created a company accounting oversight board
  • increased accountability for company officers and the board of directors
  • increased white collar crime penalties
  • prohibits a company’s external audit firm from providing financial information systems services
SOX Section 302

• Section 302—in quarterly and annual financial statements, management must:
  • certify the internal controls (IC) over financial reporting
  • state responsibility for IC design
  • provide reasonable assurance as to the reliability of the financial reporting process
  • disclose any recent material changes in IC
SOX Section 404
• Section 404—in the annual report on IC effectiveness, management must:
  • state responsibility for establishing and maintaining adequate financial reporting IC
  • assess IC effectiveness
  • reference the external auditors’ attestation report on management’s IC assessment
  • provide explicit conclusions on the effectiveness of financial reporting IC
  • identify the framework management used to conduct their IC assessment, e.g., COBIT
IT Controls & Financial Reporting
• Modern financial reporting is driven by information technology (IT)
• IT initiates, authorizes, records, and reports the effects of financial transactions.
• Financial reporting IC are therefore inextricably integrated with IT.
IT Controls & Financial Reporting
• COSO identifies two groups of IT controls:
  • application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
  • general controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development
IT Controls & Financial Reporting
[Figure: relationship between general controls, application controls and financial reporting]
• Significant accounts: Sales, CGS, Inventory, AP, Cash, Financial
• Related applications (each under its own application controls): Order Entry, Purchases, Cash Disbursements
• Supporting general controls: Systems Development and Program Change Control; Database Access Controls; Operating System Controls
SOX Audit Implications
• Pre-SOX, audits did not require IC tests.
  • Only required to be familiar with client’s IC
  • Audit consisted primarily of substantive tests
• SOX – radically expanded scope of audit
  • Issue new audit opinion on management’s IC assessment
  • Required to test IC affecting financial information, especially IC to prevent fraud
  • Collect documentation of management’s IC tests and interview management on IC changes
Types of Audit Tests
• Tests of controls – tests to determine if appropriate IC are in place and functioning effectively
• Substantive testing – detailed examination of account balances and transactions
Organizational Structure IC
• Audit objective – verify that individuals in incompatible areas are segregated to minimize risk while promoting operational efficiency
• IC, especially segregation of duties, affected by which of two organizational structures applies:
  • Centralized model
  • Distributed model
[Figure: centralized computer services function]
• President → VP Marketing, VP Computer Services, VP Operations, VP Finance
• Computer Services → Systems Development (New Systems Development, Systems Maintenance); Database Administration; Data Processing (Data Control, Data Preparation, Computer Operations, Data Library)

[Figure: distributed organizational structure]
• President → VP Marketing, VP Finance (Treasurer, Controller), VP Administration, VP Operations (Manager Plant X, Manager Plant Y)
• Each of these units operates its own IPU
Segregation of Duties
• Transaction authorization is separate from transaction processing.
• Asset custody is separate from record-keeping responsibilities.
• The tasks needed to process the transactions are subdivided so that fraud requires collusion.
Segregation of Duties

[Figure: segregation of duties within a transaction]
• Control Objective 1 – Authorization separated from Processing
• Control Objective 2 – Authorization, Custody and Recording separated from one another
• Control Objective 3 – Authorization separated from processing, which is subdivided into Task 1, Task 2, Task 3 and Task 4
Centralized IT Structure
• Critical to segregate:
  • systems development from computer operations
  • database administrator (DBA) from other computer service functions
    • DBA’s authorizing and systems development’s processing
    • DBA authorizes access
  • maintenance from new systems development
  • data library from operations
Distributed IT Structure
• Despite its many advantages, important IC implications are present:
  • incompatible software among the various work centers
  • data redundancy may result
  • consolidation of incompatible tasks
  • difficulty hiring qualified professionals
  • lack of standards
Organizational Structure IC
• A corporate IT function alleviates potential problems associated with distributed IT organizations by providing:
  • central testing of commercial hardware and software
  • a user services staff
  • a standard-setting body
  • reviewing technical credentials of prospective systems professionals
Audit Procedures
• Review the corporate policy on computer security
• Verify that the security policy is communicated to employees
• Review documentation to determine if individuals or groups are performing incompatible functions
• Review systems documentation and maintenance records
• Verify that maintenance programmers are not also design programmers
Audit Procedures
• Observe if segregation policies are followed in practice.
  • E.g., check operations room access logs to determine if programmers enter for reasons other than system failures
• Review user rights and privileges
  • Verify that programmers have access privileges consistent with their job descriptions
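The two checks above (incompatible functions in the centralized IT structure, and programmer entries to the operations room outside system-failure windows) can be scripted over an access roster and badge log. This is an added example, not material from the chapter; the log line format, user names and incident windows are constructed for the illustration.

```python
# Added example (not from the chapter): automating two IT-function audit checks.
from datetime import datetime

# Function pairs the chapter lists as incompatible. The DBA is handled
# separately because it must be segregated from every other function.
INCOMPATIBLE = {
    frozenset({"new_systems_development", "computer_operations"}),
    frozenset({"systems_maintenance", "computer_operations"}),
    frozenset({"new_systems_development", "systems_maintenance"}),
    frozenset({"data_library", "computer_operations"}),
}

def incompatible(a, b):
    """True if one person holding both functions breaks segregation of duties."""
    return a != b and ("dba" in (a, b) or frozenset({a, b}) in INCOMPATIBLE)

def sod_violations(assignments):
    """assignments: {user: set of functions}. Returns sorted (user, a, b) triples."""
    hits = []
    for user, funcs in assignments.items():
        fl = sorted(funcs)
        hits += [(user, a, b) for i, a in enumerate(fl)
                 for b in fl[i + 1:] if incompatible(a, b)]
    return sorted(hits)

def parse_entry(line):
    """Constructed badge-log format: '<iso-time> <user> <door> <event>'."""
    ts, user, door, event = line.split()
    return datetime.fromisoformat(ts), user, door, event

def unexplained_entries(log_lines, programmers, failure_windows):
    """Programmer entries to the operations room outside any failure window."""
    flagged = []
    for line in log_lines:
        ts, user, door, event = parse_entry(line)
        if door != "ops_room" or event != "entry" or user not in programmers:
            continue
        if not any(start <= ts <= end for start, end in failure_windows):
            flagged.append((ts.isoformat(), user))
    return flagged

# Constructed sample data: role assignments, programmer roster, one outage.
ASSIGNMENTS = {"alice": {"new_systems_development"},
               "bob": {"systems_maintenance", "computer_operations"},
               "carol": {"dba", "data_library"}}
PROGRAMMERS = {"alice", "bob"}
FAILURE_WINDOWS = [(datetime(2024, 3, 4, 2, 0), datetime(2024, 3, 4, 4, 0))]
LOG = ["2024-03-04T02:15 alice ops_room entry",  # during outage: explained
       "2024-03-05T13:40 bob ops_room entry",    # no outage: flagged
       "2024-03-05T13:45 dave ops_room entry",   # operator, not a programmer
       "2024-03-05T13:50 alice ops_room exit"]   # exits are not entries

if __name__ == "__main__":
    print(sod_violations(ASSIGNMENTS))
    print(unexplained_entries(LOG, PROGRAMMERS, FAILURE_WINDOWS))
```

A flagged entry is an audit exception to follow up with the operations manager, not proof of wrongdoing; the incident list the windows come from should itself be reviewed for completeness.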
Computer Center IC
Audit objectives:
• physical security IC protects the computer center from physical exposures
• insurance coverage compensates the organization for damage to the computer center
• operator documentation addresses routine operations as well as system failures
Computer Center IC
Considerations:
• man-made threats and natural hazards
• underground utility and communications lines
• air conditioning and air filtration systems
• access limited to operators and computer center workers; others required to sign in and out
• fire suppression systems installed
• fault tolerance
  • redundant disks and other system components
  • backup power supplies
Audit Procedures
• Review insurance coverage on hardware, software, and physical facility
• Review operator documentation, run manuals, for completeness and accuracy
• Verify that operational details of a system’s internal logic are not in the operator’s documentation
Disaster Recovery Planning
• Disaster recovery plans (DRP) identify:
  • actions before, during, and after the disaster
  • disaster recovery team
  • priorities for restoring critical applications
• Audit objective – verify that DRP is adequate and feasible for dealing with disasters
Disaster Recovery Planning
• Major IC concerns:
  • second-site backups
  • critical applications and databases
    • including supplies and documentation
  • back-up and off-site storage procedures
  • disaster recovery team
  • testing the DRP regularly
Second-Site Backups
• Empty shell – involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
• Recovery operations center – a completely equipped site; very costly and typically shared among many companies
• Internally provided backup – companies with multiple data processing centers may create internal excess capacity
DRP Audit Procedures
• Evaluate adequacy of second-site backup arrangements
• Review list of critical applications for completeness and currency
• Verify that procedures are in place for storing off-site copies of applications and data
• Check the currency of backups and copies
DRP Audit Procedures
• Verify that documentation, supplies, etc., are stored off-site
• Verify that the disaster recovery team knows its responsibilities
• Check frequency of testing the DRP
Audit Background Material From Appendix
Attestation versus Assurance
• Attestation:
  • practitioner is engaged to issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.
• Assurance:
  • professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
  • includes, but is not limited to, attestation
Attest and Assurance Services
What is an External Financial Audit?
• An independent attestation by a professional (CPA) regarding the faithful representation of the financial statements
• Three phases of a financial audit:
  • familiarization with client firm
  • evaluation and testing of internal controls
  • assessment of reliability of financial data
Generally Accepted Auditing Standards (GAAS)
Auditing Management’s Assertions
External versus Internal Auditing
• External auditors – represent the interests of third party stakeholders
• Internal auditors – serve an independent appraisal function within the organization
  • Often perform tasks which help to achieve audit efficiency and reduce external audit fees
What is an IT Audit?
Since most information systems employ IT, the IT audit is a critical component of all external and internal audits.
• IT audits:
  • focus on the computer-based aspects of an organization’s information system
  • assess the proper implementation, operation, and control of computer resources
Elements of an IT Audit
• Systematic procedures are used
• Evidence is obtained
  • tests of internal controls
  • substantive tests
• Determination of materiality for weaknesses found
• Prepare audit report & audit opinion
Phases of an IT Audit
Audit Risk is...
the probability the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated.
Three Components of Audit Risk
• Inherent risk – associated with the unique characteristics of the business or industry of the client
• Control risk – the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts
• Detection risk – the risk that errors not detected or prevented by the control structure will also not be detected by the auditor