CHAPTER 14 D217
The COSO model identifies what 2 broad groupings of IT controls?
1) Application Controls 2) General Controls
Although having 2 groups (systems analysis and programming) within the systems development function is a popular arrangement, this approach promotes 2 potential problems. What are they?
1) Inadequate Documentation 2) Fraud
Data processing frauds fall into what 2 classes?
1) Program Fraud 2) Operations Fraud
Some companies organize their systems development function into what 2 groups?
1) Systems Analysis 2) Programming
Name 3 examples of application controls.
1. A cash disbursements batch balancing routine that verifies that the total payments to vendors reconciles with the total postings to the accounts payable subsidiary ledger. 2. An AR check digit procedure that validates customer account numbers on sales transactions. 3. A payroll system limit check that identifies employee time card records with reported hours worked in excess of the predetermined normal limit.
Each stage in the General Model for AIS is a potential area of risk for certain types of computer fraud. Name the 4 key stages.
1. Data Collection 2. Data Processing 3. Database Management 4. Information Generation
Under Section 404 of SOX, management is required to provide an annual report addressing what 5 points?
1. Describe the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise. 2. Using a risk-based approach, assess both the design and operating effectiveness of selected internal controls related to material accounts. 3. Assess the potential for fraud in the system and evaluate the controls designed to prevent or detect fraud. 4. Evaluate and conclude on the adequacy of controls over the financial statement reporting process. 5. Evaluate entity-wide (general) controls that correspond to the COSO internal control framework.
Poor-quality systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance. There are at least two explanations for this phenomenon. What are those 2 explanations?
1. Documenting systems is not as interesting as designing, testing, and implementing them. Systems professionals much prefer to move on to an exciting new project rather than document one just completed. 2. Job security. When a system is poorly documented, it is difficult to interpret, test, and debug. Therefore the programmer who understands the system (the one who coded it) maintains bargaining power and becomes relatively indispensable. When the programmer leaves the firm, however, a new programmer inherits maintenance responsibility for the undocumented system. Depending on its complexity, the transition period may be long and costly.
Section 302 also carries significant auditor implications. In addition to expressing an opinion on the effectiveness of internal control, auditors have responsibility regarding management's quarterly certifications of internal controls. Specifically, auditors must perform what 3 procedures quarterly to identify any material modifications in controls over financial reporting?
1. Interview management regarding any significant changes in the design or operation of internal control that occurred subsequent to the preceding annual audit or prior review of interim financial information. 2. Evaluate the implications of misstatements identified by the auditor as part of the interim review that relate to effective internal controls. 3. Determine whether changes in internal controls are likely to materially affect internal control over financial reporting.
Networked systems expose organizations to transaction frauds from remote locations. Name 3 examples of such fraud techniques.
1. Masquerading 2. Piggybacking 3. Hacking
Name 2 fraud techniques that can be used at the information generation stage.
1. Scavenging 2. Eavesdropping
Operational tasks should be separated to do what 3 things?
1. Segregate the task of transaction authorization from transaction processing. 2. Segregate record keeping from asset custody. 3. Divide transaction-processing tasks among individuals so that fraud will require collusion between two or more individuals.
Computer fraud (for the purposes of this textbook) includes what 5 things?
1. The theft, misuse, or misappropriation of assets by altering computer-readable records and files. 2. The theft, misuse, or misappropriation of assets by altering the logic of computer software. 3. The theft or illegal use of computer-readable information. 4. The theft, corruption, illegal copying, or intentional destruction of computer software. 5. The theft, misuse, or misappropriation of computer hardware.
Systems development is separated from data processing activities because failure to do so: A. allows programmers access to make unauthorized changes to applications during execution. B. results in inadequate documentation. C. weakens database access security. D. results in master files being inadvertently erased.
A. Consolidating these functions invites fraud. With detailed knowledge of an application's logic and control parameters, along with access to the computer operations, an individual could make unauthorized changes to application logic during program execution. Such changes may be temporary (in real-time) and will disappear with little or no trace when the application terminates.
Application controls ensure what?
Application controls ensure the validity, completeness, and accuracy of financial transactions.
Recovery Operations Center (ROC)
Arrangement involving two or more user organizations that buy or lease a building and remodel it into a completely equipped computer site.
Empty Shell
Arrangement that involves two or more user organizations that buy or lease a building and remodel it into a computer site but without the computer and peripheral equipment.
Commodity IT Assets
Assets not unique to an organization and easily acquired in the marketplace (e.g., network management, systems operations, server maintenance, help-desk functions).
Specific IT Assets
Assets unique to an organization that support its strategic objectives. Specific IT assets have little value outside their current use. May be tangible (computer equipment), intellectual (computer programs), or human.
The tendency in an IT environment is to _____ activities. A. Separate B. Consolidate
B. A single application may authorize, process, and record all aspects of a transaction. Thus the focus of segregation control shifts from the operational level (transaction processing tasks that computer programs now perform) to higher-level organizational relationships within the IT function. The interrelationships among systems development, application maintenance, database administration, and computer operations activities are of particular concern.
Control risk is: A. associated with the unique characteristics of the business or industry of the client. B. the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts. C. the risk that errors not detected or prevented by the control structure will also not be detected by the auditor. D. the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated.
B. Auditors assess the level of control risk by performing tests of internal controls. An auditor could create test transactions, including some with incorrect total values, which are processed by the application in a test run. The results of the test will indicate that price extension errors are not detected and are being incorrectly posted to the AR file.
Segregation of duties in the computer-based information system includes: A. separating the inventory process from the billing process. B. separating the programmer from the computer operator. C. preventing management override. D. performing independent verification by the computer operator.
B. The segregation of systems development (both new systems development and maintenance) and operations activities is of great importance. The responsibilities of these groups should not be commingled. Systems development and maintenance professionals acquire (by in-house development and purchase) and maintain systems for users. Operations staff should run these systems and have no involvement in their design and implementation. Consolidating these functions invites fraud.
Transaction Cost Economics (TCE) Theory
Belief that organizations should retain certain specific, non-core IT assets in-house; due to their esoteric nature, such assets cannot be easily replaced once they are given up in an outsourcing arrangement. Supports outsourcing of commodity assets, which are easily replaced.
SOX legislation dramatically expands the role of external auditors by mandating what?
By mandating that they attest to the quality of internal controls. This constitutes the issuance of a separate audit opinion in addition to the opinion on the fairness of the financial statements. The standard for this additional audit opinion is high. Indeed, the auditor is precluded from issuing an unqualified opinion if only one material weakness in internal control is detected.
Test of controls include: A. counting cash B. counting inventory C. completing questionnaires D. confirming accounts receivable
C. The Sarbanes-Oxley Act requires that management certify that the financial statements are correct. In order to ensure that the financial statements are in fact correct, accounting processes and information systems will be built with checks, balances, and controls. Auditors will use questionnaires to guide their approach to testing the controls in the system. Questions include topics such as "Is fraud awareness training carried out?" and "Do particularly critical or sensitive activities require two levels of authority?"
Management Assertions
Combination of tests of application controls and substantive tests of transactions details and account balances.
Disaster Recovery Plan (DRP)
Comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures to ensure the continuity of operations.
Name a popular competing control framework for COSO.
Control Objectives for Information and Related Technology (COBIT), published by the IT Governance Institute (ITGI). This framework maps into COSO's general themes.
Corporate IT Function
Coordinating IT unit that attempts to establish corporate-wide standards among distributed IT units.
Which is the most critical segregation of duties in the centralized IT function? A. Data preparation from data control B. Data operations from data librarian C. Data control from data librarian D. Systems development from computer operations
D. Access to the data center must be very carefully controlled to comply with SOX. This includes both physical and electronic access. Once the system is turned over to operations, developers lose their access to the live system. Should an error occur, the developers will diagnose the error in their development copy or in a test system. When the error is corrected, the update will be turned over to operations for installation.
Under Section 302 of SOX the officers who certify the internal controls are also required to: A. have designed the internal controls B. have caused such controls to be designed C. provide reasonable assurance as to the reliability of the financial reporting process D. All of the above
D. The certifying officers are required to have designed internal controls, or to have caused such controls to be designed, and to provide reasonable assurance as to the reliability of the financial reporting process.
Mirrored Data Center
Data center that reflects current economic events of the firm.
A qualified opinion on internal controls means a qualified opinion on the financial statements. True or False?
False. A qualified opinion on internal controls does not necessarily mean a qualified opinion on the financial statements. Auditors are permitted to simultaneously render a qualified opinion on controls and an unqualified opinion on the financial statements when they conclude, through substantive tests, that the control weakness(es) did not cause the financial statements to be materially misrepresented.
Because general controls do not control specific transactions they do not have an effect on transaction integrity. True or False?
False. Although general controls do not control specific transactions, they have an effect on transaction integrity. General controls are needed to support the environment in which application controls function, and both are needed to ensure accurate financial reporting.
An important organizational control is the consolidation of the database administrator (DBA) function and other IT functions. True or False?
False. An important organizational control is the segregation of the DBA function from other IT functions. The DBA is responsible for a number of critical tasks pertaining to database security, including creating the database schema, creating user views (subschemas), assigning access authority to users, monitoring database usage, and planning for future expansion. Delegating these responsibilities to others who perform incompatible tasks threatens database integrity.
Compliance with Section 404 requires management to provide the internal auditors with documented evidence of functioning controls related to selected material accounts in its report on control effectiveness. True or False?
False. Compliance with Section 404 requires management to provide the external auditors with documented evidence of functioning controls related to selected material accounts in its report on control effectiveness. The organization's internal audit function or a specialized SOX group would likely perform these tests.
SOX places responsibility on management to detect fraudulent activity and emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements. True or False?
False. SOX places this responsibility on the auditors. Management is responsible for implementing such controls, and auditors are specifically required to test them. Because computers lie at the heart of modern organizations' accounting and financial reporting systems, the topic of computer fraud falls within the management and audit responsibilities specified by SOX.
The most common access point for perpetrating computer fraud is at the data processing stage. True or False?
False. The most common access point for perpetrating computer fraud is at the data collection stage. Frauds of this type require little or no computer skills on the part of the fraudster, but they do require poorly designed controls. The perpetrator need only understand how the system works and the control weaknesses of the system. The fraudulent act involves entering falsified data into the system. This may involve deleting, altering, or creating a transaction.
The officers responsible for certifying the internal controls over financial reporting (as required by Section 302 of SOX) are not required to disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter. True or False?
False. They are required to disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter.
Hacking
Hacking may involve piggybacking or masquerading techniques. Hackers are distinguished from other computer criminals because their motives are not usually to defraud for financial gain. More often they are motivated by the challenge of breaking into the system rather than the theft of assets. Nevertheless hackers have caused extensive damage and loss to organizations by destroying and corrupting corporate data.
General Controls
IT general controls are so named because they are not application-specific but rather apply to all systems. General controls have other names in other frameworks, including general computer controls and information technology controls. Whatever name is used, they include controls over IT governance, IT infrastructure, network and operating system security, database access, application acquisition and development, and program changes.
IT Governance
IT governance is a broad concept relating to the decision rights and accountability for encouraging desirable behavior in the use of IT. Although important, not all elements of IT governance relate specifically to control issues that SOX addresses and that are outlined in the COSO framework.
Information Technology Controls
Include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.
Information Generation Stage (1 of 4 key stages in the General Model for AIS)
Information generation is the process of compiling, arranging, formatting, and presenting information to users. Information can be an operational document such as a sales order, a report sent to a computer screen, or published financial statements.
Audit Report
It includes an opinion on the fair presentation of the financial statements and an opinion on the quality of internal controls over financial reporting.
Disaster Recovery as a Service (DRaaS)
It is a variant on cloud computing which draws upon traditional services to provide computing and backup services.
Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
It is an internationally recognized third-party attestation report designed for service organizations such as IT outsourcing vendors.
Audit Procedures
It is used to gather evidence that corroborates or refutes management's assertions.
Eavesdropping
Listening to output transmissions over telecommunications lines. Technologies are readily available that enable perpetrators to intercept messages being sent over unprotected telephone lines and microwave channels. Most experts agree that it is practically impossible to prevent a determined perpetrator from accessing data communication channels. Data encryption, however, can render useless any data captured in this way.
Disgruntled employees have been known to destroy company data files simply to harm the organization. One method is to insert a destructive routine called a ___ ___ into a program. At a specified time, or when certain conditions are met, the ___ ___ erases the data files that the program accesses.
Logic Bomb. For example:
- A disgruntled programmer who is contemplating leaving an organization inserts a logic bomb into the payroll system.
- Weeks later, when the system detects that the programmer's name has been removed from the payroll file, the logic bomb is activated and erases the entire payroll file.
Masquerading
Masquerading involves a perpetrator gaining access to the system from a remote site by pretending to be an authorized user. This usually requires first gaining authorized access to a password.
Operations Fraud
Misuse or theft of the firm's computer resources. This often involves using the computer to conduct personal business.
Which PCAOB Auditing Standard endorses the use of COSO as the framework for control assessment?
PCAOB Auditing Standard No. 5
Piggybacking
Piggybacking is a technique in which the perpetrator at a remote site taps in to the telecommunications lines and latches on to an authorized user who is logging in to the system. Once in the system the perpetrator can masquerade as the authorized user.
Audit Risk
Probability that the auditor will render unqualified opinions on financial statements that are in fact materially misstated.
Inclusive Method
Reporting method in which the service provider's description of its system includes the services performed by the subservice organization.
Scavenging
Searching through the trash of the computer center for discarded output. Sometimes output reports that are misaligned on the paper or slightly garbled during printing are discarded into the trash. A perpetrator may obtain useful information from hard-copy reports that were rejected during processing.
What is required under Section 302 of SOX?
Section 302 requires corporate management, including the chief executive officer (CEO), to certify financial and other information contained in the organization's quarterly and annual reports.
What is required under Section 404 of SOX?
Section 404 requires the management of public companies to assess the effectiveness of their organization's internal controls over financial reporting.
Carve-Out Method
Service provider management would exclude the subservice organization's relevant control objectives and related controls from the description of its system.
General Computer Controls
Specific activities performed by persons or systems designed to ensure that business objectives are met.
Off-Site Storage
Storage procedure used to safeguard the critical resources.
Why is it important to segregate systems development and operations activities?
Systems development and maintenance professionals acquire (by in-house development and purchase) and maintain systems for users. Operations staff should run these systems and have no involvement in their design and implementation. Consolidating these functions invites fraud. With detailed knowledge of an application's logic and control parameters, along with access to the computer operations, an individual could make unauthorized changes to application logic during program execution. Such changes may be temporary (on the fly) and will disappear with little or no trace when the application terminates.
Audit Objectives
Task of creating meaningful test data.
Program Fraud
Techniques such as: (1) creating illegal programs that can access data files to alter, delete, or insert values into accounting records; (2) destroying or corrupting a program's logic using a computer virus; or (3) altering program logic to cause the application to process data incorrectly.
Uninterruptible Power Supplies
Technologies that prevent data loss and system corruption due to power failure.
Audit Planning
The first step in the IT audit is audit planning, in which the auditor gains a thorough understanding of the client's business. A major part of this phase of the audit is the analysis of audit risk.
Control Risk
The likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
How does the superior organizational structure in which the systems development function is separated into two independent groups (new systems development and systems maintenance) help to resolve the control problems of inadequate documentation and fraud?
The new systems development group is responsible for designing, programming, and implementing new systems projects. Upon successful implementation, responsibility for the system's ongoing maintenance falls to the systems maintenance group. First, documentation standards are improved because the maintenance group will require adequate documentation to perform their maintenance duties. Without complete documentation, the formal transfer of system responsibility from new systems development to systems maintenance cannot occur. Second, denying the original programmer future access to the application code deters program fraud. Fraudulent code within an application that is out of the perpetrator's control increases the risk that the fraud will be discovered. The success of this control depends on the existence of other controls that limit, prevent, and detect unauthorized access to programs.
Database Management Stage (1 of 4 key stages in the General Model for AIS)
The organization's database is its physical repository for financial and nonfinancial data.
To achieve database access both the programmer and the DBA need to agree on what?
The programmer and the DBA need to agree as to the attributes and tables (the user view) to make available to the application (or user) in question. If done properly, this permits and requires a formal review of the user data needs and security issues surrounding the request. Assigning responsibility for user view definition to individuals with programming responsibility removes this need to seek agreement and thus effectively erodes access controls to the DBMS.
What is the role of the programming group within the systems development function?
The programming group codes the programs according to the design specifications produced by the systems analysis group. Under this approach the programmer who codes the original programs also maintains them during the maintenance phase of the systems development life cycle (SDLC).
Inherent Risk (IR)
The risk associated with the unique characteristics of the business or industry of the client.
Detection Risk (DR)
The risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.
What is the role of the systems analysis group within the systems development function?
The systems analysis group works with the user to produce a detailed design of the new system.
Core Competency Theory
Theory underlying outsourcing that posits an organization should focus exclusively on its core business competencies while allowing outsourcing vendors to manage non-core areas such as IT functions efficiently.
A common database management fraud technique is to access the database from a remote site and browse the files for useful information that can be copied and sold to competitors. True or False?
True
Programmers create applications that access update and retrieve data from the database. True or False?
True
SOX of 2002 established corporate governance regulations and standards for public companies registered with the SEC. True or False?
True
Section 302 of SOX requires that corporate management certify the internal controls over financial reporting. True or False?
True
The SEC has made specific references to COSO as a recommended control framework. True or False?
True
When the original programmer of a system is also assigned maintenance responsibility the potential for fraud is increased. True or False?
True
Information technology drives the financial reporting processes of modern organizations. True or False?
True. Automated systems initiate, authorize, record, and report the effects of financial transactions.
PCAOB Auditing Standard No. 5 emphasizes that management and auditors use a risk-based approach rather than a one-size-fits-all approach to the design and assessment of controls. True or False?
True. In other words, the size and complexity of the organization needs to be considered in determining the nature and extent of controls that are necessary.
The segregation of systems development (both new systems development and maintenance) and operations activities is of great importance. True or False?
True. The responsibilities of these groups should not be commingled.
The reliability of application controls rests on the IT general controls that support them. True or False?
True. These include controls over access to databases, operating systems, and networks. The sum of these controls, both application and general, constitutes the relevant internal controls over financial reporting that need to be reviewed.
Prior to SOX external auditors were not required to test internal controls as part of their attest function. True or False?
True. They were required to be familiar with the client organization's internal controls but had the option of not relying on them and thus not performing tests of controls. The audit could, and often did, therefore consist primarily of substantive tests.
As part of the attestation responsibility, PCAOB Standard No. 5 specifically requires auditors to understand transaction flows, including the controls pertaining to how transactions are initiated, authorized, recorded, and reported. True or False?
True. This involves first selecting the financial accounts that have material implications for financial reporting and identifying the application controls related to those accounts.
Computer-Assisted Audit Tools and Techniques (CAATTs)
Use of computers to illustrate how application controls are tested and to verify the effective functioning of application controls.
Redundant Arrays of Independent Disks (RAID)
Use of parallel disks that contain redundant elements of data and applications.
Data Collection Stage (1 of 4 key stages in the General Model for AIS)
• Data collection is the first operational stage in the information system.
• The control objective is to ensure that event data entering the system are valid, complete, and free from material errors.
• In many respects this is the most important stage in the system.
• Should erroneous or fraudulent transactions pass through data collection undetected, the organization runs the risk that the system will process the transaction and that it will impact the financial statements.
Data Processing Stage (1 of 4 key stages in the General Model for AIS)
• Once collected, data usually require processing to produce information.
• Tasks in data processing include:
- mathematical algorithms (e.g., linear programming models) used for production scheduling applications,
- statistical techniques for sales forecasting, and
- posting and summarizing procedures used for accounting applications.
Fault Tolerance
Ability of the system to continue operation when part of the system fails due to hardware failure, application program error, or operator error.
Database Management Fraud
Altering, deleting, corrupting, destroying, or stealing an organization's data. Because access to database files is an essential element of this fraud, it is often associated with transaction or program fraud.