Chapter 15—IT Controls Part I: Sarbanes-Oxley and IT Governance
TRUE/FALSE
1. Corporate management (including the CEO) must certify monthly and annually their organization's internal controls over financial reporting.
ANS: F

2. Both the SEC and the PCAOB require management to use the COBIT framework for assessing internal control adequacy.
ANS: F

3. Both the SEC and the PCAOB require management to use the COSO framework for assessing internal control adequacy.
ANS: F

4. A qualified opinion on management's assessment of internal controls over the financial reporting system necessitates a qualified opinion on the financial statements.
ANS: F

5. The same internal control objectives apply to manual and computer-based information systems.
ANS: T

6. To fulfill the segregation of duties control objective, computer processing functions (like authorization of credit and billing) are separated.
ANS: F

7. To ensure sound internal control, program coding and program processing should be separated.
ANS: T

8. Some systems professionals have unrestricted access to the organization's programs and data.
ANS: T

9. Application controls apply to a wide range of exposures that threaten the integrity of all programs processed within the computer environment.
ANS: F

10. The Database Administrator should be separated from systems development.
ANS: T

11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster.
ANS: T

12. IT auditing is a small part of most external and internal audits.
ANS: F

13. Assurance services is an emerging field that goes beyond the auditor's traditional attestation function.
ANS: T

14. An IT auditor expresses an opinion on the fairness of the financial statements.
ANS: F

15. External auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
ANS: F

16. External auditors can cooperate with and use evidence gathered by internal audit departments that are organizationally independent and that report to the Audit Committee of the Board of Directors.
ANS: T

17. Tests of controls determine whether the database contents fairly reflect the organization's transactions.
ANS: F

18. Audit risk is the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated.
ANS: T

19. A strong internal control system will reduce the amount of substantive testing that must be performed.
ANS: T

20. Substantive testing techniques provide information about the accuracy and completeness of an application's processes.
ANS: F

MULTIPLE CHOICE
1. Which of the following is NOT an implication of Section 302 of the Sarbanes-Oxley Act?
a. Auditors must determine whether changes in internal control have, or are likely to, materially affect internal control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their organization's internal controls over financial reporting.
d.
ANS: C

2. Which of the following is NOT a requirement in management's report on the effectiveness of internal controls over financial reporting?
a. A statement of management's responsibility for establishing and maintaining adequate internal control user satisfaction.
b. A statement that the organization's internal auditors have issued an attestation report on management's assessment of the company's internal controls.
c. A statement identifying the framework used by management to conduct their assessment of internal controls.
d. An explicit written conclusion as to the effectiveness of internal control over financial reporting.
ANS: B

3. In a computer-based information system, which of the following duties needs to be separated?
a. program coding from program operations
b. program operations from program maintenance
c. program maintenance from program coding
d. all of the above duties should be separated
ANS: D

4. Supervision in a computerized environment is more complex than in a manual environment for all of the following reasons except
a. rapid turnover of systems professionals complicates management's task of assessing the competence and honesty of prospective employees
b. many systems professionals have direct and unrestricted access to the organization's programs and data
c. rapid changes in technology make staffing the systems environment challenging
d. systems professionals and their supervisors work at the same physical location
ANS: D

5. Adequate backups will protect against all of the following except
a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes
ANS: B

6. Which is the most critical segregation of duties in the centralized computer services function?
a. systems development from data processing
b. data operations from data librarian
c. data preparation from data control
d. data control from data librarian
ANS: A

7. Systems development is separated from data processing activities because failure to do so
a. weakens database access security
b. allows programmers access to make unauthorized changes to applications during execution
c. results in inadequate documentation
d. results in master files being inadvertently erased
ANS: B

8. Which organizational structure is most likely to result in good documentation procedures?
a. separate systems development from systems maintenance
b. separate systems analysis from application programming
c. separate systems development from data processing
d. separate database administrator from data processing
ANS: A

9. All of the following are control risks associated with the distributed data processing structure except
a. lack of separation of duties
b. system incompatibilities
c. system interdependency
d. lack of documentation standards
ANS: C

10. Which of the following is not an essential feature of a disaster recovery plan?
a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified
ANS: B

11. A second site backup agreement between two or more firms with compatible computer facilities to assist each other with data processing needs in an emergency is called
a. internally provided backup
b. recovery operations center
c. empty shell
d. mutual aid pact
ANS: D

12. The major disadvantage of an empty shell solution as a second site backup is
a. the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster-stricken company
b. intense competition for shell resources during a widespread disaster
c. maintenance of excess hardware capacity
d. the control of the shell site is an administrative drain on the company
ANS: B

13. An advantage of a recovery operations center is that
a. this is an inexpensive solution
b. the initial recovery period is very quick
c. the company has sole control over the administration of the center
d. none of the above are advantages of the recovery operations center
ANS: B

14. For most companies, which of the following is the least critical application for disaster recovery purposes?
a. month-end adjustments
b. accounts receivable
c. accounts payable
d. order entry/billing
ANS: A

15. The least important item to store off-site in case of an emergency is
a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program
ANS: D

16. Some companies separate systems analysis from programming/program maintenance. All of the following are control weaknesses that may occur with this organizational structure except
a. systems documentation is inadequate because of pressures to begin coding a new program before documenting the current program
b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time
c. a new systems analyst has difficulty in understanding the logic of the program
d. inadequate systems documentation is prepared because this provides a sense of job security to the programmer
ANS: C

17. All of the following are recommended features of a fire protection system for a computer center except
a. clearly marked exits
b. an elaborate water sprinkler system
c. manual fire extinguishers in strategic locations
d. automatic and manual alarms in strategic locations
ANS: B

18. Which concept is not an integral part of an audit?
a. evaluating internal controls
b. preparing financial statements
c. expressing an opinion
d. analyzing financial data
ANS: B

19. Which statement is not true?
a. Auditors must maintain independence.
b. IT auditors attest to the integrity of the computer system.
c. IT auditing is independent of the general financial audit.
d. IT auditing can be performed by both external and internal auditors.
ANS: C

20. Typically, internal auditors perform all of the following tasks except
a. IT audits
b. evaluation of operational efficiency
c. review of compliance with legal obligations
d. internal auditors perform all of the above tasks
ANS: D

21. The fundamental difference between internal and external auditing is that
a. internal auditors represent the interests of management and external auditors represent outsiders
b. internal auditors perform IT audits and external auditors perform financial statement audits
c. internal auditors focus on financial statement audits and external auditors focus on operational audits and financial statement audits
d. external auditors assist internal auditors but internal auditors cannot assist external auditors
ANS: A

22. Internal auditors assist external auditors with financial audits to
a. reduce audit fees
b. ensure independence
c. represent the interests of management
d. the statement is not true; internal auditors are not permitted to assist external auditors with financial audits
ANS: A

23. Which statement is not correct?
a. Auditors gather evidence using tests of controls and substantive tests.
b. The most important element in determining the level of materiality is the mathematical formula.
c. Auditors express an opinion in their audit report.
d. Auditors compare evidence to established criteria.
ANS: B

24. All of the following are steps in an IT audit except
a. substantive testing
b. tests of controls
c. post-audit testing
d. audit planning
ANS: C

25. When planning the audit, information is gathered by all of the following methods except
a. completing questionnaires
b. interviewing management
c. observing activities
d. confirming accounts receivable
ANS: D

26. Substantive tests include
a. examining the safety deposit box for stock certificates
b. reviewing systems documentation
c. completing questionnaires
d. observation
ANS: A

27. Tests of controls include
a. confirming accounts receivable
b. counting inventory
c. completing questionnaires
d. counting cash
ANS: C

28. All of the following are components of audit risk except
a. control risk
b. legal risk
c. detection risk
d. inherent risk
ANS: B

29. Control risk is
a. the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated
b. associated with the unique characteristics of the business or industry of the client
c. the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts
d. the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor
ANS: C

30. All of the following tests of controls will provide evidence about the physical security of the computer center except
a. review of fire marshal records
b. review of the test of the backup power supply
c. verification of the second site backup location
d. observation of procedures surrounding visitor access to the computer center
ANS: C

31. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan except
a. inspection of the second site backup
b. analysis of the fire detection system at the primary site
c. review of the critical applications list
d. composition of the disaster recovery team
ANS: B

32. Which of the following is true?
a. In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the reliability of the computer system.
b. Conducting an audit is a systematic and logical process that applies to all forms of information systems.
c. Substantive tests establish whether internal controls are functioning properly.
d. IT auditors prepare the audit report if the system is computerized.
ANS: B

33. Inherent risk
a. exists because all control structures are flawed in some ways.
b. is the likelihood that material misstatements exist in the financial statements of the firm.
c. is associated with the unique characteristics of the business or industry of the client.
d. is the likelihood that the auditor will not find material misstatements.
ANS: C

34. Attestation services require all of the following except
a. written assertions and a practitioner's written report
b. the engagement is designed to conduct risk assessment of the client's systems to verify their degree of SOX compliance
c. the formal establishment of measurement criteria
d. the engagement is limited to examination, review, and application of agreed-upon procedures
ANS: B

35. The financial statement of an organization reflects a set of management assertions about the financial health of the business. All of the following describe types of assertions except
a. that all of the assets and equities on the balance sheet exist
b. that all employees are properly trained to carry out their assigned duties
c. that all transactions on the income statement actually occurred
d. that all allocated amounts such as depreciation are calculated on a systematic and rational basis
ANS: B

SHORT ANSWER
1. Which of the following statements is true?
a. Both the SEC and the PCAOB require the use of the COSO framework
b. Both the SEC and the PCAOB require the COBIT framework
c. The SEC recommends COBIT and the PCAOB recommends COSO
d. Any framework can be used that encompasses all of COSO's general themes
ANS: Both c and d above are true.

2. COSO identifies two broad groupings of information system controls. What are they?
ANS: general; application

3. The Sarbanes-Oxley Act contains many sections. Which sections are the focus of this chapter?
ANS: The chapter concentrates on internal control and audit responsibilities pursuant to Sections 302 and 404.

4. What control framework is recommended by the PCAOB?
ANS: The PCAOB's Auditing Standard No. 2 endorses the use of COSO as the framework for control assessment.

5. What are the objectives of application controls?
ANS: The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions.

6. Define general controls.
ANS: General controls apply to all systems. They are not application specific. General controls include controls over IT governance, the IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.

7. Discuss the key features of Section 302 of the Sarbanes-Oxley Act.
ANS: Section 302 requires that corporate management (including the CEO) certify quarterly and annually their organization's internal controls over financial reporting. The certifying officers are required to:
a. have designed internal controls
b. disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter.

8. What are the three primary CBIS functions that must be separated?
ANS: Programming should be separated from computer operations. Programming maintenance should be separated from new systems development. End users should be separate from systems design.

9. List three pairs of system functions that should be separated in the centralized computer services organization. Describe a risk exposure if the functions are not separated.
ANS (Functions to Separate / Risk Exposure):
separate systems development from data processing operations (unauthorized changes to application programs during execution)
separate database administrator from systems development (unauthorized access to database files)
separate new systems development from systems maintenance (writing fraudulent code and keeping it concealed during maintenance)
separate data library from computer operations (loss of files or erasing current files)

10. For disaster recovery purposes, what criteria are used to identify an application or data as critical?
ANS: Critical applications and files are those that impact the short-run survival of the firm. Critical items impact cash flows, legal obligations, and customer relations.

11. Describe the components of a disaster recovery plan.
ANS: Every disaster recovery plan should:
designate a second site backup
identify critical applications
prepare backup and off-site storage procedures
create a disaster recovery team
test the disaster recovery plan

12. What is a mirrored data center?
ANS: Duplicating programs and data onto a computer at a separate location.
Irregularities, Errors

18. Explain the relationship between internal controls and substantive testing.
ANS: The stronger the internal controls, the less substantive testing must be performed.

19. Discuss the interrelationship of tests of controls, audit objectives, exposures, and existing controls.
ANS: During the risk analysis phase of the audit, the auditor develops an understanding of the exposures that threaten the firm and of the existing controls. Based on that understanding, the auditor develops audit objectives. From the audit objectives the auditor designs and performs tests of controls.

20. Distinguish between errors and irregularities. Which do you think concern the auditors the most?
ANS: Errors are unintentional mistakes, while irregularities are intentional misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. Processes which involve human actions will contain some amount of human error. Computer processes should only contain errors if the programs are erroneous, or if systems operating procedures are not being closely and competently followed. Errors are typically much easier to uncover than misrepresentations; thus auditors typically are more concerned whether they have uncovered any and all irregularities.

21. Describe two tests that an auditor would perform to ensure that the disaster recovery plan is adequate.
ANS: review the second site backup plan, critical application list, and off-site backups of critical libraries, applications and data files; ensure that backup supplies, source documents and documentation are located off-site; review which employees are members of the disaster recovery team

22. Distinguish between inherent risk and control risk. How do internal controls and detection risk fit in?
ANS: Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries are considered to have more inherent risk than firms in stable or thriving industries. Control risk is the likelihood that the control structure is flawed because internal controls are either absent or inadequate to prevent or detect errors in the accounts. Internal controls may be present in firms with inherent risk, yet the financial statements may be materially misstated due to circumstances outside the control of the firm, such as a customer with unpaid bills on the verge of bankruptcy. Detection risk is the risk that auditors are willing to accept that errors are not detected or prevented by the control structure. Typically, detection risk will be lower for firms with higher inherent risk and control risk.

23. Contrast internal and external auditing.
ANS: Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. External auditing is often called "independent auditing" because it is done by certified public accountants who are independent of the organization being audited. This independence is necessary since the external auditors represent the interests of third-party stakeholders such as shareholders, creditors, and government agencies.

24. What are the components of audit risk?
ANS: Inherent risk is associated with the unique characteristics of the business itself; control risk is the likelihood that the control structure is flawed because controls are absent or inadequate; and detection risk is the risk that auditors are willing to take that errors will not be detected by the audit.

25. How do the tests of controls affect substantive tests?
ANS: Tests of controls are used by the auditor to measure the strength of the internal control structure. The stronger the internal controls, the lower the control risk, and the less substantive testing the auditor must do.

26. What is an auditor looking for when testing computer center controls?
ANS: When testing computer center controls, the auditor is trying to determine that the physical security controls are adequate to protect the organization from physical exposures, that insurance coverage on equipment is adequate, that operator documentation is adequate to deal with operations and failures, and that the disaster recovery plan is adequate and feasible.

27. Define and contrast attestation services and assurance services.
ANS: Attest services are engagements in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party, e.g., the financial statements prepared by an organization. Assurance services are professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision makers. The domain of assurance services is intentionally unbounded.

ESSAY
1. :iscuss :iscuss the *ey *ey features features of of ection ection ,9, of the the ar/anes ar/anesO8ley O8ley Act AN! ection ,9, re&uires the management of pu/lic companies to assess the effectiveness of their organization’s organization’s internal controls over financial reporting and provide an annual report addressing the folloing points! 1) A statement of management’s responsi/ility for esta/lishing and maintaining ade&uate internal control. #) An assessment of the effectiveness of the company’s internal controls over financial reporting. +) A statement that the organizations e8ternal auditors has issued an attestation report on management’s assessment of the companies internal controls. ,) An e8plicit ritten conclusion as to the effectiveness of internal control over financial reporting. 2) A statement statement identifying the frameor* used /y management to conduct their assessment of internal controls. #. ection ection ,9, re&uires re&uires managemen managementt to ma*e a statement statement identifyin identifying g the control control frameor* frameor* used to conduct their assessment of internal controls. :iscuss the options in selecting a control frameor*. AN!
he EC has made specific reference to the Committee of the ponsoring Organizations Organizations of the readay Commission (COO) as a recommended control frameor*. "urthermore3 the %CAO$’s Auditing tandard No. # endorses the use of C OO as the frameor* for control assessment. Although other suita/le frameor*s have /een pu/lished3 according to tandard No. #3 an y frameor* used should encompass all of COO’s general themes. +. E8plain ho general controls impact impact transaction transaction integrity integrity and the financial financial reporting process. AN! Consider an organization ith poor data/ase security controls. 'n such a situation3 even data processed /y systems ith ade&uate ade&uate /uilt in application application controls may may /e at ris*. An An individual ho can circumvent data/ase security3 may then change3 steal3 or corrupt stored transaction data. hus3 general controls are needed to support the functioning of application controls3 and /oth are needed to ensure accurate financial reporting. ,. %rior to O?3 O?3 e8ternal auditors ere ere re&uired to /e familiar familiar ith the client organization’s organization’s internal controls3 /ut not test them. E8plain. AN! Auditors had the option of not relying on internal controls in the conduct of an audit and therefore did not need to test them. 'nstead ' nstead auditors could focus primarily of su/stantive tests. Hnder O?3 management is re&uired to ma*e specific assertions regarding the effectiveness of internal controls. o attest to the validity of these assertions3 auditors are re&uired to test the controls. . :oes a &ualified opinion on managements managements assessment assessment of internal controls controls over over the financial reporting system necessitate a &ualified opinion on the financial statements- E8plain. AN! No. 
Auditors are permitted to simultaneously render a qualified opinion on management's assessment of internal controls and an unqualified opinion on the financial statements. In other words, it is technically possible for auditors to find internal controls over financial reporting to be weak, but to conclude through substantive tests that the weaknesses did not cause the financial statements to be materially misrepresented.

6. The PCAOB's Standard No. 2 specifically requires auditors to understand transaction flows in designing their tests of controls. What steps does this entail?
ANS: This involves:
1. Selecting the financial accounts that have material implications for financial reporting.
2. Identifying the application controls related to those accounts.
3. Identifying the general controls that support the application controls.
The sum of these controls, both application and general, constitutes the relevant internal controls over financial reporting that need to be reviewed.

7. What fraud detection responsibilities (if any) are imposed on auditors by SOX?
ANS: Standard No. 2 places new responsibility on auditors to detect fraudulent activity. The standard emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements.
8. Describe how a Corporate Computer Services Function can overcome some of the problems associated with distributed data processing.
ANS: The Corporate Computer Services Function may provide the following technical advice and expertise to distributed data processing units: central testing of commercial software and hardware; installation of new software; troubleshooting hardware and software problems; technical training; firm-wide standard setting for the systems area; and performance evaluation of systems professionals.

9. Discuss the advantages and disadvantages of the second site backup options.
ANS: Second site backups include mutual aid pacts, empty shell, recovery operations center, and internally provided backups.

Mutual Aid Pacts
  Advantages: Inexpensive
  Disadvantages: Dependence on the partner firm to scale back its own processing; both firms may be struck by the same disaster (see question 13)

Empty Shell
  Advantages: Inexpensive
  Disadvantages: Extended time lag between disaster and initial recovery

Recovery Operations Center
  Advantages: Rapid initial recovery
  Disadvantages: Expensive

Internally Provided Backups
  Advantages: Controlled by the firm; compatibility of hardware and software; rapid initial recovery
  Disadvantages: Expense of maintaining excess capacity year round
10. Internal control in a computerized environment can be divided into two broad categories. What are they? Explain each.
ANS: Internal controls can be divided into two broad categories. General controls apply to all or most of a system to minimize exposures that threaten the integrity of the applications being processed. These include operating system controls, data management controls, organizational structure controls, system development controls, system maintenance controls, computer center security, Internet and intranet controls, EDI controls, and PC controls. Application controls focus on exposures related to specific parts of the system: payroll, accounts receivable, etc.

11. Auditors examine the physical environment of the computer center as part of their audit. What characteristics of the computer center are of interest to auditors?
ANS:
The characteristics of computer centers that are of interest to auditors include: physical location, because it affects the risk of disaster (the center should be away from man-made and natural hazards); construction of the computer center, which should be sound; access to the computer center, which should be controlled; air-conditioning, which should be adequate given the heat generated by electronic equipment and the failures that can result from overheating; fire suppression systems, which are critical; and an adequate power supply, which is needed to ensure service.

12. Explain why certain duties that are deemed incompatible in a manual system may be combined in a CBIS environment. Give an example.
ANS: In a CBIS environment it would be inefficient and contrary to the objectives of automation to separate such tasks as processing and recording a transaction among several different application programs merely to emulate a manual control model. Further, the reason for separating tasks is to control against the negative behavior of humans; in a CBIS the computer performs the tasks, not humans.

13. Compare and contrast the following disaster recovery options: mutual aid pact, empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as from most costly to least costly.
ANS: A mutual aid pact requires two or more organizations to agree and trust one another to aid each other with their data processing needs in the event of a disaster. This method is the lowest cost, but also somewhat risky for two reasons. First, the host company must be trusted to scale back its own processing in order to process the transactions of the disaster-stricken company. Second, the two or more firms must not be affected by the same disaster, or the plan fails.
The next lowest cost method is internally provided backup. With this method, organizations with multiple data processing centers may invest in internal excess capacity and support themselves in the case of a disaster at one data processing center. This method is not as risky as the mutual aid pact because reliance on another organization is not a factor. In terms of cost, the next highest method is the empty shell, where two or more organizations buy or lease space for a data processing center. The space is made ready for computer installation; however, no computer equipment is installed. This method requires lease or mortgage payments, as well as payment for air conditioning and raised floors. The risk of this method is that the hardware, software, and technicians may be difficult, if not impossible, to have available in the case of a natural disaster. Further, if multiple members' systems crash simultaneously, an allocation problem exists. The method with the lowest risk and also the highest cost is the recovery operations center. This method takes the empty shell concept one step further: the computer equipment is actually purchased and software may even be installed. Assuming that this site is far enough away from the disaster-stricken area not to be affected by the disaster, this method can be a very good safeguard.

14. What is a disaster recovery plan? What are the key features?
ANS: A disaster recovery plan is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. The essential features are: providing second site backup, identifying critical applications, backup and off-site storage procedures, creating a disaster recovery team, and testing the disaster recovery plan.