Erica Neidhardt
Week 5 Homework
Chapter 12 & Chapter 13
August 1, 2012

Chapter 12 (12-8 & 12-11)

12-8: The Espy Company recently had an outside consulting firm perform an audit of its information systems department. One of the consultants identified some business risks and their probability of occurrence. Estimates of the potential losses and estimated control costs are given in Figure 12-11.

a.) Using the Figure 12-11 information, develop a risk assessment for the Espy Company.

Risk Assessment for Espy Company

The following risk assessment for Espy Company was completed July 2012 and the following issues were found. We have put these in the order of the greatest probability that the loss will occur. We have also made suggestions on ways to help prevent any loss.

1.) Vandalism comes in first with the probability that the loss will occur at .65%. There are a few things that you can do to try your best to protect against vandalism. The first suggestion is to make sure that you have everything password protected. It is important to make sure the employees use a password that no one else knows and that they don’t share their passwords with anyone. You will also want to make sure that only the people that need the information are allowed in the system. The estimated loss in this situation could be anywhere from $1,000 to $15,000 and has an estimated cost of $8,000 to put the controls in place for prevention.

2.) Power surge comes in second with the probability that the loss will occur at .40%. In order to prevent this you will want to make sure that the system has the proper power cords and is kept in a proper location. The estimated loss in this situation could be anywhere from $850 to $2,000 and has an estimated cost of $300 to put a control into place.

3.) Brownout comes in third with the probability that the loss will occur at .40%. A brownout is an intentional drop in voltage used for load reduction in an emergency.
You will want to make sure that you once again have the proper equipment needed to support the system. You will also want to make sure that you have a backup place or some kind of procedure in place if this were to happen. The estimated loss in this situation could be between $850 and $2000 with an estimated $250 for a control to be put into place.

4.) Flood comes in fourth with the probability that the loss will occur at .15%. You can’t really prevent a flood but there are things you can have in place in case one should happen. You will want to make sure all of your equipment is up off the floor and at a level that water would not be able to reach if something should go wrong. This one has the largest loss potential, coming in at $250,000 to $500,000, and an estimated control cost of $2,500.

5.) Fire comes in fifth with the probability that the loss will occur at .10%. Once again this is a thing that you can’t prevent, but you can have steps in place to make sure you do everything you can in case it does happen. You will want to make sure you have the proper equipment installed if there is a fire that does occur. The less damage the better. The potential loss is anywhere from $150,000 to $300,000 and the cost for the control would be around $4,000.

6.) Software failure comes in sixth with the probability of the loss at .10%. If this occurs you want to make sure you have all the documents on file that you need in order to get the issue resolved with the software developers. The estimated loss could come in anywhere from $4,000 to $18,000 and has an estimated control cost of $1,400.

7.) Equipment failure comes in seventh with a probability of .08% that the loss will occur. Once again, if equipment is going to fail it is going to fail; there is not a lot you can do to prevent it. But you will want to make sure that you have the proper documentation on hand so that if something does happen you can get the equipment replaced quickly.
The estimated loss cost is anywhere between $50,000 and $150,000 and the estimated control cost is $2,000.

b.) If you were the manager responsible for the Espy Company’s information processing system, which controls would you implement and why?

I would have to say that I would implement the vandalism, flood, and fire. The reason I would put these into place is because they would have the greatest consequences if they were to happen. When you are dealing with other people’s information you want to make sure you do everything you can to protect that information. There may be a little bit of cost involved to get the proper procedures and equipment put into place but it would be very worth it.

12-11: Continuous auditing has the potential to reduce labor costs associated with auditing. It also can provide audit assurance closer to the occurrence of a transaction, which improves the reliability of frequent or real-time financial reports. Using an Internet search engine, find an example of an organization’s usage of continuous auditing.

I found my information at the following website: http://normanmarks.wordpress.com/2011/07/22/pwc-continuous-auditing/

There were a couple of good points in this article about the company PwC’s usage of continuous auditing. The first is that with continuous auditing you get the issues right then and there and don’t get the risks from when the assessment was complete. If you have someone continuously doing this they will be able to bring these up to your attention as soon as they arise.

Chapter 13 (13-9)

13-9: Three methods for implementing a new system in an organization are directed conversion, parallel conversion, and modular conversion. Discuss the advantages and disadvantages of using each of these three systems implementation methods.

Directional conversion is when the old system is dropped immediately and the new system takes over the complete processing of the company’s transactions.
One of the good things about this would be that the employees would not have a choice, because if you give them a choice to work in both systems then they are likely to not take the change well. On the down side, if you just kick the old system to the side and something goes wrong then you are stuck because you don’t have anything with the old system anymore.

Parallel conversion is when both systems, the old and the new, operate at the same time for a while. An advantage of this would be that you would be able to work all the kinks out of the new system while you are still able to get stuff done in the old system. A disadvantage to this would be the employees not wanting to convert to the new system. I have had this happen to me at a place of employment. When they were putting in the new system we were still able to use the old system, and we had one individual that did not want to change at all because they gave her the choice to use the old system longer and she never went into the new system to give it a try.

Modular conversion is when the company divides the group into smaller modules and implements the system module by module. An advantage to this would be that the individuals would be able to ask others for help because they would have already been transferred over. Sometimes it is better to be able to ask a coworker for help than to have to go through the IT department. The disadvantage to this would be that it could take a large amount of time to get the system or company totally transferred over.