UNIVERSITY OF WATERLOO – SCHOOL OF ACCOUNTING AND FINANCE
ACC 626 Term Paper
Information technology impact on assurance engagements; impact of Sarbanes-Oxley; internal controls and outsourcing
Kieng Iv 20233702
6/30/2011

Abstract: Information technology has created risks for businesses and auditors, such as segregation-of-duties conflicts, complex revenue streams and computer crime. C-suite executives should understand the impact that information technology can have on their businesses. The profession and businesses manage these risks through specialists, frameworks, information technology tools and access management. Newer information technology services such as cloud computing need to be addressed by auditors because they have implications for the internal controls and security of the business. This is not currently addressed by the profession but must be in order to meet the needs of its clients.

Table of Contents
Introduction
Information Technology Risk
Managing Information Technology Risk
Sarbanes Oxley Impact
Outsourcing Information Technology
Conclusion
Works Cited
Annotated Bibliography

Introduction

Information technology has revolutionized how the business world operates and innovates; however, the same technology has also created many risks within the business world and should be a main concern for C-suite executives. "Information systems permeate all areas of organizations, differentiate them in the marketplace, and consume increasing amounts of human and financial capital."[1] The same information technology has had a pervasive impact on audit risk for internal and external auditors. Auditors and the profession manage this relatively new risk in various ways, such as the use of frameworks, assistance from specialists and information technology tools. This risk has increased significantly since the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley has had a significant impact on internal controls and internal control reporting, and it has increased the risk of outsourcing information technology processes. This paper will also identify areas of risk in outsourcing information technology, show how the business community manages that risk, and identify any gaps not currently addressed that will need to be addressed by the accounting profession.

Information Technology Risk

The Computer Crime and Security Survey found that 45% of unauthorized access was performed by insiders within a company.[2] Insiders have access to, and knowledge of, the system that is not as readily available to outsiders. Employees can also damage the organization unintentionally, by deleting important files, opening e-mails carrying viruses and other such accidental acts.
To mitigate the risk of intentional and unintentional damage, organizations need effective access management. The segregation of duties built into non-IT processes must also be implemented in the information technology environment. With the use of information technology, capital has replaced human capital in many traditional functions within the workplace; however, the same segregation-of-duties requirements are still needed. An example is the posting of journal entries. Before information technology, an organization might have needed many accounting clerks to manage all of its journal entries; with automated functions, far fewer clerks are needed. This only becomes an issue when functions need to be segregated. With fewer employees, organizations have to ensure that no single employee has too much access, and this is easy to overlook because functions are performed virtually instead of physically. Segregation of duties therefore becomes more challenging when information technology is introduced. The potential damage caused by internal and external attacks includes direct costs but also loss of reputation.[3] Information technology has increased audit risk through its pervasive impact on financial statement reporting and auditing, especially on the occurrence and completeness of transactions and on the testing of controls.

[1] Boritz, Efrim J. "Introduction to Internal Control and the Role of Information Technology." Computer Control & Audit Guide. 15th ed. Waterloo: Centre for Information Integrity and Information Systems Assurance, 2011. 3-24. Print.
[2] Silltow, John. "Shedding Light on Information Technology Risks." Internal Auditor December (2005): 32-39. Web. 1 June 2011. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c%40sessionmgr4&vid=7&hid=17>.
In today's standard audit, auditors must develop an understanding of the entity's control environment. "An unreliable system can cause a succession of events that negatively affect a company and its customers, suppliers, and business partners."[4] Controls have increased in complexity with information technology. One example: before information technology, to test the controls over cash disbursements an auditor needed only to obtain the list of approved signatories, manually sample a list of cheques and compare the signatures against that list. Information technology has added electronic transfers alongside the pre-existing physical cheques. In addition to the previous manual testing, auditors now have to develop an understanding of the underlying accounting information system. Who has authority to create vendors? Does authority exist for electronic transfers? If so, who holds it, and can anyone override it? Many of the same implications that exist for manual cash disbursements exist for electronic ones, but verifying the controls is much more complicated and requires an understanding of the information system. Cash disbursement is not the only component of the audit that requires more attention: CAS 315.13 requires auditors to test controls if the entity's environment is highly automated with little or no manual intervention.[5] In that case substantive procedures alone are insufficient to obtain sufficient appropriate audit evidence. Before information technology, auditors chose between a combined approach and a purely substantive approach based on the strength of the control environment, the volume of transactions and a cost-benefit analysis; the Canadian Auditing Standards, however, mandate the testing of controls if the environment relies on information technology and highly automated processes.
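The vendor-creation and electronic-transfer questions above are the kind of thing an auditor can re-perform directly against the system's access data and its transfer log rather than by inspecting signatures. The following is an added example written for this page, not code from the paper or from any audit tool; the user names, function names, conflict policy, vendor trail and transfer records are constructed assumptions. It runs a static segregation-of-duties test over an access matrix, lists who can override the approval limit, and then re-performs the approval checks over each recorded transfer, so a conflicting grant that was actually exercised shows up as a disbursement exception.

```python
"""Segregation-of-duties and disbursement-authority test for an AP system.

Added example, not from the paper. All users, functions, vendors and
transfers below are constructed for illustration; the function names and the
conflict policy are assumptions, not any real system's model.
"""

# Constructed access matrix: user -> set of functions granted in the AP system.
ACCESS = {
    "alice": {"vendor.create", "invoice.enter"},
    "bob": {"eft.approve", "invoice.approve"},
    "carol": {"vendor.create", "eft.approve"},                   # can create a payee and pay it
    "dave": {"eft.approve", "eft.limit.override"},               # can bypass the approval limit
    "erin": {"vendor.create", "invoice.enter", "eft.initiate"},  # can create a payee and initiate payment
}

# Assumed policy: function pairs that must never be held by one person.
CONFLICTS = [
    ("vendor.create", "eft.approve"),
    ("vendor.create", "eft.initiate"),
    ("eft.initiate", "eft.approve"),
    ("invoice.enter", "invoice.approve"),
]

# Constructed vendor-master audit trail and electronic transfer log.
VENDORS = [
    {"vendor": "V100", "created_by": "alice"},
    {"vendor": "V200", "created_by": "carol"},
]
EFTS = [
    {"id": 1, "vendor": "V100", "initiated_by": "erin", "approved_by": "bob"},
    {"id": 2, "vendor": "V200", "initiated_by": "alice", "approved_by": "carol"},
    {"id": 3, "vendor": "V100", "initiated_by": "bob", "approved_by": "bob"},
    {"id": 4, "vendor": "V200", "initiated_by": "erin", "approved_by": "alice"},
]


def sod_violations(access, conflicts):
    """Static test: which users hold both halves of a conflicting pair?"""
    found = []
    for user, funcs in access.items():
        for a, b in conflicts:
            if a in funcs and b in funcs:
                found.append((user, a, b))
    return sorted(found)


def override_holders(access, override="eft.limit.override"):
    """Who can override the transfer approval limit? Each needs a documented reason."""
    return sorted(user for user, funcs in access.items() if override in funcs)


def disbursement_exceptions(efts, vendors, access):
    """Transaction test: re-perform the authority checks over the actual transfer log."""
    created_by = {v["vendor"]: v["created_by"] for v in vendors}
    exceptions = []
    for eft in efts:
        approver = eft["approved_by"]
        if "eft.approve" not in access.get(approver, set()):
            exceptions.append((eft["id"], "approver lacks eft.approve"))
        if approver == eft["initiated_by"]:
            exceptions.append((eft["id"], "initiator approved own transfer"))
        if created_by.get(eft["vendor"]) == approver:
            exceptions.append((eft["id"], "approver created the payee vendor"))
    return exceptions


if __name__ == "__main__":
    for row in sod_violations(ACCESS, CONFLICTS):
        print("SoD conflict:", row)
    print("Limit override held by:", override_holders(ACCESS))
    for row in disbursement_exceptions(EFTS, VENDORS, ACCESS):
        print("Disbursement exception:", row)
```

The static test answers "who could do this"; the transaction test answers "who actually did". Both are needed: carol's conflicting grant is only a finding, while transfer 2, where she approved a payment to a vendor she created, is the evidence that the conflict was exercised.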
The standard setters have determined that in such environments sufficient appropriate audit evidence cannot be obtained, and therefore an opinion on the financial statements cannot be expressed, solely through substantive testing. Information technology has also allowed companies to add revenue streams, especially in e-commerce and online advertising, and these opportunities have complicated the occurrence and completeness of those revenues. Revenue can generally be recognized when risks and rewards are transferred to the buyer, performance is complete, collection is reasonably assured, and revenue and expenses are measurable. For online sales, occurrence is the assertion auditors need to test. One of the major differences between brick-and-mortar and online sales is the collectability of the economic benefits. If an entity does not validate the method of payment for online sales, fictitious transactions could be processed and revenue overstated; without an understanding of the information technology environment, neither the auditors nor the company would discover that the revenue cannot be recorded, because of collectability problems, until much later. It is difficult to assess completeness and occurrence without a thorough understanding of the controls over online advertising and other purely electronic revenue streams, such as video games. For example, if revenue is recognized when advertisements on a website are clicked, then in order to capture when revenue is earned the underlying information system has to record every instance in which an advertisement is clicked. It is not enough to assess revenue earned from whatever information the system happened to capture; the completeness of that capture must itself be tested.

[3] Ibid.
[4] Boritz, Efrim J. "Introduction to Internal Control and the Role of Information Technology." Computer Control & Audit Guide. 15th ed. Waterloo: Centre for Information Integrity and Information Systems Assurance, 2011. 3-24. Print.
[5] CAS 315.13.
Another example: if the batch or real-time transfer of click data is corrupted, or never reaches the internal systems, the internal system will be inaccurate and revenues will be misstated. This raises the risk of material misstatement above what it would be with no online revenue streams. Information technology not only increases the risk of material misstatement through complex revenue streams; accounting errors also occur more often where there are information technology control deficiencies.[6] Companies with more information technology control deficiencies pay higher audit fees and generally employ smaller accounting firms.[7] Lastly, auditors could issue the wrong opinion if they do not understand how information technology affects the business, which could lead to loss of reputation and legal liability. One of the top risks listed in the 2010 Internal Audit Capabilities and Needs Survey was the ability to assess information technology risk, which also topped the list in 2009. Also high on the list were certification standards for COBIT. Scott Graham, managing director of Protiviti, stated that auditing information technology processes and activities should be one of the highest priorities of internal audit departments, given that information technology enables virtually all business functions.[8] The Institute of Internal Auditors has responded to this risk by introducing six standards covering topics including the assessment of information technology governance. Overall, information technology has created many implications for the audit and for the businesses that use it.

Managing Information Technology Risk

Information technology has increased audit risk, and auditors have addressed this risk by using information technology specialists and information technology tools. The IIA has provided a great deal of material and training to address information technology issues within internal audit. Frameworks such as COBIT, COSO and ITCG provide guidance that auditors can use to assess a client's information technology controls. Lastly, the AICPA has clearly established that auditors are responsible for understanding the role of information technology in the client's business.[9] The AICPA has advised auditors to consider using "computer-related audit procedures, including information technology specialists, when they obtain an understanding of client internal controls during audit planning".[10] A study published in the Journal of Information Systems found that information technology specialists were used in 45% of sampled engagements.[11] Information technology specialists are generally involved in planning and performing the testing of information technology controls to reduce audit risk. The more complex the computer environment, the more important it is to involve an information technology specialist in the audit.

[6] Grant, Gerry H., Karen C. Miller, and Fatima Alali. "The Effect of IT Controls on Financial Reporting." Managerial Auditing Journal 23.8 (2008): 803-23. Web. 29 May 2011. <http://www.emeraldinsight.com/journals.htm?articleid=1746755&show=pdf>.
[7] Ibid.
[8] Jaeger, Jaclyn. "Survey: IT Risk, IFRS Top Internal Auditors' Worries." 7.77 (2010): 38. Web. 31 May 2011. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864%40sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551>.
At Deloitte, an information technology specialist is now required in audit planning at least every three years, because the growing importance of information technology in clients' environments creates the need to reduce information technology risk.[12] The use of information technology specialists allows auditors to test sophisticated information technology processes. Referring back to the electronic transfer example, with an information technology specialist the underlying system controls can be verified to determine whether segregation-of-duties issues or unauthorized disbursements exist. Likewise, online revenue streams can be tested more effectively if the system's controls are tested by information technology professionals to verify the completeness and occurrence of those revenue streams. Testing controls is not only necessary for these complicated transactions; it also reduces the amount of substantive testing needed and creates audit efficiencies.

[9] Bedard, Jean C., Cynthia Jackson, and Lynford Graham. "Information Systems Risk Factors, Risk Assessments, and Audit Planning Decisions." Web. 28 Mar. 2011. <http://aaahq.org/audit/midyear/03midyear/papers/Systems%20Risk%20Factors%20and%20Audit%20Planning%2009-18.pdf>.
[10] Janvrin, Diane, James Bierstaker, and Jordan Lowe. "An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures." Journal of Information Systems 23 (2009): 1-22. Web. 23 June 2011. <http://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdf>.
[11] Janvrin, Diane, James Bierstaker, and Jordan Lowe. "An Examination of Audit Information Technology Use and Perceived Importance." Accounting Horizons 22.1 (2008): 1-21. Web. 28 May 2011. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864%40sessionmgr15&vid=6&hid=17>.
[12] Pryce, Jim. "ACC 626 Deloitte Partner Interview." 03 May 2011. E-mail.
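The online revenue stream test mentioned here, for the click-based advertising revenue discussed in the previous section, can be built on control totals that travel with each batch of clicks from the ad server to the revenue system. The following added example is not from the paper or from any ad platform; the batch layout (sequence number, record count, amount total, SHA-256 digest) and the click records are constructed assumptions. It shows the sender-side wrapping and the receiver-side verification that distinguishes a lost batch, a duplicated batch, a truncated batch and a batch whose content was altered in transit, and it sums revenue only from batches that verified clean.

```python
"""Completeness and integrity check on ad-click revenue batches.

Added example, not from the paper. Each batch carries a sequence number,
control totals and a digest; the receiving side re-derives all three. The
batch layout and the click records are constructed assumptions, not any real
ad platform's format.
"""
import copy
import hashlib
import json


def _canonical(records):
    # Deterministic serialization so the digest does not depend on dict ordering.
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def make_batch(seq, records):
    """Sender side: wrap click records with control totals and a SHA-256 digest."""
    return {
        "seq": seq,
        "count": len(records),
        "total_cents": sum(r["cpc_cents"] for r in records),
        "sha256": hashlib.sha256(_canonical(records)).hexdigest(),
        "records": records,
    }


def verify_batches(batches, first_seq=1):
    """Receiver side: list (seq, problem) for gaps, duplicates, truncation
    and corruption, in sequence order."""
    problems = []
    expected = first_seq
    for batch in sorted(batches, key=lambda b: b["seq"]):
        seq = batch["seq"]
        if seq < expected:
            problems.append((seq, "duplicate batch"))
            continue
        while seq > expected:                      # gap: a batch never arrived
            problems.append((expected, "batch missing"))
            expected += 1
        recs = batch["records"]
        if len(recs) != batch["count"] or sum(r["cpc_cents"] for r in recs) != batch["total_cents"]:
            problems.append((seq, "control totals mismatch"))   # truncated or amounts altered
        elif hashlib.sha256(_canonical(recs)).hexdigest() != batch["sha256"]:
            problems.append((seq, "digest mismatch"))           # content altered, totals intact
        expected = seq + 1
    return problems


def recognizable_revenue(batches):
    """Sum revenue only from batches that verified clean, counting each sequence once."""
    bad = {seq for seq, why in verify_batches(batches) if why != "duplicate batch"}
    seen, total = set(), 0
    for batch in batches:
        if batch["seq"] in bad or batch["seq"] in seen:
            continue
        seen.add(batch["seq"])
        total += batch["total_cents"]
    return total


# Constructed click records, as the ad server emitted them.
SENT = [
    make_batch(1, [{"click_id": "c1", "ad_id": "A1", "cpc_cents": 50},
                   {"click_id": "c2", "ad_id": "A2", "cpc_cents": 75}]),
    make_batch(2, [{"click_id": "c3", "ad_id": "A1", "cpc_cents": 50}]),
    make_batch(3, [{"click_id": "c4", "ad_id": "A1", "cpc_cents": 60},
                   {"click_id": "c5", "ad_id": "A3", "cpc_cents": 40}]),
    make_batch(4, [{"click_id": "c6", "ad_id": "A2", "cpc_cents": 75},
                   {"click_id": "c7", "ad_id": "A2", "cpc_cents": 75}]),
    make_batch(5, [{"click_id": "c8", "ad_id": "A3", "cpc_cents": 40}]),
]

# What the revenue system actually received: batch 2 lost, one click in batch 3
# re-attributed to another advertiser in transit, batch 4 truncated, batch 1 delivered twice.
RECEIVED = copy.deepcopy([SENT[0], SENT[2], SENT[3], SENT[4], SENT[0]])
RECEIVED[1]["records"][1]["ad_id"] = "A1"
RECEIVED[2]["records"].pop()

if __name__ == "__main__":
    for seq, why in verify_batches(RECEIVED):
        print(f"batch {seq}: {why}")
    print("recognizable revenue (cents):", recognizable_revenue(RECEIVED))
```

Count and amount totals alone would not catch the batch 3 alteration, because the money did not change, only which advertiser it is attributed to; that is why the digest is carried as well. The sequence number is what turns a silently lost batch into a visible gap, which is the completeness assertion in the text.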
In the past, 80% of data files were processed as flat files and only 20% in databases; those proportions have reversed, and now 80% of data files are processed in databases. The implication is that record retention is less clear and, as a result, audit trails are more complex or do not exist in physical form.[13] In order to obtain sufficient appropriate audit evidence, computer-assisted audit techniques may be needed where input documents are absent (for example, order entry in online systems), where there is no visible audit trail, visible output or visible control totals, or where the volume of audit information makes manual techniques impractical.[14] To address the risk that information technology has created, auditors must turn to computer-assisted audit techniques. "Computer-assisted auditing techniques (CAATs) can be used for assessing inherent risk, evaluating internal control and assessing control risk, analytical review, and tests of detail applied to transactions and/or balances."[15] A more specific example is given by the Information Systems Audit and Control Association (ISACA): payroll controls have not been properly implemented and the system has existed for two years. Instead of manually testing two years of payroll data, the complete population can be tested using CAATs, which not only provides assurance on payroll but also "increases the credibility and value provided by the audit function."[16] This is a case where CAATs are necessary because of the large number of transactions.[17] ACL and IDEA are two CAATs commonly used in practice. "The use of ACL and IDEA has increased audit efficiency and effectiveness."[18] Beyond CAATs and information technology specialists, frameworks are often used for assessing internal controls.
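The ISACA payroll scenario above, where the whole two-year population is tested rather than a sample, looks like this when scripted. The following added example is not from the paper, ISACA, ACL or IDEA; the HR master and the payroll register are constructed, and the four tests are common CAAT tests chosen for illustration: payments dated after termination, payees absent from the HR master, exact duplicate payments, and one bank account shared by several employees.

```python
"""Computer-assisted audit tests over a full payroll population.

Added example, not from the paper and not an ACL or IDEA script. The HR
master and the payroll register below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed HR master: employee id -> record.
EMPLOYEES = {
    "E1": {"name": "A. Ng",  "hired": date(2009, 1, 5), "terminated": None,              "bank": "001-111"},
    "E2": {"name": "B. Roy", "hired": date(2009, 3, 2), "terminated": date(2010, 6, 30), "bank": "001-222"},
    "E3": {"name": "C. Lee", "hired": date(2010, 2, 1), "terminated": None,              "bank": "001-111"},
}

# Constructed payroll register: (employee id, pay date, gross pay in cents).
PAYROLL = [
    ("E1", date(2010, 6, 15), 250000),
    ("E2", date(2010, 6, 15), 180000),
    ("E2", date(2010, 7, 15), 180000),   # paid after termination on 2010-06-30
    ("E3", date(2010, 7, 15), 200000),
    ("E9", date(2010, 7, 15), 150000),   # no such employee in the master
    ("E1", date(2010, 7, 15), 250000),
    ("E1", date(2010, 7, 15), 250000),   # same employee, date and amount twice
]


def paid_after_termination(payroll, employees):
    """Payments dated after the employee's termination date."""
    hits = []
    for emp, pay_date, gross in payroll:
        term = employees.get(emp, {}).get("terminated")
        if term is not None and pay_date > term:
            hits.append((emp, pay_date, gross))
    return hits


def unknown_payees(payroll, employees):
    """Payroll ids with no HR master record (ghost-employee indicator)."""
    return sorted({emp for emp, _, _ in payroll if emp not in employees})


def duplicate_payments(payroll):
    """Identical (employee, date, amount) rows appearing more than once."""
    counts = Counter(payroll)
    return sorted(row for row, n in counts.items() if n > 1)


def shared_bank_accounts(employees):
    """Bank accounts receiving pay for more than one employee."""
    by_account = defaultdict(list)
    for emp, rec in employees.items():
        by_account[rec["bank"]].append(emp)
    return {acct: sorted(emps) for acct, emps in by_account.items() if len(emps) > 1}


def run_all(payroll, employees):
    """Every test over the whole population, keyed by test name."""
    return {
        "paid_after_termination": paid_after_termination(payroll, employees),
        "unknown_payees": unknown_payees(payroll, employees),
        "duplicate_payments": duplicate_payments(payroll),
        "shared_bank_accounts": shared_bank_accounts(employees),
    }


if __name__ == "__main__":
    for test, result in run_all(PAYROLL, EMPLOYEES).items():
        print(f"{test}: {result}")
```

Each test touches every row, which is the point of the CAAT: on a two-year register the cost of a full-population test is the same as on a sample, and the exceptions, not the sample, become the audit evidence. Exception rows then go back to the client for explanation and, where needed, for substantive follow-up.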
The Committee of Sponsoring Organizations (COSO) framework is the most commonly used internal control framework, but it does not explicitly address information technology control objectives. COSO has been used as the basis for SAS 78, ISA 315 and the Canadian standards, all of which address information technology either implicitly or explicitly.[19] "Financial auditors are required to gain an understanding of the 'entity and its environment' to ascertain the risk of material misstatement associated with that aspect of the financial statements, and the COSO model is extremely valuable as a tool to comply with this standard."[20] COSO provides guidance on general, application and physical controls. "General controls are controls that in general affect the computer systems (information systems) and information technologies employed by the entity in performing functions (business processes) associated with financial reporting activities. Application controls are computer controls embedded within technologies and systems that are intended to ensure that policies and procedures are carried out in the business processes."[21] COSO also provides guidance on the levels at which controls can be tested, namely design effectiveness, implementation and operating effectiveness, which helps with compliance with SAS 109. Another framework, arguably more relevant than COSO for information technology controls, is Control Objectives for Information and related Technology (COBIT).

[14] Ibid.
[15] Ibid.
[16] Sayana, Anantha. "Using CAATs to Support IS Audit." Information Systems Control Journal 1 (2003): 1-2. Web. 23 June 2011. <http://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031UsingCAATstoSupportISAu.pdf>.
[17] Pryce, Jim. "ACC 626 Deloitte Partner Interview." 03 May 2011. E-mail.
COBIT is an "authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors."[22] It was created because of the growing importance of technology and the need to hold senior management more accountable. "COBIT focuses on information having integrity and being secure and available."[23] COBIT's objective is to ensure the integrity of information systems by providing a framework that gives clear criteria for review and audit work. COBIT supplies a working control model for information technology control objectives, helps auditors identify key risk areas when observing systems, and provides a model for evaluating controls. Overall, auditors have addressed many of the risks that information technology has created through the use of specialists, frameworks and information technology tools such as CAATs.

Sarbanes Oxley Impact

Sarbanes-Oxley has made information technology governance and internal controls mission critical to financial reporting and to performing the audit. It has also made the reporting of internal controls mandatory for public companies, and the attestation of those controls a compulsory component of the financial statement audit.[24] IT assurance is more relevant in the business world than ever before because of Sarbanes-Oxley. The penalties for non-compliance can be severe, with fines of up to $5 million and up to 20 years in prison, which makes information technology important to senior executives. Before discussing how Sarbanes-Oxley affects internal controls, it is important to define and understand them. The AICPA defines internal control as the system that "comprises the plan of organization and all the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operating efficiency, and encourage adherence to prescribed managerial policies".[25] Controls can be viewed in two main ways: the cybernetic view and the socio-cultural view. The cybernetic view is based on the principles of a self-monitoring system: set goals, then follow up on any deviations. The socio-cultural view focuses on hiring good people, training them, and socializing employees into the culture of the organization. When behavioural processes are readily observable and goals, tasks and outcomes are well specified, the cybernetic view is preferable because control over the process can be monitored; when the reverse is true, the socio-cultural view is superior. Most organizations, however, use a combination of the two.

[19] Boritz, Efrim J. "Introduction to Internal Control and the Role of Information Technology." Computer Control & Audit Guide. 15th ed. Waterloo: Centre for Information Integrity and Information Systems Assurance, 2011. 3-24. Print.
[20] Singleton, Tommie. "The COSO Model: How IT Auditors Can Use It to Evaluate the Effectiveness of Internal Controls." ISACA Journal 6 (2007). Web. 24 June 2011. <http://www.isaca.org/Journal/Past-Issues/2007/Volume-6/Pages/The-COSO-Model-How-IT-Auditors-Can-Use-It-to-Evaluate-the-Effectiveness-of-Internal-Controls1.aspx>.
[21] Ibid.
[22] Beveridge, John. COBIT Implementation Workshop. PPT.
[23] Ibid.
In addition to the two views, an internal control system has five components: the control environment, the risk assessment process, the information system, control activities, and the monitoring of controls.[26] Sarbanes-Oxley makes executives accountable for evaluating and monitoring the effectiveness of internal control over financial reporting and disclosure.[27] Auditors must also attest to management's internal control assessment and to the effectiveness of the controls. Information technology controls are an important component of internal control, especially in entities that use computer systems extensively. Given the importance of complying with Sarbanes-Oxley and the harsh criticism of auditors after the scandals of the early 2000s, information technology controls have increased audit business risk and have made information technology risk even more important to manage.

[24] Grant, Gerry H., Karen C. Miller, and Fatima Alali. "The Effect of IT Controls on Financial Reporting." Managerial Auditing Journal 23.8 (2008): 803-23. Web. 29 May 2011. <http://www.emeraldinsight.com/journals.htm?articleid=1746755&show=pdf>.
[25] Janvrin, Diane, James Bierstaker, and Jordan Lowe. "An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures." Journal of Information Systems 23 (2009): 1-22. Web. 23 June 2011. <http://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdf>.
[26] CICA CAS 315 Appendix 1:6.
[27] Damianides, Marios. "SOX and IT Governance: New Guidance on IT Controls and Compliance." Information Systems Management (2005): 77-85. Web. 29 May 2011. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864%40sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579>.
The cost of compliance is high; audit fees are higher, and IT controls are one of the biggest reasons.[28] An information systems audit assesses whether the information systems and related resources safeguard assets, maintain system and data integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, and consume resources efficiently. It also assesses whether internal controls provide assurance that business, operational and control objectives have been met, and that undesired events will be prevented, or detected and corrected, in a timely manner. Non-financial audit fees increased from 19% in 1992 to 79% in 2001, which indicates the continuing importance of IS auditing.[29] Since 1990, the IS audit professional has evolved from a secondary function, to a provider of value-added work that the financial auditors did not understand, to a key component of the risk assessment process. "Sarbanes-Oxley experts agreed that IT control was a specific area likely to produce significant deficiencies by many companies. As the majority of internal controls are embedded in automated systems, information system auditors have become a vital part of complying with the standards, guidelines, and regulations."[30]

Outsourcing Information Technology

Information technology and recent regulations such as Sarbanes-Oxley have exposed new risks for organizations that outsource information technology. These same risks have also created new assurance opportunities for public accounting firms to help manage them for their clients. Sarbanes-Oxley affects outsourcing because management must report on the organization's controls and auditors must consider the risks of having mission-critical applications outside the organization.
It has been found that Sarbanes-Oxley increases the pre-existing compliance risks of large-scale information technology outsourcing.[31] One of management's roles under Sarbanes-Oxley is to oversee internal controls, and management suffers the consequences if those controls are not effective; yet information technology outsourcing distances information technology operations from management both intellectually and physically. Management's inability to communicate with the vendor's leadership, who are generally offsite, makes it harder to assess business strategy and information technology issues, and makes it more likely that internal control failures will go undetected. To audit these risks and the outsourced controls, auditors must either audit the service organizations themselves or obtain SAS 70 reports, which can be harder to do when the provider is offshore. Legislation has also multiplied: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999, and Sections 302 and 404 of the Sarbanes-Oxley Act of 2002. These three acts enforce privacy protection, corporate accountability and the establishment of internal controls throughout businesses. "Thus, a need was created in many industries for a due diligence process that can aggregate many of the principles found within these three acts and provide companies with a high level of assurance and confidence when using service organizations for outsourcing critical business functions."[32] This created the need for SAS 70 and equivalent reporting.

[28] Holmes, Monica C., and Darian Neubecker. "The Impact of the Sarbanes-Oxley Act 2002 on the Information Systems of Public Companies." Information System 7.2 (2006): 24-48. Web. 29 May 2011. <http://www.iacis.org/iis/2006_iis/PDFs/Holmes_Neubecker.pdf>.
[30] Ibid.
The importance of information technology assurance has increased with new regulations, and this has created many new opportunities for auditors. Auditors and businesses are exploring the real and regulatory risks associated with cloud computing and how to address them. The National Institute of Standards and Technology, the Cloud Security Alliance and the Information Systems Audit and Control Association define the cloud as a "model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., network, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."[33] Currently, there are no standards in place for cloud certification.[34] Business-critical data or applications are those determined to be confidential, proprietary or subject to regulation, which includes data and applications under Sarbanes-Oxley. It is well known in the information technology world that "black hat" attackers want to steal data, and data held in the cloud is a target. Information technology departments and information technology risk managers should assess a cloud service provider's security, as well as its disaster recovery and business continuity policies, and compare them against internal standards.[35]

Outsourcing information technology has created benefits for organizations, such as reduced costs and better technology, but it has also created new business risks, such as uncertainty about the quality of controls. Many traditional outsourcing risks have been appropriately mitigated through information technology assurance on service organizations; cloud computing, however, is one area of information technology that has not been explicitly addressed. This leaves open how the profession will address this risk, a question it will have to answer in the future. As information technology continues to evolve, both in form and in functionality, the audit profession will need to evolve with it in order to address the risks that information technology creates.

[32] Denyer, Charles, and Christopher Nickell. "An Introduction to SAS 70 Audits." Benefits Law Journal. Web. 23 June 2011. <http://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdf>.
[33] Rapp, Peet. "Auditing the Cloud." Financial Executive May (2010): 62-63. Web. 1 June 2011. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=12&sid=1&srchmode=2&vinst=PROD&fmt=6&startpage=1&clientid=16746&vname=PQD&RQT=309&did=2046898071&scaling=FULL&ts=1306972929&vtype=PQD&rqt=309&TS=1306973354&clientId=16746>.
[34] Ibid.
[35] Ibid.

Conclusion

It is clear that information technology has had a significant impact on how businesses operate and how they deal with their suppliers and customers. However, the same innovation has introduced weaknesses in the business with an unparalleled potential magnitude of damage. Businesses are not the only ones affected; auditors face new risks that they must address. Adding to the importance of addressing this risk, Sarbanes-Oxley has made auditors more accountable for the work they perform. Auditors have managed these risks with the use of information technology specialists, frameworks and information technology itself. As information technology continues to evolve, new standards will be created to reduce the risk for businesses. The latest information technology risk that has been raised but not yet explicitly addressed by auditors is cloud computing. Will auditors provide assurance on this growing field? If so, how will they provide assurance on cloud computing for their clients?
As information technology has gone from transactional, to necessary for the business to function, to transformational, auditors must change and adapt at the same pace or risk falling behind the needs of their clients.

Works Cited

Bedard, Jean C., Cynthia Jackson, and Lynford Graham. "Information Systems Risk Factors, Risk Assessments, and Audit Planning Decisions." Web. 28 Mar. 2011. <http://aaahq.org/audit/midyear/03midyear/papers/Systems%20Risk%20Factors%20and%20Audit%20Planning%2009-18.pdf>.
Beveridge, John. COBIT Implementation Workshop. PPT.
Boritz, Efrim J. "Introduction to Internal Control and the Role of Information Technology." Computer Control & Audit Guide. 15th ed. Waterloo: Centre for Information Integrity and Information Systems Assurance, 2011. 3-24. Print.
CAS 315.13.
CICA CAS 315 Appendix 1:6.
Damianides, Marios. "SOX and IT Governance: New Guidance on IT Controls and Compliance." Information Systems Management (2005): 77-85. Web. 29 May 2011. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864%40sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579>.
Denyer, Charles, and Christopher Nickell. "An Introduction to SAS 70 Audits." Benefits Law Journal. Web. 23 June 2011. <http://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdf>.
Grant, Gerry H., Karen C. Miller, and Fatima Alali. "The Effect of IT Controls on Financial Reporting." Managerial Auditing Journal 23.8 (2008): 803-23. Web. 29 May 2011. <http://www.emeraldinsight.com/journals.htm?articleid=1746755&show=pdf>.
Holmes, Monica C., and Darian Neubecker. "The Impact of the Sarbanes-Oxley Act 2002 on the Information Systems of Public Companies." Information System 7.2 (2006): 24-48. Web. 29 May 2011. <http://www.iacis.org/iis/2006_iis/PDFs/Holmes_Neubecker.pdf>.
Jaeger, Jaclyn. "Survey: IT Risk, IFRS Top Internal Auditors' Worries." 7.77 (2010): 38. Web. 31 May 2011. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864%40sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551>.
Janvrin, Diane, James Bierstaker, and Jordan Lowe. "An Examination of Audit Information Technology Use and Perceived Importance." Accounting Horizons 22.1 (2008): 1-21. Web. 28 May 2011. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864%40sessionmgr15&vid=6&hid=17>.
Janvrin, Diane, James Bierstaker, and Jordan Lowe. "An Investigation of Factors Influencing the Use of Computer-Related Audit Procedures." Journal of Information Systems 23 (2009): 1-22. Web. 23 June 2011. <http://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdf>.
Pryce, Jim. "ACC 626 Deloitte Partner Interview." 03 May 2011. E-mail.
Rapp, Peet. "Auditing the Cloud." Financial Executive May (2010): 62-63. Web. 1 June 2011. <http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=12&sid=1&srchmode=2&vinst=PROD&fmt=6&startpage=1&clientid=16746&vname=PQD&RQT=309&did=2046898071&scaling=FULL&ts=1306972929&vtype=PQD&rqt=309&TS=1306973354&clientId=16746>.
Sayana, Anantha. "Using CAATs to Support IS Audit." Information Systems Control Journal 1 (2003): 1-2. Web. 23 June 2011. <http://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031UsingCAATstoSupportISAu.pdf>.
Silltow, John. "Shedding Light on Information Technology Risks." Internal Auditor December (2005): 32-39. Web. 1 June 2011. <http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c%40sessionmgr4&vid=7&hid=17>.
Singleton, Tommie. "The COSO Model: How IT Auditors Can Use It to Evaluate the Effectiveness of Internal Controls." ISACA Journal 6 (2007). Web. 24 June 2011. <http://www.isaca.org/Journal/Past-Issues/2007/Volume-6/Pages/The-COSO-Model-How-IT-Auditors-Can-Use-It-to-Evaluate-the-Effectiveness-of-Internal-Controls1.aspx>.

Annotated Bibliography

Annotation #1
Author: Pryce, Jim
Source: Interview
Date accessed: 05/17/2011
Annotation: The use of information technology within a client's environment has increased the complexity of an audit. Revenue recognition has become more complicated: how do you ensure the existence of many online revenue streams, such as advertising? Having strong controls is more important now, with the use of information technology, than ever before. To address the occurrence assertion on revenue, there is a need to bring in IT experts and to have appropriate training to understand how transactions flow through the accounting information system. Sarbanes-Oxley has required management to attest to controls, including IT controls.

Annotation #2
Author: Bedard, Jean C.; Jackson, Cynthia; Graham, Lynford
Title: Information Systems Risk Factors, Risk Assessments, and Audit Planning Decisions
Date accessed: May 28, 2011
Location: http://aaahq.org/audit/midyear/03midyear/papers/Systems%20Risk%20Factors%20and%20Audit%20Planning%2009-18.pdf
Annotation: "The purpose of this study is to examine external auditors' perspectives on information systems risk in their actual audit client." The paper found that IT system risks fall into one of two categories: management information quality and EDP security.
o Management information quality: the system does not output suitable or accurate data to help management with decision making, and makes it difficult to identify when problems occur.
o EDP security: a lack of EDP security undermines the value of well-designed controls because of security breaches.
The AICPA has become clearer on the auditor's responsibility to understand the role of IT in the client's business. A high correlation was found between management information quality and the risk assessment made by the firm. A low correlation was found between EDP security and risk assessments, and this is attributed
“to the frequent practice of calling on EDP specialists to assist with engagements in which system security risks have been identified” Annotation #3 Author Title of Article Holmes, Monica C. The Impact Information Of The System SarbanesOxley Act 2002 On The Neubecker, Darian Periodical/ website Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link Vol. VII 2006 May 29, 2011 24-28 No. 2 http://www.iaci s.org/iis/2006_ iis/PDFs/Holm es_Neubecker .pdf Information Systems Of Public Companies Annotation This paper discusses the impact of Sarbanes-Oxley Act and Information Technology. CIO are very critical in helping a company to be complying with Sarbanes-Oxley because how transactions are automated and paperless (no audit trail) Scalability of storage systems is very important in high transaction industries with automation There have been a lot of IT solutions developed to make systems and businesses SOX compliant Lots of IT companies and consulting companies are offering compliance solutions o BWise, a software leader in internal control software, claims the platform is “auditable, web-based with extensive security measures built-in, and can achieve compliance in as little as 3-4 weeks” The cost complying is high – audit fees are higher and one of the biggest reasons is because of IT controls Annotation #4 Author Title of Article Periodical/ website Hall, James A. The Sarbanes Oxley Act: The COMMUNIC Vol. 50 ATIONS OF No. 3 THE ACM Liedtka, Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link 2007 May 29, 2011 95-100 http://proquest .umi.com.prox y.lib.uwaterloo .ca/pqdweb?in 14 Stephen L. implications for largescale IT outsourcing dex=0&did=12 24854971&Sr chMode=2&si d=2&Fmt=2& VInst=PROD& VType=PQD& RQT=309&VN ame=PQD&T S=130697707 1&clientId=16 746 Annotation This paper discusses the implication of SOX on large scale IT outsourcing. 
The response from corporate decision makers varied in response to SOX and their thoughts on the impact to IT outsourcing. 21% responded that they would outsource more, 19% indicated that they would outsource less, 25% said no one of knowing the impact and the remainder did not expect a change at all It was found that SOX increases pre-existing risks of large-scale IT outsourcing on SOX compliance. The purpose of SOX is to increase public confident in capital markets through improved corporate governance, financial reporting, internal controls and external audit quality SOX has increased the demand for employees with computer skills and business training especially in the areas of forensic accounting, risk management, computer auditing and ITcontrols The benefits of IT outsourcing include reduced IT costs and improved IT performance. Large scale IT sourcing actually increases the risk of failing to comply with both the detail and the spirit of SOX. One of the roles of management within SOX is oversight of the internal controls are effective but since IT outsourcing distances the IT operations from management both intellectually and physically Due to management’s inability to communicate with vendors leadership, who are generally offsite, makes it more difficult to assess business strategy and IT issues and will result in a higher likelihood that internal control failures will go undetected In order to audit these risks and outsourced controls, auditors must audit them themselves or receive SAS 70 reports. This information could be more difficult to obtain if they are offshore companies. 
IT outsourcing is sometimes described as off balance sheet financing since no investment in IT assets will need to be made IT outsourcing may result in deceptive short-term increases in profitability since IT vendors often charge lower amounts in the first couple years then increase prices later Annotation #5 Author Title of Article Periodical/ website Damianides, Marios SOX and IT Information Governance Systems New Management Guidance on IT Controls Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link 2005 May 29, 2011 77-85 http://web.ebs cohost.com.pr oxy.lib.uwaterl oo.ca/ehost/d etail?vid=3&hi 15 and Compliance d=17&sid=ca1 4f94e-d82f4e7c-b475a5f41240f864 %40sessionm gr15&bdata=J nNpdGU9ZW hvc3QtbGl2Z SZzY29wZT1 zaXRl#db=bth &AN=153045 79 Annotation This article discusses how SOX has focused companies to improve their internal controls and maintain an effective IT environment in order to be compliant. This article further discusses how SOX has impacted executives and IS professionals. 
With SOX regulation, IT professionals have higher expectations to give timely, accurate and visible information while still maintaining high level security of these information assets 88 percent of senior business executives view security as a top priority and 71 percent view security as a positive investment due to more continuity and efficiency SOX makes executives accountable for evaluating and monitoring the effectiveness of internal control over financial reporting and disclosures SOX has increased the need for companies to have strong IT controls in place One of the main criteria of IT governance is to align IT with the overall business strategy Fortune 500 companies board members hardly discuss IT during board meetings – one out of ten boards ask IT questions, two out of three approval IT strategy and six out of seven directors are regularly informed about IT Annotation #6 Author Janvin, Diane Title of Article An Examination of Audit Bierstaker, Information James Technology Use and Lowe, Jordan Perceived Importance Periodical/ website Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link Accounting Horizons Vol. 22 2008 May 28, 2011 No. 1 1-21 http://web.ebs cohost.com.pr oxy.lib.uwaterl oo.ca/ehost/p dfviewer/pdfvi ewer?sid=ca1 4f94e-d82f4e7c-b475a5f41240f864 %40sessionm gr15&vid=6&h id=17 16 Annotation The article is a study about how IT is perceived and how it is used in various size firms from local to Big 4 firms. 
“Standards now encourage audit firms to adopt IT and use IT specialists when necessary” Auditors view the use of applications as important but don’t fully utilize them IT specialists are not used in a large extent In general, larger firms tend to use more specific IT to perform their audits and more likely to use IT specialist than smaller firms IT has created a barriers to entry to run a public practice IT is used for helping identify risks in client acceptance, going concern and analytical procedures Annotation #7 Author Title of Article Grant, Gerry H The effect of IT controls on Financial Miller, Karen Reporting C Periodical/ website Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link Managerial Auditing Journal Vol. 23 2008 May 29, 2011 803-823 No. 8 Alai, Fatima http://www.em eraldinsight.co m/journals.ht m?articleid=1 746755&show =pdf Annotation “The purpose of this study is to examine IT control deficiencies and their affect on financial reporting” Accounting errors occur more often when there are IT control deficiencies IT deficient companies pay a higher audit fee and employ smaller accounting firms Many major scandals were not prevented or detected because the company had poor internal controls SOX was created because of the above point to force companies’ auditors to assess and attest to the effectiveness of controls Pre-sox and post-sox studies have come to the same conclusion. The more IC deficiencies the more accounting errors Prior to SOX minimal IT controls were tested since it was not explicit in the standards. 
However, post SOX, companies are required to report any significant IT deficiencies The most commonly used IT governance framework is COSO but COSO provides minimal guidance for designing and implementing IT controls The use of COBIT has been used to evaluate IT controls for SOX compliance There is a “a direct relationship between the increased quality of IT controls and external factors such as longer tenured CIOs, more IT-experienced managers, higher percentages of independent directors, and more IT-experienced audit committee Members” Annotation #8 Author Title of Article Bierstaker The impact of Periodical Vol. / No. / / website Edition Year Pages publishe d Date Location, accesse data base, d website, link Managerial 16/3 2001 May 29, 159-164 http://www.em 17 , James L. information Auditing technology on the Journal Burnaby, audit Priscilla process: an Thibodea assessment of the u, Jay`` state of the art and 2011 eraldinsight.co m/journals.ht m?articleid=8 68500 implications for the future Annotation “The purpose of this paper is to assess the current impact of technology on the audit process, and to discuss the future implications of technological trends for the auditing profession.” This paper discusses how auditors obtain information client’s current systems, how information technology has affected planning, documentation and testing of internal controls, and how advancements in technology will improve audit efficiency and effectiveness. Audits are becoming more about process audits rather than audits of each department. For example, an auditor may audit the flow of raw inventory to the end of the cycle where receivables are collected. 
Beginning to end audits are becoming more of a requirement The use of audit software has already helped audit planning where a software is used to identify key risk areas instead of relying solely on the audit team expertise The use of new technology has also freed up professional service time through the creation of documents, proposals and memo templates that gather the expertise of members of the firm If evidence is transmitted, processed and assessed through only electronic means then need to assess reliability of the system to ensure evidence was not manipulated. Since there some processes do not have paper trails, it is useless to use the traditional methods of testing controls since significant risk will go unnoticed It is now a requirement to test sophisticated controls including firewalls, encryption and passwords The use of ACL and IDEA has increased audit efficiency and effectiveness Audit software can also be used to test fraud. One example, is comparing all employee addresses with vendor addresses Annotation #9 Author Title of Article Vilsanoiu, Daniel Changing Informatica Methodologie Economica s in Financial Audit and Their Impact Serban, Michaela on Information Systems Audit Periodical/ website Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link Vol. 
14 2010 Monday, http://web.ebs May 30, cohost.com.pr 2011 oxy.lib.uwaterl oo.ca/ehost/d etail?vid=8&hi d=17&sid=ca1 4f94e-d82f4e7c-b475a5f41240f864 %40sessionm gr15&bdata=J nNpdGU9ZW hvc3QtbGl2Z Issue 1 57-65 18 SZzY29wZT1 zaXRl#db=bth &AN=489243 78 Annotation “The objective of this article is to provide a better understanding of the relation between financial audit and information systems audit and to assess the influence the change in financial audit methodologies had on IS audit.” A financial audit is a degree of confidence on a set of financial statement if they are prepared without material misstatements An information system audit is the assessing whether the information systems and related resources safe guard assets, maintain system and data integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have, internal controls that provide assurance that business, operational and control objectives will be met and that undesired events will be prevented or detected and corrected in a timely manner. In the mid 1990’s, auditors changed from transaction cycle auditing to business process oriented auditing Transaction cycle auditing focuses on account level risk and the goal is audit to reduce the risk that auditors make judgmental errors and provide an opinion that can withstand the review of peer auditors and regulators. It does not take into consideration business risk and does not require a deep understanding of the business strategy of the company getting audited “business risk is defined as the risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies In the mid 1990’s it was believed that business risk increased audit risk. 
Business Risk Auditing (BRA) allowed auditors to help clients identify non-financial statement risks or areas of improvement. “Sarbanes-Oxley experts agreed that IT control was a specific area likely to produce significant deficiencies by many companies. As the majority of internal controls are embedded in automated systems, IS auditors have become a vital part of complying with the standards, guidelines and regulations” Since 1990, the evolution of the IS audit professional has changed from a secondary function to professionals that provided value added work but auditors not understanding the work performed to finally, a key component of the risk assessment process. Non-financial audit fees have increased from 19% in 1992 to 79% in 2001 which indicates the continuance importance of IS auditing Annotation #10 Author Title of Article Bedard, Jean Information C. Systems Risk and Graham, Audit Lynford Planning Jackson, Cynthia Periodical/ website Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link International Journal of Auditing Vol. 
9 2005 May 30, 2011 Issue 2 147-163 http://web.ebs cohost.com.pr oxy.lib.uwaterl oo.ca/ehost/d etail?vid=10& hid=17&sid=c a14f94e-d82f4e7c-b475- 19 a5f41240f864 %40sessionm gr15&bdata=J nNpdGU9ZW hvc3QtbGl2Z SZzY29wZT1 zaXRl#db=bth &AN=180084 89 Annotation “In this study, we examine client characteristics identified by external auditors for actual audit clients, which are relevant to two important areas of systems risk: system security and management information quality” It was found that management information quality increased with the number of identified risk factors but not the same result was found for EDP security EDP security risks are associated with control activities Management information quality is associated with the control environment SOX Act of 2002 emphasizes internal control which information systems play a key role Managers must assess the effectiveness of control design and the operating effectiveness of controls in the annual report Auditors must also attest to management’s internal control assessment and effectiveness of controls The common EDP security risk factors included system security controls, outdated systems and management style/attitude The common management information risk factors included management style/attitude and management competence It was found that only control activities risk factors are significantly associated with audit planning for EDP security Control environment affects audit planning in management information quality but not EDP security Annotation #11 Author Title of Article Chan, Sally SarbanesOxley: the IT dimension: information technology can represent a key factor in auditors' assessment of financial reporting controls Periodical/ website Vol. / No. 
/ Edition Year Pages publishe d 2004 Date Location, accesse data base, d website, link http://findarticl es.com/p/articl es/mi_m4153/i s_1_61/ai_n6 152500/ Annotation 20 Sarbanes-Oxley Act 2002 presented both immediate and far-reaching compliance issues for companies, especially in the areas of internal-control provisions of 302 and 404. Guidance by the Public Company Accounting Oversight Board states that “the nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting”. However, this vague guidance has audits have had to pay special attention to the information technology component of Sarbanes-Oxley. The IT environment must be reviewed as part of the reviewing of the larger control environment Some auditors have found guidance through the use of COBIT. Other guidance such as AICPA’s SAS 70, Systrust and Webtrust can be used for Sarbanes Oxley in a broader context A key IT component of Sarbanes Oxley is mapping financial reporting control objectives to IT control objectives. An example is that authorization and safeguarding of assets relates to IT control objective – ensuring information security, confidentiality and privacy There are several assertions related to IT controls including existence, occurrence, measurement, completeness, accuracy, presentation and disclosure Through the examination of the IT control environment, controls that don’t mitigate risks and control weaknesses will likely no longer exist after the examination There are the indirect benefit from Sarbanes Oxley of elimination of control redundancies, service improvements or the identification of value-added projects beyond compliance requirements Annotation #12 Author Title of Article Periodical/ website Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link Jaeger, Jaclyn Survey: IT Risk, IFRS Top Internal Auditors’ Worries Compliance Week Vol. 
7 2010 May 31, 2011 Issue 77 38 http://web.ebs cohost.com.pr oxy.lib.uwaterl oo.ca/ehost/d etail?vid=12& hid=17&sid=c a14f94e-d82f4e7c-b475a5f41240f864 %40sessionm gr15&bdata=J nNpdGU9ZW hvc3QtbGl2Z SZzY29wZT1 zaXRl#db=bth &AN=526825 51 Annotation This article discusses how IT has become even more important and has received more attention from Internal Auditors. One of the top risk listed in the 2010 Internal audit Capabilities and Needs Survey was ability to assess IT risk, which also topped 2010. XBLR, ISO 27000 certification standard for information security and COBIT were high on the list of concerns for internal auditors Managing director of Protiviti, Scott Graham, stated that auditing IT processes and activities should be one of the highest priorities in internal audit departments given that IT enables virtually all business functions Institute of Internal Auditing has responded with this risk by introducing six standards covering 21 topics including assessing IT governance Annotation #13 Author Title of Article Periodical/ website Baker, Neil Diagnosis for Internal IT Risk Auditor Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link August 2010 June 1, 2011 38-42 http://content. ebscohost.co m.proxy.lib.uw aterloo.ca/pdf 23_24/pdf/201 0/IAU/01Aug1 0/53770601.p df?T=P&P=A N&K=537706 01&S=R&D=b th&EbscoCont ent=dGJyMN Xb4kSepq84y OvsOLCmr0m eqK5Srq64Sr eWxWXS&Co ntentCustome r=dGJyMPGvt k6uqbJRuePf geyx44Dt6fIA Annotation This article discusses a guide written by the Institute of Internal Auditors on how to identify IT risks. The guide is a top down and risk-based approach. A risk based approach is where the identification starts with understanding the business process and then looks for IT risks that could lead to failure or error in that process. 
The approach was meant to reduce the number of controls that weren’t significant out of Sarbanes-Oxley testing The approach is more focused on IT general controls rather than detailed application controls and is easier to learn for non-technical internal auditors At Intel, with the use of the IIIA approach, the number of controls tested reduced from 1300 to a couple hundred and 65% reduction in company testing efforts IT specialist may not be needed during the risk identification process but in terms of testing the controls IT specialist may need to be used Annotation #14 Author Title of Article Periodical/ website Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link Rapp, Peet H. Auditing the Cloud Financial Executive May 2010 June 1, 2011 62-63 http://proquest .umi.com.prox y.lib.uwaterloo .ca/pqdweb?in 22 dex=12&sid=1 &srchmode=2 &vinst=PROD &fmt=6&startp age=1&clientid=16 746&vname= PQD&RQT=3 09&did=20468 98071&scalin g=FULL&ts=1 306972929&vt ype=PQD&rqt =309&TS=130 6973354&clie ntId=16746 Annotation This article discusses the risk and audit considerations when businesses start storing and using business critical applications on the cloud. Cloud computing does not require the traditional IT capital investment or skilled technical support National Institute of Standards and Technology, Cloud Security alliance and Information System Audit and Control Association define cloud as “model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., network, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Three types: Infrastructure as a Service,(IaaS) Platform as a Service (Paas) and Software as a Service (SaaS) SasS clients share the use of one application on one or several servers sharing the same data memory. This is called multi-tenancy. 
It is known in the IT world that “black hat” software gurus want to steal data especially on the cloud Business critical is defined as data or applications determined to be confidential, proprietary or subject to regulation. This includes data and application under Sarbanes-Oxley regulation. Businesses should identify applications that are considered business critical IT departments and IT risk managers should assess the cloud service providers security and disaster recovery and business continuity policies and compare against internal standards The article suggests that the service level agreement have a right to audit clause Currently, there are no standards in place for cloud certification Annotation #15 Author Title of Article Periodical/ website Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link Huang, ShiMing Building the evaluation model of the IT general control for CPAs under enterprise Decision Support Systems Vol. 50 2011 June 1, 2011 Hung WeiHis Yen, David Issue 50 692-701 http://web.ebs cohost.com.pr oxy.lib.uwaterl oo.ca/ehost/d etail?vid=14& hid=17&sid=c a14f94e-d82f- 23 C. Chang, ICheng risk management 4e7c-b475a5f41240f864 %40sessionm gr15&bdata=J nNpdGU9ZW hvc3QtbGl2Z SZzY29wZT1 zaXRl#db=bth &AN=575147 79 Jiang, Dino Annotation This paper evaluates the Information Technology General Control (ITGC) for CPAs under an Enterprise Risk Management (ERM) framework. SAS No. 
94 stated that auditors must take into consideration the importance of IT processes and relevant controls to prepare the financial statements Auditors have responsibility to provide assertion to the effectiveness of IT controls within a company To reduce audit risk, auditors must have a clear and thorough understanding of IT controls COSO is currently used as a way to assess internal controls but does not explicitly address the IT control objectives IT can establish and maintain a new governance processes but can also increase organizational risk IT controls can be classified as general and application controls General controls include security management, software acquisition, development and maintenance that can support reliable application controls and ensure continued operation of the system SAS No. 55 requires auditors to understand the internal control and it indicates that it may be more cost effective and reliable to use rotational test of controls More and more companies rely on IT heavily to ensure the reliable and trustable operation COBIT can help firms reduce IT risks The study found that Activity level IT control is more important than Entity-level IT control in ITGC The study found that Deliver and Support is the most important objective and that the auditor should spend more time in this area Annotation #16 Author Title of Article Silltow, John Shedding Light on Information Technology Risks Periodical/ website Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link Internal Auditor December 2005 June 1, 2011 32-39 http://web.ebs cohost.com.pr oxy.lib.uwaterl oo.ca/ehost/p dfviewer/pdfvi ewer?sid=2fe 1fd03-3a434b3d-a36f406db34e405 c%40session mgr4&vid=7& 24 hid=17 Annotation This article discusses the various IT risk that a company can be exposed to. 
A survey by Computer Crime and Security shows that 45% of unauthorized access by insiders Financial fraud and theft of information is the most costly crime and requires insider knowledge Employees can also damage the organization through unintentional means such as deleting important files, opening emails with viruses, etc To mitigate the risk of intentional and unintentional damage, organizations need effective access management This risk is increased if there are a large databases with sensitive information Segregation of duties built into non-IT processes need to be implemented into the IT environment When evaluating access control determine whether or not systems allows common passwords such as usernames, spouses’ or pets’ names, etc and other password security settings Authorization of access should be examined as well. Security admin should not authorize access. Access should be authorized by information owners. External attacks have increased. Spam, worms and viruses are the most common type. The potential damage caused by external attacks include direct costs but also lost of reputation Social engineering takes advantage of holes in people’s common sense To protect against the threat of social engineering organizations need to educate employees about what kind of information they disclose Organizations need to ensure that the right information is available to the right people at the right time at the right place One of the main ways to ensure data accuracy is valid is through field validation and input controls Annotation #17 Author Title of Article Hermanson, Dana R. Disaster Management December Recovery Consulting Planning: What Section 404 Audits Reveal Ivancevich, Daniel M. Ivancevish, Susan H. Periodical/ website Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link 2007 June 1, 2011 60-62 http://content. ebscohost.co m.proxy.lib.uw aterloo.ca/pdf 19_22/pdf/200 7/CPA/01Dec 07/28099606. 
pdf?T=P&P=A N&K=280996 06&S=R&D=b th&EbscoCont ent=dGJyMN Xb4kSepq84y OvsOLCmr0m eqK9Srqy4Sb eWxWXS&Co ntentCustome r=dGJyMPGvt 25 k6uqbJRuePf geyx44Dt6fIA Annotation This article discusses how SOX 404 reveals material weaknesses in disaster recovery planning (DRP). It was reported from November 2004 to August 29th, 2006 there were 16 public companies with material weaknesses in internal control over financial reporting that were DRP related Out of the 10 companies there were 10 cases where the deficiency involved a lack of DRP or backup and recovery plan There were 5 companies that had issues with storage of backups where backups were onsite rather than offsite CPAs are also encouraged to help companies implement and build effective DRPs Companies that outsource IT should be aware that DRP may fall outside of SAS 70 Updated since First Submission Annotation #18 Author Title of Article Jarvin, Diane An Investigation Bierstaker, of Factors James Influencing Lowe, Jordan the Use of ComputerRelated Periodical/ website Vol. / No. / Edition JOURNAL 23 OF INFORMATI ON SYSTEM Year Pages publishe d Date Location, accesse data base, d website, link 2009 June 23, http://www.bu 2011 s.iastate.edu/d janvrin/acct48 4584/readings /05%201_223.pdf 1-22 Audit Procedure Annotation In this article, discusses how computer-related audit procedures are used and how control risk and audit firm size influence those procedures. 
SAS 94 informs auditors that assessing control risk as maximum and relying only on substantive is not effective Auditors should rely on computer-related audit procedures including the use of IT specialists when planning the audit Audit firm size impacts whether or not computer-related audit procedures are used because generally larger firms have clients with more complex computer systems 43% of participants in this study assessed control risk below maximum when examining clients with complex IT environments 55% of the sampled engagements used IT specialists Less than half of the participants used CAATs for substantive testing Annotation #19 26 Author Title of Article Periodical/ website Sayana, Anantha S. Using CAATs Information to Support IS Systems Audit Control Journal Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link 1 2003 June 23, http://www.isa 2011 ca.org/Journal /PastIssues/2003/V olume1/Documents/j pdf031UsingCAATst oSupportISAu. pdf 1-3 Annotation This article describes the why there is a need for audit software, how audit software benefits the assurance engagement and how to use CAATs. There is a need for audit software when the task is far too difficult to perform manually and it is more efficient and/or more effective to perform using audit software The auditor must design the procedures and tests. This includes understanding the business rules of the function and how the application functions. Audit software can perform 100% audit which gives more validity to the conclusion given When first implementing an audit software there can be many issues Annotation #20 Author Title of Article Beveridge, John COBIT IMPLEMENT ATION WORKSHOP . PPT. Periodical/ website Vol. / No. / Edition Year Pages publishe d Date Location, accesse data base, d website, link PowerPoint Presentation Annotation These slides describe what COBIT is, who should use COBIT, how COBIT can help auditors and how to use it effectively. 
- COBIT is an "authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors."
- IT governance is "a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes."
- If an auditor uses computer-generated information, its reliability needs to be assessed.
- "COBIT focuses on information having integrity and being secure and available."
- COBIT provides auditors an excellent way to structure review and audit work.
- The goal of internal controls: "The design, implementation, and proper exercise of a system of internal controls should provide 'reasonable assurance' that management's goals are attained, control objectives are addressed, legal obligations are met, and undesired events do not occur."
- COBIT is aligned with COSO, COCO, Cadbury and King.

Annotation #21
Author: Denyer, Charles; Nickell, Christopher G.
Title of Article: An Introduction to SAS 70 Audits
Periodical/website: Benefits Law Journal
Vol./No./Edition: Vol. 20, No. 1
Year published: 2007
Pages: 58-68
Date accessed: June 23, 2011
Location, database, website, link: http://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdf

Annotation
"This article offers an overview of the SAS 70 audit used to report on the 'processing of transactions by service organizations,' which can be done by completing either a SAS 70 Type I or Type II audit."
- A SAS 70 Type I is known as "reporting on controls placed in operation," while a SAS 70 Type II is known as "reporting on controls placed in operation" and "tests of operating effectiveness."
- Recent legislation such as HIPAA, the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act has increased corporate accountability and the creation of internal controls throughout organizations.
- A Type I SAS 70 report gives an opinion as of a point in time, while a Type II report covers a period of time.
- An unqualified opinion in a SAS 70 service auditor's report gives assurance that the service organization has effective controls in place.
- "Auditors have implemented an exhaustive list of policies, procedures, and related controls that must be examined for this type of engagement."
- SAS 70 reports cover general and application controls but also extend into operational and human resource issues, which makes the report more useful when the scope of the engagement is larger.
- A Type II report requires a minimum six-month testing period and is supported by tests of controls, while a Type I consists of inquiry and observation of controls.
- SAS 70 reports draw on a combination of many different standards, such as COBIT, COSO, ISO 17799 and others.

Annotation #22
Author: Singleton, Tommie
Title of Article: The COSO Model: How IT Auditors Can Use It to Evaluate the Effectiveness of Internal Controls
Periodical/website: ISACA Website
Vol./No./Edition: 1
Year published: 2006
Date accessed: June 23, 2011
Location, database, website, link: http://www.isaca.org/Journal/PastIssues/2003/Volume1/Documents/jpdf031UsingCAATstoSupportISAu.pdf

Annotation
In this article, ISACA describes how auditors can apply the COSO model when performing audits.
It breaks the COSO model into five components: Control Environment, Risk Assessment, Information and Communication, Control Activities and Monitoring.
- Control Environment: This part of the COSO model helps auditors comply with SAS 109, which requires auditors to understand the entity and its environment and to assess the risk of material misstatement.
- Risk Assessment: This part of the COSO model helps auditors assess risk within the entity's system of controls by identifying factors that increase risk, such as changes in the operating environment.
- Information and Communication: This part of the model addresses the requirement that financial reporting information be not only relevant but also timely.
- Control Activities: This part breaks control activities into three categories: general, application and physical.
- Monitoring: This part discusses how controls should be monitored, assessed and reviewed.
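The CAAT annotations above (#18 on computer-related audit procedures and #19 on using CAATs) describe audit software that tests the whole population against business rules the auditor designs. The following Python script is an added example written for this page, not code from the paper or from the cited articles: it runs a few such tests over a small constructed payables ledger. The field names, the approval limit and the rules themselves are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import date

# Assumed business rule: single invoices at or above this amount need a
# second approver, so a vendor's same-day invoices that each fall just under
# it are worth a look (possible splitting to stay under the threshold).
APPROVAL_LIMIT = 5000.00

# Constructed sample ledger (made up for this example, not real data).
# Each row: invoice number, vendor, amount, user who entered the invoice,
# user who approved it, and the posting date.
LEDGER = [
    {"invoice": "INV-1001", "vendor": "Acme Ltd", "amount": 4800.00,
     "entered_by": "alice", "approved_by": "bob", "posted": date(2011, 3, 1)},
    {"invoice": "INV-1002", "vendor": "Acme Ltd", "amount": 4900.00,
     "entered_by": "alice", "approved_by": "bob", "posted": date(2011, 3, 1)},
    {"invoice": "INV-1003", "vendor": "Beta Inc", "amount": 1250.00,
     "entered_by": "carol", "approved_by": "carol", "posted": date(2011, 3, 2)},
    {"invoice": "INV-1003", "vendor": "Beta Inc", "amount": 1250.00,
     "entered_by": "carol", "approved_by": "dave", "posted": date(2011, 3, 9)},
    {"invoice": "INV-1004", "vendor": "Gamma Co", "amount": 300.00,
     "entered_by": "erin", "approved_by": "bob", "posted": date(2011, 3, 5)},
    {"invoice": "INV-1005", "vendor": "Gamma Co", "amount": 7200.00,
     "entered_by": "erin", "approved_by": "bob", "posted": date(2011, 3, 7)},
]


def run_caat(ledger, limit=APPROVAL_LIMIT):
    """Run every test over every row (a 100% examination, not a sample) and
    return the exceptions for the auditor to follow up, keyed by test name."""
    exceptions = {
        "segregation_of_duties": [],  # same person entered and approved
        "duplicate_invoice": [],      # invoice number posted more than once
        "split_invoice": [],          # same vendor, same day, each < limit, total >= limit
        "weekend_posting": [],        # posted on a Saturday or Sunday
        "above_limit": [],            # single invoice >= limit: vouch the second approval
    }
    rows_by_invoice = defaultdict(list)
    rows_by_vendor_day = defaultdict(list)

    for row in ledger:
        if row["entered_by"] == row["approved_by"]:
            exceptions["segregation_of_duties"].append(row["invoice"])
        if row["posted"].weekday() >= 5:  # Monday is 0, Saturday is 5
            exceptions["weekend_posting"].append(row["invoice"])
        if row["amount"] >= limit:
            exceptions["above_limit"].append(row["invoice"])
        rows_by_invoice[row["invoice"]].append(row)
        rows_by_vendor_day[(row["vendor"], row["posted"])].append(row)

    for invoice, rows in rows_by_invoice.items():
        if len(rows) > 1:
            exceptions["duplicate_invoice"].append(invoice)

    for (vendor, day), rows in rows_by_vendor_day.items():
        if (len(rows) > 1
                and all(r["amount"] < limit for r in rows)
                and sum(r["amount"] for r in rows) >= limit):
            exceptions["split_invoice"].append(
                (vendor, day.isoformat(), sorted(r["invoice"] for r in rows)))

    exceptions["rows_tested"] = len(ledger)
    return exceptions


if __name__ == "__main__":
    result = run_caat(LEDGER)
    print(f"rows tested: {result['rows_tested']} of {len(LEDGER)}")
    for test, hits in result.items():
        if test != "rows_tested":
            print(f"{test}: {hits}")
```

Each rule encodes a business rule the auditor has to understand first (who may approve what, when postings normally occur), which is the design work the annotation says the auditor cannot leave to the tool. The population here is six rows, but the same loop covers a ledger of millions of rows without sampling, which is the validity gain the article attributes to audit software.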