Chapter 15 - Accounting and Information Systems Department

IT Controls Part I:
Sarbanes-Oxley &
IT Governance
Accounting Information Systems, 5th edition
James A. Hall

Key features of Sections 302 and 404 of the Sarbanes-Oxley Act
Management and auditor responsibilities under Sections 302 and 404
Risks of incompatible functions and how to structure the IT function
Controls and security of the organization's computer facilities
Key elements of a disaster recovery plan

The 2002 Sarbanes-Oxley (SOX) Act established new corporate governance rules:
◦ Created a company accounting oversight board
◦ Increased accountability for company officers and the board of directors
◦ Increased white-collar crime penalties
◦ Prohibits a company's external audit firm from providing financial information systems

Section 302 – in quarterly and annual financial statements, management must:
◦ certify the internal controls over financial reporting
◦ state responsibility for internal control design
◦ provide reasonable assurance as to the reliability of the financial reporting process
◦ disclose any recent material changes in internal controls

Section 404 – in the annual report on internal control effectiveness, management must:
◦ state responsibility for establishing and maintaining adequate internal control over financial reporting
◦ assess internal control effectiveness
◦ reference the external auditors' attestation report on management's internal control assessment
◦ provide explicit conclusions on the effectiveness of internal control over financial reporting
◦ identify the framework management used to conduct its internal control assessment
▪ For example: COBIT


Modern financial reporting is driven by information technology (IT).
IT initiates, authorizes, records, and reports the effects of financial transactions.
◦ Internal controls over financial reporting are therefore inextricably integrated with IT.

COSO identifies two groups of IT controls:
◦ application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
◦ general controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development


Pre-SOX, audits did not require internal control tests.
◦ Auditors were only required to be familiar with the client's internal controls
◦ The audit consisted primarily of substantive tests
SOX radically expanded the scope of the audit:
◦ Issue a new audit opinion on management's internal control assessment
◦ Required to test internal controls affecting financial information, especially internal controls to prevent fraud
◦ Collect documentation of management's internal control tests and interview management on internal control changes

Tests of controls – tests to determine if appropriate internal controls are in place and functioning effectively
Substantive testing – detailed examination of account balances and transactions


Audit objective – verify that individuals in incompatible areas are segregated to minimize risk while promoting operational efficiency.
Internal controls, especially segregation of duties, are affected by the type of organizational structure:
◦ Centralized model
◦ Distributed model
[Figure: Centralized computer services function – organization chart. Units shown: President; VP Marketing; VP Computer Services (Systems Development: New Systems Development, Systems Maintenance; Database Administration; Data Processing: Data Preparation, Data Control, Computer Operations, Data Library); VP Finance.]
[Figure: Distributed organizational structure – organization chart. Units shown: President; VP Finance (Treasurer, Controller); VP Marketing; VP Administration; VP Operations (Manager Plant X, Manager Plant Y); each unit with its own workstation.]

Need to separate:
◦ systems development from computer operations/processing
◦ the database administrator from other computer service functions
▪ especially the database administrator (DBA) and systems development
▪ the DBA authorizes access
◦ maintenance from new systems development
◦ the data library from operations

There are many advantages to using distributed data processing (DDP), yet there are control implications:
◦ incompatible software among the various work centers
◦ data redundancy may result
◦ consolidation of incompatible tasks
◦ lack of standards

A corporate computer services function/information center may help to alleviate the potential problems associated with DDP by providing:
◦ central testing of commercial hardware and software
◦ user services staff
◦ a standards-setting body
◦ review of the technical credentials of prospective systems professionals
[Figure: General Control Framework for CBIS Exposures – areas shown: Organizational Structure, Operating System, Data Management, Internet & Intranet, Systems Development, Systems Maintenance, EDI Trading Partners, Applications, Personal Computers, Computer Center Security.]
Audit objectives:
◦ physical security internal controls protect the computer center from physical exposures
◦ insurance coverage compensates the organization for damage to the computer center
◦ operator documentation addresses routine operations as well as system failures
Considerations:
◦ location away from human-made and natural hazards
◦ utility and communications lines underground
◦ keep windows closed – use air filtration systems
◦ access limited to operators and other necessary workers; others required to sign in and out
◦ fire suppression systems should be installed
◦ backup power supplies



Control Objective 1 – Transaction authorization is separate from transaction processing.
Control Objective 2 – Asset custody is separate from record-keeping responsibilities.
Control Objective 3 – The tasks needed to process the transactions are subdivided so that fraud requires collusion.
[Figure: segregation of duties within a transaction – authorization, processing, custody and recording shown as separate tasks (Task 1 through Task 4).]





Review corporate policy on computer security
◦ Verify that the security policy is communicated to employees
Review documentation to determine if individuals or groups are performing incompatible functions
Review systems documentation and maintenance records
◦ Verify that maintenance programmers are not also design programmers
Observe whether segregation policies are followed in practice
◦ Example: check operations room access logs to determine if programmers enter for reasons other than system failures
Review user rights and privileges
◦ Verify that programmers have access privileges consistent with their job descriptions
Review insurance coverage on hardware, software, and the physical facility
Review operator documentation and run manuals for completeness and accuracy
◦ Verify that operational details of a system's internal logic are not in the operator's documentation
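Two of the segregation-of-duties audit tests above can be automated over exported access rights and access logs. The script below is an added example, not code from Hall's chapter: it flags users whose rights span the incompatible function pairs the chapter lists, and programmers entering the operations room without a system-failure reference. The function names, user names, log format and the `INCIDENT-` reason-code convention are constructed assumptions.

```python
# Added example (not from Hall's text): two audit tests of segregation of
# duties, run over constructed data. Function names, users, log layout and
# the "INCIDENT-" reason code are assumptions made for this illustration.
from itertools import combinations

# Systems development is split into new development and maintenance.
DEVELOPMENT = {"new_systems_development", "systems_maintenance"}

# Incompatible function pairs from the chapter: development vs. operations,
# DBA vs. development, maintenance vs. new development, library vs. operations.
INCOMPATIBLE = {
    frozenset({"new_systems_development", "systems_maintenance"}),
    frozenset({"data_library", "computer_operations"}),
} | {frozenset({d, "computer_operations"}) for d in DEVELOPMENT} \
  | {frozenset({d, "dba"}) for d in DEVELOPMENT}

# Constructed sample: user -> IT functions granted by their access rights.
USER_FUNCTIONS = {
    "alice": {"new_systems_development"},
    "bob": {"systems_maintenance", "new_systems_development"},
    "carol": {"dba", "systems_maintenance"},
    "dave": {"computer_operations", "data_library"},
    "erin": {"computer_operations"},
}

# Constructed operations-room access log: user,entry time,reason code.
ACCESS_LOG = """\
alice,2024-03-04T02:15,INCIDENT-118
alice,2024-03-06T14:02,-
bob,2024-03-07T09:30,-
erin,2024-03-07T09:31,-
"""

def sod_violations(user_functions=USER_FUNCTIONS):
    """Map each user to the incompatible function pairs their rights combine."""
    findings = {}
    for user, funcs in user_functions.items():
        hits = [pair for pair in combinations(sorted(funcs), 2)
                if frozenset(pair) in INCOMPATIBLE]
        if hits:
            findings[user] = hits
    return findings

def unjustified_programmer_entries(log=ACCESS_LOG, user_functions=USER_FUNCTIONS):
    """(user, time) for programmers entering operations without a failure reference."""
    flagged = []
    for line in log.splitlines():
        user, when, reason = line.split(",")
        is_programmer = bool(user_functions.get(user, set()) & DEVELOPMENT)
        if is_programmer and not reason.startswith("INCIDENT-"):
            flagged.append((user, when))
    return flagged
```

Each finding is an exception for the auditor to follow up against job descriptions and incident records, not a conclusion on its own.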


Disaster recovery plans (DRP) identify:
◦ actions before, during, and after the disaster
◦ the disaster recovery team
◦ priorities for restoring critical applications

Audit objective – verify that the DRP is adequate and feasible for dealing with disasters
Major internal control concerns:
◦ second-site backups
◦ critical applications and databases
▪ including supplies and documentation
◦ backup and off-site storage procedures
◦ disaster recovery team
◦ testing the DRP regularly


Disaster recovery plan
◦ Include all actions to be taken before, during, and after the disaster
◦ Disaster recovery team identified
◦ Critical applications (modules/programs) must be identified
▪ restore these applications first
Backups and off-site storage procedures
◦ databases and applications
◦ documentation
◦ supplies




Mutual Aid Pact – agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs
Empty Shell/Cold Site – two or more user organizations buy or lease a building and remodel it into a computer site, but without computer equipment
Recovery Operations Center/Hot Site – completely equipped site; very costly and typically shared among many companies
Internally Provided Backup – companies with multiple data processing centers may create internal excess capacity



Evaluate the adequacy of second-site backup arrangements
Review the list of critical applications for completeness and currency
Verify that procedures are in place for storing off-site copies of applications and data
◦ Check the currency of backups and copies
Verify that documentation, supplies, etc., are stored off-site
Verify that the disaster recovery team knows its responsibilities
◦ Check the frequency of testing the DRP

From Appendix

Attestation:
◦ a CPA is engaged to issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party

Assurance:
◦ professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
◦ includes, but is not limited to, attestation


A financial audit is an independent attestation by a professional (CPA) regarding the faithful representation of the financial statements.
Three phases of a financial audit:
◦ familiarization with the client firm
◦ evaluation and testing of internal controls
◦ assessment of the reliability of financial data


External auditors – represent the interests of third-party stakeholders (financial institutions, shareholders, other creditors, etc.)
Internal auditors – serve an independent appraisal function within the organization
◦ Often perform tasks that help achieve audit efficiency and reduce external audit fees

Since most information systems employ IT, the IT audit is a critical component of all external and internal audits.
IT audits:
◦ focus on the computer-based aspects of an organization's information system
◦ assess the proper implementation, operation, and control of computer resources


Phases of an IT Audit
Systematic procedures are used
Evidence is obtained
◦ tests of internal controls
◦ substantive tests
Determination of the materiality of weaknesses found
Prepare the audit report and audit opinion

Audit risk is the probability that the auditor will issue an unqualified (clean) opinion when in fact the financial statements really are materially misstated.



Inherent risk is associated with the unique characteristics of the client's business or industry.
Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
Detection risk is the risk that auditors are willing to take that errors not prevented or detected by the control structure will also not be detected by the auditor.