Chapter 9 - Accounting and Information Systems Department

advertisement
IT Controls Part I:
Sarbanes-Oxley &
IT Governance
Accounting Information Systems, 5th edition
James A. Hall





Key features of Sections 302 and 404 of
Sarbanes-Oxley Act
Management and auditor responsibilities
under Sections 302 and 404
Risks of incompatible functions and how to
structure IT function
Controls and security of organization’s
computer facilities
Key elements of disaster recovery plan
2

The 2002 Sarbanes-Oxley (SOX) Act
established new corporate governance rules
◦ Created company accounting oversight board
◦ Increased accountability for company officers and
board of directors
◦ Increased white collar crime penalties
◦ Prohibits a company’s external audit firms from
providing financial information systems
3

Section 302—in quarterly and annual
financial statements, management must:
◦ certify the internal controls over financial reporting
◦ state responsibility for internal control design
◦ provide reasonable assurance as to the reliability of
the financial reporting process
◦ disclose any recent material changes in internal
controls
4

Section 404—in annual report on internal
control effectiveness, management must:
◦ state responsibility for establishing /maintaining
adequate financial reporting internal control
◦ assess internal control effectiveness
◦ Refer to the external auditors’ attestation report
on management’s internal control assessment
◦ provide explicit conclusions on the effectiveness
of financial reporting internal control
◦ Identify the framework management used to
conduct their internal control assessment
 Examples – COSO or COBIT
5
http://www.microsoft.com/msft/reports/ar08/10k_fr_con.html
6


Modern financial reporting is driven by
information technology (IT)
IT initiates, authorizes, records, and reports
the effects of financial transactions.
◦ Financial reporting internal controls are
inextricably integrated to IT.

COSO identifies two groups of IT controls:
◦ application controls – apply to specific
applications and programs, and ensure data
validity, completeness and accuracy
◦ general controls – apply to all systems and
address IT governance and infrastructure,
security of operating systems and databases, and
application and program acquisition and
development
7


Pre-SOX, audits did not require internal control tests.
◦ Only required to be familiar with client’s internal control
◦ Audit consisted primarily of substantive tests (tests of
account balances)
SOX – radically expanded scope of audit
◦ Issue new audit opinion on management’s internal control
assessment
◦ Required to test internal control affecting financial
information, especially internal control to prevent fraud
◦ Collect documentation of management’s internal control
tests and interview management on internal control changes
8
 Tests
of controls – tests to
determine if appropriate internal
controls are in place and
functioning effectively
 Substantive testing – detailed
examination of account balances
and transactions
9


Audit objective – verify that individuals in
incompatible areas are segregated to minimize
risk while promoting operational efficiency
internal controls, especially segregation of
duties, are affected by the type of
organizational structure:
◦ Centralized model
◦ Distributed model
10
President
CENTRALIZED COMPUTER
SERVICES FUNCTION
VP
Marketing
VP Computer
Services
Systems
Development
New Systems
Development
Database
Administration
VP
Finance
Data
Processing
Data
Computer
Preparation Operations
Data
Library
President
VP
Finance
Treasurer
Work
station
Data
Control
Systems
Maintenance
DISTRIBUTED ORGANIZATIONAL
STRUCTURE
VP
Marketing
VP
Operations
Work
station
VP
Administration
Manager
Plant X
Controller
Work
station
VP
Operations
Work
station
Work
station
Manager
Plant Y
Work
station
11

Need to separate:
◦ systems development from computer
operations/processing
◦ database administrator and other computer
service functions
 especially database administrator (DBA) and
systems development
 DBA authorizes access
◦ maintenance and new systems development
◦ data library and operations
(assumes internally developed software)
12

Many advantages to using DDP, yet there
are control implications:
◦ incompatible software among various work
centers
◦ data redundancy may result
◦ consolidation of incompatible tasks
◦ lack of standards
13

Corporate computer services
function/information center may help to alleviate
potential problems associated with DDP by
providing:
◦
◦
◦
◦
central testing of commercial hardware and software
user services staff
standards setting body
reviewing technical credentials of prospective systems
professionals
14
Organizational Structure
Internet
& Intranet
Operating
Data
System
Management
Internet
& Intranet
Systems
Development
EDI Trading
Systems
Partners
Maintenance Applications
Personal Computers
Computer Center Security
General Control Framework for CBIS Exposures
15
Audit objectives:
◦ physical security internal control protects the
computer center from physical exposures
◦ insurance coverage compensates the organization
for damage to the computer center
◦ operator documentation addresses routine
operations as well as system failures
(centralized or DDP)
16
Considerations:






location away from human-made and natural
hazards
utility and communications lines underground
keep windows closed – use air filtration systems
access limited to operators and other necessary
workers; others required to sign in and out
fire suppression systems should be installed
backup power supplies
(centralized or DDP)
17



Transaction authorization is separate from
transaction processing.
Asset custody is separate from recordkeeping responsibilities.
The tasks needed to process the transactions
are subdivided so that fraud requires
collusion.
18





Review corporate policy on computer security
◦ Verify that security policy is communicated to employees
Review documentation to determine if individuals or groups
are performing incompatible functions
Review systems documentation and maintenance records
◦ Verify that maintenance programmers are not also design
programmers
Observe if segregation policies are followed in practice.
◦ Example: check operations room access logs to determine if
programmers enter for reasons other than system failures
Review user rights and privileges
◦ Verify that programmers have access privileges consistent
with their job descriptions
19
Review insurance coverage on
hardware, software, and physical
facility
 Review operator documentation, run
manuals, for completeness and
accuracy
 Verify that operational details of a
system’s internal logic are not in the
operator’s documentation

20

Disaster recovery plans (DRP) identify:
◦ actions before, during, and after the disaster
◦ disaster recovery team
◦ priorities for restoring critical applications

Audit objective – verify that DRP is
adequate and feasible for dealing with
disasters
21
 Major
IC concerns:
◦ second-site backups
◦ critical applications and databases
 including supplies and documentation
◦ back-up and off-site storage
procedures
◦ disaster recovery team
◦ testing the DRP regularly
22


Disaster recovery plan
◦ Include all actions to be taken
before, during, and after disaster
◦ Disaster Recovery Team identified
◦ critical applications
(modules/programs)
must be identified
 restore these applications first
Backups and off-site storage
procedures
◦ databases and applications
◦ documentation
◦ supplies
23




Mutual Aid Pact - agreement between two or more
organizations (with compatible computer facilities)
to aid each other with their data processing needs
Empty Shell/Cold Site - involves two or more user
organizations that buy or lease building and
remodel it into computer site, but without computer
equipment
Recovery Operations Center/Hot Site - completely
equipped site; very costly and typically shared
among many companies
Internally Provided Backup - companies with
multiple data processing centers may create internal
excess capacity
24



Evaluate adequacy of second-site backup
arrangements
Review list of critical applications for
completeness and currency
Verify procedures are in place for storing
off-site copies of applications/ data
◦ Check currency back-ups and copies


Verify that documentation, supplies, etc.,
are stored off-site
Verify that disaster recovery team knows
its responsibilities
◦ Check frequency of testing DRP
25
26
Download