Advanced Accounting Information Systems
Day 18
IT Auditing Wrap-up / Control Frameworks Introduction
October 5, 2009

Announcements
  – Revised syllabus
  – Assignment 3
  – Assignment 4

Outline for today
Continuous auditing example
Hot dog cart case

Validating Computer Programs
Tests of program change controls
  – Responsibility system of computer program development and maintenance
Program comparison
  – Control total tests
Review of systems software
  – Operating system software
  – Utility programs that do basic ‘housekeeping’ chores such as sorting and copying
  – Program library software that controls and monitors storage of programs
  – Access control software that controls logical access to programs and data files
Validating users and access privileges
Continuous auditing
  – Embedded audit modules or audit hooks (SCARF)
  – Exception reporting
  – Transaction tagging
  – Snapshot technique
  – Continuous and intermittent simulation

IT Auditing Today
Component of IT governance
  – Process of using IT resources effectively to meet organizational objectives
  – Two objectives
      • Focus on use of IT strategically to fulfill the organizational mission and to compete effectively
      • Making sure that organization’s IT resources are managed effectively and that management controls IT related risks

Fraud triangle (SAS 99)
Incentive / pressure
Opportunity
Rationalization

SOX
Section 201 – services outside scope of practice of auditors
Section 302 – corporate responsibility for financial reports
Section 404 – management assessment of IC
  – Small companies must now comply – see SEC press release

Continuous Auditing
In groups of two to three, answer the following questions:
  – List two definitions of continuous auditing in the paper and explain how they differ
  – Develop your own definition of continuous auditing
  – Approximately what year did continuous auditing start in?

Continuous Auditing
In groups of two to three, answer the following questions:
  – Identify factors influencing whether internal auditing can be appraised as attaining continuous auditing status
  – How does continuous auditing differ from continuous monitoring?

Continuous Auditing – American Electric Power
In groups of two to three, answer the following questions:
  – How does American Electric Power implement continuous auditing?
  – What technology does American Electric Power internal auditing use to implement continuous auditing?
  – What is a safety audit?

Continuous Auditing – Microsoft
In groups of two to three, answer the following questions:
  – What factors did Microsoft expect when it developed its continuous auditing program?
  – What problems did it actually encounter?
  – Is Microsoft using continuous auditing or continuous monitoring (or both) today? Explain.
  – How does Microsoft internal audit monitor its business activities for possible fraud?

Continuous Auditing – Hospital Corporation of America
In groups of two to three, answer the following questions:
  – How does Hospital Corporation of America (HCA) determine which automated audits to implement?
  – Give examples of variables HCA monitors.
  – How does HCA reduce the threat that senior management could manipulate their financial statements?

Hot Dog Cart Case
What business objectives do you expect your new employee to achieve?
What operational and financial risks do you face with allowing an employee to run your hot dog cart?

Hot Dog Cart Case
How can the problem of lack of segregation of duties be addressed when you are away from the business?

Hot Dog Cart Case
What controls could you develop to mitigate (notice I did NOT say completely eliminate) the operational and financial risks identified above while achieving your business objectives?

Hot Dog Cart Case
How can we organize the controls identified above to ensure that our business objective is achieved?

Questions for Wednesday
Identify two control frameworks discussed in our textbook and determine if either framework would be useful if you were considering expanding your hot dog cart business.