2.
The PCAOB's Auditing Standard No. 2 endorses the use of COSO as the framework
for control assessment.
3.
4.
The objectives of application controls are to ensure the validity, completeness, and
accuracy of financial transactions.
5.
Examples include:
6.
General controls apply to all systems. They are not application specific. General
controls include controls over IT governance, the IT infrastructure, security and
access to operating systems and databases, application acquisition and
development, and program changes.
7.
8.
9.
11.
General controls apply to a wide range of exposures that systematically threaten the
integrity of all applications processed within the CBIS environment. Some examples
of general controls are controls against viruses and controls to protect the hardware
from vandalism. Application controls are narrowly focused on exposures within
specific systems. Some examples of application controls are controls to make sure
that each employee only receives one paycheck per pay period and controls to
ensure that each invoice gets paid only once.
12.
13.
14.
Many firms that do not use CASE tools with automatic documentation features face
this problem because the systems professionals do not find this task as interesting as
the design, testing, and implementation steps. Further, the systems professionals
are typically eager or pressured to move on to another project before documentation
is complete. Job security is another reason for poor systems documentation.
15.
16.
a.
b.
c.
d.
e.
f.
18.
Fault tolerance is the ability of the system to continue operation when part of the
system fails due to hardware failure, application program error, or operator error.
Various levels of fault tolerance can be achieved by implementing redundant system
components.
19.
RAID is the use of parallel disks that contain redundant elements of data and
applications. If one disk fails, the lost data are automatically reconstructed from the
redundant components stored on the other disks.
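The reconstruction the answer describes rests on parity: a parity chunk is the XOR of the data chunks in a stripe, so any single missing chunk equals the XOR of everything that survives. The following Python block is an added illustration of that principle (it is not from the original answer key and is not any vendor's RAID implementation); the disk contents and the four-disk layout are constructed for the example.

```python
"""Added example: single-parity stripe reconstruction, the principle behind the
parity-based RAID levels. Sample data and disk count are constructed."""

from functools import reduce


def xor_blocks(blocks):
    """XOR a list of equal-length byte strings together, column by column."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def write_stripe(data: bytes, n_data_disks: int):
    """Split `data` into n_data_disks equal chunks (zero padded) and return the
    chunks followed by their parity chunk, i.e. one full stripe."""
    chunk = -(-len(data) // n_data_disks)          # ceiling division
    padded = data.ljust(chunk * n_data_disks, b"\x00")
    chunks = [padded[i * chunk:(i + 1) * chunk] for i in range(n_data_disks)]
    return chunks + [xor_blocks(chunks)]


def can_rebuild(disks, lost) -> bool:
    """A single parity chunk can repair exactly one missing chunk. `disks` holds
    the stripe with unavailable chunks set to None; `lost` is the index to rebuild."""
    missing = [i for i, d in enumerate(disks) if d is None]
    return missing == [lost]


def reconstruct(disks, lost):
    """Rebuild the chunk at index `lost` from the surviving chunks and parity."""
    if not can_rebuild(disks, lost):
        missing = [i for i, d in enumerate(disks) if d is None]
        raise ValueError(f"cannot rebuild: missing disks {missing}")
    return xor_blocks([d for d in disks if d is not None])


def demo() -> bool:
    """Write a stripe, fail one data disk, rebuild it, and report success."""
    stripe = write_stripe(b"GL batch 4711: AR posting", 4)   # constructed payload
    original = stripe[1]
    degraded = list(stripe)
    degraded[1] = None                                      # simulate disk 1 failing
    return reconstruct(degraded, 1) == original


if __name__ == "__main__":
    print("rebuilt correctly:", demo())
```

The edge case worth noting for an auditor assessing fault tolerance is the second branch of `can_rebuild`: with one parity chunk, two simultaneous failures are not recoverable, which is why higher-availability configurations add a second parity disk or mirror the data as well.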
20.
21.
The auditor cannot be an advocate of the client, but must attest to whether GAAP
and other appropriate guidelines have been adequately met.
22.
23.
Assurance services are professional services that are designed to improve the
quality of information, both financial and nonfinancial, used by decision makers. The
domain of assurance services is intentionally unbounded so that it does not inhibit
the growth of future services that are currently unforeseen. For example, assurance
services may be contracted to provide information about the quality or marketability
of a product.
24.
25.
26.
a. systematic process
b. obtaining evidence
c. ascertaining the degree of correspondence with established criteria
d. communicating results
Materiality refers to the size of the effect of a transaction. From a cost-benefit point
of view, a threshold is set, above which the auditor is concerned with the correct
recording and effects of transactions.
28.
The auditors perform an analysis and assessment of audit risk that includes an
investigation of the organization's general controls and application controls. The
primary techniques for gathering evidence at this phase are using questionnaires,
interviewing management, reviewing systems documentation, and observing
activities.
29.
The tests of controls phase involves determining whether internal controls are in
place and whether they function properly. The substantive testing phase involves a
detailed investigation of specific account balances and transactions.
30.
Audit risk is the probability that the auditor will render an unqualified (clean) opinion
on financial statements that are, in fact, materially misstated.
31.
32.
Inherent risk is associated with the unique characteristics of the business or industry
of the client. Firms in declining industries are considered to have more inherent risk
than firms in stable or thriving industries. Inherent risk will not be reduced by internal
control. Control risk is the likelihood that the control structure is flawed because
internal controls are either absent or inadequate to prevent or detect errors in the
accounts. Internal controls may be present in firms, yet the financial statements may
be materially misstated due to circumstances outside the control of the firm. For
example, a customer, on the verge of bankruptcy, has an outstanding Accounts
Receivable that is unlikely to be collected. Detection risk is the risk that auditors are
willing to accept that errors are not detected or prevented by the control structure.
Typically, detection risk will be lower for firms with higher inherent risk and control
risk.
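The relationship between the three components and the detection risk the auditor can accept is usually written with the standard audit risk model. The worked figures below are an added illustration, not part of the original answer key; the numerical values are assumed for the example.

$$
AR = IR \times CR \times DR \quad\Longrightarrow\quad DR = \frac{AR}{IR \times CR}
$$

Holding the planned audit risk at $AR = 0.05$: a client assessed at $IR = 0.8$ and $CR = 0.5$ leaves the auditor with $DR = \dfrac{0.05}{0.8 \times 0.5} = 0.125$, whereas a client assessed at $IR = 0.5$ and $CR = 0.2$ allows $DR = \dfrac{0.05}{0.5 \times 0.2} = 0.5$. The higher the inherent and control risk, the lower the detection risk the auditor may accept, and the more substantive testing is needed to achieve it.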
33.
The relationship between tests of controls and substantive testing is directly related
to the auditor's risk assessment. The stronger the internal controls, the less substantive
testing the auditor must do.
34.
The auditor should review the current organization chart, mission statements, job
descriptions of key functions, systems maintenance records, and programmer
authority tables. Actual behavior should be observed to see whether the job
descriptions are in line with the tasks people are actually performing. Sometimes, job
descriptions may turn out to be theoretical in nature, while the reality is quite different.
36.
a.
b.
c.
d.
e.
DISCUSSION QUESTIONS
1.
Section 302 requires that corporate management (including the CEO) certify
quarterly and annually their organization's internal controls over financial reporting.
The certifying officers are required to:
a. have designed internal controls.
b. disclose any material changes in the company's internal controls that have
occurred during the most recent fiscal quarter.
2.
3.
The SEC has made specific reference to the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) as a recommended control
framework. Furthermore, the PCAOB's Auditing Standard No. 2 endorses the use of
COSO as the framework for control assessment. Although other suitable frameworks
have been published, according to Standard No. 2, any framework used should
encompass all of COSO's general themes.
4.
Auditors had the option of not relying on internal controls in the conduct of an audit
and therefore did not need to test them. Instead, auditors could focus primarily on
substantive tests. Under SOX, management is required to make specific assertions
regarding the effectiveness of internal controls. To attest to the validity of these
assertions, auditors are required to test the controls.
6.
7.
This involves:
a. Selecting the financial accounts that have material implications for financial
reporting.
b. Identifying the application controls related to those accounts.
c. Identifying the general controls that support the application controls. The sum of
these controls, both application and general, constitutes the relevant internal
controls over financial reporting that need to be reviewed.
8.
9.
The bank that has its data stored for all of its branches on one mainframe computer
is at greater risk of access control. All of the firm's records are centrally housed.
Once a perpetrator gains unauthorized access to the system, the data for all 10
branches are at risk. By contrast, in the distributed configuration the perpetrator
would have to breach security for each of the 13 branch computers that store its
data on its own minicomputers. Thus, the bank with all of its data centrally stored on
a mainframe is more vulnerable to access control. The primary disasters of concern
in California are earthquakes and fires. The bank with a central mainframe in San
Francisco is probably at the greatest risk of damage from both earthquakes and fires.
If that system is destroyed, all of the branches lose their processing capability, and
possibly stored data.
10.
The lowest cost method is internally provided backup. With this method,
organizations with multiple data-processing centers may invest in internal excess
capacity and support themselves in the case of disaster in one data processing
center. In terms of cost, the next highest method is the empty shell, where two or
more organizations buy or lease space for a data-processing center. The space is
made ready for computer installation; however, no computer equipment is installed.
This method requires lease or mortgage payments, as well as payment for air
conditioning and raised floors. The risk of this method is that the hardware, software,
and technicians may be difficult, if not impossible, to have available in the case of a
natural disaster. Further, if multiple members' systems crash simultaneously, an
allocation problem exists. The method with the lowest risk, and also the highest cost, is
The critical applications should be identified and prioritized by the user departments,
accountants, and auditors. The applications should be prioritized based on the
impact to the short-run survival of the firm. The frequency with which the priorities
need to be assessed depends on the amount and kinds of changes that are made to
systems over time. Firms that make changes frequently should reassess priorities
frequently.
12.
The existence or occurrence assertion affirms that all assets and equities
contained in the balance sheet exist and that all transactions in the income
statement actually occurred.
The completeness assertion declares that no material assets, equities, or
transactions have been omitted from the financial statements.
The rights and obligations assertion maintains that assets appearing on the
balance sheet are owned by the entity and that the liabilities reported are
obligations.
The valuation or allocation assertion states that assets and equities are valued in
accordance with generally accepted accounting principles and that allocated
amounts such as depreciation expense are calculated on a systematic and rational
basis.
The presentation and disclosure assertion alleges that financial statement items
are correctly classified (e.g., long-term liabilities will not mature within one year) and
that footnote disclosures are adequate to avoid misleading the users of financial
statements.
Having the internal auditing function report to the controller is unacceptable. If the
controller is aware of or involved in a fraud or defalcation, then he/she may give
false or inaccurate information to the auditors. The possibility that the auditors may
lose their jobs if they do not keep certain matters quiet also exists. Further, the fraud
may be occurring at a level higher than the controller, and the controller may fear
losing his/her job if the matter is pursued. The best route is to have the internal
auditing function report directly to the board of directors.
15.
Virtually all audits involve some form of computer-based system. Thus, financial
auditing must include IS auditing.
16.
In the CBIS environment, the data needed to perform audit tests are contained in
computer files that must be extracted using specialized audit software.
17.
Assessing systems development controls requires more judgment than some of the
other areas.
18.
19.
MULTIPLE CHOICE
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
PROBLEMS
1.
a. When talking of the physical environment, the auditors are not just talking of the
potential threat of physical intruders and sabotage, but also of environmental
hazards such as fires, floods, wind, earthquakes, or power outages. Though these
occurrences are relatively rare, they still should be accounted for, as they can
seriously hamper operations. The company would not only lose the
investment in the servers and computer systems but also the data and the ability to
do business. As is evident, software checks cannot prevent such losses.
b. These are the six control features that contribute directly to the security of the
computer server environment:
i. Physical Location: The physical location of the computer center affects the
risk of disaster directly. The computer center should be away from human-made
and natural hazards as much as possible, such as processing plants,
gas and water mains, airports, high-crime areas, flood plains, and geological
faults.
ii. Construction: Ideally, a computer center should be located in a single-story
building of solid concrete with controlled access. Utility and communication
lines should be underground. The building windows should not open. An air
filtration system should be in place that is capable of excluding dust, pollen,
and dust mites.
iii. Access: Access should be limited to operators and other employees who work
there. Programmers and analysts who need access to correct program errors
should be required to sign in and out. The computer center should maintain
accurate records of all such events to verify access control. The main
entrance to the computer center should be through a single door, though fire
exits with alarms are important. Closed-circuit cameras with video recording are
also highly advisable.
iv. Air Conditioning: Mainframes and servers, as in the case with Avatar, have
heavy processing volumes. These are designed to work at their optimal levels
only within a narrow range of conditions, most importantly the temperature.
Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit
and a relative humidity of 50 percent. Logic errors and static electricity risks can
be mitigated by proper use of air conditioning.
v. Fire Suppression: major features should include:
1. Automatic and manual alarms: Placed in strategic locations connected to
fire stations.
2. Automatic fire extinguishing system: These should not be water sprinklers;
use carbon dioxide or halon extinguishers.
3. Manual fire extinguisher.
4. Fire exits: Clearly marked and illuminated.
vi. Power Supply: Commercially provided electrical power presents several
problems that can disrupt the computer center's operations, including total power
failures, brownouts, and power fluctuations, all of which could have severely
Programmers should have limited access to computers to include only testing and
debugging activities.
3.
The computer operators supervisor should have access to the computer room.
The tasks of programming, operations, and control should be separated.
Reconciliation of the computer log should be conducted by the computer
operations supervisor or other independent employee.
EDP system documentation should also include programs, flowcharts, and
operator instructions.
A computerized master price list file should be used to record the prices.
Processing controls, such as completeness tests, validation tests, and
reasonableness tests, should be put in place to assure that errors in the input
records will be detected when processing occurs.
Control totals, hash totals, and record counts should be implemented to ensure
the authorization of data and to prevent data losses from going unnoticed or
being improperly changed.
The numerical sequence of shipping notices should be checked by the computer
to report any missing numbers.
Billing and cash collections should be separate from accounts receivable.
The invoices should not be forwarded to the billing clerk; they should be
forwarded to someone else, such as the mailroom clerk, to mail to the customers.
The billing clerk should maintain a copy of the adding machine tapes to reconcile
with the daily sales register.
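The processing controls named in this answer (completeness, validation and reasonableness tests, control totals, hash totals, record counts, and the numerical sequence check on shipping notices) are the concrete mechanisms behind the validity, completeness and accuracy objectives of application controls stated earlier in the chapter. The Python block below is an added example, not code from the original answer key or from any particular system; the master price list, the batch of shipping notices, the batch-header control values and the field names are all constructed for the illustration.

```python
"""Added example: input and processing controls run over a constructed batch
of shipping notices. Every value here is made up for the illustration."""

from decimal import Decimal

# Constructed master price list (the computerised price file the answer calls for).
MASTER_PRICES = {"A100": Decimal("12.50"), "B200": Decimal("40.00"), "C300": Decimal("7.25")}

# Constructed batch as received by the billing application. Each record carries
# a deliberate defect except the first two; notice 1003 never arrived.
BATCH = [
    {"notice_no": 1001, "customer": "C-17", "item": "A100", "qty": 4},
    {"notice_no": 1002, "customer": "C-22", "item": "B200", "qty": 1},
    {"notice_no": 1004, "customer": "C-17", "item": "C300", "qty": 2},
    {"notice_no": 1005, "customer": "",     "item": "A100", "qty": 3},     # missing field
    {"notice_no": 1006, "customer": "C-09", "item": "Z999", "qty": 1},     # unknown item
    {"notice_no": 1007, "customer": "C-31", "item": "B200", "qty": 5000},  # implausible qty
]

# Control totals the shipping department computed over the seven notices it sent
# (constructed). The hash total is the sum of notice numbers: meaningless as a
# business figure, but it changes if any record is dropped or altered.
BATCH_HEADER = {"record_count": 7, "hash_total": 7028,
                "financial_total": Decimal("200167.00")}

REQUIRED_FIELDS = ("notice_no", "customer", "item", "qty")
MAX_REASONABLE_QTY = 500   # assumed upper bound for a single shipment line


def validate_record(rec):
    """Return the list of control failures for one record (empty means it passes)."""
    errors = []
    for f in REQUIRED_FIELDS:                       # completeness test
        if rec.get(f) in (None, ""):
            errors.append(f"completeness:{f}")
    if rec.get("item") not in MASTER_PRICES:        # validation test against master file
        errors.append("validation:item")
    qty = rec.get("qty")                            # reasonableness test on quantity
    if not isinstance(qty, int) or not 0 < qty <= MAX_REASONABLE_QTY:
        errors.append("reasonableness:qty")
    return errors


def batch_totals(batch):
    """Recompute record count, hash total and financial total from the records received."""
    financial = sum(MASTER_PRICES.get(r["item"], Decimal(0)) * r["qty"] for r in batch)
    return {"record_count": len(batch),
            "hash_total": sum(r["notice_no"] for r in batch),
            "financial_total": financial}


def control_total_mismatches(batch, header):
    """Compare sender's control totals with recomputed ones; return the differing keys."""
    recomputed = batch_totals(batch)
    return {k: (header[k], recomputed[k]) for k in header if header[k] != recomputed[k]}


def find_sequence_gaps(batch):
    """Report notice numbers missing between the lowest and highest number received."""
    seen = set(r["notice_no"] for r in batch)
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def process_batch(batch, header):
    """Run all controls and return an exception report for the operations supervisor."""
    return {
        "record_errors": {r["notice_no"]: e for r in batch if (e := validate_record(r))},
        "control_total_mismatches": control_total_mismatches(batch, header),
        "sequence_gaps": find_sequence_gaps(batch),
    }


if __name__ == "__main__":
    for key, value in process_batch(BATCH, BATCH_HEADER).items():
        print(f"{key}: {value}")
```

Each control catches a different failure: the record-level tests flag individual bad inputs, the control-total comparison shows that the batch is no longer what the sending department released, and the sequence check names the specific notice that was lost, which is the evidence the supervisor needs when reconciling the run.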
4.
5.
Since the employee will have performed several highly incompatible tasks, this
company needs to employ strong password access controls and constantly require
their employees to change their passwords, especially since they have had the
opportunity to either design or view authorization access tables. Further, strong
controls over program maintenance, such as program modification reports, are also
a necessity. The key is that when an employee transfers from one job to another,
he/she should absolutely have no access to perform any functions in any of the
previous positions.
7.
SunGard separates its recovery services into three groups: high availability, systems
recovery, and end-user recovery. Each contains specific services companies can
utilize to ensure continuity under the most drastic situations. Together, the services
support the most extensive disaster recovery plan.
The goal of high availability is to ensure the ongoing availability of information, to
eliminate exposure to lost information, to reduce overall business risk, and to help
ensure that the revenue stream will stay intact. Many companies rely on redundant
storage to ensure the availability of information under uncertainty. If data is damaged
or erased, the company can use the backup information to recover lost records and
continue normal processing. The problem that exists is that many firms process and
store files at the same location. This exposes backup files to the same risks as the
information system. To remedy this problem SunGard offers a data mirroring system
b.
9.
a.
b.
c.
may also assist the external auditors with their review of the internal control
system.
The responsibilities of the Micro Dynamics audit committee in the financial
reporting process include:
obtaining assurance that the organization's control system is adequate and
effective, to identify risk and exposure, and that the financial disclosures made
by management reasonably reflect the financial position, results of operations,
and changes in cash flow.
reviewing the progress of the audit and the final audit findings.
acting as a liaison between the auditors and the board of directors.
The internal auditor must have and maintain objectivity, which implies no
subordination of judgment to another and arises from an independent mental
attitude which views events on a factual basis without influence from feelings,
prejudice, opinions, or interests.
The analysis is as follows:
i. The internal auditor's objectivity is not impaired by the preparation of policy
statements on internal control. The preparation of policy statements to guide
others in the development and implementation of internal controls is a
responsibility of the internal audit staff.
ii. The internal auditor's objectivity is impaired. To maintain objectivity, the auditor
should not perform operational assignments that are included as part of the
independent evaluation and verification of a proper system of internal control.
Separation of duties must be maintained.
iii. Objectivity is not impaired in the review of the budget for relevance and
reasonableness if the internal auditor has no responsibility for establishing or
implementing the budget. However, the review of variances and explanations
would impair objectivity, as this is an area that would normally be reviewed
during an operational audit.
iv. Objectivity is impaired to the extent that the internal auditor has been involved
in the design and installation of internal accounting controls as there will be
little confidence in audit findings issued by the individual who designed and
installed the system being audited.
v. The preparation of accounting records will materially impair the internal
auditor's objectivity by involving the auditor in day-to-day operations.
The director of internal audit reports directly to the corporate controller.
i. This reporting relationship adversely affects the objectivity of the internal audit
department. The corporate controller is responsible for the accounting system
and related operational transactions. The internal audit staff is responsible for
the independent and objective review and examination of the accounting
system and related operational transactions. Independence and objectivity
may not exist because the internal audit staff is responsible for reviewing
the work of the corporate controller, the person to whom it reports.
ii. No, the responses for requirement (b) would not be affected by the internal
audit staff reporting to an audit committee rather than the corporate controller.
In order to maintain objectivity, the internal audit staff should refrain from
a. This company needs to make sure that the following items are included in their
LAN and PC design.
i. Data encryption techniques for the sending of sensitive data from one file to
another over the LAN.
ii. Access controls for files on the LAN file server.
iii. Access controls for data on hard drives of the personal computers.
iv. Backup policy and procedures for data on the file server and the PCs.
v. Software support policy.
vi. Virus protection for the LAN and for the PCs.
vii. Output policy regarding which documents may be printed on the server
printer.
b. If the following controls are not implemented, the following exposures may
surface:
i. sensitive files may be intercepted as they are traveling around the LAN
cabling devices.
ii. unauthorized access to sensitive files on the file server and user PCs.
iii. data loss from poor backup.
iv. incompatible file formats between workers.
v. data loss from viruses.
vi. passwords stolen from trojan horse devices.
vii. sensitive printouts being printed on a common printer.