
CHAPTER 15

IT CONTROLS PART I: SARBANES-OXLEY AND IT GOVERNANCE

REVIEW QUESTIONS
1.

The chapter concentrates on internal control and audit responsibilities pursuant to Sections 302 and 404.

2.

The PCAOB's Auditing Standard No. 2 endorses the use of COSO as the framework for control assessment.

3.

Application controls and general controls

4.

The objectives of application controls are to ensure the validity, completeness, and
accuracy of financial transactions.

5.

Examples include:
- A cash disbursements batch-balancing routine that verifies that the total payments to vendors reconcile with the total postings to the accounts payable subsidiary ledger.
- An accounts receivable check-digit procedure that validates customer account numbers on sales transactions.
- A payroll system limit check that identifies employee time card records with reported hours worked in excess of the predetermined normal limit.
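
The check-digit and limit-check controls above, as an added worked example in Python (not from the textbook). The Luhn mod-10 scheme, the 60-hour normal limit, and the sample records are assumptions; the chapter names none of them.

```python
"""Field-level application controls: check digit and limit check.

Added example, not from the textbook. The Luhn (mod 10) check-digit scheme,
the 60-hour payroll limit, and the sample records below are assumptions.
"""
from dataclasses import dataclass


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit that should follow the digits in `body`.

    Walking from the rightmost digit of the body, every digit at an even
    offset is doubled (the check digit itself will sit to its right), doubled
    values above 9 have 9 subtracted, and the check digit is whatever brings
    the sum to a multiple of 10.
    """
    total = 0
    for offset, ch in enumerate(reversed(body)):
        d = int(ch)
        if offset % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def valid_account_number(acct: str) -> bool:
    """Validity test: the last digit must be the Luhn check digit of the rest.

    This catches single-digit keying errors and most adjacent transpositions,
    the typical ways a customer number gets mistyped on a sales transaction.
    """
    if not acct.isdigit() or len(acct) < 2:
        return False
    return luhn_check_digit(acct[:-1]) == acct[-1]


@dataclass(frozen=True)
class SalesTransaction:
    customer_acct: str
    amount: float


@dataclass(frozen=True)
class TimeCard:
    employee_id: str
    hours: float


NORMAL_HOURS_LIMIT = 60.0  # assumed predetermined normal limit


def validate_sales(transactions):
    """Split transactions into (accepted, rejected) by the check-digit test.

    Rejected items keep the offending account number so the error can be
    corrected at the source rather than silently dropped.
    """
    accepted, rejected = [], []
    for t in transactions:
        (accepted if valid_account_number(t.customer_acct) else rejected).append(t)
    return accepted, rejected


def limit_check(cards, limit=NORMAL_HOURS_LIMIT):
    """Return the IDs of time cards whose hours exceed the limit.

    A limit check flags rather than rejects: an over-limit record may be
    legitimate overtime, so it goes to a supervisor for review.
    """
    return [c.employee_id for c in cards if c.hours > limit]


# Constructed sample data. 79927398713 is the well-known Luhn example; the
# second number transposes two adjacent digits and the third corrupts one.
SALES = [
    SalesTransaction("79927398713", 120.00),
    SalesTransaction("79927389713", 35.50),
    SalesTransaction("79927398719", 99.99),
]
TIME_CARDS = [
    TimeCard("E100", 40.0),
    TimeCard("E101", 61.5),
    TimeCard("E102", 60.0),
]

if __name__ == "__main__":
    ok, bad = validate_sales(SALES)
    print("accepted:", [t.customer_acct for t in ok])
    print("rejected:", [t.customer_acct for t in bad])
    print("over limit:", limit_check(TIME_CARDS))
```

Note that E102 at exactly 60.0 hours is not flagged: the limit is a strict "in excess of" test, which is the usual reading of a predetermined normal limit.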

6.

General controls apply to all systems. They are not application specific. General
controls include controls over IT governance, the IT infrastructure, security and
access to operating systems and databases, application acquisition and
development, and program changes.

7.

In a manual authorization system, management and auditors can verify compliance with established authorization rules by observing the employees involved and reviewing their work. In an automated authorization system, the authorization is unobserved by management, and control failure may go unnoticed until the firm experiences some undesirable symptoms.

8.

In a CBIS environment, it would be inefficient and contrary to the objectives of automation to separate such tasks as processing and recording a transaction among several different application programs merely to emulate a manual control model. Further, the reason for separating tasks is to control against the negative behavior of humans; in a CBIS the computer performs the tasks, not humans.

9.

a. Transaction authorization is separate from transaction processing.
b. Asset custody is separate from record-keeping responsibilities.
c. Separation of tasks so that no one individual or group is responsible for authorization, recording, and custody.

2008 Cengage Learning

Chapter 15 Page 458


10.

Computer fraud and losses from disaster

11.

General controls apply to a wide range of exposures that systematically threaten the
integrity of all applications processed within the CBIS environment. Some examples
of general controls are controls against viruses and controls to protect the hardware
from vandalism. Application controls are narrowly focused on exposures within
specific systems. Some examples of application controls are controls to make sure
that each employee only receives one paycheck per pay period and controls to
ensure that each invoice gets paid only once.

12.

The operations activities should be separated from systems development and maintenance activities, and any relationships between these two groups should be through formal and controlled channels. The systems development and maintenance groups create and maintain the applications. The operations personnel run the systems and should have no input in their design. The less the operations personnel know about the applications' logic and control parameters, the less likely they are to make unauthorized changes to these applications for personal gain.

13.

One problem that may occur is inadequate documentation. Documenting is not considered as interesting a task as designing, testing, and implementing a new system, thus a systems professional may move on to a new project rather than spend time documenting an almost complete project. Job security may be another reason a programmer may not fully document his or her work. Another problem that may occur is the increased potential for fraud. If the original programmer generates fraudulent code during development, then this programmer, through maintenance procedures, may disable the code prior to audits. Thus, the programmer can continue to cover his or her tracks.

14.

Many firms that do not use CASE tools with automatic documentation features face this problem because the systems professionals do not find this task as interesting as the design, testing, and implementation steps. Further, the systems professionals are typically eager or pressured to move on to another project before documentation is complete. Job security is another reason for poor systems documentation.

15.

The role of a corporate computer services department differs in that it is not a completely centralized model. Instead, the group plays the role of provider of technical advice and expertise to distributed computer services. Thus, it provides much more support than would be received in a completely distributed model. A corporate computer services department provides a means for central testing of commercial hardware and software in an efficient manner. Further, the corporate group can provide users with services such as installation of new software and troubleshooting hardware and software problems. The corporate group can establish systems development, programming, and documentation standards. The corporate group can aid the user groups in evaluating the technical credentials of prospective systems professionals.

16.

Incompatibility, redundancy, consolidating incompatible activities, acquiring qualified professionals, and lack of standards.



17.

a. physical location controls
b. construction controls
c. access controls
d. air conditioning controls
e. fire suppression controls
f. power supply controls

18.

Fault tolerance is the ability of the system to continue operation when part of the
system fails due to hardware failure, application program error, or operator error.
Various levels of fault tolerance can be achieved by implementing redundant system
components.

19.

RAID is the use of parallel disks that contain redundant elements of data and
applications. If one disk fails, the lost data are automatically reconstructed from the
redundant components stored on the other disks.
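
How "lost data are automatically reconstructed" works in the parity-based RAID levels, as an added example that is not from the textbook: a byte string is striped across three data disks with one dedicated XOR parity disk (the RAID 4 layout; RAID 5 rotates the parity block across disks but rebuilds the same way), a disk is lost, and its contents are recovered from the survivors. The payload, block size and disk count are constructed for the example. Mirroring (RAID 1), the other redundancy scheme the definition covers, needs no arithmetic: the copy is the reconstruction.

```python
"""XOR parity striping and single-disk reconstruction (RAID 4 layout).

Added example, not from the textbook. Disk count, block size and the sample
payload are constructed for illustration.
"""


def xor_blocks(blocks):
    """XOR equal-length byte strings together; the core of parity RAID."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe(data: bytes, n_data: int, block_size: int = 4):
    """Stripe `data` round-robin over n_data disks and append a parity disk.

    Returns n_data + 1 equal-length byte strings. The payload is zero-padded
    so that every disk receives the same number of whole blocks.
    """
    pad = -len(data) % (n_data * block_size)
    padded = data + b"\x00" * pad
    disks = [bytearray() for _ in range(n_data)]
    for blk_no, start in enumerate(range(0, len(padded), block_size)):
        disks[blk_no % n_data] += padded[start:start + block_size]
    parity = xor_blocks(disks)
    return [bytes(d) for d in disks] + [parity]


def rebuild_disk(disks, failed: int) -> bytes:
    """Rebuild one failed disk (data or parity) from all the others.

    Because P = D0 ^ D1 ^ ... ^ Dn, any single missing term equals the XOR
    of the remaining ones; the entry at index `failed` is never read.
    """
    return xor_blocks([d for i, d in enumerate(disks) if i != failed])


def reassemble(disks, n_data: int, length: int, block_size: int = 4) -> bytes:
    """Interleave the data disks back into the original byte string."""
    out = bytearray()
    blocks_per_disk = len(disks[0]) // block_size
    for j in range(blocks_per_disk):
        for d in range(n_data):
            out += disks[d][j * block_size:(j + 1) * block_size]
    return bytes(out[:length])


def recover(disks, failed: set, n_data: int, length: int, block_size: int = 4) -> bytes:
    """Return the original data after the disks in `failed` are lost.

    Single parity tolerates exactly one failure. A second concurrent failure
    (the classic rebuild-window risk) is unrecoverable with this layout, so
    it is reported instead of silently returning garbage.
    """
    if len(failed) > 1:
        raise ValueError(f"{len(failed)} disks failed; single parity tolerates 1")
    degraded = [None if i in failed else d for i, d in enumerate(disks)]
    for idx in failed:
        degraded[idx] = rebuild_disk(degraded, idx)
    return reassemble(degraded, n_data, length, block_size)


# Constructed payload: 29 bytes, striped over 3 data disks in 4-byte blocks,
# so it is padded to 36 bytes and each disk holds 12.
DATA = b"GL BATCH 2008-03-31 POSTED OK"
DISKS = stripe(DATA, 3)

if __name__ == "__main__":
    for failed in range(len(DISKS)):
        print(f"disk {failed} lost ->", recover(DISKS, {failed}, 3, len(DATA)))
```

The parity disk is rebuilt by the same routine as a data disk, which is why the array can lose the parity member too; what it cannot do is survive two simultaneous losses, and the rebuild time after the first failure is the window in which the second one is most dangerous.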

20.

The purpose of an audit is to provide an independent attestation as to the fairness and accuracy of the financial statements.

21.

The auditor cannot be an advocate of the client, but must attest to whether GAAP
and other appropriate guidelines have been adequately met.

22.

The attest service is an engagement in which a practitioner is engaged to issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party (SSAE No. 1, AT Sec. 100.01).

23.

Assurance services are professional services that are designed to improve the
quality of information, both financial and nonfinancial, used by decision makers. The
domain of assurance services is intentionally unbounded so that it does not inhibit
the growth of future services that are currently unforeseen. For example, assurance
services may be contracted to provide information about the quality or marketability
of a product.

24.

The three conceptual phases of auditing are: 1) familiarization with the organization's business, 2) evaluating internal controls, and 3) analyzing financial data. Conceptually, no difference exists between IT auditing and general auditing. IT auditing is typically a subset of the overall audit: the portion that involves computer technology.

25.

External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies. External auditing is conducted by certified public accountants who are independent of the organization's management. Internal auditors represent the interests of management. Internal auditing tasks include conducting financial audits, examining an operation's compliance with legal obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting EDP audits.

26.

a. systematic process
b. obtaining evidence
c. ascertaining the degree of correspondence with established criteria
d. communicating results



27.

Materiality refers to the size of the effect of a transaction. From a cost-benefit point
of view, a threshold is set, above which the auditor is concerned with the correct
recording and effects of transactions.

28.

The auditors perform an analysis and assessment of audit risk that includes an investigation of the organization's general controls and application controls. The primary techniques for gathering evidence at this phase are using questionnaires, interviewing management, reviewing systems documentation, and observing activities.

29.

The tests of controls phase involves determining whether internal controls are in
place and whether they function properly. The substantive testing phase involves a
detailed investigation of specific account balances and transactions.

30.

Audit risk is the probability that the auditor will render an unqualified (clean) opinion
on financial statements that are, in fact, materially misstated.

31.

Errors are unintentional mistakes, while irregularities are intentional misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. Processes that involve human actions will contain some amount of human error. Computer processes should only contain errors if the programs are erroneous, or if systems operating procedures are not being closely and competently followed. Errors are typically much easier to uncover than misrepresentations, thus auditors typically are more concerned with whether they have uncovered any and all irregularities.

32.

Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries are considered to have more inherent risk than firms in stable or thriving industries. Inherent risk will not be reduced by internal control: internal controls may be present, yet the financial statements may still be materially misstated due to circumstances outside the control of the firm. For example, a customer on the verge of bankruptcy has an outstanding accounts receivable balance that is unlikely to be collected. Control risk is the likelihood that the control structure is flawed because internal controls are either absent or inadequate to prevent or detect errors in the accounts. Detection risk is the risk that auditors are willing to accept that errors which the control structure neither prevents nor detects will also escape the auditor's own procedures. Typically, the auditor will accept a lower detection risk for firms with higher inherent risk and control risk, and will therefore do more substantive testing.

33.

The relationship between tests of controls and substantive testing is directly tied to the auditor's risk assessment. The stronger the internal controls, the less substantive testing the auditor must do.

34.

The following are examples of general control areas:
a. operating system controls
b. data management controls
c. organizational structure controls
d. systems development controls
e. systems maintenance controls
f. computer center security and controls
g. Internet and intranet controls
h. electronic data interchange controls
35.

The auditor should review the current organization chart, mission statements, job descriptions of key functions, systems maintenance records, and programmer authority tables. Actual behavior should be observed to see whether the job descriptions are in line with the tasks people are actually performing. Sometimes, job descriptions may turn out to be theoretical in nature, while the reality is quite different.

36.

a. tests of physical construction
b. tests of the fire detection system
c. tests of access control
d. tests of the backup power supply

DISCUSSION QUESTIONS
1.

Section 302 requires that corporate management (including the CEO) certify quarterly and annually their organization's internal controls over financial reporting. The certifying officers are required to:
a. have designed internal controls.
b. disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter.

2.

Section 404 requires the management of public companies to assess the effectiveness of their organization's internal controls over financial reporting and provide an annual report addressing the following points: 1) a statement of management's responsibility for establishing and maintaining adequate internal control; 2) an assessment of the effectiveness of the company's internal controls over financial reporting; 3) a statement that the organization's external auditors have issued an attestation report on management's assessment of the company's internal controls; 4) an explicit written conclusion as to the effectiveness of internal control over financial reporting; and 5) a statement identifying the framework used by management to conduct their assessment of internal controls.

3.

The SEC has made specific reference to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a recommended control framework. Furthermore, the PCAOB's Auditing Standard No. 2 endorses the use of COSO as the framework for control assessment. Although other suitable frameworks have been published, according to Standard No. 2, any framework used should encompass all of COSO's general themes.

4.

Consider an organization with poor database security controls. In such a situation, even data processed by systems with adequate built-in application controls may be at risk. An individual who can circumvent database security may then change, steal, or corrupt stored transaction data. Thus, general controls are needed to support the functioning of application controls, and both are needed to ensure accurate financial reporting.



5.

Auditors had the option of not relying on internal controls in the conduct of an audit
and therefore did not need to test them. Instead, auditors could focus primarily on
substantive tests. Under SOX, management is required to make specific assertions
regarding the effectiveness of internal controls. To attest to the validity of these
assertions, auditors are required to test the controls.

6.

No. Auditors are permitted to simultaneously render a qualified opinion on management's assessment of internal controls and render an unqualified opinion on the financial statements. In other words, it is technically possible for auditors to find internal controls over financial reporting to be weak, but to conclude through substantive tests that the weakness did not cause the financial statements to be materially misstated.

7.

This involves:
a. Selecting the financial accounts that have material implications for financial
reporting.
b. Identifying the application controls related to those accounts.
c. Identifying the general controls that support the application controls. The sum of
these controls, both application and general, constitute the relevant internal
controls over financial reporting that need to be reviewed.

8.

Standard No. 2 places new responsibility on auditors to detect fraudulent activity. The standard emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements. Management is responsible for implementing such controls, and auditors are expressly required to test them.

9.

The bank that has the data for all of its branches stored on one mainframe computer faces the greater access-control risk. All of the firm's records are centrally housed: once a perpetrator gains unauthorized access to the system, the data for all 10 branches are at risk. In the other bank, a perpetrator would have to breach security separately at each of the 13 branch computers, since each branch stores its data on its own minicomputer. Thus the bank with all of its data centrally stored on a mainframe is more vulnerable to an access-control failure. The primary disaster concerns in California are earthquakes and fires. The bank with a central mainframe in San Francisco is probably at the greatest risk of damage from both earthquakes and fires: if that system is destroyed, all of the branches lose their processing capability, and possibly their stored data.

10.

The lowest-cost method is internally provided backup. With this method, organizations with multiple data-processing centers may invest in internal excess capacity and support themselves in the case of a disaster at one data-processing center. In terms of cost, the next highest method is the empty shell, where two or more organizations buy or lease space for a data-processing center. The space is made ready for computer installation; however, no computer equipment is installed. This method requires lease or mortgage payments, as well as payment for air conditioning and raised floors. The risk of this method is that the hardware, software, and technicians may be difficult, if not impossible, to obtain in the aftermath of a natural disaster. Further, if multiple members' systems crash simultaneously, an allocation problem exists. The method with the lowest risk, and also the highest cost, is the recovery operations center. This method takes the empty shell concept one step further: the computer equipment is actually purchased and software may even be installed. Assuming that this site is far enough away from the disaster-stricken area not to be affected by the disaster, this method can be a very good safeguard.

11.

The critical applications should be identified and prioritized by the user departments,
accountants, and auditors. The applications should be prioritized based on the
impact to the short-run survival of the firm. The frequency with which the priorities
need to be assessed depends on the amount and kinds of changes that are made to
systems over time. Firms that make changes frequently should reassess priorities
frequently.

12.

The attest service is defined as an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. The following requirements apply to attestation services:
- Attestation services require written assertions and a practitioner's written report.
- Attestation services require the formal establishment of measurement criteria or their description in the presentation.
- The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

Assurance services constitute a broader concept that encompasses, but is not limited to, attestation. Assurance services are professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision makers. Assurance services are intended to help people make better decisions by improving information. This information may come as a by-product of the attest function or it may ensue from an independently motivated review.

13.

The existence or occurrence assertion affirms that all assets and equities
contained in the balance sheet exist and that all transactions in the income
statement actually occurred.
The completeness assertion declares that no material assets, equities, or
transactions have been omitted from the financial statements.
The rights and obligations assertion maintains that assets appearing on the
balance sheet are owned by the entity and that the liabilities reported are
obligations.
The valuation or allocation assertion states that assets and equities are valued in
accordance with generally accepted accounting principles and that allocated
amounts such as depreciation expense are calculated on a systematic and rational
basis.
The presentation and disclosure assertion alleges that financial statement items
are correctly classified (e.g., long-term liabilities will not mature within one year) and
that footnote disclosures are adequate to avoid misleading the users of financial
statements.



14.

Having the internal auditing function report to the controller is unacceptable. If the
controller is aware of or involved in a fraud or defalcation, then he/she may give
false or inaccurate information to the auditors. The possibility that the auditors may
lose their jobs if they do not keep certain matters quiet also exists. Further, the fraud
may be occurring at a level higher than the controller, and the controller may fear
losing his/her job if the matter is pursued. The best route is to have the internal
auditing function report directly to the board of directors.

15.

Virtually all audits involve some form of computer-based system. Thus, financial auditing must include IS auditing.

16.

In the CBIS environment, the data needed to perform audit tests are contained in
computer files that must be extracted using specialized audit software.

17.

Assessing systems development controls requires more judgment than some of the other areas.

18.

Exposure: unauthorized program changes
Control: segregation of duties
Audit objective: to verify that programmers and operators do not perform incompatible tasks
Test of control: review of organization chart, job descriptions, password controls, and physical access controls

19.

Computing center security is an area where judgment is necessary to determine if the controls in place are adequate from a cost-benefit standpoint. Preparing for disasters is difficult since one can only speculate as to the disaster and its consequences.

MULTIPLE CHOICE
1.

2.

3.

4.

5.

6.

7.

8.

9.

10.


PROBLEMS
1.

a. When talking of the physical environment, the auditors are not just talking of the potential threat of physical intruders and sabotage, but also of environmental hazards such as fires, floods, wind, earthquakes, or power outages. Though these occurrences are relatively rare, they still should be accounted for, as they can seriously hamper operations. The company would not only lose the investment in the servers and computer systems but also the data and the ability to do business. As is evident, software checks cannot prevent such losses.
b. These are the six control features that contribute directly to the security of the
computer server environment:
i. Physical Location: The physical location of the computer center directly affects the risk of disaster. The computer center should be as far as possible from human-made and natural hazards such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults.
ii. Construction: Ideally, a computer center should be located in a single-story
building of solid concrete with controlled access. Utility and communication
lines should be underground. The building windows should not open. An air
filtration system should be in place that is capable of excluding dust, pollen,
and dust mites.
iii. Access: Access should be limited to operators and other employees who work there. Programmers and analysts who need access to correct program errors should be required to sign in and out. The computer center should maintain accurate records of all such events to verify access control. The main entrance to the computer center should be through a single door, though fire exits with alarms are important. Closed-circuit cameras with video recording are also highly advisable.
iv. Air Conditioning: Mainframes and servers, as in the case with Avatar, have
heavy processing volumes. These are designed to work at their optimal levels
only within a narrow range of conditions, most importantly the temperature.
Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit
and a relative humidity of 50 percent. Logic errors and static electricity risks can
be mitigated by proper use of air conditioning.
v. Fire Suppression: major features should include:
1. Automatic and manual alarms: Placed in strategic locations connected to
fire stations.
2. Automatic fire extinguishing system: These should not be water sprinklers;
use carbon dioxide or halon extinguishers.
3. Manual fire extinguisher.
4. Fire exits: Clearly marked and illuminated.
vi. Power Supply: Commercially provided electrical power presents several problems that can disrupt the computer center's operations, including total power failures, brownouts, and power fluctuations, all of which could have severely detrimental effects on the server system. The company should look into surge protectors, generators, batteries, and voltage regulators.
2.

Programmers should have limited access to computers to include only testing and
debugging activities.

3.

- The computer operator's supervisor should have access to the computer room.
- The tasks of programming, operations, and control should be separated.
- Reconciliation of the computer log should be conducted by the computer operations supervisor or other independent employee.
- EDP system documentation should also include programs, flowcharts, and operator instructions.
- A computerized master price list file should be used to record the prices.
- Processing controls, such as completeness tests, validation tests, and reasonableness tests, should be put in place to assure that errors in the input records will be detected when processing occurs.
- Control totals, hash totals, and record counts should be implemented to ensure the authorization of data and to prevent data losses from going unnoticed or being improperly changed.
- The numerical sequence of shipping notices should be checked by the computer to report any missing numbers.
- Billing and cash collections should be separate from accounts receivable.
- The invoices should not be forwarded to the billing clerk; they should be forwarded to someone else, such as the mailroom clerk, to mail to the customers.
- The billing clerk should maintain a copy of the adding machine tapes to reconcile with the daily sales register.
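
The batch-level controls recommended above (control totals, hash totals, record counts, and the sequence check on pre-numbered documents), together with the cash-disbursements batch-balancing routine from review question 5, as one added example that is not from the textbook. The batch is constructed: a source batch of vendor checks, then two posted copies, one with a record dropped and one with a vendor number transposed, to show which total catches which error. Field names and values are assumptions.

```python
"""Batch-level application controls: record count, control total, hash total,
and sequence check.

Added example, not from the textbook. Records and field names are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Disbursement:
    check_no: int        # pre-numbered document, so gaps are detectable
    vendor_no: int       # meaningless to add up, which is the point of a hash total
    amount: Decimal      # dollar value, summed into the control total


@dataclass(frozen=True)
class BatchTotals:
    record_count: int
    control_total: Decimal
    hash_total: int


def compute_totals(records) -> BatchTotals:
    """Totals taken at the source (the figures on a batch transmittal sheet)."""
    return BatchTotals(
        record_count=len(records),
        control_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(r.vendor_no for r in records),
    )


def reconcile(expected: BatchTotals, posted) -> list:
    """Recompute the totals after processing and list every mismatch.

    An empty result means the posted batch balances to the source batch.
    """
    actual = compute_totals(posted)
    problems = []
    if actual.record_count != expected.record_count:
        problems.append(f"record count {actual.record_count} != {expected.record_count}")
    if actual.control_total != expected.control_total:
        problems.append(f"control total {actual.control_total} != {expected.control_total}")
    if actual.hash_total != expected.hash_total:
        problems.append(f"hash total {actual.hash_total} != {expected.hash_total}")
    return problems


def missing_sequence(records, first=None, last=None) -> list:
    """Document numbers absent from a pre-numbered range.

    Bounds default to the lowest and highest numbers present; pass the
    register's own first/last numbers to also catch a dropped endpoint.
    """
    present = {r.check_no for r in records}
    lo = min(present) if first is None else first
    hi = max(present) if last is None else last
    return [n for n in range(lo, hi + 1) if n not in present]


# Constructed sample: four checks cut at the source.
SOURCE = [
    Disbursement(1001, 4321, Decimal("1250.00")),
    Disbursement(1002, 1876, Decimal("310.45")),
    Disbursement(1003, 9034, Decimal("88.10")),
    Disbursement(1004, 2210, Decimal("4400.00")),
]
# Posted copy 1: check 1003 dropped in transit.
POSTED_DROPPED = [r for r in SOURCE if r.check_no != 1003]
# Posted copy 2: vendor 4321 keyed as 4312. Count and amounts are unchanged,
# so the hash total is the only figure that can catch it.
POSTED_TRANSPOSED = [Disbursement(1001, 4312, Decimal("1250.00"))] + SOURCE[1:]

if __name__ == "__main__":
    header = compute_totals(SOURCE)
    print("dropped record:", reconcile(header, POSTED_DROPPED),
          "missing:", missing_sequence(POSTED_DROPPED))
    print("transposed vendor:", reconcile(header, POSTED_TRANSPOSED))
```

The dropped record trips all three totals and the sequence check; the transposed vendor number trips only the hash total, which is why a batch that "balances" on dollars alone is not evidence that every field posted correctly.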

4.

a. When setting systems standards in a distributed processing environment, the pertinent factors to discuss include:
1. Computer hardware factors that need to be considered:
- understanding the primary applications for which the equipment will be used.
- the operating system for each type of hardware and whether appropriate software is available for the desired applications.
- file options such as hard disk drives, Zip drives, floppy diskettes, or CD-ROM.
- communication considerations such as the interface between microcomputers (LANs), mainframe compatibility for downloading and uploading information, and technical specifications of the communication protocol.
2. Controls considerations:
- clear, well-written, tested documentation for hardware and software
- adequate maintenance contracts and software support
- adequate user training
- adequate security provisions for file protection, an effective password policy, appropriate database access authority, backup procedures for internal record integrity, and off-site storage procedures for disaster recovery

b. The benefits of having standardized hardware and software include:
- cost savings from quantity discounts and multiple use of software licensing agreements.
- technological growth capabilities such as network compatibility.
- standardized and centralized system backup procedures for both hardware and software, and provisions for facility sharing in the event of breakdowns.
- improved standard operating procedures and software implementation through experience by a large user base with distributed knowledge.

c. The memorandum is likely to create the following concerns:
- The memorandum suggests a lack of understanding of user needs that may inhibit their cooperation.
- The new policy does not provide for an adequate transition period for converting existing department applications to the prescribed ones.

5.

Compensating controls that Gustave most likely found include:
- mandatory vacations for all employees.
- joint operation by two or more operators.
- rotation of operator duties.
- adequate supervision of all EDP operations.
- comparison of actual computer times to an average or norm.
- investigation of all excess computer time (errors).
- periodic comparison of program code to an archived copy.
- use of a computer activity log.

a. The computer security weaknesses present at Hill Crest Corporation that made it possible for a disastrous data loss to occur include:
- not housing the data-processing facility in a building constructed of fire-retardant materials, instead using one with exposed wooden beams and a wooden-shingled exterior.
- the absence of a sprinkler (halon) system, a fire-suppression system under the raised floor, and fire doors.
- an online system with infrequent (weekly) tape backups. Backups, with checkpoints and restarts, should be performed at least daily. Grandfather and father backup files should be retained at a secure off-site storage location.
- data and programs kept in the data-processing room rather than in a separate library constructed of fire-retardant materials.
- lack of a written disaster recovery plan with arrangements in place to use an alternate off-site computer center in the event of a disaster or an extended service interruption. There was a phone list of DP personnel, but without assigned responsibilities as to actions to be taken when needed.
- lack of complete systems documentation kept outside the data-processing area.
b. The components that should have been included in the disaster recovery plan at Hill Crest Corporation to ensure computer recovery within 72 hours include the following:


- A written disaster recovery plan should be developed, with review and approval by senior management, data-processing management, end-user management, and internal audit.
- Backup data and programs should be stored at an off-site location that will be quickly accessible in an emergency.
- The disaster recovery team should be organized: select the disaster recovery manager, identify the tasks, segregate them into teams, develop an organization chart for disaster procedures, match personnel to team skills and functions, and assign duties and responsibilities to each member.
- The duties and responsibilities of the recovery team include: obtaining use of a previously arranged alternate data-processing facility; activating the backup system and network; retrieving backup data files and programs, restoring programs and data, processing critical applications, and reconstructing data entered into the system subsequent to the latest saved backup/restart point.
c. Factors, other than those included in the disaster recovery plan itself, that should be considered when formulating the plan include:
- arranging business interruption insurance in addition to liability insurance.
- ensuring that all systems and operations documentation is kept up to date and is easily accessible for use in case of a disaster.
- performing a risk/cost analysis to determine the level of expense that may be justified to obtain reasonable, as opposed to certain, assurance that recovery can be accomplished in 72 hours.
6.

Since the employee will have performed several highly incompatible tasks, this
company needs to employ strong password access controls and should require
employees to change their passwords, especially since this employee has had the
opportunity to either design or view the authorization access tables. Further,
strong controls over program maintenance, such as program modification reports,
are also a necessity. The key point is that when an employee transfers from one
job to another, he or she should have absolutely no access to perform any
functions of any previous position.
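An added example, not from the solutions manual, of the control described above: a small authorization/access table in Python in which a job transfer revokes every previous role before granting the new one and flags the user for a password reset, with a review function that lists anyone still holding an incompatible combination of functions. The role names, function names and segregation-of-duties pairs are constructed for illustration; in a real system they come from the organization's own access tables.

```python
# Constructed role definitions: which application functions each job role may
# perform. In a real system these live in the authorization/access table.
ROLE_FUNCTIONS = {
    "programmer": {"modify_program", "read_source"},
    "operator": {"run_job", "mount_tape"},
    "security_admin": {"edit_access_table", "reset_password"},
    "ap_clerk": {"enter_invoice"},
    "ap_supervisor": {"approve_payment"},
}

# Constructed segregation-of-duties matrix: pairs of functions one person must
# never hold at the same time.
INCOMPATIBLE = {
    frozenset({"modify_program", "run_job"}),
    frozenset({"edit_access_table", "run_job"}),
    frozenset({"edit_access_table", "modify_program"}),
    frozenset({"enter_invoice", "approve_payment"}),
}


class AccessTable:
    """Minimal authorization table with an audit trail of every grant and revoke."""

    def __init__(self):
        self.roles = {}                 # user -> set of role names
        self.must_reset_password = set()
        self.audit_log = []             # (action, user, role)

    def permissions(self, user):
        perms = set()
        for role in self.roles.get(user, set()):
            perms |= ROLE_FUNCTIONS[role]
        return perms

    def can(self, user, function):
        return function in self.permissions(user)

    def sod_conflicts(self, user):
        """Incompatible function pairs the user currently holds, sorted for stable output."""
        perms = self.permissions(user)
        return sorted(tuple(sorted(p)) for p in INCOMPATIBLE if p <= perms)

    def grant(self, user, role):
        self.roles.setdefault(user, set()).add(role)
        self.audit_log.append(("grant", user, role))

    def transfer(self, user, new_role):
        """Job change: revoke every previous role, then grant the new one.

        Also flags the user for a credential reset, since someone who designed
        or viewed the access tables in the old job may know more than they should.
        """
        for old in sorted(self.roles.get(user, set())):
            self.audit_log.append(("revoke", user, old))
        self.roles[user] = {new_role}
        self.audit_log.append(("grant", user, new_role))
        self.must_reset_password.add(user)

    def review(self):
        """Periodic access review: every user holding an incompatible combination."""
        findings = {}
        for user in self.roles:
            conflicts = self.sod_conflicts(user)
            if conflicts:
                findings[user] = conflicts
        return findings


def demo():
    # Naive practice: the new role is simply added on top of the old one.
    naive = AccessTable()
    naive.grant("jdoe", "programmer")
    naive.grant("jdoe", "operator")
    # Correct practice: the transfer revokes the old role before granting the new one.
    proper = AccessTable()
    proper.grant("jdoe", "programmer")
    proper.transfer("jdoe", "operator")
    return naive, proper


if __name__ == "__main__":
    naive, proper = demo()
    print("naive review findings:", naive.review())
    print("proper review findings:", proper.review())
```

The review function is the detective half of the control: even when transfers are handled correctly, a periodic pass over the whole table is what catches a programmer who was quietly granted operator functions without a transfer ever being recorded.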

7.

SunGard separates its recovery services into three groups: high availability, systems
recovery, and end-user recovery. Each contains specific services companies can
utilize to ensure continuity under the most drastic situations. Together, the services
support the most extensive disaster recovery plan.
The goal of high availability is to ensure the ongoing availability of information, to
eliminate exposure to lost information, to reduce overall business risk, and to help
ensure that the revenue stream will stay intact. Many companies rely on redundant
storage to ensure the availability of information under uncertainty. If data is damaged
or erased, the company can use the backup information to recover lost records and
continue normal processing. The problem that exists is that many firms process and
store files at the same location. This exposes backup files to the same risks as the
information system. To remedy this problem SunGard offers a data mirroring system
where data from a client's information system is sent directly to a SunGard location
for backup and storage. Within minutes after a disaster occurs, clients can access
up-to-date copies of information that was lost or damaged.
System recovery focuses on recovering mainframe and/or distributed systems
quickly and efficiently. To do this, SunGard provides specialized teams of up to
2,000 technicians working around the clock to get clients' systems running properly.
These teams use a process called Silhouette OS to understand and repair individual
systems. Silhouette OS automatically monitors each client's operating system
environment, and regularly transmits a system profile to a repository at SunGard.
The profile is created using the following information: operating system data,
hardware configuration, storage devices, performance tuning parameters, networks,
system boot files, and configuration files. The server can then be rebuilt at any time in
a reliable, repeatable manner at a SunGard site. This reduces recovery time and
financial losses from downtime.
End-user recovery is dedicated to maintaining employee productivity until systems are
repaired and functional. One technique used is to provide a disaster recovery center. These
centers provide fully furnished workstations, high-speed Internet access, all necessary
hardware and software, and communication devices for the clients' use. Each center is
secure and maintains a backup power supply. Similar to the disaster recovery center is
mobile recovery. SunGard maintains a fleet of over 40 mobile recovery centers that provide
the same benefits as the traditional recovery center, but can be brought directly to
the client. The mobile centers provide workstations for up to 50 employees, and are
guaranteed to be at the client's site within 48 hours of the disaster. Together, the
disaster recovery center and the mobile center will reduce employee downtime
during a disaster and minimize losses.
8.

a. The role of each of the following in the establishment, maintenance, and
evaluation of Micro Dynamics' system of internal control is as follows:
i. Management has the overall responsibility for protecting company assets
and, therefore, for establishing, maintaining, and evaluating the internal
control system.
ii. The audit committee's primary responsibility involves assisting the board of
directors in carrying out its responsibilities as they relate to the organization's
accounting policies, internal control, and financial reporting practices. The
audit committee assists management and the board in fulfilling its fiduciary
and accountability responsibilities, and helps maintain a direct line of
communication between the board and the external and internal auditors.
iii. The external auditor reviews the organization's control structure, including the
control environment, accounting systems, and control procedures, to assess
the control risks for financial statement assertions. In addition, the external
auditor would inform the company of any material weaknesses found during
the review.
iv. The internal audit department performs both operational and financial audits
to determine compliance with established policies and procedures, and
reports its findings and recommendations to management or the audit
committee for evaluation and corrective action. The internal audit department
may also assist the external auditors with their review of the internal control
system.
b. The responsibilities of the Micro Dynamics audit committee in the financial
reporting process include:
obtaining assurance that the organization's control system is adequate and
effective, to identify risk and exposure, and that the financial disclosures made
by management reasonably reflect the financial position, results of operations,
and changes in cash flow.
reviewing the progress of the audit and the final audit findings.
acting as a liaison between the auditors and the board of directors.
9.

a. The internal auditor must have and maintain objectivity, which implies no
subordination of judgment to another and arises from an independent mental
attitude which views events on a factual basis without influence from feelings,
prejudice, opinions, or interests.
b. The analysis is as follows:
i. The internal auditor's objectivity is not impaired by the preparation of policy
statements on internal control. The preparation of policy statements to guide
others in the development and implementation of internal controls is a
responsibility of the internal audit staff.
ii. The internal auditor's objectivity is impaired. To maintain objectivity, the auditor
should not perform operational assignments that are included as part of the
independent evaluation and verification of a proper system of internal control.
Separation of duties must be maintained.
iii. Objectivity is not impaired in the review of the budget for relevance and
reasonableness if the internal auditor has no responsibility for establishing or
implementing the budget. However, the review of variances and explanations
would impair objectivity, as this is an area that would normally be reviewed
during an operational audit.
iv. Objectivity is impaired to the extent that the internal auditor has been involved
in the design and installation of internal accounting controls as there will be
little confidence in audit findings issued by the individual who designed and
installed the system being audited.
v. The preparation of accounting records will materially impair the internal
auditor's objectivity by involving the auditor in day-to-day operations.
c. The director of internal audit reports directly to the corporate controller.
i. This reporting relationship adversely affects the objectivity of the internal audit
department. The corporate controller is responsible for the accounting system
and related operational transactions. The internal audit staff is responsible for
the independent and objective review and examination of the accounting
system and related operational transactions. Independence and objectivity
may not exist because the internal audit staff is responsible for reviewing
the work of the corporate controller, the person to whom it reports.
ii. No, the responses for requirement (b) would not be affected by the internal
audit staff reporting to an audit committee rather than the corporate controller.
In order to maintain objectivity, the internal audit staff should refrain from
performing non-audit functions such as management decision making, design
and installation of systems, record keeping, operational duties, etc.
10.

a. This company needs to make sure that the following items are included in its
LAN and PC design.
i. Data encryption for sensitive data transmitted from one node to another over
the LAN.
ii. Access controls for files on the LAN file server.
iii. Access controls for data on the hard drives of the personal computers.
iv. Backup policy and procedures for data on the file server and the PCs.
v. Software support policy.
vi. Virus protection for the LAN and for the PCs.
vii. Output policy regarding which documents may be printed on the shared server
printer.
b. If these controls are not implemented, the following exposures may
surface:
i. sensitive files may be intercepted as they travel over the LAN cabling and
network devices.
ii. unauthorized access to sensitive files on the file server and user PCs.
iii. data loss from poor backup.
iv. incompatible file formats between workers.
v. data loss from viruses.
vi. passwords stolen by Trojan horse programs.
vii. sensitive printouts being printed on a common printer.
