
Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Module 7: Information technology auditing


Overview
Modules 1 to 6 outline a conceptual framework and methodology for flexibly planning the design of an internal audit. This module describes the distinguishing features of auditing in an IT environment, showing you how to adapt the auditing processes to IT auditing. Specifically, Module 7 looks at the impact of IT on internal auditing and the changing field of IT auditing. You are introduced to two frameworks that assist with the evaluation of IT controls. You learn how such controls are used in computer communications, networking, and end-user environments. The module concludes with a look at the challenges of auditing in this environment where emerging technology is a constant. The pervasive use of technology in organizations today means that, for an internal auditor, understanding the impact of information technology on internal auditing, governance, risk, and control is essential. This module provides this important background information, which is a prerequisite to the modules that follow. In Modules 8, 9, and 10, you apply what you have learned to specific audit engagement situations. You consider how to plan and perform internal audits of the following functions: marketing, purchasing, production, human resources, treasury, and strategic planning. You also learn how internal auditing differs in the private, not-for-profit, and government sectors.

Test your knowledge


Begin your work on this module with a set of test-your-knowledge questions designed to help you gauge the depth of study required.

ISACA (the Information Systems Audit and Control Association), an association that provides guidance on auditing controls for computer systems, maintains an online glossary of terminology that can be used as an additional reference (not examinable).

Learning objectives
7.1 How IT affects the internal audit process
Explain the concerns for internal auditors around IT auditing. (Level 2)

7.2 IT auditing
Discuss how IT auditing has developed in response to the specialized skills required to audit IT systems. (Level 1)

7.3 Risk in an IT environment
Identify the various IT risks and explain how they affect an organization. (Level 1)

7.4 IT control frameworks
Discuss the prevalent IT control frameworks governing technology audits: the IIA's Global Technology Audit Guide (GTAG) 1, Information Technology Controls, and ISACA's Control Objectives for Information and Related Technology (COBIT). (Level 2)

7.5 General controls
Identify the types of general controls used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness. (Level 1)

7.6 Application controls
Identify the types of application controls (procedures) used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness. (Level 1)

7.7 Communications network controls
Outline the types of controls used to address risks in an IT communications and networking environment. (Level 2)

7.8 Controls for end-user computing
Analyze the advantages and risks of an end-user computing environment and the types of controls used. (Level 1)

7.9 Emerging technologies and the auditor
Explain the implications of emerging technologies for the internal auditing profession. (Level 2)

7.10 Impact of e-commerce
Determine the impact of e-commerce on internal auditing. (Level 2)

Module summary


MU1 Module 7: Test your knowledge


1. This is the risk that naturally exists in a particular business or situation. Which of the risks listed below best matches this definition?
a. Technological risk
b. Enterprise risk
c. Specific risk
d. Inherent risk

2. A controller became aware that a competitor appeared to have access to the company's pricing information. The internal auditor determined that the leak was occurring during the electronic transmission of data from branch offices to the head office. Which of the following controls would be most effective in preventing the leak of information?
a. Asynchronous transmission
b. Encryption
c. Use of fibre-optic transmission lines
d. Use of passwords

3. Responsibility for the control of end-user computing exists at the organizational, departmental, and individual user level. Which of the following should be a direct responsibility of the end users themselves?
a. Acquisition of hardware and software
b. Taking of equipment inventories
c. Strategic planning of end-user computing
d. Physical security of equipment

4. Systematic and rigorous testing of programmed controls reduces the risk of misplaced reliance on which of the following?
a. Management oversight to ensure adequate procedures
b. Proliferation of knowledge-based systems
c. Closer linkage between organizational strategy and information
d. Automated controls

5. Which of the following is not a benefit of using IT in solving audit problems?
a. It helps reduce audit risk.
b. It improves the timeliness of the audit.
c. It increases audit opportunities.
d. It improves the auditor's judgment.

6. Which of the following control objectives does not address application systems?
a. Controls designed to ensure that data are not lost, damaged, manipulated, or corrupted while being retrieved or updated
b. Controls designed to ensure the continued reliability of data through the transaction processing cycle
c. Controls designed to ensure that all authorized transactions are initially captured, once only, and are accurately recorded
d. Controls designed to ensure that new application systems development projects are only initiated if they are included in the IT strategic plan

7. Guidance for auditors to assess the control environment and control systems in an IT context is provided through various control frameworks and guidelines. Which of the following statements is true?
a. COBIT, published by the Information Systems Audit and Control Foundation, is geared towards management controls and does not address control objectives relating to application controls, which are of more relevance to the external auditor.
b. CGA-Canada Auditing Guideline No. 6, when used together with COBIT and the CICA IT Control Guidelines by a skilled auditor, will provide adequate guidance on assessing both general computer controls and application controls.
c. A computer audit specialist will always be needed to assess a client's use of technology because the guidelines are complex and information technology is changing all the time.
d. Auditors always have a choice of whether to audit "through the computer" or "around the computer," depending on how much time and the level of skills required to assess the general computer controls and programmed controls in accounting application systems.

8. Each day, after all processing is finished, a bank performs a backup of its online deposit files and retains it for seven days. Copies of each day's transaction files are not retained. Which of the following is the correct assessment?
a. This is valid because having a week's worth of backups permits recovery even if one backup is unreadable.
b. This is risky because restoring from the most recent backup file would omit subsequent transactions.
c. This is valid because it minimizes the complexity of backup/recovery procedures if the online file has to be restored.
d. This is risky because no checkpoint/restart information is kept with the backup files.

9. The accountant who prepared a spreadsheet model for workload forecasting left the company, and her successor was unable to understand how to use the spreadsheet. Which of the following would be the best control for preventing such situations from occurring in the future?
a. Monitor use of end-user computing resources.
b. Ensure end-user computing efforts are consistent with strategic plans.
c. Ensure documentation standards exist and are followed.
d. Make adequate backups for spreadsheet models.

Solutions


MU1 Module 7: Test your knowledge solutions


1.
a. Incorrect. Technological risk exists as a result of using technology to meet enterprise objectives.
b. Incorrect. Enterprise risk is the risk of the firm not achieving its objectives.
c. Incorrect. Specific risk exists as a result of the location or method of operation of a particular function.
d. Correct. The risk that naturally exists in a particular business or situation is inherent risk.

2.
a. Incorrect. Asynchronous transmission is a method of data transmission, not a means of safeguarding data.
b. Correct. Although data may be accessed by tapping into the transmission line, the encryption key is necessary to understand the data being sent.
c. Incorrect. Although fibre-optic transmission lines are difficult to tap, their use will not prevent theft of unencrypted data by someone who has access to them.
d. Incorrect. Although passwords will control access at the sending location and the head office computer, they will not prevent someone from tapping the transmission line.

3.
a. Incorrect. Acquisition of hardware and software is an organizational and departmental responsibility.
b. Incorrect. Taking equipment inventories is an organizational responsibility.
c. Incorrect. Strategic planning is an organizational and departmental responsibility.
d. Correct. An individual user is ordinarily responsible for the physical security of the equipment used.

4.
a. Incorrect. Testing of programmed controls does not eliminate the need for management oversight, which is an essential element of every control structure.
b. Incorrect. Reliance on knowledge-based systems is not misplaced if knowledge bases are adequate.
c. Incorrect. Closer linkage between organizational strategy and information is a strength, not a weakness.
d. Correct. More pervasive use of automated controls increases the need for more systematic and rigorous testing of the development, implementation, and functioning of programmed controls. Fewer compensating manual controls exist in computerized systems than in manual systems.

5.
a. Incorrect. IT allows more data to be reviewed and reduces audit risk.
b. Incorrect. IT can expedite the audit.
c. Incorrect. IT can be used to implement a new approach to the audit of an application or function.
d. Correct. Judgment is the fruit of an auditor's formal education, professional experience, and personal qualities. IT is merely a tool for achieving audit objectives; it does not improve the auditor's judgment.

6.
a. Incorrect. This is an application control objective (storage).
b. Incorrect. This is an application control objective (processing).
c. Incorrect. This is an application control objective (input).
d. Correct. Strategic planning and the prioritizing of application systems development projects are elements of general controls, not application controls.

7.
a. Incorrect. COBIT does address control objectives at the application system level.
b. Correct. It is best to use a combination of available guidelines and control frameworks to demonstrate due diligence in assessing controls within an information technology environment.
c. Incorrect. Although a computer audit specialist may be used, it is not essential when an auditor has sufficient computer audit skills and the information technology environment is not overly complex.
d. Incorrect. Time and lack of knowledge are never valid reasons for restricting your scope. If you plan to place reliance on internal controls in a computerized environment, you will need to examine the controls built into the system.

8.
a. Incorrect. The practice of not retaining daily transaction data is unsound because the bank loses a day's transactions for each backup that is unreadable.
b. Correct. Backups should always be made to ensure that any lost information can be restored. However, not retaining each day's transaction files is risky because information received since the last backup file was created will be lost.
c. Incorrect. The practice of not retaining daily transaction data certainly minimizes complexity, but at the expense of losing transaction data if the online file must be restored from backup.
d. Incorrect. Checkpoint/restart information is not needed. The backups are created after all processing is finished for the day.

9.
a. Incorrect. Lack of monitoring is not the reason the accountant's successor could not use the forecasting model.
b. Incorrect. Lack of consistency is not the reason the accountant's successor could not use the forecasting model.
c. Correct. The accountant's successor could not use the forecasting model because of inadequate documentation.
d. Incorrect. Maintaining adequate backups is necessary, but lack of adequate backup is not the reason why the accountant's successor could not use the forecasting model.
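The recovery problem in question 8 is easy to see when simulated. The following Python is an added example, not part of the course material: on constructed account and transaction data it models a bank that takes an end-of-day backup, loses its online file during a later day, and restores. With no retained transaction files, the restore reproduces only the balances as at the backup, and the gap widens if the most recent backup is unreadable; retaining each day's transaction file (a journal) and rolling it forward after the restore recovers everything. Account numbers, amounts and the failure day are assumptions.

```python
"""Daily backup with and without retained transaction files (question 8).

Added example, not part of the course material. Constructed data models a bank
that backs up its online deposit file after each day's processing and loses the
file part-way through a later day. Restoring the latest readable backup alone
drops every transaction posted after it; retaining each day's transaction file
(a journal) and replaying it after the restore recovers them.
"""
import copy

# Constructed transaction files by processing day: (txn id, account, amount).
DAILY_TRANSACTIONS = {
    1: [("T-1001", "ACC-001", 1000), ("T-1002", "ACC-002", 250)],
    2: [("T-2001", "ACC-001", -300), ("T-2002", "ACC-003", 75)],
    3: [("T-3001", "ACC-002", 120)],
    4: [("T-4001", "ACC-003", 40), ("T-4002", "ACC-001", -50)],
}
FAILURE_DAY = 4  # assumed: online file lost during day 4, before its backup


def apply_txn(balances, txn):
    _, account, amount = txn
    balances[account] = balances.get(account, 0) + amount


def process(retain_journals):
    """Run processing up to the failure.

    Returns the true balances at the moment of failure, the end-of-day backups
    taken before it, and the retained transaction files (empty when the bank
    does not keep them, as in question 8).
    """
    balances, backups, journals = {}, {}, {}
    for day in sorted(DAILY_TRANSACTIONS):
        journals[day] = list(DAILY_TRANSACTIONS[day]) if retain_journals else []
        for txn in DAILY_TRANSACTIONS[day]:
            apply_txn(balances, txn)
        if day < FAILURE_DAY:
            backups[day] = copy.deepcopy(balances)
    return balances, backups, journals


def recover(backups, journals, unreadable=()):
    """Restore the latest readable backup, then roll forward retained journals."""
    readable = [day for day in backups if day not in unreadable]
    if not readable:
        raise RuntimeError("no readable backup within the retention window")
    base = max(readable)
    restored = copy.deepcopy(backups[base])
    for day in range(base + 1, FAILURE_DAY + 1):
        for txn in journals.get(day, []):
            apply_txn(restored, txn)
    return restored


def data_loss(retain_journals, unreadable=()):
    """Per-account difference (true minus restored) after recovery; {} means complete."""
    truth, backups, journals = process(retain_journals)
    restored = recover(backups, journals, unreadable)
    return {acct: truth[acct] - restored.get(acct, 0)
            for acct in truth if truth[acct] != restored.get(acct, 0)}


if __name__ == "__main__":
    print("no journals, latest backup readable:", data_loss(False))
    print("no journals, latest backup unreadable:", data_loss(False, unreadable=(3,)))
    print("journals retained, latest backup unreadable:", data_loss(True, unreadable=(3,)))
```

A week of backups, as in option a, only changes which backup is the base; without the transaction files every day between that base and the failure is still lost, which is why option b is the correct assessment.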


7.1 How IT affects the internal audit process


Learning objective

Explain the concerns for internal auditors around IT auditing. (Level 2)


Required reading

Online reading 7.1-1, CGA-Canada Auditing Guideline No. 6: Auditing in an EDP environment (Level 2)
LEVEL 2

Information technology (IT) is not a new concept for the auditing profession. Every organization has one or more computers on site, or a network of computers. In addition, technological change has accelerated over the past three decades and has had a significant impact on audits. For example, there has been a migration from centralized batch processing of transactions to distributed and networked information systems and web-based, real-time, online update and information retrieval. Technological change has created an increased reliance on both general controls and automated IT application system controls, because there are fewer points of manual intervention in systems. In order to evaluate the adequacy of internal controls in an IT environment and determine the extent to which the controls are operating effectively, an internal auditor must have a good understanding of IT control objectives and criteria.

Concerns for internal auditors


The high degree of reliance on IT by organizations has raised some concerns for internal auditors:

- Lack of senior management expertise adversely affects senior managers' ability to understand, use, and control information technology. This is much less of a concern today than it was a decade or so ago, as computers have become more prevalent and control frameworks such as the IIA's GTAGs and the Information Systems Audit and Control Foundation's Control Objectives for Information and Related Technology (COBIT) have been developed. These developments have helped in addressing this issue.
- Distorted information produced by improperly designed or controlled computer systems can adversely affect the reliability of corporate information and the decisions based on it. In computerized systems, poor design and control can result in information being processed improperly.
- Because of the networking of systems (including access to the Internet) and the concentration of data, organizations are more vulnerable to error, malfunction, computer viruses, and attacks by computer hackers or disgruntled employees.
- Computers perform repetitious tasks, which can result in systematic error. (For example, a programmed computational error produces the wrong result every time the program runs.)
- The nature of computerized processing has resulted in less visible or physical evidence for the auditor.
- Complex information-processing systems can be sophisticated and may be difficult to understand and audit.
- In manual systems, authorization can usually be traced to an individual. In some computer systems, authorizations are automated (for example, credit authorization in point-of-sale or credit card systems). With these systems, controls must be in place to govern the automated authorizations embedded in application programs.
- Rapid developments in IT make for continuous change in the IT environment, which in turn requires changes in controls. The internal auditor also needs to keep abreast of IT changes in the organization.

Despite these concerns, the use of information technology provides an opportunity to improve controls. Properly designed controls built into IT systems can provide better quality and more timely financial and operational information, thereby enhancing the decision-making process.

Standards and guidelines


Standard 1210.A3 (Reading 2-1) states that "Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work." However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing. Read Online reading 7.1-1 for general guidance on how to audit in an IT environment. (Although its focus is from the perspective of the external auditor, this reading provides helpful information for internal auditors as well.)

Impact on the internal audit process


An IT environment does not change the objective or scope of an internal audit, but it does change the way data or information is processed and stored, and will likely affect the internal control procedures. In general, an IT environment affects the following areas:
Skills and competence required of the auditor

In order to evaluate the adequacy of internal controls in an IT environment and assess their operating effectiveness, the internal auditor must have a good understanding of IT internal control objectives and criteria, as explained in Online reading 7.1-1, section 3. Like external auditors, internal auditors must have sufficient understanding of the IT environment to plan the audit, sufficient knowledge of IT to implement the audit procedures, and sufficient skills to competently evaluate the results.
Work performed by others

It is not necessary for every internal auditor to have the skills of an IT audit specialist. Where appropriate, audit teams can include IT audit specialists from within the internal audit department or outsourced resources when the necessary skills are not available internally.
Planning

Planning activities need to consider the IT environment and systems. See section 5 of Online reading 7.1-1 (but remember that this is written from an external audit perspective). Internal auditors should always consider whether using computer-assisted audit techniques will improve the effectiveness and efficiency of their work.
Accounting system and internal control

Internal controls in computerized systems are more difficult to evaluate than those in manual systems. To assess the adequacy of controls in computer systems, auditors must understand how the computer system works and how programmed controls are implemented. This is addressed in section 4 of Online reading 7.1-1 and covered more fully in later topics in this module.
Audit evidence

In evaluating audit evidence, auditors must determine if the computer systems process the information correctly and maintain accurate records. With the exception of small, less complex systems, it may not be sufficient for auditors to audit around the computer, examining only the input and output. Auditing around the computer refers to obtaining assurance by tracing output back to input source documents and vice versa, without directly evaluating the computer system and how the information is processed. Thus, auditors may need to audit through the computer. Auditing through the computer refers to evaluating the programmed controls in the computer to determine if they are adequate and effective. Here are some points to consider: Computer-assisted audit techniques (CAATs) may be required because of the absence of input documents or audit trail.

Timing may be affected if data are not retained for the whole period covered by the audit engagement.

CAATs may be used to improve the efficiency and effectiveness of the compilation of audit evidence and analysis. Prerequisites for the use of CAATs include the availability of computer facilities and software, and the auditor must have the necessary technical competence to perform or supervise the use of CAATs. (The use of CAATs was covered in Topic 5.5, and additional illustrations are included in Topics 8.3 and 9.3.)

Impact on internal control


The impact of IT on internal control is described in section 4 of Online reading 7.1-1. The following control elements are affected by IT.
Organizational structure

- Concentration of functions and knowledge: generally, the number of people involved in processing information is reduced and knowledge of the system may be concentrated, resulting in reduced segregation of duties in the absence of effective access controls. In addition, management competency with respect to IT affects internal control.
- Concentration of programs and data: this may result in increased risk of unauthorized access to, and alteration of, data and programs.
Nature of processing

- Absence of input documents (online order entry, automated approvals/matching)
- Lack of a visible transaction trail (stored in computer files, perhaps for a limited period)
- Lack of visible output (results of processing may not be printed in all cases)
- Ease of remote access to data and programs
- Vulnerability of systems and networks to hacking and unauthorized access
Design and procedural aspects

- Consistency of performance: this can be more reliable, but incorrect programming logic will result in persistent errors.
- Programmed control procedures: these facilitate fully automated controls (reasonableness and limit tests of field values, enforcement of segregation of duties through security profiles, and user IDs and passwords) and computer-assisted controls (error and exception reports that need manual attention).
- Single transaction update of multiple files or tables: erroneous entries may affect various records.
- Systems-generated transactions: these involve no visible input or authorization.
- Vulnerability of data and program storage media: these may be exposed to theft, loss, or intentional or accidental destruction.
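The programmed control procedures in the list above are what an auditor tests when auditing "through the computer". The following Python is an added example, not code from the course readings: on constructed data it implements a vendor payment application's fully automated input controls (field format and limit tests, which reject the transaction), segregation of duties enforced through user security profiles, and a computer-assisted reasonableness test whose hits are not rejected but held on an exception report for manual clearance. The role names, approval limit, security profiles and payments are assumptions.

```python
"""Programmed control procedures over a vendor payment application.

Added example, not from the course readings. Implements three control types on
constructed data: automated input edit checks that reject a transaction,
segregation-of-duties enforcement via security profiles, and a reasonableness
test whose hits go to an exception report for manual review.
"""
import re
from dataclasses import dataclass, field

# Constructed security profiles: user -> roles held (assumption).
SECURITY_PROFILES = {
    "alice": {"clerk"},
    "bob": {"approver"},
    "carol": {"clerk", "approver"},  # deliberately conflicting roles
}
APPROVAL_LIMIT = 10_000                 # assumed single-approval limit
VENDOR_ID = re.compile(r"^V\d{5}$")     # assumed vendor master key format


@dataclass
class Payment:
    txn_id: str
    vendor_id: str
    amount: float
    entered_by: str
    approved_by: str


@dataclass
class ControlResult:
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)    # txn_id -> reasons
    exceptions: dict = field(default_factory=dict)  # txn_id -> reasons for manual review


def edit_checks(p):
    """Fully automated input controls; any failure rejects the transaction."""
    errors = []
    if not VENDOR_ID.match(p.vendor_id):
        errors.append("vendor id format")
    if p.amount <= 0:
        errors.append("amount must be positive")
    if p.amount > APPROVAL_LIMIT:
        errors.append(f"amount exceeds single approval limit {APPROVAL_LIMIT}")
    return errors


def segregation_of_duties(p):
    """Preparer and approver must hold the right roles and be different people."""
    errors = []
    if "clerk" not in SECURITY_PROFILES.get(p.entered_by, set()):
        errors.append("preparer lacks clerk role")
    if "approver" not in SECURITY_PROFILES.get(p.approved_by, set()):
        errors.append("approver lacks approver role")
    if p.entered_by == p.approved_by:
        errors.append("same user entered and approved")
    return errors


def conflicting_profiles():
    """Profile-level SoD check: users whose roles let them both enter and approve."""
    return sorted(u for u, roles in SECURITY_PROFILES.items() if {"clerk", "approver"} <= roles)


def reasonableness(p, history):
    """Computer-assisted control: flag, but do not block, unusual amounts."""
    prior = history.get(p.vendor_id, [])
    if prior and p.amount > 3 * max(prior):
        return ["amount more than 3x the vendor's previous maximum"]
    return []


def process_batch(payments, history):
    result = ControlResult()
    for p in payments:
        errors = edit_checks(p) + segregation_of_duties(p)
        if errors:
            result.rejected[p.txn_id] = errors
            continue
        flags = reasonableness(p, history)
        if flags:
            result.exceptions[p.txn_id] = flags  # held on the exception report
        else:
            result.accepted.append(p.txn_id)
    return result


def run_example():
    history = {"V00001": [1200.0, 1500.0, 900.0], "V00002": [8000.0]}  # constructed
    payments = [
        Payment("P1", "V00001", 1400.0, "alice", "bob"),   # clean
        Payment("P2", "V00001", 6000.0, "alice", "bob"),   # unusual for this vendor
        Payment("P3", "V00002", 12000.0, "alice", "bob"),  # over the limit
        Payment("P4", "V00003", 500.0, "carol", "carol"),  # self-approved
        Payment("P5", "VX123", -20.0, "alice", "alice"),   # several edit failures
    ]
    return process_batch(payments, history)


if __name__ == "__main__":
    r = run_example()
    print("accepted:", r.accepted, "exceptions:", r.exceptions)
    print("rejected:", r.rejected, "conflicting profiles:", conflicting_profiles())
```

Note the two levels at which segregation of duties is tested: the transaction-level check catches a self-approved payment, while conflicting_profiles() is the general-control question an auditor asks of the security administration itself, since a user holding both roles is a standing opportunity for the first check to be needed.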


7.2 IT auditing
Learning objective

Discuss how IT auditing has developed in response to the specialized skills required to audit IT systems. (Level 1)
Required reading

Reading 7-1, IPPF Practice Guide: Integrated Auditing (Level 1)
Online reading 7.2-1, Global Technology Audit Guide (GTAG) 16: Data Analysis Technologies, pages 1-6 and 14-16 (Level 1)
LEVEL 1

The concerns raised by organizations' reliance on IT have led to a need for internal auditors with specialized knowledge of IT. This specialty is known as IT auditing (also computer auditing or EDP auditing). Online reading 7.2-1 explains how most internal auditing projects now require data analysis, and how the technology can be used throughout all phases of the audit. The technology is also used to perform continuous auditing, which was introduced in Topic 3.6. Reading 7-1, Practice Guide: Integrated Auditing, describes how the knowledge of specialist information systems auditors is sometimes integrated into a single audit approach to produce a more effective outcome through a holistic approach. In an integrated audit, the audit team looks at several aspects of performance including, but not limited to, financial, operational, IT, regulatory, compliance, environmental, and fraud. Exhibit 7.2-1 identifies several IT activities that are required to accomplish the mission of the IT internal audit unit.
Exhibit 7.2-1: Activities required to accomplish the mission of an IT internal audit unit
- Keep current with leading-edge technologies being considered to support and enable business operations.
- Obtain an understanding of how new technology will relate to the business processes.
- Foster an understanding and appreciation of the risks and controls associated with current technology among the internal and IT auditor community, in order to ensure audit coverage and permit the auditors to move forward and keep pace with constantly changing leading-edge technologies.
- Seek out technological audit tools to add to the toolkits of the IT and non-specialist internal auditors.
- Interface with, or at a minimum provide support and counsel to, the internal auditors on audit issues associated with application systems that interface with business processes undergoing audit.
- Maintain open lines of communication with operational and IT management to identify and review plans that call for the introduction of new technologies, and advise and support management regarding the risk/control environment related to such technologies.
- Advise and counsel management to develop corporate computer policy and standards committees.
- Establish and maintain involvement with professional auditing organizations in order to share and validate concerns and solutions.

Source: Adapted from Allan R. Paliotta, "A Personal View of a World Class IT Auditing Function", ISACA website (www.isaca.org), October 1999.

Because technology keeps changing and the pace of its advances is certain to accelerate, auditors must understand the risks and exposures created by firms adopting new and emerging technologies. Auditors can, in fact, capitalize on technological advances while at the same time making sure that the organization is protected from security threats.
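Topic 7.1 noted that, where input documents and a visible audit trail are absent, the auditor may have to audit through the computer using CAATs, and GTAG 16 (Online reading 7.2-1) describes the data analysis this involves. The following Python is an added example serving both passages; it is not code from the course readings or from GTAG 16. On a constructed extract of an invoice file, it re-performs the application's own tax and total computations, tests the invoice number sequence for gaps and duplicates, and reconciles the detail to a control total, which is how an auditor tests a whole population rather than a sample of output traced to paper. The tax rate, file layout and control total are assumptions.

```python
"""Computer-assisted audit techniques over a system-generated invoice file.

Added example, not from the course readings or GTAG 16. Constructed data
stands in for an application extract; the auditor re-performs the programmed
computation, tests completeness and uniqueness of the sequence, and reconciles
the detail to the control total the application reported.
"""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

TAX_RATE = Decimal("0.13")  # assumed rate for the constructed data

# Constructed extract as the application exported it (one deliberate duplicate,
# one gap in the sequence, one mis-computed tax).
INVOICE_EXTRACT = """\
invoice_no,customer,net,tax,total
10001,C-17,100.00,13.00,113.00
10002,C-04,250.00,32.50,282.50
10004,C-17,80.00,10.40,90.40
10005,C-22,60.00,7.80,67.80
10005,C-22,60.00,7.80,67.80
10006,C-09,199.99,25.00,224.99
"""
# Constructed: the day's control total as posted to the general ledger.
CONTROL_TOTAL = Decimal("778.69")


def parse(extract):
    rows = list(csv.DictReader(io.StringIO(extract)))
    for r in rows:
        r["invoice_no"] = int(r["invoice_no"])
        for k in ("net", "tax", "total"):
            r[k] = Decimal(r[k])
    return rows


def money(x):
    return x.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def reperform_calculations(rows):
    """Recompute tax and total independently; return invoices that differ."""
    mismatches = {}
    for r in rows:
        tax = money(r["net"] * TAX_RATE)
        total = r["net"] + tax
        if tax != r["tax"] or total != r["total"]:
            mismatches[r["invoice_no"]] = {"expected_tax": tax, "expected_total": total}
    return mismatches


def sequence_gaps(rows):
    """Completeness test: numbers missing from the observed range."""
    nums = {r["invoice_no"] for r in rows}
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]


def duplicates(rows):
    """Uniqueness test: invoice numbers that appear more than once."""
    seen, dups = set(), []
    for r in rows:
        n = r["invoice_no"]
        if n in seen and n not in dups:
            dups.append(n)
        seen.add(n)
    return dups


def reconcile(rows, control_total):
    """Sum the detail and compare with the control total the system reported."""
    detail = sum(r["total"] for r in rows)
    return detail, detail - control_total


def run_caats(extract=INVOICE_EXTRACT, control_total=CONTROL_TOTAL):
    rows = parse(extract)
    detail, difference = reconcile(rows, control_total)
    return {
        "recalculation_exceptions": reperform_calculations(rows),
        "sequence_gaps": sequence_gaps(rows),
        "duplicates": duplicates(rows),
        "detail_total": detail,
        "control_difference": difference,
    }


if __name__ == "__main__":
    for test, finding in run_caats().items():
        print(f"{test}: {finding}")
```

On the constructed data the three tests reinforce each other: the reconciliation difference of 67.80 equals the total of the duplicated invoice 10005, which tells the auditor the general ledger posting excluded it while the detail file did not, and the recalculation exception on 10006 is a programmed-logic error that would recur on every invoice with the same characteristics.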


7.3 Risk in an IT environment
Learning objective

Identify the various IT risks and explain how they affect an organization. (Level 1)
Required reading

Online reading 7.3-1, Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan, Section 5 (Level 1)
Reading 7-2, Diagnosis for IT Risk (Level 1)
Reading 7-3, Mobile computing (Level 1)
Reading 7-4, Making Risk Assessments Useful (Level 1)
LEVEL 1

How risk affects IT


IT control frameworks support a risk-management-based approach to control; that is, controls are identified and implemented in proportion to the risk that must be managed. To manage risk effectively in an IT environment, both risk analysis and risk assessment must be performed. Risk management is not static; it is a dynamic, ongoing process because business objectives change, which in turn causes risk, control techniques, and the costs of control to change. Although some risk is acceptable in every organization, there must be a balance between the use of controls and the net risk that remains after implementing controls that are designed to reduce the risk. Because change is inevitable within an organization, risk assessment should be performed on a periodic basis to identify new risks and reassess existing risks to ensure that the risk level at any point in time is acceptable and manageable. The risk assessment process should lead the CAE to establish internal audit work schedule priorities.

Types of risk in an IT environment


The CICA Information Technology Control Guidelines define the following risk categories:

- Inherent risk is the risk that naturally exists in a particular business or situation. An example of inherent risk is the possibility of incurring financial and other losses if a company's computer-processing facilities were to be damaged by fire, flood, or other disaster.
- Specific risk exists as a result of the location or method of operation of a particular function. An example of specific risk is the possibility of financial and other losses if an explosion occurred at a chemical plant on the site adjacent to the company's computer-processing facility.
- Technological risk exists as a result of using technology to meet enterprise objectives. Examples of technological risk include the risk of technological obsolescence, failure to maintain necessary skill sets, the availability of support services, and the reliability of technology.

As explained earlier in the course, business risk and enterprise risk are broader concepts than these IT risks.

Online reading 7.1-1 lists a number of factors that may be applicable in a specific IT environment and that would change the risk assessment:

- Absence of a visible audit trail
- System-generated transactions
- Existence of proper internal controls
- Competence of management with respect to the IT environment
- Pervasiveness and complexity of the IT environment
- Conversion from manual procedures to IT procedures
- Conversion from one IT application to another
- Data access controls
- Unwarranted reliance on computer-generated information
- Segregation of incompatible functions
- Adequacy of security and back-up procedures

IT risks can manifest themselves through any of the following:

- Unauthorized disclosure, modification, or destruction of information, whether deliberate or accidental
- Unintentional errors and omissions during processing
- Disruptions in processing due to natural or man-made disasters
- Failure to exercise due care and diligence in the implementation and operation of the IT system

Risk management should be integrated into every phase of the IT systems development life cycle (SDLC). Exhibit 7.3-1 describes the characteristics of each SDLC phase and how risk management can be performed in support of each phase.
Exhibit 7.3-1: Integration of risk management into the SDLC
Phase 1: Initiation
Phase characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.
Support from risk management activities: Identified risks are used to support the development of the system requirements, including security requirements and a security concept of operations (strategy).

Phase 2: Development or acquisition
Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.
Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design trade-offs during system development.

Phase 3: Implementation
Phase characteristics: The system security features should be configured, enabled, tested, and verified.
Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements and within its modelled operational environment. Decisions regarding risks identified must be made prior to system operation.

Phase 4: Operation or maintenance
Phase characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures.
Support from risk management activities: Risk management activities are performed for periodic system reauthorization (or reaccreditation), or whenever major changes are made to an IT system in its operational, production environment (for example, new system interfaces).

Phase 5: Disposal
Phase characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information, and sanitizing the hardware and software.
Support from risk management activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.

Source: Gary Stoneburner, Alice Goguen, and Alexis Feringa, Risk Management Guide for Information Technology Systems (National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg, MD, 2002), page 5.

Section 5 of GTAG 11 (Online reading 7.3-1) provides an overview of the process of identifying IT risks as part of an overall risk-based audit plan. This material also provides insight into current best practices for performing an IT risk assessment. Reading 7-2 outlines a top-down, risk-based methodology to help identify the key risks in IT business processes. Reading 7-3 discusses the complex but important risks associated with mobile computing. Reading 7-4 provides practical guidance on assessing IT security risk and ensuring it is useful.


7.4 IT control frameworks


Learning objective

Discuss the prevalent IT control frameworks governing technology audits: the IIAs Global Technology Audit Guide (GTAG) 1, Information Technology Controls, and ISACAs Control Objectives for Information and Related Technology (COBIT) . (Level 2)
Required reading

Online reading 7.4-1, Control Objectives for Information and Related Technology (COBIT) 4.1 Excerpt (Level 2)
Online reading 7.4-2, Global Technology Audit Guide (GTAG) 1: Information Technology Controls, pages 3-25 (Level 2)
LEVEL 2

GTAG 1 outlines the importance of information technology controls (Online reading 7.4-2):

Although technology provides opportunities for growth and development, it also provides the means and tools for threats such as disruption, deception, theft, and fraud. Outside attackers threaten our organizations, yet trusted insiders are a far greater threat. Fortunately, technology can also provide protection from threats, as you will see in this guide. Executives should know the right questions to ask and what the answers mean. For example:

Why should I understand IT controls? One word: Assurance. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls, plus the evidence that controls are continuous and sufficient. Management and governance must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance. This guide will help you understand the evidence.

What is to be protected? Let's start with trust. Trust enables business and efficiency. Controls provide the basis for trust, although they are often unseen. Technology provides the foundation for many, perhaps most, business controls. Reliability of financial information and processes, now mandated for many companies, is all about trust.

Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture, collectively known as infrastructure, as well as the information itself. Many of the infrastructure controls are technical, and IT supplies the tools for many business controls.

Who is responsible? Everybody. But you must specify control ownership and responsibilities, otherwise no one is responsible.

When do we assess IT controls? Always. IT is a rapidly changing environment, fueling business change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.

How much control is enough? You must decide. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive, but not nearly as expensive as the probable consequences of inadequate controls. IT controls are essential to protect assets, customers, partners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today's global market and regulatory environment, these are all too easy to lose.1

Now read pages 3 to 25 of Online reading 7.4-2 on information technology controls.

COBIT
The Information Systems Audit and Control Association, through the IT Governance Institute, issued its Control Objectives for Information and Related Technology (COBIT) 4.1 in 2007 (Online reading 7.4-1). Although an expanded framework, COBIT 5, was issued in 2012, it is a complex business framework for the governance and management of enterprise IT. COBIT 4.1 is still in use; it is more specific to IT controls, and it is the framework referenced by the IIA Global Technology Audit Guides (GTAGs). The COBIT framework has become recognized as an authoritative IT model designed to help corporate management understand and manage the risks associated with information technology. It is harmonized with other standards and continuously updated. COBIT helps answer the question of the minimum level of controls that is necessary. It is a control model to meet the needs of IT governance and ensure the integrity of information. COBIT supports IT governance by providing a framework to ensure the following needs are met:

- IT is aligned with the business.
- IT enables the business and maximizes benefits.
- IT resources are used responsibly.
- IT risks are managed appropriately.

Implementing COBIT allows for the following:

- Better alignment based upon a business focus
- An understandable view of IT for management
- Clear ownership and responsibilities
- General acceptability with third parties and regulators
- Shared understanding among all stakeholders based on a common language
- Fulfillment of the COSO requirements for the IT control environment

The COBIT framework is organized under four broad domains:

- Planning and organization
- Acquisition and implementation
- Delivery and support
- Monitoring

The four domains are further subdivided into 34 IT processes, with 3 to 30 detailed control objectives for each process (a total of 302 objectives). Most of the control objectives relate to general controls, but some attention is also given to application controls. COBIT provides internal and external auditors with a tool to substantiate their opinion on IT internal controls for the assessment of control risk (control environment, risk management processes, information systems, control procedures, and monitoring of controls). However, it is primarily aimed at providing management with a structured framework to demonstrate sound IT governance because it focuses on business objectives. Given that there are 302 control objectives, evaluation of each control objective would be a daunting task.

For an additional overview, review these PowerPoint slides on COBIT Overview.


1 The Institute of Internal Auditors, Global Technology Audit Guide (GTAG) 1: Information Technology Controls, March 2005, Copyright The Institute of Internal Auditors (IIA), Altamonte Springs, FL.


7.5 General controls
Learning objective

Identify the types of general controls used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness. (Level 1)
Required reading

Online reading 7.4-2, Global Technology Audit Guide 1: Information Technology Controls, pages 16-21 (Level 1)
LEVEL 1

Begin your consideration of controls in a computerized environment by reading pages 16-21 of Online reading 7.4-2. General controls are controls that are implemented to support overall computerized information processing activities. The general control components are as follows:

- Organization and management controls
- Separation of duties
- Financial controls
- Change management controls
- Physical and environmental controls
- Application systems acquisition, development, and maintenance controls
- Computer operations controls
- Systems software controls (security)
- Program and data access controls (security)
- Physical security
- Backup and recovery controls

Physical security requires that adequate safeguards be taken to prevent accidental or deliberate loss of hardware, software, and data. Appropriate security measures must be in place to prevent loss caused by natural hazard, man-made hazard, error, fraud, or sabotage. Although general controls may apply more directly to larger and more sophisticated computer environments, most internal auditors will still find this information useful. Not all general computer control components will have equal importance in every situation or environment. However, a basic understanding of the concepts will help you exercise your judgment in different environments.

Systems development audits


One of the greatest risks in an IT environment is usually that of systems development projects failing to meet their objectives and/or exceeding time and cost budgets. Most organizations with extensive IT systems have had one or more major projects that were unsuccessful or, while successful, achieved success at excessive cost. To prevent history repeating itself, such organizations often engage in lessons learned exercises to establish the cause of the failures. The failures can often be traced directly to a lack of appropriate controls during the systems development project. Internal auditors can make a major contribution to such exercises because of their focus on appropriate controls. Better still, they can assist in the development and monitoring of effective controls to reduce the likelihood of such a failure occurring.

Continuity of operations

In many organizations, continuity of operations is an often neglected control area. However, it is an essential element in ensuring the survival of most modern businesses, especially when the organization depends on its automated information systems and electronic information to conduct its business. There are two elements to continuity of operations:

- Business continuity planning (BCP), which covers the development and update of plans, assigning responsibilities, obtaining contact names and numbers, periodic testing of the plans, and back-up procedures and off-site storage requirements.
- IT recovery planning, which encompasses both preventive measures to mitigate disruptive incidents and recovery plans to restore IT resources if need be.

There are two aspects of backup:

- Backing up data and application programs and storing them offsite so the applications and data can be recovered
- Taking backups at various stages of data processing so that if a batch job fails, processing can be restored to the most recent backup and the job can run again

A common term used for ensuring continuity of operations is disaster recovery planning (DRP). This term is often used to refer to the planned procedures for restoring the IT environment and processing capabilities to an acceptable level following a disaster such as fire, flood, power failure, or earthquake. A planning committee is typically in place to develop and implement these measures. In connection with DRP, the internal auditor's role includes assisting with the assessment of risks, evaluating the design of the DRP, and periodically reviewing whether the plan is current.


7.6 Application controls
Learning objective

Identify the types of application controls (procedures) used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness. (Level 1)
Required reading

Online reading 7.6-1 , Global Technology Audit Guide (GTAG) 8: Auditing Application Controls, pages 1-13 (Level 1)
LEVEL 1

Application controls are control standards and techniques designed to meet the control objectives for a specific business process, such as payroll or inventory management. Application controls are grouped into the traditional categories of input, processing (including storage), and output. These categories are relevant regardless of the application processing environment (batch, online, real-time, client-server). The effectiveness of application controls is influenced by the strength of the general controls described in Topic 7.5.

Types of application controls


Control procedures can be either manual or programmed:

- Manual control procedures are performed manually by users with computer assistance but with no reliance on automated processing. They act as an independent check and balance on automated operations.
- Programmed controls involve the use of automated processing within the application to perform control-related functions. They can be either computer assisted or fully automated: with computer-assisted control procedures, computer-produced data are used together with manual user procedures; with fully automated control procedures, the complete control procedure is executed by computer.

An example of a computer-assisted control procedure is a computerized inventory order system, which permits prices to be entered by an authorized individual to override a standard price master file and prints a report of all price overrides. The control procedure of reviewing and approving the listing of price overrides uses the price override report, and depends on the program to correctly identify and report all price overrides. Examples of fully automated application control procedures within computer programs include the use of edit checks, such as check digits to ensure the validity of account numbers, and matching electronic purchase orders with goods received. In addition, application programs contain critical application processes, which perform computations or operations that cannot be verified independently. In the absence of such independent verification, reliance is placed on the critical application processes.1

Automated control procedures can be found in the following areas:

- Within application code: these control procedures require an experienced programmer to modify them if the business rules change.
- Within parameter settings: these are the values that can be set within systems to determine how transactions will be processed.
- Within tables: these can be modified by end users.

Application controls can be either preventive or detective:

- Preventive controls are designed to prevent data entry or processing errors from occurring.
- Detective controls are designed to identify areas or problems after the fact.

Although detective controls are effective, there is a risk of the data being incorrect, if only for a matter of minutes or hours, before the control is performed and the error corrected. As enterprises use real-time processing in their computer-operating environments, the need for strong preventive controls increases. It is more efficient to prevent errors in files and databases than to correct them after the fact. However, detective controls are still important in most situations. In any application, a balance of preventive and detective controls is required.

Online reading 7.6-1, Global Technology Audit Guide 8 on auditing application controls, sets out guidance on the performance of risk-based audits of the controls over application systems. The following exhibit provides an overview of the application processing cycle.
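The check-digit edit and the price-override report described above, as an added example that is not part of the course text or the CICA guidelines it cites: the fully automated preventive edit rejects a mis-keyed account number at input, and the computer-assisted detective report lists every override for the reviewer, who relies on the program to report them all. The mod-10 (Luhn) scheme, the sample price master file and orders, and the function names are assumptions.

```python
"""Added example (not from the course text): two application controls from
Topic 7.6 written out. The mod-10 (Luhn) check-digit scheme, the sample
data and the function names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def check_digit_valid(account_number: str) -> bool:
    """Fully automated preventive edit check: a mod-10 (Luhn) check digit
    makes the weighted digit sum divisible by 10, so a single mis-keyed or
    transposed digit is rejected before the transaction is accepted."""
    digits = account_number.replace(" ", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_input(account_number: str, item: str,
                   price_master: Dict[str, float]) -> List[str]:
    """Preventive input edits. Returns the reasons the entry must be
    rejected; an empty list means the entry may proceed."""
    errors = []
    if not check_digit_valid(account_number):
        errors.append(f"account {account_number}: check digit invalid")
    if item not in price_master:
        errors.append(f"item {item}: not on price master file")
    return errors


@dataclass(frozen=True)
class OrderLine:
    order_id: str
    item: str
    entered_by: str
    entered_price: float
    override_auth: Optional[str]   # user id who authorised a non-standard price


def price_override_report(orders: List[OrderLine],
                          price_master: Dict[str, float]) -> List[dict]:
    """Computer-assisted detective control: list every line whose entered
    price differs from the master file. The reviewer approves this listing
    and depends on the program to have reported every override."""
    report = []
    for line in orders:
        standard = price_master[line.item]
        if abs(line.entered_price - standard) > 0.005:   # any change beyond rounding
            report.append({
                "order_id": line.order_id,
                "item": line.item,
                "standard": standard,
                "entered": line.entered_price,
                "entered_by": line.entered_by,
                "authorised": line.override_auth is not None,
            })
    return report


# Constructed sample master file and order lines (not real data).
PRICE_MASTER = {"WIDGET": 10.00, "GADGET": 25.50}
SAMPLE_ORDERS = [
    OrderLine("O-1001", "WIDGET", "jsmith", 10.00, None),   # standard price, not reported
    OrderLine("O-1002", "WIDGET", "jsmith", 8.50, "mlee"),  # authorised override
    OrderLine("O-1003", "GADGET", "kwong", 20.00, None),    # override with no authorisation
]

if __name__ == "__main__":
    print(validate_input("79927398713", "WIDGET", PRICE_MASTER))    # [] (accepted)
    print(validate_input("79927398710", "SPROCKET", PRICE_MASTER))  # two rejection reasons
    for row in price_override_report(SAMPLE_ORDERS, PRICE_MASTER):
        print(row)
```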

Exhibit 7.6-1: A generic application systems control model

Many organizations outsource some of their application processing activities to other organizations. This is most commonly done for payroll processing. The scope of internal audit work includes reviewing the risk management and control processes related to outsourced IT activities. This type of engagement requires specific planning.

1 CICA, IT Control Guidelines, pages 285-286. Reproduced with permission.


7.7 Communications network controls


Learning objective

Outline the types of controls used to address risks in an IT communications and networking environment. (Level 2)
No required reading LEVEL 2

Communications networks are complex combinations of hardware and software with many technical protocols. In light of the risk implicit in communications and networking technologies, management needs to establish a framework of network security controls. An adequate network security level must be maintained to protect the organization from a variety of external threats such as denial-of-service attacks and hacking. Management should assess the risk to the organization and its business from its Internet and other telecommunications connections. If, for example, the organization's LAN/WAN contains highly confidential information, or if applications process a large number of high dollar amount financial transactions, the risk of attack is much higher and a higher level of security control should be installed. Security controls may include such measures as firewalls, intranets, or non-use of the Internet altogether. Following is a brief description of firewalls and intranets:

- Firewalls are either hardware or software, or a combination of the two, designed to separate one network from another for security purposes. A firewall is installed between the router and the LAN, and provides protection against unauthorized access to services on the LAN from the outside (such as from the Internet). It protects the LAN from attacks by hackers using the external connection as the gateway into the LAN.
- Intranets are internal information systems based on Internet technology, web services, communication protocols, and HTML publishing. Organizations use intranets to provide customers, suppliers, and staff with timely information in a secure private corporate network.

Audits of services provided by third parties


Organizations are using the Internet and corporate intranets for a variety of purposes. Access to the information available to employees, vendors, and customers is often provided through one or more third-party service providers. Use of such third-party service providers exposes the organization to a range of risks. Where such risks are assessed as high, internal auditors should consider expanding the scope of their work to include assessment of the risk management and control processes related to the use of such third-party service providers. These audit engagements need to be planned to meet the specific circumstances of the organization.

Additional network controls


In performing audits of network operations, it is important for the internal auditor to understand that the Internet can have a significant impact on risks, exposures, and controls. In essence, the Internet is another means of communication between an organization and the outside world. The auditor should evaluate the effectiveness of the organization's risk management program by independently assessing risks, reviewing policies, assessing the design of controls, and testing them. To ensure communications network security, the following should be in place:

- Sign-on procedures and passwords should be implemented.
- Security measures such as alarms and locks on doors should be in place to protect physical access to equipment.
- Access control software should require periodic password changes, and data access should be limited to authorized individuals.
- Audit trails of security violations and usage statistics should be prepared, analyzed, and followed up.
- Sensitive data should be controlled through encryption, diskless workstations, and so on.
- Sensitive data files should be backed up and stored off-site.
- Concurrent or simultaneous access to data should be controlled.
- Controls should be in place for administering IDs and passwords, monitoring logs, and monitoring compliance with software licenses and agreements.
- Controls should be in place to change and delete passwords, as well as to automate log-on procedures.
- A network control group should exist with responsibility to monitor network performance and implement recovery procedures.
- Audit trails should exist at both the network and application system levels to support the ongoing operation of the network and provide information to reconstruct events occurring within the system.
- Access controls should be in place for files being transferred. The system must give ready access to authorized users and offer strict exclusion to non-users.
- Controls over distributed processing should be in place to ensure data consistency.
- Any file transfer (e-mail attachment or Internet download) may hold a virus. Virus-scanning software must be in place and used to protect systems from this threat.
- Posting of confidential e-mail messages on the Internet should be avoided.
- Access to various Internet sites by the organization's staff should be logged so that management can review such access to ensure legitimate use; filters can be used to restrict access to inappropriate Internet sites.
- Where dial-in connection through the Internet is permitted by the organization, the system should keep a log of all successful and unsuccessful accesses so that irregular usage or attempted break-ins can be detected and prevented.
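The review of the access log that the audit-trail and dial-in items call for, as an added example that is not part of the course text: detection logic run over a constructed remote-access log, flagging a burst of failed sign-ons from one source and a success that follows such a burst. The log line format, the thresholds (five failures within five minutes) and the function names are assumptions.

```python
"""Added example (not from the course text): review of a remote-access log
for irregular usage. Line format, thresholds and names are assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed log line layout: "<UTC timestamp> remote-access user=<id> src=<address> result=OK|FAIL"
LOG_RE = re.compile(r"^(\S+) remote-access user=(\S+) src=(\S+) result=(OK|FAIL)$")

# Constructed sample log: a run of failures from one source (several user
# ids tried) that ends in a successful sign-on, plus ordinary activity that
# should not be flagged. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-03-01T02:14:05Z remote-access user=alice src=203.0.113.7 result=FAIL
2024-03-01T02:14:09Z remote-access user=alice src=203.0.113.7 result=FAIL
2024-03-01T02:14:12Z remote-access user=admin src=203.0.113.7 result=FAIL
2024-03-01T02:14:20Z remote-access user=root src=203.0.113.7 result=FAIL
2024-03-01T02:14:31Z remote-access user=alice src=203.0.113.7 result=FAIL
2024-03-01T02:15:02Z remote-access user=alice src=203.0.113.7 result=OK
2024-03-01T08:30:00Z remote-access user=bob src=198.51.100.4 result=OK
2024-03-01T09:01:10Z remote-access user=carol src=198.51.100.9 result=FAIL
2024-03-01T09:01:40Z remote-access user=carol src=198.51.100.9 result=OK
"""


@dataclass(frozen=True)
class Event:
    at: datetime
    user: str
    src: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse the log into time-ordered events; an unrecognised line is an
    exception rather than silently dropped, so the review is complete."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised log line")
        ts, user, src, result = m.groups()
        at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(at, user, src, result == "OK"))
    return sorted(events, key=lambda e: e.at)


def detect_irregular_access(events: List[Event], threshold: int = 5,
                            window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Flag (a) `threshold` or more failures from one source address inside
    `window`, and (b) a successful sign-on from that source while such a
    burst is still live. Returns findings in time order."""
    recent: Dict[str, deque] = defaultdict(deque)   # src -> (time, user) of recent failures
    findings = []
    for e in events:
        q = recent[e.src]
        while q and e.at - q[0][0] > window:         # drop failures outside the window
            q.popleft()
        if not e.ok:
            q.append((e.at, e.user))
            if len(q) == threshold:                  # report once when the burst forms
                findings.append({"kind": "FAILURE_BURST", "src": e.src, "at": e.at,
                                 "users": sorted({u for _, u in q})})
        elif len(q) >= threshold:
            findings.append({"kind": "SUCCESS_AFTER_FAILURES", "src": e.src,
                             "at": e.at, "user": e.user})
            q.clear()
    return findings


if __name__ == "__main__":
    for finding in detect_irregular_access(parse_log(SAMPLE_LOG)):
        print(finding)
```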


7.8 Controls for end-user computing


Learning objective

Analyze the advantages and risks of an end-user computing environment and the types of controls used. (Level 1)
Required reading

Reading 7-5, Evaluating risk assessment and controls over end-user computing (Level 1)
LEVEL 1

Risks and benefits of end-user computing


When end users (the users or business department as opposed to the IT department) develop and/or support their own IT services and process their own information, it is called end-user computing. It is characterized by widely available computing power and the ability to share resources through a range of connectivity strategies. In this environment, information processing is often performed outside of the classical framework of controls that has traditionally been implemented by IT professionals. End-user computing allows individuals to work directly with off-the-shelf software to create applications and analyze data without help from IT professionals, except for support as needed. End-user computing has several benefits:

- Employee development of solutions increases the likelihood that applications will meet the employees' needs with respect to functionality and timeliness.
- Bureaucracy is reduced.
- Innovation, creativity, and business understanding are enhanced.
- End-user computing on personal computers can be less expensive than mainframe processing.
- Maintenance and operation may be less complicated and expensive for applications running on personal computers compared with mainframes.

Because many people now create their own applications such as spreadsheets, the IT department has lost much of its previous control over the production and storage of information. As a result, accepted control standards are often absent or not consistently applied to end-user applications. The end-user environment presents several risks:

- A lack of compatibility can develop if end users are permitted to acquire any type of hardware and software for personal use. For example:
  - There may be difficulties in sharing information and networking.
  - Hardware, operating systems, and application systems may be incompatible.
  - It may be impossible to flexibly deploy staff because of different software knowledge and the personal nature of applications that have been developed.
  - Maintenance costs may increase.
- In small organizations, where end-user computing is supported entirely by one individual, incompatible functions are not easily segregated.
- Employees can misdirect time and energy developing applications of questionable value to the organization. Cost-benefit analysis may not be performed, and the primary responsibilities of staff may be neglected.
- Documentation is often inadequate, hindering transferability and maintenance.
- Basic system functionality tends to be inadequately tested.
- Programmed internal controls and audit functionality are not designed into applications or are inadequately tested.
- End-user data may duplicate and not be reconcilable to other organizational data.

Control framework for end-user computing


Although there are clear benefits to introducing end-user computing, there are also unique risks when individual users create and modify programs without appropriate controls. Control approaches based on centralized controls should be adapted to address these specific risks while not impeding innovation, creativity, and productivity improvements. The key management issues relate to controlling access to corporate information resources and providing users with training, supervision, and support to assure the overall effectiveness of end-user strategies. In end-user environments, controls are needed to ensure that information processing is complete, accurate, authorized, secure, and timely, and that appropriate management and audit trails are operating. In addition, controls must be implemented to ensure that locally-developed software is reliable and maintainable, information is shared throughout the organization, and appropriate backup and documentation of applications are in place. The framework design variables of intensity, invasiveness, and cost of controls implemented must be balanced with the risks associated with each end-user application. Management's control framework should focus on the development and use of end-user applications that affect critical operations and are used by many people. For example, if data loss or disclosure could have a significant and/or immediate impact on competitive advantage, customer service, business continuity, or company operating performance, it would be considered high risk and therefore warrant tighter control. Appropriately designed interview questions such as the following can identify risks associated with end-user applications:

- Is the application's data confidential, potentially valuable to competitors, or potentially embarrassing to the organization in the wrong hands?
- Do the data significantly impact relationships with customers or vendors?
- Are the data shared with or used by other departments that may be significantly affected?
- Are the data used as the primary or only basis for making certain kinds of significant decisions?
- Are the data used for financial accounting, taxation, or other external reporting purposes?

There should be central control of end-user computing through management policy directives, and a computer consulting group/information centre, structured to support efficiency and productivity. Controls should be designed to ensure that several users can produce essential reports and that program changes are tested, documented, and approved before implementation. Software compatibility and documentation standards are critical for end-user computing given the need for staff mobility. Finally, there should be procedures to maintain and dispose of confidential output. The challenge for internal auditors is to maintain their proficiency by staying abreast of ongoing advances, to evaluate management's risk assessment, and to provide sound advice on the design and effectiveness of management's control framework to minimize identified risks. Internal auditors can also be a positive force by acting as control specialists or consultants in end-user computing. Reading 7-5 describes some important areas for the internal auditor to consider in evaluating management's risk assessment and controls over end-user computing.


7.9 Emerging technologies and the auditor


Learning objective

Explain the implications of emerging technologies for the internal auditing profession. (Level 2)
Required reading

Reading 7-6, The borderless enterprise (Level 2)
Reading 7-7, The Cloud and Your Data (Level 2)
LEVEL 2

For many emerging technologies, existing control systems may not be sufficient, requiring auditors to consider the new risks and controls related to emerging technologies. Today, emerging technologies in widespread use include e-commerce, application service providers (ASP), e-appliances, wireless networks, social media, and cloud computing. Application service providers offer software for users to access on the Internet instead of from a standalone computer. E-appliances include special-purpose devices designed for accessing the Internet, such as e-mail devices, web tablets, and web-enabled telephones. Wireless networks allow users to download e-mail messages and connect to the Internet without connecting through telephone or cable lines. Information technology is a driving force in global commerce, and both public and private sector organizations are preparing for the technological challenges of the third millennium. The Internet has eclipsed all predecessor technologies in its impact. As its use grows exponentially, it has become an indispensable tool for organizations to relay information, form collaborative alliances, reduce operating costs, and generally transform the way business is conducted. The role of internal auditors as partners and consultants in business and information technology planning will likely grow. They will be challenged to maintain adequate knowledge of emerging technologies and propose appropriate security and control measures to their organizations and clients on a timely basis. Auditors will need both business and technology skills, and will need to update them continuously through training and development. They will need to proactively explore new technologies to achieve auditing efficiencies through improved communications, sharing of successful practices, greater collaboration, and team-based approaches to work. 
The impact of emerging technologies on the audit process is referenced in the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) mission statement for an IT audit. According to COSO, the mission of IT internal auditing is using appropriate technological tools and expertise to evaluate the adequacy and effectiveness of control systems that address the risks resulting from the entity's use of technology to help achieve its business objectives. Reading 7-6 explains how new technologies are forcing companies to consider which risks to control when technology extends corporate activity beyond traditional corporate boundaries. Reading 7-7 discusses the benefits and risks offered by external service providers of cloud computing.


7.10 Impact of e-commerce
Learning objective

Determine the impact of e-commerce on internal auditing. (Level 2)


Required reading

Reading 7-8, Audit implications of e-commerce (Level 2)


LEVEL 2

Electronic commerce (e-commerce) is the buying and selling of goods and services on the Internet, especially the World Wide Web. In e-commerce, financial transactions are conducted electronically between businesses or between a business and its customers. There are two main aspects of e-commerce: electronic data interchange (EDI) and web-based (Internet) e-commerce. Until fairly recently, many organizations did not venture into e-commerce because of the cost of setting up the appropriate applications and security concerns relating to opening up their systems to the world. However, with the Internet proving to be cost-effective and security concerns being addressed through technological advances, e-commerce is now a viable option for almost every organization in the world, regardless of size.

Electronic data interchange (EDI)


EDI is the exchange of documents in a standardized electronic format between business partners (referred to as trading partners). It is commonly used for purchase orders, invoices, payments, and receipts, such as via electronic funds transfers (EFT). EDI may significantly change an organizations workflow in comparison to a manual system. For example, instead of processing a paper document (such as a purchase or sales order, shipping or bill of lading form, or cheque) to initiate a transaction, trading partners transmit and receive business transactions directly into computer applications, such as an order entry program through an EDI network. The EDI transmission process generally has three phases: Application interface extracts the electronic transaction from, or passes it to, the internal business application processing systems (such as sales and accounts receivable). EDI translator translates the data from the internal business application processing systems into an agreed-on standard format. Communications interface is the media used for transmitting and receiving EDI electronic documents, which are enclosed within message envelopes (with a header and trailer to define the beginning and end of a transaction). EDI transactions can be transmitted and received in two ways: Point-to-point is a direct computer-to-computer private link with the business partner. This method enables the sponsoring organization to control the system access and not rely on third parties for computer processing. However, there are some significant disadvantages , including the following: The need to establish links with each trading partner, which restricts business relationships The need for common protocols, and hardware and software compatibility with the business partner

Value-added network (VAN) is a third-party service that provides a store-and-forward function for the trading partners. The VAN operates as a mailbox for participating businesses: the sender transmits EDI transactions to the VAN, which then places the data in the intended recipient's mailbox. The recipient then accesses the mailbox and retrieves the EDI transactions. Although VANs can be costly, there are several advantages to using this type of arrangement:

- There is no need for common protocols between trading partners.
- It allows one trader to deal with many partners (no need for multiple point-to-point connections).
- A third-party report is likely to be available from a VAN service provider, enabling reliance to be placed on the controls implemented at the service provider.
- It provides increased security because it authenticates the sender and recipient and can act as a network firewall for the trading partners.

Web-based (Internet) e-commerce


EDI is useful for high-volume applications and is ideal for pure computer-to-computer commerce. However, there must be a pre-established trading partner relationship, which is not geared to Internet customers. The Internet has helped convert EDI into electronic commerce and has many advantages over EDI:

- E-commerce through the Internet is able to handle all types of transactions.
- It is not tied to specific vendors.
- It provides the ability to accept new customers interactively.
- The common use of cash or credit card before delivery eliminates losses caused by bad debt.
- It is global in scope.
- It is relatively inexpensive to implement.

As e-commerce becomes an increasingly important business tool, it may be argued that the biggest risk for organizations is to ignore it. By not competing electronically, organizations may lose business to enterprises that use the Internet for marketing, accepting orders, and receiving payments. This is a business risk to be addressed by management. Reading 7-8 describes the audit implications of e-commerce, including control objectives and how to deal with the threat of hackers. Keep in mind that this topic is a high-level overview of e-commerce. An entire course could be devoted to auditing e-commerce applications. However, there are established criteria for auditing the subject matter, and there will likely be audit programs that guide you through the audit of an e-commerce application.


Module 7 summary
Information technology auditing
Module 7 looks at the impact of IT on internal auditing and the changing field of IT auditing. You are introduced to two frameworks that assist auditors with the evaluation of IT controls. The use of such controls is outlined, especially as they apply to computer communications, networking, and end-user environments. The module concludes with a look at the challenges of auditing in this environment where emerging technology is a constant.

Explain the concerns for internal auditors around IT auditing.


IT auditing began to develop when it was clear that internal auditors did not have the technical skills to analyze information stored in computer systems. It was recognized that it was no longer enough to simply analyze data in and data out, ignoring what happened to information as it was processed and stored. The impacts of auditing in an IT environment are two-fold:

- The concerns for internal auditors: the high degree of reliance organizations place on the use of IT has raised some specific concerns for auditors.
- The effect of IT on internal auditing: in spite of these concerns, IT also provides an opportunity to improve controls.

Specifically, an IT environment affects the following areas as they relate to internal audit:

- Skills and competence required of the auditor
- Work performed by others for which the auditor is responsible
- Planning
- Accounting system and internal control
- Audit evidence

An IT environment also has an impact on the following aspects of internal control:

- Organizational structure
- Nature of processing
- Design and procedural aspects

Discuss how IT auditing has developed in response to the specialized skills required to audit IT systems.
Computer programs (such as ACL) have been developed specifically to assist auditors to extract information to be used in the audit and to perform data analysis auditing activities. Other computer programs such as application programs, system software, and other utility programs can also be used by internal auditors to audit IT systems. Auditors realized that auditing IT systems required more technical knowledge, which in turn led to the development of IT auditing. As newer, emerging technologies are implemented, it is imperative that IT auditors remain current. However, as IT systems become an integral component of any enterprise, all internal auditors must also be computer literate.

Identify the various IT risks and explain how they affect an organization.
IT control frameworks support a risk management-based approach to control. The following are the risk categories identified in the CICA IT Control Guidelines:

- Inherent risk: the risk that naturally exists in a particular business or situation
- Specific risk: the risk resulting from a location or method of operation of a particular function
- Technological risk: the risk of using technology to meet enterprise objectives

The fact that IT control frameworks support a risk management-based approach to control means that where such control frameworks are used, controls are identified and implemented in proportion to the risk that must be managed. To manage risk effectively in an IT environment, both risk analysis and risk assessment must be performed. Auditors must be able to explain the impact of IT risk to managers who are unaware of such risks.

Discuss the prevalent IT control frameworks governing technology audits: the IIAs Global Technology Audit Guide (GTAG) 1, Information Technology Controls, and ISACAs Control Objectives for Information and Related Technology (COBIT).
Control frameworks have been developed to assist with the comprehensive evaluation of controls in an IT environment, providing guidelines for both general and application controls:

- GTAG: Global technology audit guides have been developed by the IIA as a framework for technology audits.
- COBIT: This framework is becoming increasingly recognized as an authoritative IT governance model designed to help corporate management understand and manage the risks associated with information technology.

Identify the types of general controls used to address risks in an IT environment, and develop audit procedures to test their operating effectiveness.
General controls are controls implemented to support overall computerized information processing activities, and include the following:

- Organization and management controls
- Separation of duties
- Financial controls
- Change management controls
- Physical and environmental controls
- Application systems acquisition, development, and maintenance controls
- Computer operations controls
- System software controls (security)
- Program and data access controls (security)
- Physical security
- Backup and recovery controls

Audit procedures designed to test the operating effectiveness of general controls can often be performed using systems-oriented computer-assisted audit techniques and automated continuous monitoring.

Identify the types of application controls (procedures) used to address risks in an IT environment and develop audit procedures to test their operating effectiveness.
Application controls are control standards and techniques that are designed to meet the control objectives for a specific business process. Types of application control procedures include the following:

- Manual control procedures
- Programmed controls

The application processing cycle is comprised of the following steps:

- Input
- Processing
- Output
- Management or transaction trails

Limitations to application controls include the following:

- Failure to consider controls in relation to business risks, resulting in ineffective or inefficient control techniques
- Over-reliance on application-based control techniques
- Errors in application system functions/processing
- Failure to provide a management trail for reviewing the processing of transactions

Testing of application controls can be performed by doing the following:

- Inspecting system configurations
- Inspecting user acceptance testing
- Inspecting or reperforming reconciliations
- Reperforming the control activity on system data
- Inspecting user access listings
- Reperforming the control activity using test data

Outline the types of controls used to address risks in an IT communications and networking environment.
The internal auditor needs to evaluate the following:

- Firewalls, designed to separate one network from another for security purposes
- Intranets, designed to provide customers, suppliers, and staff with timely information in a secure, private corporate network
- Other specific network controls put in place by the organization

Analyze the advantages and risks of an end-user computing environment and the types of controls used.
Information processing using end-user computing is outside of the computer controls traditionally implemented by IT professionals. Because creating applications is easy for end users, IT departments have difficulty maintaining control over production and storage of information. For this reason, accepted control standards are either absent from end-user applications or inconsistently applied. At the same time, there are many benefits to end-user computing, such as reduced bureaucracy and enhanced innovation. Classical methods of control need to be adapted to compensate for the specific risks of end-user computing. Intensity, invasiveness, and cost of controls must be balanced with the risks associated with each end-user application. The challenge for internal auditors is to stay abreast of ongoing advances, evaluate management's risk assessment, and provide advice on controls to minimize identified risks. The following are areas for consideration by management when evaluating its risk assessment and control framework for end-user computing:

- Policy directives and standards
- Support
- Application development
- Documentation
- Segregation of non-compatible duties
- Security

Explain the implications of emerging technologies for the internal auditing profession.
Emerging technologies are new, and therefore existing control systems may not be sufficient. Internal auditors are now acting as partners and consultants in business and IT planning roles that will continue to grow as new technologies emerge. Internal auditors will be challenged to maintain adequate knowledge of emerging technologies and to propose appropriate security and control measures to their organizations and clients on a timely basis. Internal auditors will require business and technology skills, updated continuously through training and development. They must proactively explore new technologies to achieve auditing efficiencies through improved communications, sharing of successful practices, greater collaboration, and a team-based approach to work.

Determine the impact of e-commerce on internal auditing.


E-commerce can take many forms; the following are the most common:

- EDI transactions (based on standardized transaction formats between trading partners)
- Web-based transactions (open to the public over the Internet)

The internal auditor needs to evaluate the following areas of e-commerce:

- Authentication between the trading parties
- Confidentiality
- Access controls using firewalls to protect the internal IT systems
- Virus scanning and eradication systems
- Non-repudiation controls

Hackers pose a specific risk for all organizations, especially those involved in e-commerce. Hackers are individuals who attack computer installations and should never be underestimated. The internal auditor should ensure that all controls are in place to safeguard the organization from this risk.


Module 7: Self-test
1. Multiple choice

a. There are different control frameworks that assist internal auditors in evaluating internal controls in an IT environment. Which of the following best describes the four domains around which the COBIT framework is organized?
   1. Planning and organization; acquisition and implementation; delivery and support; monitoring
   2. Planning and organization; acquisition and implementation; systems development; systems security
   3. Delivery and support; systems development; systems security; plans for IT personnel continuity
   4. Planning and organization; acquisition and development; delivery and support; plans for IT personnel continuity

b. IT has had an impact on the way auditors approach an audit. Which of the following statements does not represent an effect of a client computerizing their accounting systems?
   1. If interest calculation computer programs are not properly designed and tested, there is an increased risk that all transactions with an interest component will be incorrect.
   2. In manual systems, all control processes are visible. However, when an accounting system is computerized, the control procedures are built into the application system, and previously manual control procedures are no longer visible. The auditor will not need to examine manual control procedures because automated control processes will now have to be tested.
   3. The combined skills and competence required of the audit team will need to include the ability to identify and evaluate internal controls in an IT environment.
   4. The use of a computer to assist with audit steps can improve the effectiveness and efficiency of the audit. Thus, the auditor could now consider opportunities for using CAATs where the client has computerized his/her accounting systems.

c. For general controls in an IT environment, which of the following statements is true?
   1. The area responsible for computer operations should be responsible for application systems maintenance, running batch programs, and backing up application system data and programs.
   2. Application systems development should be subject to a formal methodology, which includes defined standards within a formalized approach in initiating the system requirement, investigating the feasibility of the system, defining user requirements, systems design, program construction, acceptance testing, conversion, and implementation.
   3. To enable users to fully utilize the available functions in the inventory system, the program documentation should be made available to all warehousing staff.
   4. Emergency changes to application system programs that are required due to program failure should always be required to follow the control processes established for changes initiated by the application system users.

d. Which of the following statements represents a programmed application control?
   1. The accounts receivable system generates an aged list of customer accounts for review and follow-up by the credit control manager.
   2. The credit control manager reviews the customer's financial statements for the past financial year before revising the credit limits in the sales and accounts receivable system.
   3. The operating system automatically initiates a daily data back-up batch run at midnight.
   4. A personal identification number must be entered into a keypad located at the entrance to the computer room before personnel are granted access.

e. An internal auditor is reviewing the adequacy of existing policies and procedures concerning end-user computing activities. Which of the following is the auditor testing?
   1. An application control
   2. An organizational control
   3. An environmental control
   4. A systems control

Solution

2. CASE STUDY T7-1: Auditing personal computer environments

Your company has invested heavily in personal computing resources with the intent of reducing the amount of paperwork and spending on communications. Many of the personal computers are networked to provide automated office communications. Others are used for word processing and important business applications. A central IT support group has specified hardware and software requirements, and has provided assistance to purchasing in the vendor selection process. Before any acquisitions can take place, company procedures require a cost-benefit study.

Senior management has expressed concern about the proliferation of personal computers and the relatively poor results. Correspondence and reports are not as timely as expected and often contain errors. It has become difficult to tell which personal system contains the most authoritative figures, and occasionally, information produced fails to coincide with rules of thumb used by seasoned managers.

As an internal auditor, you have contributed to the cost-benefit study by conducting a special review of personal computer installations. You reported your findings and recommendations to the senior management committee. The audit review found that equipment was underutilized and that the benefits originally expected were not being realized. Local management and staff had plenty of ideas, but found it difficult to make new applications operational. Those systems that were functioning were poorly documented. Information on the hard drives and network file servers was seldom backed up, and the staff operating the personal computers had difficulty using some of the software. Some managers had hired consultants to help program their applications, but found the costs excessive. There was little evidence of any IT development and acquisition methodology when new applications were being developed.
Required

On the basis of your findings, draft your recommendations with respect to the assignment of responsibilities between the IT group, the managers who use the personal computers, and the internal audit function.

Solution

3. CASE STUDY T7-2: Personal Printing Inc.

Concerns have been raised about a plan your CEO has tabled with the board of directors, which entails making significant investments in a variety of emerging technologies over the next five years. The board seems generally unfamiliar and uncomfortable with these emerging technologies. It is whispered that the senior management team is quietly planning to make a takeover bid on one of the competitors whom the board members view as a renegade in terms of e-commerce activities and radical product lines. Apparently, when pressed for information, your CEO seems unable to clearly state what returns these investments will produce, what the payback period will be, or even how some of the technologies are intended to work. Needless to say, there is skepticism among some of the older members of the board. As internal auditor, you are requested to make a presentation to the company's audit committee to advise whether funds that would otherwise be available for dividend increases are being misdirected, and how the audit department proposes to find out.
Required

Prepare the presentation by identifying opportunities and risks of the venture, and then describe your role in the evaluation.

Solution

4. CASE STUDY T7-3: Meander Inc.

You are the IT audit specialist in the internal audit department at Meander Inc., a growing distributor of building supplies. Having just completed an examination of the company's information technologies, you are reviewing your audit working papers in preparation for drafting the internal audit report. Your working papers highlight the following issues:

a. The information systems and technology manager (ISTM) presently reports to the director of finance, who reports to the vice-president of finance. The ISTM has repeatedly requested replacements to upgrade the aging connectivity infrastructure to a fibre-optic cable standard that would be capable of supporting requirements for greater bandwidths and faster response times. Sadly, these requests have been denied and priority has been given to the implementation of a new financial accounting application package. If steps are not taken to remedy this situation, erosion of online response times of the integrated marketing, inventory, purchasing system (IMIPS) is to be expected, and marketing's demands for video-conferenced national sales meetings and customer liaison will not be achieved.

b. Transaction files on tape are used daily to update the various master files, including Meander Inc.'s payroll system, which continues to be processed at the mainframe computing facility in Unionville. As a cost-cutting measure taken during the recession, it was decided that transaction tapes would be sent directly to the tape recycling facility at the end of each payroll run.

c. Daily integrated marketing, inventory, purchasing system (IMIPS) activity summaries and exception reports are written onto a network storage drive for laser printing at a later date. You noted that these summaries and exception reports have not yet been printed for the last 11 working days.

d. To economize on salary and benefit costs, the two former positions of Accounting Systems User Analyst and Accounting Systems Operator have been combined into one position. The qualifications, ability, and experience of the incumbent are good.

e. Your review of recent software enhancements and upgrades indicated that the program, which computes interest on overdue accounts receivable, was modified recently. The changes were designed and programmed by the accounting systems user analyst/operator, independently tested by operating systems department staff, and checked by the manager of processing operations.
Required

Draft the findings and recommendations section of the internal audit report to Meander Inc.'s management.

Solution

5. CASE STUDY T7-4: Nut Case, Inc.

From a review of your prior year's working papers and from audit planning discussions with John Case and Mary Nut (the directors), William Bates (the IT division head), and Justin Balance (the chief accountant), you have gathered the general information relating to the business and related information technology environment of Nut Case, Inc.

You determine that for the past few years, William has been the driving force behind the growth and sophistication of Nut Case's information systems and has received enthusiastic support from the directors. Executive management support has particularly been forthcoming from Mary, who considers herself to be highly computer-literate and has personally been involved in the hiring of the IT staff. The use of computerized systems has increased steadily over the past few years to the point where, according to Justin, the running of Nut Case is now totally dependent on its system. Mary mentioned that they had experienced some technical hitches earlier in the year when they connected to the Internet to take advantage of electronic communication with customers and suppliers. William advised that the company's use of web-based technology is in the initial testing phase and will not be in place by the end of the current financial year. He further explained that they are very conservative in their approach, following established standards and procedures, and have defined their planned future use of technology in a detailed strategy document. (He provided you with a copy of the strategy and annual business plans for the IT division, as well as with a status of implementation as of two months ago.) William advised that "we like to run a tight ship here, and instil in our managers and staff the need to adhere to good business practices and technology standards."

He further explained that the IT policies and procedures (which were assessed as appropriate and effective in the previous audit) have been further improved to incorporate the recommendations made by an independent consulting firm who had performed a penetration attack test following Nut Case's implementation of the web server. These recommendations related to improving the firewall. William further stated, "I have advised my managers that they need to comply with and contribute to the maintenance of the policies and procedures." He also indicated that the COBIT framework was used as the basis for developing a self-evaluation of Nut Case's IT governance and controls. You also interviewed the IT managers from the technical support, operations, and systems development departments.

The managers are proud of the IT division's achievements and emphasized their efforts in the operational and strategic planning process. The technical support manager remarked that it was hard work and involved long hours, "but it was worth it. Just look at the results." You establish that progress against the IT operational plan is discussed at the IT division's monthly management meeting and the strategic plan is monitored on a continuous basis. "After all," said the operations manager, "Mary wants to know how we are doing at the quarterly IT steering committee meetings." The managers all expressed that they fully understood what was expected of them and were happy in their jobs. "We have not lost a single technical person in the last 18 months, which is remarkable considering the career opportunities in the market today," the systems development manager added. The technical support manager gave you a diagram of the computer environment (Exhibit S7-1).
Exhibit S7-1: Nut Case computer environment overview

"This is our environment and we have had outstanding performance so far, with almost no downtime for our users. The main LAN with the applications, database, and print servers are located in the main administrative building in the basement. The servers themselves are located in the computer room, which has a protected environment. A flea could not get into that place. It's like Fort Knox!" stated the operations manager, who added, "We have to use a magnetic card and then key in a code to actually get into the computer room." You later observed this operation and noticed that the entrance and room were monitored by closed circuit cameras. You also confirmed with the security department that all movement to and from the computer room was logged, and the logs were submitted to William Bates each morning. The technical support manager also advised that the factory and warehouse servers (although located outside the main administration building) were in locked rooms to which only the LAN administrators in his section had access. "Oh, and by the way, all the network hubs and routers, in fact all the network components, are secured in locked wiring closets. We cannot be too careful," added the technical support manager. You later confirmed that the buyer, sales, and IT LAN servers were also located in the computer room and the workstations were on the second floor. You also noticed that the factory was fenced and a small contingent of security guards observed all employees who entered and exited the factory and office premises.

The operations manager advised that six months ago, the organization had conducted a renewed risk assessment of the impact that a significant interruption would have on Nut Case's business. "Following this assessment of the application systems and the technology infrastructure required to support them, we have recently signed a hot site agreement with Keep Up and Running Inc. They have a very similar set-up to us and it will not be a major task to recover from a disaster," the systems development manager added. The operations manager agreed, and proceeded to extensively explain how well the first full recovery test went and how it confirmed that the business continuity plan would work. (You later confirmed the successful recovery of all major application systems from the off-site backups with the chief accountant and warehouse manager, Dave Stored.) The operations manager further explained that her section is responsible for migrating all approved program changes from the test environment into production and for running all the batch jobs, including the application system and database backups. "We also distribute the reports to the factory and warehouse managers each morning. The accounting section, the buyers, and sales area collect their own output."

The operations manager further indicated that it is policy for the operations section to ensure that the ZapEm anti-virus software is installed and running on all servers and loaded on all workstations. She told you that ZapEm fires up on the workstations each day when the user first logs onto the network. "We send out a monthly newsletter to all staff to keep them aware of the threat from viruses. We also provide the help desk with the newsletters and we have not had a single report of a virus in the past 10 months."

The technical support section is responsible for the installation and maintenance of equipment and systems software, and for the system and network security. "We only provide access to the network and applications on receipt of a memo from the responsible manager. Each day, I review all new user IDs and changes made to existing user access rights, if any. In addition, I make sure that all user accounts are promptly disabled for employees who leave Nut Case." The technical support manager added, "The policy from the IT steering committee is clear, and I agree with their requirements for the password rules we have set up on our networks." You subsequently review the password policies and note that the system should enforce a minimum password length of seven characters; require a mix of alpha, numeric, and special characters; enforce changes every 35 days; and disallow the reuse of the previous 10 passwords. You also establish that a default password "nutcase" is used for all new user IDs. This must be changed on the new employee's first login. From discussions with user managers, you are told that their staff have only five attempts to log into the network before they are locked out and must phone the technical support area to enable them to get back into the system.

In response to your question on the systems development methodology, the systems development manager stated, "We have a well-defined, tried, and tested set of procedures and standards. Most of our major application systems are proprietary, and we followed an intensive evaluation phase together with the users before we selected the vendor whose product was the best fit. That's from a business-needs and technological point of view." You subsequently confirmed the high level of user involvement in the selection and testing of each module, as well as any changes to systems, before the systems were implemented, through discussions with the chief accountant, warehouse manager, and sales manager. You also reviewed the change management committee minutes and noted that changes were evaluated and approved by the committee. It also reviewed any emergency changes that were made. The systems development manager added that the major application system modules were as follows:

Implemented in prior years:
- General ledger
- Project management and job costing in the factory

Implemented at the beginning of the current financial year:
- Sales and accounts receivable
- Capital assets

Implemented five months into the current financial year:
- Purchases and accounts payable
- Cash management, including electronic funds transfers from customers and to suppliers

You establish that the system modules are fairly integrated.
Required

Assess the IT general controls at Nut Case, Inc. Include a conclusion as to the strength of the general controls. Hint: Base your answer on the discussion of general controls provided in Topic 7.5.

Solution
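The password rules in the Nut Case case are a system configuration that an auditor tests by inspecting the actual settings and reperforming the rules. The following is an added example, not part of the course material or the case: it encodes the rules as stated in the case (minimum length seven, a mix of alpha, numeric and special characters, change every 35 days, no reuse of the previous 10 passwords, lockout after five attempts), compares them with an observed configuration, and evaluates sample passwords, including the stated default for new user IDs, against the length and mix rules. The observed configuration values and the sample passwords are constructed for illustration.

```python
"""Added example (not from the course or the case): check the Nut Case
password rules against an observed system configuration and sample
passwords. Policy values come from the case study; the observed
configuration and the sample passwords are constructed for illustration."""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """Password rules as stated in the Nut Case case study."""
    min_length: int = 7        # minimum length enforced by the system
    require_mix: bool = True   # alpha, numeric and special characters
    max_age_days: int = 35     # forced change interval
    history_size: int = 10     # previous passwords that may not be reused
    lockout_attempts: int = 5  # failed logins before the account is locked


NUT_CASE_POLICY = PasswordPolicy()
DEFAULT_NEW_USER_PASSWORD = "nutcase"  # default for new user IDs in the case


def complexity_findings(password, policy=NUT_CASE_POLICY):
    """Return the reasons a password fails the length/mix rules (an empty
    list means it satisfies them)."""
    findings = []
    if len(password) < policy.min_length:
        findings.append(f"length {len(password)} below minimum {policy.min_length}")
    if policy.require_mix:
        classes = (
            ("alpha", any(c.isalpha() for c in password)),
            ("numeric", any(c.isdigit() for c in password)),
            ("special", any(c in string.punctuation for c in password)),
        )
        missing = [name for name, present in classes if not present]
        if missing:
            findings.append("missing character classes: " + ", ".join(missing))
    return findings


def configuration_exceptions(observed, policy=NUT_CASE_POLICY):
    """Compare the settings read from the system (a dict of parameter name to
    value) with the policy; return {parameter: (observed, required)} for each
    setting that is weaker than the policy or missing altogether."""
    # policy value and a predicate "observed is at least as strong as required"
    rules = {
        "min_length": (policy.min_length, lambda o, r: o >= r),
        "require_mix": (policy.require_mix, lambda o, r: o or not r),
        "max_age_days": (policy.max_age_days, lambda o, r: o <= r),
        "history_size": (policy.history_size, lambda o, r: o >= r),
        "lockout_attempts": (policy.lockout_attempts, lambda o, r: o <= r),
    }
    exceptions = {}
    for name, (required, strong_enough) in rules.items():
        if name not in observed or not strong_enough(observed[name], required):
            exceptions[name] = (observed.get(name), required)
    return exceptions


# Constructed: what an auditor might read from the network's security settings.
OBSERVED_SETTINGS = {
    "min_length": 7,
    "require_mix": True,
    "max_age_days": 45,      # deliberately weaker than the 35-day rule
    "history_size": 10,
    "lockout_attempts": 5,
}

if __name__ == "__main__":
    for name, (obs, req) in configuration_exceptions(OBSERVED_SETTINGS).items():
        print(f"exception: {name} observed={obs} required={req}")
    for pw in (DEFAULT_NEW_USER_PASSWORD, "Ab3$efg"):
        print(pw, complexity_findings(pw) or "complies with length/mix rules")
```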


Self-test 7 Solution 1
a.
1. Correct. These are the four domains of the COBIT framework.
2. Incorrect. Systems development falls under acquisition and implementation, and systems security under delivery and support.
3. Incorrect. Systems development falls under acquisition and implementation, systems security under delivery and support, and continuity also falls under delivery and support.
4. Incorrect. Continuity falls under delivery and support.

b.
1. Incorrect. In contrast to manual calculations, where interest computation errors would likely be ad hoc and detected by independent checking/reviews, computer program errors would be systemic rather than random. This is an effect of computerization that an auditor would have to consider.
2. Correct. Manual control processes would still be relevant in a computerized system. It is generally not possible to automate all control procedures, and some human intervention would be required (such as review and approval of accounts receivable write-off entries).
3. Incorrect. To evaluate the adequacy of internal controls in an IT environment, it is necessary for an auditor to either have the skills, or use a specialist, to assess IT internal control objectives and control techniques.
4. Incorrect. The use of CAATs can certainly improve the effectiveness (100% testing instead of sampling) and efficiency (speed of calculation, sample selection, summarization, trend analysis, and analytical procedures) of an audit.

c.
1. Incorrect. Computer operations should not be responsible for application systems maintenance. Application systems programmers should maintain systems, and computer operations should transfer authorized changes into the production libraries. (Ensure authorized changes to programs through separation of duties.)
2. Correct. A formal systems development methodology should be used to ensure that the system delivers as expected and according to standards.
3. Incorrect. Access to program documentation should be restricted to application programmers. Users of application systems should not have free access to the documentation, because this increases the risk of unauthorized transactions through exploitation of system weaknesses.
4. Incorrect. Emergency changes cannot be subject to the same control procedures as planned changes. Because emergency changes often arise due to program failure, corrective action is taken immediately and the change is subsequently reviewed and approved.

d.
1. Correct. This is a computer-assisted control procedure that combines computer-produced data with manual user procedures.
2. Incorrect. This is a manual procedure.
3. Incorrect. This is a general (business continuity) control.
4. Incorrect. This is a physical access (general) control.

e.
1. Incorrect. Application controls are specific to the flow of transactions.
2. Correct. Organizational control concerns the proper segregation of duties and responsibilities within the information systems department. These duties are specified by the policies and procedures for the various information system functions, such as end-user computing.
3. Incorrect. Environmental controls influence the effective operation of all internal controls.
4. Incorrect. Systems control is not a sufficiently specific response.
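Answers b.1 and b.4 above contrast systemic program errors with ad hoc manual ones and note that a CAAT can test 100% of records rather than a sample. The script below is an added illustration, not part of the course solution: it recomputes interest charges for every record of a constructed accounts receivable extract under an assumed policy (1.5% per month after a 30-day grace period) and reports whether the exceptions share one misstatement factor, the signature of a program defect.

```python
from dataclasses import dataclass
from datetime import date

# Assumed interest policy for the constructed extract (not from the course):
MONTHLY_RATE = 0.015   # 1.5% per month on overdue balances
GRACE_DAYS = 30        # no interest within 30 days of the invoice date
TOLERANCE = 0.005      # rounding tolerance, in currency units


@dataclass
class ArRecord:
    account: str
    balance: float
    invoice_date: date
    system_interest: float   # interest as computed by the application program


def expected_interest(balance: float, invoice_date: date, as_of: date) -> float:
    """Independent recomputation of the interest charge under the policy above."""
    overdue = (as_of - invoice_date).days - GRACE_DAYS
    months = max(overdue, 0) // 30          # full months past the grace period
    return round(balance * MONTHLY_RATE * months, 2)


def classify(ratios: list) -> str:
    """Systemic if every exception misstates interest by the same factor
    (a program defect); ad hoc if the factors differ (isolated errors)."""
    if not ratios:
        return "none"
    return "systemic" if max(ratios) - min(ratios) < 1e-6 else "ad hoc"


def run_caat(extract: list, as_of: date) -> dict:
    """Test 100% of the extract; no sampling is needed once the data is available."""
    details, ratios = {}, []
    for rec in extract:
        exp = expected_interest(rec.balance, rec.invoice_date, as_of)
        if abs(exp - rec.system_interest) > TOLERANCE:
            details[rec.account] = {"expected": exp, "system": rec.system_interest}
            if exp:
                ratios.append(rec.system_interest / exp)
    return {"tested": len(extract), "exceptions": len(details),
            "pattern": classify(ratios), "details": details}


# Constructed extract: the application applied 2.0% per month instead of 1.5%.
AS_OF = date(2024, 6, 30)
SAMPLE_EXTRACT = [
    ArRecord("A001", 1000.00, date(2024, 3, 1), 60.00),
    ArRecord("A002", 2500.00, date(2024, 4, 15), 50.00),
    ArRecord("A003", 800.00, date(2024, 6, 10), 0.00),   # inside grace period
    ArRecord("A004", 400.00, date(2024, 1, 20), 32.00),
]

if __name__ == "__main__":
    print(run_caat(SAMPLE_EXTRACT, AS_OF))
```

Because every exception carries the same 4/3 factor, the auditor would look for an unauthorized or untested change to the interest routine rather than for individual input errors.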

Self-test 7 Solution 2
CASE STUDY T7-1: Auditing personal computer environments

Note: The purpose of this case is to show how the purchase and use of personal computers can be less beneficial than a company expects. It highlights the importance of assigning appropriate responsibilities to systems staff, management, and auditors in order to improve the effectiveness of the company's personal computer systems. It puts you in the position of the internal auditor who is expected to recommend changes to alleviate the problems identified. A number of valid approaches to this case are possible. One such approach follows.

If the responsibilities for the development, acquisition, implementation, use, and maintenance of personal computer systems are shared, the organization will probably optimize its investment in personal computing resources. Users need help in acquiring and developing new applications, and require guidance in operating and maintaining existing ones. Central control by IT professionals over system development generally does not work because the users can easily program personal computers.

It is recommended that the delegation of authority to the IT group gives the group responsibility for the following:
- Providing policies and standards to guide users when developing systems, maintaining programs, and operating equipment
- Maintaining specialized software
- Providing training to users on system operation and maintenance
- Dealing with operating problems

It is recommended that the authority delegated to managers responsible for the use of personal computers should be clear and should include the following:
- Ensuring adherence to policies and standards
- Appointing a site administrator who knows and understands the operations and equipment, to apply the policies and standards and identify trouble spots on a timely basis
- Defining training needs
- Monitoring results

It is recommended that the responsibilities of the internal auditing group include the following:
- Analyzing policies and procedural guidelines for completeness and practicality
- Examining computer applications and sites critical to effective business operations
- Evaluating the extent to which data assets, programs, and equipment are adequately safeguarded
- Reviewing non-critical applications periodically, as priorities permit

Self-test 7 Solution 3
CASE STUDY T7-2: Personal Printing Inc.

Your presentation should identify opportunities and risks associated with the CEO's plan and present a clear sense of the role the internal audit team will play in assisting the board of directors to discharge its responsibilities. The structure and content of the presentation should address the following areas:
Opportunities

It is likely essential for this organizations management to aggressively pursue opportunities to capture and harness emerging technologies to contribute to the achievement of increased share values and profitability. The prospects for an ability to pay future dividends may be enhanced. In a dynamic and highly competitive global economy, private and public sector organizations must commit large segments of their total resources to capture and harness technologies to maintain their effectiveness or competitive position, and to ensure the fulfillment of key strategic, operating, and financial goals. This approach may also have a significant impact on the longevity, competitive position, and long-term success of the company. New information technologies can help the organization pursue innovative ways of doing business, supply vital information to support management decisions at all levels of the organization, and help to control and reduce costs.
Risks

While there are some opportunities, there are also significant risks of failing to effectively manage the development and acquisition of emerging technologies. Below are some possible outcomes when the development/acquisition of IT is not well managed:
- Strategic, operational, and financial goals of the organization may not be achieved.
- Information technologies may not work properly to meet the functionality needs of users, possibly producing inaccurate, incomplete, or untimely information that is inadequate to support management decision making.
- Information technologies may not be developed, acquired, or successfully implemented on time, negatively impacting operational effectiveness and the firm's competitive position.
- Information technologies may not be developed within reasonable cost targets established through an approved financial budget.
- IT solutions may be implemented when more cost-effective options, such as outsourcing, might have been pursued.
- New information technologies may be developed or acquired, or existing ones modified, with inadequate controls that can permit errors, departures from acceptable accounting principles, and potentially, fraud.
- For leading competitors in the IT arena, innovation can be costly and may create anxiety among risk-averse customers.
- Business operations may be interrupted if information technologies fail to work properly, potentially causing significant financial loss and jeopardizing business continuity.
The internal auditor's role

The internal auditor should evaluate areas in IT development and acquisition projects, including the contribution to the organization, and present these evaluations to the board of directors. Main areas to examine would include strategic, operational, and financial planning processes; organization design and accountability frameworks; staff motivation; and monitoring and evaluation processes. Improvements in control systems and practices in these areas are likely to lead to greater profitability, share value, competitive position, corporate longevity, and ability to pay increasing future dividends.

As agents of constructive change, internal auditors are probably most effective when they identify opportunities to strengthen new IT designs and implementation plans at a time when improvements can be made with the least effort and cost. This implies a degree of active and ongoing participation as a member of project teams, which is not typical of the internal auditor's approach in other settings. Over a project's life, different team players are normally involved with different intensities as the project unfolds. Users, for example, are critically involved in identifying needs at the beginning of projects; IT professionals take on a leadership role in the middle part of projects for the systems analysis, design, and software coding components; and all players are keenly interested in testing and conversion activities.

As these are key areas of interest, the internal auditor will do the following:
- Monitor the project's compliance with the organization's IT development and acquisition methodology, which establishes project management standards
- Evaluate the design and execution of system and acceptance testing
- Closely monitor and evaluate the planning and execution of the conversion from the old technology to the new technology

Furthermore, in light of the internal auditor's training and professional expertise, he or she may be the most capable individual on the project team to advise on matters such as internal control requirements, management or audit trail needs, integrated CAAT design, the correct implementation of appropriate accounting principles, and overall cost-effectiveness.

Self-test 7 Solution 4
CASE STUDY T7-3: Meander Inc. Observations and recommendations

a.
Observation: The information technology department reports at too low a level in the organization and within a single function of the organization. IT investments have assumed a bias towards financial reporting applications at the expense of serving the current and expected future operational needs of departments such as marketing. During the audit, we noted that the information systems and technology manager (ISTM) reports to the director of finance. The system storage capacity has reached critical limits, and the computer systems department has been unable to obtain sufficient resources to pursue needed upgrades in connectivity to support marketing and sales activities. The effect will be significant reductions in customer service levels and potential loss of the company's competitive position.
Recommendation: Given the critical need to develop the company's connectivity infrastructure, we recommend that the ISTM report directly to the vice-president level. We also recommend that resources be redeployed from lower-priority investments and made available to purchase the needed fibre-optic network infrastructure.

b.
Observation: Controls with respect to continuity of processing are not adequate because there is presently no provision for backing up transaction data. There is the risk of permanent loss of transaction details if system problems develop. Detailed transactions could not be reconstructed because the only record is stored on transaction tapes that are not retained but are recycled at the end of each payroll run.
Recommendation: Backup systems and practices should be developed and documented to strengthen continuity controls. This would include backup for files, programs, hardware (alternate facilities), and contingency plans, all to ensure continuous operation of information processing and business operations support in the event of system failure.

c.
Observation: There is inefficient use of management information, leading to a weakness in management/supervisory control systems and practices. At present, there is a significant delay in printing some of the daily transaction summaries and exception reports. We noted several instances where computer runs from the previous week had not been printed. Failure to make these reports available for timely managerial review, analysis, and follow-up undermines management's control of this application system.
Recommendation: Management control information should be provided to management for timely review, analysis, and follow-up.

d.
Observation: There is inadequate segregation of non-compatible duties within the IT function. To ensure an appropriate level of control, the duties of systems analysis, design, and programming should be separate from information processing operations. The proposed segregation of duties is primarily to prevent illicit manipulation of information or related resources combined with the ability to conceal such actions.
Recommendation: The duties of systems analysis, design, and programming should be separated from IT operations. Duties should be arranged such that different individuals from separate functional areas perform these two important functions.

e.
Observation: Control systems and practices are not in place to ensure user approval of enhancements and upgrades to application programs. We found that accounts receivable management did not approve changes to the accounts receivable program in connection with the calculation of interest charges. Although the changes were tested and independently approved by staff in IT operations, it is important that the users, who have the best knowledge of the correct operation of the system and fiduciary accountability, should approve all program changes.
Recommendation: Management of the primary user department should approve all application program changes.

Self-test 7 Solution 5
CASE STUDY T7-4: Nut Case Inc. Assessment of general computer controls

You should identify the general control framework and the key controls associated with each area, as follows:
Organization and management

There are well-defined responsibilities, which are communicated and accepted by the IT and user communities. IT management has maintained up-to-date policies, procedures, and standards covering all significant IT and end-user computing activities. The strategic and operation plans are current, and IT projects and performance are closely monitored by senior management through the IT steering committee. There is adequate segregation of duties between IT operations and the user functions. Management is using a generally accepted control framework tool (COBIT).
Application systems acquisition, development, and maintenance

The organization has complied with its formal systems development and acquisition methodology. The accounting system modules were thoroughly evaluated (with a high level of user involvement) and tested prior to being accepted by user management and implemented. The implementation of the new module was well controlled through the change management committee.
Change control (Application system maintenance)

There are strong controls over changes, including emergency change review. The operations section is responsible for migrating all approved program changes.
Computer operations

Strong anti-virus policies, procedures, and techniques are in place. Access to computer operations is restricted to authorized personnel through strong physical access controls:
- Good perimeter physical security around the factory and office locations
- Use of card keys to gain access to office areas is well controlled
- File servers and network components are physically secured
- After-hours logging and monitoring of offices and computer locations
System software controls

Strong logical access controls (password protected) are in place over software programs.
Data entry and program controls

Physical security:
- Use of card keys to gain access to the computer room is well controlled
- After-hours logging and monitoring of access to the computer room

Logical access controls in place:
- All access provided is authorized and reviewed.
- A firewall is in place to protect local networks and was improved early in the year. Penetration testing results are positive.
- Strong password policies are in place and implemented (automated enforcement).
- Creation of new user accounts is closely monitored.
- Inactive user accounts are removed on a timely basis.
- Good intrusion prevention, account lockout, and response procedures are in place.
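Two of the logical access controls listed for Nut Case, that all access is authorized and that inactive accounts are removed promptly, are the kind of control an auditor can test against the whole account population. The script below is an added example, not part of the case solution: it compares a constructed live account extract with a constructed approved access register under an assumed 90-day inactivity limit and returns the exceptions to follow up.

```python
from datetime import date

# Assumed review policy for this constructed example (not from the case):
INACTIVITY_LIMIT_DAYS = 90   # accounts unused this long should have been removed


def review_accounts(accounts: list, authorized: dict, as_of: date) -> list:
    """Test the live account list against the approved access register.
    Returns (user, finding) pairs; an account can raise more than one."""
    findings = []
    for acct in accounts:
        user, role = acct["user"], acct["role"]
        approved_role = authorized.get(user)
        # Control: every account traces back to an approved access request,
        # and the role actually granted does not exceed what was approved.
        if approved_role is None:
            findings.append((user, "no approved access request on file"))
        elif approved_role != role:
            findings.append((user, f"role {role} differs from approved role {approved_role}"))
        # Control: inactive (or never-used) accounts are removed on time.
        last_used = acct["last_login"] or acct["created"]
        idle_days = (as_of - last_used).days
        if idle_days > INACTIVITY_LIMIT_DAYS:
            state = "never used" if acct["last_login"] is None else "inactive"
            findings.append((user, f"{state} for {idle_days} days, not removed"))
    return findings


# Constructed data: approved access register and a live account extract.
AUTHORIZED = {"jsmith": "user", "rlee": "user", "tmoore": "user", "kpatel": "user"}
ACCOUNTS = [
    {"user": "jsmith",   "role": "user",  "created": date(2023, 9, 1),  "last_login": date(2024, 6, 20)},
    {"user": "rlee",     "role": "admin", "created": date(2023, 9, 1),  "last_login": date(2024, 6, 28)},
    {"user": "tmoore",   "role": "user",  "created": date(2023, 9, 1),  "last_login": date(2024, 2, 1)},
    {"user": "vendor01", "role": "user",  "created": date(2024, 5, 15), "last_login": date(2024, 6, 1)},
    {"user": "kpatel",   "role": "user",  "created": date(2024, 1, 5),  "last_login": None},
]
AS_OF = date(2024, 6, 30)

if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, AUTHORIZED, AS_OF):
        print(f"{user}: {finding}")
```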
Continuity of operations

Planning for recovery is based on a risk assessment. Backups are taken regularly and stored off-site. Arrangements have been made for an alternate site, and these have recently been tested. Nut Case has an up-to-date business continuity plan, which was tested during the year.
Overall conclusion

The general IT controls at Nut Case, Inc. have been appropriately designed and implemented and, as far as the evidence reviewed indicates, appear to be working effectively.