Hall Chapter 15

SOX Sections 302 and 404 (internal control and audit responsibilities)
Section 302
-

Requires corporate management to certify financial and other information

contained in an organizations quarterly and annual report
Certifying officers should have designed the internal controls or caused them to
be designed and to provide reasonable assurance as to the reliability of the
financial reporting process
Disclose material changes in internal controls

Section 404
-

Requires the management of public companies to assess the effectiveness of

their internal controls over financial reporting
Management should address the ff.:
o Describe the flow of transactions
o Asses both the design and operating effectiveness of selected internal
controls related to material accounts using risk-based approach
o Assess possibility of fraud and internal controls relating to them
o Evaluate and conclude on the adequacy of controls over the FS reporting
process
o Evaluate entity-wide controls that corresponds to the components of SAS
78

SEC recommends SAS 78/COSO as the control framework

Relationship b/w IT Controls and Financial Reporting
IS controls:
1. Application controls ensures validity, completeness and accuracy of financial
transactions; have a direct impact on the integrity of data
2. General controls(a.k.a. general computer controls or information technology
controls) not application-specific but apply to all systems; have an effect on
transaction integrity; needed to support the functioning of applications
controls
*Both are needed to ensure accurate financial reporting
Audit Implications of Sections 302 and 404
-

SOX mandates auditors attest to managements assessment of internal

controls
Issuance of a separate audit opinion in addition to opinion on fairness of FS
PCAOB requires auditors to understand the transaction flows of the entity
Requires management to provide external auditors w/ documented evidence of
functioning controls related to selected material accounts in its report on
control effectiveness
Perform quarterly to identify any material modifications in controls over
financial reporting
o Interview management regarding changes in IC

Hall Chapter 15
Evaluate implications of misstatements identified by the auditor
Determine whether changes in IC are likely to materially affect IC over
financial reporting
SOX places responsibility on auditors to detect fraudulent activities and
emphasize the importance of controls designed to prevent or detect fraud that
could lead to material misstatement
Management is responsible for implementing controls and auditors are
responsible to test them
o
o

Computer Fraud
-

Includes theft, misuse or misappropriation of:

o Computer hardware
o Assets by
Altering the logic of computer software
Altering computer-related records and files
Includes theft or illegal use of computer-readable information
Includes theft, corruption, illegal copying or intentional destruction of computer
software

General model of accounting IS - portrays the key stages of IS

1. Data collection
a. Control objective to ensure that event data entering the system are
valid, complete and free from material errors
b. Most important stage
c. Most common access point for perpetrating computer fraud
d. Network systems expose organizations to transaction frauds from
remote locations
i. Masquerading gain access to the system from a remote site by
pretending to be an authorized user
ii. Piggybacking perpetrator at a remote site taps in to the
telecommunications lines and latches on to an authorized user
who is logging in to the system; after gaining access, masquerade
iii. Hacking involves piggybacking or masquerading activities; their
motives are not usually to defraud for financial gain
2. Data processing
a. Data collected are processed to produce information
b. Include mathematical algorithms, statistical techniques and posting and
summarizing procedures
c. Frauds
i. Program Fraud
1. Creating illegal programs that can access data files to alter,
delete or insert values into accounting records
2. Destroying or corrupting a programs logic using a computer
virus
3. Altering program logic to cause the application to process
data incorrectly
Salami Fraud involves modifying the rounding logic of the
program so it no longer adds the one cent randomly
ii. Operations Fraud

Hall Chapter 15
1. Misuse or theft of the firms computer resources
2. Often involves using the computer to conduct personal
business
3. Database management
a. Physical repository for financial and nonfinancial data
b. Database management fraud
i. includes altering, deleting, corrupting, destroying, or stealing an
organizations data
ii. access to database files are essential for this
iii. often associated with transaction of program fraud
iv. can access the database from a remote site and browse files for
useful information
v. logic bomb a destructive routine that can be inserted into a
program ; at a specified time or when certain conditions are met,
it erases the data files that the program accesses
4. Information generation
a. Process of compiling, arranging, formatting and presenting information
to users
b. Information can be operational document or published financial
statement
c. Fraud Steal, misdirect or misuse computer output
d. Scavenging low-tech but effective technique; involves searching
through the trash of the computer center for discarded output --- useful
information
e. Eavesdropping listening to output transmissions over
telecommunications lines use data encryption; it is practically
impossible to prevent a determined perpetrator from accessing data
communication channels
* Uses a risk-based approach rather than a one-size-fits-it-all approach to the
design and assessment of controls
* Size and complexity of the organization needs to be considered in determining
nature and extent of controls that are necessary
IT Governance Controls
-

Concept relating to the decision rights and accountability for encouraging

desirable behavior in the set of IT
Not all IT governance relate specifically to control issues that SOX addresses
and that are outlined on the COSO framework
o Organizational Structure Controls
Tendency in an IT environment is to consolidate activities
Operational tasks that should be separated
Transaction authorization and transaction processing
Record keeping and asset custody
Transaction-processing tasks among individuals to avoid
collusion
* Focus of segregation control shifts from the organizational level to
higher-level organizational relationships w/in the IT function

Hall Chapter 15
Organizational Control Issues on the Generic Models:
1. Centralized
a. Separate systems development from the computer
operations
b. Separate the database administrator from other functions
i. Database administrator (DBA) vs. other IT functions
ii. DBA responsible for a number of critical tasks
pertaining to database security; its function is
organizationally independent
1. Create database scheme
2. Create subschema (user views) how database
access control
3. Assign access authority to users
4. Monitor database usage
5. Plan for future expansion
c. Separate DBA from systems development access control
d. Separate new systems development from maintenance
i. Systems development
1. Systems analysis group works with the user to
produce a detailed design of the new system
2. Programming codes the programs according to
the design specifications
ii. Programmer usually maintains the system
inadequate documentation & fraud
iii. Possible explanations for inadequate documentation:
1. Documenting is not as interesting as designing,
testing and implementing them
2. Job security to be indispensable to the
company
iv. Having sole responsibility for maintenance is an
important element in the duplicitous programmers
scheme
e. Superior structure for systems development
i. New systems development responsible for
designing, programming and implementing new
systems projects
ii. Systems maintenance maintenance of successful
projects
iii. Solves the inadequate documentation problem
2. Decentralized/Distributed Data Processing Model (DDP)
a. End-user departments control IT services
b. Consolidate functions that are traditionally separated and
distribute functions that are consolidated in centralized
c. Implications
i. Incompatibility software might not match hardware;
usage of different and incompatible technology might
impair internal communications
ii. Redundancy data common to many users

Hall Chapter 15
iii. Acquiring qualified professionals hard to attract
qualified personnel small opportunity
iv. Lack of standards unevenly applied or nonexistent
* Usually firms are somewhere in b/w the extreme points
* DDP control problems can be overcome by implementing a
corporate IT function has a different mission than that of the
centralized IT function; provides technical advice and expertise to the
various distributed IT functions
Creating a Corporate IT Function

Central testing of commercial software and hardware to plan

acquisitions
User services provides technical help to users during installation
of new software and in troubleshooting hardware and software
problems
Standard-setting body to improve relatively poor control
environment
Personnel review corporate group is better at evaluating
applicants

Audit Objectives relating organizational structure verify that

individuals in incompatible areas are segregated in accordance with
the level of potential risk and in a manner that promotes a working
environment, where formal relationships need to exist b/w
incompatible tasks

Audit procedures relating to organizational structure

Review the corporate policy on computer security. Verify that the
security policy is communicated to employees
Review documentation to determine if individuals or groups are
performing incompatible functions
Review systems documentation and maintenance records. Verify
that maintenance programmers are not also design programmers
Observe if segregation policies are followed in practice.
Review user rights and privileges. Verify that programmers have
access privileges consistent with their job descriptions
Computer Center Security and Controls
Control features that contribute to computer center security
1. Physical Location should be away from human-made and
natural hazards
2. Construction ideally, located in a single-storey building of
solid construction with controlled access; utility and
communications lines should be underground; bldg. windows
should not open; presence of air filtration system
3. Access limited access and sign in and sign out practice;
main entrance should be through a single door; fire exits w/
alarms are necessary; CCTV

Hall Chapter 15
4. Air conditioning for computer to function at its best; best in
temp. range of 70-75 degrees Fahrenheit and relative
humidity of 50%
5. Fire Suppression fire is the most common threat to firms
computer equipment
6. Fault Tolerance Controls ability of the system to continue
operations when part of the system fails because of hardware
failure, application program error or operator error; redundant
system components can help achieve fault tolerance
a. Redundant arrays of independent disks (RAIDS) 2
disks when one fails, lost data are automatically
reconstructed from the redundant components stored
on the other
b. Uninterruptible power supplies short-term backup
power to shut down in a controlled manner; must be
able to run computer and air-conditioning
* Total failure can occur only in the event of failure of multiple
components
Audit objectives relating to computer center security evaluate
the controls governing computer center security; verify:
1. Physical security controls are adequate to reasonably
protect the organization from physical exposures
2. Insurance coverage is adequate
3. Operator documentation is adequate to deal w/ routine
operations or system failures
Audit procedures for assessing physical security controls
1. Test of physical construction look at architectural plans
2. Test of fire detection system fire systems should be tested
regularly
3. Test of access control observe process by w/c access is
permitted
4. Test of fault tolerance control
Audit procedures for verifying insurance coverage annually
review insurance coverage
Audit procedures for verifying adequacy of operator
documentation

1. Run manual used to run certain aspects of the system;

must be reviewed for completeness and accuracy
Disaster Recovery Planning
Comprehensive statement of all actions to be taken before, during
and after a disaster
Second-site backup provide for duplicate data processing
facilities

Hall Chapter 15

The empty shell (cold site plan) company buys or leases a

building that will serve as a data center availability of
hardware needed to restore data processing function is the
problem
The recovery operations center (hot site) fully equipped
backup data center that many companies may share
Internally provided backup mirrored data center by
Pershing
Immediate recovery efforts should focus on restoring applications
and data that are critical for the organizations short-run survival;
primarily a business function responsibility of management to
know w/c to prioritize
All data files, application documentation and supplies needed to
perform critical function should be specified here backup daily,
as a minimum
Disaster Recovery Team team members should be experts in
their areas and have assigned tasks
Traditional control concerns do not apply in this setting business
continuity is the primary consideration
Test DRP periodically surprise carry as far as is economically
feasible

Audit objective in assessing DRP verify that managements disaster

recovery plan is adequate and feasible for dealing with a catastrophe
that could deprive the organization of its computing resources
Audit procedures for assessing DRP
1. Second-site backup evaluate adequacy of the backup site
arrangement
2. Critical application list review the list of critical application and
ensure that it is current and complete
3. Backup critical applications and critical data files verify if
procedures are in place to backup stored off-site copies of critical
application and data
4. Backup supplies, source documents and documentation store offsite
5. The disaster recovery team list the names , addresses and
emergency numbers of the members; verify if members are
current employees and are aware of their assigned responsibilities
Outsourcing the IT Function
-

Benefits: improved core business performance and IT performance and

reduced IT costs
Core competency theory organization should focus exclusively on its core
business competencies
Commodity IT assets not unique in the organization; easily acquired in the
market
Specific IT assets unique to the organization and support its strategic
objectives

Hall Chapter 15
-

Transaction cost economics theory firms should retain certain specific noncore IT assets in-house; supports outsourcing of commodity but not of specific
CEOs perception of what is a commodity IT assets is important for IT
outsourcing decisions
Inherent risks: failure to perform (vendors performance will affect you). Vendor
exploitation (dependency on the vendor might be taken advantage of the
vendor), outsourcing costs exceed benefits (immediate costs but expected
benefits are not yet realized), reduced security, loss of strategic advantage
(affects IT strategic planning and its business planning functions)
Audit implications of IT outsourcing SAS 70 --- prepared by vendors auditor
vendor can give it to his client and the client can show it to his auditor
o Management is still responsible of ensuring adequacy of IT internal
controls

APPENDIX
Attest Services vs. Assurance Services
- Attestation:
o Practitioner is engaged to issue a written communication that expresses a
conclusion about the reliability of a written assertion that is the
responsibility of another party
o Requirements:
Written assertions and a practitioners written report
Formal establishment of measurement criteria or their description in
the presentation
The levels of services in attestation engagements are limited to
examination, review and application of agreed-upon procedures
- Assurance:
o professional services that are designed to improve the quality of
information, both financial and non-financial, used by decision-makers
o includes, but is not limited to attestation
External Financial Audit an attestation performed by an expert who expresses an
opinion regarding the presentation of FS
Auditing Standards 10 GAAS
Statements on Auditing Standards
-

By AICPA
Are authoritative pronouncements because every member of the profession
must follow their recommendations or be able to show why as SAS does not
apply in a given situation

External Auditing vs. Internal Auditing

-

External auditing --- independent auditing --- financial audit --- represents
interest of third party stakeholders
If internal auditor reports directly to controller, external auditors reliance on the
work of internal auditor should not be made possible ( dont rely)

IT Audit focuses on the computer-based aspects of an organizations IS

Hall Chapter 15
Auditing is a systematic process of objectively obtaining and evaluating evidence
regarding assertions about economic actions and events to ascertain the degree of
correspondence b/w those assertions and established criteria and communicating the
results of interested users.
The Structure of an IT Audit

Audit
Planning
-

Obje
ctiv
e: to

obtain sufficient information about the firm to plan the other phases of audit
Analysis of audit risk is extensively done here
Identify principal exposures and controls that attempt to reduce them

Tests of Controls
-

Objective: determine whether adequate internal controls are in place and

functioning properly

Substantive Testing
-

Focuses on financial data

Involves a detailed investigation of specific account balances and transactions
Information needed to perform substantive tests are contained in the data filed
that often must be extracted using CAATs

Assessing Audit Risk and Designing Tests of Controls

-

Audit risk probability that auditor will render an unqualified (clean) opinion on
FS that are materially misstated
Errors unintentional mistakes
Irregularities intentional misrepresentation to perpetrate a fraud or to mislead
the users of FS
Auditors objective: minimize audit risk by performing tests of controls and
substantive tests

Audit Risks Components

1. Inherent risks - associated with the unique characteristics of the business or
industry of the client; cannot be changed by auditors

Hall Chapter 15
2. Control risks likelihood that the control structure is flawed because controls are
either absent or inadequate to prevent or detect errors in the accounts
3. Detection risks risk that auditors are willing to accept that errors not detected or
prevented by the control structure will also not be detected by auditors; must be
set at an acceptable level --- planned detection risk --- that influences the level of
substantive test to be performed
Relationship b/w tests of controls and substantive tests
-

Both are auditing techniques used for reducing total audit risk
Their relationship varies depending on the auditors risk assessment
Strong internal control low control risk less substantive testing
Weak IC high control risk more substantive testing (to reduce total audit
risk)
When controls are strong, auditors may limit substantive testing
Substantive testing is time consuming and also costly