IT AUDIT SOLUTIONS MANUAL

Chapter 3
Discussion Questions
3-1. Why is it important to identify and assess IT risk prior to developing IT internal controls? Auditors who concentrate on internal controls, rather than risk, might over-control. IT internal controls should serve the purpose of mitigating risk. They do not exist for their own sake. By assessing risk first, IT auditors focus only on those controls that add value by accomplishing this goal. 3-2. This chapter identified four types of IT risks: business, audit, security, and continuity risks. Discuss the similarities and differences among them. Business risk concerns inability to meet business goals and objectives. Audit risk stems from the failure of the audit to accomplish its goals and objectives. Security risk concerns data access and integrity. Continuity risk concerns the information system's availability and back up process. The risks are similar in that each results in an IT failure that impacts business effectiveness and efficiency. They all result from a failure in IT governance. They are different in the sense that they are each associated with a different aspect of risk and also in the nature of the impact they might have. 3-3. One approach to risk assessment is to identify threats, vulnerabilities, and acceptable risk levels. What vulnerabilities might exist for a business organizations intranet? There are several threats and associated vulnerabilities associated with a business organization's intranet. Vulnerabilities include impaired data confidentiality and privacy through remote or on-site access by unauthorized users, increased exposure to programmed threats such as viruses through remote or on-site access by unauthorized users and lack of maintained anti-virus software, and unauthorized access to assets by unauthorized users. 3-4. Describe three risk indicators that might be associated with a companys intranet. There are many risk indicators associated with a company's intranet. Network and ebusiness security are discussed in Chapters 6 and 7. Three risk indicators for a company's intranet would be: 1. Failure to maintain firewall security 2. Failure to maintain intrusion detection software 3. Failure to maintain user profile security, which includes multiple access levels and passwords

3-5. Why would an organization accept some level of risk? It is pretty much impossible to control against every type and level of risk and it is certainly not going to be cost-effective to do so. IT managers will often say that they have trouble sleeping at night because they know that they're vulnerable to risks. The budgets just aren't big enough to control for everything. Organizational entities need to assess risk and analyze it to determine what's acceptable and what isn't. They also need to weigh the costs of controls against various risks and their likelihood of occurrence. 3-6. What is the difference between COSO and ISO 9000? COSO is an internal control model or framework. ISO9000, on the other hand, is a set of standards of quality control. Both internal controls that protect IT assets and quality controls that improve processes can contribute to organizational effectiveness as they increase confidence. ISO9000 certification provides external organizational stakeholders with some comfort regarding quality. COSO does not entail certification and so, in that sense it may be more difficult to convey to the public that an organization has incorporated their internal control framework. 3-7. Discuss each of the five components of COSO. Which do you think is most important to an effective internal control system? The control environment is the overall organizational attitude toward control, especially that of top management. Because this attitude is likely to drive internal control emphasis, funding, and compliance in an organization, it is probably the most important component. Risk assessment is another component, which emphasizes the identification, measurement, and evaluation of risk. Control activities are the specific internal control procedures and policies. Information and communication concern the need to acquire and communicate information necessary to fulfill management strategies and objectives. Finally, monitoring ensures that an internal control system continues to operate as intended. 3-8. Go to the www.aicpa.org and view the new Trust Services Principles and Criteria. How does this new model incorporate SysTrustTM? The AICPA combined WebTrust and SysTrust principles and criteria under a new set of Trust Services Principles and Criteria, effective January 1, 2003. The SysTrust and WebTrust services had some commonalities that the AICPA sought to use to create a harmonized trust framework. The primary change is in terms of structure, order, and working of Principles and Criteria in order to obtain harmony. There are no new principles but the old SysTrust Principle of Maintainability is now subsumed under other principles. The new set of Principles are: Security, Availability, Processing Integrity, and Online Privacy and Confidentiality. SysTrust now has a two-month minimum

reporting period. Another change is that the SysTrust logo may now be used as a seal under specified conditions. There are other changes as well, but these are the primary ones. 3-9. How might an auditor use an internal control flowchart? Do you agree that a flowchart is a better documentation for internal control than an internal control narrative? An auditor may use an internal control flowchart to identify areas where controls are either strong or weak. Sometimes the creation of the flowchart itself will assist the auditor in obtaining an understanding of the system sufficient to identify internal control areas of concern. Flowcharts are superior to narratives if the auditor has some familiarity or training in developing and analyzing flowcharts. At a minimum, the auditor must be knowledgeable about the symbols used in the flowchart. Narratives of more than one paragraph are very difficult to follow. 3-10. Discuss the importance of monitoring risks and controls. What components would exist in a structure for monitoring risks and controls in a large, global public corporation? Monitoring risks and controls is important because in the absence of monitoring, controls are likely to be circumvented, and/or fall by the wayside. Internal controls frequently impede operational efficiency. For example, required authorizations add an extra step to a process. Monitoring controls ensures that employees continue to observe controls that have been implemented to mitigate risks. Monitoring risks ensures that new risks are identified and risks that no longer pose a threat have their associated controls eliminated. A large, global public corporation is likely to employ an internal audit staff. The internal audit staff can set up a plan for regular monitoring of risks and controls. This size corporation will also have external auditors to evaluate risks and controls.

Exercises
3-11. Mi Mexico, Inc., a national fast food restaurant chain, recently hired consultants to build a data mart containing its sales data. The company owns and operates 174 stores, with average annual revenue of $650,000 per store. Mi Mexico has an enterprise information system that integrates its accounting, human resource, and distribution subsystems. Appropriate sales data from the enterprise system is automatically sent to

the data mart. The marketing and sales department queries the data mart to learn about

sales trends and patterns. Jeff Ewing, the CIO recently met with Sylvia Rangel, the CFO, and Juan Hernandez from the Internal Audit department, to discuss risks and controls related to the new data mart. Required: 1. Describe any business, audit, security, or continuity risks that may be associated with the new data mart. The primary business risk is that the data mart fails to meet the business objectives for which it was designed. The internal audit staff will want to make sure that the information gleaned from the data mart is actually adding value in terms of improved customer satisfaction and retention, in increased sales from new customers, and perhaps information about sales related to various stores and menu items. The audit risks include inherent, control, and detection risks. Because a data mart uses secondary data, that is data that has already been used for operational purposes, data errors or misstatements are not likely to have the same impact as operational data. However, if there are errors in moving the data from operations to the data mart that are systematic, there is a chance that analysis of data mart information will lead to inaccurate conclusions. Data mart security includes data integrity and access. The data in the data mart has likely been audited at its source but some data will be transformed during the "data scrubbing" process that is necessary prior to its entry in the data mart. The logic associated with this scrubbing is important. Data in the data mart must have integrity in order to provide useful information. Since the data mart will include a lot of historical sales data, the data is sensitive with respect to competitors. Therefore, physical and logical access security is very important. As for continuity risk, again the fact that the data is not operational reduces the impact of its loss. Certainly there will be a cost to losing the data in the mart, but the loss will not impede operations. 2. How might Mi Mexico go about identifying specific risks and controls introduced by the new data mart? Mi Mexico can use the techniques described in this chapter to identify the risks and controls associated with the new data mart. They can use the approach described in Figure 3-3 and identify threats, vulnerabilities, and acceptable risk levels. Another approach would be to identify the risk indicators associated with a data mart. There is

likely to be guidance available for this from many sources, including the consultants who helped to create the data mart. Mi Mexico can look to the COSO framework for guidance on developing a system of internal controls over the data mart risk indicators. 3-12. Cyber Com is an Internet start-up company that offers business intelligence software and consulting services to help companies with customer relationship management. The business is quite new and has just recently completed a successful initial public offering (IPO). All of managements energies have been consumed with growing the business and successfully going public. As a result, there has not been much time devoted to internal control. The company uses state of the art technologies to manage its business. These include an enterprise-wide information system, electronic commerce, an Intranet, and a knowledge management system. The CEO has recently issued a directive to Joy Bridges, the CFO, to work with the companys auditor to see how they should proceed in developing an internal control system that manages the companys IT risks. Required: 1. How might you use COSO, CobiT , ISO 9000, or Six Sigma to help in constructing such an internal control system? ISO 9000 and Six Sigma are likely to be more useful in evaluating quality in a company that has been around a bit longer. A new company, such as CyberCom, should be most concerned with IT risks and controls, rather than the efficiency and quality of its processes at this point. COSO could help in developing an internal control system. The company could apply a risk assessment approach, such as one of the two described in the chapter, to determine risks. The auditor could develop a set of risk indicators for each technology and implement controls to mitigate the risks. Another option is to use CobiT to develop a comprehensive set of internal controls for the company. CobiT would be very useful as a structure to identify controls over the acquisition and deployment of IT, as well as over other specialized IT and IT processes.

2. After developing an internal control system to manage IT risks, Joy thinks it might be a good idea to have the companys auditor conduct a Systems Reliability Assurance engagement to test the controls. Explain the value this might add. This is a great idea. By using the structure for Systems Reliability Assurance, the auditor will be approaching risk and control from yet another vantage point. This may highlight some components that were missed in developing the system of internal control initially. Further, once the system meets the principles and criteria in the AICPA Trust engagement standards, CyberCom will be able to publicize its compliance. This may help to assure customers, suppliers, investors, and creditors that the company has appropriate controls over its IT risks. 3-13. Schneider Manufacturing, Inc. employs 236 salaried and hourly workers. All employees are paid on a weekly basis. The companys accounting information system includes a payroll module that records payroll expenses, issues checks, and updates the general ledger. The following is an internal control narrative for the payroll system: Hourly employees clock in and out to record their hours worked. Salaried employees do not report time, but they must complete a form available on the companys Intranet to account for vacation and sick days. Each week, departmental supervisors deliver time cards to the payroll office. The supervisors also deliver the completed and authorized vacation and sick day forms. A payroll clerk checks the cards and forms to see that they are complete and then enters them into the payroll system through a PC. The payroll software checks the entered data against employee files to verify the existence of employees and retrieve pay rates. The software contains several internal controls. For example, it checks to make sure that time worked does not exceed 60 hours a week. The software also makes sure that employees do not exceed allotted vacation and sick days. The payroll system either issues checks encoded with a digital signature, or makes direct deposits to employee bank accounts for those employees who have chosen this option. The payroll clerk prints the checks and gives them to the appropriate departmental supervisors for distribution to employees. The payroll system also produces a payroll register. The Accounting Department supervisor receives a copy of the payroll register. Required: 1. Prepare an internal control flowchart for Schneider Manufacturings payroll system, identifying internal controls as shown in Figure 3-7.

Employees
Hourly employees clock in and out 1

Supervisors
Time cards

Payroll Office
Time cards

1
Authorize vacation and sick day forms and print

Salaried employees enter sick and vacation days online

Printed out sick and vacation day forms

Printed out sick and vacation day forms

Payroll clerk checks cards and forms

3 Payroll clerk enters data into payroll system

Payroll software performs control checks

4 Payroll software produces checks or direct deposits

Payroll register Payroll checks 5 Payroll checks

2. Can you identify any internal control weaknesses associated with Schneider Manufacturings payroll system? Control Weaknesses: 1. Supervisors do not appear to check time cards 2. Should not be a need to print out vacation and sick forms. 3. Payroll data should automatically enter the system. 4. The company should consider mandatory direct deposit. 5. Supervisors do not appear to check payroll checks for reasonableness.