SlideShare a Scribd company logo

Chapter 15-Accounting Information System

Download as PPTX, PDF
R
RejiePantinople

Accounting ppt

Education
1 of 19
IT CONTROLS Part I: Sarbanes- Oxley and IT Governance
LEARNING OBJECTIVES: AFTER STUDYING THIS CHAPTER, YOU SHOULD:  Understand the key features of Sections 302 and 404 of the Sarbanes-Oxley Act  Understand management and auditor responsibilities under Sections 302 and 404.  Understand the risks of incompatible functions and how to structure the IT function.  Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities.  Understand the key elements of a disaster recovery plan.  Be familiar with the benefits, risks, and audit issues related to IT outsourcing.
 SOX of 2022 established new corporate governance regulations and standards for public companies registered with the Securities and Exchange Commission (SEC).  Section 302 requires corporate management (including the CEO) to certify financial and other information contained in the organization’s quarterly and annual reports.  Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls over financial reporting. OVERVIEW OF SOX SECTIONS 302 and 404
Relationship between IT Controls and Financial Reporting Information technology drives the financial reporting processes of modern organizations. Automated systems initiate, authorize, record, and report the effects of financial transactions. • Application control ensure the validity, completeness, and accuracy pf financial transactions. • General controls have other names in other frameworks, including general computer controls and information technology controls. Whatever name is used, they include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes. Two broad groupings of information system controls • APPLICATION CONTROLS • GENERAL CONTROLS
Computer Controls and Auditing
IT GOVERNANCE CONTROL IT governance is a broad concept relating to the decision rights and accountability for encouraging desirable behavior in the use of IT. Although important, not all elements of IT governance relate specifically to control issues that SOX addresses and that are outlined in the COSO framework Organizational Structure Controls Previous chapters have stressed the importance of segregating incompatible duties within manual activities. Specifically, operational tasks should be separated to: 1. Segregate the task of transaction authorization from transaction processing. 2. Segregate record keeping from asset custody. 3. Divide transaction-processing tasks among individuals so that fraud will require collusion between two or more individuals.
SEGREGATION OF DUTIES WITHIN THE CENTRALIZED FIRM Separating Systems Development from Computer Operations The segregation of systems development (both new systems development and maintenance) and operations activities is of the greatest importance. The responsibilities of these groups should not be comingled. Systems development and maintenance professionals acquire (by in-house development and purchase) and maintain systems for users. Operations staff should run these systems and have no involvement in their design and implementation. Consolidating these functions invites fraud. With detailed knowledge of an application’s logic and control parameters along with access to the computer operations, an individual could make unauthorized changes to application logic during execution. Such changes may be temporary (on the fly) and will disappear with little or no trace when the application terminates. Separating the Database Administrator from Other Functions Another important organizational control is the segregation of the database administrator (DBA) function from other IT functions. The DBA is responsible for a number of critical tasks pertaining to database security, including creating the database schema, creating user views (subschemas), assigning access authority to users, monitoring database usage, and planning for future expansion
Separating the DBA from Systems Development Programmers create applications that access, update, and retrieve data from the database. To achieve database access, therefore, both the programmer and the DBA need to agree as to the attributes and tables (the user view) to make available to the application (or user) in question. Separating New Systems Development from Maintenance Some companies organize their systems development function into two groups: systems analysis and programming. The systems analysis group works with the user to produce a detailed design of the new system. The programming group codes the programs according to these design specifications
Incompatibility Distributing responsibility for the purchases of software and hardware can result in uncoordinated and poorly conceived decisions. Organizational users, working independently, may select different and incompatible operating systems, technology platforms, spreadsheets, word processing, and database packages, which can impair internal communications. Redundancy Autonomous systems development activities throughout the firm can result in the creation of redundant applications and databases. Programs that one user creates that could be used with little or no change by others will be redesigned from scratch rather than shared. Likewise, data common to many users may be reproduced, resulting in a high level of data redundancy Consolidating Incompatible Activities The redistribution of IT functions to user areas can result in the creation of many very small units. Achieving an adequate segregation of duties may be economically or operationally infeasible in this setting. Thus, one person (or a small group) may be responsible for program development, program maintenance, and computer operations The Distributed Model
Acquiring Qualified Professionals End users are typically not qualified to evaluate the technical credentials and relevant experience of prospective IT employees. Also, because the organizational unit into which these candidates are entering is small, opportunities for personal growth, continuing education, and promotion are limited. For these reasons, distributed IT units may have difficulty attracting highly qualified personnel. Lack of Standards For the aforementioned reasons, standards for systems development, documentation, and evaluating performance tend to be unevenly applied or nonexistent in the distributed environment
Computer Center Security and Controls Fires, floods, wind, sabotage, earthquakes, or even power outages can deprive an organization of its data processing facilities and bring to a halt those functions that are performed or aided by the computer. Although the likelihood of such a disastrous event is remote, the consequences to the organization could be serious. If a disaster occurs, the organization not only loses its investment in data processing facilities, but more importantly, it also loses its ability to do business
● Physical Location The physical location selected for a computer center can influence the risk of disaster. To the extent possible, the computer center should be located away from human-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults. ● Construction Ideally, a computer center should be located in a single-story building of solid construction with controlled access (discussed in the following section). Utility (power and telephone) and communications lines should be underground. The building windows should not open. An air filtration system should be in place that is capable of excluding pollens, dust, and dust mites
● Access Access to the computer center should be limited to the operators and other employees who work there. Programmers and analysts who occasionally need to correct program errors should be required to sign in and out. The computer center should maintain accurate records of all such events to verify the function of access control. The main entrance to the computer center should be through a single door, although fire exits with alarms are necessary. To achieve a higher level of security, closed- circuit cameras and video recording systems should monitor access. • Air Conditioning Computers function best in an air-conditioned environment. For mainframe computers, providing adequate air-conditioning is often a requirement of the vendor’s warranty. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors can occur in computer hardware when temperatures depart significantly from this range. Also, the risk of circuit damage from static electricity is increased when humidity drops. High humidity, on the other hand, can cause molds to grow and paper products (such as source documents) to swell and jam equipment
● Fire Suppression The most common threat to a firm’s computer equipment is fire. Half of the companies that suffer fires go out of business because of the loss of critical records, such as accounts receivable. The implementation of an effective fire-suppression system requires consultation with specialists.
Audit Procedures for Assessing Physical Security Controls TESTS OF PHYSICAL CONSTRUCTION. The auditor should obtain architectural plans to determine that the computer center is solidly built of fireproof material. There should be adequate drainage under the raised floor to allow water to flow away in the event of water damage from a fire in an upper floor or from some other source. In addition, the auditor should assess the physical location of the computer center. The facility should be located in an area that minimizes its exposure to fire, civil unrest, and other hazards TESTS OF THE FIRE DETECTION SYSTEM. The auditor should establish that fire detection and suppression equipment, both manual and automatic, are in place and are tested regularly. The fire-detection system should detect smoke, heat, and combustible fumes. The evidence may be obtained by reviewing official fire marshal records of tests, which are stored at the computer center. TESTS OF ACCESS CONTROL. The auditor must establish that routine access to the computer center is restricted to authorized employees. Details about visitor access (by programmers and others), such as arrival and departure times, purpose, and frequency of access, can be obtained by reviewing the access log. To establish the veracity of this document, the auditor may covertly observe the process by which access is permitted
Audit Procedures for Verifying Insurance Coverage The auditor should annually review the organization’s insurance coverage on its computer hardware, software, and physical facility. The auditor should verify that all new acquisitions are listed on the policy and that obsolete equipment and software have been deleted. Audit Procedures for Verifying Adequacy of Operator Documentation Computer operators use documentation called a run manual to run certain aspects of the system. In particular, large batch systems often require special attention from operators.
Disaster Recovery Planning A disaster recovery plan (DRP) is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. Although the details of each plan are unique to the needs of the organization, all workable plans possess common features. Providing Second-site Backup A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. The viable options available include the empty shell, recovery operations center, and internally provided backup
• Backup Data Files Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor’s expertise), and reduced IT costs. By moving IT facilities offshore to low labor-cost areas and/or through economies of scale (by combining the work of several clients), the vendor can perform the outsourced function more cheaply than the client firm could have otherwise. PERFORMING BACKUP AND OFF-SITE STORAGE PROCEDURES • Backup Documentation • Backup Supplies and Source Documents Outsourcing the IT Function
Distinctions between Commodity assets and Specific assets Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions. Specific IT assets, in contrast, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside their current use. Such assets may be tangible (computer equipment), intellectual (computer programs), or human. Examples of specific assets include systems development, application maintenance, data warehousing, and highly skilled employees trained to use organization-specific software.

Recommended

373512722-Employee-Leave-Management-System.docx
373512722-Employee-Leave-Management-System.docx373512722-Employee-Leave-Management-System.docx
373512722-Employee-Leave-Management-System.docxsanthoshyadav23
 
III SEM MCA-Module 4 -Ch2.pdf- Securing IoT
III SEM MCA-Module 4 -Ch2.pdf- Securing IoTIII SEM MCA-Module 4 -Ch2.pdf- Securing IoT
III SEM MCA-Module 4 -Ch2.pdf- Securing IoTRAJESHWARI M
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.gueste080564
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computingguestc1bca2
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.renetta
 
Book 2_Bab 11_Information Technology and ERM.pdf
Book 2_Bab 11_Information Technology and ERM.pdfBook 2_Bab 11_Information Technology and ERM.pdf
Book 2_Bab 11_Information Technology and ERM.pdfnoygemma2
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSridhar Karnam
 
Whitepaper: 4 Approaches to Systems Integration
Whitepaper: 4 Approaches to Systems IntegrationWhitepaper: 4 Approaches to Systems Integration
Whitepaper: 4 Approaches to Systems IntegrationAudacia
 

Recommended

373512722-Employee-Leave-Management-System.docx
373512722-Employee-Leave-Management-System.docx373512722-Employee-Leave-Management-System.docx
373512722-Employee-Leave-Management-System.docxsanthoshyadav23
 
III SEM MCA-Module 4 -Ch2.pdf- Securing IoT
III SEM MCA-Module 4 -Ch2.pdf- Securing IoTIII SEM MCA-Module 4 -Ch2.pdf- Securing IoT
III SEM MCA-Module 4 -Ch2.pdf- Securing IoTRAJESHWARI M
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.gueste080564
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computingguestc1bca2
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.renetta
 
Book 2_Bab 11_Information Technology and ERM.pdf
Book 2_Bab 11_Information Technology and ERM.pdfBook 2_Bab 11_Information Technology and ERM.pdf
Book 2_Bab 11_Information Technology and ERM.pdfnoygemma2
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSridhar Karnam
 
Whitepaper: 4 Approaches to Systems Integration
Whitepaper: 4 Approaches to Systems IntegrationWhitepaper: 4 Approaches to Systems Integration
Whitepaper: 4 Approaches to Systems IntegrationAudacia
 
Cloud Based Development for Medical Pharmacy and DCA Application
Cloud Based Development for Medical Pharmacy and DCA ApplicationCloud Based Development for Medical Pharmacy and DCA Application
Cloud Based Development for Medical Pharmacy and DCA ApplicationIRJET Journal
 
Computer Audit an Introductory
Computer Audit an IntroductoryComputer Audit an Introductory
Computer Audit an IntroductoryMNorazizi HM
 
A Framework for Dead stock Management System for in-house computer engineerin...
A Framework for Dead stock Management System for in-house computer engineerin...A Framework for Dead stock Management System for in-house computer engineerin...
A Framework for Dead stock Management System for in-house computer engineerin...theijes
 
IRJET- In-House File Tracking System
IRJET- In-House File Tracking SystemIRJET- In-House File Tracking System
IRJET- In-House File Tracking SystemIRJET Journal
 
Cloud Storage and Security
Cloud Storage and SecurityCloud Storage and Security
Cloud Storage and SecurityShashank Srivastava
 
Print report
Print reportPrint report
Print reportVed Prakash
 
Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...
Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...
Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...ARC Advisory Group
 
Advantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdfAdvantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdfOlivia Wilson
 
Advantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdfAdvantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdfHarry George
 
Advantages of Electronic Permit System
Advantages of Electronic Permit SystemAdvantages of Electronic Permit System
Advantages of Electronic Permit SystemOlivia Wilson
 
Patch Management
Patch ManagementPatch Management
Patch ManagementRadhakrishna Shamanna
 
Qtility - Content Management Strategies 2015
Qtility - Content Management Strategies 2015Qtility - Content Management Strategies 2015
Qtility - Content Management Strategies 2015clarkems
 
CMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docx
CMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docxCMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docx
CMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docxmccormicknadine86
 
HOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdf
HOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdfHOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdf
HOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdfAgaram Technologies
 
Moving to the cloud
Moving to the cloudMoving to the cloud
Moving to the cloudPedro Alexander Romero Tortosa
 
bankauditinITEnv
bankauditinITEnvbankauditinITEnv
bankauditinITEnvDr Vijay Pithadia Director
 
bankauditinITEnv
bankauditinITEnvbankauditinITEnv
bankauditinITEnvDr Vijay Pithadia Director
 
ch10.pptx
ch10.pptxch10.pptx
ch10.pptxgdfgdfgdf1
 
RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfwardell henley
 
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive ApproachThe 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive ApproachProtected Harbor
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaVirag Sontakke
 

More Related Content

Similar to Chapter 15-Accounting Information System

Cloud Based Development for Medical Pharmacy and DCA Application
Cloud Based Development for Medical Pharmacy and DCA ApplicationCloud Based Development for Medical Pharmacy and DCA Application
Cloud Based Development for Medical Pharmacy and DCA ApplicationIRJET Journal
 
Computer Audit an Introductory
Computer Audit an IntroductoryComputer Audit an Introductory
Computer Audit an IntroductoryMNorazizi HM
 
A Framework for Dead stock Management System for in-house computer engineerin...
A Framework for Dead stock Management System for in-house computer engineerin...A Framework for Dead stock Management System for in-house computer engineerin...
A Framework for Dead stock Management System for in-house computer engineerin...theijes
 
IRJET- In-House File Tracking System
IRJET- In-House File Tracking SystemIRJET- In-House File Tracking System
IRJET- In-House File Tracking SystemIRJET Journal
 
Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...
Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...
Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...ARC Advisory Group
 
Advantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdfAdvantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdfOlivia Wilson
 
Advantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdfAdvantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdfHarry George
 
Advantages of Electronic Permit System
Advantages of Electronic Permit SystemAdvantages of Electronic Permit System
Advantages of Electronic Permit SystemOlivia Wilson
 
Qtility - Content Management Strategies 2015
Qtility - Content Management Strategies 2015Qtility - Content Management Strategies 2015
Qtility - Content Management Strategies 2015clarkems
 
CMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docx
CMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docxCMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docx
CMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docxmccormicknadine86
 
HOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdf
HOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdfHOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdf
HOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdfAgaram Technologies
 
RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfwardell henley
 
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive ApproachThe 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive ApproachProtected Harbor
 

Similar to Chapter 15-Accounting Information System (20)

Cloud Based Development for Medical Pharmacy and DCA Application
Cloud Based Development for Medical Pharmacy and DCA ApplicationCloud Based Development for Medical Pharmacy and DCA Application
Cloud Based Development for Medical Pharmacy and DCA Application
 
Computer Audit an Introductory
Computer Audit an IntroductoryComputer Audit an Introductory
Computer Audit an Introductory
 
A Framework for Dead stock Management System for in-house computer engineerin...
A Framework for Dead stock Management System for in-house computer engineerin...A Framework for Dead stock Management System for in-house computer engineerin...
A Framework for Dead stock Management System for in-house computer engineerin...
 
IRJET- In-House File Tracking System
IRJET- In-House File Tracking SystemIRJET- In-House File Tracking System
IRJET- In-House File Tracking System
 
Cloud Storage and Security
Cloud Storage and SecurityCloud Storage and Security
Cloud Storage and Security
 
Print report
Print reportPrint report
Print report
 
Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...
Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...
Best Practices for Microsoft-Based Plant Software Address Reliability, Cost, ...
 
Advantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdfAdvantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdf
 
Advantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdfAdvantages of Electronic Permit System.pdf
Advantages of Electronic Permit System.pdf
 
Advantages of Electronic Permit System
Advantages of Electronic Permit SystemAdvantages of Electronic Permit System
Advantages of Electronic Permit System
 
Patch Management
Patch ManagementPatch Management
Patch Management
 
Qtility - Content Management Strategies 2015
Qtility - Content Management Strategies 2015Qtility - Content Management Strategies 2015
Qtility - Content Management Strategies 2015
 
CMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docx
CMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docxCMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docx
CMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Tea.docx
 
HOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdf
HOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdfHOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdf
HOW-CLOUD-IMPLEMENTATION-CAN-ENSURE-MAXIMUM-ROI.pdf
 
Moving to the cloud
Moving to the cloudMoving to the cloud
Moving to the cloud
 
bankauditinITEnv
bankauditinITEnvbankauditinITEnv
bankauditinITEnv
 
bankauditinITEnv
bankauditinITEnvbankauditinITEnv
bankauditinITEnv
 
ch10.pptx
ch10.pptxch10.pptx
ch10.pptx
 
RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdf
 
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive ApproachThe 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
 

Recently uploaded

Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaVirag Sontakke
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitolTechU
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerunnathinaik
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfadityarao40181
 

Recently uploaded (20)

Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developer
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 

Chapter 15-Accounting Information System

  • 1. IT CONTROLS Part I: Sarbanes- Oxley and IT Governance
  • 2. LEARNING OBJECTIVES: AFTER STUDYING THIS CHAPTER, YOU SHOULD:  Understand the key features of Sections 302 and 404 of the Sarbanes-Oxley Act  Understand management and auditor responsibilities under Sections 302 and 404.  Understand the risks of incompatible functions and how to structure the IT function.  Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities.  Understand the key elements of a disaster recovery plan.  Be familiar with the benefits, risks, and audit issues related to IT outsourcing.
  • 3.  SOX of 2022 established new corporate governance regulations and standards for public companies registered with the Securities and Exchange Commission (SEC).  Section 302 requires corporate management (including the CEO) to certify financial and other information contained in the organization’s quarterly and annual reports.  Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls over financial reporting. OVERVIEW OF SOX SECTIONS 302 and 404
  • 4. Relationship between IT Controls and Financial Reporting Information technology drives the financial reporting processes of modern organizations. Automated systems initiate, authorize, record, and report the effects of financial transactions. • Application control ensure the validity, completeness, and accuracy pf financial transactions. • General controls have other names in other frameworks, including general computer controls and information technology controls. Whatever name is used, they include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes. Two broad groupings of information system controls • APPLICATION CONTROLS • GENERAL CONTROLS
  • 6. IT GOVERNANCE CONTROL IT governance is a broad concept relating to the decision rights and accountability for encouraging desirable behavior in the use of IT. Although important, not all elements of IT governance relate specifically to control issues that SOX addresses and that are outlined in the COSO framework Organizational Structure Controls Previous chapters have stressed the importance of segregating incompatible duties within manual activities. Specifically, operational tasks should be separated to: 1. Segregate the task of transaction authorization from transaction processing. 2. Segregate record keeping from asset custody. 3. Divide transaction-processing tasks among individuals so that fraud will require collusion between two or more individuals.
  • 7. SEGREGATION OF DUTIES WITHIN THE CENTRALIZED FIRM Separating Systems Development from Computer Operations The segregation of systems development (both new systems development and maintenance) and operations activities is of the greatest importance. The responsibilities of these groups should not be comingled. Systems development and maintenance professionals acquire (by in-house development and purchase) and maintain systems for users. Operations staff should run these systems and have no involvement in their design and implementation. Consolidating these functions invites fraud. With detailed knowledge of an application’s logic and control parameters along with access to the computer operations, an individual could make unauthorized changes to application logic during execution. Such changes may be temporary (on the fly) and will disappear with little or no trace when the application terminates. Separating the Database Administrator from Other Functions Another important organizational control is the segregation of the database administrator (DBA) function from other IT functions. The DBA is responsible for a number of critical tasks pertaining to database security, including creating the database schema, creating user views (subschemas), assigning access authority to users, monitoring database usage, and planning for future expansion
  • 8. Separating the DBA from Systems Development Programmers create applications that access, update, and retrieve data from the database. To achieve database access, therefore, both the programmer and the DBA need to agree as to the attributes and tables (the user view) to make available to the application (or user) in question. Separating New Systems Development from Maintenance Some companies organize their systems development function into two groups: systems analysis and programming. The systems analysis group works with the user to produce a detailed design of the new system. The programming group codes the programs according to these design specifications
  • 9. Incompatibility Distributing responsibility for the purchases of software and hardware can result in uncoordinated and poorly conceived decisions. Organizational users, working independently, may select different and incompatible operating systems, technology platforms, spreadsheets, word processing, and database packages, which can impair internal communications. Redundancy Autonomous systems development activities throughout the firm can result in the creation of redundant applications and databases. Programs that one user creates that could be used with little or no change by others will be redesigned from scratch rather than shared. Likewise, data common to many users may be reproduced, resulting in a high level of data redundancy Consolidating Incompatible Activities The redistribution of IT functions to user areas can result in the creation of many very small units. Achieving an adequate segregation of duties may be economically or operationally infeasible in this setting. Thus, one person (or a small group) may be responsible for program development, program maintenance, and computer operations The Distributed Model
  • 10. Acquiring Qualified Professionals End users are typically not qualified to evaluate the technical credentials and relevant experience of prospective IT employees. Also, because the organizational unit into which these candidates are entering is small, opportunities for personal growth, continuing education, and promotion are limited. For these reasons, distributed IT units may have difficulty attracting highly qualified personnel. Lack of Standards For the aforementioned reasons, standards for systems development, documentation, and evaluating performance tend to be unevenly applied or nonexistent in the distributed environment
  • 11. Computer Center Security and Controls Fires, floods, wind, sabotage, earthquakes, or even power outages can deprive an organization of its data processing facilities and bring to a halt those functions that are performed or aided by the computer. Although the likelihood of such a disastrous event is remote, the consequences to the organization could be serious. If a disaster occurs, the organization not only loses its investment in data processing facilities, but more importantly, it also loses its ability to do business
  • 12. ● Physical Location The physical location selected for a computer center can influence the risk of disaster. To the extent possible, the computer center should be located away from human-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults. ● Construction Ideally, a computer center should be located in a single-story building of solid construction with controlled access (discussed in the following section). Utility (power and telephone) and communications lines should be underground. The building windows should not open. An air filtration system should be in place that is capable of excluding pollens, dust, and dust mites
  • 13. ● Access Access to the computer center should be limited to the operators and other employees who work there. Programmers and analysts who occasionally need to correct program errors should be required to sign in and out. The computer center should maintain accurate records of all such events to verify the function of access control. The main entrance to the computer center should be through a single door, although fire exits with alarms are necessary. To achieve a higher level of security, closed- circuit cameras and video recording systems should monitor access. • Air Conditioning Computers function best in an air-conditioned environment. For mainframe computers, providing adequate air-conditioning is often a requirement of the vendor’s warranty. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors can occur in computer hardware when temperatures depart significantly from this range. Also, the risk of circuit damage from static electricity is increased when humidity drops. High humidity, on the other hand, can cause molds to grow and paper products (such as source documents) to swell and jam equipment
  • 14. ● Fire Suppression The most common threat to a firm’s computer equipment is fire. Half of the companies that suffer fires go out of business because of the loss of critical records, such as accounts receivable. The implementation of an effective fire-suppression system requires consultation with specialists.
  • 15. Audit Procedures for Assessing Physical Security Controls TESTS OF PHYSICAL CONSTRUCTION. The auditor should obtain architectural plans to determine that the computer center is solidly built of fireproof material. There should be adequate drainage under the raised floor to allow water to flow away in the event of water damage from a fire in an upper floor or from some other source. In addition, the auditor should assess the physical location of the computer center. The facility should be located in an area that minimizes its exposure to fire, civil unrest, and other hazards TESTS OF THE FIRE DETECTION SYSTEM. The auditor should establish that fire detection and suppression equipment, both manual and automatic, are in place and are tested regularly. The fire-detection system should detect smoke, heat, and combustible fumes. The evidence may be obtained by reviewing official fire marshal records of tests, which are stored at the computer center. TESTS OF ACCESS CONTROL. The auditor must establish that routine access to the computer center is restricted to authorized employees. Details about visitor access (by programmers and others), such as arrival and departure times, purpose, and frequency of access, can be obtained by reviewing the access log. To establish the veracity of this document, the auditor may covertly observe the process by which access is permitted
  • 16. Audit Procedures for Verifying Insurance Coverage The auditor should annually review the organization’s insurance coverage on its computer hardware, software, and physical facility. The auditor should verify that all new acquisitions are listed on the policy and that obsolete equipment and software have been deleted. Audit Procedures for Verifying Adequacy of Operator Documentation Computer operators use documentation called a run manual to run certain aspects of the system. In particular, large batch systems often require special attention from operators.
  • 17. Disaster Recovery Planning A disaster recovery plan (DRP) is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. Although the details of each plan are unique to the needs of the organization, all workable plans possess common features. Providing Second-site Backup A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. The viable options available include the empty shell, recovery operations center, and internally provided backup
  • 18. • Backup Data Files Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor’s expertise), and reduced IT costs. By moving IT facilities offshore to low labor-cost areas and/or through economies of scale (by combining the work of several clients), the vendor can perform the outsourced function more cheaply than the client firm could have otherwise. PERFORMING BACKUP AND OFF-SITE STORAGE PROCEDURES • Backup Documentation • Backup Supplies and Source Documents Outsourcing the IT Function
  • 19. Distinctions between Commodity assets and Specific assets Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions. Specific IT assets, in contrast, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside their current use. Such assets may be tangible (computer equipment), intellectual (computer programs), or human. Examples of specific assets include systems development, application maintenance, data warehousing, and highly skilled employees trained to use organization-specific software.