This document outlines the objectives and key topics to be covered in Chapter 15 of the textbook "Accounting Information Systems, 6th edition". It will discuss the key provisions of Sections 302 and 404 of the Sarbanes-Oxley Act, including management responsibilities for internal controls over financial reporting. It will also cover IT controls related to financial reporting, risks of incompatible functions in IT organizational structures, controls over computer facilities, and elements of an effective disaster recovery plan.

1. Accounting Information Systems, 6th
edition
James A. Hall
COPYRIGHT © 2009 South-Western, a division of Cengage Learning. Cengage Learning and South-Western
are trademarks used herein under license

2. Objectives for Chapter 15
Key features of Sections 302 and 404 of the Sarbanes-
Oxley Act
Management and auditor responsibilities under
Sections 302 and 404
Risks of incompatible functions and how to structure
the IT function
Controls and security of an organization’s computer
facilities
 Key elements of a disaster recovery plan

3. Sarbanes-Oxley Act
The 2002 Sarbanes-Oxley (SOX) Act established
new corporate governance rules
Created company accounting oversight board
Increased accountability for company officers and
board of directors
Increased white collar crime penalties
Prohibits a company’s external audit firms from
providing financial information systems

4. SOX Section 302
Section 302—in quarterly and annual financial
statements, management must:
certify the internal controls (IC) over financial
reporting
state responsibility for IC design
provide reasonable assurance as to the reliability of
the financial reporting process
disclose any recent material changes in IC

5. SOX Section 404
Section 404—in the annual report on IC
effectiveness, management must:
state responsibility for establishing and maintaining
adequate financial reporting IC
assess IC effectiveness
reference the external auditors’ attestation report on
management’s IC assessment
provide explicit conclusions on the effectiveness of
financial reporting IC
identify the framework management used to conduct
their IC assessment, e.g., COBIT

6. IT Controls & Financial Reporting
Modern financial reporting is driven
by information technology (IT)
IT initiates, authorizes, records, and
reports the effects of financial
transactions.
Financial reporting IC are
inextricably integrated to IT.

7. COSO identifies two groups of IT
controls:
application controls – apply to specific
applications and programs, and ensure
data validity, completeness and accuracy
general controls – apply to all systems and
address IT governance and infrastructure,
security of operating systems and
databases, and application and program
acquisition and development
IT Controls & Financial Reporting

8. Sales CGS AP CashInventory
Significant
Financial
Accounts
Order Entry
Application Controls
Cash Disbursements
Application Controls
Purchases
Application Controls
Related
Application
Controls
Systems Development and Program Change Control
Database Access Controls
Operating System Controls
Supporting
General
Controls
Controls
for
Review
IT Controls & Financial Reporting

9. SOX Audit Implications
Pre-SOX, audits did not require IC tests.
Only required to be familiar with client’s IC
Audit consisted primarily of substantive tests
SOX – radically expanded scope of audit
Issue new audit opinion on management’s IC
assessment
Required to test IC affecting financial information,
especially IC to prevent fraud
Collect documentation of management’s IC tests
and interview management on IC changes

10. Types of Audit Tests
Tests of controls – tests to determine
if appropriate IC are in place and
functioning effectively
Substantive testing – detailed
examination of account balances and
transactions

11. Organizational Structure IC
Audit objective – verify that individuals in
incompatible areas are segregated to
minimize risk while promoting operational
efficiency
IC, especially segregation of duties, affected
by which of two organizational structures
applies:
Centralized model
Distributed model

12. President
VP
Marketing
VP Computer
Services
VP
Operations
VP
Finance
Systems
Development
Database
Administration
Data
Processing
New Systems
Development
Systems
Maintenance
Data
Control
Data
Preparation
Computer
Operations
Data
Library
President
VP
Marketing
VP
Finance
VP
Operations
IPU IPU IPU IPU IPU IPU
VP
Administration
Treasurer Controller
Manager
Plant X
Manager
Plant Y
CENTRALIZED COMPUTER
SERVICES FUNCTION
DISTRIBUTED ORGANIZATIONAL
STRUCTURE

13. Segregation of Duties
Transaction authorization is separate from
transaction processing.
Asset custody is separate from record-
keeping responsibilities.
The tasks needed to process the
transactions are subdivided so that fraud
requires collusion.

14. Segregation of Duties
Authorization
Authorization
Authorization
Processing
Custody Recording
Task 1 Task 2 Task 3 Task 4
Custody Recording
Control Objective 1
Control Objective 3
Control Objective 2
TRANSACTION

15. Centralized IT Structure
Critical to segregate:
systems development from computer
operations
database administrator (DBA) from other
computer service functions
DBA’s authorizing and systems development’s
processing
DBA authorizes access
maintenance from new systems development
data library from operations

16. Distributed IT Structure
Despite its many advantages, important
IC implications are present:
incompatible software among the various
work centers
data redundancy may result
consolidation of incompatible tasks
difficulty hiring qualified professionals
lack of standards

17. Organizational Structure IC
A corporate IT function alleviates
potential problems associated with
distributed IT organizations by
providing:
central testing of commercial hardware and
software
a user services staff
a standard-setting body
reviewing technical credentials of
prospective systems professionals

18. Audit Procedures
Review the corporate policy on computer
security
Verify that the security policy is communicated
to employees
Review documentation to determine if
individuals or groups are performing
incompatible functions
Review systems documentation and
maintenance records
Verify that maintenance programmers are not
also design programmers

19. Audit Procedures
Observe if segregation policies are followed in
practice.
E.g., check operations room access logs to
determine if programmers enter for reasons
other than system failures
Review user rights and privileges
Verify that programmers have access privileges
consistent with their job descriptions

20. Audit objectives:
physical security IC protects the computer
center from physical exposures
insurance coverage compensates the
organization for damage to the computer
center
operator documentation addresses routine
operations as well as system failures
Computer Center IC

21. Computer Center IC
Considerations:
man-made threats and natural hazards
underground utility and communications lines
air conditioning and air filtration systems
access limited to operators and computer center
workers; others required to sign in and out
fire suppressions systems installed
fault tolerance
redundant disks and other system components
backup power supplies

22. Audit Procedures
Review insurance coverage on hardware,
software, and physical facility
Review operator documentation, run
manuals, for completeness and accuracy
Verify that operational details of a
system’s internal logic are not in the
operator’s documentation

23. Disaster Recovery Planning
Disaster recovery plans (DRP) identify:
actions before, during, and after the disaster
disaster recovery team
priorities for restoring critical applications
Audit objective – verify that DRP is
adequate and feasible for dealing with
disasters

24. Disaster Recovery Planning
Major IC concerns:
second-site backups
critical applications and databases
including supplies and documentation
back-up and off-site storage procedures
disaster recovery team
testing the DRP regularly

25. Second-Site Backups
Empty shell - involves two or more user
organizations that buy or lease a building
and remodel it into a computer site, but
without computer equipment
Recovery operations center - a
completely equipped site; very costly and
typically shared among many companies
Internally provided backup - companies
with multiple data processing centers may
create internal excess capacity

26. DRP Audit Procedures
Evaluate adequacy of second-site backup
arrangements
Review list of critical applications for
completeness and currency
Verify that procedures are in place for
storing off-site copies of applications and
data
Check currency back-ups and copies

27. DRP Audit Procedures
Verify that documentation, supplies, etc.,
are stored off-site
Verify that the disaster recovery team
knows its responsibilities
Check frequency of testing the DRP

28. From Appendix

29. Attestation versus Assurance
Attestation:
practitioner is engaged to issue a written
communication that expresses a conclusion
about the reliability of a written assertion that
is the responsibility of another party.
Assurance:
professional services that are designed to
improve the quality of information, both
financial and non-financial, used by decision-
makers
includes, but is not limited to attestation

30. Attest and Assurance Services

31. What is an External Financial Audit?
An independent attestation by a
professional (CPA) regarding the faithful
representation of the financial statements
Three phases of a financial audit:
familiarization with client firm
evaluation and testing of internal controls
assessment of reliability of financial data

32. Generally Accepted Auditing Standards
(GAAS)

33. Auditing Management’s Assertions

34. External versus Internal
Auditing
External auditors – represent the interests
of third party stakeholders
Internal auditors – serve an independent
appraisal function within the organization
Often perform tasks which can reduce
external audit fees and help to achieve audit
efficiency and reduce audit fees

35. What is an IT Audit?
Since most information systems employ IT, the IT
audit is a critical component of all external and
internal audits.
IT audits:
focus on the computer-based aspects of an
organization’s information system
assess the proper implementation, operation,
and control of computer resources

36. Elements of an IT Audit
Systematic procedures are used
Evidence is obtained
tests of internal controls
substantive tests
Determination of materiality for weaknesses
found
Prepare audit report & audit opinion

37. Phases of an IT Audit

38. Audit Risk is...
the probability the auditor will issue an
unqualified (clean) opinion when in fact
the financial statements are materially
misstated.

39. Three Components of Audit
Risk
Inherent risk – associated with the unique
characteristics of the business or industry of the client
Control risk – the likelihood that the control
structure is flawed because controls are either absent
or inadequate to prevent or detect errors in the
accounts
Detection risk – the risk that errors not detected or
prevented by the control structure will also not be
detected by the auditor