20181211005 - Rizkania Arum - SIA II Assignment, Meeting 10


SIA II Assignment

Rizkania Arum P
20181211005

• Summary of Auditing IT Controls Part I: Sarbanes-Oxley and IT Governance


An external audit is an independent attestation performed by an expert who expresses
an opinion on the presentation of the financial statements. The audit objective is to
provide assurance that the financial statements are fairly presented. The SEC requires an
annual financial audit for public companies. The CPA's role is to collect and evaluate
evidence in order to render an opinion; independence is key, and external auditors follow
strict rules defined by the SEC, FASB, AICPA and federal law (SOX), with the SEC holding
final authority. The PCAOB has, to a great extent, replaced the function previously served
by the FASB and AICPA.
Auditors express an opinion as to whether the financial statements conform to
generally accepted accounting principles (GAAP), guided by generally accepted auditing
standards. Auditing is a systematic and logical process with three phases: planning, tests
of controls, and substantive testing. An IT audit involves specialized procedures directed
at the client's technology, which adds complexity to the audit.

The first phase is audit planning, whose objective is to obtain sufficient information
about the firm to plan the other phases; information is obtained through questionnaires,
management interviews, reviews and observation. The objective of the tests-of-controls
phase is to determine whether adequate internal controls are in place and functioning.
Evidence gathering includes both manual and computer-aided audit tools and techniques;
at the end of this phase the auditor assesses the quality of the internal controls by
assigning a level of control risk. Gathering evidence about the financial data involves
detailed investigation of accounts and transactions, called substantive tests.
Management's claims about the content of the financial statements are the implicit
assertion that account balances and transactions are complete, valid, accurate and free
from material error. Auditors use substantive tests to validate these claims.
Audit risk is the probability that the auditor will render an unqualified opinion on
financial statements that are, in fact, materially misstated because of undetected errors,
irregularities or both. Its components are inherent risk, which is associated with the
unique characteristics of the client's business or industry; control risk, the likelihood
that the control structure is flawed because controls are either absent or inadequate;
and detection risk, the risk the auditor is willing to take that errors not detected or
prevented by the control structure will also go undetected during substantive testing.
Auditors use the audit risk components to determine the scope, nature and timing of
substantive tests. The stronger the internal control structure, as determined through
tests of controls, the lower the control risk and the less substantive testing the auditor
must do. When effective controls are in place the auditor may limit substantive testing;
when controls are weak, substantive testing must be increased. Upon completion of the
audit, the auditor submits an audit report to the audit committee of the board of
directors. It includes an opinion on the fair presentation of the financial statements and
an opinion on the quality of internal controls over financial reporting.
SOX of 2002 established corporate governance regulations and standards for public
companies registered with the SEC. Section 302 focuses on internal controls and
requires corporate management, including the CEO, to certify the financial and other
information contained in quarterly and annual reports, certify the internal controls over
financial reporting, state responsibility for the design of internal controls and provide
reasonable assurance as to the reliability of the financial reporting process, and disclose
any recent material changes in internal controls. Section 404 requires management of
public companies to assess the effectiveness of internal controls over financial reporting.
The annual report must describe the flow of transactions, including IT aspects; assess the
design and operating effectiveness of internal controls related to material accounts;
assess the potential for fraud and evaluate the controls designed to prevent or detect it;
evaluate and conclude on the adequacy of controls over the financial statement reporting
process; and evaluate general controls that correspond to the COSO internal control
framework.
Regarding the relation between IT controls and financial reporting, and the audit
implications of sections 302 and 404, COSO identifies two groups of IT controls: (a)
application controls, which relate to specific applications and ensure the validity,
completeness and accuracy of financial transactions; and (b) general controls, which
apply to all systems and address IT governance and infrastructure, security of operating
systems and databases, and application and program acquisition, change and
development. SOX dramatically expanded the role of external auditors: they must attest
to the quality of internal controls by issuing a new audit opinion in addition to the
opinion on fairness, must review the relevant internal controls over financial reporting
and collect documented evidence of functioning controls from management, and are
responsible for detecting fraudulent activity by testing the controls designed to prevent
or detect fraud.

Computer fraud includes theft, misuse and misappropriation of assets by altering
computer-readable records and files or by altering the logic of computer software. The
control objective of data collection is to ensure that event data entered are valid,
complete and free from material error. If input data are inaccurate, the result is
inaccurate output, which may impact the financial statements; the most common access
point for fraud is the data collection stage. Collected data generally must be processed to
produce information. Data processing fraud falls into two classes: (a) program fraud,
which includes altering programs to allow illegal access to and/or manipulation of data,
or destroying programs with a virus; database management fraud is often associated
with transaction or program fraud, includes altering, deleting, corrupting, destroying or
stealing an organization's data, and is usually conducted by a disgruntled or
ex-employee; and (b) operations fraud, the misuse of company computer resources, such
as using the computer for personal business. Computer fraud also occurs at the
information generation stage, the process of compiling, arranging, formatting and
presenting information to users. Common fraud at this stage is to steal, misdirect or
misuse computer output. Scavenging involves searching the trash for discarded output;
eavesdropping involves listening to output transmissions over telecommunication lines.
Organizational structure controls are divided into several parts. The segregations of
duties within the centralized firm are: (1) separate systems development from computer
operations. It is very important that these responsibilities are not commingled;
consolidating the functions invites fraud. (2) Separate the database administrator from
other functions. Delegating administrator functions to others who perform incompatible
tasks threatens database integrity. (3) Separate new systems development from
maintenance. Failure to do this promotes inadequate documentation and fraud; poor
system documentation is a significant problem for firms seeking SOX compliance, because
poorly documented systems are difficult to interpret, test and debug. When the original
programmer also has maintenance responsibility, the potential for fraud is increased and
it may continue for years without detection.
The distributed data processing (DDP) model reorganizes the IT function into small
units that are distributed to end users and placed under their control. The advantages
of DDP are cost reduction from reduced hardware costs, elimination of centralized data
conversion and reduced application complexity, improved cost control responsibility,
user satisfaction, and backup. The disadvantages of DDP are mismanagement of
organization-wide resources, hardware and software incompatibility issues, redundant
tasks and consolidating incompatible activities, difficulty hiring qualified professionals,
and a lack of standards.
A corporate IT function alleviates some of the control problems associated with DDP by
providing central testing of commercial hardware and software, a user services staff, a
standard-setting body, and personnel review. The audit objective is to ascertain whether
individuals serving in incompatible areas are appropriately segregated, by reviewing
corporate policy on computer security, reviewing relevant documentation to determine
whether incompatible functions are being performed by individuals or groups, verifying
that maintenance programmers are not the original programmers, determining that the
segregation policy is being followed, and reviewing access logs and user roles to verify
proper access.
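The segregation-of-duties review described above (separate development from operations, isolate the database administrator, keep maintenance programmers apart from original programmers, and check access logs against user roles) can be carried out mechanically over an organization's role records. The following is an added example written for this summary, not code from the textbook or from any firm; the staff names, system names, role assignments and log lines are all constructed, and the incompatible-function pairs are taken from the three separations listed in the text.

```python
"""Segregation-of-duties check over constructed role and access-log data.

Turns the three separations named in the text into explicit rules and flags
(1) users holding an incompatible pair of functions, (2) applications whose
maintainer is also the original programmer, and (3) access-log entries where a
user touched a system outside the function their roles cover.
"""

# Pairs of functions that must not be held by the same person (from the text:
# development vs. operations, DBA vs. other functions, development vs. maintenance).
INCOMPATIBLE_PAIRS = [
    ("systems_development", "computer_operations"),
    ("database_administration", "systems_development"),
    ("database_administration", "computer_operations"),
    ("database_administration", "maintenance"),
    ("systems_development", "maintenance"),
]

# Constructed sample (hypothetical staff): user -> set of assigned functions.
ROLE_ASSIGNMENTS = {
    "alice": {"systems_development"},
    "bob":   {"computer_operations"},
    "carol": {"database_administration", "maintenance"},     # DBA also maintains code
    "dave":  {"systems_development", "computer_operations"}, # develops and operates
}

# Constructed sample: application -> (original programmer, maintenance programmer).
PROGRAMMER_ASSIGNMENTS = {
    "payroll": ("alice", "erin"),
    "ledger":  ("alice", "alice"),   # same person wrote and now maintains it
}

# Constructed access-log lines: timestamp, user, system, action.
ACCESS_LOG = [
    "2024-03-01T08:00:00 alice dev_server checkout",
    "2024-03-01T08:05:00 bob prod_server run_batch",
    "2024-03-01T09:10:00 alice prod_server run_batch",   # developer on production
]

# Which function each system belongs to (hypothetical mapping).
SYSTEM_FUNCTION = {
    "dev_server": "systems_development",
    "prod_server": "computer_operations",
}


def role_conflicts(assignments):
    """Return (user, function_a, function_b) for every incompatible pair a user holds."""
    findings = []
    for user, funcs in sorted(assignments.items()):
        for a, b in INCOMPATIBLE_PAIRS:
            if a in funcs and b in funcs:
                findings.append((user, a, b))
    return findings


def maintenance_conflicts(programmers):
    """Return applications whose maintenance programmer is also the original programmer."""
    return sorted(app for app, (orig, maint) in programmers.items() if orig == maint)


def access_violations(log_lines, assignments, system_function):
    """Return (user, system) pairs where the user's roles do not cover the system's function.

    A user absent from the role records has no permitted function at all, so every
    access by such a user is reported.
    """
    findings = []
    for line in log_lines:
        _timestamp, user, system, _action = line.split()
        needed = system_function[system]
        if needed not in assignments.get(user, set()):
            findings.append((user, system))
    return findings


if __name__ == "__main__":
    for user, a, b in role_conflicts(ROLE_ASSIGNMENTS):
        print(f"role conflict: {user} holds both {a} and {b}")
    for app in maintenance_conflicts(PROGRAMMER_ASSIGNMENTS):
        print(f"maintenance conflict: original programmer maintains {app}")
    for user, system in access_violations(ACCESS_LOG, ROLE_ASSIGNMENTS, SYSTEM_FUNCTION):
        print(f"access outside role: {user} on {system}")
```

Each finding corresponds to one of the audit steps in the text: the role conflicts answer whether incompatible functions are performed by the same individual, the maintenance check answers whether maintenance programmers are the original programmers, and the log check answers whether actual access matches assigned roles.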
Control features that contribute to computer center security: physical location can
influence the risk of disaster, as can building construction and an air-conditioned
environment; access should be limited, with security cameras monitoring access; fire
alarms should be both automatic and manual; fault tolerance is the ability of the system
to continue operating when part of the system fails. The audit objectives are to
determine whether the controls governing computer center security are adequate to
reasonably protect against physical damage or loss, whether insurance coverage is
adequate, and whether operator documentation is adequate.
Disaster recovery planning (DRP) is a comprehensive statement of all actions to be
taken before, during and after a disaster. A necessary ingredient is a duplicate data
processing facility: an empty shell involves an arrangement for a building to serve as a
data center, with recovery depending on the timely availability of hardware; a recovery
operations center (ROC) is a completely equipped site, which is very costly and typically
shared by many companies; internally provided backup is possible for larger companies
with multiple data processing centers. Procedures are needed to identify the critical
applications and data files of the firm to be restored. For most organizations, short-term
survival requires restoration of the functions that generate sufficient cash flow to satisfy
obligations. All files, applications, documentation and supplies needed to perform
critical functions should be specified in the DRP: back up data files at least daily, and
back up documentation, supplies and source documents. Disaster recovery team members
should be experts in their areas and have assigned tasks. DRP tests are important and
should be performed periodically. The audit objective is to verify plan adequacy and
feasibility: evaluate the adequacy of the backup site arrangement, review the list of
critical applications, verify backup procedures, supplies, documents and documentation,
and verify the members of the disaster recovery team.
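The DRP audit steps above (review the critical applications list, verify that data files are backed up at least daily, verify documentation, verify recovery team members) reduce to a checklist that can be run against a backup inventory. The block below is an added example for this summary, not code from the textbook or from any organization; the application names, the inventory contents, the field names and the fixed audit time are all constructed, and the one-day limit comes from the text's "back up data files at least daily".

```python
"""DRP adequacy check over a constructed critical-applications list and backup inventory.

For every critical application it reports: no backup record at all, a backup
older than the daily requirement, missing recovery documentation, or no disaster
recovery team member assigned.
"""
from datetime import datetime, timedelta

# The text requires data files to be backed up at least daily.
MAX_BACKUP_AGE = timedelta(days=1)

# Constructed sample (hypothetical): the firm's critical applications.
CRITICAL_APPLICATIONS = ["cash_receipts", "payroll", "general_ledger", "fixed_assets"]

# Constructed backup inventory (hypothetical). An application missing from the
# inventory, or a missing field, models an item the DRP failed to specify.
BACKUP_INVENTORY = {
    "cash_receipts":  {"last_backup": "2024-03-02T01:00:00", "documentation": True,  "team_owner": "erin"},
    "payroll":        {"last_backup": "2024-02-27T01:00:00", "documentation": True,  "team_owner": "frank"},
    "general_ledger": {"last_backup": "2024-03-02T01:30:00", "documentation": False, "team_owner": None},
}

# Fixed audit time so the example is reproducible offline.
AUDIT_TIME = datetime(2024, 3, 2, 12, 0, 0)


def audit_drp(critical_apps, inventory, now):
    """Return (application, finding) pairs for every DRP requirement that is not met."""
    findings = []
    for app in critical_apps:
        entry = inventory.get(app)
        if entry is None:
            findings.append((app, "no backup record for a critical application"))
            continue
        age = now - datetime.fromisoformat(entry["last_backup"])
        if age > MAX_BACKUP_AGE:
            findings.append((app, f"last backup is {age.days} days old"))
        if not entry.get("documentation"):
            findings.append((app, "no recovery documentation"))
        if not entry.get("team_owner"):
            findings.append((app, "no disaster recovery team member assigned"))
    return findings


def run_audit():
    """Run the check against the constructed sample data at the fixed audit time."""
    return audit_drp(CRITICAL_APPLICATIONS, BACKUP_INVENTORY, AUDIT_TIME)


if __name__ == "__main__":
    for app, finding in run_audit():
        print(f"{app}: {finding}")
```

Listing the critical applications separately from the inventory is deliberate: it is the list the auditor reviews, and an application that appears there but has no inventory entry is exactly the gap the text's "review list of critical applications" step is meant to surface.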
Outsourcing the IT function: the logic follows from core competency theory, which holds
that organizations should focus on their core business and outsource non-core areas such
as IT. Commodity IT assets are easily acquired in the marketplace, such as network
management, help desk functions, etc. Specific IT assets are unique to the organization,
support its strategic objectives and are not easily replaced. Transaction cost economics
(TCE) conflicts with core competency theory: firms should retain certain specific IT
assets in house and outsource commodity assets, which are easily replaced or obtained.
Risks inherent to IT outsourcing consist of failure to perform, vendor exploitation, costs
exceeding benefits, reduced security, and loss of strategic advantage. The audit
implication of IT outsourcing is that a firm can outsource IT but not its management
responsibility under SOX for ensuring adequate IT internal controls. SSAE 16 is the
standard auditors use to determine whether the processes and controls at third-party
vendors are adequate; service provider auditors issue two types of SSAE reports: type 1
attests to vendor management's system description and the suitability of the design of
controls, and type 2 adds the operating effectiveness of controls to the report.
• SOX contains many sections; discuss sections 302 and 404 A&B! Define audit risk!
Section 302 of the Sarbanes-Oxley Act focuses on disclosure controls and
procedures, plus the personal accountability of signing officers. SOX 302 requires that
the principal executive and financial officers of a company, typically the CEO and CFO,
personally attest that financial information is accurate and reliable. They must make
these attestations within the quarterly 10-Q and annual 10-K reports filed with the SEC.
Section 404 requires that companies annually assess and report on the effectiveness
of their internal control structure. This is management’s assessment and testing of the
company’s internal controls and procedures for financial reporting. The focus of this
testing is to evaluate and report on the design and operating effectiveness of the
controls.
The frequency of SOX 302 requirements is quarterly. Companies conduct a survey,
as described above, and include signed certifications with their quarterly filings with the
SEC. The quarterly certification ensures that the signing officers have evaluated the
effectiveness of the organization’s internal controls as of a date within 90 days prior to
the report. SOX 404 requirements, on the other hand, are continuous with an annual
independent audit, and their documented findings must be included with each year’s
financial report.
The three types of audit risk are as follows:
- Control risk. This is the risk that potential material misstatements would not be
detected or prevented by a client's control systems.
- Detection risk. This is the risk that the audit procedures used are not capable of
detecting a material misstatement.
- Inherent risk. This is the risk that a client's financial statements are susceptible to
material misstatements.
• What is the relationship between test of controls and substantive test? Define general
controls!
Substantive testing is very different from testing controls. Substantive tests verify
whether information is correct, whereas control tests determine whether the
information is managed under a system that promotes correctness. Some level of
substantive testing is required regardless of the results of control testing.
General controls, in accounting, are the policies and procedures to assure proper
operation of computer systems, including controls over network operations, software
acquisition and maintenance, and access security.
• Explain the outsourcing risk of failure to perform! Explain vendor exploitation!
Explain why reduced security is an outsourcing risk! Explain how IT outsourcing can
lead to loss of strategic advantage!
Risks that cause an outsourced project to fail:
- High expectations
- Lack of communication
- Low quality work
- Conflicting interest
- Negative public opinion
Once the client firm has divested itself of specific assets it becomes dependent on
the vendor. The vendor may exploit this dependency by raising service rates to an
exorbitant level. As the client’s IT needs develop over time beyond the original contract
terms, it runs the risk that new or incremental services will be negotiated at a premium.
This dependency may threaten the client’s long-term flexibility, agility, and
competitiveness and result in even greater vendor dependency.
Outsourcing any part of your business is a risky step, as it means handing over control
to another company. The outsourcing supplier may do a better job of the outsourced
process than you could, and for a lower cost, but there is also a chance it will get things
wrong. If security is reduced, there is a chance that the process might go wrong. The
higher the risk, the more checking you will need to do with the prospective supplier. In
all circumstances you need to get to know them and how they work.
Sensitive information such as payroll, medical records, and banking/mortgage records
can be seen by the other party. There are also hidden costs to outsourcing IT; these
include the contract between the companies, as well as legal costs incurred.

• Create a data flow diagram and flowchart from internal control case 3: General
Manufacturing Inc. - Internal Control Assessment
• Analyze the physical internal control weaknesses in the system from internal control
case 3: General Manufacturing Inc. - Internal Control Assessment
