
MGT422

What are IT controls?


IT controls are controls that provide reasonable assurance that
the IT system of an organization operates as intended
the data is reliable
the system is in compliance with IT laws and regulations

Criteria of IT system
Completeness: transactions recorded are complete.
Authorization: Only authorized transactions are recorded; Only authorized personnel have
access.
Accuracy: All transactions recorded are accurate; Periodic checks to ensure accuracy.
Timeliness: All transactions are recorded timely; Periodic checks to ensure operational
efficiency.
Occurrence: Only transactions that occur have been recorded; Reflect real assets and liabilities.
Efficiency: Cost benefit analysis; Scalable systems.

Components of AIS
IT infrastructure & architecture: LAN, WAN, DBMS, Mainframe, hardware.
Software: Systems and Applications.
People: CIO, development and maintenance personnel, quality assurance personnel, security
personnel.
Procedures: accounting procedures, user procedures, system operations procedures.
Information: ownership and classification, access.
Internal controls & security measures: discussed throughout.

Advantages of DBMS
Data independence
Data redundancy in storage reduced
Increases data accessibility

Disadvantages of DBMS
Costly
Slower processing
Longer Periodic updates
Chapter 2
Sources of IT problems
Incomplete design
Software crash or glitch
Hardware malfunctioning
Incorrect system use and operation
Poor maintenance or upgrade issues
Environmental and Acts of God

Audit Risk = Inherent Risk x Control Risk x Detection Risk

Impact of IT on inherent risk


Inherent risk is the risk of an error or misstatement occurring in absence of controls.
IT systems are increasingly changing how information is processed and stored. E.g. e-commerce
increases inherent risk.

Impact of IT on control risk.


Control risk is the risk of an error or misstatement occurring due to control failure.

Impact of IT on detection risk.


Detection risk is the risk of audit procedures failing to detect an error or misstatement.
IT may increase detection risks because the audit trail is less visible, data structure is more
complicated and systems are more integrated.
IT may also decrease detection risk because it allows for computer-assisted audit techniques.

How IT affects audit risk.


IT may increase audit risk because management may fail to understand the complex audit
systems of an organisation.

Overall IT increases audit risk due to


Reduced audit trail
Less segregation of duties
Open access
System complexity
Automotive parts incorporated

IT Audit Planning Memorandum


To: Partner
From: CPA
About: API corporation engagement

Inherent risk
1. This is the first year of the information system in operation. Therefore, inherent risk is
greater because the system has not been evaluated or tested in the past for completeness and
accuracy.
2. The system is spread over five branches across the country in addition to the head office, which
increases inherent risk due to a greater threat of system failure, software crash and glitch, or system hack.
3. Increases in automation decrease the paper trail and thereby inherently increase risk.

Control risk
1. Backup of data uses a tape system; the tape may be damaged.
2. Customers complete applications online, without having to appear in person for
verification.
3. The bar codes may be misused or mishandled by skipping items.
4. No indication of type or strength of password.
5. System ID and passwords are sent by mail.
6. Poor segregation of duties.

Detection risk
1. The system incorporates multiple features including order entry, invoicing, receivables and
collection. Therefore, there is a greater risk of failing to detect a misstatement due to the high
number of features.
2. WAN requires technical knowledge which increases detection risk.

How inherent risk affects control risk and detection risk.


A high inherent risk may be offset by effective controls.
Determine detection risk after assessing inherent risk and control risk.

Adopt a substantive audit approach.


Chapter 3

What is IT strategy

Incorporates the IT infrastructure & architecture, software, and people.


The IT strategy is created alongside and complements the business strategy.

What is IT governance

IT governance incorporates IT procedures and monitoring.

What are the two types of IT controls?

Preventive: Controls that prevent an action or event from occurring.


Detective: Controls that detect an action or event after it has occurred.

What is the scope of IT controls?

General scope: A general IT control is designed, developed, and implemented before an
application control. General controls incorporate: organization controls, software controls,
access controls, system development controls, network controls, disaster prevention and data
recovery controls, software change controls.
Application scope: An application IT control is specific to one system or a suite of related
systems.

What are organization controls?

Organization controls incorporate: IT governance, organization chart & job descriptions,
segregation of duties, hiring practices, and policies & procedures.

What are the components of the IT department?

Systems development
Computer operations
Quality assurance
Security
Database administration

What are the components of the computer operations function?

Hardware support
Server administration
Database administration
Network operations
Operations scheduling and monitoring
Data backup and retention
Help desk
Capacity planning
Incident response
Why does IT require segregation of duties?

To prevent fraud and error


To focus expertise on efficiency

How do you audit Backup procedures?

Visit off-site location


Review backup plans and procedures, including IT personnel and their roles and duties.
Assess adequacy of backup frequency

What is the difference between a cold, warm, and hot site?

Hot = Hardware + software + data

Warm = Hardware

Soft = FUCKKKED
Progressive Realtors Ltd.

To: President of ISD

From: CPA

Date: 14th February 2017

About: Progressive Realtors Ltd. IT system

This report serves to provide recommendations to adequately control the activities of the Information
Technology Division, including the ASP operation.

Issue: Transactions are keyed by keying clerks


Risks:
The keying clerks may fail to enter the correct keys.
Inefficiency resulting from the system rejecting the entire batch file instead of each incorrect
transaction.
Recommendations:
Number each transaction so only incorrect transactions are rejected and reviewed instead of the
entire batch file. A number system will also assist in evaluating completeness.
Introduce a log-in system so that keying clerks are more diligent in their work.

Issue: Important functions such as the mortgage system can be accessed from any of the 300
workstations.
Risks:
There is a greater threat of data theft
There is a threat to data confidentiality
Recommendations:
Data ownership and classification should be defined so only required personnel can access the
data.
There should be a log-in process including password protection.

Issue: Files are sometimes updated by the users with "non-essential" data issued by a user department
clerk without hard copy documentation.
Risks:
Risk of human error.
Non-essential data is still useful.
Recommendations:
The employee should submit a signed form, which should be processed and stored in the
employee's file.
Chapter 4
What can go wrong with poor systems development?
Inaccurate bookkeeping
Excessive operating costs
Built-in fraud
Budget overruns
Erroneous management decisions

What may lead to poor systems development?


Poor budgeting
Inadequate time allocation
Inadequate testing
Incompetent personnel

Source Code: code written by a programmer.


Object code: code executed by a computer.

What are the pros and cons of customized systems?


Pros: Can make modifications; better suited to the needs of the organization
Cons: More expensive; more chances of bugs

What are the pros and cons of off-the-shelf systems?


Pros: Fewer bugs; cheaper
Cons: May not meet all the needs of the organization.

What are three types of software?


1. Open source
Pros: Anyone can make modifications; no cost.
Cons: May not meet needs.
2. Proprietary
Pros: Customized by proprietor
Cons: Comes at a cost.
3. In house developed:
Pros: Meets needs
Cons: Expensive

What are the four types of conversion?


Parallel conversion: both systems are used simultaneously.
Direct conversion: Transition from old system to new system is at one specific point in time.
Phased conversion: Transition is done over time.
Pilot conversion: Both systems are used in one location.
What are some segregation of duties in development?
Developers, testers, users are different personnel.

What are four types of testing?


Stress testing
String testing
UAT testing
Unit testing

What are some systems development controls?


Hiring policies and procedures
Testing and review controls
Management approval controls
