Download Board Members & Information Systems in Auditing: Governance & Controls and more Exams Information Systems in PDF only on Docsity!
311
STANDARDS REFERENCED IN THIS CHAPTER No standards are referenced in this chapter.
Corporate governance and
entity-level controls
“Tone at the top” is a familiar phrase to most of us—it means
that the attitudes and actions of the board, executive, and
management have a pervasive impact upon the rest of the
organization. The “tone at the top” has a similar effect upon
the financial statement audit—if these management strate-
gies are ineffective, it is possible that the remainder of the con-
trol systems are also floundering, and cannot be tested.
Entity-level controls help to implement the “tone at the top,” as
such controls affect the whole organization. All types of
accountants will benefit from understanding a range of entity-
level controls and how they can be tested.
LEARNING OBJECTIVES
1 Explain the relationship between corporate governance
strategies and risk management. Define the term “enterprise
risk management (ERM) framework.” Describe the techniques
that the auditor uses to document and assess design and
operating effectiveness of corporate governance.
2 Define information technology (IT) governance. Describe
the attributes of good IT governance. Explain the impact of
general controls on the audit process. State the effects of
information systems on the eight-phase audit process.
3 State the effects of advanced information systems on the
audit.
4 Provide examples of other entity-level controls. Link the
impact of entity-level controls to specific audit objectives.
Using a laser chequing application, provide an example of the
effect of general information systems controls on the audit of
transactions and balances at the audit objective level.
312
Healthy Corporate Governance Corrects Functional Flaws
Plato Construction Ltd. (Plato) is a newly acquired subsidiary of Largesse Construction Canada Inc. (Largesse), a public company that operates across Canada, performing construction ser- vices from design and project management through to actual construction. Largesse purchased Plato, a private company owned by Edward Platonu and five other individuals, in December 2007. Plato had been in operation for over 25 years and was a well-respected, profitable company in the Alberta construction industry, specializing in oil and gas construction. Largesse has a stan- dard package of internal control procedures, which were provided to Plato for implementation. During a routine audit by Largesse’s auditors for compliance with internal controls for the 2008 audit, it was noted that several Largesse policies and procedures were not being fol- lowed. The auditors investigated further and found evidence that Edward had circumvented internal controls in the areas of subcontracting, construction material disposal, and payroll. Specifically, Edward had given subcontracts to paint several buildings to his brother Ted without going to tender, as required by the new policies. Edward also had his house and cottage painted by Ted and charged it to Plato as a $20,000 subcontract cost on a large construction project. Edward had a private bank account under the name of Plato Construction (a sole proprietor- ship that had been registered about 10 years ago), which he called a social fund. Demolition material that had been disposed of, like scrap steel, was used to fund this bank account. Bank records indicated that deposits into this account amounted to $250,000 for the first eight months of 2008. Edward said he used these funds to (1) give cash bonuses to employees (no tax receipts were issued for these bonuses), (2) pay for golf trips or other vacations for the exec- utive team, and (3) have social functions with employees and their families. Edward had retained receipts and filed tax returns for Plato Construction as a social management organization.
IMPORTANCE TO AUDITORS
When fraud like this is discovered, auditors work closely with management and look to the nature of management’s response to assess the quality of corporate governance and the con- trol environment. In this situation, the auditors met with the senior management of Largesse and its audit committee immediately after the discovery of potentially fraudulent activities. The audit committee instructed the auditors to complete a full investigation by engaging the firm’s forensic examiners. Largesse and its audit committee also engaged legal counsel. Largesse’s internal auditors were part of the team and were asked to provide recommenda- tions for improvement to internal controls to prevent recurrence of control breakdowns. Reports from all the professional teams were provided to the audit committee. As a result of these findings and after several months of investigation, Edward’s employment was terminated. Plato’s controller, vice-president of operations, and director of construction continued >
(^314) PART 2 I THE AUDIT PROCESS
Table 10-1 Board Member Sample Tasks and Expertise
Sample Task Expected Expertise
Approve hiring of chief executive officer Human resources, personnel evaluation
Approve risk assessment framework and Industry expertise, strategic planning, awareness of monitor risk evaluation process potential risks, risk assessment methodologies
Review and approve organizational and Long-term planning, strategic planning, business strategies and changes thereto industry-specific expertise
Review and approve information systems Ability to link information systems strategy to strategy and changes thereto business strategy; understand information systems terminology, impact, and alternatives; industry-specific expertise
Approve information systems acquisitions, Understand information systems terminology, business acquisitions, or contracts over impact, and alternatives; industry-specific specified dollar limits expertise
Approve auditors and financial statements Financial or accounting competence; understand complex accounting terminology and be able to ask the right questions
Oversee the work of the internal auditors Understand risks that the organization is exposed to and alternative ways of addressing those risks
include the board of directors, its subcommittees (such as the audit committee), exec- utives, and senior management. Many non-profit and public sector organizations have similar structures of governance. Smaller organizations could have an advisory committee instead of an independent board. There has been increased scrutiny of the processes and qualifications of directors and management, with new laws and regulations imposing tasks or certifications. Before we talk about risk assessment, we briefly look at these two issues.
Role and Certification Escalation
THE ESCALATING ROLE OF BOARD MEMBERS AND THE AUDIT COMMITTEE Board mem- bers are elected by shareholders, often nominated by groups of shareholders or by management. Depending upon the type of organization, a certain percentage of the directors need to be independent (i.e., non-management, with other restrictions such as ownership or restrictions that vary by type of organization). Regulatory responses to corporate fraud, such as the Sarbanes-Oxley Act in the United States and Canadian Security Regulations in Canada, have included increased requirements for directors on the boards of public companies. Table 10-1 lists some of the tasks expected of board members and the related expertise that would need to be present in at least one board member. As a subcommittee of the board of directors, the audit committee is composed of board members who preferably have financial expertise. There would also be other subcommittees, perhaps addressing responsibilities such as corporate strategy, risk management, IT, or privacy. There are many resources available to directors, such as training by professional organizations, experts in their own industry, auditors (external and internal), and online and text resources. As an example, Table 10-2 lists from the CICA website sample resources titled “20 Questions a Board Member (or Director) Should Ask,” with the topic, effective date, and purpose. Many other professional organizations provide resources. For example, the Institute of Internal Auditors has its own publication titled “The Audit Committee: Internal Audit Oversight,” which is intended to provide guidance to the audit committee in overseeing the internal audit
function. This is available (along with other standards and guidance documents) at www.theiia.org/quality. The scope of the topics listed in Tables 10-1 and 10-2 illustrates that board mem- bers are expected to oversee all strategic and high-level functions of the organization for effective corporate governance to occur. In the next section, we will look at some of the regulatory influences that have forced this level of detail upon boards, including oversight of management certifications.
REGULATORY INFLUENCES ON THE BOARD AND MANAGEMENT Private companies and other small businesses have some of the same regulations to deal with as do larger organizations, that is, dealing with income and employee taxes, regulatory filings, and requirements of their investors and shareholders. Specific regulations for particular industries or groups (such as financial institutions, brokers, and Canadian registered charitable organizations) are beyond the scope of this text. Here, we will deal with some of the specific requirements of Canadian public companies. An important issue that could be complex for many organizations is the coming conversion to International Financial Reporting Standards (IFRS). Canadian public companies are required to follow GAAP as codified by the Canadian Institute of Chartered Accountants Accounting Handbook and by current best business practices. This conversion takes place for fiscal years commencing on or after January 1, 2011. The change to IFRS may affect the way that an organization records certain transac- tions (such as methods of costing projects or recording foreign exchange and hedging activities). This would mean a change in the methods of recording and tracking these transactions and a resultant change to automated information systems. Associated
CHAPTER 10 I CORPORATE GOVERNANCE AND ENTITY-LEVEL CONTROLS 315
Table 10-2 Questions that Board Members Should Ask
Topic Effective date of publication and purpose*
Codes of conduct 2005, Typical content for a code of conduct; help in assessing organizational culture and ethical practices
Crisis management 2008, Awareness of elements of successful crisis management
Executive compensation 2003, Balancing shareholder accountability with effective motivation and compensation of executives, including methods of remuneration
Information technology (IT) 2004, Assistance in assessing IT strategies, effectiveness, and controls
Internal audit 2007, Understanding the functions of internal audit and questions to ask of internal audit, with some internal audit best practices
International financial reporting 2008, Explains issues associated with the conversion, with detail standards (IFRS) conversions appropriate for audit committee members
Management’s discussion and 2008, Clarification of current legal and regulatory disclosures with analysis methods for discussion with management
Strategy 2006, Methods to assess management’s development and update of strategy; guide to active involvement in the process as well as approval
Not-for-profit strategy and 2008, Understanding directors’ responsibilities in this area, planning including budgeting
Risk assessment 2006, Help in considering the effectiveness of risk assessment and working with management in this process
*Available from the CICA website Research and Guidance section, under Risk Management and Governance: www.rmgb.ca/publications/index.aspx.
CHAPTER 10 I CORPORATE GOVERNANCE AND ENTITY-LEVEL CONTROLS 317
Table 10-3 Canadian Public Company National Policy Requirements
Management Certifications Board or Audit Committee (AC) Requirements
A majority of the directors should be independent (an absence of a direct or indirect material relationship with the company)
The board should have a disclosed written mandate that includes responsibility for the following: a) Satisfaction with the integrity of the CEO and other executive officers and an organizational culture of integrity. b) Adopting and approving an annual strategic plan and strategic planning process that includes risk assessment. c) Identifying principal risks and systems to manage them. d) Succession planning, communication policies, internal controls, and management information systems. e) Approaches to corporate governance, including principles and guidelines. f) Ethical business conduct and the use of independent judgment.
The audit committee should have a written charter. Specific responsibilities are in Multilateral Instrument 52–110, Audit Committees, available from www.osc.gov.on.ca.
That interim and annual filings do not contain any AC: Review and approve MD&A; be financially literate misrepresentations (includes financial statements, management discussion and analysis [MD&A])
Interim and annual financial statements are fairly presented AC: Review and approve financial statements; recommend to the board the external auditor and the audit fee; pre-approve any non-audit work; manage the relationship between the company and the external and internal auditors
For the above filings, that they have designed (or caused to AC: Review disclosures prior to release have designed) internal controls over financial reporting and disclosures
Certify which internal control framework was used to design Approve internal control framework to be used internal controls
For annual filings, that the effectiveness of the above controls Understand the decision process for deciding have been evaluated and the conclusions disclosed in MD&A* what is or is not a material weakness
For annual and interim filings, that any material (or potentially AC: Review filings prior to release material) changes in internal controls have been disclosed*
That material internal control weaknesses, their impact, and AC: Review filings prior to release any plan for remediation have been disclosed in MD&A
That any fraud involving management or significant employees AC: Review filings prior to release has been disclosed to the external auditors and the board
That any permitted exclusions are described in MD&A AC: Review filings prior to release (e.g., proportionately consolidated entities)
Establish policies or procedures for dealing with complaints and concerns about accounting or auditing matters
Note: Public companies that are considered to be venture capital or debt-only companies are exempted from the certifications marked with an *. Sources: 1. National Instruments (NI) 52–109, Certification of Disclosure in Issuers’ Annual and Interim Filings; 52–110, Audit Committees; 58–101, Disclosure of Corporate Governance Practices; 58–201, Effective Corporate Governance, www.osc.gov.on.ca, Accessed: August 14, 2009. 2. McCallum, Leslie, “Canada’s New Rule on Internal Control Certifications Effective for December 2008 Year-Ends,” Mondaq Business Briefing, September 7, 2008, www.mondaq.com, Accessed: December 22,
(^318) PART 2 I THE AUDIT PROCESS
Table 10-4 Organizational Types with Possible Cultural Norms
Organizational Type with Description Possible Example with Cultural Norm
Entrepreneurial structure: Small, owner-operated or owner-managed, typified by informal decision making and unstructured processes.
Example: Small manufacturing company producing specialized products. Cultural norm: Customer is king, and production schedules will be rapidly modified to meet customer needs.
Bureaucracy: Multiple levels of management working in a slowly changing environment, providing relatively standard products or services. May be divisionalized (with many locations and a central headquarters), or professional (relying upon technical expertise with strong department heads and a weak head office).
Example: Financial institution such as a bank. Cultural norm: Codified procedures must always be followed. Exceptions require approval and must be documented.
Adhocracy: Teams of multidisciplinary individuals work on specific projects or assignments and are expected to react rapidly to changing needs. Teams are broken up and reformed for specific assignments.
Example: Consulting or public accounting firm. Cultural norm: Deadlines must be met, and employees will work the necessary hours to produce high-quality work by the specified time.
For example, the CEO may regularly play golf with selected customers and suppliers, attend industry workshops, have industry data sheets provided, and review the opera- tional reports of the organization in formal and informal settings. Such a CEO should be well placed to respond to proposals for new products or IT. Organizational culture also includes business ethics, work ethics, and written and unwritten business practices. Senior executives, who clearly separate personal costs from business costs, encourage differences in opinion, and use business mistakes as valuable business lessons, use their own actions to encourage employees to come for- ward with unethical business practices. A codified set of business ethics and code of conduct help promote an honest, ethical environment where employees can partici- pate and feel valued. If, on the other hand, management berates employees for mis- takes, making them feel small and stupid, then employees will be indirectly encouraged to not ask questions and may feel that they are entitled to unauthorized benefits that come their way, such as gifts from customers or suppliers—opening the way to large-scale bribery and theft. A codified, ethical culture where management behaves in alignment with the code supports healthy corporate governance. If the code of conduct is simply words, unsupported by management actions, then the entire organization could be prone to unethical business practices.
ENTERPRISE RISK MANAGEMENT AND RISK MANAGEMENT FRAMEWORKS Recall that a risk is a description of what could go wrong. In an organizational context, this means risks are events that could prevent the organization from achieving its objectives. Note that this includes a description of the event, its likelihood, timing, and what could happen—either positive or negative consequences. Risk can be managed for- mally or informally, for part or all of an organization. An organization that has enterprise risk management (ERM) has embodied risk management into its culture, such that every employee is aware of and addresses risk management. With ERM, each business activity has been given the mandate, training, and support to manage risks using a coordinated and integrated approach that helps to inform senior manage- ment’s actions. This requires the role of a centralized risk management coordinator (perhaps even a chief risk officer) or risk management committee. Risks, like internal controls, should be “everyone’s business.” We define enterprise risk management as an organizational process that assists the organization in providing reasonable
Risk—description of what could go wrong. In an organizational con- text, this means risks are events that could prevent the organization from achieving its objectives. A risk description includes a description of the event, its likeli- hood, timing, and what could happen—either positive or negative consequences.
Enterprise risk management (ERM)—an organizational process that assists the organization in providing reasonable assurance of achieving its objectives. ERM is applied strategically and across the organization, a process designed to identify and manage potential risks that may affect the organiza- tion within the organization’s risk appetite.
(^320) PART 2 I THE AUDIT PROCESS
Prior to selecting a risk management framework, it is important that the organiza- tion decide how it will define risk, how its corporate governance team will be involved in the risk management process, and how criteria for selecting such a framework will be determined. The organization may require specialist assistance to select a suitable risk management framework, as well as training or consulting assistance for the implementation process. Table 10-5 lists the components of the COSO Enterprise Risk Management— Integrated Framework, describes the component, and indicates how the board of directors and senior management can help to ensure effective implementation of the risk framework. The final column lists an audit technique that the auditor could use to assess the quality of corporate governance of the ERM process. The table illustrates that the board is required to have more than a simple review and approval process— it is expected to evaluate management’s recommendations and analyses by using its own expertise to add to the risk management process.
Auditor Evaluation of Corporate Governance
As explained in Chapter 9, corporate governance is the crucial component of the control environment, as governance practices help to create the tone and organiza- tional culture within an organization. Figure 10-1 on page 322 illustrates that the cor- porate governance structure follows from the business mission, vision, and the strategies for achieving the mission and vision. The audit of the overall effectiveness of corporate governance needs to consider the organizational structure and maturity of the organization. (For example, does the organization effectively deal with change?) Management attitudes and the ethical environment of the organization are important factors that the auditor needs to document. An effective management and board of directors will work together to develop and evolve the strategies needed to run the business. These will include strategies in the areas of risk management (discussed in the previous section), information systems, human resources, operations, and others. Using the ERM process as a model, each strategy would have a development phase, assessment phase, and implementation phase. The implementation phase would include controls to ensure that the strate- gies are implemented, information and communication to promote awareness and communication, and monitoring for ongoing evaluation and adjustment. Effective governance will also look at the alignment of each of the strategies with the overall business mission and purpose, to help prevent the organization working at cross purposes (for example, a production strategy that has poor quality control or uses inef- fective IT systems).
As if there were not enough specific business practices forced upon an organization, there is now the potential for an ERM review by Standard and Poor’s, a rating agency. An organiza- tion’s ERM capabilities in five categories (culture, controls, emerging issues, risk and capital modelling, and strategic risk management) will be summarized to provide an overall classi- fication ranging from Excellent to Weak. It is possible that low ratings could result in an increase in an organization’s borrow- ing costs.
What can an organization do to prepare for a review by its auditors or by S&P? It can adopt a recognized ERM framework, document its governance processes, and document how it actu- ally conducts its enterprise risk management processes.
Sources: 1. “Criteria: Summary of Standard & Poor’s Enterprise Risk Management Evaluation Process for Insurers (Criteria 11-26-2007),” www2.standardandpoors .com/portal/site/sp/en/us/page.article/2,1,6,4,1148449517749.html, Accessed: December 23, 2008. 2. Schanfield, Arnold and Dan Helming, “12 top ERM imple- mentation challenges,” Internal Auditor, December 2008, p. 41–44.
new standards 1 0 - 1
Standard and Poor’s (S&P’s) ERM Review?
CHAPTER 10 I CORPORATE GOVERNANCE AND ENTITY-LEVEL CONTROLS 321
Table 10-5 Auditing Governance of Enterprise Risk Management
COSO Enterprise Risk Management—Integrated Framework Examples of Effective Corporate Audit Techniques to Audit the Component and Example Governance of the Component Component’s Corporate Governance
Internal environment: Risk culture, encompassing attitudes and behaviours; includes management philosophy and risk tolerance, ethical values, and integrity
- (^) Mandatory training for board members on the concepts of enterprise risk management.
- (^) Board approval of ERM framework and code of ethics. - (^) Inspect board ERM training program. - (^) Inspect board minutes and supporting documents justifying selection of ERM framework. - (^) Inspect code of ethics.
Objective setting: Setting of risk tolerance objectives in alignment with organizational mission, vision, and strategy
- (^) Board evaluation and approval of agreed risk terminology and
- (^) of management’s recommended risk tolerances. - (^) Inspect board minutes and supporting documents justifying risk tolerance objectives. - (^) Inquire of board members and management regarding the process for setting risk tolerances.
Event identification: Both internal and external events that could affect the ability to achieve the organization’s objectives should be included, considering separately those that are risks and opportunities, with the latter directed toward the strategic planning process.
- (^) Management clearly provides a strategy for identifying risks.
- (^) Board approves management’s strategy and provides feedback. - (^) Compare the organization’s identified risks to risks identified by the auditor during the client business risk assessment phase of the financial statement audit, looking for gaps. - (^) Inspect board minutes and supporting documents where approval of risk assessment strategy is provided.
Risk assessment: Methodically consider the potential impact and likelihood of risk events.
- (^) Board approves risk assessment methodology and
- (^) re-evaluates tolerances in light of the summarized risk evaluations. - (^) Inspect risk assessment documentation. - (^) Inspect board minutes approving risk methodology and risk tolerances.
Risk response: Based upon the risk tolerance objectives, select one of four approaches for dealing with the risk:
- Acceptance: Do nothing.
- Avoidance: Eliminate the activity that causes the risk.
- Mitigation: Reduce the effects of the risks by taking appropriate action.
- Transference: Outsource, transfer, or share the risk using methods such as insurance or transfer of business processes. - (^) Board evaluates management’s recommendations for risk responses. - (^) Compare risk responses to recommendations of external or internal auditors or other specialized reports. - (^) Inspect documents recommending risk response activities. - (^) Inspect board minutes of approval. - (^) Inspect reports of specialists recommending specific courses of action with respect to risk responses.
Information and communication: Information is gathered and communicated about the risk management process throughout all levels of the organization.
- (^) Inquire of management and request documentation to support information and communication methods; evaluate adequacy. - (^) Obtain copies of and inspect regular communications.
Monitoring: ERM is monitored, feedback provided, and changes to the process made as needed.
- (^) Evaluate management recommendations for change to ERM process. - (^) Inspect board minutes with respect to process and approval of change to ERM process.
Sources: 1. Committee of Sponsoring Organizations of the Treadway Commission, 2004, “Enterprise Risk Management—Integrated Framework, Executive Summary,” www.coso.org/ERM-IntegratedFramework.htm, Accessed: December 23, 2008. 2. Schanfield, Arnold and Dan Helming, “12 top ERM implementation challenges,” Internal Auditor, December 2008, p. 41–44.
Control activities: Policies and practices for ensuring that the identified risk responses are actually completed.
- (^) Evaluate and approve management’s plan for ERM control activities. - (^) Document the control activities, evaluate design effectiveness, and conduct tests of ERM control activities where reliance will be placed on the controls.
The public accountant’s goal in auditing corporate governance includes develop- ing the client risk profile and effectively planning and conducting the audit. (Refer to the inside front cover of this text.) Effective corporate governance may reduce client business risk, as discussed in Chapter 5, and result in a lower assessed control risk, as explained in Chapter 9.
By understanding how the board and its committees (especially the audit commit- tee) work, the auditor will be able to assess how active an oversight role should be taken with respect to the entity’s accounting and financial reporting policies and prac- tices. Answers to these questions will enable the audit team to consider whether corporate governance strategies provide a supportive backbone to the control environ- ment at the organization. Professional judgment and involvement of the senior members of the audit team would be required to reach a general conclusion about the overall quality of corporate governance.
IT Governance and the Audit of General Information Systems Controls
As shown in Figure 10-1, IT governance needs to be considered in terms of the orga- nization’s overall mission, vision, and business strategy. After discussing IT gover- nance, we will look at the relationship between general information systems controls and the financial statement audit planning process.
IT Governance
Just as corporate governance has received increased attention, including the develop- ment of current and more specific standards, so has IT governance. In 2007, ISACA introduced a new certification, Certified in the Governance of Enterprise informa- tion technology (CGEIT), which emphasizes the importance of this process. IT gov- ernance is defined as the policies, practices, and procedures that help IT resources add value while considering costs and benefits. Auditing in Action 10-1 looks at one aspect of information systems governance, security policies. In this section we look both at what IT governance is and what it is not. IT gover- nance is more than security, since it encompasses the entire organization where IT and business components work together, and involves crucial concepts such as sys- tems development life cycle management. Accomplishing IT governance means that responsible management needs to have the authority and methodologies to accom- plish the organization’s IT goals. We also explore the nature of value realization and value management. Security is only one of many policy areas that are included in information systems. Other areas include disaster recovery planning (discussed in Chapter 7), systems acquisition and maintenance policies, and organizational structure. In addition to adding value, the goal of IT governance is to help prevent disastrous failures, such as information systems implementations that make transaction process- ing cumbersome or too costly. IT governance rests within a coherent information sys- tems strategy that is developed and aligned with the organizational strategy and culture, and updated as necessary. IT governance is a crucial subset of corporate governance. Similar to the assess- ment of overall corporate governance, evaluation of IT governance starts with the cultural and operating environment of the management information systems (MIS) functional areas. MIS should be viewed as a partner within the business rather than an adversary or servant. IT dependence should be avoided. Such dependence occurs when there is a disconnection between the business strategy and the MIS operations, exhibited when senior management, such as other executives and the board, abdicate supervision of IT. This tends to result in the reliance upon a small group of individuals within the organization for MIS needs, requirements, or opera- tions. Instead, the CIO (chief information officer) should be a participant in execu- tive meetings, with feedback, decision making, and information flowing among members of the executive team and other parts of the organization. There should be an absence of political games with respect to IT and other resources within the organization. For example, a history of failed, over-budget, or problematic information
CHAPTER 10 I CORPORATE GOVERNANCE AND ENTITY-LEVEL CONTROLS 323
2
IT governance—the policies, prac- tices, and procedures that help IT resources add value while consid- ering costs and benefits.
IT dependence—a disconnection between the business strategy and the MIS operations.
(^324) PART 2 I THE AUDIT PROCESS
systems implementations could be an indication of inadequate management of issues such as data ownership and succession planning associated with IT. Next, we look at the accountability, authority, and decision methodologies used with respect to IT. Appropriate IT governance is linked to enterprise risk manage- ment methods and a sound control environment. The use of an information systems steering committee with executive membership helps guide and oversee MIS processes. Control and audit are considered throughout the development, operations, and maintenance of systems. For example, for e-commerce systems or business func- tions that make extensive use of other online systems, reconciliation, audit, and test- ing capabilities should be built into systems, rather than added on after development is complete. Third, a value realization and delivery framework helps the MIS department to accomplish both the demand and supply side of operations. As each system is consid- ered and evaluated, there should be continuous assessment for alignment with the business needs and strategies. Purchasing or implementing systems simply because they are the “newest toy on the block” results in fragmented, inefficient processing. However, environmental scanning with respect to new technologies adopted or avail- able can help the organization identify obsolescence or other factors that could require IT changes. Finally, to enable value realization, value management methodologies should be in place. Examination and assessment of MIS throughout the systems life cycle can be facilitated by internal audit or by rotational testing by the external auditors. Opera- tional objectives such as effectiveness, efficiency, and economy are used. The organi- zation could develop or purchase metrics to monitor and control the value assessment process.
It seems that wherever you look, there are security breaches or attempted attacks on private data involving hundreds of thou- sands of individuals. In early 2007, Talvest Mutual Funds (owned by the Canadian Imperial Bank of Commerce) announced that a file with over 470,000 customer account details had been lost. In March 2008, a Trojan horse program called Sinowal was credited with tracking over more than 300,000 online bank account details over a period of three years, and in July 2008 WestJet airlines mys- teriously disabled credit card check-ins at Canadian airports as a security measure. Other security measures include banning social websites, such as Facebook, from local area network access. When considering an organization’s security policy, the audi- tor will look at several characteristics:
(1) Is the policy comprehensive? For example, does it consider regulatory requirements (such as privacy laws), security threats that are linked to the enterprise’s risk assessments and all of the different types of information systems in use at the organization? (2) Is the policy current? In addition to new technologies and software, the organization needs to update the policy for changes in laws and regulations, consider new threats (such as new viruses), and update its software (perhaps due to updates in data encryption practices).
(3) Has the policy been communicated? Using the COSO framework, information and communication means that employees have been trained, the policy has been imple- mented, and this communication is part of controls and monitoring. (4) Is it compulsory? Practices that are optional likely will not be in use. Controls and business practices should help make the policy a routine part of organizational life. (5) Is it realistic? The security policy should have a broad set of principles that can readily be converted into controls and actions that can be implemented by the systems and peo- ple of the organization. The internal or external auditor charged with evaluation of the security policy will look at each of the above characteristics and design tests that will help examine them. Sources: 1. Chandra, Ishwar, “The five C’s of IT policy,” Internal Auditor, December 2008, p. 23–24. 2. Chung, Andrew, “University bans Facebook access,” Toronto Star, September 20, 2008, p. A4. 3. Jackson, Brian, “Theories abound about data breach at Canadian airport,” www.itbusiness.ca, Accessed: October 20, 2008. 3. Keiser, Gregg, “Terrible Trojan steals 500,000 bank account, credit card logins,” www.itbusiness.ca, Accessed: March 11, 2008. 4. Mavin, Duncan, “Security breach at CIBC,” National Post, www.canada.com, Accessed: July 7, 2007.
auditing in action 1 0 - 1
Auditing Security Policies
(^326) PART 2 I THE AUDIT PROCESS
audit challenge 1 0 - 2
Hillsburg Hardware Limited in Transition
Back in 1990, when Hillsburg Hardware Limited had only 50 customers, the industry standard of a local area network with a single central server was more than adequate. All software consisted of standard packaged software. There were no onsite data processing personnel, and operating functions were shared among accounting and general staff. The receptionist was responsible for initiating backup before she left in the evening and the general manager kept a copy offsite at his home. The controller was responsible for maintaining password security profiles that controlled access rights. General controls were as follows:
- (^) Organization and management controls Management had a policy of establishing segregation of duties as much as possi- ble with the existing personnel. Functions considered incom- patible with respect to financial systems were separated.
- (^) Systems acquisition, development, and maintenance controls All software used was packaged software. The software was used in its original form (not modified). Software was obtained only in object code (machine language), so it could not be modified by Hillsburg Hardware personnel.
- (^) Operations and information systems support Company offices were open from 8:00 a.m. to 5:00 p.m. The network was left up and running 24 hours per day. A maintenance contract was kept with a major support organization to provide onsite sup- port in the event of equipment failure. Staff were initially trained in the software packages used and had software man- uals to refer to in the event of queries. The controller prepared a set of instructions (about three pages) to be used in the event that a major disaster destroyed the building and the local area network. These instructions were intended to allow Hillsburg Hardware Limited personnel to resume operations at a local area network owned by their support organization for a fee of $500 per hour. Two years ago, Hillsburg finally updated its aging collection of systems to an integrated database management system run- ning on a mid-range minicomputer as the main server. Smaller servers were introduced to host email and office management products (such as word processing and spreadsheets). More sophisticated packaged accounting software was acquired, with support provided by the software supplier. Data in the databases can be exported into spreadsheet files so that staff can prepare their own reports if needed. The company now has over 200 workstations (a combina- tion of microcomputers and specialized cash registers) updating information and accessing the storage systems attached to the minicomputer, and three full-time information systems person- nel. The information systems manager works on and supervises a range of functions, such as technical support for staff and clients and updating the website. The website was custom devel- oped, but maintenance is handled internally. Passwords are maintained by the controller’s executive assistant.
To maintain security, data from the ONHAND (Online Niche- Hardware Availability Notification Database) customer database is ported across to a group of stand-alone high-end microcom- puters every night so that customers can inquire about the avail- ability of products and the status of their orders via the internet. internet access by customers is handled via an ISP (internet Ser- vice Provider). Hillsburg decided that there would be no direct data communications access from the minicomputer and from staff computers—a small group of machines is available for staff to check email. This machine configuration is also used for elec- tronic data interchange transactions between Hillsburg and 10 key suppliers. Transactions are copied to and from the mini- computer systems three times per day.
- (^) Current organization and management controls There has been no change in policy. Duties are segregated as much as practical. Information systems support personnel do not have access to accounting data. A database administrator, who reports to the controller, is responsible for maintaining the data dictionary.
- (^) Current systems acquisition, development, and maintenance controls Accounting software is still packaged software, main- tained externally. Information systems personnel cannot change the accounting software. The website and the elec- tronic data interchange software are maintained internally. Changes to these two pieces of software must be approved jointly by the chief financial officer and the vice-president, operations.
- (^) Current operations and information systems support All sys- tems have current anti-virus software, and firewalls are in place for the group of internet-accessible machines. Company offices are now open from 7:00 a.m. to 6:00 p.m. All systems are left up and running 24 hours a day. There is a more com- prehensive backup and disaster recovery plan. Selected staff walk through this plan as a test every six months to ensure that systems changes have been accounted for. There are maintenance plans for all purchased hardware and software.
CRITICAL THINKING QUESTIONS
- Describe IT governance controls that should be in place at Hillsburg Hardware Limited. State the purpose of each con- trol that you describe.
- List general controls present for the current systems at Hills- burg Hardware Limited for each general control category. For each control, state the risk that the control mitigates and how the auditor would test the control.
- Identify apparent or potential control weaknesses for the current systems at Hillsburg Hardware Limited. What risks are associated with these weaknesses? What compensating controls would you look for?
?
CHAPTER 10 I CORPORATE GOVERNANCE AND ENTITY-LEVEL CONTROLS 327
- (^) Systems acquisition (software is acquired from an outside vendor and imple- mented as is, or modified and implemented)
- (^) Turnkey software development (custom software development is contracted to an outside party)
Where custom program development is routinely undertaken, formal method- ologies with appropriate checkpoints should exist, as should a method of evaluating systems once they have been implemented. Policies to monitor ongoing program changes should also exist. When software systems are purchased, management should ensure that the software is consistent with organizational objectives. The type of process used will affect the nature of controls that need to be examined by the auditor. Again, using the terminology of Information Technology Control Guidelines, the acquisition process is broken down into five phases:
- Investigation. In this first phase, it is determined whether the proposed system should actually be obtained.
- Requirements analysis and initial design. Then, it is necessary to identify and doc- ument the overall functionality and purpose of the proposed system.
- Development (or acquisition) and system testing. Specific functionality of the new system is identified and developed/acquired and tested.
- Conversion, implementation, and post-implementation review. Data are converted from the old to the new system, live running of the system commences, and the system is evaluated to determine whether it satisfies the entity’s needs.
- Ongoing maintenance. Changes to the system are made as necessary.
For the evidence-gathering process, as part of the documentation of knowledge of business, the auditor will determine what types of systems are in place, paying partic- ular attention to those of financial or operational significance. The auditor will then make inquiries regarding the information systems change process: Are information systems developed, modified, or acquired, and have there been any changes in the current year? Where changes have taken place, the auditor may be required to con- duct a conversion audit (discussed in Chapter 18), as well as assess changes to con- trols due to the new or modified systems. The complexity of the software development or acquisition process needs to be determined to assess inherent risks. An overview of the process would be obtained during the preparation of the knowledge of business for the client. Controls over the acquisition or development process are part of the control environment and general information systems controls. Accordingly, such controls affect assessments of control risk and the ability to conduct tests associated with specific audit objectives at the assertion level (discussed in the final section of this chapter). Poor controls over pro- gram quality could mean that the auditor is unable to rely upon automated or com- bined controls for the affected transaction cycles. Acquisition controls need to be documented and, should reliance be placed on software programs during the audit, they would need to be tested, as discussed in Chapter 9. Table 10-6 on the next page provides examples of potential controls for each phase of the acquisition process, with a suggested audit technique to test the control, should the auditor choose to rely upon it.
OPERATIONS AND INFORMATION SYSTEMS SUPPORT As with other types of general controls, the level of complexity needed to manage operations and support of systems depends upon the complexity of systems in use. Hardware configuration, types of operating systems, and whether support is handled in-house or outsourced affect the types of controls in place at the organization.
Hardware configuration As part of the knowledge of business, the auditor would determine the type of equipment in use by the entity, where it was located, how it was interconnected, and whether data communications or internet/intranet access was
Internal versus outsourced support Most organizations using local machines or small- to medium-sized local area networks outsource their hardware and software support. As organizations get larger, they handle their own hardware and software support (by means of a help desk function or as part of the information systems sup- port function) or adopt a hybrid model. In the hybrid model, some functions are out- sourced (perhaps queries regarding packaged software), while others (such as office management software) may be handled in house. The auditor will need to consider security and access rights given to support personnel in order to determine whether or not they are super-users. If these personnel have the ability to make program changes, then the auditor would need to examine the program maintenance process and con- sider whether financial systems are affected. An important issue addressed during the audit of general controls is information systems access. Organizational controls set policies and development controls address access to program changes, while operational controls include access rights given to individual users and super-users. Access controls in an automated system are used to enforce segregation of duties, a crucial aspect of both the control environment and
CHAPTER 10 I CORPORATE GOVERNANCE AND ENTITY-LEVEL CONTROLS 329
Table 10-7 Impact of Information Systems on Financial Statement Audit Phases
Audit Phase Example of Impact of Automation on Audit Process
Risk Assessment
Risk Response
Reporting
- Client risk profile •^ Understand information systems hardware and software infrastructure.
- (^) Document and assess IT governance processes.
- Preplanning •^ Identify availability of specialist expertise in the audit staff.
- Plan the audit •^ Document and assess IT control environment including IT general controls and disaster recovery plans.
- (^) Test general controls where reliance is intended.
- (^) Document and assess key automated and combined application controls; consider each application separately to ensure adequate controls, such as segregation of duties, are in place, using passwords or other techniques.
- Ongoing evaluation, quality control, and final evidence gathering
- (^) Ongoing evaluation should incorporate team meetings and recommendations from IT specialists assigned to the engagement.
- Substantive tests •^ Conduct substantive or dual-purpose tests by means of direct access to client data files (consider the use of spreadsheet software, generalized audit software, or specialized report writers).
- Tests of control •^ Test automated and combined application controls where reliance is intended.
- (^) Consider use of computer-assisted audit techniques for tests of controls (such as the use of test data and integrated test facilities).
- Design further audit procedures
- (^) Design audit programs, considering the use of computer-assisted audit techniques and the ability to access data in client files (discussed further in Chapters 13 and 14).
- Complete quality control and issue auditor’s report
- (^) Consider independent information systems specialist review for high-risk engagements.
(^330) PART 2 I THE AUDIT PROCESS
individual functional system controls. If the auditor intends to rely upon segregation of duties in an automated environment, then access rights controls will need to be documented and tested. This discussion is a highly summarized view of general information systems con- trols. You will learn more about such controls if you take a course on information sys- tems auditing, or you could consult an information systems auditing text or a journal such as the Information Systems Audit and Control Journal.
IMPACT OF INFORMATION SYSTEMS ON THE EIGHT-PHASE AUDIT PROCESS Every audit that you encounter will likely have heavily automated systems, with some advanced issues, such as data communications, web-based purchasing, in-house custom develop- ment, or enterprise-wide processing (also called enterprise resource processing). Our last section in this chapter examines a selection of advanced computing issues, overviewing the impact on the audit. Here, we look at the pervasive effect that computing and infor- mation systems have upon the audit process. Table 10-7 on the previous page lists the audit phases, with examples of the impact of automation on the audit process. The main points from Table 10-7 are the reliance on and integration of findings from information systems audit specialists for IT governance, general controls, and methods of testing for automated or combined information systems controls. Special- ists could also be used to develop or run computer-assisted audit techniques.
Advanced Information Systems and the Audit Process
Along with the use of the internet, computing via wireless platforms and multi-user systems has become common. There is a big difference, however, between using these services as an individual user, and having basic business functions rely upon them. An organization is considered to have advanced information systems when its systems have one or more of the following characteristics:
- Custom-designed operational or strategic information systems.
- Use of data communications (including internet) and multiple locations.
- Use of paperless systems such as EDI or EFT.
- Use of database management systems.
- Integrated computing, such as ERP systems The existence of each of these characteristics affects the nature of information systems processing at the organization and thus also affects the audit process. Here we describe the characteristics, and the last section of the chapter describes the effects on internal controls.
Extent of Custom-Designed Operational and Strategic
Information Systems
In the previous section, we listed the forms of software acquisition as being in-house development, acquisition from an outside vendor, and turnkey software development (where an outsider prepares custom software). Here, we compare custom software to standard packaged software. Figure 10-2 summarizes the advantages and disadvan- tages of these two types of software. Increased use of customization can improve a business entity’s ability to create a strategic information system —a system that provides competitive advantage or improved efficiency of operations. However, should strategic information systems fail or have errors, they increase costs and risks to the business. During the audit planning process, the auditor identifies the nature of such systems and the type of development process. In highly automated or integrated systems, auditors prefer to rely on the com- puter systems, since it is more efficient to test programmed controls than to conduct tests of details. Where the system development process is complex or error prone, the
Strategic information system—a system that provides competitive advantage or improved efficiency of operations.
C10-4 Provide two examples of effective IT governance practices.
C10-5 List the three cate- gories of general controls. For each category, provide an example of an audit step that could be conducted.
C10-6 List two tasks that information systems audit specialists could complete during the financial state- ment audit.
concept check
3
