This case does not include a complete description of the entity or the industry, nor does it provide comprehensive information on auditing; it is only intended to provide the information that will be necessary and helpful in completing this case study and answering the discussion questions. The IT Controls Overview and IT General Controls Overview sections in Appendix 1 provide relevant terms and definitions that will be used throughout the case.

Portfolio Structure and Business

Softies is one of several entities in a portfolio (companies, partnerships, joint ventures) that are owned by a single parent company. The shares of the parent company are 100% owned by one individual of high net worth. The Company assembles laptop computers from purchased components and sells those laptop computers. Softies has been established in this business for a number of years.

Product Strategy and Customers

Softies' product strategy is based on obtaining low-cost components through negotiated supply agreements in order to offer laptops at competitive prices to its customers. The final customer is described as a person who needs only the basic computer functionalities (internet, word processing, etc.) at the lowest possible cost. The Company's customers are mainly retailers or significant individual purchasers (e.g., volume purchases by educational facilities). The competition for laptop computer sales is intense, and cost containment is a critical element of profitability.

Product Description

Softies has standard product configuration lists with a limited range of custom configurations allowed. No custom configurations are provided to retailers. The key suppliers for the Company are Microsoft, various chip suppliers (Intel, AMD, Asian suppliers) and various other hardware and software suppliers. Some of these suppliers are located in different countries, where there is up to six weeks' lead time for receiving component parts. Suppliers are continually improving their own products and enter into discussions with the Company about changes to the product range to incorporate them. As such, there are two forces in product development: the customer and the supplier. Generally, Softies builds to order but holds a minimal amount of laptop inventory available to satisfy customers' immediate needs. However, the Company does hold component stock.

The Company does not develop its own software for inclusion in the laptops; instead, it purchases all software from several vendors for preloading on the laptops, and the cost of that software is simply passed through from the Company to the end customer. Sales carry variable commissions that may change based on the product being sold. Sales are made under the Softies Computers brand name, sometimes with retailer-designated packaging. Sales are recognized when goods are dispatched. There are currently six key retail customers that make up 60% of the Company's sales, and there are no export sales.
IT Environment

Softies uses SAP software in an enterprise resource planning (ERP) environment, which integrates all data and processes within the organization into a unified system, aside from the use of an internally developed application, Firsthand, to manage production and inventory. SAP is running on a UNIX server while Firsthand is running on a Windows server. Both applications allow personnel to connect to them via Windows client workstations. The Company has a website (where customers can place orders) which is linked to the ERP system. The website is also linked to credit card companies (to obtain authorization from the bank). The Company has a firewall system and an intrusion detection system to secure the transactions.

Softies is the sole occupant of a modern one-story building in an industrial park. The building is secured through locks controlled by an electronic badge reader system. The building is also protected by security and fire alarm systems that are connected to the police department and fire department, respectively. The SAP and Firsthand servers, along with the other key network servers, are housed in a specially constructed computer room within the facility. This room has one door that is protected by a lock controlled by the badge reader system.
The badge reader system logs all access to the door.

Audit Strategy and Approach

Softies Computers ("Softies" or the "Company") has engaged our firm to perform an audit of their financial statements for the year ending December 31, 2008. Our audit approach requires that we perform a risk-based audit in which the amount of substantive testing ("work") we perform is contingent on how effective the Company's internal controls are, the risk of the environment the Company is operating in, and the amount of risk the firm is willing to accept for issuing an improper audit opinion (i.e., Audit Risk Formula: Audit Risk = Control Risk x Inherent Risk x Detection Risk). Our audit strategy includes the following steps:

1. We identified the significant business processes that affect the significant accounts, disclosures and related assertions for the financial statements. (Appendix 2)
2. For each significant process, we identified the threats in the processing stream and where data errors could occur in processing the transaction types that would have an impact on the financial statements. These are the points where controls are needed to prevent or detect those errors. (Appendix 3)
3. Based on the identified processes, the threats and the control table, Softies' IT general controls environment was assessed throughout the audit period (as opposed to at a single point in time). (Appendix 4)
4. When IT general controls issues or exceptions were found, each was analyzed to determine the potential impact on the financial statement audit via the application and IT-dependent manual controls relying on those IT general controls.

Your tasks for this case

Q1: Classify the following controls in one of the three categories (A. IT General Controls, Application Controls, or IT-Dependent Manual Controls):

- Accounts are reviewed by the Credit Manager
- The system requires all shipments to have a complete and valid sales order number
- Bank reconciliations are prepared by the Receivables Clerk and reviewed timely by the Controller
- Physical access to the server room is restricted
- The system allows the Purchasing Manager to only approve component purchases up to $15,000

B. Classify the following IT general controls as Manage System and Application Changes; Logical Access; or Other IT General Controls: Operations Controls:

- HR communicates all employee terminations to the administration team for access removal.
- A request to change an existing program or develop a new program must be submitted in writing and be approved by management.
- An intrusion detection system (IDS) monitors activity on the firewalls and web servers. Unusual activity is communicated on a real-time basis to the Network Operations Center. The Network Operations Center is then responsible for taking appropriate follow-up action on identified incidents.
- SAP requires all passwords to be at least eight characters long and to contain at least one uppercase letter and one number.
- Only members of the production control team are allowed to migrate (move) items into the production (live) environment.

Q2: As a result of the IT general control issues and exceptions noted in the case study, the audit team has determined that the functioning of the SAP application controls and IT-dependent manual controls may no longer be fully relied upon, and we must change the audit strategy and rely less on Softies' internal control environment. Thus, the audit team has decided to substantively test some of the sales transactions. The following information (simplified for case purposes) was obtained from the SAP system. Please identify at least three suspicious transactions that should be investigated and indicate how those could be related to a breakdown in the SAP IT general controls as noted in the case. Remember, as a general rule, IT general control issues and exceptions do not directly result in financial statement misstatements or fraud.
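The SAP extract for Q2 is not reproduced on this page, so the following is an added illustration (not part of the case) of how an audit team could screen a sales extract against the controls the case describes: shipments must carry a valid sales order number, terminated users' access should have been removed, production control staff should only migrate code rather than post transactions, and revenue is recognized on dispatch within the year ending December 31, 2008. All user names, order numbers and transactions are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

PERIOD_END = date(2008, 12, 31)  # audit period end stated in the case

# Constructed reference data (hypothetical names, not from the case):
# users HR reported as terminated, with the termination date
TERMINATED_USERS = {"jdoe": date(2008, 9, 15)}
# members of the production control team (should migrate code, not post sales)
PRODUCTION_CONTROL_USERS = {"pctl1"}
# sales order numbers that exist in the order file
VALID_SALES_ORDERS = {"SO1001", "SO1002", "SO1003"}


@dataclass
class SalesTransaction:
    doc_id: str
    sales_order: str      # blank if the shipment control was bypassed
    posted_by: str        # SAP user who posted the invoice
    posted_on: date
    dispatched_on: date
    amount: float


def flag_transaction(t: SalesTransaction) -> list:
    """Return the audit flags for one transaction (empty list if clean)."""
    flags = []
    if t.sales_order not in VALID_SALES_ORDERS:
        flags.append("shipment without a complete and valid sales order number")
    term = TERMINATED_USERS.get(t.posted_by)
    if term is not None and t.posted_on > term:
        flags.append("posted by a terminated user (access not removed)")
    if t.posted_by in PRODUCTION_CONTROL_USERS:
        flags.append("posted by production control staff (segregation of duties)")
    if t.posted_on <= PERIOD_END < t.dispatched_on:
        flags.append("revenue recognized before dispatch (cutoff)")
    return flags


def suspicious_transactions(transactions: list) -> dict:
    """Map doc_id -> flags for every transaction that raised at least one flag."""
    return {t.doc_id: f for t in transactions if (f := flag_transaction(t))}


# Constructed sample extract: one clean invoice and one per failure mode.
SAMPLE = [
    SalesTransaction("INV-1", "SO1001", "aclerk", date(2008, 11, 3), date(2008, 11, 3), 1200.0),
    SalesTransaction("INV-2", "", "aclerk", date(2008, 11, 10), date(2008, 11, 10), 980.0),
    SalesTransaction("INV-3", "SO1002", "jdoe", date(2008, 10, 2), date(2008, 10, 2), 2400.0),
    SalesTransaction("INV-4", "SO1003", "pctl1", date(2008, 12, 29), date(2008, 12, 29), 5600.0),
    SalesTransaction("INV-5", "SO1001", "aclerk", date(2008, 12, 30), date(2009, 1, 5), 3100.0),
]

if __name__ == "__main__":
    for doc, flags in suspicious_transactions(SAMPLE).items():
        print(doc, "->", "; ".join(flags))
```

Each flag names the control whose breakdown would explain the transaction, which is the link to the IT general control issues the question asks for.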
They are looking for real recommendations they can implement based upon a solid framework of controls. Be sure to convey the benefits of the recommendations and provide justification for why each initiative/recommendation will achieve a specific capability or return.

Appendix 1

IT Controls Overview

In larger clients, it is very rare for management's internal controls not to depend heavily on the IT systems and their related controls. It is important to understand the differences between two key auditing terms dealing with IT controls: IT general (or process) controls and application controls.

IT general controls are those which ensure that a client's IT systems operate correctly. These controls primarily focus on ensuring that changes to applications are properly authorized, tested, and approved before they are implemented, and that only authorized persons and applications have access to data, and then only to perform specifically defined functions.

Application controls are automated controls that apply to the processing of individual transactions. They include such controls as edit checks, validations, calculations, business.

In many situations, we also identify manual controls, which are often detective in nature, that rely upon computer-produced information. We refer to these as IT-dependent manual controls. In such situations, we consider not only the sensitivity of the control, but also whether there are controls over the completeness and accuracy of the computer-produced information. For example, management reviews a monthly variance report and follows up on significant variances. Because management relies on the computer-produced report to identify and generate the variances, we also validate that there are IT general controls in place to ensure that the variance report is complete and accurate.

Both IT-dependent manual and application controls have the same objective, which is to provide reasonable assurance that all transactions are valid, properly authorized and recorded, and are processed completely, accurately, and on a timely basis. The difference is that application controls are automated, while IT-dependent manual controls are not; they rely on computer-produced information.

IT General Controls Overview

The effectiveness of IT general controls, primarily program change and logical access controls (data and file access controls), influences our ability to rely on application controls, IT-dependent manual controls, and electronic audit evidence. The following provides an overview of the three IT general controls discussed in this case: Manage System and Application Changes, Logical Access, and Other IT General Controls: Operations Controls.

Manage System and Application Changes

Process: Maintain IT Procedures for Acquisition, Development or Major Changes to Application Software

Objectives: Controls provide reasonable assurance that:
- Application and system software are acquired or developed to effectively support financial reporting requirements.
- Policies and procedures that define required acquisition and maintenance processes have been developed and are maintained.
Rationale: Acquiring and maintaining system and application software includes the design, acquisition/building, and deployment of systems that support the achievement of business objectives. This process includes major changes to existing systems. This is where controls are designed and implemented to support the initiating, authorizing, recording, processing and reporting of financial information and disclosures. Deficiencies in this area may have a significant impact on financial reporting and disclosures. For instance, without sufficient controls over application interfaces, financial information may not be complete or accurate. Policies and procedures include the System Development Life Cycle (SDLC) methodology, the process for acquiring, developing and maintaining applications, as well as the required documentation. For some organizations, these include service level agreements, operational practices, and training materials. Policies and procedures support an organization's commitment to performing business process activities in a consistent and objective manner.

Objective: Controls provide reasonable assurance that systems are appropriately tested and validated prior to being placed into production, and that the associated controls operate as intended and support financial reporting requirements.

Rationale: Installation, testing, and validation relate to the migration of new systems into production. Before such systems are installed, appropriate testing and validation must be performed to ensure that the systems are operating as designed. Without adequate testing, systems may not function as intended and may provide invalid information, which could result in unreliable financial information and reports.

Process: Manage Changes

System changes of financial reporting significance are authorized and appropriately tested before being moved to production.

Rationale: Managing changes addresses how an organization modifies system functionality to help the business meet its financial reporting objectives. Deficiencies in this area could significantly impact financial reporting objectives. For instance, changes to the programs that allocate financial data to accounts require appropriate approval and testing prior to the change to ensure classification and reporting integrity.
Typical activities that occur in controlling system and application changes include:
- Obtaining authorized requests for new systems development or for authorized changes to existing systems
- Categorizing and prioritizing authorized and approved requests
- Implementing or modifying the technology infrastructure to support solutions
- Managing the acquisition or modification of solutions and infrastructure
- Installing and certifying the solution or modification, including developing test approaches and plans, executing the testing, conducting user acceptance testing, approving the solution for use in production, and executing established procedures for migrating programs into production
- Performing post-implementation reviews and follow-up
- Establishing procedures for emergency system modifications
- Monitoring of the procedures and controls related to the process

Logical Access

Process: Acquire and Maintain Technology Infrastructure/Configuration

Technology infrastructure is acquired so that it provides the appropriate platforms to support financial reporting applications. IT components (as they relate to security, processing, and availability) are well protected and prevent unauthorized access.

Rationale: The process of acquiring and maintaining technology infrastructure includes the design, acquisition/building, and deployment of systems that support applications and communications. Infrastructure components, including servers, networks, and databases, are critical for secure and reliable information processing. Without an adequate infrastructure, there is an increased risk that financial reporting applications will not be able to pass data between applications, financial reporting applications will not operate, and critical infrastructure failures will not be detected in a timely manner. Configuration management ensures that security, availability, and processing integrity controls are set up in the system and maintained throughout its life cycle. Insufficient configuration controls can lead to security and availability exposures that may permit unauthorized access to systems and data and impact financial reporting.

Process: Ensure Systems Security

Financial reporting systems and subsystems are appropriately secured to prevent unauthorized use, disclosure, modification, damage, or loss of data. Only authorized persons have access to data, and only to perform specifically defined functions (i.e., segregation of duties).

Rationale: Managing systems security includes both physical and logical controls that prevent unauthorized access. These controls typically support authorization, authentication, nonrepudiation, data classification, and security monitoring. Deficiencies in this area could significantly impact financial reporting and disclosures. For instance, insufficient controls over transaction authorization may result in inaccurate financial reporting.

Typical activities that occur in controlling logical access include:
- Defining security requirements (including both physical and logical aspects)
- Identifying and implementing physical and logical control solutions that meet the security requirements
- Enforcing segregation of duties
- Managing connections with business partners and public networks
- Establishing security awareness practices
- Maintaining appropriate documentation
- Monitoring of the procedures and controls related to the process

Other IT General Controls: Operations Controls

Process: Manage IT Operations

Authorized programs are executed as planned, and deviations from scheduled processing are identified and investigated, including controls over job scheduling, processing, error monitoring, and system availability. Service levels are defined and provide a common understanding of the performance levels against which the quality of services will be measured. Any problems and/or incidents are responded to, recorded, resolved, or investigated for resolution.

Rationale: Managing operations addresses how an organization maintains reliable application systems in support of the business to initiate, authorize, record, process, and report financial information. Deficiencies in this area could significantly impact an entity's financial reporting and disclosures. For instance, lapses in the continuity of application systems may prevent an organization from recording financial transactions and, thereby, undermine its integrity.

The process of defining and managing service levels addresses how an organization tests the functional and operational expectations of its users and, ultimately, the objectives of the business. Roles and responsibilities are defined, and an accountability and measurement model is used to ensure services are delivered as required. Deficiencies in this area could significantly impact the financial reporting and disclosures of an entity. For instance, if systems are poorly managed or system functionality is not delivered as required, financial information may not be processed as intended.

Managing problems and incidents addresses how an organization identifies, documents, and responds to events that fall outside of normal operations. Deficiencies in this area could significantly impact financial reporting.

Process: Manage Data (including backup)

Data recorded, processed, and reported remains complete, accurate, and valid throughout the update and storage process.