Smith, a certified public accounting firm, was engaged to audit the financial statements of the Sky-is-the-Limit company. The company has its own IT installation. While obtaining an understanding of internal control, Smith found that Sky-is-the-Limit lacked proper segregation of the programming and operating functions. Smith analyzed the internal control surrounding the system to ensure that the corporate governance was being maintained, and he concluded that the existing compensating general control activities provided reasonable assurance that the objectives of internal control were being met.
Prepare a letter addressed to the board of directors that discusses the following:
TO: Board of Directors
FROM: Auditor
DATE: 21st July 2020
SUBJECT: Risk Management
In a properly functioning IT environment, the audit is carried out in a computerized or automated setting. Here, the primary objective of internal control, i.e., separating the programming and operating functions, is achieved by restricting system operators not only from accessing program source but also from altering the input to or the output from the programs they run. In other words, operators should not be allowed to modify any information, file, document, or operating program details that serve as program input or output, and they should be restricted from changing any of the operating programs.
During production processing, the system programmers must be kept out of the computer room and must not operate anything in it. Jobs should be scheduled by the system operators before production processing takes place, and programs should be tested and accepted before they are moved into production so that no further programming is required once processing begins. In other words, once the computers begin production processing, the programmers' work ends and the operators take over.
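The access restrictions described in the two paragraphs above can be written down as a role-based access policy that the system enforces and that an auditor can re-check against the access log. The following Python is an added example, not part of the original letter or of Sky-is-the-Limit's own systems; the role names, resource names, users and log lines are constructed for illustration.

```python
"""Role-based access policy with a segregation-of-duties (SoD) rule.

Added example: roles, resources, users and log lines below are constructed
for illustration and are not taken from any real installation.
"""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    PROGRAMMER = "programmer"   # writes and tests programs
    OPERATOR = "operator"       # schedules and runs production jobs


# Resources (constructed names for this example).
SOURCE_REPO = "source_repo"
TEST_SYSTEM = "test_system"
PROD_SYSTEM = "prod_system"

# Permission matrix: the (action, resource) pairs each role may perform.
# Programmers never touch production; operators never touch program source.
PERMISSIONS = {
    Role.PROGRAMMER: {
        ("read", SOURCE_REPO), ("write", SOURCE_REPO),
        ("run", TEST_SYSTEM),
    },
    Role.OPERATOR: {
        ("schedule", PROD_SYSTEM), ("run", PROD_SYSTEM),
        ("read_output", PROD_SYSTEM),
    },
}

# Pairs of roles that one person must not hold at the same time.
INCOMPATIBLE_ROLES = [frozenset({Role.PROGRAMMER, Role.OPERATOR})]


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # set of Role values


def has_sod_conflict(user):
    """True if the user's role set contains an incompatible pair of roles."""
    return any(pair <= user.roles for pair in INCOMPATIBLE_ROLES)


def sod_violations(users):
    """Return, sorted, the names of users holding incompatible roles.
    This is the check an auditor runs over the role-assignment table."""
    return sorted(u.name for u in users if has_sod_conflict(u))


def is_authorized(user, action, resource):
    """Allow an action only if one of the user's roles grants it.
    A user whose roles already violate SoD is denied everything (fail closed)
    until the assignment is corrected."""
    if has_sod_conflict(user):
        return False
    return any((action, resource) in PERMISSIONS[r] for r in user.roles)


def review_access_log(users_by_name, log_lines):
    """Replay 'user action resource' log lines against the policy and return
    the lines the policy would deny. An auditor compares this list with what
    the system actually allowed to find gaps in enforcement."""
    denied = []
    for line in log_lines:
        name, action, resource = line.split()
        user = users_by_name.get(name)
        if user is None or not is_authorized(user, action, resource):
            denied.append(line)
    return denied


# Constructed sample data: carol holds both roles, which is the condition
# the auditor found at Sky-is-the-Limit.
USERS = {
    "alice": User("alice", frozenset({Role.PROGRAMMER})),
    "bob": User("bob", frozenset({Role.OPERATOR})),
    "carol": User("carol", frozenset({Role.PROGRAMMER, Role.OPERATOR})),
}

# Constructed access-log lines in the form "user action resource".
SAMPLE_LOG = [
    "alice write source_repo",   # programmer editing source: allowed
    "alice run prod_system",     # programmer in production: denied
    "bob schedule prod_system",  # operator scheduling a job: allowed
    "bob write source_repo",     # operator editing a program: denied
    "carol run prod_system",     # conflicting roles: denied outright
]


if __name__ == "__main__":
    print("SoD violations:", sod_violations(USERS.values()))
    for line in review_access_log(USERS, SAMPLE_LOG):
        print("DENIED:", line)
```

The two functions mirror the two sides of the control: `is_authorized` is the preventive control the system applies at access time, and `sod_violations` together with `review_access_log` is the detective check an auditor can rerun over the role table and the access log to confirm that the separation actually held.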
The three subdivisions of information systems management are corporate, team, and individual (Robertson, 2005). The corporate level concerns how corporate information, including the procedures, policies, and controls formulated by the executives, serves the entire company. In the scenario at hand, it is the lack of proper corporate-level direction from Sky-is-the-Limit's management that leaves the company without segregation of the operating and programming functions. Although corporate governance is maintained and the existing general control activities indicate that the objectives of internal control are met, Sky-is-the-Limit still needs policies, procedures, and controls that create a clear separation between the programming department and the operating department.
As the name suggests, the team subdivision of information systems management deals with the information shared within business units, divisions, departments, and teams. Information shared at team level may be fundamental to the day-to-day activities of a given department but of little importance to others; examples include meeting minutes, department-specific content, and project documentation. In the situation at hand, the team level is key if Sky-is-the-Limit is to segregate its programming and operating functions. Even though collaboration tools between the programming and operating units should be maintained, the separation of functions is critical. Once separate programming and operating departments are created, it becomes easier to establish the independence of each function (Robertson, 2005). The roles and responsibilities of each department must be clearly defined, and information meant for one department should not be shared with the other unless it is needed there.
Last but not least, the individual subdivision is the lowest level of information systems management. It comprises the personal information that staff across the company need, including spreadsheets, financial statements, financial reports, and files relating to the roles and responsibilities of particular jobs. At the individual level, the system operators and the programmers must know exactly what they are supposed to do before, during, and after production processing. An operator should not perform the functions of a programmer, and a programmer should not perform the functions of an operator (Robertson, 2005).