Question

Question 1

The capabilities of computer systems have advanced rapidly over the past several decades. In many organizations, the entire data has been computerised and all the information is available only in digital media. In this changed scenario, auditors have to adapt their methodology to changed circumstances. The approach of auditors to evaluate internal controls has changed accordingly. The continual development is changing the way organization works. Many companies have introduced Information Technology (IT) audit function because it is considered to be a valuable element of management control which provides assurance to the business audit committee and management and adds to the organization’s credibility with investors and creditors. Management is responsible for establishing and maintaining a system of internal financial controls and in some cases, may be required by regulators to provide written certification of the adequacy of the controls. Legal and regulatory requirements are changing fast and companies must make sure they are aware of the latest rules. Presence of controls in a computerized system is significant from the audit point of view
The Business and Financial Educational Services provider Company Limited is an organizations that do not have an IT audit function. The company is considering to establish one. They are work shopping their company size and type of business, source of capital and risk factors that warrant such an investment. They agree that the potential benefits of the IT audit function should be assessed and compared against the estimated costs. IT audit function should ensure the establishment and compliance to IT Controls in the organizations computer system. They are undecided on the decision to establish an IT audit function. They think the decision should involve the CEO, CFO, and audit committee. The following is a list of criteria they are considering:
1. The audit committee wants to get independent and objective assurance on the adequacy of internal controls from someone other than the CEO or CFO.
2. The CEO wants to get independent and objective assurance on the adequacy of internal controls from someone other than the CFO or line managers.
3. The CFO wants to get independent and objective assurance on the adequacy of internal controls from someone other than the line managers.
4. The organization gets too large or geographically dispersed for frequent and economical first-hand monitoring of controls by the audit committee, CEO or CFO.

Required:
a. You are an IT Audit consultant who is familiar with the works of the company and is well connected to the company. In a meeting with the CEO, CFO, and audit committee the CEO has asked that you name and explain the broad categories of IT Audit controls (if any) that must be put in place in their work environment.
b. Carefully consider the scenarios in the submissions provided and write out your report to be submitted to the Audit committee. From your submissions the Audit committee decided to fully contract you to support the management of the company to develop and put in place some General IT control tools. You decided to constitute and hold a sub-project committee
meeting to discuss the details on the following.
i. IT policies and standards.
ii. Physical controls (access and environment).
iii. Logical access controls.
iv. Business continuity
v. Disaster recovery controls.

QUESTION 2
In accounting, the financial transactions are recorded, processed and presented to generate financial statements that is useful to the readers, in making decisions. It is often said that both
manual and computerized accounting systems are based on the same principles, conventions and concept of accounting and auditing. However, they differ in their mechanism (devices, instruments and tools used). The manual auditor uses pen and paper, to record and document transactions. Whereas computerized auditing makes use of computers and internet, to document transactions electronically. Auditors should adequately document the audit evidence in working papers, including the basis and extent of the planning, work performed and the findings of the audit.
Documentation includes a record of:
1. The planning and preparation of the audit scope and objectives
2. The audit programme
3. The evidence collected on the basis of which conclusions are arrived at.
4. All work papers including general file pertaining to the organization and system
5. Points discussed in interviews clearly stating the topic of discussion, person interviewed,
position and designation, time and place.
6. Observations as the auditor watched the performance of work. The observations
may include the place and time, the reason for observation and the people involved.
7. Reports and data obtained from the system directly by the auditor or provided by the
audited staff. The auditor should ensure that these reports carry the source of the report,
the date and time and the conditions covered.
8. At various points in the documentation the auditor may add his comments and clarifications
on the concerns, doubts and need for additional information. The auditor should come
back to these comments later and add remarks and references on how and where these
were resolved.

Required;

It is the practice that the report should be timely, complete, accurate, objective, convincing, and as clear and concise as the subject permits. Briefly explain what the following headings entails with relevant examples how an IT Audit report can be broadly structured under the following headings:
i. IT Audit Report.
ii. Introduction.
iii. Objectives.
iv. Scope and Methodology.
v. Audit Results.
vi. Findings.
vii. Conclusions.
viii. Recommendations.
ix. Noteworthy Management Accomplishments.
x. Limitations that were faced.

QUESTION 3
You are a manager in the audit department of Huntsman & Co, a firm of Chartered Certified Accountants, responsible for the audit of several companies and for evaluating the acceptance
decisions in respect of potential new audit clients. One of your audit clients is Redback Sports Co, which operates a chain of sport and leisure centres across the country. The client invited you into a meeting with the CEO and CFO. According to the CEO of the company “the incessant development of information technology is changing the way their organization works in many ways. The pen and paper of manual transactions have made way for the online data entry of computerized applications; the locks and keys of filing cabinets have been replaced by passwords and identification codes that restrict access to electronic files. The implementation of innovative technology is helping their organizations to improve the efficiency of their business processes and considerably increase their data processing and transmission capacity, but has also introduced new vulnerabilities that need to be controlled”. The CFO was concerned about the new vulnerabilities. He is asking how these vulnerabilities could be controlled You quickly responded by saying that assessing the adequacy of each control requires new methods of auditing. With the increase in the investment and dependence on computerized systems by the company, it has become imperative for audit to change the methodology and approach to audit because of the risks to data integrity, abuse, privacy issues etc. An independent audit is required to provide assurance that adequate measures have been designed and are operated to minimize the exposure to various risks.

Required:

i. The CEO is asking if there is any difference between your regular Audit periodically conducted and an IT Audit. You are required to identify, name and explain the core
differences between your Internal Audits periodically conducted and an IT Audit.

ii. Explain 5 objectives of an IT Audit to Redback Sports Co.
iii. Explain 5 benefits that Redback Sports Co. may derive from an effective IT Audit.
iv. The CFO of Redback Sports Co. is asking that you explain the processes to follow to undertake an effective IT Audit for the company and how long you think it will take them to be ready for your audit. Name and explain the Phases of the Audit Process.

Answer 1

Solution 1 (for Question 1)

a) Information technology controls form part of an entity's internal controls. Existence of efficient IT controls ensure confidentiality of data and effective management of the IT system on the whole. There are two broad categories of IT Audit controls.

1) Information Technology General Controls

2) Information Technology Application Controls

Information Technology General Controls (ITGC) establishes control over the following

• Overall IT systems and its operations
• Changes in the program
• Access to data, records and information
• Development of new programs

Such controls enhance the reliability of the information generated by the IT system.

Information Technology Application controls establishes control over the entire process begining with the input of data to the output of the information. Thus, these controls are also known as input-processing-output controls. Such controls may encompass the following based on the purpose of a particular application.

• Validity of the data is controlled through the validity checks
• Completeness check ensures that no data has been omitted from the beginning to the end of the processing
• Integrity of the data is ensured by the input controls
• All the users of the information are identified by the identification controls
• Authorisation controls allow only approved users to access the information
• Mathematical accuracy of the data is checked using the forensic controls on the basis of inputs and outputs.

These controls are designed to perform the above mentioned checks automatically thereby ensuring accuracy and completion in the processing of data.

b) The following matters are to be focussed upon in order to establish the General IT Controls

• As the first step, certain rules and procedures those could be termed as IT policies and standards are to be established. Therefore the users would be aware of their limits and would facilitate them to perform their work in a better way. Also, issues, if any, can be reported and resolved in a timely manner.
• Control mechanisms such as CCTV, alarm system, electronic access, sensors, natural surveillance etc are to be put in place to ensure that the systems (hardware) are physically safe from unauthorized access.
• The programs, softwares and other information stored in the system are to be protected using Logical Access Controls such as application controls, security packages, passwords, encriptions, firewall etc
• It is to be ensured that a copy of the data stored in the system is securely stored elsewhere as a back up. This would facilitate the entity to retrieve the data if anything is lost due to an unforeseen disaster.
• Policies and procedures are to be set to identify the errors and incidents those could have an impact over the continuity of the business.