Question

Scenario 1: Using IT to Gain a Competitive Edge

Judiciously leveraging advances in IT is a fundamental enabler of SHR’s business strategy. In fact, SHR is recognized within the industry as a leader in the use of IT to gain operational efficiencies. For example, SHR implemented electronic data interchange (EDI) with its primary vendors several years ago to streamline its purchasing process and to maintain an uninterrupted ow of incoming inventory to its distribution centers and retail stores. The company places special emphasis on IT controls.

Illustrative business objectives and associated risks pertinent to SHR’s heavy reliance on IT are expressed as follows:

Business Objective 1: Align the company’s IT strategies with its business strategies. Judiciously leverage advances in IT to streamline the company’s business processes and information systems, gain operational efficiencies, and increase shareholder value.

Business Risk 1a: Insufficient, irrelevant, unreliable, inaccurate, and/or untimely information may cause management to make poor IT investment decisions.

Business Risk 1b: Failure to effectively and efficiently integrate acquired IT resources into business processes may adversely affect operational performance and cause unacceptable returns on IT investments. Business

Objective 2: Safeguard the company’s resources against misuse and loss.

Business Risk 2: Unauthorized company personnel and/or outside parties may access the company’s information systems and misuse or misappropriate proprietary information and other assets.

Business Objective 3: Accurately record all valid, and only valid, purchase transactions on a timely basis.

Business Risk 3a: Failure to record a valid purchase transaction may cause inventory and accounts payable to be understated.

Business Risk 3b: Recording an invalid purchase transaction may cause inventory and accounts payable to be overstated.

Business Risk 3c: Recording a valid purchase transaction in the wrong accounting period may cause inventory and accounts payable to be understated or overstated. Auditing Entity-Level Controls

Business Objective 4: Process purchase transactions efficiently, that is, with a minimum of time, effort, expense, and waste.

Business Risk 4: Disruption or corruption of electronic transmissions between the company and its EDI vendors may cause delays in processing purchase transactions, which in turn will cause inventory shortages at the distribution centers and retail stores.

Use the business objectives and risks stated above as the basis for answering the following questions. As he or she deems necessary, your instructor will facilitate the formulation of collective answers to certain questions that will serve as uniform starting points for answering subsequent questions. Students may want to refer to chapter 7, “Information Technology Risks and Controls,” as they complete the Scenario 2 Activities.

Scenario 1 Activities to Answer Questions 1-4 including parts A & B on 2 &4.

1. SHR’s senior management team understands the importance of aligning the company’s IT strategies with its business strategies. Identify two types of IT strategic decisions senior management already has made or is likely to make in the foreseeable future. Clearly explain the linkage between these IT strategic decisions and SHR’s business strategies.

2. Sound decision-making requires high-quality information.

a. What information does senior management need to make informed IT strategic decisions?

b. Identify the entity-level controls you would expect to be in place to ensure that senior management has high-quality information upon which to base its IT strategic decisions.

3. Explain what role, if any, internal audit should have in the IT strategic decision-making process.

4. One of SHR’s business strategies is to selectively acquire companies that complement its core competencies.

a. Explain the effects a business acquisition could have on the inherent risk of failure to effectively and efficiently integrate acquired IT resources into its business processes.

b. Describe the entity-level controls SHR should have in place to mitigate these effects.

Answer 1

Q1.

ANS:SHR's Senior management has made the following 2 IT strategic decision that are given below:

• Electronic Data Interchange: SHR has already implemented electronic data interchange with its primary vendors which enables them to align their business process and to maintain uniterrupted flow of inventory throughout its distribution centre and retail store.
• Process-Level Controls: Non-entity-level controls established by process owners to mitigate the risks threatening the process and to provide assurance that process objectives are achieved. These controls are generally consistent in nature across processes but may vary in their execution from one process to another. Examples include: Reconciliation of key accounts,Monitoring of specific transaction.

Q2.

ANS(A): These are the following information senior management need to make informed IT strategic decision:

• Identification of Business objective.
• Identification of Business process
• Identification of IT requirement
• Evaluation of Information technology
• Aliginig Business objective with that of IT Decision.
• Procurement of IT
• Implementation of Information technology.

(B)

ANS:Thses are the following entity-level controls that would expect to be in place to ensure that senior management has high-quality information upon which to base its IT strategic decisions:

Entity level control: Controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.

• Governance control: Establish the control culture and expectations of the organization. Examples include: Audit committee oversight of internal controls, Senior management’s attitude toward financial reporting.
• Management-Oversight Controls: Entity-level controls established by management (for example, business unit and line management) to mitigate risks threatening the business unit and to provide assurance that business unit objectives are achieved. These controls are generally consistent in nature among business units but may vary in their execution from one business unit to another. Examples include: Monthly analyses of budget versus actual results, IT physical and environmental controls.

Q3.

ANS:These are the following role internal audit should have in the IT Strategic decision making process:

• Organizationwide policy protocol.
• IT general controls.
• External and internal benchmarking
• Employee communication system
• Robust internal Audit function
• Issue escalation system.
• Fraud prevention and detection programme.

Q4.

ANS(A): These are the following effects a business acquisition could have on the inherent risk of failure to effectively and efficiently integrate acquired IT resources into its business processes:

• The inability to generate operating efficiencies and leverage IT may adversely affect the company’s profits.
• Failure to successfully integrate newly acquired businesses may adversely affect the company’s performance.
• Integeration risk:  integrating the operations of two companies proves to be a much more difficult task in practice than it seemed in theory. This may result in the combined company being unable to reach the desired targets in terms of cost savings from synergies and economies of scale.
• Culture clash: aquisition may fail because the corporate cultures of the potential partners are so dissimilar.

(B)ANS: These are the following entity-level controls SHR should have in place to mitigate these effects:

• Controls over management override
• The company’s risk assessment process
• Centralized processing and controls, including shared service environments.
• To establish and promote a culture of integrity, compliance, competence, and accountability; doing the right thing.
• To reduce entity-level risks to acceptable levels.