Since the relation between ITGC and the information produced by an organization’s various application programs is indirect, understanding how ITGC interact with and affect an auditor’s risk assessment is often challenging for students. This case helps students assess overall ITGC risk within an organization’s information systems. Students identify specific strengths and weaknesses within five ITGC areas, provide a risk assessment for each area, and then evaluate an organization’s overall level of ITGC risk within the context of an integrated audit.
Keywords: internal controls; general controls; ITGC; risk assessment.

INTRODUCTION

The Sarbanes-Oxley Act (SOX 2002) and the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (PCAOB 2007) require that the organization’s chief executive officer (CEO) and chief financial officer (CFO) include an assessment of the operating effectiveness of their internal control structure over financial reporting when issuing the annual report.
External auditors must review management’s internal control assessment as part of an annual integrated audit of an organization’s internal controls over financial reporting. In short, accountants (external auditors, internal auditors, and management accountants at all levels) are actively involved in helping their respective organizations comply with SOX-related internal control requirements. Because of the pervasiveness of IT in organizations, the information systems themselves contain many internal controls.
As a result, both internal and external auditors must develop an understanding of the IT environment and its related processes and controls, including the IT general controls (ITGC), by performing risk assessment procedures. Although deficiencies in ITGC do not directly result in misstated financial statements or material weaknesses, they can indirectly cause or contribute to application control deficiencies (Center for Public Company Audit Firms 2004). Since the relation between ITGC and the information produced by an organization’s various application programs is indirect, understanding how ITGC interact with and affect an auditor’s risk assessment is often challenging for students. Accordingly, our case offers accounting faculty an assignment or project that is a “real world,” comprehensive supplement to textbook materials on the topic of risk and ITGC.

Carolyn Strand Norman is an Associate Professor at Virginia Commonwealth University, Mark D. Payne is an Executive Director at Ernst & Young, and Valaria P. Vendrzyk is an Associate Professor at the University of Richmond. The authors thank Nancy Bagranoff, Faye Borthick, Jason Moons, Tony Hubbard, Tanya Lee, John McLain, Richard Newmark, Brad Tuttle, Ralph Viator, Marcia Weidenmier Watson, Chris Wolfe, participants at the 2007 American Accounting Association Annual Meeting, and our anonymous reviewers for their helpful suggestions on earlier versions of this case. We gratefully acknowledge William Sanders, Information Systems Department, Virginia Tech, for the matrix presentation materials.
THE CASE

Several months ago, you started working at a large public accounting firm as an IT staff auditor. You are currently working on your first assignment, an ITGC review of the Foods Fantastic Company (FFC). FFC is a publicly traded, regional grocery store chain, headquartered in Mason, Maryland, and includes 50 stores located in the mid-Atlantic area. The centralized data center is in Mason. FFC relies on an integrated suite of application programs that include state-of-the-art software to manage merchandise replenishment, store-level sales forecasting, and point-of-sale data. For example, FFC relies on bar code scanners and credit/debit card readers. To maintain its competitive edge in its market area, FFC recently implemented a fingerprint bio-coding payment system in all of its stores. This new system’s implementation required that FFC change several of its general-ledger application programs, in particular those related to its cash receipts processing. FFC does not use any outside service organizations to provide its IT services.
Sophie Ewing, the audit senior who heads up your team, decided that because of FFC’s complex and sophisticated IT processing, an IT General Control (ITGC) review is mandatory to meet SAS 109’s risk assessment procedures and SOX Section 404 (Management Assessment of Internal Controls) requirements. You know that an ITGC review is very important because ITGC provide the foundation for reliance on any financial information FFC’s systems produce. Your evaluation will affect the financial auditor in assessing the risk of material misstatement in FFC’s financial statements, and consequently, the audit plan.
At your first team meeting, Sophie announced that your firm’s network security specialists would review the technical issues related to FFC’s internal controls. They will evaluate FFC’s operating systems, its telecommunications software, and its network configuration and firewalls. In preparation for the meeting, Sophie encouraged you to review the key provisions included in SAS 109, SOX Section 404, applicable sections of PCAOB Auditing Standard No. 5, and your firm’s internal guidance, which groups ITGC into the following five areas: IT management, systems development, data security, change management, and business continuity planning (BCP).

IT Management

IT management’s key concepts include IT’s position within the organization, whether IT goals are aligned with the organization’s strategic goals, the use of an IT steering committee, and whether the IT department’s structure promotes proper segregation of duties to protect the organization’s assets. Your primary concerns are:

- Does FFC have an IT strategic plan?
- To whom does the Chief Information Officer (CIO) report?
- What key responsibility areas report to the CIO?
- Does FFC have an IT steering committee? If so, who are the members?

Issues in Accounting Education, February 2009. Assessing Information Technology General Control Risk: An Instructional Case.

Systems Development

The key concepts within systems development include the existence of a new systems implementation methodology, project management, pre- and post-implementation reviews, quality control, adequate testing, and demonstrated compliance with the selected implementation methodology.
Based on this understanding, your team’s primary concerns are:

- Does FFC design, develop, and implement systems in a logical fashion?
- Does the organization consider internal controls an integral part of systems design, or does it retrofit them after implementation?
- To what extent is FFC’s Internal Audit department involved in systems development activities? Is it part of the project review team? Is it a voting member of the team?
- In particular, how well did FFC manage the implementation of its new fingerprint bio-coding payment system?
Data Security

The critical concepts within data security include adherence to an established information security policy, access approval on a need-to-know basis, periodic rotation or change of access controls, monitoring of exception reporting, and incident response. Data security has both physical and logical aspects. On the physical side, data security includes physical access and environmental controls over the data center computer room. On the logical side, data security includes policies related to password configuration, change, and history restrictions. Logical security also includes prompt review, modification, or removal of access due to personnel transfers, promotions, and terminations. Your team’s primary concerns are:

- How well does FFC control physical access to its data center computer room? Is FFC’s computer room adequately protected against environmental dangers, such as fire?
- Does FFC control logical access to its information systems? In particular, how does it control the logical access of terminated or transferred employees?
- Does FFC have a current IT security policy?
- Does FFC produce access violation reports?
- Do FFC IT personnel adhere to IT policy and follow IT procedures? For example, do appropriate personnel review any access violation reports and take the prescribed action?

Change Management

Change management’s key concepts include documented change procedures, user authorization and approval, separation of duties in implementing changes, management review, quality control, and adequate testing. Your audit team’s primary concerns are:

- Does FFC have (and follow) formal change management procedures? In particular, did FFC follow these procedures when making any necessary changes to its current application programs because of the new bio-coding payment system? For example: Were the changes approved? Did the programmers adequately test the changes before putting them into production? Did the application programmer(s) that made the code changes also test the changes and/or put them into production?

Business Continuity Planning

Key concepts of BCP are management’s expectations regarding a timely recovery of processing capabilities, the existence of a written plan, the currency of the plan, off-site storage of both the plan and data files, and testing of the plan. Your audit team’s main concerns are:

- Does FFC have a written BCP plan? Is it current? When is the last time FFC tested its plan?
- Does FFC back up its software and data? How often? Where does it store the backups?
- Did FFC need to recover its systems using its backups during the past fiscal year?

Information Collected During the ITGC Review

Under Sophie Ewing’s direction, you and other members of the audit team worked very diligently reviewing FFC’s policies and procedures, interviewing FFC client personnel, and observing FFC’s various operations and procedures related to its ITGC. First, your team created an organization chart to document FFC’s management structure (see Exhibit 1).
Exhibit 2 reflects the information your team collected from interviews, observations, and reviews of corroborating documentation related to FFC’s ITGC.

EXHIBIT 1
Foods Fantastic Company Organization Chart

Positions shown on the chart:
- Executive Vice President and Chief Financial Officer
- Senior Vice President and Controller
- Senior Vice President, Internal Audit
- Senior Vice President and Chief Information Officer (CIO)
- Treasurer
- Vice President, Applications
- Vice President, Operations
- Vice President, Information Security
- Vice President, Database Administration (currently vacant)

EXHIBIT 2
Foods Fantastic Company IT General Control (ITGC) Review Notes

Notes from meetings with the Chief Financial Officer (CFO):
- Foods Fantastic Company (FFC) implemented a new bio-coding payment system in all of its stores this past fiscal year.
- FFC’s IT Executive Steering Committee develops IT policies and reviews the overall operations of the IT department. The voting members of the committee are:
  1. The Senior Vice President (SVP) and Chief Information Officer (CIO)
  2. VP, Applications
  3. VP, Database Administration (DBA)
  4. VP, Operations
  5. VP, Information Security (IS)
  6. Executive Vice President and Chief Financial Officer (CFO)
  7. SVP, Internal Audit
- The IT Executive Steering Committee revised FFC’s security policy in 2005. The policy addresses all organizational security issues, including IT.
- FFC has no documented business continuity or disaster recovery plan. Management believes such a plan is cost-prohibitive for an organization of its size, and FFC has never experienced any major business disruption. In case of disaster, the data center manager would retrieve the most recent backup tapes, which are stored off-site. FFC would use these files to recover its systems.

Notes from meetings with the SVP, Internal Audit:
- FFC’s Internal Audit Department is involved as a voting member of the project teams responsible for design, development, and implementation of new projects.
- Internal Audit performs post-implementation reviews on all projects over $2 million.
- The new bio-coding payment system was 25 percent over its initial time budget and 40 percent over its initial dollar budget.

Notes from meetings with the CIO:
- The VP, Applications is currently responsible for the DBA function. However, the CIO reviews the logs that show the actions of the VP, Applications’ user ID.
- FFC has an IT strategic plan, which is consistent with its corporate strategic plan. The IT strategic plan outlines the objectives and strategies that the information systems group will implement to assist FFC in meeting its overall business objectives.
- FFC adopted Structured Systems Analysis and Design Methodology (SSADM), a recognized standard for systems development and project management. All projects (buy or build) follow the applicable SSADM phases.
- The CIO periodically reviews each project’s required budget-to-actual reconciliation.
- FFC’s security policy states that the VP, IS is to conduct a user audit on a quarterly basis. The appropriate department manager reviews electronically submitted reports that list each user’s profile, notes changes on the reports, and returns the reports to the VP, IS. The VP then makes the appropriate modifications based on the returned reports. The VP maintains the reports, and initials and dates each report after completing all modifications.

Notes from meetings with the VP, Human Resources:
- FFC is currently interviewing individuals to assume the DBA’s responsibilities and hopes to hire someone within the next six to eight months.
- Aside from the security policy, management does not provide any formalized security awareness programs related to data security.
- Each month, the Human Resources department forwards a Transfers and Terminations report to the VP, IS.

Notes from meetings with the VP, Applications:
- The VP, Applications assigns a project manager and develops an initial time and dollar budget for each new development project.
- IT personnel adequately tested the new bio-coding payment system prior to its implementation. This testing included integration testing, stress testing, and user acceptance testing. User departments corroborated their testing and acceptance of the new system.
- Application programmers do not have access to the computer room unless escorted by data center personnel (e.g., an operator).
- FFC instituted formal procedures for change management. The VP, Applications is responsible for change management and maintains all documentation in a fireproof vault in his office.
- A Change Request form initiates all application software changes, including required software upgrades. A user completes the form, which the user’s department manager approves. The user forwards the request form to the VP, Applications, who logs each request in a Change Request Log. The VP performs an initial analysis and feasibility study and estimates the required development hours.
- The Change Request Log is a listing of all requested changes and the status of each change request. The VP, Applications uses this log to track open items and follow up on changes not completed within the original time estimate.
- The VP, Applications assigns the change request to an applications programmer and issues the current system’s documentation to the programmer.
- The applications programmer copies the source code from the system’s production region to its development region and makes the change. The programmer works in the system’s development region using test data. The programmer tests the change first within the affected module and then within the entire application. Changes are never tested against production data. The programmer updates the necessary system documentation.
- The applications programmer migrates the code to the system’s test region. A second programmer performs systems integration testing, volume testing, and user acceptance testing, again using test files. The second programmer then performs a quality review of the change, including a source-compare analysis, and reviews the updated systems documentation.
- Upon completion of testing, the user who requested the change and the appropriate department manager review the test results and accept the change by signing the original request form. The VP, Applications reviews the user-approved request form on which the department manager has indicated that s/he is satisfied that the program is ready for implementation.
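Two of the case’s concerns lend themselves to an automated test of evidence rather than interview notes alone: the data security question of whether logical access is removed or re-reviewed after the monthly HR Transfers and Terminations report, and the change management question of whether the programmer who made a change also tested it or moved it into production. The script below is an added illustration, not part of the case or the authors’ teaching materials; the record layouts, names, dates, and user IDs are constructed for the example and stand in for the quarterly user-profile report, the HR report, and entries reconstructed from the Change Request Log and signed request forms.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UserAccount:
    """One row of the quarterly user-profile report (hypothetical layout)."""
    user_id: str
    employee_id: str
    active: bool
    last_reviewed: Optional[date]  # date the department manager last signed off


@dataclass(frozen=True)
class HrEvent:
    """One row of the monthly HR Transfers and Terminations report (hypothetical layout)."""
    employee_id: str
    event: str  # "TERMINATED" or "TRANSFERRED"
    effective: date


@dataclass(frozen=True)
class ChangeRecord:
    """One change request, reconstructed from the log and the signed request form."""
    request_id: str
    requested_by: str
    approved_by: str    # requesting user's department manager
    developer: str      # programmer who made the change
    tester: str         # programmer who ran integration, volume and acceptance tests
    migrated_by: str    # person who moved the code into the production region
    user_signoff: bool  # requesting user and manager signed the original form


def access_exceptions(accounts: List[UserAccount], hr_events: List[HrEvent],
                      as_of: date, grace_days: int = 0) -> List[Tuple[str, str]]:
    """Flag active accounts not removed after termination or not re-reviewed after transfer."""
    terminated = {e.employee_id: e.effective for e in hr_events if e.event == "TERMINATED"}
    transferred = {e.employee_id: e.effective for e in hr_events if e.event == "TRANSFERRED"}
    findings = []
    for acct in accounts:
        if not acct.active:
            continue  # access already removed, nothing to report
        term_date = terminated.get(acct.employee_id)
        if term_date is not None and (as_of - term_date).days > grace_days:
            findings.append((acct.user_id, "still active after termination"))
            continue
        move_date = transferred.get(acct.employee_id)
        if move_date is not None and (acct.last_reviewed is None or acct.last_reviewed < move_date):
            findings.append((acct.user_id, "access not re-reviewed after transfer"))
    return findings


def sod_exceptions(changes: List[ChangeRecord]) -> List[Tuple[str, str]]:
    """Flag change requests that break the approval and segregation-of-duties expectations."""
    findings = []
    for c in changes:
        if c.approved_by == c.requested_by:
            findings.append((c.request_id, "requester approved own request"))
        if c.tester == c.developer:
            findings.append((c.request_id, "developer tested own change"))
        if c.migrated_by == c.developer:
            findings.append((c.request_id, "developer moved own change to production"))
        if not c.user_signoff:
            findings.append((c.request_id, "no user acceptance sign-off"))
    return findings


# Constructed sample evidence: hypothetical people, IDs and dates, not from the case.
ACCOUNTS = [
    UserAccount("jdoe", "E100", True, date(2008, 12, 31)),   # no HR event, stays clean
    UserAccount("asmith", "E200", True, date(2008, 12, 31)), # terminated, still active
    UserAccount("bwong", "E300", False, date(2008, 12, 31)), # terminated, access removed
    UserAccount("clee", "E400", True, date(2008, 12, 31)),   # transferred, never re-reviewed
    UserAccount("dkim", "E500", True, date(2009, 2, 10)),    # transferred, reviewed afterwards
]
HR_EVENTS = [
    HrEvent("E200", "TERMINATED", date(2009, 1, 15)),
    HrEvent("E300", "TERMINATED", date(2009, 1, 15)),
    HrEvent("E400", "TRANSFERRED", date(2009, 1, 20)),
    HrEvent("E500", "TRANSFERRED", date(2009, 1, 20)),
]
CHANGES = [
    ChangeRecord("CR-001", "user1", "mgr1", "prog1", "prog2", "ops1", True),   # follows procedure
    ChangeRecord("CR-002", "user2", "mgr2", "prog1", "prog1", "prog1", False), # one person did it all
    ChangeRecord("CR-003", "user3", "user3", "prog3", "prog2", "ops1", True),  # self-approved
]
AS_OF = date(2009, 2, 28)


def run_review() -> dict:
    """Run both tests over the sample evidence and return the findings per ITGC area."""
    return {
        "data_security": access_exceptions(ACCOUNTS, HR_EVENTS, AS_OF),
        "change_management": sod_exceptions(CHANGES),
    }


if __name__ == "__main__":
    for area, items in run_review().items():
        print(area)
        for ident, reason in items:
            print(f"  {ident}: {reason}")
```

The `grace_days` parameter lets the reviewer express how promptly the policy expects access to be removed after a termination; with the default of zero any active account belonging to a terminated employee is an exception, while a larger value reports only those that have outlived the allowed window. Each finding carries the reason, so the output maps directly onto the specific concern (removal after termination, re-review after transfer, approval, testing, migration, sign-off) the audit team would document in its workpapers.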