access controls
controls that ensure that only authorized personnel have access to the firm's assets
application controls
controls that ensure the integrity of specific systems (input, processing and output controls)
audit planning
the first step in the IT audit; the auditor gains a thorough understanding of the client's business. A major part of this phase is the analysis of audit risk
audit risk
probability that the auditor will render unqualified opinions on financial statements that are, in fact, materially misstated
computer fraud
theft, misuse, or misappropriation of assets by altering computer-readable records and files, or by altering the logic of computer software; the illegal use of computer-readable information; or the intentional destruction of computer software or hardware
control risk
the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts
core competency
theory underlying outsourcing that posits an organization should focus exclusively on its core business competencies while allowing outsourcing vendors to manage non-core areas such as IT functions efficiently
corporate IT function
coordinating IT unit that attempts to establish corporatewide standards among distributed IT units
database management fraud
altering, deleting, corrupting, destroying, or stealing an organization's data
detection risk
the risk the auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor
disaster recovery plan (DRP)
comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures to ensure the continuity of operations
empty shell or cold site
arrangement that involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without the computer and peripheral equipment
fault tolerance
ability of the system to continue operation when part of the system fails due to hardware failures, application program error, or operator error
general computer controls
specific activities performed by persons or systems designed to ensure that business objectives are met.
general controls
controls that pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance
information technology controls
include controls over IT governance, IT infrastructure, security, and access to operating systems and databases, application acquisition and development and program changes
inherent risk
the risk associated with the unique characteristics of the business or industry of the client
IT outsourcing
contracting with a third-party vendor to take over costs, risks, and responsibilities associated with maintaining an effective corporate IT function, including management of IT assets and staff and delivery of IT services such as data entry, data center operations, applications development, applications maintenance, and network management
management assertions
combination of tests of application controls and substantive tests of transaction details and account balances
off-site storage
storage procedure used to safeguard the critical resources
program fraud
techniques such as creating illegal programs that can access data files to alter, delete, or insert values into accounting records; destroying or corrupting a program's logic using a computer virus; or altering program logic to cause the application to process data incorrectly
recovery operations center (ROC)
arrangement involving two or more user organizations that buy or lease a building or remodel it into a completely equipped computer site
redundant arrays of independent disks (RAID)
use of parallel disks that contain redundant elements of data and applications
scavenging
searching through the trash of a computer center for discarded output
specific IT assets
assets unique to an organization that support its strategic objectives; have little value outside of their current use; may be tangible, intellectual, or human
statement on standards for attestation engagements no. 16 (SSAE 16)
definitive standard by which client organizations' auditors can determine whether processes and controls at the third-party vendor are adequate to prevent or detect material errors that could impact the client's financial statements.
substantive tests
tests that determine whether database contents fairly reflect the organization's transactions
tests of controls
tests that establish whether internal controls are functioning properly
uninterruptible power supplies
technologies that prevent data loss and system corruption due to power failure
lower, less
The stronger the internal control structure, as determined through tests of controls, the ________ the control risk, and the ________ substantive testing the auditor must do.
System Administrator
Responsible for the administration of the system they control (database admin, network admin, etc.)
System programmers
people who maintain operating programs and related hardware
System Analyst
analyzing and designing new programs; work with end users on needs and lead programming team
Application Programmer
write the actual programs that process data and produce reports
Data control
A job in computer operations - controls the flow of all documents into and out of computer operations; schedules batches through data entry, monitors batches and ensures that batch totals reconcile.
Computer operators
A job in computer operations - responsible for the computer; loads program and data files, runs the programs and produces output
File librarian
A job in computer operations - responsible for control of the file library (where all program files are stored)
Internally provided backup or hot site
companies with multiple data processing centers may create internal excess capacity and allow for recovery and backup