Auditing Information Systems and Controls: The Only Thing Worse Than No Control Is the Illusion of Control

Copyright © 2007 by Ed Danter.

ISBN:       Hardcover               978-1-4257-6340-4

                 Softcover                 978-1-4257-6322-0

                 eBook                       978-1-4653-2415-3

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the copyright owner.

Rev. date: 09/16/2019

Xlibris

1-888-795-4274

www.Xlibris.com

575625

Contents

Preface

➢   What This Book Covers

➢   This Book’s Target Audience

➢   How to Use This Book

Part 1: Sarbanes Oxley and Regulatory Agencies

Chapter One       Sarbanes Oxley Highlights

➢   Introduction

➢   Background

➢   Section 302

➢   Section 404

➢   Other SOX Standards

➢   Summary

Chapter Two       Regulatory Agencies and Control Frameworks

➢   Introduction

➢   SEC

➢   ISACA

➢   Foreign Corrupt Practices Act

➢   AICPA (Cohen Commission)

➢   COSO

➢   COBIT

➢   AICPA (Jenkins Committee)

➢   COSO Fraud Report

➢   POB Report on Audit Effectiveness

➢   SOX Highlights

➢   Audit Standard #2

➢   Basel II Accord

➢   Summary

Part 2: Controls and IT Infrastructure

Chapter Three       Controls Overview

➢   Introduction

➢   Importance of Controls

➢   Control Benefits

➢   Control Axioms

➢   Principles of Control

➢   Summary

Chapter Four       Control Definitions

➢   Introduction

➢   Control Types

➢   Separation of Duties

➢   Summary

Chapter Five       Establishment of a Sound

IT Control Infrastructure

➢   Introduction

➢   Board of Directors

➢   The Audit Committee

➢   The CGO

➢   Audit Readiness Program

➢   Audit Teams

➢   Organization Chart

➢   Summary

Chapter Six       Proactive IT Control Activities

➢   Introduction

➢   Self-Assessments

➢   Peer Reviews

➢   Internal Audits

➢   Process Documentation

➢   Procedures

➢   Independent External Assessments

➢   Summary

Chapter Seven       Assessment of IT Controls and Evaluation of Effectiveness

➢   Introduction

➢   Validate and Record Issues

➢   Risk Assessments

➢   Establish Corrective Action Plans

➢   Remediation Testing

➢   Review with Audit Committee

➢   Assessment of Control Posture

➢   Risk Assessments on SOX Recommendations

➢   Executive Appraisals

➢   Summary

Part 3: The Audit Process

Chapter Eight       Internal Audit Process

➢   Introduction

➢   Kickoff meetings

➢   Requests

➢   Interviews

➢   Findings

➢   Status Meetings

➢   Recommendations

➢   Final Report

➢   Final Audit Report Distribution

➢   Final Audit Report Response

➢   Summary

Chapter Nine       Sarbanes Oxley Audit Process

➢   Introduction

➢   Separation of Duties

➢   SOX 404 Requirements

➢   Similarities to Traditional Audit Process

➢   Differences with Traditional Audit Processes

➢   Summary

Part 4: Audit Activities

Chapter Ten       Development/Maintenance Methodology and Project Management

➢   Introduction

➢   SEI

➢   Work Management Methodology

➢   Metrics

➢   Quality Management

➢   Project Risk Management

➢   Summary

Chapter Eleven       Production Change Management

➢   Introduction

➢   Work Authorizations

➢   Testing

➢   Issues Management

➢   Library Control

➢   Code Migration

➢   Summary

Chapter Twelve       Application Controls

➢   Introduction

➢   Application Ownership

➢   Application Documentation

➢   Input Controls/Output Controls/Interface Controls

➢   Balancing/Reconciliation

➢   Processing Controls

➢   Backup & Restart Procedures

➢   Application Access Controls

➢   Data Classification Controls

➢   Application Monitoring

➢   Service Level Agreements

➢   Summary

Chapter Thirteen       Operational Controls

➢   Introduction

➢   Security Responsibilities

➢   Logical Controls

➢   Physical Controls

➢   Business Continuity

➢   Summary

Part 5: New Challenges

Chapter Fourteen       Spreadsheets

➢   Introduction

➢   Background

➢   Potential Risks

➢   Proactive Measures

➢   Summary

Chapter Fifteen       Outsourcing IT Controls (SAS70)

➢   Introduction

➢   SAS70 Background

➢   Types of SAS70 Reports

➢   SAS70 Report Conclusion

➢   Benefits of a SAS70 Report

➢   SAS70 Process

➢   The Decision for a SAS70 report

➢   Timing of the SAS70 Audit

➢   Difference between a SAS70 Audit and a Traditional Audit

➢   Effect of SAS70 on Outsourcing

➢   Summary

To my wife Abby, who shared this journey with me from the beginning, who never stopped believing in me, who never allowed me to abandon hope and whose continuous inspiration, support and love helped me to achieve, what seemed at times, a never ending goal.

Preface

The only thing worse than no control, is the illusion of control. If you believe there’s no problem, you won’t think about fixing it. Why spend the resources, time, effort, and cost to correct problems that don’t exist? Having an illusion of control will encourage you to continue on the same course for months or years without any fear of being derailed. And when the train wreck becomes a reality, you’ll wonder how it happened. You must avoid the illusion of control to survive.

In recent years, frequent headlines have exposed unethical corporate behavior, misleading accounting practices, and incompetent and illegal auditing processes. Companies such as Enron, Adelphi, Xerox, Arthur Anderson, ImClone, Tyco, and WorldCom, to name a few, have given us a glimpse into the misbehavior of some executives and made the public aware of inadequacies in corporate governance, and the potential risk. Corporate greed and malfeasance have resulted in criminal indictments of corporate executives for inflating earnings, falsifying financial statements, disguising company financial conditions, and misappropriating assets. Many CEOs’ weak and inadequate leadership have resulted in the failure to detect shortcomings in control of business processes. This situation is compounded by some so-called external auditing professionals who have misled and deceived their clients—or conspired with them to deceive the public.

Corporate America is faced with a challenge today, a challenge unprecedented in our history. It has become a national imperative that corporations create programs and infrastructures to achieve audit readiness and guarantee the accuracy of corporate records. Executives should not and can not depend entirely on external audit reviews and recommendations. They must create internal audit programs and infrastructures to regain credibility and the confidence of shareholders. Meeting this challenge is critical to the survival and success of many business enterprises.

The federal government and leaders of our country are serious about facing the challenges and evolving dangers of corporate behavior, evidenced by the passing of the Sarbanes Oxley Act of 2002. The Act requires CEOs and CFOs to certify the accuracy of their financial statements, and mandates independent outside audit attestation of the operating effectiveness of controls and control structure over financial reporting. It imposes penalties for failure to comply. Pro-active corporations must establish the discipline of rigorous audit readiness programs and must ensure their continued successful execution. Internal audit committees must take measures to install checks and balances and self-policing practices to ensure integrity within their corporations. This is not optional. CEOs today are legally responsible for the correctness of their financial statements.

Today, corporate America is on shaky ground. The public’s reaction is difficult to measure. Stock market performance is volatile and unpredictable, and there are countless instances of financial disappointment and loss. Corporations at risk must redeem credibility, pass external audits, and demonstrate strong controls to the satisfaction of government. They must also be able to stand up to public scrutiny.

The repercussions of fraudulent and inappropriate accounting and control practices can be widespread. The company’s stockholders, creditors, and employees may suffer job loss and diminished retirement savings. Depositors in financial institutions, auditors, and accountants may be subject to investigations. Attorneys, insurers who write officers’ liability policies and experience large claims, customers who depend on the company’s products, merger companies who may enter into partnership based on erroneous finances, and even companies whose reputations can be tarnished by association, may all be affected.

It is critical that corporations regain a sense of ethical and honest behavior and return to basic effective corporate governance. As always, preventive and detective controls and adequate separation of duties need to be in place. It is vital that strong, solid, well executed audit programs be established to provide management teams with the necessary tools to restore trust and sound operations. Unfortunately, we can no longer put all of our faith in external audit organizations. Internal audit infrastructures must be the primary focus. Audit readiness emphasis needs to be placed on establishing ethical standards and expectations, education, behavior modification, preparation, and open and honest communications, and on the implementation of sound business practices and controls.

There is little doubt that when audit organizations are searching for essential business controls and auditability, they will be focusing on IT processes and controls, and they will be evaluating their effectiveness. Accurate financial statements and successful business processes are driven by and dependent upon the effectual implementation of solid, strong IT controls. Business functions are more closely integrated with IT controls than ever before. IT is the front end of business processes, the locomotive that powers the train. Most business functions today are either directly dependent on or are fed data from automated systems. The integrity of this data—that originates from IT systems and is reflected on a business statement and/or on a management report—is instrumental in driving important and sometimes critical business decisions. Its controls are essential to ensure that timely and accurate data is funneled to and digested by business processes. For businesses to disregard the importance of IT controls is as dangerous as ignoring the strength of a foundation when constructing a new house.

What This Book Covers

Auditing Information Systems and Controls: The Only Thing Worse Than No Control Is The Illusion of Control focuses on a new way to run a business, with a unique reporting structure and the formation of an internal independent audit organization. It proposes the establishment of an independent internal auditing group headed by a chief governance officer (CGO) or chief accounting executive (CAE) who reports directly to an audit committee, comprised of board of director members, who themselves must be totally independent. Independence is the most critical element in the success of this new audit approach and can not be emphasized enough. This will require an organizational change in most corporations and a revolutionary approach. Old paradigms in which the audit organization reported to the CEO or CFO will be discarded. These internal audit groups must serve as the eyes and ears of the public and board of directors. They will provide early warnings of inappropriate, fraudulent or ineffective practices and will report noncompliance with accepted basic control fundamentals and ethical behavior; they must do so without fear of reprisal.

Although I have seen many publications espousing the independence of a board of directors and the audit committee, the concept of a CGO/CAE who has governance responsibility and reports directly to the board of directors is somewhat unique. Not only is it the responsibility of the audit committee to provide direction, but it is essential that every executive officer and their staffs be on board and be fully supportive of the internal audit infrastructure. It is the synergy of these organizations working together that is required to prepare us for successful audits and to improve business controls.

Education is critical and should be of paramount importance in addressing this problem. Auditing Information Systems and Controls focuses on the establishment of effective corporate governance, describes how to install a sound audit governance infrastructure, and explains how to establish effective IT controls. This book not only addresses what is needed to comply with legislative mandates, but provides a roadmap, detailing steps on how to establish an infrastructure and audit readiness program to achieve compliance. In addition, there is a realization now by many corporations that the effectiveness of their business process controls is heavily dependent on the adequacy of their IT controls. This book educates current and future executives on the integration of business processes with IT controls.

This book is not confined to teaching audit fundamentals or explaining Sarbanes Oxley requirements. It combines these areas plus more. The book addresses many facets of IT controls, from the formation of an effective audit infrastructure and establishment of a controls framework, to today’s challenges, including Sarbanes Oxley compliance where IT management has been outsourced. You will learn what controls need to be implemented, why they need to be implemented, and how best to put the most effective organization in place to ensure audit success. It is not enough to know what is required via Sarbanes Oxley legislation and other government regulations—you have to know how what controls need to be established and how to ensure that they are in place.

This book provides an educational foundation for the creation of an infrastructure to successfully address the auditing process, and enhance the process for ensuring audit quality. The infrastructure should help detect fraudulent activity, enhance the education of future participants responsible for controls, and position corporations to pass the scrutiny of external audits. This is not the ultimate answer to all corporate financial reporting and control problems, nor does it guarantee successful audits. It is not a panacea, but a starting point and building block for reviving faith in corporate America today, one that our leaders of tomorrow will find invaluable.

Controls have been mandated in today’s corporate world, and this book helps you design a sound audit readiness program. It is a common cent$ approach to controls. You want to be able to pass any audit, but not at the expense of profits. Control is a balance between business benefits and costs. Corporations have no choice but to have controlled environments, but there is latitude to select controls that will minimize complexity and installation costs while still achieving a sound control posture, and without exposing corporations to any additional risks.

This book supplies you with:

➢ Knowledge of why controls are needed.

➢ Consequences of not establishing adequate controls.

➢ The knowledge, skill and motivation to design and implement effective control and auditability features.

➢ Information on the synergy required of various organizations on control and auditability.

➢ The ability to choose an infrastructure that ensures effective controls.

➢ Understanding of the business impact and increased costs and risks resulting from inadequate controls, emphasizing Sarbanes Oxley legislature.

➢ Ability to assess the current state of your IT control environment.

➢ Understanding the need to maintain a balance between business needs and controls while establishing sound control posture.

➢ Help in efforts to design controls necessary to meet the IT directives of Sarbanes Oxley that will close the gaps between your current control environment and where you need to be.

In this book, I provide a streamlined approach, a roadmap that offers a step-by-step approach addressing development of control and auditability features, pro-active internal audits and the audit process.

I also address the responsibilities of various individuals and groups. This includes the board of directors, the audit committee, the chief auditing executive or chief governance officer, audit teams and current or future corporate executives. Not only is it the responsibility of the audit committee to provide direction, but it is essential that every executive officer and their staffs be on board and fully supportive of the internal audit infrastructure.

The book points out that those executives should not depend on external auditing firms, and should place the responsibility for audit readiness on the establishment of a completely independent internal audit infrastructure. There is a direct correlation between the thoroughness of the internal audit process and the readiness for an external audit.

This Book’s Target Audience

Auditing Information Systems and Controls will benefit current and future corporate CEOs, CFOs, CIOs, boards of directors, and other executives who have or will have responsibility for ensuring that adequate controls are in place within their companies and that integrity and accuracy in financial reporting is achieved. Senior executives need to be well versed in internal control theory and practice to meet audit requirements. They must step up and enhance their knowledge of controls, understand their company’s overall audit compliance plans, and ensure that the two are effectively integrated.

Corporations can use this book to instruct internal management on IT controls. Auditing Information Systems and Controls focuses on how to establish IT controls, how to integrate IT controls with business process controls, how executives can assess IT controls and how corporations can prepare for audit readiness compliance. With the recent trials, convictions, and sentencing of corporate executives, the demands for a sound IT control infrastructure become more important and essential for corporate America, with penalties for noncompliance being imposed. It is unacceptable for executives in today’s corporate environment to be ignorant of IT controls.

This book particularly appeals to corporate management and their internal audit organizations where external organizations have been contracted to supply IT support, and where SAS70 reports are being requested for assessing control implementation and effective execution. This audience will grow as outsourcing expands; it is a rapidly evolving challenge. Compliance with Sarbanes Oxley in this environment is imposing unique demands both on professional auditing staffs and on corporate management.

Tomorrow’s executives are an important audience. We need to focus education not only on the corporate executives of today but on the executives of tomorrow. And the time is now. The book could be a primary source used for teaching selective auditing, business controls, or corporate governance courses. Use it as an educational reference for various subjects, such as teaching the importance and necessity of IT controls, understanding audit fundamentals, establishing an auditing infrastructure, implementing control policies and processes, and understanding Sarbanes Oxley requirements.

Eventually, every business graduate student studying for his or her MBA should be required to take a basic course on controls and corporate governance. A basic knowledge of this topic is essential for every future corporate executive. IT controls are integrated into today’s business processes and will play a significant role in business decisions in the years ahead.

How to Use This Book

Auditing Information Systems and Controls: is not meant to be an epochal discovery or to catapult corporate reporting to an idealistic summit. Its objective is simply to be an educational reference, to help us upright ourselves and put ourselves back on track. It is a book to be used by corporate executives who have, and will continue to have, what will seem to be a herculean mission at times: the resurrection of public faith in corporate America.

This book covers a broad scope, from the why’s and what’s of Sarbanes Oxley, to the establishment of the infrastructure and IT controls necessary for audit survival, to the audit process used by external auditors. Focus will be on addressing the how to efforts for the implementation of effective control activities.

This book need not be read in order, cover-to-cover; feel free to browse among the chapters and topics of particular relevance to you. I include case studies and real-life examples from my more than 20 years of audit experience (both as an auditee and auditor). I have worked for IBM for more than 35 years, and I am grateful for the opportunities that allowed me to enhance my audit experience and education. However, the opinions in this book are mine and do not necessarily reflect the opinions or positions of IBM.

Chapter One

Sarbanes Oxley Highlights

The wish to acquire more is admittedly a very natural and common thing; and when men succeed in this they are always praised rather than condemned. But when they lack the ability to do so and yet want to acquire more at all costs, they deserve condemnation for their mistakes.

—Niccolo Machiavelli

Introduction

As a result of corporate financial scandals that plagued corporate America in recent years, Congress passed the Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and frequently referred to as SOX, to build and restore confidence in public financial reporting.

SOX includes issues such as establishing a public accounting oversight board (PCAOB), auditor independence, corporate responsibility and enhanced financial disclosure. The Act requires the certification by CEOs and CFOs regarding the accuracy of their financial statements and requires independent outside audit attestation of the operating effectiveness of controls and control structure over financial reporting. It imposes associated penalties for failure to comply.

It is considered one of the most significant changes to United States securities laws since the New Deal in the 1930s. The Act grants additional powers and responsibilities to the U.S. Securities and Exchange Commission for regular reviews and enforcement. SOX legislature is a framework with SEC rules providing the details through the Public Company Accounting Oversight Board (PCAOB).

Is Sarbanes Oxley more effective than past legislature, and is it a deterrent that would have prevented any of the financial scandals that we have been subjected to over the last few years? We may not be where we ideally would like to with the legislature being an absolute deterrent against fraudulent behavior or erroneous financial reporting, but we are certainly on the right track. Examples of situations where there were indictments as a result of SOX legislature, and instances where there were punitive actions taken are:

July 28, 2005—A federal jury in Birmingham Alabama found Richard Scrushy, HealthSouth Corporation founder, not guilty of securities fraud, conspiracy and violating the Sarbanes Oxley Act of 2002. However, the SEC is requesting repayment of ill-gotten gains, seeking civil penalties, and asking the Birmingham federal court to bar Scrushy from being an officer or director in any public company.

January 27, 2005—Thomas Trauger, a former audit partner in Earnst & Young, was sentenced to 12 months in federal prison, ordered to pay a $5,000 fine, and undergo two years of supervised release for his part in altering and falsifying accounting records with the intent to impede a federal investigation. Earlier, on October 29, 2004, Thomas Trauger had pleaded guilty to falsifying records in a federal investigation in violation of the Sarbanes-Oxley Act. He admitted as part of this plea that he knowingly altered, destroyed and falsified records with the intent to impede and obstruct an investigation by the Securities and Exchange Commission (SEC). This is one of the first cases of document destruction brought under the recently enacted Sarbanes-Oxley Act.

December 25, 2005—Enron’s former chief accountant Richard Causey pled guilty as part of a plea bargain. Thirty-two charges were brought against Causey for fraud, conspiracy, and lying to auditors.

January 24, 2005—Andrew Fastow, chief financial officer for Enron, pleaded guilty to two counts of wire and securities fraud and agreed to serve a 10-year prison sentence.

October 24, 2006—Jeffrey Skilling, ex-Enron Chief Executive Officer, was sentenced to 24 years and 4 months in prison for fraud and inside trading. The charges stated that Skilling used various devices and schemes to manipulate Enron’s financial results from 1999 to 2001. Ken Lay, Enron founder, found guilty along with Jeffrey Skilling, died on July 5, 2006, before sentencing.

In time, SOX will be an even more effective deterrent. As fines and jail sentences increase, so will SOX effectiveness. A significant number of corporations are presently scrambling to put control infrastructures in place to be able to comply with SOX legislature. There is justified concern on the part of many CEOs and CFOs of not being compliant. They will need to establish and ensure effective execution of internal control infrastructures to avoid possible