Accounting and Information Systems: a powerful combination

Page 1: Accounting and Information Systems: a powerful combination

Accounting and Information Systems: a powerful combination

Page 2: Accounting and Information Systems: a powerful combination

COBIT – Controlling and Auditing IS

Internal Control: A Fundamental Accounting Concept

• Controls are policies, procedures, and information systems (IS) that protect assets from loss or embezzlement, support regulatory compliance, promote efficiency, and ensure accurate financial data

• In today’s IS enabled world, controls related to IS are very, very important because of:
  • Increasing regulation
  • Increasing IS risk

Page 3: Accounting and Information Systems: a powerful combination

One Reason for Internal Control: Laws Require Them

• Bank scandals in the 80’s and later debacles at WorldCom and Enron brought us the Sarbanes-Oxley Act of 2002 (SOX)
  – Management is responsible for internal control and financial reporting procedures and
  – Annual reports must assess internal controls

• Financial statements are expected to:
  – Be presented properly AND
  – Reflect what really happened

• Under SOX, officers submitting inaccurate certifications are subject to
  – A fine of up to $1m + 10 yrs
  – Or if purposeful, up to $5m + 20 years

Page 4: Accounting and Information Systems: a powerful combination

A More Important Reason: IS Failure = Business Failure

• 2 out of 5 enterprises that experience a disaster go out of business within 5 years

• Oregon – Department of Corrections
  – AFAMIS 2005 - was still converting to software that was already out of date – no disaster recovery plan – inaccurate data – security issues

• NASDAQ 2006 – Change management
  – A new piece of equipment caused incorrect data to go out on the busiest trading day ever

• Canadian Utility TransAlta lost $24M to copy/paste errors in a spreadsheet

Page 5: Accounting and Information Systems: a powerful combination

Information Systems and Risk

• Systematically controlled IS functions aim to:
  – Provide value,
  – Push the envelope, and
  – Mitigate risk

[Diagram labels: Business As Usual; Management Inattention; Scale and cost; SOX Compliance; Threat vulnerability; Increased IS dependence; IS’s role in organizational change]

• “We’ll write the documentation later”
• “We won’t get hacked, we’re too small to be on a hacker’s radar”
• “Pick the best solution for our department”
• “There’s no real need for a log file”
• “It will be plenty fast”
• “We’ll delete that old user ID later”

Page 6: Accounting and Information Systems: a powerful combination

Good IT Controls Ensure that an Organization

• Plans and organizes for effective IS
  – aim for strategic, sufficient, & secure

• Acquires new systems thoughtfully
  – they’ll do the right thing at the right price

• Delivers IS services effectively
  – reliable, cost effective, secure

• Monitors IS processes to make them better
  – measure your actions: expected cost? expected reliability? expected results?

Page 7: Accounting and Information Systems: a powerful combination

How Does an IS Auditor Know? Two (of the many) Tools to Help:

• Control Objectives for Information & Related Technology (COBIT):
  – Comprehensive checklists for IT, supports auditing, doesn’t directly address software development or give a roadmap for improvement

• IT Infrastructure Library (ITIL):
  – IT service delivery and management best practices

Page 8: Accounting and Information Systems: a powerful combination

What Does an Auditor Do?

• Obtaining an understanding of business requirements-related risks, and relevant control measures

• Evaluating the appropriateness of stated controls

• Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously

• Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources

Page 9: Accounting and Information Systems: a powerful combination

How Can You Learn More? OSU’s Accounting/IS Program

• Why would you do the Accounting Information Systems option?
  – Strong IT skills help all accountants
  – Every audit has to consider the IS that provides the data
  – IS auditing is a valuable specialty
  – Accounting firms also do IS consulting
  – Certified by ISACA to reduce experience requirements for CISA certification