kerry-walsh
Accounting and Information Systems: a powerful combination
COBIT – Controlling and Auditing IS

Internal Control: A Fundamental Accounting Concept
• Controls are policies, procedures, and information systems (IS) that protect assets from loss or embezzlement, support regulatory compliance, promote efficiency, and ensure accurate financial data
• In today’s IS-enabled world, controls related to IS are very, very important because of:
  – Increasing regulation
  – Increasing IS risk

One Reason for Internal Control: Laws Require Them
• Bank scandals in the 80’s and later debacles at WorldCom and Enron brought us the Sarbanes-Oxley Act of 2002 (SOX)
  – Management is responsible for internal control and financial reporting procedures and
  – Annual reports must assess internal controls
• Financial statements are expected to:
  – Be presented properly AND
  – Reflect what really happened
• Under SOX, officers submitting inaccurate certifications are subject to
  – A fine of up to $1m + 10 yrs
  – Or if purposeful, up to $5m + 20 years

A More Important Reason: IS Failure = Business Failure
• 2 out of 5 enterprises that experience a disaster go out of business within 5 years
• Oregon – Department of Corrections
  – AFAMIS 2005 - was still converting to software that was already out of date – no disaster recovery plan – inaccurate data – security issues
• NASDAQ 2006 – Change management
  – A new piece of equipment caused incorrect data to go out on the busiest trading day ever
• Canadian Utility TransAlta lost $24M to copy/paste errors in a spreadsheet

Information Systems and Risk
• Systematically controlled IS functions aim to:
  – Provide value,
  – Push the envelope, and
  – Mitigate risk
[Diagram labels]
• Business As Usual
• Management Inattention
• Scale and cost
• SOX Compliance
• Threat vulnerability
• Increased IS dependence
• IS’s role in organizational change
[Diagram quotes]
• “We’ll write the documentation later”
• “We won’t get hacked, we’re too small to be on a hacker’s radar”
• “Pick the best solution for our department”
• “There’s no real need for a log file”
• “It will be plenty fast”
• “We’ll delete that old user ID later”

Good IT Controls Ensure that an Organization
• Plans and organizes for effective IS
  – aim for strategic, sufficient, & secure
• Acquires new systems thoughtfully
  – they’ll do the right thing at the right price
• Delivers IS services effectively
  – reliable, cost effective, secure
• Monitors IS processes to make them better
  – measure your actions: expected cost? expected reliability? expected results?

How Does an IS Auditor Know?
Two (of the many) Tools to Help:
• Control Objectives for Information & Related Technology (COBIT):
  – Comprehensive checklists for IT, supports auditing, doesn’t directly address software development or give a roadmap for improvement
• IT Infrastructure Library (ITIL):
  – IT service delivery and management best practices

What Does an Auditor Do?
• Obtaining an understanding of business requirements-related risks, and relevant control measures
• Evaluating the appropriateness of stated controls
• Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
• Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources

How Can You Learn More?
OSU’s Accounting/IS Program
• Why would you do the Accounting Information Systems option?
  – Strong IT skills help all accountants
  – Every audit has to consider the IS that provides the data
  – IS auditing is a valuable specialty
  – Accounting firms also do IS consulting
  – Certified by ISACA to reduce experience requirements for CISA certification