
IT AUDIT

SOLUTIONS MANUAL
Chapter 3
Discussion Questions
3-1. Why is it important to identify and assess IT risk prior to developing IT internal
controls?
Auditors who concentrate on internal controls, rather than risk, might over-control. IT
internal controls should serve the purpose of mitigating risk. They do not exist for their
own sake. By assessing risk first, IT auditors focus only on those controls that add value
by accomplishing this goal.
3-2. This chapter identified four types of IT risks: business, audit, security, and
continuity risks. Discuss the similarities and differences among them.
Business risk concerns the inability to meet business goals and objectives. Audit risk stems
from the failure of the audit to accomplish its goals and objectives. Security risk
concerns data access and integrity. Continuity risk concerns the information system's
availability and backup process. The risks are similar in that each results in an IT failure
that impacts business effectiveness and efficiency, and all of them result from a failure in IT
governance. They differ in the aspect of the organization each is associated with and in
the nature of the impact each might have.
3-3. One approach to risk assessment is to identify threats, vulnerabilities, and acceptable
risk levels. What vulnerabilities might exist for a business organization's intranet?
There are several threats, and associated vulnerabilities, that apply to a business
organization's intranet. Vulnerabilities include impaired data confidentiality and privacy
through remote or on-site access by unauthorized users; increased exposure to
programmed threats such as viruses, both through remote or on-site access by unauthorized
users and through anti-virus software that is not kept up to date; and unauthorized access
to assets by unauthorized users.
3-4. Describe three risk indicators that might be associated with a company's intranet.
There are many risk indicators associated with a company's intranet. Network and
e-business security are discussed in Chapters 6 and 7. Three risk indicators for a company's
intranet would be:
1. Failure to maintain firewall security
2. Failure to maintain intrusion detection software
3. Failure to maintain user profile security, which includes multiple access levels
and passwords

3-5. Why would an organization accept some level of risk?
It is practically impossible to control against every type and level of risk, and it is
certainly not cost-effective to try. IT managers will often say that they have trouble
sleeping at night because they know that they are vulnerable to risks; the budgets are
simply not big enough to control for everything. Organizations need to assess and analyze
risk to determine what is acceptable and what is not. They also need to weigh the cost of
each control against the risk it mitigates and the likelihood that the risk will occur.
3-6. What is the difference between COSO and ISO 9000?
COSO is an internal control model or framework. ISO 9000, on the other hand, is a set of
standards for quality management. Both internal controls that protect IT assets and quality
controls that improve processes can contribute to organizational effectiveness, since both
increase confidence. ISO 9000 certification provides external organizational stakeholders
with some comfort regarding quality. COSO does not entail certification and so, in that
sense, it may be more difficult to convey to the public that an organization has
incorporated the COSO internal control framework.
3-7. Discuss each of the five components of COSO. Which do you think is most
important to an effective internal control system?
The control environment is the overall organizational attitude toward control, especially
that of top management. Because this attitude is likely to drive internal control emphasis,
funding, and compliance in an organization, it is probably the most important component.
Risk assessment is another component, which emphasizes the identification,
measurement, and evaluation of risk. Control activities are the specific internal control
procedures and policies. Information and communication concern the need to acquire
and communicate information necessary to fulfill management strategies and objectives.
Finally, monitoring ensures that an internal control system continues to operate as
intended.
3-8. Go to www.aicpa.org and view the new Trust Services Principles and Criteria.
How does this new model incorporate SysTrust?
The AICPA combined the WebTrust and SysTrust principles and criteria under a new set of
Trust Services Principles and Criteria, effective January 1, 2003. The SysTrust and
WebTrust services had some commonalities that the AICPA sought to use to create a
harmonized trust framework. The primary change is in the structure, order, and
wording of the Principles and Criteria, made in order to obtain that harmony. There are no new
principles, but the old SysTrust Principle of Maintainability is now subsumed under other
principles. The new set of Principles is: Security, Availability, Processing Integrity,
Online Privacy, and Confidentiality. SysTrust now has a two-month minimum reporting
period. Another change is that the SysTrust logo may now be used as a seal under
specified conditions. There are other changes as well, but these are the primary ones.
3-9. How might an auditor use an internal control flowchart? Do you agree that a
flowchart is a better documentation for internal control than an internal control narrative?
An auditor may use an internal control flowchart to identify areas where controls are
either strong or weak. Sometimes the creation of the flowchart itself will assist the
auditor in obtaining an understanding of the system sufficient to identify internal control
areas of concern. Flowcharts are superior to narratives if the auditor has some familiarity
or training in developing and analyzing flowcharts. At a minimum, the auditor must be
knowledgeable about the symbols used in the flowchart. Narratives of more than one
paragraph are very difficult to follow.
3-10. Discuss the importance of monitoring risks and controls. What components would
exist in a structure for monitoring risks and controls in a large, global public corporation?
Monitoring risks and controls is important because in the absence of monitoring, controls
are likely to be circumvented, and/or fall by the wayside. Internal controls frequently
impede operational efficiency. For example, required authorizations add an extra step to
a process. Monitoring controls ensures that employees continue to observe controls that
have been implemented to mitigate risks. Monitoring risks ensures that new risks are
identified and risks that no longer pose a threat have their associated controls eliminated.
A large, global public corporation is likely to employ an internal audit staff. The
internal audit staff can set up a plan for regular monitoring of risks and controls. This
size corporation will also have external auditors to evaluate risks and controls.

Exercises
3-11. Mi Mexico, Inc., a national fast food restaurant chain, recently hired consultants to
build a data mart containing its sales data. The company owns and operates 174 stores,
with average annual revenue of $650,000 per store. Mi Mexico has an enterprise
information system that integrates its accounting, human resource, and distribution
subsystems. Appropriate sales data from the enterprise system is automatically sent to
the data mart. The marketing and sales department queries the data mart to learn about
sales trends and patterns. Jeff Ewing, the CIO, recently met with Sylvia Rangel, the CFO,
and Juan Hernandez from the Internal Audit department, to discuss risks and controls
related to the new data mart.
Required:
1. Describe any business, audit, security, or continuity risks that may be associated with
the new data mart.
The primary business risk is that the data mart fails to meet the business objectives for
which it was designed. The internal audit staff will want to make sure that the
information gleaned from the data mart is actually adding value in terms of improved
customer satisfaction and retention, in increased sales from new customers, and perhaps
information about sales related to various stores and menu items.
The audit risks include inherent, control, and detection risks. Because a data mart uses
secondary data, that is, data that has already been used for operational purposes, data
errors or misstatements are not likely to have the same impact as errors in operational data.
However, if there are systematic errors in moving the data from operations to the data
mart, there is a chance that analysis of data mart information will lead to inaccurate
conclusions.
Data mart security includes data integrity and access. The data in the data mart has likely
been audited at its source but some data will be transformed during the "data scrubbing"
process that is necessary prior to its entry in the data mart. The logic associated with this
scrubbing is important. Data in the data mart must have integrity in order to provide
useful information. Since the data mart will include a lot of historical sales data, the data
is sensitive with respect to competitors. Therefore, physical and logical access security is
very important.
As for continuity risk, again the fact that the data is not operational reduces the impact of
its loss. Certainly there will be a cost to losing the data in the mart, but the loss will not
impede operations.
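The integrity point above (scrubbing logic that introduces a systematic error between the operational system and the mart) is the kind of thing an internal auditor can test with control totals: record counts and hash totals are computed at the source, recomputed in the mart after loading, and reconciled store by store. The following is an added example, not code from the textbook or from Mi Mexico; the sales rows, the scrubbing rules (void transactions are dropped, item names are normalized) and the store numbers are all constructed for illustration.

```python
"""Source-to-data-mart reconciliation using per-store control totals (added example)."""
from collections import defaultdict
from decimal import Decimal

# Constructed sample of operational sales rows. One store's POS writes "VOID"
# in upper case, which is the systematic difference the scrubbing logic must handle.
SOURCE_SALES = [
    {"store": 101, "item": "Taco Plate", "qty": 2, "unit_price": "6.50", "status": "sold"},
    {"store": 101, "item": "taco plate ", "qty": 1, "unit_price": "6.50", "status": "void"},
    {"store": 102, "item": "Burrito", "qty": 3, "unit_price": "7.25", "status": "sold"},
    {"store": 102, "item": "Burrito", "qty": 1, "unit_price": "7.25", "status": "VOID"},
    {"store": 102, "item": "Nachos", "qty": 2, "unit_price": "4.00", "status": "VOID"},
    {"store": 103, "item": "Churros", "qty": 4, "unit_price": "2.75", "status": "sold"},
]

ZERO = Decimal("0")


def is_void(row):
    """Business rule, applied consistently: a voided sale is not a sale."""
    return row["status"].strip().lower() == "void"


def scrub(rows, case_sensitive_status=False):
    """Transform operational rows into mart rows (drop voids, normalize item names,
    compute the extended amount). case_sensitive_status=True reproduces a scrubbing
    bug: 'VOID' rows are not recognized and are loaded into the mart as sales."""
    mart = []
    for r in rows:
        void = (r["status"] == "void") if case_sensitive_status else is_void(r)
        if void:
            continue
        mart.append({
            "store": r["store"],
            "item": r["item"].strip().title(),
            "amount": Decimal(r["unit_price"]) * r["qty"],
        })
    return mart


def control_totals(rows, amount_of):
    """Per-store record count and hash (amount) total."""
    totals = defaultdict(lambda: {"count": 0, "amount": ZERO})
    for r in rows:
        totals[r["store"]]["count"] += 1
        totals[r["store"]]["amount"] += amount_of(r)
    return dict(totals)


def source_totals(rows):
    # Computed directly from the operational data, independently of the scrub step.
    return control_totals([r for r in rows if not is_void(r)],
                          lambda r: Decimal(r["unit_price"]) * r["qty"])


def mart_totals(rows):
    return control_totals(rows, lambda r: r["amount"])


def reconcile(src, mart):
    """Return a list of (store, field, source_value, mart_value) discrepancies."""
    empty = {"count": 0, "amount": ZERO}
    diffs = []
    for store in sorted(set(src) | set(mart)):
        s, m = src.get(store, empty), mart.get(store, empty)
        for field in ("count", "amount"):
            if s[field] != m[field]:
                diffs.append((store, field, s[field], m[field]))
    return diffs


def run(case_sensitive_status=False):
    """Load the mart with the chosen scrub logic and reconcile it to the source."""
    mart = scrub(SOURCE_SALES, case_sensitive_status)
    return reconcile(source_totals(SOURCE_SALES), mart_totals(mart))


if __name__ == "__main__":
    print("correct scrub:", run())                            # no discrepancies
    print("buggy scrub:  ", run(case_sensitive_status=True))  # store 102 over-stated
```

With the correct scrub the reconciliation is clean; with the buggy scrub store 102 shows three mart records against one source record and an over-stated amount, which is exactly the systematic, store-specific error that would otherwise distort trend analysis. The control works because the source totals are computed from the business rule directly rather than from the transformation under test.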
2. How might Mi Mexico go about identifying specific risks and controls introduced by
the new data mart?
Mi Mexico can use the techniques described in this chapter to identify the risks and
controls associated with the new data mart. They can use the approach described in
Figure 3-3 and identify threats, vulnerabilities, and acceptable risk levels. Another
approach would be to identify the risk indicators associated with a data mart. There is
likely to be guidance available for this from many sources, including the consultants who
helped to create the data mart. Mi Mexico can look to the COSO framework for
guidance on developing a system of internal controls over the data mart risk indicators.
3-12. Cyber Com is an Internet start-up company that offers business intelligence
software and consulting services to help companies with customer relationship
management. The business is quite new and has just recently completed a successful
initial public offering (IPO). All of management's energies have been consumed with
growing the business and successfully going public. As a result, there has not been much
time devoted to internal control. The company uses state of the art technologies to
manage its business. These include an enterprise-wide information system, electronic
commerce, an Intranet, and a knowledge management system. The CEO has recently
issued a directive to Joy Bridges, the CFO, to work with the company's auditor to see
how they should proceed in developing an internal control system that manages the
company's IT risks.
Required:
1. How might you use COSO, CobiT, ISO 9000, or Six Sigma to help in constructing
such an internal control system?
ISO 9000 and Six Sigma are likely to be more useful in evaluating quality in a company
that has been around a bit longer. A new company, such as CyberCom, should be most
concerned with IT risks and controls, rather than the efficiency and quality of its
processes at this point.
COSO could help in developing an internal control system. The company could
apply a risk assessment approach, such as one of the two described in the chapter, to
determine risks. The auditor could develop a set of risk indicators for each technology
and implement controls to mitigate the risks. Another option is to use CobiT to develop a
comprehensive set of internal controls for the company. CobiT would be very useful as a
structure for identifying controls over the acquisition and deployment of IT, as well as over
the company's other IT resources and IT processes.
2. After developing an internal control system to manage IT risks, Joy thinks it might be
a good idea to have the company's auditor conduct a Systems Reliability Assurance
engagement to test the controls. Explain the value this might add.
This is a great idea. By using the structure for Systems Reliability Assurance, the auditor
will be approaching risk and control from yet another vantage point. This may highlight
some components that were missed in developing the system of internal control initially.
Further, once the system meets the AICPA Trust Services Principles and Criteria,
CyberCom will be able to publicize its compliance. This may help to assure
customers, suppliers, investors, and creditors that the company has appropriate controls
over its IT risks.
3-13. Schneider Manufacturing, Inc. employs 236 salaried and hourly workers. All
employees are paid on a weekly basis. The company's accounting information system
includes a payroll module that records payroll expenses, issues checks, and updates the
general ledger. The following is an internal control narrative for the payroll system:
Hourly employees clock in and out to record their hours worked. Salaried
employees do not report time, but they must complete a form available on the company's
Intranet to account for vacation and sick days. Each week, departmental supervisors
deliver time cards to the payroll office. The supervisors also deliver the completed and
authorized vacation and sick day forms. A payroll clerk checks the cards and forms to
see that they are complete and then enters them into the payroll system through a PC.
The payroll software checks the entered data against employee files to verify the
existence of employees and retrieve pay rates. The software contains several internal
controls. For example, it checks to make sure that time worked does not exceed 60 hours
a week. The software also makes sure that employees do not exceed allotted vacation
and sick days.
The payroll system either issues checks encoded with a digital signature, or makes
direct deposits to employee bank accounts for those employees who have chosen this
option. The payroll clerk prints the checks and gives them to the appropriate
departmental supervisors for distribution to employees. The payroll system also produces
a payroll register. The Accounting Department supervisor receives a copy of the payroll
register.
Required:
1. Prepare an internal control flowchart for Schneider Manufacturing's payroll system,
identifying internal controls as shown in Figure 3-7.

Internal control flowchart (three columns; the numbers in parentheses are the control
points marked on the flowchart):

Employees
    Hourly employees clock in and out  ->  Time cards (to Supervisors)
    Salaried employees enter sick and vacation days online  ->  (to Supervisors)

Supervisors
    Time cards  ->  delivered to Payroll Office
    (1) Authorize vacation and sick day forms and print  ->  Printed-out sick and
        vacation day forms (to Payroll Office)
    Payroll checks (from Payroll Office)  ->  distributed to employees (5)

Payroll Office
    Time cards and printed-out sick and vacation day forms received
    Payroll clerk checks cards and forms
    (3) Payroll clerk enters data into payroll system
    Payroll software performs control checks
    (4) Payroll software produces checks or direct deposits
    Outputs: Payroll register; Payroll checks (to Supervisors)

2. Can you identify any internal control weaknesses associated with Schneider
Manufacturing's payroll system?
Control Weaknesses:
1. Supervisors do not appear to check time cards before delivering them to payroll.
2. There should be no need to print out the vacation and sick day forms; they are
already completed on the Intranet.
3. Time card data should enter the payroll system automatically rather than being keyed
in by the payroll clerk.
4. The company should consider mandatory direct deposit.
5. Supervisors do not appear to check payroll checks for reasonableness before
distributing them.
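The narrative's application controls (existence check against the employee file, pay-rate retrieval, the 60-hour weekly limit, and the vacation and sick day allotment check) plus the supervisor authorization of leave forms at control point (1) can be expressed as a small validation routine that separates a weekly batch into a payroll register and an exception report for the clerk and supervisor to resolve. This is an added example, not code from the textbook or from Schneider Manufacturing; the employee master file, the batch of time cards and forms, and the field names are all constructed for illustration.

```python
"""Payroll input controls for a weekly batch (added example)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional

MAX_HOURS_PER_WEEK = 60  # limit stated in the internal control narrative


@dataclass
class Employee:
    emp_id: str
    name: str
    salaried: bool
    pay_rate: Decimal        # hourly rate, or weekly salary for salaried staff
    vacation_days_left: int
    sick_days_left: int


@dataclass
class TimeCard:
    emp_id: str
    hours: Decimal


@dataclass
class LeaveForm:
    emp_id: str
    vacation_days: int
    sick_days: int
    authorized_by: Optional[str]   # supervisor ID; None means not authorized


# Constructed employee master file (the "employee files" the software checks against).
EMPLOYEES = {
    "E100": Employee("E100", "A. Ortiz", False, Decimal("18.50"), 5, 3),
    "E101": Employee("E101", "C. Diaz", False, Decimal("22.00"), 10, 5),
    "E200": Employee("E200", "B. Chen", True, Decimal("1200.00"), 2, 1),
}

# Constructed weekly batch as keyed in by the payroll clerk.
SAMPLE_CARDS = [
    TimeCard("E100", Decimal("42")),   # valid
    TimeCard("E999", Decimal("40")),   # no such employee
    TimeCard("E101", Decimal("65")),   # exceeds the 60-hour limit
]
SAMPLE_FORMS = [
    LeaveForm("E200", 3, 0, "S1"),     # vacation exceeds allotment (2 days left)
    LeaveForm("E101", 1, 0, None),     # not authorized by a supervisor
    LeaveForm("E200", 1, 1, "S1"),     # valid
]


def validate_time_card(card, master):
    """Existence check, pay-rate retrieval and hours limit.
    Returns (gross_pay, None) when accepted or (None, reason) when rejected."""
    emp = master.get(card.emp_id)
    if emp is None:
        return None, "unknown employee"
    if emp.salaried:
        return None, "salaried employee does not report time"
    if card.hours < 0 or card.hours > MAX_HOURS_PER_WEEK:
        return None, "hours %s outside 0-%d" % (card.hours, MAX_HOURS_PER_WEEK)
    return emp.pay_rate * card.hours, None


def validate_leave_form(form, master):
    """Existence, supervisor authorization and allotment checks; None if accepted."""
    emp = master.get(form.emp_id)
    if emp is None:
        return "unknown employee"
    if form.authorized_by is None:
        return "form not authorized by supervisor"
    if form.vacation_days > emp.vacation_days_left:
        return "vacation exceeds allotment"
    if form.sick_days > emp.sick_days_left:
        return "sick days exceed allotment"
    return None


def process_payroll(cards, forms, master):
    """Apply the controls to a batch. Returns (register, exceptions) where register maps
    employee ID to gross pay and exceptions lists (employee ID, reason) pairs."""
    register, exceptions = {}, []
    for card in cards:
        pay, err = validate_time_card(card, master)
        if err:
            exceptions.append((card.emp_id, err))
        else:
            register[card.emp_id] = pay
    for form in forms:
        err = validate_leave_form(form, master)
        if err:
            exceptions.append((form.emp_id, err))
    # Salaried employees are paid their weekly salary without a time card.
    for emp in master.values():
        if emp.salaried:
            register[emp.emp_id] = emp.pay_rate
    return register, exceptions


if __name__ == "__main__":
    register, exceptions = process_payroll(SAMPLE_CARDS, SAMPLE_FORMS, EMPLOYEES)
    print("register:", register)
    print("exceptions:", exceptions)
```

Rejected items are reported rather than silently dropped, so the clerk and the supervisor have something to reconcile against the time cards and forms they submitted; that exception listing is also what an auditor would sample when testing whether the 60-hour and allotment controls actually operate.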
