
EQUITY FUNDING CORPORATION OF AMERICA
BACKGROUND OF THE CASE

ACTORS
Stanley Goldblum: Chairman of the Board, President
Fred Levin: Vice President, Chief Financial Officer

BUSINESS MODEL

ISSUES
• Ethics and Integrity
• Control Environment
• Auditors’ Competence
• Impairments in Audit
COBIT 5 EFCA ASSESSMENT

MANAGEMENT: Align, Plan and Organize (APO)

APO07 Manage human resources
Issues:
✘ Lack of key IT personnel
✘ Insufficient personnel skills and competencies
✘ Absence of employee performance evaluation
Recommendations:
• Identify key IT personnel while minimizing reliance on a single individual’s performance through: (a) knowledge capture (documentation), knowledge sharing, succession planning and staff backup; (b) a personnel development plan; and (c) a personnel backup plan that is applied and monitored.
• Maintain personnel skills and competencies through: (a) formal career planning and development, (b) monitoring of gaps between required and available skills, and (c) regular reviews for assessment.
• Conduct regular performance evaluations, provide timely feedback, and operate a proper remuneration/recognition process.
MANAGEMENT: Align, Plan and Organize (APO)

APO11 Manage quality
Issues:
✘ Improper QMS
✘ Violation of quality standards, practices and procedures
✘ Nonperformance of quality monitoring, control and reviews
Recommendations:
• Establish a QMS with a standard, formal and continuous approach to quality management.
• Align the QMS with the IT control framework and certification for key processes, organizational units, products or services.
• Perform quality monitoring, control and reviews on an ongoing and systematic basis.
MANAGEMENT: Align, Plan and Organize (APO)

APO13 Manage security
Issues:
✘ Ineffective ISMS
✘ Absence of information security procedures
✘ Failure to monitor and review the ISMS
Recommendations:
• Develop an ISMS policy that enables secure technology and business processes aligned with business requirements and enterprise security management.
• Maintain an information security risk treatment plan.
MANAGEMENT: Build, Acquire and Implement (BAI)

BAI01 Manage programs and projects
Issues:
✘ Failure to maintain a standard approach for programs
✘ Ineffective monitoring
✘ Compromised project risk management
Recommendations:
• Formulate and implement a stakeholder engagement plan to manage their expectations.
• Employ stage-gate reviews on projects and programs.
• Create a project risk management plan aligned with the ERM framework.
MANAGEMENT: Build, Acquire and Implement (BAI)

BAI02 Manage requirements definition
Issues:
✘ Inadequate functional and technical requirements
✘ Failure to manage requirement risk
Recommendations:
• Employ peer reviews, model validation or operational prototyping with the participation of various stakeholders.
• Perform feasibility studies on potential solutions; formulate a high-level acquisition/development plan for larger projects.

BAI03 Manage solutions identification and build
Issues:
✘ Failure to provide quality assurance
✘ Failure to reassess and update designs
Recommendations:
• Create and execute a quality assurance plan and practices to achieve quality requirements.
MANAGEMENT: Deliver, Service and Support (DSS)

DSS02 Manage service requests and incidents
Issues:
✘ Unresolved incidents
✘ Failure to track incident status and reports
Recommendations:
• Continuously assess facilities (physical and IT) and ensure their resiliency against identified risks, e.g. alternative power supply mechanisms and protection against physical alteration.

DSS04 Manage continuity
Issues:
✘ Failure to assess the continuity plan
✘ Inadequate backup arrangements
Recommendations:
• Initiate sustainable solutions addressing the root cause, with proper documentation and communication.
• Practice proactive problem management: identify trends indicative of a problem.
MANAGEMENT: Deliver, Service and Support (DSS)

DSS05 Manage security services
Issues:
✘ Indefinite network and connectivity security
✘ Lax access control
✘ Inadequate monitoring
Recommendations:
• Implement a risk-based connectivity security policy and conduct penetration tests.
• Define user access rights and review user accounts and privileges periodically.
• Define the criteria for the approval of access requests and the logging requirements.
MANAGEMENT: Monitor, Evaluate and Assess (MEA)

MEA01 Monitor, evaluate and assess performance and conformance
Issues:
✘ Prejudiced monitoring approach
✘ Unrealistic performance and conformance targets
✘ Fictitious performance reports
Recommendations:
• Align and continually maintain the monitoring and evaluation approach with the enterprise approach, using suitable tools and systems for data processing and data analysis.
• Objectively set process performance and conformance targets that are concise, attainable, easy to understand and tailored to various management needs.
• Periodically validate the approaches used and identify new or changed stakeholders, requirements and resources.
MANAGEMENT: Monitor, Evaluate and Assess (MEA)

MEA02 Monitor, evaluate and assess the system of internal control
Issues:
✘ Override of business process controls
✘ Ineffective control and self-assessments
✘ Unreported control deficiencies
Recommendations:
• Obtain transparency for key stakeholders on the adequacy of the system of internal controls, providing trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.
• Ensure that control activities are in place and that exceptions are promptly reported, followed up and analyzed, and that appropriate corrective actions are prioritized and implemented according to the risk management profile.
• Maintain plans and scope and identify evaluation criteria for conducting self-assessments.
• Establish adherence to applicable codes of ethics and standards and assurance standards.
MANAGEMENT: Monitor, Evaluate and Assess (MEA)

MEA03 Monitor, evaluate and assess compliance with external requirements
Recommendations:
• Ensure that the enterprise is compliant with all applicable external requirements.
• Obtain independent counsel, where appropriate, on changes to applicable laws, regulations and standards.
• Identify and assess all potential compliance requirements and their impact on IT activities in areas such as data flow, privacy, internal controls, financial reporting, industry-specific regulations, intellectual property, and health and safety.
GOVERNANCE: Evaluate, Direct and Monitor (EDM)

EDM01 Ensure governance framework setting and maintenance
Issues:
✘ Failing governance system
✘ Management inducement to fraud
✘ Poor management oversight
Recommendations:
• Design a formal decision-making model.
• Articulate the principles to align the ethical use and processing of information.
• Employ a reward system approach in directing the governance system.
• Provide a mechanism to render feedback and review on governance effectiveness and performance.
GOVERNANCE: Evaluate, Direct and Monitor (EDM)

EDM04 Ensure benefits delivery
Issues:
✘ Usage of fraud
Recommendations:
• Strategic alignment in value creation: stakeholder requirements, IT issues, and economic opportunities.
• Risk-based and continuous evaluation of the services portfolio.
• Proactive approach to assessing the value chain.
GOVERNANCE: Evaluate, Direct and Monitor (EDM)

EDM05 Ensure stakeholder transparency
Issues:
✘ Fraudulent reporting
✘ Insufficient stakeholder communications
Recommendations:
• Adhere to stakeholder communications and reporting requirements.
• Create escalation guidelines and rules for validating and approving mandatory reports.
• Regularly assess stakeholder communication and reporting systems.
IMPLICATION TO CIS AUDIT
• Auditors’ Competence
• Impairments in the audit process
IMPLICATION TO CIS AUDIT: Auditors’ Competence

• The auditor FAILS TO CONSIDER whether the personnel assigned to the engagement have appropriate IT and Internet business knowledge to perform the audit of the entity’s IT strategy and activities.
• The auditor FAILS TO UNDERSTAND the technology used in operations, the risks involved in using IT and the entity’s approach to managing those risks.
• The auditor FAILS TO CONSIDER the effect of the entity’s dependence on IT activities on its ability to continue as a going concern.
• The auditor FAILS TO EXERCISE professional skepticism in conducting the audit.

The auditors should have considered consulting an expert to generate evidence, in accordance with PSA 620, instead of relying on evidence provided by EFCA. Alternatively, they should have declined the engagement.
IMPLICATION TO CIS AUDIT: Impairments in the audit process

• The auditor FAILS TO OBTAIN KNOWLEDGE of EFCA’s IT strategy and the extent of its IT activities.
• The auditor FAILS TO IDENTIFY RISKS relating to EFCA’s pervasive IT security risks, especially the potential to suffer fraud by customers, employees and others through unauthorized access.
• The auditor FAILS TO COLLECT SUFFICIENT AND COMPETENT EXTERNAL EVIDENCE relating to the effectiveness of control procedures and relies heavily on management representation.

ERRONEOUS JUDGEMENT OF AUDIT RISK
= problematic risk response
= INABILITY TO DRAW A CORRECT OPINION ON THE FAIRNESS OF THE FS

“The aforementioned impairments in the audit process deteriorated the ability of the auditors to discharge their obligations.”
CONCLUSION

“Poor IT controls were utilized by EFCA to achieve their desired and immediate targets at all cost, even if the means were fraudulent, in lieu of the optimal and long-term benefits to be derived from their IT system. Therefore, effective IT controls play a critical part in a computerized system in creating value for business. On the part of CIS audit, sufficient knowledge and technology skills in IT would enhance the auditor’s ability to discharge their obligations: to render an opinion on EFCA’s FS.”
