This case does not include a complete description of the entity or the industry, nor does it provide comprehensive information on auditing; it is only intended to provide the information that will be necessary and helpful in completing this case study and answering the discussion questions. The IT Controls Overview and IT General Controls Overview sections in Appendix 1 provide relevant terms and definitions that will be used throughout the case.

Portfolio Structure and Business

Softies is one of several entities in a portfolio (companies, partnerships, joint ventures) that are owned by a single parent company.
The shares of the parent company are 100% owned by one individual of high net worth. The Company assembles laptop computers from purchased components and sells those laptop computers. Softies has been established in this business for a number of years.

Product Strategy and Customers

Softies’ product strategy is based on obtaining low-cost components through negotiated supply agreements in order to offer laptops to its customers at competitive prices.
The final customer is described as a person who needs only the basic computer functionalities (Internet, word processing, etc.) at the lowest possible cost. The Company’s customers are mainly retailers or significant individual purchasers (e.g., volume purchases by educational facilities). Competition for laptop computer sales is intense, and cost containment is a critical element of profitability.

Product Description

Softies has standard product configuration lists with a limited range of custom configurations allowed.
No custom configurations are provided to retailers. The key suppliers for the Company are Microsoft, various chip suppliers (Intel, AMD, Asian suppliers), and various other hardware and software suppliers. Some of these suppliers are located in other countries, where there is up to six weeks’ lead time for receiving component parts. Suppliers are continually improving their own products and enter into discussions with the Company about changes to the product range to incorporate them. As such, there are two forces in product development: the customer and the supplier.
Generally, Softies builds to order but holds a minimal amount of laptop inventory available to satisfy customers’ immediate needs. However, the Company does hold component stock. The Company does not develop its own software for inclusion in the laptops; instead, it purchases all software from several vendors for preloading on the laptops, and the cost of that software is simply a pass-through from the Company to the end customer.

Sales

Sales of the laptops are made through a commissioned sales force (Company employees) with variable commissions that may change based on the product being sold.
Sales are made under the Softies Computers brand name, sometimes with retailer-designated packaging. Sales are recognized when goods are dispatched. There are currently six key retail customers that make up 60% of the Company’s sales, and there are no export sales.

IT Environment

Softies uses SAP software in an enterprise resource planning (ERP) environment, which integrates all data and processes within the organization into a unified system, aside from the use of an internally developed application, Firsthand, to manage production and inventory.
SAP runs on a UNIX server, while Firsthand runs on a Windows server. Both applications allow personnel to connect to them from Windows client workstations. The Company has a website (where customers can place orders) which is linked to the ERP system. The website is also linked to credit card companies (to obtain authorization from the bank). The Company has a firewall system and an intrusion detection system to secure these transactions. Softies is the sole occupant of a modern one-story building in an industrial park.
The building is secured through locks controlled by an electronic badge reader system. The building is also protected by security and fire alarm systems that are connected to the police department and fire department, respectively. The SAP and Firsthand servers, along with the other key network servers, are housed in a specially constructed computer room within the facility. This room has one door, which is protected by a lock controlled by the badge reader system. The badge reader system logs all access to the door.

Audit Strategy and Approach

Softies Computers (“Softies” or the “Company”) has engaged our firm to perform an audit of its financial statements for the year ending December 31, 2008. Our audit approach requires that we perform a risk-based audit in which the amount of substantive testing we perform is contingent on how effective the Company’s internal controls are, the risk of the environment the Company is operating in, and the amount of risk the firm is willing to accept for issuing an improper audit opinion (i.e., the Audit Risk Formula: Audit Risk = Control Risk x Inherent Risk x Detection Risk). Our audit strategy includes the following steps:

1. We identified the significant business processes that affect the significant accounts, disclosures and related assertions for the financial statements. (Appendix 2)
2. For each significant process, we identified the “threats” in the processing stream and where data errors could occur in processing transaction types that would have an impact on the financial statements.
These are the points where controls are needed to prevent or detect those errors. (Appendix 3)
3. Based on the identified processes, the threats and the control table, Softies’ IT general controls environment was assessed throughout the audit period (as opposed to at a single point in time). (Appendix 4)
4. When IT general controls issues or exceptions were found, each was analyzed to determine the potential impact on the financial statement audit via the application and IT-dependent manual controls relying on those IT general controls.

Our tasks for this case

Q1:

A. Classify each of the following controls into one of the three categories: IT General Control; Application Control; IT-Dependent Manual Control.
- Overdue receivable accounts are reviewed by the Credit Manager.
- The system requires all shipments to have a complete and valid sales order number.
- Bank reconciliations are prepared by the Receivables Clerk and reviewed timely by the Controller.
- Physical access to the server room is restricted.
- The system allows the Purchasing Manager to approve component purchases only up to $15,000.

B.
Classify each of the following IT general controls into one of the three categories: Manage System and Application Changes; Logical Access; Other IT General Controls: Operations Controls.
- HR communicates all employee terminations to the administration team for access removal.
- A request to change an existing program or develop a new program must be submitted in writing and be approved by management.
- An intrusion detection system (IDS) monitors activity on the firewalls and web servers. Unusual activity is communicated on a real-time basis to the Network Operations Center, which is then responsible for taking appropriate follow-up action on identified incidents.
- SAP requires that all passwords be at least eight characters long and contain at least one uppercase letter and one number.
- Only members of the production control team are allowed to migrate (move) items into the production (live) environment.

Q2: As a result of the IT general control issues and exceptions noted in the case study, the audit team has determined that the functioning of the SAP application controls and IT-dependent manual controls may no longer be fully relied upon, and we must change the audit strategy to rely less on Softies’ internal control environment. Thus, the audit team has decided to substantively test some of the sales transactions.
The following information (simplified for case purposes) was obtained from the SAP system. Please identify at least three suspicious transactions that should be investigated and indicate how they could be related to a breakdown in the SAP IT general controls noted in the case. Remember, as a general rule, IT general control issues and exceptions do not directly result in financial statement misstatements or fraud. The misstatement or fraud may result from a breakdown in application controls or IT-dependent manual controls that was caused by the related breakdown in IT general controls.
IT Controls Overview

It is important to understand the differences between two key auditing terms dealing with IT controls: IT general (or process) controls and application controls. IT general controls are those which ensure that a client’s IT systems operate correctly. These controls primarily focus on ensuring that changes to applications are properly authorized, tested, and approved before they are implemented, and that only authorized persons and applications have access to data, and then only to perform specifically defined functions. Application controls are automated controls that apply to the processing of individual transactions. They include such controls as edit checks, validations, calculations, interfaces, and reporting. Application controls are prevalent throughout a client’s business.
In many situations, we also identify manual controls, which are often detective in nature, that rely upon computer-produced information. We refer to these as IT-dependent manual controls. In such situations, we consider not only the sensitivity of the control, but also whether there are controls over the completeness and accuracy of the computer-produced information. For example, management reviews a monthly variance report and follows up on significant variances. Because management relies on the computer-produced report to identify and generate the variances, we also expect that there are IT general controls in place to ensure that the variance report is complete and accurate.
Both IT-dependent manual and application controls have the same objective, which is to provide reasonable assurance that all transactions are valid, properly authorized and recorded, and are processed completely, accurately, and on a timely basis. The difference is that application controls are automated, while IT-dependent manual controls are not; they rely on computer-produced information.

IT General Controls Overview

The effectiveness of IT general controls, primarily program change and logical access controls (data and file access controls), influences our ability to rely on application controls, IT-dependent manual controls, and electronic audit evidence. The following provides an overview of the three IT general controls discussed in this case: Manage System and Application Changes, Logical Access, and Other IT General Controls: Operations Controls.
Manage System and Application Changes

Process: Maintain IT Procedures for Acquisition, Development or Major Changes to Application Software

Objectives: Controls provide reasonable assurance that:
- Application and system software are acquired or developed to effectively support financial reporting requirements.
- Policies and procedures that define required acquisition and maintenance processes have been developed and are maintained.

Rationale: Acquiring and maintaining system and application software includes the design, acquisition/building, and deployment of systems that support the achievement of business objectives. This process includes major changes to existing systems.
This is where controls are designed and implemented to support the initiating, authorizing, recording, processing and reporting of financial information and disclosures. Deficiencies in this area may have a significant impact on financial reporting and disclosures. For instance, without sufficient controls over application interfaces, financial information may not be complete or accurate. Policies and procedures include the System Development Life Cycle (SDLC) methodology, the process for acquiring, developing and maintaining applications, as well as required documentation. For some organizations, these include service level agreements, operational practices, and training materials.
Policies and procedures support an organization’s commitment to performing business process activities in a consistent and objective manner.

Process: Install & Accredit Systems (Testing)

Objective: Controls provide reasonable assurance that systems are appropriately tested and validated prior to being placed into production, and that associated controls operate as intended and support financial reporting requirements.

Rationale: Installation, testing and validation relate to the migration of new systems into production. Before such systems are installed, appropriate testing and validation must be performed to ensure that systems are operating as designed.
Without adequate testing, systems may not function as intended and may provide invalid information, which could result in unreliable financial information and reports.

Process: Manage Changes

Objective: System changes of financial reporting significance are authorized and appropriately tested before being moved to production.

Rationale: Managing changes addresses how an organization modifies system functionality to help the business meet its financial reporting objectives. Deficiencies in this area could significantly impact financial reporting objectives. For instance, changes to the programs that allocate financial data to accounts require appropriate approval and testing prior to implementation to ensure classification and reporting integrity.
Typical activities that occur in controlling system and application changes include:
- Obtaining authorized requests for new systems development or for authorized changes to existing systems
- Categorizing and prioritizing authorized and approved requests
- Implementing or modifying the technology infrastructure to support solutions
- Managing the acquisition or modification of solutions and infrastructure
- Installing and certifying the solution or modification, including developing test approaches and plans, executing the testing, conducting user acceptance testing, approving the solution for use in production, and executing established procedures for migrating programs into production
- Performing post-implementation reviews and follow-up
- Establishing procedures for emergency system modifications
- Monitoring the procedures and controls related to the process

Logical Access

Process: Acquire and Maintain Technology Infrastructure/Configuration

Objective: Technology infrastructure is acquired so that it provides the appropriate platforms to support financial reporting applications. IT components (as they relate to security, processing, and availability) are well protected, would prevent any unauthorized changes, and assist in the verification and recording of the current configuration.

Rationale: The process of acquiring and maintaining technology infrastructure supports applications and communications.
Infrastructure components, including servers, networks, and databases, are critical for secure and reliable information processing. Without an adequate infrastructure, there is an increased risk that financial reporting applications will not be able to pass data between applications, that financial reporting applications will not operate, and that critical infrastructure failures will not be detected in a timely manner. Configuration management ensures that security, availability, and processing integrity controls are set up in the system and maintained throughout its life cycle. Insufficient configuration controls can lead to security and availability exposures that may permit unauthorized access to systems and data and impact financial reporting.
Process: Ensure Systems Security

Objective: Financial reporting systems and subsystems are appropriately secured to prevent unauthorized use, disclosure, modification, damage, or loss of data. Only authorized persons have access to data, and only to perform specifically defined functions (i.e., segregation of duties).

Rationale: Managing systems security includes both physical and logical controls that prevent unauthorized access. These controls typically support authorization, authentication, nonrepudiation, data classification, and security monitoring. Deficiencies in this area could significantly impact financial reporting and disclosures. For instance, insufficient controls over transaction authorization may result in inaccurate financial reporting.