SOFTWARE PROGRAM INC.
IT Audit and Assurance
Question 1 – Provide a brief description of the audit process required to satisfy the auditing of IT controls over financial reporting.
The following is a brief description of the audit process that can be used to audit Software Program Inc. The steps follow the COBIT 5 framework, and the emphasis is on a risk-based evaluation of systems and processes.
The audit is accomplished in three phases:
1. Planning the scope of the audit and assurance activity
a. Audit subject – Software Program Inc., a provider of office productivity software, including word processing, spreadsheet and presentation applications. Its key stakeholders include:
I. Audit Committee / Executive Management
I am assuming that the organization does not yet have a board, as it has not gone public; therefore executive management functions as the audit committee. If a board were in place, the audit committee and executive management would need to be distinguished.
• Francis Vert – CIO of Software Program Inc.
• Mikhail Dobrasky – CFO of Software Program Inc.
• Hy Fenation – Director of IT Audit
• Dalton Walton – Engagement Manager
Their need is assurance that effective internal controls are in place, that these controls comply with applicable regulations and the organization's own guidelines, and that the information systems are secure.
II. Business Owners
Their need is to review and manage the performance of their individual business processes and applications.
b. Audit objective
i. To provide reasonable assurance on the reliability of financial reporting by ensuring that the information technology controls are implemented effectively, comply with the requirements of the US Sarbanes-Oxley Act of 2002 and are aligned with organizational policies. Further, to provide assurance that the relevant risks have been assessed and that steps have been taken to mitigate them.
ii. To provide reasonable assurance regarding the underlying processes that generate the financial reporting, including the systems that hold financial data, the batch processing systems, license management, etc.
c. Identifying the enablers and organizational resources
i. Principles, policies and frameworks
Software Program Inc.'s policies and principles are derived from the Sarbanes-Oxley Act of 2002. In addition, there are organizational processes relating to security and risk management.
The framework of choice is COBIT 5, which sets the guidelines for the organization and helps to:
• manage critical functions such as incident and problem management
• manage new programs and initiatives
• deal with change management issues
• manage potential risks
ii. Organizational structure
• Includes the structure and reporting relationships across the various departments within the organization, such as IT, finance, operations, etc.
• Based on the objective of the audit, some departments may be audited more rigorously than others
iii. Applications and technical infrastructure
• Various applications such as administrative systems, finance systems, payment integration and online shopping sites. These systems and their architecture must be reviewed to identify the applications that need more testing than others
iv. People, skills and competencies
• Key people and their access to the various systems
• The definition of roles, the skill sets and the day-to-day activities
2. Performing fieldwork
a. Pre-audit planning:
i. Conduct a risk assessment of the various assets, taking into account the potential risk each presents to the organization. (The risk assessment is presented in the response to Question 2.)
ii. Further planning includes:
– Technical skills and resources needed
– Budget and effort needed to complete the engagement
– Locations or facilities to be audited
– Roles and responsibilities within the audit team
– Time frame for the various stages of the audit
– Sources of information for test or review, such as functional flowcharts, policies, standards, procedures and prior audit work papers
– Point of contact for administrative and logistics arrangements
b. Implementation of the audit process:
i. Compliance testing
ii. Substantive testing
(These concepts are explained in the response to Question 3.)
3. Communication of the results to management:
The audit team must present the key findings to management, highlighting the gaps and the instances of non-compliance with regulations or guidelines, and must substantiate each finding with sufficient evidence. Further, they should provide a risk assessment of the findings and suggest controls and approaches to mitigate the risks.
Question 2 – Based on the presentations by the Software Program executives, perform a risk assessment of the infrastructure and applications to identify the processes that need to be included in the audit
The risk assessment is as follows:
1. Batch processes handle invoicing and the generation of checks. Failure to meet their intended objectives can result in a significant loss of revenue in addition to reputational damage with customers. Hence, they can be categorized as high risk.
2. Site licensing mechanism – 40 percent of sales revenue comes from site licenses. One of the key functions of this mechanism is to ensure that customers do not exceed their licenses. Failure of this mechanism allows customers to keep using the products even with an expired license and thereby directly reduces the organization's revenue. Therefore, it can be considered high risk.
3. Support contracts can be for one, two or three years and include future upgrades. We therefore need reasonable assurance that sales from these multi-year contracts are calculated accurately and recorded correctly in the data file. This mechanism represents 35 percent of sales, and its failure impacts revenue directly. Hence, it is also high risk.
4. The accounting system is a purchased online application with a MySQL database. It is responsible for online entry of inventory, receivables, payables, payroll and internal sales. Since multiple systems consume this data, including those used for financial reporting, errors in the database in the form of redundant or inconsistent records can be catastrophic. Hence, it is high risk.
5. Since 10% of sales are accounted for by the data file generated by the digital stream, the integrity of the data in that file must be checked. This can be categorized as medium risk.
Question 3 – Explain to Hy the process of evaluating control design and operating effectiveness.
Evaluation of control design and operating effectiveness is accomplished in two stages. First, the design of each control is evaluated: the auditor walks through the process and inspects the control documentation to determine whether the control, if it operated as described, would meet the business objective and address the risk it was put in place for. Second, operating effectiveness is evaluated: the auditor tests whether the control actually operated consistently over the audit period, using inquiry, observation, inspection of evidence and reperformance. This second stage is what the CISA Review Manual calls compliance testing: determining whether controls are being applied in a manner that complies with management's policies and procedures. Substantive testing is different in kind. It substantiates the integrity of the actual processing, such as the accuracy of the transactions and balances in the data file, and the amount of substantive testing required depends on the results of the compliance tests: where controls prove weak, more substantive work is needed.
The following is a good example of compliance testing:
• The digital stream that processes payments must comply with the PCI DSS. To test this, the relevant logs can be collected and reviewed with suitable tools to confirm that the required controls operated.
Similarly, an instance of substantive testing is as follows:
• The data generated in the data file from the digital stream must be checked for consistency and integrity using automated tools, CAATs or utility software, for example by recomputing totals and comparing them with the recorded values.
Question 4 – Identify the processes you believe should be included in the evaluation of control design and operating effectiveness.
The following processes should be included in the evaluation of control design and operating effectiveness.
Any deviation or discrepancy from the normal functioning of the systems or controls should be evaluated and reviewed rigorously in order to assess the risks related to it, and the appropriate level of management should be informed. This can be accomplished by the following processes:
1. Use of computer-assisted audit techniques (CAATs)
Audit tests can be performed with tools that examine a sample of transactions and identify logical errors.
2. BCP and DR – ensuring that a business continuity plan and a disaster recovery plan are in place
3. Vendor assessments – verifying whether the vendor is meeting its SLAs (relevant here because the accounting system is a purchased application)
4. Reperformance – the auditor's independent execution of procedures or controls that were originally performed as part of the entity's internal control, either manually or using CAATs
5. Automated collection of data:
Sample data can be collected and tested using CAATs such as generalized audit software (GAS) and utility software.
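As an added illustration of items 1, 4 and 5 above and of the substantive-testing example in Question 3, the Python script below performs a simple CAAT reperformance test over a sales data file. It is example code written for this page, not code from Software Program Inc. or the CISA Review Manual. The file layout, the field names, the invoice values, the batch header control total and the audit date are all constructed for illustration; the real export format is not known from the case. The script recalculates each invoice amount from contract years and annual fee, detects duplicate invoice numbers, flags licenses that have expired but are still marked active, and reconciles the file total against the batch header total.

```python
"""CAAT reperformance test over a constructed sales data file (added example)."""
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed sample export. Layout, field names and values are assumed for
# illustration only; they are not Software Program Inc.'s actual file format.
SAMPLE_DATA_FILE = """\
invoice_id,customer,product,contract_years,annual_fee,reported_amount,license_expiry,license_active
INV-1001,Acme Corp,Site License,1,12000.00,12000.00,2016-12-31,Y
INV-1002,Beta LLC,Support Contract,3,4000.00,12000.00,2018-06-30,Y
INV-1003,Gamma Ltd,Support Contract,2,4000.00,12000.00,2017-06-30,Y
INV-1003,Gamma Ltd,Support Contract,2,4000.00,8000.00,2017-06-30,Y
INV-1004,Delta Inc,Site License,1,15000.00,15000.00,2015-03-31,Y
INV-1005,Eps GmbH,Support Contract,1,4000.00,4000.00,2016-09-30,N
"""
# Control total from the batch header that accompanied the file (assumed value).
BATCH_HEADER_TOTAL = Decimal("55000.00")
# Date as of which license expiry is evaluated (assumed).
AUDIT_DATE = date(2016, 4, 15)


def parse_records(text):
    """Parse the CSV export into typed rows. Decimal avoids float rounding on money."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice_id": row["invoice_id"],
            "customer": row["customer"],
            "product": row["product"],
            "contract_years": int(row["contract_years"]),
            "annual_fee": Decimal(row["annual_fee"]),
            "reported_amount": Decimal(row["reported_amount"]),
            "license_expiry": date.fromisoformat(row["license_expiry"]),
            "license_active": row["license_active"] == "Y",
        })
    return rows


def reperform_amounts(records):
    """Independently recompute each amount (years x annual fee) and flag mismatches."""
    findings = []
    for r in records:
        expected = r["annual_fee"] * r["contract_years"]
        if expected != r["reported_amount"]:
            findings.append(("AMOUNT_MISMATCH", r["invoice_id"],
                             f"reported {r['reported_amount']} vs recomputed {expected}"))
    return findings


def check_duplicates(records):
    """Flag invoice numbers that occur more than once (possible double billing)."""
    seen, findings = set(), []
    for r in records:
        if r["invoice_id"] in seen:
            findings.append(("DUPLICATE_INVOICE", r["invoice_id"],
                             "invoice_id appears more than once"))
        seen.add(r["invoice_id"])
    return findings


def check_expired_licenses(records, as_of):
    """Flag licenses still marked active although their expiry date has passed."""
    return [("EXPIRED_LICENSE_ACTIVE", r["invoice_id"],
             f"license expired {r['license_expiry']} but still active")
            for r in records if r["license_active"] and r["license_expiry"] < as_of]


def file_total(records):
    """Sum of reported amounts in the file, used for control-total reconciliation."""
    return sum((r["reported_amount"] for r in records), Decimal("0"))


def reconcile_control_total(records, header_total):
    """Compare the file total with the batch header total supplied with the file."""
    total = file_total(records)
    if total != header_total:
        return [("CONTROL_TOTAL_MISMATCH", "*",
                 f"file total {total} vs batch header {header_total}, "
                 f"difference {total - header_total}")]
    return []


def run_caat(text, header_total, as_of):
    """Run all tests and return findings as (code, invoice_id, detail) tuples."""
    records = parse_records(text)
    return (reperform_amounts(records)
            + check_duplicates(records)
            + check_expired_licenses(records, as_of)
            + reconcile_control_total(records, header_total))


if __name__ == "__main__":
    for code, inv, detail in run_caat(SAMPLE_DATA_FILE, BATCH_HEADER_TOTAL, AUDIT_DATE):
        print(f"{code:<24} {inv:<9} {detail}")
```

On the constructed sample the script reports one recomputation mismatch and one duplicate for INV-1003, one expired-but-active license for INV-1004, and a control-total difference of 8000.00 that equals the duplicated record, which is the kind of lead an auditor would trace back to source documents before reporting it. On a real engagement the same checks would be run over the full population or a statistically selected sample, and each finding would be documented as audit evidence.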
CISA Review Manual, 2016 Edition