Action Items

1. Read the article below: Information Systems and Internal Control.
2. Write: Develop a bulleted list of 2 issues or best practices that you identified based on your reading of this article and how it may impact you while performing in an accounting position.

Information Systems and Internal Control.:

G1.02 Key Risk Factors

Key risk factors for Information Systems and Internal Control include the following:

• Controls may be designed for processes that are later changed though the introduction of new systems, resulting in the subsequent failure of those controls.
• Automated controls may be turned off in an effort to reduce manual intervention, resulting in erroneous transactions being processed by the system.
• Business process owners and upper management may fail to take action to mitigate technology risks because such risks are not presented in a nontechnical business context.
• Auditors may fail to uncover critical control weaknesses due to a lack of understanding of the technologies used and the inherent risks associated with them.
• Laws and regulations may be unknowingly violated because of a lack of knowledge of how certain customer data is subject to a higher standard of protection.

G1.03 Background

The evolution of computer technology is remarkable. It is common today for office workers to have networked computers on their desks, mobile devices in their pockets, notebook computers to take with them on business trips, wireless connectivity to the office, and Internet and e-mail functionality built into all of these devices. The lower cost of hardware and the convenience of the technology have created an insatiable demand for computing solutions to fit the needs of business.

The rapid pace of change within the IS industry complicates the task of auditing information systems. New technologies often introduce new risks. Today's innovations can become obsolete tomorrow. For this reason, this chapter focuses on broad concepts of internal control within the IS environment. Although certain products are discussed here, internal auditors should gain a solid understanding of the IS environment within their company.

Internal audit departments have always had a chronic shortage of IS auditors, and this is unlikely to change anytime soon. Generally, IS professionals have not gravitated toward the internal audit profession because more challenging and financially rewarding opportunities exist in systems development, systems security, and database management. Due to supply and demand issues and limitations on the number of IS professionals who are well versed in control concepts like COSO and COBIT, internal audit departments cannot always attract sufficient talent. Because of this reality, chief audit executives must develop alternative means to ensure an appropriate level of IS audit coverage.

As the auditing profession continues to try to do more with less, technological advances may overwhelm those audit departments that have not prepared adequately. Computer viruses and other malicious code are being introduced on a weekly basis. Hackers now gain access to computer systems that were thought to be impervious. Million-dollar transactions are routinely carried out via the Internet. Companies are betrayed by employees who sabotage the systems they were entrusted to develop. Despite this gloomy assessment, chief audit executives have tools they can use to address the risks of the new technology.

The foundation for adequate audit coverage of IS risks is technological competence. If the audit department does not have such competence, or does not anticipate recruiting it in the near term, other alternatives must be considered. The chief audit executive may need to recruit from the company's existing IS expertise, such as a rotational assignment on specific audit engagements. By tapping the company's internal IS resources, the chief audit executive may be able to meet short-term audit requirements. Another alternative is to retain the services of an outside service provider, such as one of the Big Four accounting firms or a specialized professional services firm that does not perform financial statement audits. The latter can offer certain cost advantages as well as avoiding conflict of interest and independence issues. The cost of any such outsourcing, sometimes referred to as co-sourcing, will need to be balanced against the risks of the computing environment in question. Although the fees charged by such organizations may at first glance appear prohibitively expensive, given the high cost of training and retaining professionals with hard-to-find skills that must be continuously maintained, it is often cheaper to co-source specific with third party providers than cultivate and maintain these skills internally. Audit departments can also better leverage the cost of bringing in these outside consultants by assigning an internal auditor as a liaison. The assigned internal auditor can expedite the gathering of evidence, thereby reducing the level of effort for the higher-paid consultant, while shadowing these specialists to learn how to perform these technical audits internally.

Practitioner's Tip: Buying Computers

For prospective purchasers of desktop or notebook computers, making the right choice has generally come down to two decision points. The first is whether to buy a top-of-the-line brand name or one that is known more for its economical pricing. When making such a decision, one should carefully weigh the total cost of ownership (TCO). You may save money on the initial purchase, but support issues also factor into the cost equation. If you are a large shop and will require dozens if not hundreds of computers, then support can become a very significant issue, especially when you consider productivity losses when auditors cannot access the data on their desktop or notebook computers. Compatibility between devices can also become more problematic when dealing with lesser known second-tier machines. The second factor to consider is whether to lease or buy. More and more, organizations are choosing to lease computers in order to remain technologically up to date. This is not just a matter of wanting to have cutting-edge equipment. There are also many practical reasons for periodically refreshing equipment. As new business systems and client software are rolled out, incompatibilities with older equipment can result in serious performance issues, including system response time and stability. It is usually asking for trouble to load just-released software on a four- to five-year-old machine. Again, this is where TCO comes into play. If you try to squeeze an extra two years of life out of that three-year-old machine, you will pay several times that amount in loss of productivity and increased support costs.