ACC 626 Term Paper KiengIv

8/11/2019 ACC 626 Term Paper KiengIv

1/31

UNIVERSITY OF WATERLOO SCHOOL OF ACCOUNTING AND FINANCE

ACC 626 Term PaperInforma!on e"#no$o%& !mpa" on

a''(ran"e en%a%emen) Impa" of

Sar*ane' O+$e&) Inerna$ Conro$' an,

O('o(r"!n%

Kieng Iv 20233702

6/30/2011

Abstract:

Information technology has created risks for businesses and auditors such as segregation of duties,complex revenue streams and computer crimes. C-suite executives should understand the impact thatinformation technology can have on their businesses. The profession and businesses manage these risks

through experts, frameworks, information technology tools and access management. There are newinformation technology tools, such as cloud computing, that need to be addressed by auditors becausethey create implications for internal controls and security of the business. This is something that is notcurrently addressed by the profession but must be addressed in order to meet the needs of their clients.


2/31

Table of ContentsIntroduction.................................................................................................................................................. 1

Information Technology Risk........................................................................................................................1

Managing Information Technology Risk.......................................................................................................4

Sarbanes Oxley Impact...............................................................................................................................

Outsourcing Information Technology........................................................................................................ ...!

"onclusion................................................................................................................................................. 1#

$ork "ited................................................................................................................................................. 11

%nnotated &ibliography.............................................................................................................................. 1'


3/31

Introduction

Information technology has re(olutioni)ed the business *orld through ho* it operates and inno(ates+

ho*e(er, the same technology has also created many risks *ithin the business *orld and should be a

main concern for "-suite executi(es. Information systems permeate all areas of organi)ations,

differentiate them in the marketplace, and consume increasing amounts of human and financial capital./1

The same information technology has had a per(asi(e impact on audit risk for internal and external

auditors. %uditors and the profession manage this relati(ely ne* risk in (arious *ays such as use of frame

*orks, assistance from specialists and information technology tools. This risk has increased significantly

due to the Sarbanes Oxley %ct 0##0. Sarbanes Oxley has had significant impact on internal controls and

internal control reporting, and it has increased the risk of outsourcing information technology processes.

This paper *ill also identify areas of risk *ith outsourcing information technology, sho* ho* the business

community manages that risk, and *ill identify any gaps not currently addressed that *ill need to be

addressed by the accounting profession.

Information Technology Risk

% sur(ey done by "omputer "rime and Security has sho*ed that 42 of unauthori)ed access *as

performed by insiders *ithin a company.0Insiders ha(e access to and kno*ledge of the system that is not

as readily a(ailable to outsiders. 3mployees can also damage the organi)ation through unintentional

means such as deleting important files, opening emails *ith (iruses, and other such accidental acts. To

mitigate the risk of intentional and unintentional damage, organi)ations need effecti(e access

management. Segregation of duties built into non-information technology processes need to be

implemented in the information technology en(ironment. $ith the use of information technology, capital

has replaced human capital in many traditional functions *ithin the *orkplace+ ho*e(er, the same

segregation of duties reuirements is still needed. %n example of this is the posting of 5ournal entries.

6rior to information technology, there may ha(e been the need to ha(e many accounting clerks to

manage all the 5ournal entries of the organi)ation+ nonetheless, *ith automated functions, the need for

accounting clerks is reduced. This is only an issue *hen functions need to be segregated. $ith fe*er

employees, organi)ations ha(e to ensure that no employee has too much access and this is easy to

1&orit), 3frim 7. 8Introduction to Internal "ontrol and the Role of Information Technology.8ComputerControl & udit !uide. 1th ed. $aterloo9 "entre for Information Integrity and Information Systems

%ssurance, 0#11. '-04. 6rint.0 Sillto*, 7ohn. 8Shedding :ight on Information Technology Risks.8 Internal uditor;ecember. $eb. 1 7une 0#11.?http9@@*eb.ebscohost.com.proxy.lib.u*aterloo.ca@ehost@pdf(ie*er@pdf(ie*erAsidB0fe1fd#'-'a4'-4b'd-a'f-4#db'4e4#c24#sessionmgr4C(idBDChidB1DE.

1


4/31


5/31

assertion that auditors need to test. One of the ma5or differences bet*een brick and mortar and online

sales is the collectability of the economic benefits. If an entity does not (alidate the method of payment for

online sales then fictitious transactions could be processed and re(enue could potentially be o(erstated+

ho*e(er, *ithout understanding the information technology en(ironment, auditors and the company *ould

not kno* that the re(enue cannot be recorded due to collectability issues until much later.

It is difficult to assess completeness and occurrence *ithout thorough understanding of controls for online

ad(ertising and other purely electronic re(enue streams such as (ideo games. Hor example, if re(enue is

recogni)ed *hen ad(ertisements are clicked on a *ebsite, then in order to capture *hen re(enue is

earned, the underlying information system has to capture the instances *hen ad(ertisements are clicked.

It is not enough to assess re(enue earned by the information captured by the system. %nother example is

if the batch transfer or the real-time transfer is corrupted or ne(er reaches the internal systems *hen

ad(ertisements are clicked, then the internal system *ill be inaccurate and the re(enues *ill be

misstated. This increases the risk of material misstatements to a greater extent than if there *ere noonline re(enue streams.

ot only does information technology increase the risk of material misstatement through complex re(enue

streams, accounting errors occur more often *hen there is information technology control deficiencies.

"ompanies *ith more information technology control deficiencies pay a higher audit fee and generally

employ smaller accounting firms.D:astly, auditors could issue the incorrect opinion if they do not

understand ho* the information technology impacts the business and this could lead to loss of reputation

and legal issues.

One of the top risks listed in the 0#1# Internal %udit "apabilities and eeds Sur(ey *as ability to assess

information technology risk, *hich also topped the list in 0##>. %lso high on the list is certification

standards for "O&IT. Managing director of 6roti(iti, Scott Jraham, stated that auditing information

technology processes and acti(ities should be one of the highest priorities in internal audit departments

gi(en that information technology enables (irtually all business functions/.!The Institute of Internal

%uditing has responded *ith this risk by introducing six standards co(ering topics including assessing

information technology go(ernance.

O(erall, there are many implications that information technology has created for the audit and the

businesses that utili)e information technology.

Jrant, Jerry G., Karen ". Miller, and Hatima %lali. 8The 3ffect of IT "ontrols on HinancialReporting.8 "anagerial uditing #ournal0'.! May 0#11.?http9@@***[email protected]*BpdfE.DIbid! 7aeger, 7aclyn. 8Sur(ey9 IT Risk, IHRS Top Internal %uditorsF $orries.8 $urvey% IT isk, I'$ TopInternal uditors( )orriesD.DD 4e-d!0f-4eDc-b4D-af4104#f!424#sessionmgr1CbdataB7npdJL>$h(c'NtbJl0S)0>*T1)aPRlQdbBbthC%B0!01E.

'


6/31

Managing Information Technology Risk

Information technology has increased audit risk and auditors had to address this risk by using information

technology specialists and information technology tools. The II% has pro(ided lots of material and training

to address the information technology issues *ithin internal audit. %s *ell, frame*orks such as "O&IT,

"OSO and IT"J ha(e pro(ided guidance for auditors to use in order to assess clientFs information

technology controls. :astly, %I"6% has clearly established that auditors are responsible for understanding

the role of information technology in the clientFs business.>

%I"6% has ad(ised auditors to consider using computer-related audit procedures, including information

technology specialists, *hen they obtain an understanding of client internal controls during audit

planning/.1#In a study done in the 7ournal of Information Systems, it *as found that 42 of sampled

engagements information technology specialist *ere used.11Information technology specialists are

generally in(ol(ed in the planning and performance of information technology controls testing to reduce

audit risk. The more complex the computer en(ironment, the more important it is to get an information

technology specialist in(ol(ed *hen performing an audit. %t ;eloitte, it is no* reuired to ha(e an IT

specialist in the audit planning at least e(ery three years because of the gro*ing importance of

information technology *ith the clientsF en(ironment produces the need to reduce the information

technology risk.10

The use of information technology specialist allo*s auditors to test sophisticated information technology

processes. Referring back to the example *ith electronic transfers, if an information technology specialist

is used, then the underlying system controls can be (erified *hether or not there is segregation of duties

issues and if there are unauthori)ed disbursements. %s *ell, online re(enue streams can be tested more

effecti(ely if the controls of the system are tested by information technology professors to (erify the

completeness and occurrence of those re(enue streams. Testing controls is not only necessary for these

complicated transactions, but also reduces the amount of substanti(e testing needed and creates audit

efficiencies.

>&edard, 7ean "., "ynthia 7ackson, and :ynford Jraham. 8Information Systems Risk Hactors, Risk%ssessments, and %udit 6lanning ;ecisions.8 $eb. 0! Mar. 0#11.

?http9@@aaah.org@audit@midyear@#'midyear@papers@Systems20#Risk20#Hactors20#and20#%udit20#6lanning20##>-1!.pdfE.1# 7ar(in, ;iane, 7ames &ierstaker, and 7ordan :o*e. 8%n In(estigation of Hactors Inuencing theLse of "omputer-Related %udit 6rocedure.8 #ournal of Information $ystems0' =9 1-00. $eb. 0'7une 0#11. ?http9@@***.bus.iastate.edu@d5an(rin@acct4!4!4@readings@#20#100-'.pdfE.117ar(in, ;iane, 7ames &ierstaker, and 7ordan :o*e. 8%n 3xamination of %udit Information TechnologyLse and 6ercei(ed Importance.8ccounting *ori+ons00.1 4e-d!0f-4eDc-b4D-af4104#f!424#sessionmgr1C(idBChidB1DE.106ryce, 7im. 8%"" 0 ;eloitte 6artner Inter(ie*.8 #' May 0#11. 3-mail.

4


7/31

In the past, !#2 of data files *ere processed using flat files and only 0#2 using databases. Go*e(er,

those percentages ha(e changed and no* !#2 of data files are processed using databases. The

implication is that record retention is not as clear, and as a result, audit trails are more complex or do not

exist in physical form.1'In order to obtain sufficient appropriate audit e(idence, computer assisted audit

techniues may be needed in situations such as the absence of input documents Hinancial auditors are reuired to gain an understanding of the

8entity and its en(ironment8 to ascertain the risk of material misstatement associated *ith that aspect of

the financial statements, and the "OSO model is extremely (aluable as a tool to comply *ith this

standard./0#"OSO pro(ides guidance on general, application, and physical controls. Jeneral controls

are controls that in general affect the computer systems &orit), 3frim 7. 8Introduction to Internal "ontrol and the Role of Information Technology.8ComputerControl & udit !uide. 1th ed. $aterloo9 "entre for Information Integrity and Information Systems

%ssurance, 0#11. '-04. 6rint.0#Singleton, Tommie. 8The "OSO Model9 Go* IT %uditors "an Lse It to 3(aluate the 3ffecti(eness ofInternal "ontrols.8 I$C. IS%"%. $eb. 04 7une 0#11. ?http9@@***.isaca.org@7ournal@6ast-Issues@0##D@olume-@6ages@The-"OSO-Model-Go*-IT-%uditors-"an-Lse-It-to-3(aluate-the-3ffecti(eness-of-Internal-"ontrols1.aspxE.


8/31

technologies employed by the entity in performing functions


9/31

safeguard its assets, check the accuracy and reliability of its accounting data, promote operating

efficiency, and encourage adherence to prescribed managerial policies/.0"ontrols entail t*o main (ie*s,

namely the cybernetic (ie* and socio-cultural (ie*. The cybernetic (ie* is based on the principles of a

self-monitoring system. It compromises of setting goals then follo*ing up if there are any de(iations. The

socio-cultural (ie* focuses on hiring good people, training, and sociali)ing employees into the culture of

the organi)ation. $hen beha(ioural processes are readily obser(able and goals, tasks and outcomes are

*ell specified then cybernetic is better to use since control can be better monitored o(er the process. If

the re(erse is true, then socio-cultural is superior to use. Go*e(er, most organi)ations use a combination

of socio-cultural and cybernetic. In addition to the (ie*s, there are fi(e components of an internal control

system and they are control en(ironment, risk assessment process, information system, control acti(ities,

and monitoring of controls.0

Sarbanes Oxley makes executi(es accountable for e(aluating and monitoring the effecti(eness of internal

control o(er financial reporting and disclosures.0D

%uditors must also attest to managementFs internalcontrol assessment and effecti(eness of controls. %n important component of internal controls is the

information technology controls, especially in entities that use computer systems extensi(ely. Ji(en the

importance of complying *ith Sarbanes Oxley and the harsh criticism of auditors from scandals in the

early 0###Fs, information technology controls ha(e increased the audit business risk and ha(e made

information technology risk e(en more important to manage. The cost of complying is high V audit fees

are higher and one of the biggest reasons is because of IT controls.0!

%n information system audit is assessing *hether the information systems and related resources in

safeguard assets maintain system and data integrity and a(ailability, pro(ide rele(ant and reliable

information, achie(e organi)ational goals effecti(ely, and consume resources efficiently. It also assesses

*hether internal controls that pro(ide assurance that business, operational, and control ob5ecti(es ha(e

been met and *hether undesired e(ents *ill be pre(ented or detected and corrected in a timely manner.

on-financial audit fees ha(e increased from 1>2 in 1>>0 to D>2 in 0##1 *hich indicates the continual

importance of IS auditing.0>Since 1>>#, the e(olution of the IS audit professional has changed from a

07ar(in, ;iane, 7ames &ierstaker, and 7ordan :o*e. 8%n In(estigation of Hactors Inuencing the Lse of"omputer-Related %udit 6rocedure.8 #ournal of Information $ystems0' =9 1-00. $eb. 0' 7une 0#11.?http9@@***.bus.iastate.edu@d5an(rin@acct4!4!4@readings@#20#100-'.pdfE.0"I"I% "%S '1 %ppendix 19

0D;amianides, Marios. 8SOP and IT Jo(ernance e* Juidance on IT "ontrols and"ompliance.8 Information $ystems "anagement May 0#11.?http9@@*eb.ebscohost.com.proxy.lib.u*aterloo.ca@ehost@detailA(idB'ChidB1DCsidBca14f>4e-d!0f-4eDc-b4D-af4104#f!424#sessionmgr1CbdataB7npdJL>$h(c'NtbJl0S)0>*T1)aPRlQdbBbthC%B1'#4D>E.0!Golmes, Monica "., and ;arian eubecker. 8The Impact Of The Sarbanes-Oxley %ct 0##0 On TheInformation Systems Of 6ublic "ompanies.8 Information $ystemD.0 May 0#11.?http9@@***.iacis.org@iis@0##iis@6;[email protected]>

D


10/31

secondary function to professionals that pro(ide (alue-added *ork *ith auditors *ho do not

understanding the *ork performed to finally, a key component of the risk assessment process. Sarbanes-

Oxley experts agreed that IT control *as a specific area likely to produce significant deficiencies by many

companies. %s the ma5ority of internal controls are embedded in automated systems, information system

auditors ha(e become a (ital part of complying *ith the standards, guidelines, and regulations/'#

Outsourcing Information Technology

Information technology and recent regulations, such as Sarbanes Oxley, ha(e unco(ered ne* risks for

organi)ations that outsource information technology. These same ne* risks for businesses ha(e also

pro(ided ne* assurance opportunities for public accounting firms to try and manage these risks for their

clients.

Sarbanes Oxley impacts outsourcing since management must report on controls of the organi)ation and

auditors must consider the risks of ha(ing mission critical applications outside of the organi)ation. It *as

found that Sarbanes Oxley increases pre-existing risks of large-scale information technology outsourcing

on compliance.'1One of the roles of management *ithin Sarbanes Oxley is to o(ersee of the internal

controls. Internal controls must be effecti(e or management *ill suffer conseuences, since information

technology outsourcing distances the information technology operations from management both

intellectually and physically. The managementFs inability to communicate *ith (endorsF leadership, *ho

are generally offsite, makes it more difficult to assess business strategy and information technology

issues, and *ill result in a higher likelihood that internal control failures *ill go undetected. In order to

audit these risks and outsourced controls, auditors must audit the outsourced organi)ations themsel(es or

recei(e S%S D# reports. This information could be more difficult to obtain if they are offshore companies.

There is an increased number of legislations, such as the passing of the follo*ing legislations+ the Gealth

Insurance 6ortability and %ccountability %ct of 1>> >>, Sarbanes-

Oxley %ct of 0##0, Sections 4#4 and '#0. The three rulings enforce protection of pri(acy, corporate

accountability, and establishment of internal controls throughout businesses. Thus, a need *as created

in many industries for a due diligence process that can aggregate many of the principles found *ithin

these three acts and pro(ide companies *ith a high le(el of assurance and confidence *hen using

ser(ice organi)ations for outsourcing critical business functions./'0This has created the need for S%S D#

and other eui(alent reporting. The importance of information technology assurance has increased *ith

ne* regulations and this has created many ne* opportunities for auditors.

'#Ibid'1

'0 ;enyer, "harles, and "hristopher ickell. 8%n Introduction to S%S D# %udits.8 enefits /aw#ournal. $eb. 0' 7une 0#11. ?http9@@***.csb.unc*.edu@people@I(ance(ich;@classes@MS%20#1@3xtra20#Readings20#on20#Topics@S%S20#D#@Intro20#to20#S%S20#D#20#%udits.pdfE.

!


11/31


12/31


13/31

Work Cited

&edard, 7ean "., "ynthia 7ackson, and :ynford Jraham. 8Information Systems Risk Hactors, Risk

%ssessments, and %udit 6lanning ;ecisions.8 $eb. 0! Mar. 0#11.?http9@@aaah.org@audit@midyear@#'midyear@papers@Systems20#Risk20#Hactors20#and20#%udit

20#6lanning20##>-1!.pdfE.

&e(eridge, 7ohn. CIT I"/0"01TTI1 )2$*. 66T.

&orit), 3frim 7. 8Introduction to Internal "ontrol and the Role of Information Technology.8Computer Control

& udit !uide. 1th ed. $aterloo9 "entre for Information Integrity and Information Systems

%ssurance, 0#11. '-04. 6rint.

"%S '1.1'

"I"I% "%S '1 %ppendix 19

;amianides, Marios. 8SOP and IT Jo(ernance e* Juidance on IT "ontrols and

"ompliance.8 Information $ystems "anagement May 0#11.

?http9@@*eb.ebscohost.com.proxy.lib.u*aterloo.ca@ehost@detailA(idB'ChidB1DCsidBca14f>4e-d!0f-

4eDc-b4D-

af4104#f!424#sessionmgr1CbdataB7npdJL>$h(c'NtbJl0S)0>*T1)aPRlQdbBbthC%

B1'#4D>E.

;enyer, "harles, and "hristopher ickell. 8%n Introduction to S%S D# %udits.8 enefits /aw #ournal. $eb.

0' 7une 0#11. ?http9@@***.csb.unc*.edu@people@I(ance(ich;@classes@MS%20#1@3xtra

20#Readings20#on20#Topics@S%S20#D#@Intro20#to20#S%S20#D#20#%udits.pdfE.

Jrant, Jerry G., Karen ". Miller, and Hatima %lali. 8The 3ffect of IT "ontrols on Hinancial

Reporting.8 "anagerial uditing #ournal0'.! May 0#11.

?http9@@***[email protected]*BpdfE.

Golmes, Monica "., and ;arian eubecker. 8The Impact Of The Sarbanes-Oxley %ct 0##0 On The

Information Systems Of 6ublic "ompanies.8 Information $ystemD.0 May

0#11. ?http9@@***.iacis.org@iis@0##iis@6;[email protected].

11


14/31

7aeger, 7aclyn. 8Sur(ey9 IT Risk, IHRS Top Internal %uditorsF $orries.8 $urvey% IT isk, I'$ Top Internal

uditors( )orriesD.DD 4e-d!0f-

4eDc-b4D-

af4104#f!424#sessionmgr1CbdataB7npdJL>$h(c'NtbJl0S)0>*T1)aPRlQdbBbthC%

B0!01E.

7ar(in, ;iane, 7ames &ierstaker, and 7ordan :o*e. 8%n 3xamination of %udit Information Technology Lse

and 6ercei(ed Importance.8ccounting *ori+ons00.1 4e-d!0f-

4eDc-b4D-af4104#f!424#sessionmgr1C(idBChidB1DE.

7ar(in, ;iane, 7ames &ierstaker, and 7ordan :o*e. 8%n In(estigation of Hactors Inuencing the Lse of

"omputer-Related %udit 6rocedure.8 #ournal of Information $ystems0' =9 1-00. $eb. 0' 7une0#11. ?http9@@***.bus.iastate.edu@d5an(rin@acct4!4!4@readings@#20#100-'.pdfE.

6ryce, 7im. 8%"" 0 ;eloitte 6artner Inter(ie*.8 #' May 0#11. 3-mail.

Rapp, 6eet. 8%uditing the "loud.8 'inancial 0xecutiveMay CdidB0#4!>!#D1CscalingBHL::CtsB1'#>D0>0>C(typ

eB6N;CrtB'#>CTSB1'#>D''4CclientIdB1D4E.

Sayana, %nantha. 8Lsing "%%Ts to Support IS %udit.8 Information $ystems Control1


15/31


16/31


17/31


18/31

Marios Jo(ernancee*Juidance onIT "ontrolsand"ompliance

SystemsManagement

0#11 cohost.com.proxy.lib.u*aterloo.ca@ehost@detailA(idB'ChidB1DCsidBca14f>4

e-d!0f-4eDc-b4D-af4104#f!424#sessionmgr1CbdataB7npdJL>$h(c'NtbJl0S)0>*T1)aPRlQdbBbthC

%B1'#4D>

Annotation

This article discusses ho* SOP has focused companies to impro(e their internal controls and maintainan effecti(e IT en(ironment in order to be compliant. This article further discusses ho* SOP has impactedexecuti(es and IS professionals.

$ith SOP regulation, IT professionals ha(e higher expectations to gi(e timely, accurate and(isible information *hile still maintaining high le(el security of these information assets

!! percent of senior business executi(es (ie* security as a top priority and D1 percent (ie*security as a positi(e in(estment due to more continuity and efficiency

SOP makes executi(es accountable for e(aluating and monitoring the effecti(eness of internalcontrol o(er financial reporting and disclosures

SOP has increased the need for companies to ha(e strong IT controls in place

One of the main criteria of IT go(ernance is to align IT *ith the o(erall business strategy

Hortune ## companies board members hardly discuss IT during board meetings V one out of tenboards ask IT uestions, t*o out of three appro(al IT strategy and six out of se(en directors areregularly informed about IT

Annotation #6

Author Title ofArticle

Perioical/!ebsite

"ol / $o /%ition

&ear'ublishe

Pages (ateaccesse

)ocation*ata base*!ebsite* lin+

7an(in,

;iane

&ierstaker,7ames

:o*e, 7ordan

%n

3xaminationof %uditInformationTechnologyLse and6ercei(edImportance

%ccounting

Gori)ons

ol. 00

o. 1

0##! 1-01 May 0!,

0#11

http9@@*eb.ebs

cohost.com.proxy.lib.u*aterloo.ca@ehost@pdf(ie*er@pdf(ie*erAsidBca14f>4e-d!0f-4eDc-b4D-af4104#f!424#sessionm

1
http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=3&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=15304579http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&vid=6&hid=17


19/31


20/31


21/31


22/31

Jraham,:ynford

7ackson,"ynthia

%udit6lanning

%uditing Issue 0 oo.ca@ehost@detailA(idB1#ChidB1DCsidBca14f>4e-d!0f-4eDc-b4D-

af4104#f!424#sessionmgr1CbdataB7npdJL>$h(c'NtbJl0S)0>*T1)aPRlQdbBbthC

%B1!##!4!>

Annotation

In this study, *e examine client characteristics identified by external auditors for actual audit clients,*hich are rele(ant to t*o important areas of systems risk9 system security and management informationuality/

It *as found that management information uality increased *ith the number of identified riskfactors but not the same result *as found for 3;6 security

3;6 security risks are associated *ith control acti(ities

Management information uality is associated *ith the control en(ironment

SOP %ct of 0##0 emphasi)es internal control *hich information systems play a key role

Managers must assess the effecti(eness of control design and the operating effecti(eness ofcontrols in the annual report

%uditors must also attest to managementFs internal control assessment and effecti(eness ofcontrols

The common 3;6 security risk factors included system security controls, outdated systems andmanagement style@attitude

The common management information risk factors included management style@attitude andmanagement competence

It *as found that only control acti(ities risk factors are significantly associated *ith audit planningfor 3;6 security

"ontrol en(ironment affects audit planning in management information uality but not 3;6security

Annotation #11


Perioical/!ebsite

"ol / $o /%ition

&ear'ublishe

Pages (ateaccesse


"han, Sally Sarbanes-Oxley9 the ITdimension9informationtechnologycanrepresent akey factor inauditorsXassessment

0##4 http9@@findarticles.com@p@articles@mim41'@is11@ain10##@

0#
http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://findarticles.com/p/articles/mi_m4153/is_1_61/ai_n6152500/http://findarticles.com/p/articles/mi_m4153/is_1_61/ai_n6152500/http://findarticles.com/p/articles/mi_m4153/is_1_61/ai_n6152500/http://findarticles.com/p/articles/mi_m4153/is_1_61/ai_n6152500/http://findarticles.com/p/articles/mi_m4153/is_1_61/ai_n6152500/http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=10&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=18008489http://findarticles.com/p/articles/mi_m4153/is_1_61/ai_n6152500/http://findarticles.com/p/articles/mi_m4153/is_1_61/ai_n6152500/http://findarticles.com/p/articles/mi_m4153/is_1_61/ai_n6152500/


23/31

of financialreportingcontrols

Annotation

Sarbanes-Oxley %ct 0##0 presented both immediate and far-reaching compliance issues for companies,

especially in the areas of internal-control pro(isions of '#0 and 4#4. Juidance by the 6ublic "ompany%ccounting O(ersight &oard states that the nature and characteristics of a companyXs use of informationtechnology in its information system affect the companyXs internal control o(er financial reporting/.Go*e(er, this (ague guidance has audits ha(e had to pay special attention to the information technologycomponent of Sarbanes-Oxley.

The IT en(ironment must be re(ie*ed as part of the re(ie*ing of the larger control en(ironment

Some auditors ha(e found guidance through the use of "O&IT. Other guidance such as %I"6%FsS%S D#, Systrust and $ebtrust can be used for Sarbanes Oxley in a broader context

% key IT component of Sarbanes Oxley is mapping financial reporting control ob5ecti(es to ITcontrol ob5ecti(es. %n example is that authori)ation and safeguarding of assets relates to ITcontrol ob5ecti(e V ensuring information security, confidentiality and pri(acy

There are se(eral assertions related to IT controls including existence, occurrence, measurement,

completeness, accuracy, presentation and disclosure Through the examination of the IT control en(ironment, controls that donFt mitigate risks and

control *eaknesses *ill likely no longer exist after the examination There are the indirect benefit from Sarbanes Oxley of elimination of control redundancies, ser(ice

impro(ements or the identification of (alue-added pro5ects beyond compliance reuirements

Annotation #12


Perioical/!ebsite

"ol / $o /%ition

&ear'ublishe

Pages (ateaccesse


7aeger,7aclyn

Sur(ey9 ITRisk, IHRSTop Internal

%uditorsF$orries

"ompliance$eek

ol. D

Issue DD

0#1# '! May '1,0#11

http9@@*eb.ebscohost.com.proxy.lib.u*aterloo.ca@ehost@detailA(idB10ChidB1DCsidBca14f>4e-d!0f-4eDc-b4D-af4104#f!424#sessionmgr1CbdataB7npdJL>$h(c'NtbJl0S

)0>*T1)aPRlQdbBbthC

%B0!01

Annotation

This article discusses ho* IT has become e(en more important and has recei(ed more attention fromInternal %uditors. One of the top risk listed in the 0#1# Internal audit "apabilities and eeds Sur(ey *asability to assess IT risk, *hich also topped 0#1#.

01
http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/detail?vid=12&hid=17&sid=ca14f94e-d82f-4e7c-b475-a5f41240f864@sessionmgr15&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#db=bth&AN=52682551


24/31


25/31


26/31

!ebsite* lin+

Guang, Shi-Ming

Gung $ei-Gis

en, ;a(id".

"hang, I-"heng

7iang, ;ino

&uilding thee(aluationmodel of theIT generalcontrol for"6%s underenterprise

riskmanagement

;ecisionSupportSystems

ol. #

Issue #

0#11 >0-D#1 7une 1,0#11

http9@@*eb.ebscohost.com.proxy.lib.u*aterloo.ca@ehost@detailA(idB14ChidB1DCsidBca14f>4e-d!0f-4eDc-b4D-af4104#f!424#sessionmgr1CbdataB7npdJL>$h(c'NtbJl0S)0>*T1)aPRlQdbBbthC

%BD14DD>

Annotation

This paper e(aluates the Information Technology Jeneral "ontrol


27/31

InformationTechnologyRisks

oxy.lib.u*aterloo.ca@ehost@pdf(ie*er@pdf(ie*erAsidB0fe1fd#'-'a4'-4b'd-

a'f-4#db'4e4#c24#sessionmgr4C(idBDChidB1D

Annotation

This article discusses the (arious IT risk that a company can be exposed to.

% sur(ey by "omputer "rime and Security sho*s that 42 of unauthori)ed access by insiders Hinancial fraud and theft of information is the most costly crime and reuires insider kno*ledge

3mployees can also damage the organi)ation through unintentional means such as deletingimportant files, opening emails *ith (iruses, etc

To mitigate the risk of intentional and unintentional damage, organi)ations need effecti(e accessmanagement

This risk is increased if there are a large databases *ith sensiti(e information

Segregation of duties built into non-IT processes need to be implemented into the IT en(ironment

$hen e(aluating access control determine *hether or not systems allo*s common pass*ordssuch as usernames, spousesF or petsF names, etc and other pass*ord security settings

%uthori)ation of access should be examined as *ell. Security admin should not authori)e access.%ccess should be authori)ed by information o*ners.

3xternal attacks ha(e increased. Spam, *orms and (iruses are the most common type. The potential damage caused by external attacks include direct costs but also lost of reputation

Social engineering takes ad(antage of holes in peopleFs common sense

To protect against the threat of social engineering organi)ations need to educate employeesabout *hat kind of information they disclose

Organi)ations need to ensure that the right information is a(ailable to the right people at the righttime at the right place

One of the main *ays to ensure data accuracy is (alid is through field (alidation and inputcontrols

Annotation #17


Perioical/!ebsite

"ol / $o /%ition

&ear'ublishe

Pages (ateaccesse


Germanson,;ana R.

I(ance(ich,;aniel M.

;isasterReco(ery6lanning9$hat Section4#4 %udits

Management"onsulting

;ecember 0##D #-0 7une 1,0#11

http9@@content.ebscohost.com.proxy.lib.u*aterloo.ca@pdf1>00@pdf@0##

0
http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://web.ebscohost.com.proxy.lib.uwaterloo.ca/ehost/pdfviewer/pdfviewer?sid=2fe1fd03-3a43-4b3d-a36f-406db34e405c@sessionmgr4&vid=7&hid=17http://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIA


28/31

I(ance(ish,Susan G.

Re(eal D@"6%@#1;ec#D@0!#>>#.pdfATB6C6B%CKB0!#>>#CSBRC;BbthC3b

sco"ontentBdJ7yMPb4kSep!4yO(sO:"mr#meK>Sry4Sbe$x$PSC"ontent"ustomerBdJ7yM6J(tkub7Rue6fgeyx44;tfI%

Annotation

This article discusses ho* SOP 4#4 re(eals material *eaknesses in disaster reco(ery planning th, 0## there *ere 1 public companies *ithmaterial *eaknesses in internal control o(er financial reporting that *ere ;R6 related

Out of the 1# companies there *ere 1# cases *here the deficiency in(ol(ed a lack of ;R6 orbackup and reco(ery plan

There *ere companies that had issues *ith storage of backups *here backups *ere onsiterather than offsite

"6%s are also encouraged to help companies implement and build effecti(e ;R6s

"ompanies that outsource IT should be a*are that ;R6 may fall outside of S%S D#

Updated since First Submission

Annotation #1.


Perioical/!ebsite

"ol / $o /%ition

&ear'ublishe

Pages (ateaccesse


7ar(in, ;iane

&ierstaker,7ames

:o*e, 7ordan

%nIn(estigationof HactorsInuencing

the Lse of

"omputer-Related

%udit6rocedure

7OLR%:OHIHORM%TIO SST3M

0' 0##> 1-00 7une 0',0#11

http9@@***.bus.iastate.edu@d5an(rin@acct4!4!4@readings@#20#100-'.pdf

Annotation

In this article, discusses ho* computer-related audit procedures are used and ho* control risk and auditfirm si)e influence those procedures.

0
http://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdfhttp://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdfhttp://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdfhttp://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdfhttp://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdfhttp://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdfhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://content.ebscohost.com.proxy.lib.uwaterloo.ca/pdf19_22/pdf/2007/CPA/01Dec07/28099606.pdf?T=P&P=AN&K=28099606&S=R&D=bth&EbscoContent=dGJyMNXb4kSepq84yOvsOLCmr0meqK9Srqy4SbeWxWXS&ContentCustomer=dGJyMPGvtk6uqbJRuePfgeyx44Dt6fIAhttp://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdfhttp://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdfhttp://www.bus.iastate.edu/djanvrin/acct484584/readings/05%201_22-3.pdf


29/31

S%S >4 informs auditors that assessing control risk as maximum and relying only on substanti(eis not effecti(e

%uditors should rely on computer-related audit procedures including the use of IT specialists*hen planning the audit

%udit firm si)e impacts *hether or not computer-related audit procedures are used becausegenerally larger firms ha(e clients *ith more complex computer systems

4'2 of participants in this study assessed control risk belo* maximum *hen examining clients*ith complex IT en(ironments

2 of the sampled engagements used IT specialists

:ess than half of the participants used "%%Ts for substanti(e testing

Annotation #1


Perioical/!ebsite

"ol / $o /%ition

&ear'ublishe

Pages (ateaccesse


Sayana,

%nantha S.

Lsing "%%Ts

to Support IS%udit

Information

Systems"ontrol7ournal

1 0##' 1-' 7une 0',

0#11

http9@@***.isa

ca.org@7ournal@6ast-Issues@0##'@olume-1@;ocuments@5pdf#'1-Lsing"%%TstoSupportIS%u.pdf

Annotation

This article describes the *hy there is a need for audit soft*are, ho* audit soft*are benefits theassurance engagement and ho* to use "%%Ts.

There is a need for audit soft*are *hen the task is far too difficult to perform manually and it ismore efficient and@or more effecti(e to perform using audit soft*are

The auditor must design the procedures and tests. This includes understanding the businessrules of the function and ho* the application functions.

%udit soft*are can perform 1##2 audit *hich gi(es more (alidity to the conclusion gi(en

$hen first implementing an audit soft*are there can be many issues

Annotation #20


Perioical/!ebsite

"ol / $o /%ition

&ear'ublishe

Pages (ateaccesse


&e(eridge,7ohn

CITI"/0"01T

TI1)2$*. 66T.

6o*er6oint6resentation

0D
http://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdf


30/31

Annotation

These slides describe *hat "O&IT is, *ho should use "O&IT, ho* "O&IT can help auditors and ho* touse it effecti(ely.

%uthoritati(e, up-to-date, international set of generally accepted IT control ob5ecti(es and controlpractices for day-to-day use by business managers and auditors/

IT go(ernance is structure of relationships and processes to direct and control the enterprise inorder to achieve the enterprise(s goals by adding value while balancing risk versus return over ITand its processes3

If you use computer generated information, need to assess reliability

"O&IT focuses on information ha(ing integrity and being secure and a(ailable/

"O&IT pro(ides auditors an excellent *ay to structure re(ie* and audit *ork

The goals of internal controls are The design, implementation, and proper exercise of a systemof internal controls should pro(ide 8reasonable assurance8 that managementXs goals are attained,control ob5ecti(es are addressed, legal obligations are met, and undesired e(ents do not occur/

"O&IT is aligned *ith "OSO, "O"O, "adbury and King

Annotation #21


Perioical/!ebsite

"ol / $o /%ition

&ear'ublishe

Pages (ateaccesse


;enyer,"harles

ickell,"hristopherJ.

%nIntroductionto S%S D#

%udits

&enefits :a*7ournal

ol. 0#

o. 1

0##D !-! 7une 0',0#11

http9@@***.csb.unc*.edu@people@I(ance(ich;@classes@MS

%20#1@3xtra20#Readings20#on20#Topics@S%S20#D#@Intro20#to20#S%S20#D#20#%udits.pdf

Annotation

This article offers an o(er(ie* of the S%S D# audit used to report on the processing of transactions byser(ice organi)ations,/ *hich can be done by completing either a S%S D# Type I or Type II audit. % S%SD# Type I is kno*n as reporting on controls placed in operation,/ *hile a S%S D# Type II is kno*n asreporting on controls placed in operation/ and tests of operating effecti(eness/

Recent legal legislation such as GI6%%, Jramm-:each-&ililey %ct and Sarbanes-Oxley %ct ha(eincreased corporate accountability and the creation of internal controls throughout organi)ations

Type I S%S D# report *ould issue an unualified opinion for a point in time and Type II report*ould be o(er a time period

0!
http://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdfhttp://www.csb.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/SAS%2070/Intro%20to%20SAS%2070%20Audits.pdf


31/31

The benefits an unualified opinion from a S%S D# ser(ice report solidifies that the ser(iceorgani)ation has effecti(e controls in place

%uditors ha(e implemented an exhausti(e list of policies, procedures, and related controls thatmust be examined for this type of engagement./

S%S D# reports incorporate general and application controls but also expand into operational andhuman resource issues *hich makes the report more useful if the scope of the engagement is

larger Type II report reuires a minimum six month testing period and is tested through testing of

controls *hile Type I consists of inuiry and obser(ation of controls S%S D# reports uses a combination of many different standards such as "O&IT, "OSO, ISO

1DD>>, and many others.

Annotation #22


Perioical/!ebsite

"ol / $o /%ition

&ear'ublishe

Pages (ateaccesse


Singleton,Tommie

The "OSOModel9 Go*IT %uditors"an Lse It to3(aluate the3ffecti(enessof Internal"ontrols

IS%"%$ebsite

1 0## 7une 0',0#11

http9@@***.isaca.org@7ournal@6ast-Issues@0##'@olume-1@;ocuments@5pdf#'1-Lsing"%%TstoSupportIS%u.pdf

Annotation

In this article, IS%"% describes ho* auditors can apply "OSO model in performing auditors. It breaks the

"OSO model into fi(e categori)es V "ontrol 3n(ironment, Risk %ssessment, Information and"ommunication, "ontrol %cti(ities and Monitoring

"ontrol 3n(ironment9 This part of the "OSO model allo*s auditors to help comply *ith S%S 1#>.S%S 1#> reuires auditors to understand the entities en(ironment and to assess the risk ofmaterial misstatement

Risk %ssessment9 This part of the "OSO model helps auditors assess risk *ithin the entityFssystem of controls by identifying factors that increase risk such as changes in the operatingen(ironment.

Information and "ommunication9 This part of the model addresses that financial reportinginformation should not only be rele(ant but also timely.

"ontrol %cti(ities9 This part breaks control acti(ities into three categories V general, applicationand physical.

Monitoring9 This part discusses ho* controls should be monitored, assessed and re(ie*ed.
http://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdfhttp://www.isaca.org/Journal/Past-Issues/2003/Volume-1/Documents/jpdf031-UsingCAATstoSupportISAu.pdf

Date post:	03-Jun-2018
Category:	Documents
Upload:	libraolrack
View:	216 times
Download:	0 times