a202925199b97cb3e48d5bdd1256019671e960eb.doc

General IT Controls

General IT controls assure that access to the computer system is limited to people who have a right to the information. Appropriate delegation of authority sets limits on what levels of risk are acceptable, and these limits determine the discretion of the employees delegated to authorize the main types of business transactions. Authorization may be general or specific. Examples of general limits set by policy are product price lists, inventory reorder points, and customer credit limits. Specific authorization may be made on a case-by-case basis, such as authorizing a reduction in the price of a dress with missing buttons in a retail clothing store.

Computer Facility Controls

Computer facilities may have several types of controls. General controls such as access controls, or application controls such as passwords, allow only authorized people admittance to the computer software. A very important general control is back-up and recovery procedures, as anyone who has had a system go down without current records being adequately backed up will tell you. Physical controls such as locks on the doors to the computer room and locked cabinets for software and back-up tapes protect the tangible components of a computer system.

IT Risks

The auditor should be aware that IT poses specific risks to an entity's internal control, including:

- Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both. For instance, individuals may inappropriately override such automated processes by changing the amounts being automatically passed to the general ledger or to the financial reporting system. Furthermore, where IT is used to transfer information automatically, there may be little or no visible evidence of such intervention in the information systems.
- Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
- The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.

A frequent problem in audits of small- to medium-sized businesses is that there is only one IT employee, who has unlimited access to all computer systems hardware and software, all security systems and all back-ups. A response to this risk is to have someone periodically review the security and access logs to monitor the IT employee's activity.
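The periodic log review described above, written out as an added Python example that is not part of the original text: it scans constructed access-log lines (the sample data, system names, control-domain labels and action names are all assumptions) and flags both the sensitive actions the passage warns about (overriding amounts passed to the general ledger, tampering with the audit trail) and a single user spanning security, backups and production data, which is the segregation-of-duties breakdown a lone IT employee represents.

```python
"""Periodic access-log review for a business with a single IT employee (example)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log, not from any real system: timestamp,user,system,action
SAMPLE_LOG = """\
2011-03-01T08:02:11,jdoe,app-server,login
2011-03-01T08:15:40,jdoe,backup-library,restore
2011-03-01T09:01:03,jdoe,security-console,disable_audit_log
2011-03-01T09:04:55,jdoe,general-ledger,override_posting_amount
2011-03-01T10:30:00,msmith,general-ledger,post_journal
2011-03-01T11:12:09,jdoe,security-console,enable_audit_log
"""

# Hypothetical mapping of systems to the control domains one person should not
# span unchecked: production data, back-ups and security systems.
DOMAIN_OF_SYSTEM = {
    "app-server": "production",
    "general-ledger": "production",
    "backup-library": "backups",
    "security-console": "security",
}

# Hypothetical action names that bypass an automated control or weaken the audit trail.
SENSITIVE_ACTIONS = {"disable_audit_log", "override_posting_amount", "restore"}


def review_access_log(log_text: str, max_domains: int = 1) -> dict:
    """Return sensitive actions per entry and users spanning more than max_domains domains."""
    domains_by_user = defaultdict(set)
    sensitive = []
    for ts, user, system, action in csv.reader(StringIO(log_text)):
        domains_by_user[user].add(DOMAIN_OF_SYSTEM.get(system, "unknown"))
        if action in SENSITIVE_ACTIONS:
            sensitive.append((ts, user, system, action))
    violations = {u: sorted(d) for u, d in domains_by_user.items() if len(d) > max_domains}
    return {"sensitive_actions": sensitive, "segregation_violations": violations}


if __name__ == "__main__":
    findings = review_access_log(SAMPLE_LOG)
    for ts, user, system, action in findings["sensitive_actions"]:
        print(f"{ts} {user} performed {action} on {system}")
    for user, domains in findings["segregation_violations"].items():
        print(f"{user} spans control domains: {', '.join(domains)}")
```

The reviewer is whoever the business assigns to the compensating control, not the IT employee being monitored; the findings are the starting point for follow-up, not a verdict.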

  • Spring '11
  • DONALDSTUHLMAN