IT controls : Sarbanes-Oxley and IT governance

15 important questions on IT controls : Sarbanes-Oxley and IT governance

What is section 404 of SOX?

Section 404 requires management to assess the effectiveness of internal control (IC) over financial reporting.
To comply with section 404, management needs to provide the external auditors with documented test results of functioning controls, performed by the internal auditor or a SOX specialist, as supporting evidence for the assertions in its report on control effectiveness.

Which two information system controls groups are identified by COSO?

Application controls: designed to be application specific. The objectives are to ensure the validity, completeness and accuracy of financial transactions, e.g. the cash disbursement batch balance is reconciled with the total postings to the accounts payable subsidiary ledger.
General controls (also called general computer controls or information technology controls): apply to all systems, support the application controls and have an effect on transaction integrity, e.g. database security.

Which duties should be segregated within the centralized firm?

1. Systems development (SD) and maintenance have to be segregated from operations activities (the ones that run the systems).
2. The database administrator (DBA) has to be segregated from other IT functions.
3. The DBA has to be segregated from systems development (SD).
4. New systems development has to be segregated from maintenance.

Why should systems development and maintenance be separated from operations?

Risk when not segregated: With detailed knowledge of an application’s logic and control parameters along with access to the computer operations, an individual could make unauthorized changes to application logic during execution. Such changes may be temporary (on the fly) and will disappear with little or no trace when the application terminates.

Why should DBA be separated from other IT functions?

The DBA is responsible for database security, including creating the database schema and user views, assigning access authority to users, monitoring database usage, and planning for future expansion. Risk when not segregated: delegating these responsibilities to others who perform incompatible tasks threatens database integrity.

Why should DBA and SD be separated?

To achieve database access, both programmer and DBA need to agree as to the attributes and tables (the user view) to make available to the application or user in question. If done properly, this permits and requires a formal review of the user data needs and security issues surrounding the requests. Assigning responsibility for user view definition to individuals with programming responsibility removes this need to seek agreement and thus effectively erodes access controls to the DBMS.

Why should new systems development be separated from maintenance?

The programming group codes the original programs and also maintains them during the maintenance phase of the systems development life cycle. Risks of this approach: inadequate documentation and fraud.
When a system is poorly documented, it is difficult to interpret, test and debug. The maintenance group requires adequate documentation to perform its maintenance duties.

What are the IT control implications that management and accountants should recognize on DDP?

Incompatibility: distributing responsibility for the purchase of software and hardware can result in uncoordinated and poorly conceived decisions, which can impair internal communications.
Redundancy: autonomous SD activities throughout the firm can result in the creation of redundant applications and databases.
Consolidating incompatible activities: segregation of duties may be operationally infeasible in a distributed unit.
Difficulty in acquiring qualified professionals.
Lack of standards.

What kind of advice and expertise does the corporate IT function provide to the various distributed IT functions?

Central testing of commercial software and hardware: the corporate group is better able to evaluate the merits of competing vendor hardware and software. After testing it can make recommendations to user areas to guide acquisition decisions.
User services: provides help with installation and with troubleshooting hardware and software problems.
Standard-setting body: establishes and distributes to user areas appropriate standards for systems development, programming and documentation that are compliant with SOX requirements.
Personnel review: the corporate group is better equipped than users to evaluate the technical credentials of prospective systems professionals.

What are the audit procedures that relate to organizational structure?

Obtain and review the corporate policy on computer security and verify that the security policy is well communicated.
Review relevant documentation (organizational chart, mission statement, job descriptions for key functions) to determine whether individuals or groups perform incompatible functions.
Review system documentation and maintenance records for a sample of applications. Verify that the maintenance programmers are not the original design programmers.
Through observation, determine that the segregation policy is being followed. Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.
Review user rights and privileges to ensure that they are consistent with the users' job descriptions.

What are the audit objectives related to computer center security?

(1) Physical security controls are adequate to reasonably protect the organization from physical exposures.
(2) Insurance coverage on equipment is adequate to compensate the organization for the destruction of or damage to its computer center. Auditors should annually review the insurance coverage and verify that all new acquisitions are listed and that obsolete equipment and software have been deleted.
(3) Operator documentation is adequate to deal with routine operations as well as system failures.

What is an empty shell or cold site plan?

The empty shell or cold site plan is an arrangement where the company buys or leases a building that will serve as a data centre. Weakness: recovery depends on the timely availability of the necessary hardware to restore the data processing function.

What is a recovery operations center or hot site?

The recovery operations centre (ROC) or hot site is a fully equipped backup data centre that many companies share. In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.

What is an internally provided backup/ own remote mirrored data center?

An internally provided backup, or own remote mirrored data centre, ensures functional compatibility among the company's data processing centres and minimizes cutover problems in the event of a disaster.

What is a disaster recovery team?

The team members should be experts in their areas and have assigned tasks. Traditional control concerns do not apply in this setting: business continuity is the primary consideration.
