Transcript Corporate Governance & Entity

Corporate Governance and Entity-Level
Controls
Escalating Role of Board Members
• Corporate Fraud
• Qualifications of directors and management
Governance-2
Board Member Sample Tasks and Expertise
Sample Task
Expected Expertise
Approve hiring of chief executive officer
Human resources, personnel evaluation
Approve risk assessment framework and monitor risk
evaluation
Industry expertise, strategic planning, awareness of
potential risks, risk assessment methodologies
Review and approve organizational and business
strategies and changes thereto
Long-term planning, strategic planning, industry-specific
expertise
Review and approve information systems strategy and
changes thereto
Ability to link information systems strategy to business
strategy; understand information systems terminology,
impact, and alternatives; industry-specific expertise
Approve information systems acquisitions, business
acquisitions, or contracts over specified dollar limits
Understand information systems terminology, impact, and
alternatives; industry-specific expertise
Approve auditors and financial statements
Financial or accounting competence; understand complex
accounting terminology and be able to ask the right
questions
Oversee the work of internal auditors
Understand risks that the organization is exposed to and
alternative ways of addressing those risks
Governance-3
Organizational Structure and
Corporate Governance
• What has an effect on corporate governance?
• For example, an entrepreneurial structure
• What type of structure would a public company
probably have?
Governance-4
Enterprise Risk Management (ERM)
• What is ERM
• Risk management framework
Governance-5
Auditor Evaluation of Corporate
Governance
• What is the auditor’s goal?
• Typical tools used to understand the components of
corporate governance
Governance-6
IT Governance
• IT governance is crucial to the evaluation of
corporate governance
• Definition of IT governance
• IT governance is a crucial subset of
Governance-7
Evaluation of IT Governance by the Auditor
• Evaluation of IT governance
• What does the auditor look at next?
Governance-8
• Continuous assessment
• Value Management methodologies
Governance-9
Impact of General Information
Systems Controls on the Audit
There are three general control categories:
1. organization and management controls
2. systems acquisition, development, and maintenance
controls
3. operations and information systems support.
Governance-10
Organization and Management Controls
• Auditors consider
• Key question - Who are the super-users?
Governance-11
Systems Acquisition, Development, and
Maintenance Controls
• Auditors focus
• Typical types of software
•
•
•
•
Providing user interfaces
Providing security
Managing hardware and software
Information communication
Governance-12
Operations and Information Systems Support
• A number of things canb affect the types of controls
1. Hardware confirguration
• Auditor needs to determine
2. Operating system
Governance-13
3. Internal vs outsourced support
•
What is outsourcing?
•
Internal
Governance-14
Advanced Information Systems
• Advanced IS results in high complexity.
• Such systems have one or more of the following
characteristics:
1.
2.
3.
4.
5.
6.
Strategic information systems
Custom software
Multiple information processing locations
Database management systems
Paperless systems
Integrated computing
Governance-15
1. Strategic Information Systems
• Such systems provide a competitive advantage or
improve efficiency within an entity.
• The problems?
• Such systems can be extremely strategic
Governance-16
2. Custom Software
• Custom software is unique software designed for the
entity.
• How can it be developed?
• The key reasons why such software is chosen by
entities
Governance-17
Risks Associated with Custom Software
• Such systems are usually very costly
• Rigorous testing is required
Governance-18
Audit Impact of Custom Software
• Systems development process
• Risk of errors or unauthorized programs
Governance-19
3. Multiple Information Processing Locations
• Problems with data processed in multiple locations
• Programs could be inaccurate or unauthorized
• Access to programs and data
• Data sent from one location to another
Governance-20
4. Databases and Database Management
Systems (DBMS)
• Many software packages use a database as an
underlying file structure.
• Key concept of a DBMS
• The DBMS
Governance-21
Effects of a DBMS on Internal Controls
• Existence of a DBMS
• Typical general controls that are affected
a) Organization and management controls
b) Systems acquisition, development, and maintenance controls
c) Operations and information systems support
Governance-22
a) Organization and Management Controls
• The database administrator
• Auditor documentation
Governance-23
b) Systems Acquisition, Development and Maintenance
Added controls should exist to ensure that:
• Database development
• Programs
Governance-24
c) Operations and Information Systems Support
• Data security
• Each application cycle needs to be examined for controls over:
Governance-25
5. Paperless Systems
• A wide variety of paperless systems exist.
• Typical business data communications
– EDI (electronic data interchange)
– EFT (electronic funds transfer)
Governance-26
Impact of Paperless Systems on the Audit Engagement
• Where there is no paper trail
• Without a paper trail
Governance-27
6. Integrated Computing
• Increased leve of complexity
• Typical examples
– Enterprise Resource Planning (ERP)
– Relational databases
– The objective of such systems
Governance-28
Some Common Entity-Level
Controls
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Controls related to the control environment
Controls over management override
The company's risk assessment process
Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment
programs
Controls over the period-end financial reporting process
Policies that address significant business control and risk management practices
Whistle-blower hotline
Code of conduct
IT environment and organizations
Self-assessment
Oversight by the Board of Senior Management
Policies & procedures manual
Variance analysis reporting
Management triggers embedded within IT systems
Internal communication and performance reporting
Tone setting
Board/audit committee reporting
External communication
Segregation of duties
Accounts reconciliations
System balancing and exception reporting
Governance
Assignment of authority and responsibility
Hiring and retention practices
Fraud prevention/detection controls and analytical procedures
Governance-29
The Effects of Entity-Level Controls
• What can be affected?
• Any one of the control levels being absent or not
properly implemented
Governance-30
Relationship between Entity-Level Controls and
Specific Audit Objectives
• Entity-level controls can affect
Governance-31
Problem 10-21, Canadian 11th. Edition, Page 342
Friggle Corp. is a leasing and property management company located in Alberta. It provides financing to
organizations wishing to purchase equipment or property and manages apartments and condominium properties.
The company decided that it was time to upgrade its local area network. It decided to also purchase new
accounting software but wanted to retain its old unit maintenance software, which, although 10 years old, had an
easy-to-use interface that allowed maintenance personnel to track the maintenance work that they did in each
unit. The controller, Joe, decided that the company should purchase the software from Midland Computers,
which was owned by his brother-in-law, Tom. The prices were comparable with those of other computer
networks that he priced, and Midland happened to be close by. Using materials from industry magazines, Joe
decided that the best property management software to buy would be from Quebec; the software had received
rave reviews about being easy to use.
The implementation was scheduled for the weekend after the June month-end close so that systems could
be up and running by the following Monday. To Joe’s horror, when he arrived at work on Monday, computers
were still being unpacked and installed. Tom had difficulty following the installation instructions for the accounting
software, which was not up and running until the end of the week. General ledger details had to be manually
entered, since the software could not handle the structure of the old accounts. At the end of two weeks, Joe had
the old system put back up so that Friggle could catch up on transactions and get some work out the door. It
took three months of 12-hour days for all accounting staff to get the new system operational. Unfortunately, the
old maintenance systems would not work with the new operating system, and a new maintenance system had to
be evaluated and purchased.
Required
Assess the IT governance at Friggle Corp. For weaknesses that you identify, provide recommendations for
improvement.
Governance-32
Problem 10-22, Canadian 11th. Edition. Page 342
Turner Valley Hospital plans to install a database management system, Hosp Info, that will maintain patient
histories, including tests performed and their results , vital statistics, and medical diagnoses. The system will
also manage personnel and payroll, medical and non-medical supplies, and patient and provincial health-care
billings. The decision was taken by the board of the hospital on the advice of a consultant who was a former
employee of Medical Data Services Inc., the developer of Hosp Info.
Turner Valley Hospital’s chief information officer has come to your accounting firm to ask for advice on what
general controls she should ask Medical Data Services Inc. to install to preserve the integrity of the information in
the system and to deal with privacy issues.
The system would permit data about patients to be entered by doctors, nurses, and medical technologists.
Required
a) Describe in general terms the controls you would suggest for the system as a whole.
b) Considering the nature of Turner Valley Hospital, describe the potential risks the hospital should be
concerned about with respect to Hosp Info.
c)
What are the advantages of such a database management system?
d) How would the quality of general controls at the hospital affect your audit?
Governance-33