978-1133934400 Chapter 15 Solution Manual Part 2

subject Authors James A. Hall

1. DISCUSSION QUESTIONS
1. Section 302 requires that corporate management (including the CEO) certify
quarterly and annually their organization’s internal controls over financial
reporting. The certifying officers are required to:
Chapter 1 Page 2
2. Section 404 requires the management of public companies to assess the
effectiveness of their organization’s internal controls over financial reporting
and provide an annual report addressing the following points: 1) A statement of
management’s responsibility for establishing and maintaining adequate internal
3. The SEC has made specific reference to the Committee of the Sponsoring
Organizations of the Treadway Commission (COSO) as a recommended
4. Consider an organization with poor database security controls. In such a
situation, even data processed by systems with adequate built-in application
5. Auditors had the option of not relying on internal controls in the conduct of an
audit and therefore did not need to test them. Instead, auditors could focus
6. No. Auditors are permitted to simultaneously render a qualified opinion on
management’s assessment of internal controls and render an unqualified
7. This involves:
8. Auditing Standard No. 2 places new responsibility on auditors to detect
fraudulent activity. The standard emphasizes the importance of controls
9. Computer fraud can occur at various points during computer processing. The
following summarizes the key areas of risk:
Data Collection fraud involves the data entry stage of
the process. Frauds of this type require little or no computer skills. The
perpetrator need only understand how the system works to enter data that it
Program fraud includes the following techniques: (1)
creating illegal programs that can access data files to alter, delete, or insert
values into accounting records; (2) destroying or corrupting a program’s logic
Operations fraud is the misuse or theft of the firm’s
computer resources. This often involves using the computer to conduct
Database Management fraud includes altering, deleting,
corrupting, destroying, or stealing an organization’s data. The most common
technique is to access the database from a remote site and browse the files for
Information Generation fraud is stealing, misdirecting,
or misusing computer output. One technique called scavenging involves
searching through the trash cans of the computer center for discarded output. A
Eavesdropping involves listening to output
transmissions over telecommunications lines. Available technologies enable
perpetrators to intercept messages being sent over unprotected telephone
10. The bank that has its data stored for all of its branches on one mainframe
computer is at greater risk with respect to access control. All of the firm’s records are
centrally housed. Once a perpetrator gains unauthorized access to the system,
the data for all 10 branches are at risk. The perpetrator would have to breach
11. The lowest cost method is internally provided backup. With this method,
organizations with multiple data-processing centers may invest in internal
excess capacity and support themselves in the case of disaster in one data
processing center. In terms of cost, the next highest method is the empty shell
where two or more organizations buy or lease space for a data-processing
center. The space is made ready for computer installation; however, no
computer equipment is installed. This method requires lease or mortgage
payments, as well as payment for air conditioning and raised floors. The risk of
12. The critical applications should be identified and prioritized by management,
user departments, and auditors. The applications should be prioritized based
13. The attest service is defined as an engagement in which a practitioner is
engaged to issue, or does issue, a written communication that expresses a
14. The existence or occurrence assertion affirms that all assets and equities
contained in the balance sheet exist and that all transactions in the income
statement actually occurred.
The rights and obligations assertion maintains that assets appearing on the
balance sheet are owned by the entity and that the liabilities reported are
obligations.
The presentation and disclosure assertion alleges that
15. Having the internal auditing function report to the controller is unacceptable. If
the controller is aware of or involved in a fraud or defalcation, then he/she may
give false or inaccurate information to the auditors. The possibility that the
17. In the IT environment, the data needed to perform audit tests are contained in
19. Risk: unauthorized program changes
20. Computing center security is an area where judgment is necessary to
21. Once a client firm has outsourced specific IT assets, its performance becomes
linked to the vendor’s performance. The negative implications of such
dependency are illustrated in the financial problems that have plagued the huge
22. Once the client firm has divested itself of specific assets, it becomes dependent
on the vendor. The vendor may exploit this dependency by raising service
rates to an exorbitant level. As the client’s IT needs develop over time beyond
23. Information outsourced to off-shore IT vendors raises unique and serious
questions regarding internal control and the protection of sensitive personal
data. When corporate financial systems are developed and hosted overseas,
24. Alignment between IT strategy and business strategy requires a close working
relationship between corporate management and IT management in the
concurrent development of business and IT strategies. This, however, is
difficult to accomplish when IT planning is geographically redeployed off-shore
25. SSAE 16 is an internationally recognized third-party attestation report designed
for service organizations such as IT outsourcing vendors. SSAE 16 was
promulgated by the Auditing Standards Board (ASB) of the AICPA and replaced
Statement on Auditing Standards No. 70 (SAS 70). The SSAE 16 report, which
26. The Type I report is the less rigorous of the two and comments only on the
suitability of the controls’ design. The Type II report goes further and assesses
27. Carve-out Method: When using the carve-out method, service provider
management would exclude the subservice organization’s relevant control
Inclusive Method: When using the inclusive method of subservice organization
reporting, the service provider’s description of its system will include the

Copyright ©2022 All rights reserved. | CoursePaper is not sponsored or endorsed by any college or university.