IT Governance, Risk, and Compliance


March 30, 2012  8:48 PM

Irregularities and Illegal Acts Agreed-Upon Procedures Assessments – Part VII

Robert Davis

SOD controls are designed to reduce the opportunities for errors, mistakes, omissions, and irregular or illegal acts, both their perpetration and their concealment. SOD is a primary internal control measure used in manual and automated systems alike. An autonomous computer data entry function may exist within an enterprise; however, even if the entity distributes data entry responsibility among employees, SOD should still be maintained. Furthermore, origination, processing, verification, signoff, and distribution responsibilities should be monitored and evaluated for violations of SOD controls.
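As an added illustration of the monitoring point above (this is example code, not from the original post), the script below evaluates a user-to-duty assignment against an incompatible-duty matrix and reports every user who holds two duties that should be separated. The duty names (origination, processing, verification, signoff, distribution) are the post's; which pairs are treated as incompatible, the export format, and the user names are constructed assumptions for the example.

```python
"""
Segregation-of-duties (SOD) conflict check over a role export.
Added example, not part of the original post. The incompatible-duty
matrix and the sample export below are constructed for illustration.
"""
from itertools import combinations

# Constructed incompatible-duty matrix: a single person should not hold
# both duties in any pair. Which pairs conflict is an assumption here;
# a real matrix comes from the entity's own control documentation.
INCOMPATIBLE_PAIRS = {
    frozenset({"origination", "verification"}),
    frozenset({"origination", "signoff"}),
    frozenset({"processing", "verification"}),
    frozenset({"processing", "signoff"}),
    frozenset({"signoff", "distribution"}),
}

# Constructed role export in a simple "user,duty" form (one grant per line).
SAMPLE_EXPORT = """\
# constructed role export: user,duty
alice,origination
alice,processing
bob,verification
bob,signoff
carol,processing
carol,signoff
carol,distribution
dave,distribution
"""


def parse_export(text):
    """Parse 'user,duty' lines into {user: [duty, ...]}; skips blanks and comments."""
    assignments = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, duty = (field.strip() for field in line.split(",", 1))
        assignments.setdefault(user, []).append(duty)
    return assignments


def find_sod_violations(assignments, incompatible=INCOMPATIBLE_PAIRS):
    """Return a sorted list of (user, duty_a, duty_b) for every incompatible
    pair of duties a single user holds. Duplicate grants are collapsed first."""
    violations = []
    for user, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(set(duties)), 2):
            if frozenset({a, b}) in incompatible:
                violations.append((user, a, b))
    return violations


def unassigned_duties(assignments, incompatible=INCOMPATIBLE_PAIRS):
    """Duties named in the matrix that nobody holds: a clean violation report
    is meaningless if the conflicting duty was simply never granted."""
    expected = set().union(*incompatible)
    granted = {d for duties in assignments.values() for d in duties}
    return sorted(expected - granted)


if __name__ == "__main__":
    assigned = parse_export(SAMPLE_EXPORT)
    for user, a, b in find_sod_violations(assigned):
        print(f"SOD violation: {user} holds both '{a}' and '{b}'")
    missing = unassigned_duties(assigned)
    if missing:
        print("Duties in the matrix with no holder:", ", ".join(missing))
```

In the constructed export, carol holds processing, signoff and distribution, so the check reports two conflicts for her; the other users hold only compatible duties. The `unassigned_duties` helper is there because an empty violation list proves little if a duty has no holder at all.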

Protective measures should also be deployed to ensure information assets are maintained in a properly controlled and secured environment. Specifically, a physically and logically secure environment should exist at the GCC level. Regarding irregular and illegal acts, adequate identification of IT personnel and inventory, together with access restrictions, should be considered crucial controls. More broadly, employing a competent information security manager can ensure continuous monitoring of general as well as application access.

View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here

March 27, 2012  9:05 PM

Irregularities and Illegal Acts Agreed-Upon Procedures Assessments – Part VI

Robert Davis

Computer usage in information processing systems frequently eliminates generally accepted accounting control principles regarding adequate SOF and SOD. In particular, in manual systems, incompatible functions are normally assigned to distinct departments or personnel. Computerized information systems, however, tend to consolidate incompatible functions and duties within the IT department. As a result, IT personnel are potentially in a position to commit irregular and/or illegal acts if compensating controls do not exist.

SOF and SOD are considered organizational controls that may prevent, deter, and/or detect irregular and illegal acts. An entity’s IT management is responsible for sustaining an adequate Internal Control Structure (ICS) to safeguard information system assets. One of the factors an ICS relies on is maintaining adequate SOF between the various IT department units as well as other non-IT groups.

View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here


March 23, 2012  8:03 PM

Irregularities and Illegal Acts Agreed-Upon Procedures Assessments – Part V

Robert Davis

Effective compliance with policies, procedures, or directives requires an extensive set of interrelated practices and processes. However, organizational policies, procedures, and directives may not incorporate controls, or may reflect inadequate controls. Furthermore, organizational policies, procedures, and directives may be inaccurate, incomplete, or outdated. Conversely, where controls are adequate, GCC organizational policies, procedures, and directives should include computer security measures. Specifically, at a minimum, one organizational GCC policy and procedure should address unauthorized computer usage and the process for requesting computer access.

Through key operations GCC, Segregation-of-Functions (SOF) and Segregation-of-Duties (SOD) support the policies, procedures, directives, and organizational structure established to inhibit one individual from conducting unauthorized actions or gaining unauthorized access to assets or records. Assessing control existence and adequacy for an audit area is a primary IT auditor responsibility. Therefore, an IT auditor should study and evaluate policies, procedures, directives, SOF and SOD controls, and protection of information assets to demonstrate due diligence regarding irregular and illegal act risks.

View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here


March 20, 2012  10:20 PM

Irregularities and Illegal Acts Agreed-Upon Procedures Assessments – Part IV

Robert Davis

At the IT level, general controls usually represent the policies, procedures, and directives applied to all or a large portion of an entity’s information systems, and they assist in ensuring those systems' proper operation. As a sub-category, ISACA defines general computer controls (GCC) as general controls, other than application controls, that relate to the environment within which computer-based application systems are developed, maintained, and operated, and that are therefore applicable to all applications. Furthermore, ISACA avers that pervasive controls are a subset of general controls and pertain specifically to the management and monitoring of IT-related activities.

Management is responsible for implementing and maintaining an adequate system of internal controls, and policies, procedures, and directives are the primary means of documenting management’s intentions regarding an organization. In this context, published policies, procedures, and directives reflect management’s criteria for executing specific tasks.

View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here


March 16, 2012  8:26 PM

Irregularities and Illegal Acts Agreed-Upon Procedures Assessments – Part III

Robert Davis

“Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.” Nonetheless, an IT auditor should refrain from providing an opinion on results obtained through agreed-upon procedures unless required to testify in court proceedings.

Whether target data are in transit or at rest, it is critical that measures be in place to prevent the sought information from being destroyed, corrupted, or becoming unavailable for forensic investigation. When evidence is at rest, adequate procedures should be followed to ensure evidential nonrepudiation. Volatile data capture assists investigators in determining the system state during the incident or event. Consequently, the use of functionally sound imaging software and practices is essential to maintaining evidential continuity.

View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here


March 13, 2012  7:39 PM

Irregularities and Illegal Acts Agreed-Upon Procedures Assessments – Part II

Robert Davis

Under most circumstances, financial auditors must plan tests that provide reasonable assurance that fraud does not exist. When an IT auditor is involved in an external financial statement audit and is following generally accepted financial audit standards, they must also perform tests providing reasonable assurance that fraud does not exist. Consequently, these requirements dictate following audit program fraud detection procedures for determining the extent of testing required and demonstrating auditor prudence. However, financial auditors commonly do not focus on the adequacy of IT general controls (ITGC); instead, the emphasis is placed on IT application controls (ITAC). Nevertheless, given the impact of general controls on application controls, the IT auditor must vigorously pursue ensuring that general control agreed-upon procedures are included in the fraud IT audit program.

View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here


March 9, 2012  10:14 PM

Irregularities and Illegal Acts Agreed-Upon Procedures Assessments – Part I

Robert Davis

Governmental statutes may require that an entity’s management design, implement, and maintain a system of internal controls; however, internal controls verification is usually an auditor attestation responsibility. To adequately perform this professional responsibility, an IT auditor should have knowledge of the types, traits, techniques, and modus operandi normally associated with irregular and illegal acts. For instance, an IT auditor must understand that, compared to other crimes or improprieties, a key distinguishing feature of fraud is false representation or concealment of a material fact.

Irregularities and/or illegal acts agreed-upon procedures may be included in the “terms of reference” of a standard IT assurance engagement. Alternatively, agreed-upon procedures can be documented within a separate engagement letter. IT financial statement fraud and computer forensics are examples of potential agreed-upon procedures that may be undertaken as separate engagements. Nonetheless, if agreed-upon procedures form a separate engagement, the IT auditor should not express any assurance concerning the subject matter examined during the course of performing the assignment procedures.

Post Note: Irregularities and Illegal Acts Agreed-Upon Procedures Assessments contains redacted excerpts from Assuring IT Legal Compliance (Assurance Services)


March 6, 2012  8:43 PM

Auditing IT Governance – Part VIII

Robert Davis

Regarding audit staffing, potential IT governance engagement members should have the appropriate seniority and proficiency. Generally, when IT governance audit objectives involve a wide range of information system functions, assigned audit personnel should have extensive organizational knowledge and an understanding of the related processes. These audit personnel criteria can be satisfied through a combination of formal education, relevant certification, and/or professional experience. If, after evaluating potential in-house audit engagement candidates, audit management determines that the IT audit function does not have the required skill set, professional service outsourcing may be considered to enable an IT governance audit. For example, IT audit staff members may not have the appropriate business, technical, and/or framework knowledge to adequately perform a scheduled IT governance audit in a timely manner. Hence, audit management may consider outsourcing the IT governance audit to complete the scheduled engagement.

View Part I of the Auditing IT Governance series here


March 2, 2012  10:12 PM

Auditing IT Governance – Part VII

Robert Davis

An IT auditor should include in the audit ambit the relevant processes for planning, organizing, and monitoring the IT activity. Contextually, the audit ambit should include control systems for the use and protection of the full range of COBIT framework IT resources. Specifically, people, information, applications, and infrastructure are the IT resources that should be addressed within the IT governance audit ambit’s control systems.

Moreover, critical for a viable IT governance audit plan is the IT audit function’s organizational status. Specifically, internal IT audit organizational status may become a factor in determining whether to proceed with an IT governance audit. For instance, management may consider it inappropriate to grant internal IT auditors access to high-level business documents. Accordingly, organizational status may require hiring an independent third party to manage and perform the IT governance audit.

View Part I of the Auditing IT Governance series here


February 28, 2012  8:47 PM

Auditing IT Governance – Part VI

Robert Davis

Interpretively, an entity’s information systems represent the infrastructure to collect data, process transactions, and communicate operational results. In other words, an entity’s MIS represents the aggregation of personnel, computer hardware, and software, with associated policies and procedures, that allows data processing to generate usable information for decision-making. For example, how the organization runs the entity’s mainframe, employs contractors, purchases hardware, and charges customers are MIS subject elements.

Control procedures should be considered performance processes for accomplishing control goals and/or objectives. Control procedures document management’s operational intentions and attempt to assure that they are carried out. Similar to policies, control procedures should provide for safeguarding organizational assets as well as promote effectiveness and efficiency.

View Part I of the Auditing IT Governance series here
