Auditing Information System: Security Management and Control - Assignment Example

Auditing Information System of Affiliation Auditing Information System This paper explores the studied of the first chapters in the course of Auditing Information System at Nova Southeastern University, these chapters are based on management security system, internal control, security and control assessment. The answers for this assignment are based on the material covered in the class and the research conducted on online (Internet) and offline (non-Internet). Keywords: accurate, authorization, changes, computer, development, program, security, system Assignment 1 Chapter 1 -Problem 5, Page 30 A. The purpose of each of the four controls, are as follow: 1- Authorization of transactions: this control is required to satisfactorily protect the company or entity assets against of any fraudulent or improper transactions. This control helps to a point to apply a validation and internal control. A conventional system of transaction authorization permits the use of a company’s resources basing on the goals and objectives of the management team. Transactions must be carried out in line with the terms of their broad or particular authorizations, but under the scrutiny of trustworthy personnel, who, in addition to being responsible, acts within the limits of the prescribed authority. 2- Complete and accurate record keeping is essential as it serves to ensure that expeditious and accurate accounting of all transactions or rather economic activities are done. Companies have the role of maintaining books of accounts that are not only detailed, but also indicate accurate transactions as well as dispositions of the company’s assets. In addition, keeping proper records are indispensable in so far as preparing financial statements that conform to GAAP standards is concerned. Physical controls entail all efforts to keep the assets, documents and records of a company away from dangers of destruction, loss or manipulation through alteration. 3- Internal verification describes the independent assessment of the accuracy and correctitude of work(s) done by another party. It involves a further review of the accounts for the assets relative to existing assets at specified periods. B. & C. Applications of the Controls: Violation/Remedy Okdale went ahead to transact the long-term securities by simply basing on the approval of the president rather than the approval of the entire board of directors. This action was in violation of the authorization protocol. As a remedy, there is need to employ a strategized formalized procedures. This is in addition to the company’s by-laws. Under such set of conditions, it is apparent that Okdale would not have sold the securities without the approval of the board of directors. The dividend and interest checks from Okdale are received by the treasurer who directly forwards to the accounting department. There is no record or entry that is made on the cash receipts book. As such, it is impossible to determine the receipt and deposition of all interest checks and dividend. Such action clearly contravenes the rule of complete and accurate record keeping. As a remedy to the problem, all checks should be forwarded to the group that normally opens stamps and logs incoming checks, and the checks should be recorded in the cash receipts book at the time of receipt. . (Otley, 1999)The interest and dividend checks (entries) should be reconciled by the accounting department to the monthly broker’s statements. These statements should be kept on file to assure that all checks have been received, deposited, and accounted for. The balance in the accounts as of the end of the month closely approximated the amounts shown on the broker’s statements. This is a violation of the complete and accurate records procedure and the internal verification procedure. Remedy- The accounting department must undertake the reconciliation of the differences and implement appropriate procedures to assure that the accounts and the brokerage statements are reconciled monthly. The treasurer has the authority to buy and sell securities, receives revenue, and makes journal entries related to securities. This is a violation of the authorization procedure. Remedy- Strengthen internal control so that the treasurer does not have conflicting duties. (Otley, 1999) Access to short-term securities is unrestricted in the accounting department. This is a violation of the physical controls procedure. Remedy- The short-term securities should be placed in a restricted facility such as a bank safe deposit box or a company safe. Access to short-term securities should be limited to a few responsible personnel and two people should be present each time the securities are accessed. Additionally, a log-book should be maintained to record any disposition of securities. Chapter 2- Problem 1, Page 63 Some of the control weaknesses present and the proper recommendation for correcting each of them are: EDP system should be out of bounds of the company’s staff. Programmers and support system personnel are the only people allowed to access the system but only when they are conducting maintenance services (Otley, 1999). The supervisor in charge of the operators of the EDP system should have unrestricted accessibility to the computer room. The roles of maintenance should be distinct from those of management and operations (Barth, et al, 2008). The task of reconciling the EDP log should be done by computer operations supervisor or any other independent employee (Barth, et al, 2008). EDP system documentation should be enhanced to include programs, flowcharts, and operator instructions. (Otley, 1999) An EDP master price list file should be used to record the prices automatically for every invoice. Processing controls, such as completeness tests, validation tests, and reasonableness tests, should be put in place to assure that errors in the input records are detected when processing occurs. Control totals, hash totals, and record counts should be implemented to ensure the accuracy of all EDP data and to prevent errors from going unnoticed or being improperly tallied. (Vaivio, 2008) The numerical sequence of shipping notices should be checked by the EDP system and any missing number should appear on summary control totals that are reviewed The EDP system operators’ supervisor. Billing and cash collections should made separate from accounts receivable. (BARTH, Chapter 3-Problem 9, Page 127 BBC Inc. is initiating a top down implementation of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. The COSO framework will enable BBC to establish a firm corporate strategy for rick management, internal control and fraud deterrence. The necessity of a trickle down implementation creates a unique circumstance that BBC’s management must engage and solve in a fluid transition. The introduction of the COSO framework will require BBC to integrate a corporate wide computer information system that by nature will create a number of potentially hazardous security and control issues that must be resolved prior to system implementation date. The COSO Enterprise Risk Management Framework expands on BBC’s internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. While it is not intended to and does not replace the internal control framework companies such as BBC will utilize the new capacity of the framework to move toward a fuller risk management process which by nature will be more stable and secure for management. Security BBC should conduct workshops and seminars to enlighten the employees of the corporation on how to use the system. Amongst the training items are the policies and procedures that the users need to know as well as virus risks and effective measures to counter them. Updating the virus definitions should be conducted as frequent as possible by the administrator. For instance, it is recommended for the process to be done on a daily basis rather than on a weekly basis. In the event a user enters password incorrectly for a three times (subsequently), the system should autonomously disallow in further attempts. This is a security measure to prevent suspicious individuals from trying to access accounts that belong to other users (Otley, 1999). In case such a scenario takes place, the system should log the attempt and notify the administrator of the system on the date and time the suspicious activity took place. Further, Otley (1999) recommends that passwords should be reframed at least two times every year. A system whose password is changed regularly tends to be more secure than that whose password fairly remains the same. Also, it is important to incorporate software that rejects ‘weak’ passwords. This would compel the user to provide passwords that are much more secure. Event monitoring should be employed especially during the auditing trail of the system. This feature allows the system to keep records of the user including name, information regarding the tasks carried out, and the specific periods they logged into the system. Another person, preferably a high rank manager, should have the authority to access the event log. This is crucial as it would deter irresponsible system administrator from conspiring to hide fraudulent activities involving the computer system. Appropriate fire extinguishing equipment should be installed to take care of eventualities such as fire. For instance, automatic fire extinguishing systems that dispense fire suppressant gases should be used in place of water extinguishers. This is because the latter has the ability of destroying the computers. Systems Development Computer monitoring and maintenance should only be designated to specific person(s). This individual(s) will take full responsibility of the purchasing and installation of software on company computers. Also, for the sake of reliability and compatibility, these software should be purchased from a single provider. Program Changes The administrator of the system should not be part and parcel of the original computer programming and set-up as they will be updating the system when required. In addition, such an administrator should be kept away from any knowledge relating to making and hiding illegal changes. An account of all the changes made on the system should be safely kept. The development of a systemic process can aid in mitigating problems that could jeopardize the entire system. References Otley, D. (1999). Performance Management: A Framework for Management Control Systems research. Management Accounting Research, 10(4), 363-382. Vaivio, J. (02/2008). Qualitative Management Accounting Research: Rationale, Pitfalls and Potential. Qualitative Research in Accounting and Management, 5(1), 64-86. BARTH, M. B., LANDSMAN, W., & LANG, M. (2008). International Accounting Standards and Accounting Quality. Journal of Accounting Research, 46(3), 467-498. Read More