IT Risks & Controls

W6DQ1-IT Risks & Controls

All auditors and most accountants should have a solid understanding of IT systems, including hardware, communication networks, software, databases and other infrastructure elements, in order to assess basic IT risks and controls.

Generally, IT controls can be grouped into 2 major areas: “IT general controls” and “application controls”. Application (such as Accounts Receivable, Accounts Payable, Payroll, Inventory, etc.) controls can be further broken down into 3 major areas: input, processing and output controls. IT general controls are control activities performed within the IT organization or the technology that IT supports in order for the applications to function. This grouping concept is similar to the “entity-wide” vs “process-level” controls discussed in prior weeks.

For this DQ, we’ll cover both IT General Controls and Application Controls, as follows:

1.  The lack of availability of an organization’s IT system can have a significant impact; thus, organizations typically have an IT Disaster Recovery plan (IT general control) for such situations. Search the web for a situation where a company has had such an “IT disaster” and discuss the following:

  • a.  General description of the IT disaster, including scope of the problem, impact to its operations and corrective actions.
  • b.  What do you think are the key obstacle(s) or challenge(s) for a company to have an effective IT Disaster Recovery Plan?

2.  Choose at least two (2) other major or significant IT risks to discuss, including the following elements:

  • a.  Specific nature of the IT risk, whether it’s an application or general IT control, and a discussion of the likelihood and significance of the risk.
  • b.  Is this IT risk more a technical or human issue or both? Please provide your reasoning.

 

W6DQ2-Fraud Situations

A.  Search the internet to gain a deeper understanding of a recent and major case of “fraud” within an organization.  Describe the circumstances that surrounded the fraud, including but not limited to:

1.  Who was involved, financial impact and consequences.

2.  Detailed nature of how it was perpetrated (i.e. control breakdown, management override, collusion).

3.  Were the control breakdowns of “entity-level controls” and/or  “process-level controls”?  Please support your argument.

4.  What role, if any, the internal auditors and external auditors played. If no involvement, should or could the IA have detected this fraud? Why or why not?

B.  Discuss whether you believe that only a small portion of the frauds that occur within a company are ever discovered.   Back up your reasoning with facts, examples or other arguments.  Make sure to critique at least one other student’s posting in addition to your own.

  • c.  Discuss whether you think future technological advances will enhance or reduce this risk.
  • d.  Discuss the type of control(s) that could/should be implemented to mitigate such risk.

Make sure you critique or respond to another classmate’s post.
