Sofitech Computers Module Essay Example
  • Pages: 8 (2200 words)
  • Published: January 21, 2018
  • Type: Case Study

The following text provides the information needed to complete this case study and answer the discussion questions. It includes sections on IT controls and general controls, which can be found in Appendix 1. The case focuses on the portfolio structure and business of Softies, one of several entities in a portfolio owned by a single parent company. The parent company is fully owned by an individual of high net worth. Softies assembles laptop computers using purchased components and sells them. The company's product strategy centers on obtaining low-cost components through negotiated supply agreements so that it can offer competitive prices to customers. The target customers are individuals who only require basic computer functionality at the lowest possible cost. Softies' customers mainly consist of retailers and significant individual purchasers, including educational facilities making volume purchases.

Softies faces intense competition in laptop computer sales and recognizes the importance of cost containment for profitability. The company offers standard product configurations with limited customization options, which are not provided to retailers. Key suppliers include Microsoft, chip suppliers like Intel and AMD, Asian suppliers, as well as other hardware and software suppliers, some of which are located in different countries with a lead time of up to six weeks for component parts. Suppliers work with the company to incorporate any changes to the product range. Product development is influenced by both customer demands and supplier improvements. While Softies typically builds laptops to order, it also maintains a small inventory to meet immediate customer needs. The company also holds component stock. Softies does not develop its own software for inclusion in the laptops but purchases it from various vendors. The cost of the software is passed on to the
end customer. Sales carry commissions that vary depending on the product being sold, and they are made under the Softies Computers brand name. Sometimes, retailer-designated packaging is used. Sales are recognized when goods are dispatched. There are currently six main retail customers that account for 60% of the Company's sales and there are no sales made for export purposes.

In terms of its IT environment, Softies utilizes SAP software in an enterprise resource planning (ERP) setup that integrates all organizational data and processes into a unified system. Alongside this, the company also employs an internally developed application called Firsthand to manage production and inventory. The SAP software operates on a UNIX server while Firsthand runs on a Windows server. Personnel access both applications through Windows client workstations. Connected to the ERP system is the company's website, which enables customers to place orders. This website is also linked to credit card companies in order to obtain authorization from the bank. For security purposes, Softies has implemented a firewall system and an intrusion detection system for safeguarding transactions.

The company occupies a single-story building within an industrial park, where access is controlled through locks that are managed by an electronic badge reader system. Additionally, the building is further protected through security and fire alarm systems that are directly connected to the respective emergency services, such as the police and fire departments. All key network servers, including the SAP and Firsthand servers, are located in a specially constructed computer room within the facility. This room is accessed through a single door which is protected by a lock controlled by the badge reader system. The badge reader system is responsible for logging all access to the door.

Softies Computers has hired our firm to conduct an audit of their financial statements for the year ending December 31, 2008. Our audit approach involves conducting a risk-based audit, where the amount of testing we perform is dependent on the effectiveness of the Company's internal controls, the risk of the operating environment, and the firm's tolerance for issuing an improper audit opinion. Our Audit Strategy consists of several steps:
1. Identifying important business processes that impact significant accounts, disclosures, and related assertions in the financial statements. (See Appendix 2)
2. Identifying threats in the processing stream for each significant process that could result in data errors affecting the financial statements. Controls are implemented at these points to prevent or detect such errors. (See Appendix 3)
3. Assessing Softies' IT general controls environment throughout the audit period, rather than at a single point in time, based on the identified processes, threats, and control table. (See Appendix 4)

When conducting the financial statement audit, any issues or exceptions related to IT general controls were examined. This analysis focused on the potential impact on the audit through application and IT-dependent manual controls that rely on those IT general controls.

Now, your task is to classify the following controls into one of three categories:

A. IT General Controls:
1. IT General accounts are reviewed by the Credit Manager.
2. The system requires all shipments to have a complete and valid sales order number.
3. Bank reconciliations are prepared by the Receivables Clerk and reviewed timely by the Controller.
4. Physical access to the server room is restricted.
5. The system allows the Purchasing Manager to only approve component purchases up to $1,500.

B. Manage System and Application Changes; Logical Access; Other IT General Controls: Operations Controls:
1. HR communicates all employee terminations to the administration team for access removal.
2. A request to change an existing program or develop a new program must be submitted in writing and be approved by management.
3. An intrusion detection system (IDS) monitors activity on the firewalls and web servers.
4. Unusual activity is communicated on a real-time basis to the Network Operations Center.
5. The Network Operations Center is then responsible for taking appropriate follow-up action on identified incidents.
6. SAP requires all passwords to be at least eight characters long and contain at least one uppercase letter and one number.
7. Only members of the production control team can migrate items into the production environment.

Due to IT general control issues and exceptions in the case study, the audit team no longer fully relies on SAP application controls and IT-dependent manual controls. Therefore, the audit strategy must change, and some sales transactions will undergo substantive testing.

The following simplified information was obtained from the SAP system. Identify three suspicious transactions that may be related to a breakdown in SAP IT general controls. It's important to note that IT general control issues and exceptions do not directly result in financial statement misstatements or fraud.

Recommendations are needed based on a solid framework of controls that can be implemented. The benefits and justification for each initiative/recommendation should be clearly conveyed. Appendix 1 provides an overview of IT controls, which are heavily relied upon in management's internal controls in larger clients.

Understanding the differences between IT general controls and application controls is crucial when auditing IT controls. IT general controls focus on ensuring that a client's IT systems are functioning properly. They involve authorizing, testing, and approving changes to applications before implementation, as well as controlling access to data to perform specific functions. On the other hand, application controls are automated controls that apply to individual transaction processes. These include edit checks, validations, calculations, and business-related controls.

It is also important to consider manual controls, which depend on computer-generated information and are often detective in nature. In such cases, we assess the sensitivity of the control and whether there are controls in place to ensure the completeness and accuracy of computer-produced information. For instance, when management reviews a monthly variance report and follows up on significant variances, we validate the presence of IT general controls to ensure the report's completeness and accuracy.

Both IT-dependent manual and application controls serve the same purpose: ensuring that all transactions are valid, properly authorized, recorded, and processed accurately and in a timely manner. The difference between them is that application controls are automated, while IT-dependent manual controls rely on computer-generated information.

The effectiveness of IT general controls, such as program change and logical access controls, greatly influences our ability to rely on application controls, IT-dependent manual controls, and electronic audit evidence. The three IT general controls discussed in this case are: Manage System and Application Changes, Logical Access, and Other IT General Controls: Operations Controls.

The Manage System and Application Changes process aims to maintain IT procedures for acquiring, developing, or making major changes to application software. The objectives of this process are to ensure that application and system software effectively support financial reporting requirements and that policies and procedures defining the required acquisition and maintenance processes are developed and maintained.

The rationale for acquiring and maintaining system and application software is to design, acquire/build, and deploy systems that support business objectives. This process involves making major changes to existing systems. Controls are implemented in this process to support financial information and disclosures, including initiating, authorizing, recording, processing, and reporting. Deficiencies in this area can have a significant impact on financial reporting accuracy. Policies and procedures, such as the System Development Life Cycle (SDLC) methodology, acquisition and maintenance processes, and required documentation, are included in this process. Some organizations also have service level agreements, operational practices, and training materials. These policies and procedures ensure consistent and objective business process activities. The objective is for controls to provide reasonable assurance that systems are properly tested and validated before production, and that associated controls effectively support financial reporting requirements. The rationale for installation, testing, and validating is related to migrating new systems into production.

Before installing such systems, it is important to perform thorough testing and validation to ensure their proper functioning. Without adequate testing, there is a risk of systems not functioning as intended, potentially resulting in unreliable financial information and reports. The process of managing changes in system functionality is crucial in helping businesses achieve their financial reporting objectives. Any deficiencies in this area can have a significant impact on those objectives. For example, changes in programs that allocate financial data to accounts require approval and testing to ensure the integrity of classification and reporting.

In controlling system and application changes, typical activities include obtaining authorized requests for new systems development or authorized changes to existing systems, categorizing and prioritizing approved requests, implementing or modifying the technology infrastructure to support solutions, managing the acquisition or modification of solutions and infrastructure, installing and certifying the solution or modification including testing and user acceptance, conducting post-implementation reviews and follow-up, establishing procedures for emergency system modifications, and monitoring process procedures and controls.

The logical access process involves acquiring and maintaining technology infrastructure/configuration to support financial reporting applications. This includes protecting IT components related to security, processing, and availability in order to prevent unauthorized access. The process includes designing, acquiring/building, and deploying systems that support applications and communications.

Infrastructure components such as servers, networks, and databases play a critical role in ensuring secure and reliable information processing. Without a sufficient infrastructure, there is an increased risk of data transmission issues between financial reporting applications, the inability for financial reporting applications to function, and a failure to promptly detect critical infrastructure failures. Configuration management is responsible for establishing and maintaining security, availability, and processing integrity controls throughout the system's life cycle. Insufficient configuration controls can result in security and availability vulnerabilities, potentially granting unauthorized access to systems and data, which can impact financial reporting.

Process: Ensuring Systems Security. Financial reporting systems and subsystems must be adequately secured to prevent unauthorized use, disclosure, modification, damage, or loss of data. Only authorized individuals should have access to perform specific functions (e.g., segregation of duties).

Rationale: Managing systems security encompasses both physical and logical controls that prevent unauthorized access. These controls typically support authorization, authentication, non-repudiation, data classification, and security monitoring. Deficiencies in this area can significantly affect financial reporting and disclosures. Insufficient transaction authorization controls may lead to inaccurate financial reporting.

Typical activities involved in controlling logical access include defining security requirements (both physical and logical aspects), implementing control solutions, enforcing segregation of duties, managing connections with partners and networks, establishing security awareness practices, maintaining documentation, and monitoring procedures and controls.

Other IT general controls related to managing IT operations involve executing authorized programs as planned, identifying and investigating deviations from scheduled processing, controlling job scheduling, processing, error monitoring, and system availability. Service levels define performance levels for measuring service quality. Any problems or incidents are responded to, recorded, resolved, or investigated for resolution. Managing operations ensures reliable application systems support the business's initiation, authorization, recording, processing, and reporting of financial information. Deficiencies in this area can significantly impact an entity's financial reporting and disclosures. Lapses in application system continuity can hinder an organization's ability to record financial transactions and undermine its integrity.

Defining and managing service levels is crucial for testing user expectations and meeting business objectives. Roles and responsibilities are clearly stated, with an accountability and measurement model in place to ensure proper service delivery. Deficiencies in this area could greatly affect financial reporting and entity disclosure. Poor management or inadequate system functionality may prevent correct processing of financial information. Management of problems and incidents involves identifying, commenting, and responding to events outside of normal operations, which can also have a significant impact on financial reporting.

The process of managing data, including backup, ensures that recorded, processed, and reported data remains complete, accurate, and valid throughout the update and storage process.
