1. Accounting and Information Systems: a powerful combination

2. 2C OBI T – Controlling and Auditing IS Internal Control: A Fundamental Accounting Concept Controls are policies, procedures, and information systems (IS) that protect assets from loss or embezzlement, support regulatory compliance, promote efficiency, and ensure accurate financial data In today’s IS enabled world, controls related to IS are very, very important because of: Increasing regulation Increasing IS risk

3. 3C OBI T – Controlling and Auditing IS One Reason for Internal Control: Laws Require Them Bank scandals in the 80’s and later debacles at WorldCom and Enron brought us the Sarbanes-Oxley Act of 2002 (SOX) –Management is responsible for internal control and financial reporting procedures and –Annual reports must asses internal controls Financial statements are expected to: –Be presented properly AND –Reflect what really happened Under SOX, officers submitting inaccurate certifications are subject to –A fine of up to $1m + 10 yrs –Or if purposeful, up to $5m + 20 years

4. 4C OBI T – Controlling and Auditing IS A More Important Reason: IS Failure = Business Failure 2 out of 5 enterprises that experience a disaster go out of business within 5 yearsgo out of business within 5 years Oregon – Department of Corrections –AFAMIS 2005 - was still converting to software that was already out of date – no disaster recovery plan – inaccurate data – security issuesAFAMIS 2005 NASDAQ 2006 – Change management –A new piece of equipment caused incorrect data to go out on the busiest trading day everincorrect data Canadian Utility TransAlta lost $24M to copy/paste errors in a spreadsheetCanadian Utility TransAlta lost $24M

5. 5C OBI T – Controlling and Auditing IS Systematically controlled IS functions aim to: –Provide value, –Push the envelope, and –Mitigate risk Business As Usual Management Inattention Information Systems and Risk “We’ll write the documentation later” “We won’t get hacked, we’re too small to be on a hacker’s radar” “Pick the best solution for our department” Scale and cost SOX Compliance Threat vulnerability Increased IS dependence IS’s role in organizational change “There’s no real need for a log file” “It will be plenty fast” “We’ll delete that old user ID later”

6. 6C OBI T – Controlling and Auditing IS Good IT Controls Ensure that an Organization Plans and organizes for effective IS –aim for strategic, sufficient, & secure Acquires new systems thoughtfully –they’ll do the right thing at the right price Delivers IS services effectively –reliable, cost effective, secure Monitors IS processes to make them better –measure your actions: expected cost? expected reliability? expected results?

7. 7C OBI T – Controlling and Auditing IS How Does an IS Auditor Know? Two (of the many) Tools to Help: Control Objectives for Information & Related Technology (C OBI T): –Comprehensive checklists for IT, supports auditing, doesn’t directly address software development or give a roadmap for improvement IT Infrastructure Library (ITIL): –IT service delivery and management best practices

8. 8C OBI T – Controlling and Auditing IS Obtaining an understanding Obtaining an understanding of business requirements-related risks, and relevant control measures Evaluating the appropriateness Evaluating the appropriateness of stated controls Assessing compliance Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously Substantiating the risk Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources What Does an Auditor Do?

9. 9C OBI T – Controlling and Auditing IS How Can You Learn More? OSU’s Accounting/IS Program Why would you do the Accounting Information Systems option? –Strong IT skills help all accountants –Every audit has to consider the IS that provides the data –IS auditing is a valuable specialty –Accounting firms also do IS consulting –Certified by ISACA to reduce experience requirements for CISA certification