Complete Caselet 5 Software Programs Inc. for the Caselets [5, pages 16-17]. Wri
Question
Complete Caselet 5 Software Programs Inc. for the Caselets [5, pages 16-17]. Write at most 4 pages on the 4 questions at the end.
This is the information on pages 16-17, and the question is below.
Caselets: IT Governance Institute. IT Governance Using CobiT® and Val IT™: Caselets, 3rd Edition. 2010.
© 2010 ISACA. All rights reserved.
5. Caselet: Software Programs Inc.
Learning Objective
Software Programs Inc. was selected to focus on IT audit’s approach to the audit of the financial statement.
Introduction
Hy Fenation is Director of IT Audit for Software Programs. He has been working with AuditGen PC, the external auditor, to prepare for
the annual audit. Software Programs recently became a public company and is now required to include an integrated audit of the financial
statements as well as the internal controls that support the financial statements. Hy has met with the engagement partner, Dalton Walton,
to discuss internal audit’s participation in the audit of IT control and must now document a plan.
Background
Company
Software Programs is a provider of office productivity software, including word processing, spreadsheet and presentation applications.
During 2009, Software Programs initiated an initial public offering (IPO) and was required to satisfy the internal control provisions of the
US Sarbanes-Oxley Act of 2002.
Industry
Software Programs is in the software development and sales business. This process includes the development, sales, distribution and
maintenance of business software. Software Programs' primary competition includes Microsoft® with its Office applications and also
includes OpenDocuments.org, a freeware provider of software.
Key Players
The key players are:
• Hy Fenation, Director of IT Audit, Software Programs
• Dalton Walton, Audit Partner, AuditGen PC
• Mikhail Dobrasky, Chief Financial Officer (CFO), Software Programs
• Francois Vert, Chief Information Officer (CIO), Software Programs
Issue
Dalton Walton has met with internal audit management to discuss the annual external audit of Software Programs. Software Programs
operates distinct networks that are protected by firewalls:
• Administrative systems—This network includes the financial systems: general ledger, receivables, payables, sales, inventory
and payroll.
• Research and development (R&D)—All applications development and testing are performed on the R&D network. Once applications
have been tested, they are transferred to a production library for distribution.
• Web operations—This network includes the sales and support web site, which also includes the call centre operations.
Mikhail Dobrasky, CFO, provided an overview of critical operations. The highlights of this presentation are:
• Software is developed and tested, after which a release to manufacturing (RTM) version is produced. This version is sent to Digital
Stream for production. Two versions of software are created—media and download.
– Digital Stream maintains the download version on its web site. Customers may buy a copy and download it. As these are credit card
transactions, Digital Stream will process the payments, obtain the remittance from the credit card processor, and remit sales figures
and payments to Software Programs on a monthly basis. Download sales revenue represents 10 percent of sales.
– Media versions are sent to the Software Programs distribution centre where they are placed into the finished goods inventory.
• Software Programs performs all sales and distribution of media from inventory and either invoices the customers directly or accepts
credit card payments. Media sales revenue represents 15 percent of sales.
• Software Programs sells site licences to its customers using in-house, direct-sales staff. R&D has developed a complex licencing
mechanism to ensure that site licence customers do not exceed their licences. Site licence revenue represents 40 percent of sales.
• Software Programs provides support either as a fee per incident or via support contracts. Support contracts can be for one, two or three
years and include future upgrades. Per-incident support is infrequent and not material. Support contract revenue represents 35 percent
of sales.
Francois Vert, CIO, provided an overview of the IT architecture:
• The accounting system is a purchased application from PearTree Software Inc. It operates on a dedicated Linux computer with the
MySQL® database. PearTree uses an online entry process for receivables, payables, payroll entry, internal sales (media, licence and
support sales) and inventory. Batch processes are initiated through an automated scheduler, nightly, to process invoices, process
materials receiving and generate checks. Digital Stream provides a data file containing download sales, which are updated through a
batch process monthly.
• Site licences and the licence management system operate on a separate Windows server on the administrative systems network. This
application feeds the accounting system with site licence sales. All adjustments to site licence sales are also processed on this system.
• Support contract sales operate on the same physical equipment as site licence sales, but are processed by a separate application.
• Since the Software Programs software operates on Macintosh, Windows and Linux platforms, the R&D organisation maintains test
environments for each platform. Software development utilises a baseline C code, with platform-dependent extensions developed for
each platform.
Hy Fenation, Director of IT Audit, has indicated that the internal audit department has adopted the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) framework as its control framework and COBIT as its framework for governing
and controlling IT.
Decision to Be Made
Hy Fenation has asked you to assist him in preparing the planning document for the audit.
Questions
Hy has requested you prepare the following:
1. Provide a brief description of the audit process required to satisfy the auditing of IT controls over financial reporting. Hy indicated that
he believed there were six processes.
2. Based on the presentations by the Software Programs executives, perform a risk assessment of the infrastructure and applications to
identify the processes that need to be included in the audit.
3. Explain to Hy the process of evaluating control design and operating effectiveness.
4. Identify the processes you believe should be included in the evaluation of control design and operating effectiveness.
Explanation / Answer
Three common issues usually arise that, if expected, can be managed effectively. First is the confusion among auditors and senior management regarding the differences between continuous auditing and continuous monitoring. Second is the need for auditors to understand the role of continuous auditing as a meta control. And third is the concern that implementing continuous auditing will lead to a loss of independence and objectivity as audit professionals become operationally involved in the process.
· Continuous Monitoring vs. Continuous Auditing
Typically, continuous monitoring is a management function to ensure that company policies, procedures, and business processes are operating effectively and addresses management's responsibility to assess the adequacy and effectiveness of internal controls.
· Meta Control
Continuous auditing also tends to be dynamic in nature (i.e., the auditor can turn continuous audit processes on and off based on current system loads by reconfiguring these activities according to the internal audit plan). Therefore, by monitoring particular configurable items, continuous auditing provides an additional level of controls and acts as a meta control.
· Independence and Objectivity
Finally, because continuous audit activities are different from those taking place during a more traditional audit, audit principles need to be re-conceptualized. This is because continuous auditing often places the auditor in the middle of the transaction flow.
· Key Steps to Implementing Continuous Auditing
2. Based on the presentations by the Software Programs executives, perform a risk assessment of the infrastructure and applications to
identify the processes that need to be included in the audit.
Risk Assessment, as part of Risk Management, consists of several processes:
Risk Management recognizes risk, assesses risk, and takes measures to reduce risk, as well as measures for risk maintenance on an acceptable level. The main aim of Risk Assessment is to make a decision whether a system is acceptable, and which measures would provide its acceptability. For every organization using IT in its business process it is significant to conduct the risk assessment. Numerous threats and vulnerabilities are presented and their identification, analysis, and evaluation enables evaluation of risk impact and proposing of suitable measures and controls for its mitigation on the acceptable level. In the process of risk identification, its sources are distinguished by a certain event or incident. In that process, the knowledge about the organization, both internal and external, has an important role. Besides, past experiences from this or a similar organization about risk issues are very useful. We can use many techniques for identifying risk: checklists, experienced judgments, flow charts, brainstorming, Hazard and Operability studies, scenario analysis, etc.
3 & 4. Explain to Hy the process of evaluating control design and operating effectiveness.
Operating effectiveness involves evaluating whether internal control is operating as designed. (Was the control performed? Was the control consistently performed? Was the control performed by a person who had the necessary authority and qualifications to perform the control effectively?).