MAINTENANCE OF INFORMATION TECHNOLOGY CONTROLS (STUDY OBJECTIVE 11)

Over time, the cost of computer hardware and software has dramatically decreased, while computing power has vastly increased. This means that today most small companies can afford to maintain computerized accounting systems, while larger companies place even greater reliance on computer-based systems. Information technology now plays such an important role in organizations that any failure in these systems can halt such ongoing operations as sales, manufacturing, or purchasing. IT systems have become the lifeblood of operations for most companies.

There is a paradox in this increased use of information technology. Computerized systems increase the efficiency and effectiveness of the organizations that use them; but at the same time, they increase vulnerability. The more that an organization relies on information technology, the greater the risks are, including unauthorized access, hackers, business interruption, and data inaccuracies. These extra risks call attention to the need for internal controls over and above those described in the COSO report.

In response to this need, the Information Systems Audit and Control Association (ISACA) developed an extensive framework of information technology controls, entitled COBIT, for Control Objectives for Information Technology.[9] COBIT is extremely important guidance for those who design or audit IT systems. The AICPA and the Canadian Institute of Chartered Accountants have jointly developed IT control guidelines, related to COBIT, commonly referred to as the Trust Services Principles.[10] This guidance addresses the risks and opportunities of information technology, and the most recent version became effective in 2006. The Trust Services Principles are designed to be the written guidance for CPAs who provide assurance services for organizations. Many types of work performed by CPAs can be called assurance services, but the specific types covered by the Trust Services Principles are Trust Services, SysTrust®, and WebTrust®. For these services, a CPA firm is hired to examine the company's IT and Web-based systems and to issue an opinion and recommendations about the security, availability, processing integrity, privacy, and confidentiality of those systems. In other words, these principles describe the type of IT controls that an IT auditor would expect to find in an audit of IT systems.

In the subsequent chapters of this text that include business processes and controls, the Trust Services Principles' internal control structure will be used as the context in which IT internal controls are described. For any business process, there should be both accounting internal controls as in COSO, and IT controls as in the Trust Services Principles. The following section describes the Trust Services Principles.

Risk and controls in IT are divided into five categories in the Trust Services Principles, as follows:

  1. Security. The risk related to security is unauthorized access, which may be either physical access or logical access. An example of unauthorized physical access would be a person breaking into the computer room and damaging computer equipment. An example of unauthorized logical access would be a hacker stealing data such as credit card numbers. Internal controls must be designed and implemented to limit both types of unauthorized access.
  2. Availability. The risk related to availability is system or subsystem failure due to hardware or software problems. An example of a risk that can cause interruptions to the system would be a virus that causes the system to slow down or fail. Internal controls can be implemented to limit the chances of failure and thereby help improve availability of the system to process information and support ongoing business.
  3. Processing integrity. The risk related to processing integrity could be inaccurate, incomplete, or improperly authorized information. An example of this type of risk would be an error in entering hours worked for a worker's pay. The person keying hours worked into the payroll software might accidentally type an incorrect number of hours. Controls should be implemented to reduce erroneous, incomplete, or unauthorized transactions or data.
  4. Online privacy. The risk in this area is that personal information about customers may be used inappropriately or accessed by those either inside or outside the company. An example is the theft of credit card numbers when orders are placed through the company website. Internal controls should be implemented to limit the chance of personal information being misused.
  5. Confidentiality. The risk related to confidentiality is that confidential information about the company or its business partners may be subject to unauthorized access during its transmission or storage in the IT system. Examples of confidential information are banking information and price lists. Most companies do not wish to allow price lists to be available to competitors. Controls can be implemented to limit unauthorized access to confidential information.
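The processing integrity category above is the one most directly enforced in application code: the payroll example (a clerk keying the wrong number of hours) is a classic case for an input control that rejects inaccurate, incomplete, or improperly authorized entries before they reach the payroll run. The following is an added example, not from the textbook or from any payroll product, of such a control in Python. The field names, the 16-hour daily limit, the pay period end date, the list of authorized approvers, and the sample timesheet entries are all constructed assumptions for the illustration; the checks it applies (completeness of required fields, a numeric range check on hours, a date check, and approval by someone other than the preparer) are the kinds of controls the chapter describes.

```python
"""Added example (not from the textbook): a processing-integrity input
control for payroll hours entry. It classifies each rejected entry under
one of the three risks the chapter names: inaccurate, incomplete, or
unauthorized. All limits, user ids and sample records are assumptions
constructed for this illustration."""
from dataclasses import dataclass
from datetime import date

# Assumed policy values (constructed for the example).
MAX_HOURS_PER_DAY = 16.0
PAY_PERIOD_END = date(2024, 3, 8)
REQUIRED_FIELDS = ("employee_id", "work_date", "hours", "entered_by", "approved_by")
AUTHORISED_APPROVERS = {"mgr_001", "mgr_002"}


@dataclass(frozen=True)
class Finding:
    category: str  # "inaccurate", "incomplete" or "unauthorized"
    message: str


def check_entry(entry: dict) -> list:
    """Return the list of control findings for one timesheet entry (empty if it passes)."""
    findings = []

    # Completeness control: every required field must be present and non-empty.
    for name in REQUIRED_FIELDS:
        if entry.get(name) in (None, ""):
            findings.append(Finding("incomplete", f"missing field {name!r}"))

    # Accuracy control: hours must be numeric and within the policy range.
    raw_hours = entry.get("hours")
    if raw_hours not in (None, ""):
        try:
            hours = float(raw_hours)
        except (TypeError, ValueError):
            findings.append(Finding("inaccurate", f"hours {raw_hours!r} is not numeric"))
        else:
            if not 0 < hours <= MAX_HOURS_PER_DAY:
                findings.append(Finding("inaccurate", f"hours {hours:g} outside (0, {MAX_HOURS_PER_DAY:g}]"))

    # Accuracy control: the work date must parse and fall within the pay period.
    raw_date = entry.get("work_date")
    if raw_date:
        try:
            work_date = date.fromisoformat(raw_date)
        except ValueError:
            findings.append(Finding("inaccurate", f"work_date {raw_date!r} is not a valid date"))
        else:
            if work_date > PAY_PERIOD_END:
                findings.append(Finding("inaccurate", f"work_date {raw_date} is after the pay period end"))

    # Authorization control: approver must be on the list and must not be the preparer.
    approver = entry.get("approved_by")
    if approver:
        if approver not in AUTHORISED_APPROVERS:
            findings.append(Finding("unauthorized", f"{approver!r} is not an authorised approver"))
        elif approver == entry.get("entered_by"):
            findings.append(Finding("unauthorized", f"{approver!r} approved an entry they keyed themselves"))

    return findings


def review_batch(entries: list) -> dict:
    """Apply check_entry to a batch; accepted entries contribute to an hours control total."""
    accepted, rejected = [], {}
    for idx, entry in enumerate(entries):
        findings = check_entry(entry)
        if findings:
            rejected[idx] = findings
        else:
            accepted.append(entry)
    hours_total = sum(float(e["hours"]) for e in accepted)
    return {"accepted": len(accepted), "rejected": rejected, "hours_total": hours_total}


# Constructed sample batch: one clean entry and four that each trip a different control.
SAMPLE_ENTRIES = [
    {"employee_id": "E100", "work_date": "2024-03-04", "hours": "8", "entered_by": "clerk_01", "approved_by": "mgr_001"},
    {"employee_id": "E100", "work_date": "2024-03-05", "hours": "80", "entered_by": "clerk_01", "approved_by": "mgr_001"},
    {"employee_id": "E101", "work_date": "2024-03-05", "hours": "7.5", "entered_by": "clerk_01", "approved_by": ""},
    {"employee_id": "E102", "work_date": "2024-03-06", "hours": "8", "entered_by": "mgr_002", "approved_by": "mgr_002"},
    {"employee_id": "E103", "work_date": "2024-03-06", "hours": "eight", "entered_by": "clerk_02", "approved_by": "mgr_001"},
]

if __name__ == "__main__":
    result = review_batch(SAMPLE_ENTRIES)
    print(f"accepted {result['accepted']} entries, control total {result['hours_total']:g} hours")
    for idx, findings in result["rejected"].items():
        for f in findings:
            print(f"entry {idx}: [{f.category}] {f.message}")
```

Run as a script, it accepts only the first entry and reports the keyed "80" as inaccurate, the missing approver as incomplete, the self-approved entry as unauthorized, and the non-numeric "eight" as inaccurate. The range check is what catches the textbook's typing error, but note that it cannot catch a wrong value that is still plausible (say 7 keyed instead of 8); that residual risk is why the control is paired with an independent approval and a batch control total rather than relied on alone.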

When IT controls are being considered, it is important to understand the nature of the risks so that the controls can be designed and used to limit these risks. As in the case of COSO accounting controls, any IT control implemented should have benefits that exceed the costs of the control. As the risks and controls are described, many controls can be effective in several of the five categories. For example, the use of a password when a user logs in should be of assistance in limiting risks related to security, availability, processing integrity, privacy, and confidentiality. That is, the use of passwords helps limit unauthorized access that could result in security problems (security), theft of private or confidential data (privacy and confidentiality), unauthorized transactions being processed (processing integrity), and hacking that interrupts system processing (availability). The next chapter describes risks and controls in the first four categories: security, availability, processing integrity, and confidentiality. Because privacy is more closely related to e-commerce, it is discussed in the chapter on e-business and e-commerce, later in the text.
