Ndhiemanisz’s Blog


A.01 Internet Problem (Worksheet 12) February 3, 2010

Filed under: Auditing 2 — Windy Atmawardani Rachman @ 3:55 am

Windy Atmawardani Rachman (21207174)

SMAK01-7

Auditing 2


1. How does IT governance fit into an organization’s overall governance?

Answer :

IT governance fits into an organization’s overall governance as follows: the certification has been specifically developed for professionals who have a significant management, advisory, or assurance role relating to the governance of IT. The certification promotes the advancement of professionals who wish to be recognized for their IT governance-related experience and knowledge.

The certification is also intended to support the growing business demands related to IT governance, increase the awareness and importance of IT governance good practices and issues, and define the roles and responsibilities of the professionals performing IT governance work.

Besides that, this certification will benefit the individual through recognition of their professional knowledge and competencies, skill sets, abilities and experiences, and will enhance their professional standing. It will also add value to the enterprises they support through the demonstration of a visible commitment to excellence in IT governance practices.

Source: http://www.isaca.org/Template.cfm?Section=CGEIT_Certification&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=16&ContentID=36126

2. The Executive Summary makes five recommendations for management with respect to IT. What are these recommendations?

Answer :

Recommendations for management with respect to IT consist of:

  • Establish an overall cross-functional compliance team and a dedicated sub-team managed by a director-level person. The team should be supported by C-level executives and include executives from finance, IT, legal, marketing and affected business units.
  • Coordinate IT activities within the scope of an overall security and disaster recovery plan.
  • Have Finance or Audit take final responsibility to ensure compliance with SOX. Marketing should take the lead on customer data usage decisions affecting privacy as well as the Do Not Call Registry. IT is one input to the whole process.

Source : http://74.125.153.132/search?q=cache:Nhv8GFfqsaMJ:searchcio.techtarget.com/searchCIO/downloads/C_Braunstein_EDITED.ppt+How+does+IT+governance+fit+into+an+organization%E2%80%99s+overall+governance&cd=2&hl=id&ct=clnk&gl=id&client=firefox-a

3. How would an auditor likely view a company’s IT environment if the organization had implemented the above recommendations?

Answer :

If the organization had implemented the above recommendations, an auditor would likely view the company’s IT environment as follows: a judgmental approach to assessing the effect IT has on the auditor’s study and evaluation of internal controls and the nature and extent of substantive testing may no longer be adequate. Such an approach allows auditors too much leeway to decide whether to perform tests of controls or bypass such tests and only perform substantive tests. SAS 94 provides auditors with much-needed guidance regarding the effect of IT on internal controls.

The standard requires tests of controls in certain situations, regardless of the level of control risk set by the auditor. The evaluation of internal controls is not complete until the auditor obtains a sufficient understanding of the controls’ design and determines whether critical internal controls are present in the automated environment, in operation and working as intended. Public Company Accounting Oversight Board (PCAOB) Standard No. 2 upholds SAS 94 and discusses the IT control objectives to consider in assessing internal controls for US Securities and Exchange Commission registrants.

Source : http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=34376&TEMPLATE=/ContentManagement/ContentDisplay.cfm
