Case Study 4 – Due 11/10

Scenario 1
Consolidated Company (Audit Program for Access Controls)

Jason Saving is an IT auditor for a large, public accounting firm. His manager has assigned him to the Consolidated Company audit. The IT auditors must complete several evaluating and testing procedures in order to help determine the scope of the financial audit. The IT auditors also need to evaluate IT controls to provide the financial auditors with information in order to form an opinion on internal controls as part of Sarbanes-Oxley compliance.

Consolidated Company manufactures automotive parts and supplies them to the largest automakers. The company has approximately 1,500 employees and has manufacturing operations and offices in three locations. Consolidated uses a mid-sized ERP software program for manufacturers that they acquired and implemented two years ago.

You need to develop an audit program to examine logical access to the ERP system. According to the Security Administrator at Consolidated, each employee is assigned a unique User ID and password when they join the company. The company is very concerned about security, so there is no remote access to the ERP system. The ERP system requires that users change their passwords every six months. System and group settings assigned to each User ID determine what parts of the ERP system are available to each user.

(Explain your answers in detail. Your answer to each question should be at least 100 words.)

1. Explain how a deficiency in controls over User IDs and passwords might affect the financial statements.
2. Why is it necessary to examine User IDs and passwords?
3. Describe at least four control procedures that Consolidated should have in place to ensure that only authorized users access the system and that user access is limited according to their responsibilities.

Scenario 2
Basic Requirements (Systems Reliability Assurance)

Kara and Scott Baker own a small retail company, Basic Requirements, with one store located in a small college town and a website through which customers can make purchases. The store sells traditional but up-to-date clothing for young women such as tee-shirts, jeans, chinos, and skirts. The store has been open for 10 years, and the owners added the online shopping capability just last year. Online business has been slow, but Kara and Scott believe that as student customers graduate from the university they will use the online site to continue to have access to their favorite store from their college days.

The store’s website has many features. It classifies clothing by type, and customers can view items in various colors. To purchase an item, the user clicks on the icon depicting the desired product and adds it to an individual online shopping basket. The customer can view the basket and make a purchase at any time while browsing the site. When checking out at the site, a new customer must first register, providing billing and shipping information, as well as credit card data. Returning customers log in with the identification code and password they created when they registered. They also use that method to check on an order status. If a customer forgets their login information, they can simply click on a link to have it emailed to them. Once a user registers, Basic Requirements’ system will automatically add their email address to a file that they use to regularly send out emails about sales and other promotions.

Kara and Scott are concerned about internal controls in their business. They especially worry because they know that their web access creates some special risks. They have asked one of their customers who is an accounting student at the university to evaluate the reliability of their information system with respect to security, availability, and privacy.

(Explain your answers in detail. Your answer to each question should be at least 100 words.)

1. Identify two security, availability, and privacy risks that Basic Requirements faces.
2. For each risk identified above, describe two internal controls Basic Requirements should use to protect against these risks.
3. The accounting student who is evaluating the reliability of Basic Requirements’ information system is interested in becoming an IT auditor. Describe some of the specific actions an IT auditor would take to verify that Kara and Scott have adequate controls in place concerning privacy.

ACCT 4020 Case Study Guidelines

1. Your full name and case study number should appear on the first page (refer to case study exemplar posted on eCourseware).
2. Your typed answer sheet does not need to include the scenarios.
3. Number your answers correctly so your instructor can refer to them.
4. Type your answers single-spaced, with margins of standard width (usually 1 inch on the sides and bottom and 1 1/2 inch on the top). Use Times New Roman font size 12.
5. You must acknowledge the sources of all your information and any ideas or interpretations you have taken from other works. These references are usually placed into notes, with a bibliography at the end of the paper that lists all works used.
6. Plagiarism. This serious academic offense can take many forms, including using another writer’s phrase without putting it into quotation marks, not giving the source for a quotation, taking information from other works without acknowledgment, presenting other people’s ideas as if they were your own, or submitting content that you did not write.
7. You may not use content you wrote for one course to fill an assignment in another class.
8. Submit your case studies to the submission dropbox on eCourseware. You will be submitting the assignment to “OriginalityCheck” in order to check for plagiarism.
“OriginalityCheck” will generate a report identifying the extent to which your paper matches with other sources. Some level of matching is inevitable, due to references, etc. If your paper matches other sources in excess of 30%, I will review the report and determine if plagiarism is present. If 50% matches and I find that no plagiarism has occurred, i.e., 50% of the paper is based on properly cited quotes, I will nonetheless reduce the grade on the premise that the majority of the thoughts represented in the paper are based on someone else’s work.