Auditors test the computer controls for effectiveness through inquiry and observation. Auditors also review the computer security programs, risk policies, procedures, and standards on all major systems and facilities. They further check on who is responsible for monitoring, backups, log-ins, passwords, and vulnerabilities. In addition, auditors should check for the risk of errors, risk of fraud, effectiveness of application controls, risk of financial statement misstatements regarding security of data and assets, and relevant components of internal control.
In 1998 and 1999, Y2K was the term used to describe an anticipated computer problem that would occur in the year 2000. Computers were originally designed to store and read the year as two digits instead of four. Many people thought that computer-run systems would be unable to read the year 2000 and would revert to the year 1900, potentially causing systems to fail. Many industries had to implement disaster recovery or contingency plans in preparation for this failure. As a result, auditors had to be prepared to review those plans.
Auditors must be prepared to test the effectiveness of controls and be able to evaluate a disaster recovery or contingency plan. Read the information provided in the Week 7 Application Form (linked below) about Anthony's Orchard's information system.
Week 7 Application Form
Evaluate the organizational structure and access to system program controls for Anthony's Orchard. Write a 2- to 3-page paper discussing the MDAC system and controls. Consider the following:
How would you delegate duties differently?
Did the organization use enough methods of asset protection and control provided by those methods?
What are the risks associated with the system?
What would you have done differently with system program control to improve asset protection?
Overall, does Anthony's Orchard have an effective disaster recovery/contingency plan?
Your 2- to 3-page paper should reflect the application of the resources presented this week, as well as knowledge gained from previous weeks' required or optional readings.
The security of a company's data, assets, customer information, financial statements, and systems is imperative for a business to run effectively and with a sense of confidence.
You've been learning about this topic, and how it's created, tested, and improved in your class. Your assignment mentions that you should support your work in your paper with specific citations from this past week's Learning Resources, along with any other resources you choose. Be sure to include citations where appropriate as you take the following and develop your paper.
In terms of Anthony's Orchard and MDAC's systems and controls, you're being asked to assess how secure, effective, and appropriate they are as well as how they might be improved.
How would you delegate duties differently?
What first strikes me is that Anthony's Orchard ("AO") chooses to not have any full-time personnel responsible for data processing and systems. It completely relies upon MDAC, a vendor - albeit a reputable one based on its share price, executive team, and Board of Directors organization - to handle everything. While it seems that MDAC is more than capable of managing this, wouldn't it make sense to have at least one person who worked for Anthony's Orchard, maybe a CIO, be the direct point-person and contact for MDAC? Otherwise, although we're given a good amount of information on the teams and their respective responsibilities at MDAC, there's no meaningfully effective line of communication between the company and the vendor. I would certainly think that would ensure optimized communications regarding planned and unplanned events. Otherwise, how do the teams at MDAC know exactly who to partner with at Anthony's Orchard? The vendor contract has stated limitations regarding access which implies that in the event of a disaster, or even an unexpected occurrence, MDAC will ...
This topic discusses the different types of security, controls, checks, processes, and procedures that are used to ensure a company's data and asset privacy. It considers both the effectiveness of the above and how often the tests and reviews are done. Importantly, it also focuses on the responsibilities of the business itself versus the vendor it has hired to do these things.