Collins Harp Enterprises Recommending It systems development controls   Mark S

Subject:AccountingPrice: Bought3

Share With

Collins Harp Enterprises Recommending It systems development controls

 

Mark S. Beasley · Frank A. Buckless· Steven M. Glover · Douglas F. Prawitt LEARNING OBJECTIVES After completing and discussing this case you should be able to [1] Recognize risks associated with the IT organizational structure and systems development processes at a potential audit client [2] Identify general IT-related controls that, if implemented, could reduce risks associated with IT systems development [3] Communicate negative information to a potential new audit client in a way that might lead to new audit services for that company BACKGROUND You are the new information technology (IT) audit specialist at the accounting frm of Townsend and Townsend, LLP. One of the audit partners, Harold Mobley, asked you to evaluate the efectiveness of general and application IT-related controls for a potential new audit client, Collins Harp Enterprises, which is a privately-held business. During a round of golf last week, an executive of Collins Harp Enterprises asked Harold to have someone with good IT training look at the company’s IT systems development process. Harold recently summarized the following information about Collins Harp’s IT systems development process based on his recent conversation with Linda Seth, IT Vice President at Collins Harp. IT SUMMARY Because of the company's unique business processes, Collins Harp Enterprises develops most of its computer software applications in-house. Over the past several years, Linda Seth has been able to hire several good software programmers with relatively strong programming experience. She has assembled a team of five programmers who handle most of the application and systems programming needs. Because of their strong backgrounds, Ms. Seth involves all five programmers in new application developments or modifications to existing applications and also involves all of them in operating, security, utility, and other system software programming and maintenance tasks. The staff is relatively versatile, and any one of them is able to handle the programming demands of most changes. Linda notes that because the programmers are typically more “free-spirited,” she prefers to give the programmers relatively free latitude in the development of new applications or modifications to existing applications. She comments that the programmers like to view their work as a form of art. As a result, she notes that the programmers “attack” the programming logic development using their own, unique programming style and approach. She believes that such “freedom” for the programming staff enhances the quality of the application development. New applications are generally initiated by Linda after she identifies suggestions for changes to existing applications based on conversations with similar IT personnel at other companies. Because she regularly attends IT development conferences, she believes that she is in the best position to identify ways to improve current application procedures. Occasionally, non-IT personnel (like accounting department personnel who work with the accounting systems) identify suggested changes. Linda notes that she generally hears about application changes or new application ideas from non-IT personnel in informal settings such as over lunch in the company cafeteria or when bumping into people in the office hallways. She also monitors emerging trends in the industry, such as the growing use of cloud computing. When that occurs, she makes a mental note to take back to her programming staff. When applications are developed or changes are made, the assigned programmer generally telephones or emails the non-IT personnel primarily responsible for the application to discuss the programmer’s suggested modification and to get their unofficial “blessing” to proceed. Occasionally, the programmer meets with the respective personnel, if requested. However, the programmers generally feel that such meetings have limited benefit because users have very little understanding of the programming logic used. If the programmer is making a modification to an existing application, he or she makes a copy of the current version of the software program being used so that they don’t have to reprogram the entire application. Before beginning, the programmer generally tries to meet with the programmer who was previously involved with any programming associated with this application to get a “big picture feel” for the application. Given the small size of the programming staff, the programmer can generally identify the person last involved with this application by talking with the other programmers. The programmer locates documents related to the programming logic maintained in the programming department’s files. Generally, this documentation includes electronic files and memos that contain the programmer's notes about his or her programming logic used to program the software application. The newly assigned programmer is able to recreate a trail of the most recent modifications to the application from these notes. Programmers test all application developments and modifications. To increase the independence of the testing, Linda assigns a different programmer to perform the testing of the application before implementation. The test programmer creates a fictitious data set by copying one of the actual data sets used in the relevant application. The test programmer performs a test of the new application or modification and documents the results. Linda says that there are tight controls over program testing because of her detailed reviews of all program test results and personal approval of each program before implementation into live production. And, she adds that copies of all test results are maintained in the files for subsequent review. Once Linda believes that the program is accurately processing the test data, she approves the program for implementation into live production. Linda notes that it is a big event for the programmers when their application is ready for implementation. She comments that the programmers take pride in the completion of the project and that all the programmers celebrate once the project programmer announces that he or she has compiled the final version into object code and forwarded the object code version to the IT Librarian.

[1] The Committee of Sponsoring Organizations of the Treadway Commission (widely known as COSO) revised its Internal Control - Integrated Framework to update its guidance to reflect a number of advancements in best practices, including those related to information technologies. Visit COSO's website (www.coso.org) to obtain an Executive Summary of the revised Internal Control - Integrated Framework. Review that summary to answer the following questions: [a] What are the five components of internal control? [b] What is the relationship between the components of internal control and the principles of internal control and how many principles are in the framework? [c] One of the principles describes the importance of general controls. Identify the component of internal control that principle addresses and describe why COSO embedded that principle in that component.

[2] Review auditing standards or COSO's Internal Control - Integrated Framework to answer the following questions: [a] What are "technology general controls"? [b] How do "technology general controls" differ from "automated controls"? [c] What is the main focus of general controls over technology acquisition, development, and maintenance processes?

[3] Harold would like you to prepare a draft letter to Linda Seth that [a] Describes deficiencies in the Collins Harp IT system development and program change process. [b] Provides a brief description explaining your primary concern for each defciency noted in part [a]. [c] Includes a recommendation of an IT system development control that could be implemented to minimize your concern for each deficiency described in part [a]. Remember you are writing to Linda Seth at Collins Harp. Therefore, prepare your response in a letter (not memo) format. Be sure to be professional in your response. You want to pinpoint obvious deficiencies without being offensive, given that Collins Harp could become a new client. As an alternative to preparing a draft letter, your instructor may ask you to complete the worksheet on the following page (Note: You can download an electronic version of the worksheet at www.pearsonhighered.com/beasley).