AlphaCo: A Teaching Case on Information Technology Audit and Security¹
Hüseyin Tanriverdi
McCombs School of Business
The University of Texas at Austin
Austin, Texas 78712-0212 USA
Huseyin.Tanriverdi@mccombs.utexas.edu
Jonathan Harrison
KPMG, LLP
Houston, Texas 77002 USA
jonathanharrison@kpmg.com
Ketan S. Mesuria
Ernst & Young, LLP
Dallas, TX 75201 USA
Ketan.Mesuria@ey.com
Joshua Bertsch
The University of Texas at Austin
Austin, Texas 78712-0212 USA
jbertsch@mail.utexas.edu
Po-Ling Hsiao
The Walt Disney Company
Burbank CA 91521 USA
Po-Ling.X.Hsiao.-ND@disney.com
David Hendrawirawan
Deloitte & Touche LLP
Houston, TX 77002 USA
dhendrawirawan@deloitte.com
ABSTRACT
Recent regulations in the United
States (U.S.) such as the Sarbanes-Oxley Act of 2002 require top
management of a public firm to provide reasonable assurance that
they institute internal controls that minimize risks over the
firm’s operations and financial reporting. External auditors are
required to attest to the management’s assertions over the
effectiveness of those internal controls. As firms rely more on
information technology (IT) in conducting business, they also
become more vulnerable to IT-related risks. IT is critical for
initiating, recording, processing, summarizing and reporting
accurate financial and non-financial data. Thus, understanding
IT-related risks and instituting internal control mechanisms
that minimize them have become important and created an urgent
need for professionals who are equipped with IT audit and
security skills and knowledge. However, there is a severe shortage
of teaching cases that can be used in courses aimed at training
such professionals. This teaching case begins to address this
gap by fostering classroom discussions around IT audit and
security issues. It revolves around a hacking incident that
compromised online order processing systems of AlphaCo and led
to some fraudulent activity. The hacking incident raises a
series of questions about IT security vulnerabilities, internal
control deficiencies, integrity of financial statements, and
independent auditors’ assessment of fraud in the context of the
Sarbanes-Oxley Act. The case places students in the roles of
executives, IT managers, and auditors and encourages them to
discuss several important questions: how and why did the hacking
incident happen; what harm did it cause to the firm; how can the
firm prevent such hacking incidents in the future; if they do
happen, how can the firm detect hacking incidents and fraud
sooner; how do auditors assess the impact of such incidents in
the context of a financial statement audit; and whether the
management and auditors have responsibility in detecting and
publicly reporting fraud. The case also facilitates the teaching
of relevant conceptual frameworks such as COSO (Committee of
Sponsoring Organizations of the Treadway Commission) and COBIT
(Control Objectives for Information and related Technology).
Keywords: Information
technology, risk, internal control, security, hacking, audit,
fraud, financial reporting, compliance, Sarbanes-Oxley Act,
teaching case
1. AlphaCo is a fictitious company. The purpose of this
teaching case is to serve as a basis for classroom
discussions rather than to illustrate effective or
ineffective handling of IT audit and security issues.
Hypothetical facts and scenarios are used to enrich
classroom discussions. Resemblance to any real company is
unintentional. The teaching case is prepared by Joshua
Bertsch, Jonathan Harrison, Po-Ling Hsiao, and Ketan Mesuria
as part of their student team project in the IT Audit &
Security Course at the Red McCombs Business School. The
project was completed under the professional guidance of
David Hendrawirawan and the academic supervision of
Professor Hüseyin Tanriverdi. The project won the Best
Student Project Award of the Austin Chapter of ISACA during
the 2005 spring semester.