IT Audit and Control: Freddie Mac Scandal - Comprehensive Analysis
Added on 2021/05/27
AI Summary
This report provides an in-depth analysis of the IT audit and control failures associated with the Freddie Mac scandal. It begins with an executive summary and table of contents, followed by an introduction to the case. The report identifies managerial and organizational risks, including disgruntled employees, risks from mobile devices, unpatched devices, and third-party services. It then discusses audit methodologies, encompassing planning, risk analysis, evaluation of internal controls, auditing testing, and reporting risks. The report examines post-implementation auditing processes within the regulatory environment of Freddie Mac. It classifies primary IT controls and their effects on business operations, including how technologies, processes, and people can work in harmony. It also classifies security controls and business continuity planning. The report further explores the impact of IT auditing on business operations and decision-making, as well as professional, legal, and ethical responsibilities. Finally, it concludes with a summary of findings and includes a list of references. This report is designed to provide a comprehensive understanding of the IT audit and control failures that occurred at Freddie Mac and their implications.

Running head: IT AUDIT AND CONTROL
IT Audit and Control
(Freddie Mac Scandal)
Name of the student:
Name of the university:
Author Note

Executive summary
The study focuses on IT audit controls for Freddie Mac, a government-sponsored organization in Virginia. Various IT controls and their effects on the business are discussed. The report also discusses the legal, professional and ethical responsibilities that apply during IT audits.

Table of Contents
1. Introduction
2. Identification of managerial and organization risks
3. Audit methodologies, reviewing auditing and post implementation auditing
3.1. Audit methodologies and designing
3.2. Processes in post implementation auditing at the regulatory environment of Freddie Mac
4. Classification of primary IT controls and effect on various related business operations for managing risks of business and assuring system effectiveness
5. Classification of security controls and business continuity planning
6. Impact of IT auditing on business operations for decision making
7. Discussion on professional, legal, and ethical responsibilities
7.1. Professional Roles
7.2. Legal roles
7.3. Ethical roles
8. Conclusion
9. References

1. Introduction:
Freddie Mac is a leading public, government-sponsored enterprise in Virginia. The company's accounting scandal came to light in June 2003, when it revealed that it had misstated earnings by about 5 billion dollars.
The following report discusses various controls and audit controls for Freddie Mac, along with the design of audit reviews. It then classifies the primary IT controls and their effect on related business operations for managing business risks and assuring system effectiveness. Finally, it describes the ethical, legal and professional roles in IT audits.
2. Identification of managerial and organization risks:
The managerial and organizational risks related to planning and conducting Freddie Mac's IT audits and control activities are discussed below.
| Risk | Description |
| --- | --- |
| Disgruntled employees | Internal attacks are one of the active threats facing systems and data. Rogue employees, particularly members of Freddie Mac's IT group with knowledge of and access to admin accounts, data centres and networks, have been able to cause serious harm. |
| The risk from mobile devices | Data theft is a high risk because employees use mobile devices to share data, access Freddie Mac's information, or even neglect to change mobile passwords. Mobile security breaches currently affect more than 50% of organizations worldwide (Chou, 2015). Freddie Mac has embraced BYOD, and so faces exposure to risks from these devices on the corporate network, which lies behind a firewall and includes VPN. This occurs when an application installs malware or Trojan software that then uses the device's network connection. |
| Unpatched or unpatchable devices | This refers to network devices such as routers and printers that run firmware and software. Either a patch for a vulnerability in them has yet to be created or sent, or the hardware was not designed to be upgraded after vulnerabilities are found. |
| Third-party services | As technology has become more complex and specialized, Freddie Mac has depended more on vendors and outsourcers to maintain and support its systems. For instance, the organization has often outsourced the maintenance and management of point-of-sale (POS) systems to third-party service providers (Vasarhelyi & Halper, 2018). These third parties use remote access tools to connect to the company's network, but they have not followed various security best practices. For instance, they have used the same default password to connect remotely to every client. Once hackers learn the password, they gain a foothold in the networks of all of those clients. |
3. Audit methodologies, reviewing auditing and post implementation auditing:
3.1. Audit methodologies and designing:
For Freddie Mac, these are analyzed below.
Planning:
The expert teams gain an understanding of the operations, internal controls and information systems, and construct an audit timetable that meets the requirements.
Risk analysis:
This knowledge helps in analyzing financial reporting risks, especially in business-critical areas (Newton et al., 2015).
Evaluation of internal controls:
Internal controls are key to becoming a more stable organization. Improvements are suggested alongside testing of the internal controls.
Auditing testing:
Freddie Mac uses sophisticated tools, including data interrogation software, to analyze transactions and balances and to develop its operations.
Reporting risks:
Freddie Mac can apply extra checks to assure the accuracy of the work. The raw results are then turned into actionable insights so that improvements can be driven quickly across the organization (Leitch, 2016).
3.2. Processes in post implementation auditing at the regulatory environment of Freddie Mac:
Freddie Mac has decided to conduct a post-implementation audit for the current case. This is a top-to-bottom analysis of the hard and soft benefits of the strategic information system, the project management process used to deploy it, and the security system. Because IT miscalculated the number of people who would need to use the system, ROI was driven down by the cost of ordering extra licenses (Yee et al., 2017). The POA has also shown that the system has saved the company more than 100,000 dollars per year.
4. Classification of primary IT controls and effect on various related business operations for managing risks of business and assuring system effectiveness:
| Primary IT controls | Effects on Freddie Mac's business controls |
| --- | --- |
| How technologies, processes and people can work in harmony | When a user's access request is approved, it is routed to the information security access coordinators, who use documented processes to grant access. Once access has been granted and the process for sharing the user's ID and password has been followed, the technical access control system takes over. |
| Determining whether to disclose the IT controls | By the time the general public is aware of a flaw, a community of hackers has developed workable exploits and disseminated them far and wide to take advantage of it. This happens before the flaw can be closed down or patched (Vovchenko et al., 2017). Because of this, open disclosure benefits the general public more than is acknowledged by critics who claim that it provides hackers with the same data. |
5. Classification of security controls and business continuity planning:
Classifying the security controls:
The organization's security policies encompass environmental and physical security, ensuring that all sensitive resources and processing facilities are secured. They are protected through defined security controls that are linked to business risks. Authorization is the function of specifying access privileges and rights to resources; it relates to information and computer security in general and to access control in particular (Christ et al., 2015). Operations security identifies critical data and determines whether friendly actions can be observed by adversary intelligence. This helps in determining whether information obtained by adversaries could be interpreted in a way that is useful to them. Freddie Mac's network security covers the various types of computer networks, both private and public, that are used for daily tasks such as conducting transactions and communicating among businesses, people and government agencies.
Business continuity plan:
For Freddie Mac, the business continuity plan is a vital function of the business. It helps identify the processes and systems that can be sustained, details the ways to manage risks, and considers possible business disruptions.
Necessities of IT audits and relationship with financial reporting:
IT audits are vital for securing Freddie Mac's business and helping it thrive. They focus on ensuring robust internal control systems that minimize the risk of deliberate and accidental errors. Potential creditors and stakeholders analyze Freddie Mac's financial statements and calculate various financial ratios (Bin-Abbas & Bakry, 2014), using the data they contain to identify economic strengths and weaknesses. This also helps determine whether the company is a good credit or investment risk. Managers use the statements to aid decision making.
6. Impact of IT auditing on business operations for decision making:
Freddie Mac's IT auditing has a great impact on decision-making in the presence of going-concern uncertainties, which has been characterized as a two-stage procedure. The first stage is to identify potential continuity problems, and the second is to find out whether the specific company receives a qualified opinion (He et al., 2017). Various results indicate that audit quality affects the likelihood that Freddie Mac, as an economically distressed organization, receives such an opinion. This probability is influenced by the auditor's ability to identify financial uncertainties. However, it also depends on the auditor's own decision about what kind of opinion can be issued.
7. Discussion on professional, legal, and ethical responsibilities:
7.1. Professional Roles:
The auditors are responsible for planning and performing audits so as to obtain reasonable assurance about whether the financial statements are free of material misstatements caused by fraud or error.
7.2. Legal roles:
The auditors are engaged to provide various services to Freddie Mac, each of which carries its own liabilities, rights and duties. The central activity of the auditor is producing the auditor's report on Freddie Mac's annual reports and accounts (Chang et al., 2014).
7.3. Ethical roles:
Even where the individuals performing quality audits are not members of ASQ, some underlying principles apply to audit ethics (Abbott et al., 2016). Team leaders must comply fully with the customs, regulations and rules of Freddie Mac during an audit.
8. Conclusion:
Planning an IT audit for Freddie Mac involves several steps, as this study shows. The report has helped in understanding the information and performing the planning. The next step is to assess risk using the audit approach, which is needed to analyse risks and help IT auditors make decisions. For Freddie Mac, the risk-based approach discussed above depends on various operational and internal controls along with knowledge of the business. Risk analysis decisions of this kind can be related to cost-benefit analysis in order to manage known risks.

9. References:
Abbott, L. J., Daugherty, B., Parker, S., & Peters, G. F. (2016). Internal audit quality and financial
reporting quality: The joint importance of independence and competence. Journal of
Accounting Research, 54(1), 3-40.
Bin-Abbas, H., & Bakry, S. H. (2014). Assessment of IT governance in organizations: A simple
integrated approach. Computers in Human Behavior, 32, 261-267.
Chang, S. I., Yen, D. C., Chang, I. C., & Jan, D. (2014). Internal control framework for a compliant
ERP system. Information & Management, 51(2), 187-205.
Chen, Y., Smith, A. L., Cao, J., & Xia, W. (2014). Information technology capability, internal
control effectiveness, and audit fees and delays. Journal of Information Systems, 28(2), 149-180.
Chou, D. C. (2015). Cloud computing risk and audit issues. Computer Standards & Interfaces, 42,
137-142.
Christ, M. H., Masli, A., Sharp, N. Y., & Wood, D. A. (2015). Rotational internal audit programs
and financial reporting quality: Do compensating controls help?. Accounting, Organizations
and Society, 44, 37-59.
He, X., Pittman, J. A., Rui, O. M., & Wu, D. (2017). Do social ties between external auditors and
audit committee members affect audit quality?. The Accounting Review, 92(5), 61-87.
Leitch, M. (2016). Intelligent internal control and risk management: designing high-performance
risk control systems. Routledge.
Newton, N. J., Persellin, J. S., Wang, D., & Wilkins, M. S. (2015). Internal control opinion shopping
and audit market competition. The Accounting Review, 91(2), 603-623.