ACC661: Accounting Systems Control and Audit


Fall 2002


Course Outline


Instructor:      Kaustav Sen

Office:          484 W, One Pace Plaza, NY 10038

Telephone:       (212) 346 1989

Course URL:

Office Hours:    Monday      11.30 am - 2.30 pm
                 Wednesday    4.00 pm - 5.30 pm

Co-requisites:   IS 623




This course encompasses audit and control issues associated with advanced accounting information systems.  Discussions address topics related to the conducting of accounting information systems audits.  Also considered during the course are the management control framework, the application control framework, evidence collection, and evidence evaluation. 




After completing the course, students should be able to:

1.  Understand the concepts and current practices related to information systems governance and audit.

2.  Integrate information technology and business concepts as they relate to auditing.

3.  Become familiar with the COBIT framework and other ISACA / IT Governance Institute resources.

4.  Understand the CISA exam content areas.


Course Materials


Text: Information Systems Control and Audit by R. Weber, Prentice Hall, 1999.



1.  Information Technology Control and Audit by F. Gallegos, D. Manson and S. Allen-Senft, Auerbach, 1999.

2.  CISA Review Technical Information Manual, ISACA.

3.  COBIT 3rd Edition, ISACA.





Course Delivery


Due to the small class size, this course is being offered as a tutorial. It will have features of both an in-class traditional course and an on-line distance learning course. Combining the two lets us retain the advantages of both forms: the opportunity to interact face to face, and the flexibility of course delivery that Internet technology offers. Because there will be fewer lectures than in a traditional course, you have to take the initiative to read more on your own rather than learn by listening to lectures.


Internet Requirements


As a major portion of this class will require on-line access and communication, it is recommended that you have access to the Internet on a regular basis. The course materials will be available on the Blackboard website for this course. All announcements will be posted there as well. All assignments should be turned in electronically using the digital drop-box feature in Blackboard. All communication will be done using email. Blackboard uses your Pace email to communicate. Please make sure you either check your Pace email account regularly or have set it up to forward messages to another email account that you access on a regular basis. You will not be able to operate in this class without email and Internet access.




The overall course grade is determined out of 100 points distributed as follows:


            Final Exam              20

            Cases                   40

            Discussion Board        40

            Total                  100


The expected grade distribution for this course is:

            A- and higher           > 90

            B- to B+                80-90

            C- to C+                70-80

            D to D+                 65-70

            F                       < 65


There are no points for class attendance or participation, including participation in the on-line discussion boards. Participation is nevertheless required, to demonstrate learning effort and enhance knowledge.



Students with Disabilities


Please contact the Coordinator of Services for Students with Disabilities in New York at 212-346-1526 if you have a disability for which you need an academic accommodation.


Make-up exams


No make-ups for midterms and finals will be allowed except in cases of genuine medical or other emergencies. In the event of such an emergency, you should contact me at your earliest opportunity to arrange a make-up.


Academic Dishonesty (Cheating)


The Pace University policy with regard to academic dishonesty (cheating) is described in the catalog, and provides penalties for students who either cheat on exams and papers, or help others cheat, ranging from reduction in grade to expulsion from the university. Anyone who either cheats on an exam or helps another to cheat on an exam in this course will get a failing grade.




Class schedule


Week   Meet in-class   Topics                                                   Chapter


1      Yes (09-13)     Introduction; IS audit process                           1

       ·  Overview of Information Systems Auditing
       ·  IT governance domains
       ·  COBIT framework and guidelines

       Reading:   “IT Governance—Putting it in Perspective” by H. Parkes, IS Control Journal, V3, 2001
                  “Corporate Governance and ICT: A Marriage of Reason” by J. Bourdariat, IS Control Journal, V6, 2001


2      No (09-20)      Control concepts                                         1,2

       ·  Physical and Logical access
       ·  Preventive, Detective and Corrective controls
       ·  Various types of risk

       Notes:     Risk and Control concepts
                  Logical
                  Physical

       Reading:   “Intrusion, Attack, Penetration—Some Issues” by C. Mahadevan, IS Control Journal, V6, 2001


3      Yes (09-27)     COBIT 1 – Planning & Organization

       ·  Identify how IT contributes to the achievement of the business objectives
       ·  Realization of the strategic vision from different perspectives
       ·  Organization as well as technological infrastructure plan

       Reading:   COBIT – Planning & Organization materials from ISACA


4      No (10-04)      Management, planning and organization of IS              3

       ·  IS Strategies and Management Practices
       ·  Organizational Structure
       ·  Evaluating the Planning and Organizational functions

       Notes:     IS Management and Organization

       Reading:   “Harnessing IT for Secure, Profitable Use” by E. Guldentops, IS Control Journal, V5, 2001


5      Yes (10-11)     COBIT 2 – Acquisition & Implementation                   5,6

       ·  Identification, development / acquisition of IT solutions to implement IT strategy
       ·  Implementation into business processes
       ·  Continuation of the life cycle of existing systems through maintenance

       Readings:  COBIT – Acquisition & Implementation materials from ISACA
                  “How to Audit CRM Implementations” by P. Balcazar, IS Control Journal, V4, 2001


6      No (10-18)      Technical infrastructure and operation practices         4,8,12

       ·  Network Operations and Production Control
       ·  Management of Outsourced Operations
       ·  Systems development and management control, Capacity Planning

       Notes:     Operations
                  Networking and telecommunications
                  Object-oriented systems
                  Database systems

       Readings:  “VPN: Confidentiality on Public Networks” by R. Norris, IS Control Journal, V3, 2001
                  “Choosing the Best Solution for your Network Security” by A. Carasik, IS Control Journal, V3, 2001
                  “VPN—New Issues for Network Security” by A. Abdullah, IS Control Journal, V5, 2001


7      Yes (10-25)     Protection of information assets                         10

       ·  Measures of Asset Safeguarding and Data Integrity
       ·  Types of Exposure and Threats
       ·  Nature of the Global Evaluation Decision and Cost-Effectiveness Considerations

       Notes:     Cryptography
                  Data validation

       Readings:  “Managing Data Integrity and Accuracy Effectively” by R. Lobb II, IS Control Journal, V5, 2001
                  “e-Commerce Security—Public Key Infrastructure” by R. Bria, IS Control Journal, V5, 2001
                  “Doctor’s Orders” by S. Ross, IS Control Journal, V5, 2001


8      No (11-01)      COBIT 3 – Delivery & Support

       ·  Delivery of required services including security and continuity
       ·  Support processes
       ·  Application controls

       Readings:  COBIT – Delivery & Support materials from ISACA
                  Change control: Audit Program and ICQ from ISACA


9      Yes (11-08)     Disaster recovery and business continuity                7

       ·  Business continuity planning issues
       ·  Off-site alternatives and security concerns
       ·  Evaluation of the plan

       Notes:     Business Continuity Planning

       Reading:   BCP: Audit Program and ICQ from ISACA


10     Yes (11-15)     COBIT 4 – Monitoring                                     7

       ·  Assessment of IT processes for quality and compliance with control objectives
       ·  Management’s oversight of the organization’s control process
       ·  Independent assessment by external or internal audit

       Readings:  COBIT – Monitoring materials from ISACA
                  “Twenty Most Critical Internet Security Vulnerabilities” from SANS Institute, V2.100, 2001


11     Yes (11-22)     Controls in business applications                        9,11-15

       ·  Input, Processing and Output controls
       ·  Communication controls
       ·  Database controls

       Notes:     Applications
                  Quality Assurance

       Readings:  “Manager’s Guide to ERP Systems” by L. Pang, IS Control Journal, V4, 2001
                  “Risk and Governance Issues for ERP Applications” by S. Addison, IS Control Journal, V4, 2001
                  “Understanding the Many Faces of SAP Connectivity in E-Commerce” by R. Johnson, IS Control Journal, V4, 2001


12     No (11-29)      Business process evaluation and risk management          20-23

       ·  Characteristics and Types of Performance Measurement Tools
       ·  Performance Measurement and Data Integrity
       ·  Risk and control concepts

       Notes:     Risk Assessment
                  Exposure Analysis

       Readings:  “Overview of Principal IT Evaluation Models” by C. Kimpton and D. Martin, IS Control Journal, V5, 2001
                  “Presenting Penetration Test to Management” by A. Leiman, IS Control Journal, V5, 2001


13     Yes (12-06)     IS Audits                                                16-19

       Notes:     Audits
                  Standards (ISACA)

       Readings:  Generic Application Review: Audit Program and ICQ from ISACA
                  Networking: Audit Program and ICQ from ISACA
                  PKI: Audit Program and ICQ from ISACA


14     No (12-13)      Exam week