Assessing Information Systems and the CPA Exam

By Kenneth W. Boyd

All CPAs work closely with technology. The CPA exam’s business environment and concepts (BEC) test covers the concepts an accountant uses to assess IT needs and decide on spending. Technology may be one of the largest costs your company incurs.

As technology becomes more complex, companies process and store an increasing amount of data. You’ll consider the steps a CPA takes to protect company data from theft.

Deciding on computer technology needs

New technology — or improving existing technology — often requires additional spending. To make an informed decision on a technology need, consider the amount of additional revenue the technology will help you generate.

Suppose you own a catering business. To staff your catering jobs, you e-mail part-time employees from your list and track the catering jobs they work in an Excel document. You determine that an automated system of staffing would save time, allowing you to grow your catering sales by 10 percent.

If the cost of the automated system is less than the profit from a 10 percent increase in sales, investing in the technology makes economic sense.

The BEC test may have you assess technology spending by considering cost savings. Consider the same catering example. Suppose the owner is paying a part-time employee $10,000 a year to handle staffing. If an automated system can handle staffing, the part-time staffing employee can perform catering jobs instead.

The former staffing person now works on revenue-producing catering work. If the automated system costs less than $10,000, buying the new technology makes sense.

Every firm needs a disaster recovery plan for its IT department. This topic is presented on nearly every BEC test. In the event of a disaster (flood, tornado, power outage), a business needs a written plan to “restart” its technology operations. Traditionally, disaster recovery meant having equipment (computers, servers, phones) at a separate location. If a disaster occurs, the IT department simply moves to the other location and operates from there.

Technology now allows companies to set up disaster recovery through cloud computing. Used this way, cloud computing means that all of the company’s data is continually backed up on servers at another location. A firm may have an internal department provide this service, or hire an outside firm. If a disaster occurs, the IT department can access and use the company data that is backed up on the cloud.

Weighing IT security

All businesses need to set up controls to prevent sensitive computer data from being lost or stolen. Customers, regulators, and company shareholders all insist on IT security. Loss or theft of computer information can result in upset customers, loss of business, and possible legal issues.

Segregation of duties is a critical internal control used to reduce the risk of theft. Whenever possible, these three IT duties should be divided among different people:

  • Programming: IT staff who write code and create programs to solve business problems

  • Operating: Workers using IT tools (hardware and software) to run the day-to-day business operations

  • Library: The database administrator or librarian, who maintains, adds, updates, and files all the records for the company

Suppose, for example, that you manage a trucking company. You have a dispatching department that sends trucks to their destinations and monitors shipments. The programming department wrote a software application for the dispatching process.

If the programmers had access to the IT activity in the dispatching (operations) department, they could potentially manipulate the process. A programmer, for example, could send trucks to destinations that the programmer personally controls. The programmer could bypass the billing process so that shipments she controls are never billed.

When you see a BEC test question on IT security, consider the impact of a lack of segregation of duties.