What You Need to Know About IT Environment and Infrastructure Webcast
As the accounting profession continues to evolve to adapt to new technologies, so must the CPA Exam. This ensures that newly licensed CPAs have the skills and knowledge required to navigate the ever-changing business practices affected by technological ad
– Hello, I’m Charlotte Roberts, VP of eLearning here at UWorld Roger CPA Review, and it’s a privilege to be here with you today. You are in for a treat, as today we’re going to learn a little bit more about IT environment and infrastructure, and what you’ll need to know about this topic as a practicing CPA. This is the key topic right now as the CPA exam is evolving to put increased emphasis on technology. Accordingly, this topic includes a lot of new and updated information that has been brought to the forefront of the exam just this past July. We’ll start the learning process today on IT environment and infrastructure by looking at a sample question from our award winning QBank. Now for some of you, starting with a question may seem uncomfortable because you’re accustomed to a more traditional, linear learning style where you would sit and watch a lecture, then read the book, take notes, and then go through the practice questions. However, at UWorld, what makes us so unique and different is active learning. This evidence-based learning methodology centers around the principle that students learn by doing to maximize retention and improve learning outcomes. When preparing for the CPA exam, if you think about it, the doing is working directly in the practice questions. So let’s open up one of our questions on IT environment and infrastructure, shall we? Okay, so here we are in our question for today, let’s go through it together. An audit client provided a list of software applications it is currently using. The list included the name and version number of each application, as well as the name of the vendor from whom the client purchased that application. Which of the following fields in that list is relevant to the auditor’s risk assessment? So then we see here, our answer choices, A, B, C, and D, is looking for the combination of the two variables. 
The name of the vendor, software version number, and in which of the following fields in that list, the combination is relevant to the auditor’s risk assessment? So let’s take a look, and I’m gonna say I answer C. So my assumption here is that the name of the vendor is not important, but the software version number is. Let’s show the correct answer. Okay, so we see that I unfortunately got the answer incorrect, maybe you were shouting at the screen, pointing to answer A, which A is correct here, that the name of vendor and software version number is relevant to the auditor’s risk assessment. So first we’re gonna see some statistics show up, showing me and you what percentage of students in our course are selecting the correct answer. You know, I’m in good company as kind of C being the runner up. Let’s take a look at the answer explanation to better understand a little bit more of this concept. So you’re gonna see here immediately, I’m gonna be presented with a visual. At UWorld, this may be a table, a chart, an illustration working through a math problem, but this visual here is going to be provided to really help me understand what I’m about to read as I go through the thorough answer explanation. Including the visual here, right at the top of our answer explanations is very unique to UWorld, exclusively as the only review provider that includes this level of detail within our questions and answers. So let’s go ahead and continue to go through on what a real rich quality answer looks like in our program. So as we go through the answer, again, let’s keep the question in mind, which of the following fields in that list is relevant to the auditor’s risk assessment? Let’s say both is relevant. Let’s understand a little bit better why. In order to assess the risk of material misstatement, an auditor must understand the entity and its environment, including its internal control. 
To do so, it is essential to understand the entity’s IT systems, including the software it uses. For example, software that is not up to date can create a host of processing problems, and security vulnerabilities. In addition, because virtually every business uses multiple software applications, problems in the interaction among these applications can create a risk of material misstatement. If interacting applications were created by different vendors, or if the software use is not the most recent version, there may be errors in mapping data between the applications. So again, here, you’re starting to see kind of in those the bolded answers we’re looking at different vendors, and recent version and why the combination of the two is so important. For example, if the system used for accounts payable was created by XYZ Software, and requires a six digit vendor ID number. So here we go, here’s the visual, we’ve got accounts payable system developed by XYZ, and it requires a six digit vendor ID number, but the system used for purchasing was created by ABC applications and requires an eight digit number. So here we have the purchasing system by a different vendor, ABC, with an eight digit number. These numbers must be matched to each other. If an error occurs in the mapping, it could cause errors in the accounting records. And so we can see here in the visual, we’ve got an eight digit requirement here, six digit here, and then it’s between the two of them, an error can occur in the mapping. So then we round out the answer with the things to remember. So this is kind of, again, a cumulative answer of the problem that we just worked through and the visual. So things to remember and take a step back, is problems in the interaction of various software applications can create a risk of material misstatement. The risk is heightened when the applications were created by different vendors, or one is not up to date. 
So we see here both are very important, and relevant to the auditor’s risk assessment. The name of the vendor and the version number as errors can occur when they’re not mapped together. Now, in this particular example of this UWorld Roger CPA review question, we had a thorough answer explanation provided to us on why A was correct, and because A is the only combination that works of the two variables, we therefore figured out why B, C, and D are incorrect. However, this is just one example of our question bank, where other types of questions in addition to providing why, if the answer is correct, also provide a very thorough and detailed explanation on why the three alternative answers are incorrect. So again, this is just one example of a question you might see in UWorld Roger CPA Review from IT environment and infrastructure. Now let’s take a step back, and look at the even bigger picture within audit, understanding an entity and its environment, and then specifically dive into IT environment infrastructure, as we just did here with this question. Now this concept, IT environment infrastructures cover several subtopics, including new material on both ERP systems, and software, and cloud computing. So without further ado, here’s your instructor, Roger Phillips, CPA, CGMA, teaching you IT environment and infrastructure.
– Alrighty, let’s talk about IT environment and infrastructure. Now with IT, what we’re looking at in the audit exam is we’re concerned with the use of the computer, and the objectives are still the same, but the procedures may change. And the objectives with IT is basically what? Gathering information. Now, when auditing, we focus on the auditor’s understanding of the client’s IT environment in order to perform what we call an effective and an efficient audit. Now the use of IT affects several areas like the initiation, the authorization, the recording, the processing, and the reporting of transactions. Now it also affects the five components of CRIME. Remember the internal control structure elements, that’s control environment, risk assessment, control activities, information and communication, and of course, monitoring. Now we have different approaches to auditing that information. We can audit through the computer, we can audit around the computer, or we can audit what we call with the computer. So we’re looking at around, through, and with. The first one, which is auditing around the system, and that’s used with a less complex IT environment, because we’re kind of looking at the print and the documents and performing manual tests. So we’re looking at the inputs and the outputs, so we’re kind of going around the software. So we’re not testing the IT controls. It’s more of what we call a substantive approach audit. Now, when you do this, you cannot give an opinion on the effectiveness of internal control, because instead of going through the computer, you’re going what? Around the computer again, looking at the inputs and the outputs. Auditing through the computer, that’s used with a more complex IT environment. In this particular case, you need to understand and test the controls, you’re trying to see are they operating effectively? 
And that way you can reduce the quantity of substantive testing you’re gonna do, this is called the combined approach, ’cause we’re looking at both TOC, tests of controls, and substantive testing. Auditing with the computer, that can be used in either of the other two, around or through, and in this case, we’re gonna use something called CAATs, which are computer assisted audit techniques, which we’ll talk about in a different section. And you may also use something called GAS, G A S, which is generalized audit software, in order to perform things like data analytics. All righty, let’s talk about the characteristics of an IT environment. Now that is dependent upon certain elements like the size, the number of employees, and the types of computers we’re actually using. Now, back in the olden days, we had very few computers with very few personnel. Now we have a huge increase in what we call access points, which creates a lot more risk for any IT system, because people can access the system globally, right? Remotely, so that creates a lot more risk. Now, some of the benefits of IT, first of all, our consistency, right? Computers are not subject to random errors, whereas humans are, right? Because humans have feelings, right? Computers are like my ex-girlfriend, they have no feelings, right? That’s why she’s an ex. But in other words, there was a story once when they said, if you, you know, on Monday, everyone’s hung over on Friday, everyone’s working for the weekend. So if you can buy a car that was built on a Wednesday, for example, chances are, it was much more better built, all right? Now with the computer program, it’s operating effectively, you don’t need to test individual transactions because if it’s programmed correctly, it will do the same thing correctly consistently, right? Time and time again. If it’s programmed incorrectly, obviously it will make the same mistake, but the benefit of an IT system is consistency. Another one is timeliness, right? 
Because timely, it’s quick, it’s efficient. For example, tax programs, or when I was in college, I did VITA, Volunteer Income Tax Assistance. There, we didn’t have computers, so it was manual. I would do someone’s taxes, and then at the end, they’d say, oh, here I have this there’s this deductible? And I would say, no, because I didn’t want to start over. Now, you go sure, you put it in line 27. Boom, and it updates everything very quickly, very efficiently. Analysis, it’s great for analytical procedures, the study of data comparisons and relationships where we’re looking at dollar or percentage changes. Monitoring, and that would be monitoring by the computer system itself, kind of like my server. Circumvention, controls are difficult to circumvent or to go around, right? Therefore you really don’t expect too many, or any exceptions. Segregation of duties, we talk about Noah and the ARCCs, Authorization Recording Custody Comparison, well if you have good security controls, that will help to prevent incompatible functions by being done by the same person. Some of the risks of IT, well there are two major risks the auditor’s concerned with. One is unauthorized access, and the other one is called the audit trail. Unauthorized access that says, for example, that someone doesn’t have the authority, but they hack into your system and they can destroy or alter your files. In the news, you hear about, you know, Russia hacking in and grabbing, you know, oil companies’ information and so on, and then holding ransomware. So that’s unauthorized access, that’s always a risk. Audit trail, which is basically an electronic visible trail, you want to be able to trace the information into the statements and into the reports, and then back to the original input documents. So we’ll talk about tracing and vouching, things like that, but you’re concerned with the audit trail. What are some of the other risks? First of all, over-reliance, right? 
And a lot of times you assume, oh, the IT system, the computer spit this out. It must be correct, it must have been done properly. Maybe not, unauthorized changes in programs. Now unauthorized program changes that could occur, you might recall from your college class where the teacher said someone was inputting information, but they knew enough about programming, so they change it to take one penny off everybody’s deposit. Well, you’re not gonna really notice a penny difference, but you do billions of transactions, and suddenly you’re rich, right? So that would be something where it was an unauthorized program change. Failure to change, that means that you’re not updating for new tax law changes, or new changes in the system, new rules. So, you know, we assume the software is up to date, maybe it isn’t. Manual intervention, so when manually inputs or accesses the information or alters the files and then finally loss of data, which is always kind of scary, that would be a catastrophic data loss. That’s why you want to make sure you have backup, right? We talk about hot sites, cold sites, and backup of data. You want to make sure you have the backup, because you don’t want to lose, what? Your data. Now let’s talk about the IT department itself, okay? Now I just talked about a bunch of benefits and risks of IT, and that’s in order to control these risks, it’s important that the IT systems are operating as designed. So when IT department will normally include different departments or different operations, like systems development and maintenance, operations, and other technical services. Now with systems development and maintenance, we’re looking at, okay, who are these people who’s involved in this area? First of all, with a systems analyst, they’re the person they go out, they ask the questions, and then they see what the company needs, and they set up the flow chart. So they’re the intermediary between the users, and the programmers. 
We have an application programmer, they basically take the flow chart, convert it into machine-readable language. They write the program, test the program, debug the program. They also develop the instructions for the operators, that way they know how to run the programs. We have a database administrator, and they do exactly that, they maintain the data or the database. So those are all the different people that are involved in development and maintenance. So you can see how, for example, the programmer who sets up the program, what they’re doing basically is making sure that everything that’s getting into the system is authorized, so when we talk about ARCC, you can kind of think of authorization because we want to make sure that what gets into the system should be getting in there, that it’s properly authorized. Then we have operations and that deals with data input, data output, data input, data output. So the data control department, they basically collect the data for input, and then they take the final reports, and they disseminate or distribute that information. The data control clerk, they schedule the jobs for the computer. Data entry, that’s the person who’s sitting there inputting, so they’re converting that information into machine readable language or into machine readable information. So what’s a good control? To make sure the person inputting is computer illiterate. What I mean by that is they don’t know a lot about programming because otherwise, as we said earlier, they could access the software, make a change, and take a penny off every deposit. So they’re not only controlling the input, but then they would control the output. So with data input, you can think about they’re in charge of kind of like recording. When you’re recording the information in ARCC. We also have a computer operator, they operate the computer, they schedule the daily work for the computer. The librarian, they’re in charge of safeguarding and maintaining the programs and data files. 
So in a sense, they’re safeguarding that information, so they’re kind of like control or custody of that information. Now, other technical services, that would include the network administrator, they’re maintaining computer networks and network connections, how it’s all connected together. The systems programmer, they’re updating and maintaining the operating systems, and then the systems administrator or tech support, we’re all familiar with tech support, right? I’m on the phone with them all the time, but they’re upgrading and monitoring the software, and the hardware as well. Now the security administrator, they’re responsible for their staff, the security of the system. So that would be like an access control, and user password maintenance. And as we all know, passwords are important. They say you should update them every 60 to 90 days, for example. And I read this somewhere that I loved. It said passwords are like underwear. Don’t let people see them, change them often, and don’t share them with strangers, all right? So that’s basically what makes up your, what? Your IT department. Now let’s talk about centralized versus distributed processing. Now, centralized processing back in the olden days, computers were expensive, they were large, right? They took up a huge room for example, and you had a single computer, remote terminals to connect to one of the computers, and that was kind of called centralized processing. Today, we have what we call distributed processing. That’s where you have a large volume of tasks, many different employees, different locations, different computers using for example, remote access, so now we need to connect to them to form a network. Now, why do we need to connect different computers together? That way we can share things like peripheral. We can share things like printers, and data, and programs, and information that’s being stored on the servers, for example. So that would be what we call distributed processing. 
All right, let’s talk about networks. Now, there are different types of networks. There’s the intranet, extranet, and of course you’re all familiar, hopefully with the internet, inter. All right, now, since the data is being accessed by the computer, and it’s no longer being held on a single computer, you need to be able to connect to each other in some way to form what we call a network. And in doing so that’s where we have intra, extra, and internet. Now the intra, intra means within, right? That would be intranet, intra, within a single company, like a local network, which is limited to an organization. For example, you study hard, you go to take the CPA exam at Prometric. That would be an intranet because you log on, you look at the complete the exam, but it’s all within that building, right? You can’t get outside the building and say, hey, Raj, is it answer A or answer C, right? You wish. We have an extranet, and that would be like an intranet, but it’s connected to a select external customer. External, right, extranet. So that would be an external customer, or network, or vendor rather, so that would be like when you’re inventory ordering. So let’s say, for example, I’m connected to this outside company. When my inventory drops below a certain level, it’ll automatically print out a purchase order, and send it to that external party and order goods. We’ll talk about that later called a VAN, or value added network. That would be an example of an extranet. Then of course, we have the internet. What is the internet? It’s an international collection of networks made up of independently owned computers. So it’s considered something we’ll talk about called a large WAN, or a wide area network. Now, when we talk about internet, that would be like the word inter means between, like an interview or intercompany transactions is between companies. So what are we looking at the internet for? We use it for like shopping, right? 
I gotta love my Amazon, order something, get it 24 hours later. Dating, I order a date, get it 20- No. eBay, studying for the CPA exam, right? Your remote login, and for example, you go in through the cloud and you’re accessing our course, you’re studying the product and so forth. So when we talk about the WWW, that’s the worldwide web. And we use that for data communications, as I said, remote login, file transfer, email, newsgroups, and all that kind of stuff. Back in the olden days when I was your age, we had what we call the blinking C colon, and you couldn’t do anything till you started like, programming it. In today’s day and age, you go to Google and you’re typing something, misspell it, and it still pops it up, did you mean this? Now with network configurations, that deals with, okay, how do we actually link the computers together? And there’s different ways called LAN, VAN, WAN, Thank you ma’am, right? So LAN is a local area network, kind of like I mentioned earlier, that is where the users are within the same geographical area, the same building, the same cables, close proximity for example, so that’s where they’re kind of all together. That’s called a local area network, maybe within my office. We have a VAN. That’s what I mentioned value-added network, that is where you link different companies’ files together. And as I said, kind of like the manufacturer and the supplier, different companies, where like an extranet. Then we have VPN, which is a virtual private network, VPN, and that’s where you access networks from remote location. So for example, when I’m writing the books and I want to send it over to Jay, for example, my amazing editor and writer, it’s too big a file to email. So I will put it on a VPN, a virtual private network. She will then go in and grab the book, and then take it and then edit it and update it, and so on and so forth. 
So that’s how we’re transferring these big files between each other, but it’s a private network, not for everybody else’s eyes, for your eyes only, right? That’s an old “James Bond” movie. All right, WAN is not WHAM, that’s a different music group. Like, “Wake Me Up Before You Go.” Anyway, WAN is a wide area network. That’s where we have again, the internet, different locations, phone lines, satellites. So we’re connecting that way. We use encryption, encryption is where, for example, you put in a credit card number and it comes out with a bunch of Xs, that’s encrypted, so if someone grabs it or hacks it, they can’t steal your credit card number. We’re using here remote locations, and as I said, that’s basically a WAN. Think of the internet, WWW. A wireless LAN, WLAN. That would be for short range, like 10 feet or less. That’s what we use like in your office where you’re using your ear buds or speakers or printers, or, you know, you go to Starbucks for example, to study for CPA Review, and you’re connected to their Wi-Fi and Bluetooth and so on. So that’s for a short range, that’s called wireless LAN. Alrighty, let’s talk about enterprise resource planning, or ERP systems. And basically this is packaged what we call off the shelf business type of software. And that way a company can manage their resources, their materials, inventory, human resources, financial resources, and we’re doing this for the company’s information processing needs kind of like Oracle NetSuite. Now, what are some of the advantages of ERP, or business software? First of all, timely analysis, right? That way managers can process and analyze the information more timely, right on a timely basis when they need it. Unified system, so it helps to unify and consolidate the different business functions. Interactivity, that way you can interact with the customers’ and the vendors’ IT systems. A continuous audit, so it contains what we call embedded audit and monitoring modules. 
So that way you’re always keeping track of what’s going on, no surprises. A clear audit scope, it makes the consideration of audit scope less complex, but some of the risks that relate to ERP, implementation and operation risks. In other words, when you implement the ERP system, it might disrupt the total operations or the system could fail, and that would stop the company’s operations, which is very bad, right? So the implementation risk of when you’re actually introducing it. Reduce segregation of duties. We always talk about knowing the ARCCs to segregate the certain things. Well since ERP consolidates the business functions, which is good, it could also be bad in the sense that you have a breakdown in your segregation of duties. Other risks, data access, you need to access the data in order to do things like an audit, right? ‘Cause you’re gonna look at like database tables, data flows, but the ERP system may make it more difficult to actually access that data because of the computer procedures, and the different types of controls that we put into the system. Business process risk, and that’s when a company uses packaged ERP software, it may need to change business processes. And this can obviously increase the process interdependence risk, so that if one business process fails, it can also affect the entire system. So bearing all this in mind, are we actually better off with custom software that is custom designed for us, or off the shelf pre-packaged applications? Now with custom applications, obviously you’re having someone come out and make this, it’s gonna be more expensive, but it can also offer much more flexibility for your individual enterprise or business, but it could also present a challenge to the auditor. In other words, they may need to somehow develop custom audit packages. For example, back when I started this company, I used to purchase someone else’s homework software. 
And for years my wife was like, we got to create our own, we got to create our own. I was like, yeah, it’s expensive and timely, and this. Well, about 15 years ago, we finally said let’s create our own, and our own custom application, and guess what? It was the best thing we ever did, because we could then customize it for our students, for our program, interact it with our books and so on and so forth. So it was a great thing, but it was a large investment upfront, because obviously it’s expensive as opposed to buying it or renting it from someone else, or using some kind of pre-packaged application. Now keep in mind from the auditor’s perspective, with pre-packaged or off the shelf software, that has already been tested, it’s been debugged. If the vendor is reliable, it’s gonna be much more reliable, so there’s less inherent risk, right? The risk inherent in any element account or item. If it’s custom designed or customized software for you, that means it’s created for you. That means it’s new, but it hasn’t all actually been thoroughly tested, hasn’t properly been debugged, so obviously you’re going to have a higher risk or a higher inherent risk. Now you’ll see this chart in your notes, and we’re talking about packaged applications versus custom applications, packaged versus custom. So you kind of understand the basic differences. When we look at this first one about packaged applications, packaged or off the shelf, the purpose mass produced for general use, right? ‘Cause it’s for your company and everyone else’s company, that means it’s gonna be upfront costs are lower. It’s gonna be less expensive, it’s cheaper. Ownership, you don’t own it, right? In other words, you’re gonna have to license it and pay for it every year. Like we spend a fortune on our Salesforce licenses, for example. Features, they may not meet all of your business needs, right? Because it’s difficult to customize it for your individual company, because it’s more of a generalized software. 
Business processes, general business processes, and those that relate to what we call best practices, but again, not necessarily your business, and then the maturity model. Well, it’s gonna be more mature, right? Because it’s been tested and retested. And as I said earlier, if it’s been more tested, therefore there’s less inherent risk. When we talk about custom applications designed specifically for you, the purpose custom produced for a specific user, kind of like my example about our software. Upfront costs, obviously are gonna be much more expensive, higher upfront cost because I had to hire all these developers and so on. Ownership, the great thing is you own it, right? It’s wholly owned. Our software, we own it. We don’t have to pay a licensing fee anymore. The features should meet your specific business requirements because you can customize it. So it’s not like a best practices, but it’s more designed for you. And then maturity model that varies because again, was it tested in the developmental stage? It’s a less mature area, therefore higher inherent risks. Now let’s talk about that last box, which talks about the maturity model. Now we use the maturity model to evaluate how close a developing application is to being complete, and capable of improvement through what we call qualitative measures and feedback. So these risks exist in both packaged, and custom applications. What are some of the things we’re concerned with, we’re concerned with, you know, business interruption, right? Is the company gonna be interrupted as far as the business flow? System security database security, because we don’t want people to access the system or access our data, process interdependency. But as I mentioned again, less mature, higher inherent risk, more mature, lower inherent risk. Now maturity of an application can be defined at one of five different phases. 
And the farther along we are in addressing these risks, it correlates to where we are in the maturity model, or how mature this software is, for example. So there are five phases in the maturity model we’re gonna look at. We have the initial phase, developing phase, defined phase, managed, and optimized. So you’ll see here this chart, and when we look at this chart, you’ll see going down the side on the left, initial, developing, defined, managed, and optimized and the risk, and then we’re gonna look at the people, processes, and the programs. So for each of these, so we have these five phases. We’re gonna look at all of these areas. And this is a tool again, that helps us to assess the effectiveness of the people, the processes and the programs, and we’re trying to figure out what we need to do in order to improve performance. So for example, in the initial phase, right? That’s the least mature. We’re just starting out. So there’s more inherent risk. So we’re looking at the people, uncoordinated, there’s no really set staff that’s designing this, the processes, no formal security or access processes, the programs, there’s no security, there’s no control. We’re just initial, we’re just setting it up. Then we have the developing. So we developed a plan and some basic controls. So we’re looking at the people, leadership is established and formal communication. The processes, the basic governance, risk management processes. The programs are basic controls with very little or no documentation. In the defined phase, now we’ve implemented the plan. So the people, we now have established roles and responsibilities, so they know more or less what they’re supposed to be doing. The processes, security access processes are in place. Minimal verification. The programs, the controls have been implemented and documented, the controls are reliant on the individual IT staff. Now, when we’re managing it, now we’re up and running. 
We’re managing the plan, so the people roles and responsibilities are clearly defined. The processes, formal security processes have been established, verification and measurement processes also have been established. The programs, the controls are now monitored and measured. Compliance levels have been established. Some controls are now automated, for example, so they’re managed. Then finally in the optimized phase, we’re like, okay, how can we optimize it? How can we make it better? The people, we have a culture to always improve, right? So we have established staff that are now focused on the security, the processes, and the technology. With processes, we have a comprehensive surety and risk management processes are in place. So we want to make sure they’re being run properly, and risks are understood, and they’re being evaluated quantitatively. And then as far as the programs, the controls are fully implemented. They’re automated, they’re continuously being monitored. If there’s an issue, it’ll spit out a report, for example. Controls are now subject to continuous improvement processes. So again, the farther along we are in this, what we call maturity model or the different phases, the less inherent risk exists. So that’s what we’re concerned with when we’re dealing with ERP, the system, and the maturity model. All right, let’s talk about client server computing versus what we call cloud computing. Now with client server, that’s when you have several client computers called workstations, and we have these in order to access a service, the server computer, the server serves the clients basically. So the unit users can access the information, add information, edit, delete data on the server. 
So in my office, for example, we would have several different servers where we would also store lots of data, so that’s the client server computing, versus cloud computing, and that allows the company to use the internet, for example, to access and use services and applications that run on remote third party infrastructure. So basically you’d have data centers available to many users over the internet, and they could be used for a single company, or available to multiple companies, which we’ll call the public cloud, which we’ll look at later, okay? So when you access course, for example, cloud computing. Now, why is this good? First of all, minimum upfront costs, because you’re using third party hardware and software. It allows companies to get up and running much faster, right? Because they have improved manageability, less maintenance, for example, and it’s great for data storage or using a browser to access web based applications, right? Because like my iPhone, where do I store all my data? In the cloud, for example, right? So that’s what we’re looking at, why this is good. With cloud computing, it often involves using off the shelf software that isn’t developed or modified in house. Therefore, you know, you’re buying it off the shelf. You didn’t create it yourself. It’s less expensive, it’s cheaper, you’ll have reduced or no backend hardware requirements, so it reduces the need to have an onsite IT staff, or IT resources, that will what? Save you money, save you resources. So cloud-based service arrangements, there’s different types. We’re gonna talk about, you know for example, SaaS, PaaS, and infrastructure as well. So when we’re looking at this first one, we’re talking about SaaS, which is software as a service, and you’ll hear people just be like, SaaS, SaaS, SaaS. Basically it’s software that’s available via a third party over the internet. 
Now, a method of software delivery, and it allows you to use the program over the internet without having the software on your device. In this web based model, the outside service provider, the company providing that software, hosts and maintains the servers, the databases and the code. So for example, if you’re using things like Dropbox or Salesforce, Slack, HubSpot, right? We use all these things in our company as well, that’s called SaaS or software as a service. Now the users, us, we purchase a license to use the vendor hosted software, and we’re doing it on a subscription basis, right? So as I said earlier, we pay a fortune in Salesforce subscriptions, for example, but it requires no technical IT staff, so you’re gonna save money in that end, and that means the user of the SaaS, which is us, we don’t have to have an IT staff. Obviously we do because we have other programs, but in general, if you buy the SaaS, you don’t. The SaaS provider is responsible for the controls that are related to things like the availability. So people can access it, the data storage and the IT hardware as well. Another type is called platform as a service, or PaaS, and this is where the hardware and software tools are available over the internet. So it’s where the service provider delivers a platform to the clients that allows them to develop, to run and manage business applications without needing to build and maintain the infrastructure themselves. So that’s kind of nice, right? We’re outsourcing all of that, but we have access to it. So the PaaS provider would provide the hardware, the storage and the operating system over the network. That’s what the PaaS provider is giving us. This would then reduce the cost and complexity associated with both software and hardware management. Now you do need some IT staff, and that’s because the PaaS user is responsible for the software applications, the controls as well, and also the development and deployment of the applications. 
So you do need to have a little bit more of a staff than say SaaS, so PaaS, you’ll need more people. The PaaS provider would be responsible for the operational activities, the maintenance and management of the provided hardware storage and the operating systems. So some examples of PaaS would be for example, Microsoft Azure, Asure, Azure, and Google App Engines, right? So that would be an example of different types of PaaS or platform as a service. Now, infrastructure as a service, that’s called IaaS. IaaS, I don’t know. I don’t know if you have a good mnemonic for that. Now this is where you have control of the actual physical resources and equipment such as network hardware. Now with IaaS, it’s an instant computing infrastructure, it’s managed over the internet. So that way a company can use things like Azure, and they would manage the infrastructure, but you would purchase, install, configure and manage your own software. But again, you have control of that actual physical equipment and the resources available. In this model, it allows the user the freedom to deploy their systems in a manner that’s consistent with what they need, right? But a larger technical IT staff would be required by the user in order to maintain all the software, and all the systems. So those are some of the cloud-based service arrangements that are available. That’s your SaaS, your PaaS, and your IaaS. Now, with cloud-based service arrangements, you can use two or more of these models we just talked about at the same time. So for example, a company may offer a payroll system, which would be considered a SaaS, right? Software as a service, who in turn relies on the Amazon Web Servers, AWS, to provide their infrastructure as a service, or their IaaS. Now this is also where certain reports come into play, and you’ll hear about SOC 1 and SOC 2 reports, and that stands for Systems and Organization Control reports. 
And we’re gonna discuss that in another section, but this is where the auditor who didn’t have direct access to the systems and the sub systems used by the SaaS and the IaaS providers. Therefore the auditor generally will rely on the reports of the review of the controls and the results of control testing for these service organizations. So for example, payroll processing, right? A lot of us outsource payroll processing, and that company, what are some payroll companies, I’m trying to think anyway… These companies, we don’t audit their financial statements, someone else goes out there and they give us one of these SOC reports, right? A System Organization Control report, and they give us a report saying, yes, ADP, right? ADP looks like their books and records are good. So we’re not the one auditing ADP’s control, someone else is, and we get that report called a system and organization control report. And that way, you know, we’re getting that report. So we feel like, okay, because this number on the financial statements, right, whose statements are they? It’s management, so this number on the financial statements, that from pay personnel and payroll that was calculated externally, but we get the report from the auditor who audited company, because management is also concerned with the SOC report to be sure that they too have complementary controls in place as well. Now, with cloud deployment methods, clouds could be available to a single organization, or multiple organizations. So we talk about public, private, hybrid for example. So there’s four general types that we’re going to look at. So we’re gonna have public, private, hybrid, community. So with public cloud, the public cloud, that’s where a service provider makes resources available to exactly that, the public, and that’s through the internet. So it could be things like storage or applications, or software, right? So AWS and Microsoft Azure, as I said earlier, those would be examples of public cloud. 
Private cloud, this is where the services are offered over the internet or a private internal network, but only to select users. So instead of to the general public, the data is more private, right? So the data is controlled within the company. So for example, like disaster recovery, right? That would be where I’m trying to recover my data, in case I lose it. A hybrid is kind of a mixture of public and private. And so it makes a private cloud with one or more public cloud services. So it’s a mix of vendor cloud services, internal cloud computing architectures, and classic IT infrastructure. AWS also offers this kind of hybrid cloud as well. And then we have a community cloud, that’s where the cloud infrastructure is shared by several companies, and supports a specific community that is a shared concern. So they might, for example, have a similar mission or similar objectives, similar security requirements. So this allows systems and services to be accessible by a group of several different organizations, call that community, that way they can share the information. So for example, IBM SoftLayer cloud for federal agencies, so you’ve got all these agencies that would be that community. Salesforce also now offers some of these different types of services as well. Now, when we talk about these cloud-based service arrangements, obviously there are advantages, and of course there’s always risks. So what are some of the advantages? First of all, global access, right? Services are available to any location, including remote, or at home, or worldwide globally, right? That’s a good thing, can also be a risk, but that’s a good thing. Another advantage, uniform deployment. Users have uniform or the same experience, and the same version of all cloud hosted applications. Centralized administration, administration verification, and access can be controlled from a central location for all the users and the cloud hosted applications, so that’s centralized. 
Now, what are some of the risks? Security risks, obviously. As I said earlier, it’s global, which could be great, but it’s also global, that introduces identity and access management risks, for example, as well as cyber threats, right? Because global, all of a sudden, you’ve got Russia coming in and trying to break in. Deployment risk, since this subscriber doesn’t control the applications or hardware, we’re relying on the cloud service vendor to do things like updates and upgrades, and we’re hoping they’re doing it correctly, and we’re hoping they do it on a timely basis, because they’re the ones making this available to us. Finally, service delivery risk, their service may be disrupted, and it wasn’t any fault of ours, right? The subscriber did nothing wrong, but all of a sudden our service is interrupted. So obviously, those would be some of the different types of risks. All right, we have other business systems as well. For example, transaction processing systems. That deals with where we’re recording transactions. So for example, processing transactions, like airplane reservations, right? We’re sitting there going, I’m tired of studying, I’m burnt out, I need a vacation. You go online and you go, I’m gonna book a vacation. Or payroll processing, right? Deals with the dinero, the dollars. Cash receipts, disbursements. So the computer is recordkeeping and reporting the information, that’s transaction processing. Management reporting systems are used to provide us with timely information to help us make management type decisions. So that would be management reporting. Now some other business systems include things called decision support systems, and that provides the user with easy access to decision models and data. And that way it helps us to support the decision-making CAS, hence the name decision support. Customer Relationship Management, it’s called CRM, and that’s used to manage the customer relationship data. 
So things like marketing and sales, and business development data, right? Because you want to have that with all the different customers. You want to keep data, keep clear information, who you’ve talked to, who you haven’t, when you talk to them last and so on, and that can be part of an ERP system, and it is used to keep track of past, present, and potential customers looking back currently, and the future as well. A supply chain management called SCM, and talks about the flow of the supply chain, the goods from the supplier all the way through to the customer. So we’re gonna manage the supply chain, and that includes things like purchasing, conversion, right? Let’s say we have raw materials, work in process, finished goods. We’re converting into a finished good, and then logistics processes. We want to know logistically, where is the stuff? Where is it, where’s the beef? All right, it’s used by purchasing, manufacturing, warehousing, and also their shipping department. We have executive support information, and this helps to support executive decisions. And this would be for things that are non-routine decisions, like identifying new acquisitions, what should we acquire? What companies, what businesses, what industries also keeping track of things like competitors. Analytical processing system, that’s software to analyze data, to retrieve data, to ask questions, to analyze it, right? Analytical processing. Expert system, that uses AI. AI is known as artificial intelligence, and that has a built-in hierarchy of rules acquired from human experts, right? So the system helps define the problem, and provide recommendations to solve the problem. Now, how do transactions get processed? And this deals with how do we get information into the system? We can do batch processing, or online real-time processing. Batch processing is where you accumulate data, and you accumulate and periodically batch it into the system. 
So for example, there’s a delay between when the transaction occurs, and the books and records are updated. Like, you go to the bank to make a deposit. So I go to the bank, make a deposit, they’ll take it, periodically batch it into the system. That’s like a periodic inventory system. Online, real time, OLRT, or online transaction processing, OLTP. That would be more of an immediate. In other words, as the transaction occurs, it immediately updates the books and records. We call that more of a perpetual or ongoing online real-time inventory system. Let’s say I take money out of the bank, withdrawals. Well the withdrawal better get recorded immediately, otherwise I could go to another branch, and take more money out because it hasn’t been processed. So you want to make sure those things are processed immediately, that’s what we’re talking about between batch processing, there’s a little delay. Online real time is immediate. All right, let’s talk about IT enablement. Now, in the olden days, we used computers to crunch numbers for example, and that was about it. Now we use technology to be more efficient, to reduce costs, to ensure that data is accurate and timely. And this is achieved through what we call business process re-engineering or BPR. And that’s when you redesign business processes, things that we normally do in the company, to use newer technologies in order to automate manual tasks, and then obviously capture the data that you need. Now, this was easily achieved because computers, they got faster, they got more powerful, they became less expensive, they got smaller, for example. So think of the iPhone, right? Your smartphone. This came out, believe it or not, 2007. I know, I feel like I’ve been living this thing forever, and I can’t imagine living without it, and that’s why my Apple stock has done so well. As far as Samsung as well, but basically it deals with mobile computing. So for example, if I had an expense in the olden days, it was all manual paperwork. 
You got the piece of paper, you filled out the expense report, you took a picture of it. You mailed it in, stick it in the mail. They got it, they opened it up. They hopefully paid it. They cut a check, they gave it to you. You got the check, you walk to the bank, you deposit the check. Now I take a picture of the receipt, I submit it on a website. It reads it, it requests the approval. They do an EFT, electronic fund transfer. The payment goes to my bank, done, all right? That’s an example of where we’re making that business process, it’s been re-engineered over time. That’s called BPR, business process re-engineering. Some other examples of technology that we may use to enhance the business process includes a big one, which is electronic commerce, or e-commerce, just doing business. Think of shopping on Amazon. EDI, electronic data interchange, blockchain, robotic process automation, RPA, artificial intelligence, which is AI. So these are all some examples. Let’s start out with e-commerce, and when I see e-commerce again, think of Amazon versus the old brick and mortar physical stores, for example. So think back on the pandemic, for example, like 2020, when the whole kind of shut down for a long time. Now, what happened? Everybody stopped going to brick and mortar stores, they all went to Amazon, went online. They went shopping. Obviously my Amazon stock, thank goodness I had some, went crazy, right? ‘Cause everyone was stuck at home. What do they do? They shop. They also went out and adopted dogs, right? Everybody got a dog, which was great until they went back to work, and now the dogs are depressed, but that’s a different story. Now, when looking at this, what happened? Amazon went crazy, but the brick and mortar stores sadly went bankrupt, right? That’s why you saw these vacancies, for example. So brick and mortar stores went bankrupt. They closed their doors because they couldn’t compete. That’s because of what? E-commerce. 
Now e-commerce uses technology to enhance the processes of transactions between the company, its customer, and business partners. Now the technology used includes things like the internet, multimedia, web browsers, proprietary networks, ATMs, home banking, and their traditional approach to EDI, but mainly it’s all done, what? Through the internet. Now let’s talk about EDI, which is electronic data interchange, and that allows a company to have an inventory program. For example, automatically send an order to the supplier when your inventory quantity is running low. So for example, inventory runs below a certain level, automatically prints out a purchase order, which goes to the vendor. They fill the order, they ship the goods. That would be for example, a VAN or a value added network, which we talked about earlier. That’s when a network allows one computer to initiate an action for another. So that’s like between a supplier and a customer. Now, certain EDI considerations for us to talk to each other, what do we need? Strict standards. Now, strict standards are needed in the form of data, so both the computers understand it to ensure completeness and accuracy because we got to talk to each other in order to make that purchase order go through. Translation software is needed to convert the data between the standard used for EDI, and the form needed. Because when I send it, they’ve got to be able to take this information, and translate it so they can machine read it. And now the process of identifying which field, which is called data mapping, identifies the field. So that’s important so they can identify the fields, the information that I’m sending. Unauthorized access, we want to make sure data is encrypted. So for example, when I’m sending my credit card information through the internet, I want to make sure it doesn’t get hacked and someone steals it, so maybe it comes out with a bunch of Xs, like when you buy airline tickets, right? 
You go online, you put your credit card in. Usually you can’t read other than the last four digits, for example. You want to have a firewall to limit unauthorized access firewall programs, that’s a firewall program or a device, it prevents unauthorized access into your network. For example, in your car when you’re driving, that area between you and the engine is called the firewall. If the engine blows up, we don’t want fire coming into the car, into the cockpit and frying you for example, right? So we want to keep the fire out of you, we want to keep them out of your network. What are some advantages of EDI? It eliminates the need for human intervention, so it reduces errors and increases, what? Efficiency, ’cause I can process that, get that order out much more quickly. When inventory is automatically ordered, it shortens the business cycle, right? So that eliminates that gap between when you realize we’re out and we have to go, so it’s all computerized. Payments are automatically made and received, reduces your accounts receivable, ’cause you’re gonna get that turnover much more quickly. Some advantages, EDI enables us to communicate without the use of paper. EFT, electronic fund transfers, and sales over the internet. Scanning devices, which simplifies the recording of the process. So in other words, when you’re scanning the information, reading a QR code, it sends information to trading partners as a transaction occurs. So these are all some of the advantages. Now obviously, e-commerce risks. The challenges are proving to the buyer that the seller is who they say they are, because we have a lot of people called imposters, right? No I’m Bob Smith, no I’m Bob, will the real Bob Schmidt please stand up? For example, internet dating, right? Then you go online and you go, hey, who’s this guy? He looks- I’m Raj, I’m 26 years old, right? I’m really 80. 
So, or an email that says, I’ve got $20 million for you, I’m in this country, and I just need you to send me gift cards. So, you know, we want to make sure they really are who they say they are. Some of the other risks, confidentiality, right? Potential customers are concerned about providing personal information to unknown vendors. So in other words, you want to make sure that it’s confidential, right? I just heard this commercial where they’re trying to talk about security, and it says, hey, I get free tater tots if I give you a copy of my driver’s license and my social security number, what a deal, right? So they’re trying to show you that people are too freely giving away their personal, confidential information. Data integrity, we want to make sure unauthorized alteration or deletion, you know, like getting at data integrity, make sure it doesn’t get exposed to a hacker. Availability, you want to watch my course 24/7, for example. If it shuts down, we’ve got to make sure that we have IT people on hand to fix this issue in the middle of the night. Other risks, authentication, make sure the parties prove their identities before we actually go through with the transaction. Because again, it could be sent by an imposter. We call that spoofing, spoofing. Some of the controls might be echoing of transmitted documents back to the sender, or digital signatures to prove their identity. A lot of times we have these digital signatures to make sure you are who you say you are. A non-repudiation, after the transaction is executed, authentication makes sure that neither can deny the validity or the terms of the transaction. We don’t want you to try to set it aside, you know, non-repudiation to repudiate the transaction, or have it set aside. A power shift to customers. The power now is really in the hands of the customer, because it’s very easy for them to shift between suppliers, right? In other words they go, hey, this is too much money. 
Or, I don’t like the way you’re treating me, I’m gonna buy it elsewhere, I’m gonna leave you, buh-buh bye, bye, bye, and you lose the sale. So that’s the power shift. So the shift goes to the customers, because they have lots of other opportunities, options, a lot of options out there. Misuse of information, that’s something we want to avoid. Some of the controls would be security mechanisms and procedures, firewall mechanisms between the internet and the company’s private network, a way to identify the participants. Again, you want to make sure that the information is not being misused. Improper distribution of the information, we want to make sure that the information is not being given to the wrong people. So we need routing verifications, message acknowledgement that says you actually have it. You know, when I log onto my online trading, stock trading accounts, they send me a validation code to make sure it was actually me, that I have to get from my phone in order to get into the system so I can actually access it. Another one would be reduction in the paper audit trail, which could be both good or bad, because that creates special challenges to the auditor. For example, detection risk may not be reduced through substantive testing, control risks may be reduced to achieve an acceptable level of audit risk, so it has to be reduced, so control risk must be reduced. And controls must be built into the system to ensure the validity of the information that is being captured. That my friends is what? IT enablement.
– We hope you learned a lot about this critical topic, and hopefully laughed a little as you were in class with Roger. As a UWorld Roger CPA Review student, we provide you with the tools you need to master concepts, difficult concepts, just like the ones that were discussed here, and of course pass the CPA exam. Now, actually study for the CPA exam, you are going to want to ensure that you’re not only studying with the industry’s highest quality material, both within the lectures and the questions and answers that you’re going to be practicing within, but also on a platform that’s innovative, designed for you, helping ensure that as you study, you’re having the greatest experience moving through the material even more efficiently. So, within UWorld Roger CPA Review, I’m excited to share with you a couple more features included in our courses, including our smart technology. So with our smart technology, provided within our review courses and products, is you’re going to be provided very specific targets to hit as you move through the material. The two targets are going to help you aim at ensuring that as you’re going through the quizzes, that you’re hitting the scores necessary, and practicing the right amount of questions to really ensure success on exam day. Once you hit both targets in smart path, predictive technology, you’re gonna have the confidence to move on to the next chapter. If you’re not hitting your targets, smart path is going to provide you a very clear path on what you need to do. Perhaps maybe go watch a couple more Roger lectures, take a certain part of the textbook, reread that. Continuing to practice the questions on what you need to do in order to close those gaps, hit the targets, and move through. It’s with smart path predictive technology that our students are passing the CPA exam, and going through our material three times faster. So it’s gonna save you hours of study time. 
In addition with our smart technology, we also include our digital flashcards. I highly encourage you to go check that out, that allows you to build flashcards with spaced repetition within them. Basically, as you go through the digital deck, the concepts that you’ve really mastered, you don’t need to see them right away. Let’s bury them in the digital deck, the concepts that you’re struggling with, you need to see them more often until you empty that mastery. All of this, including much more. Again, also seeing seamlessly between desktop and mobile apps. So everything was in our course, also you have access on the mobile app, therefore making every moment a study moment, whether you’re on the train or maybe standing in line, your flashcards, your Roger videos, practicing your QBank, TBS, multiple choice question you can do so all on the mobile app. So with that, I encourage you, if you have not already to go visit our website and dive right in and start your free seven day trial. While you’re in that experience, check out a couple more IT environment infrastructure questions, watch perhaps a couple more Roger lectures. Really get a good feel for what it would be like to be a student in UWorld Roger CPA Review, and join all the other students that have come before you that passed with a 94%, that pass with our program. This is an example right here of one of the many courses and products that we provide to help ensure CPA exam success, and it’s actually our most popular package, our elite unlimited course. Comes with everything that you see here plus much, much more with unlimited time access, includes that fully featured mobile app, as I already mentioned, access to all of our award-winning content, all of the things your technology, including smart path, and then also something really important, it includes free updates. Very important, because as the CPA exam continues to evolve and change, so will the course and you’ll have complimentary updates and access to them. 
Now, if you’re already in another test prep, or looking to supplement what you’re currently doing, I do want to note that we do offer per part. So single section course, so perhaps maybe not the full four part course experience, but maybe you, you know, you’re trying to audit with another review provider, and you keep getting the score 70, 71. You’re really looking to get that 75 and pass, but what you’re currently doing is just not working. Definitely encourage you to come, take a look at a single section opportunity where you would still have great access to the Roger lectures, the high quality questions, smart path, and more, and just supplement with, for example, a single section opportunity. Regardless of a single section, full course opportunity with the elite unlimited course, I highly encourage you again, go in, visit our website, try that seven day free trial and really experience what it would be like to successfully study, and pass the CPA exam with UWorld Roger CPA Review. Thank you for joining me today to learn a little bit more about IT environment infrastructure, on behalf of UWorld, Roger Philipp, and myself, I thank you, and hope you have a great day.