Controls (ITGCs) Information Technology (“IT”) environments continue to increase in complexity with ever greater reliance on the information. IT general controls (ITGC) are the basic controls that can be applied to IT systems Logical access controls over applications, data and supporting infrastructure. Effect of ITGC on Application. Controls. • Effective IT general controls: – Help make sure that application controls function effectively over time.
|Published (Last):||9 November 2010|
|PDF File Size:||20.11 Mb|
|ePub File Size:||7.19 Mb|
|Price:||Free* [*Free Regsitration Required]|
In business and accountinginformation technology controls or IT controls are specific activities performed by persons or systems designed to ensure that business objectives are met.
They are a subset of an enterprise’s internal control. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise. IT controls are often described in two categories: ITGC include controls over the Information Technology IT environment, computer operations, access to programs and data, program development and program changes.
IT application controls refer to transaction processing controls, sometimes called “input-processing-output” controls. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. IT departments in organizations are often led by a Chief Information Officer CIOwho is responsible for ensuring effective information technology controls are utilized.
They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC usually include the following types of cobtrols. IT application or program controls are fully automated i. These controls vary based on the business purpose of the specific application.
These controls may also help ensure the privacy and security of data transmitted between applications.
Categories of IT application controls may include:. Financial accounting and enterprise resource planning systems are integrated in the initiating, authorizing, processing, and reporting of financial data and may be involved in Sarbanes-Oxley compliance, controsl the extent they mitigate specific financial risks. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities.
It also recommends best practices and methods of evaluation of an enterprise’s IT controls. The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective iygc to each individually and in aggregate.
SOX part of United States federal law requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports Section and require public companies to establish adequate internal controls over financial reporting Section Passage of SOX resulted in an increased focus on IT controls, as these support financial processing and therefore fall into the scope of management’s assessment of internal control under Section of SOX.
This scoping decision is part of the entity’s SOX top-down risk assessment. In addition, Statements on Auditing Standards No. To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part.
In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on ckntrols financial reporting process. For instance, IT application controls that ensure completeness of transactions can be directly related to financial assertions.
Access controls, on the other hand, exist within these applications or within their supporting systems, jtgc as databasesnetworks and operating systemsare equally important, but do not directly align to a financial assertion.
Application controls are generally aligned with a business process that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process and mitigate specific material conrrols risks. This focus on risk enables management to significantly reduce the scope of IT general control testing in relative to prior years.
Fines and imprisonment for those who knowingly and willfully violate this section with control to 1 destruction, alteration, or falsification of records in federal investigations and bankruptcy and 2 destruction of corporate audit records. Section requires public companies to disclose information about material changes in their financial condition or operations on a rapid basis.
Companies need to determine whether their existing financial systems, such as enterprise resource management applications are capable of providing data in real time, or if the organization will need to add such capabilities or use specialty software to access the data.
Companies must also account for iygc that occur externally, such as changes by customers or business partners that could materially impact its own financial positioning e.
Information technology controls
To comply with Sectionorganizations should assess their technological capabilities in the following categories:. Section of Sarbanes-Oxley requires public companies and their public accounting firms to maintain all audit or review work papers for a period of five years from the end of the fiscal period in which the audit or review was concluded.
This includes electronic records which are created, sent, or received in connection with an audit or review.
As external auditors rely to a certain extent on the work of internal audit, it would imply that internal audit records must also comply with Section iitgc In conjunction with document retention, another issue is that of the security of storage media and how well electronic documents are protected for both current and future use.
The five-year record controols requirement means that current technology must be able to support what was stored five years ago.
Information technology controls – Wikipedia
Audit data retained today may not be retrievable not because of data degradation, but because of obsolete equipment and storage media. Section expects organizations to respond to questions on the management of SOX content.
IT-related issues include policy and standards on record retention, protection and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more.
In addition, organizations should be prepared to defend the quality of their records management program RM ; comprehensiveness ccontrols RM i. PC-based spreadsheets or databases are often used to provide critical data or calculations related to financial risk areas within the scope of a SOX assessment.
Financial spreadsheets are often categorized as end-user computing EUC tools that have historically been absent traditional IT controls. They can support complex calculations and provide significant flexibility. However, with flexibility and power comes the risk of errors, an increased potential for fraud, ittgc misuse for critical spreadsheets not following the software development lifecycle e. To remediate and control spreadsheets, public organizations may implement controls such as:.
Responsibility for control over spreadsheets is a shared responsibility with the business contros and IT. The IT organization is typically concerned with providing a secure shared drive for storage of the spreadsheets and data backup.
The business personnel are responsible for the remainder. From Wikipedia, the free encyclopedia. Retrieved from ” https: Privacy Information technology governance.
Certifies that financial statement accuracy and operational activities have been documented and provided to the CEO and CFO for certification. Operational processes are documented and practiced demonstrating the origins of data within the balance sheet.
SOX Section Sarbanes-Oxley Act Section mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness.
Public companies must disclose changes in their financial condition or operations in real time to protect investors from delayed reporting of material events.