Vol. 24, No. 1
February 2009 pp. 63–76
Assessing Information Technology General Control Risk: An Instructional Case
Carolyn Strand Norman, Mark D. Payne, and Valaria P. Vendrzyk
ABSTRACT: Information Technology General Controls (ITGCs), a fundamental category of internal controls, provide an overall foundation for reliance on any information produced by a system. Since the relation between ITGCs and the information produced by an organization’s various application programs is indirect, understanding how ITGCs interact and affect an auditor’s risk assessment is often challenging for students. This case helps students assess overall ITGC risk within an organization’s information systems. Students identify specific strengths and weaknesses within five ITGC areas, provide a risk assessment for each area, and then evaluate an organization’s overall level of ITGC risk within the context of an integrated audit.
Keywords: internal controls; general control; ITGC; risk assessment.
INTRODUCTION
The Sarbanes-Oxley Act (SOX 2002) and the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (PCAOB 2007) require that the organization’s chief executive officer (CEO) and chief financial officer (CFO) include an assessment of the operating effectiveness of their internal control structure over financial reporting when issuing the annual report. External auditors must review management’s internal control assessment as part of an annual integrated audit of an organization’s internal controls over financial reporting. In short, accountants—external auditors, internal auditors, and management accountants at all levels—are actively involved in helping their respective organizations comply with SOX-related internal control requirements.
Because of the pervasiveness of IT in organizations, the information systems themselves contain many internal controls. As a result, both internal and external auditors must develop an understanding of
References:
Bines, J. 2002. A beginner’s guide to auditing the AS/400 operating system. Information Systems Control Journal, Volume 2. Available at: http://www.isaca.org.
Center for Public Company Audit Firms. 2004. A Framework for Evaluating Control Exceptions and Deficiencies, Version No. 3. Available at: http://cpcaf.aicpa.org.
Public Company Accounting Oversight Board (PCAOB). 2007. An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Auditing Standard No. 5. Washington, D.C.: PCAOB.
U.S. House of Representatives. 2002. The Sarbanes-Oxley Act of 2002. Public Law 107-204 [H. R. 3763]. Washington, D.C.: Government Printing Office. See also: http://www.sarbanesoxley.com.
Issues in Accounting Education, February 2009