Assessing Information Technology General Control Risk: An Instructional Case
Carolyn Strand Norman, Mark D. Payne, and Valaria P. Vendrzyk
ABSTRACT: Information Technology General Controls (ITGCs), a fundamental category of internal controls, provide an overall foundation for reliance on any information produced by a system. Since the relation between ITGCs and the information produced by an organization’s various application programs is indirect, understanding how ITGCs interact and affect an auditor’s risk assessment is often challenging for students. This case helps students assess overall ITGC risk within an organization’s information systems. Students identify specific strengths and weaknesses within five ITGC areas, provide a risk assessment for each area, and then evaluate an organization’s overall level of ITGC risk within the context of an integrated audit.
Keywords: internal controls; general control; ITGC; risk assessment.
INTRODUCTION
The Sarbanes-Oxley Act (SOX 2002) and the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (PCAOB 2007) require that the organization’s chief executive officer (CEO) and chief financial officer (CFO) include an assessment of the operating effectiveness of their internal control structure over financial reporting when issuing the annual report. External auditors must review management’s internal control assessment as part of an annual integrated audit of an organization’s internal controls over financial reporting. In short, accountants—external auditors, internal auditors, and management accountants at all levels—are actively involved in helping their respective organizations comply with SOX-related internal control requirements. Because of the pervasiveness of IT in organizations, the information systems themselves contain many internal controls. As a result, both internal and external auditors must develop an understanding
References:
American Institute of Certified Public Accountants (AICPA). 2006. Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. Statement on Auditing Standards (SAS) No. 109. New York, NY: AICPA.
Ashbaugh, H., K. Johnstone, and T. Warfield. 2002. Outcome assessment of a writing-skill improvement initiative: Results and methodological implications. Issues in Accounting Education 17 (2): 123–148.
Bagranoff, N., and P. Brewer. 2003. PMB investments: An enterprise system implementation. Journal of Information Systems 17 (Spring): 85–106.
Committee of Sponsoring Organizations (COSO). 1992. Internal Control—Integrated Framework. New York, NY: AICPA.
———. 2004. Enterprise Risk Management—Integrated Framework. New York, NY: AICPA.
Coppage, R., and G. French. 2002. Restructuring management accounting education. Cost Management 16 (2): 40–49.
Janvrin, D. 2003. St. Patrick Company: Using role-play to examine internal control and fraud detection concepts. Journal of Information Systems 17 (Fall): 17–39.
Messmer, M. 2001. Enhancing your writing skills. Strategic Finance 82 (7): 8–10.
O’Donnell, E., and J. Moore. 2005. Are accounting programs providing fundamental IT control knowledge? The CPA Journal 75 (5): 64–66.
Public Company Accounting Oversight Board (PCAOB). 2007. An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Auditing Standard No. 5. Washington, D.C.: PCAOB.
Reinstein, A., and M. Houston. 2004. Using the Securities and Exchange Commission’s “plain English” guidelines to improve accounting students’ writing skills. Journal of Accounting Education 22 (1): 53–67.
Riordan, D., M. Riordan, and M. Sullivan. 2000. Writing across the accounting curriculum: An experiment. Business Communications Quarterly 63 (3): 49–59.
Rothenburg, E. 2002. How writing across the curriculum can be incorporated into accounting programs. The CPA Journal 72 (4): 14.
Issues in Accounting Education, February 2009