ITGC Audit Process
Why are IT General Controls important to the audit?
ITGCs help ensure that application and IT Dependent manual controls continue to function as designed -they are pervasive
Change Management
-Approve Change -Test Change -Ensure code modification/development is performed in a segregated, controlled environment (separate from production)
The best application control is a ____ control.
AUTO
ITGCs are what kind of control?
Internal and Prevent Controls
What will tell you if the report design has been changed?
Change Management
A Change Management Process weakness could lead to:
-Inaccurate data in the system -Increased audit testing
User Accounts
-Practice separation of duties -Should create audit trails -Each person has a unique User ID and login info
Configurable controls:
-Require more testing -Involves the issue of Separation of Duties of Change Management and Audit Logs -Can be turned on and off
Super User Account
-a role that can typically do everything in the system -generally someone in IT has this role, not someone on the business side -generally only one person in this role
Any time we have master data that feeds into automatic application controls...
...we often have ITD Controls set in place to monitor the accuracy of the master data
What is the sample size for Automated Application Controls Testing?
1
3 Environments of Change Management
1. Development - developers should never have access to production 2. Testing - separation of duties, documentation 3. Production - separation of duties - only change management staff have write access
Inherent Application Controls:
1. Have an initial audit sample size of 1 2. often require test data to be prepared to fully test the control
ITGCs are test by financial statement auditors to...
1. Help provide reasonable assurance that ITD-manual controls operated correctly during the entire audit period 2. Help determine if automated application controls can be relied upon to help produce accurate data in the financial statements
What are the different ITGCs?
1. Management system and application changes (Change Management) 2. Logical Access Controls 3. Operations Controls
ITGC: Change Management Process
1. Request Change 2. Development Environment 3. Testing 4. Promote Change 5. Back-Out Procedures 6. ITD Report Reconciliations
A company has the following control in place; all user account creation requests must be documented by the Business Process Owner; reviewed and implemented by the IT Systems Administrator. Your sample for testing this control should come from:
All accounts created from past year. -you are comparing all of the created accounts against proper documentation
CrUD
Create, Update, Delete -Falls under Separation of Duties (SOD) -Who has access to create, update, and delete data in the system at any step in the process
Separation of Duties
Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records.
IT General Controls (ITGC)
IT processes and related controls that are generally applied to support the computer application level -they support automated application controls -they support the ITD controls
What determines who can run reports?
Logical Access Controls (LAC)
What determines who has access to the underlying data on a report?
Logical Access Controls (LAC)
ITD Control Test Sample Size
Many
Logical Access Controls (LAC)
Role-Based access control -only people that actually are Sales Reps should be assigned the Sales Rep role
Access Rights
The Sales Rep role should only be able to do things within the system on a Need-to-Know basis
ITD Control Validation and Testing Example:
To validate the design of the report: 1. Add a new Vendor in test/training environment 2. Run the VendorAdditionITD_Query_Report from the test/training environment and confirm that the Vendor entered is displayed on the report appropriately 3. Confirm that report can't be changed after it is created by the system 4. Confirm SQL