IT general controls (ITGC)

ITGC help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC usually include the following types of controls:
- Control environment - controls designed to shape the corporate culture or "tone at the top".
- Logical access policies, standards and processes - controls designed to manage access based on business need.
- Incident management policies and procedures - controls designed to address operational processing errors.
- Problem management policies and procedures - controls designed to identify and address the root cause of incidents.
- Technical support policies and procedures - policies to help users perform more efficiently and report problems.
- Physical security - controls to ensure the physical security of information technology from individuals and from environmental risks.

IT application controls

IT application or program controls are fully automated. These controls vary based on the business purpose of the specific application. They may also help ensure the privacy and security of data transmitted between applications.
Categories of IT application controls may include:
- Completeness checks - controls that ensure all records were processed from initiation to completion.
- Validity checks - controls that ensure only valid data is input or processed.
- Identification - controls that ensure all users are uniquely and irrefutably identified.
- Authentication - controls that provide an authentication mechanism in the application system.
- Authorization - controls that ensure only approved business users have access to the application system.
- Input controls - controls that ensure the integrity of data fed from upstream sources into the application system.

Financial accounting and enterprise resource planning systems are integrated in the initiating, authorizing, processing, and reporting of financial data and may be involved in Sarbanes-Oxley compliance, to the extent they mitigate specific financial risks.
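The following is an added example, not code from the original page, showing how several of the application control categories above (authorization, completeness checks, input controls and validity checks) look when implemented inside a batch-intake routine. The scenario is assumed: an upstream system sends a payment batch together with a control header stating the expected record count and amount total, and a role table says which submitters may feed which business process. The role table, the currency list and the two sample batches are all constructed for the illustration; the submitter is assumed to have been authenticated already, so the identification and authentication controls are out of scope here.

```python
"""Added example (not part of the original page): a batch-intake routine that
implements application controls. Scenario, role table and batch data are
constructed for illustration only."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import List, Optional, Tuple

# Constructed authorization table: submitter -> business process they may feed.
AUTHORIZED_SUBMITTERS = {"ap_clerk_01": "accounts_payable", "payroll_02": "payroll"}
VALID_CURRENCIES = {"USD", "EUR", "GBP"}  # constructed whitelist


@dataclass
class BatchResult:
    accepted: List[dict] = field(default_factory=list)
    rejected: List[Tuple[dict, str]] = field(default_factory=list)  # record-level failures
    errors: List[str] = field(default_factory=list)                 # batch-level control failures

    @property
    def ok(self) -> bool:
        return not self.errors and not self.rejected


def parse_amount(value) -> Optional[Decimal]:
    """Return the amount as a Decimal, or None if it is not a usable finite number."""
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        return None
    return amount if amount.is_finite() else None


def validate_record(rec: dict) -> Optional[str]:
    """Validity check: a rejection reason, or None when the record passes."""
    required = ("id", "vendor", "amount", "currency")
    missing = [k for k in required if rec.get(k) in ("", None)]
    if missing:
        return "missing field(s): " + ", ".join(missing)
    amount = parse_amount(rec["amount"])
    if amount is None:
        return "amount is not numeric"
    if amount <= 0:
        return "amount must be positive"
    if rec["currency"] not in VALID_CURRENCIES:
        return "unknown currency %r" % rec["currency"]
    return None


def process_batch(header: dict, records: List[dict], submitter: str, process: str) -> BatchResult:
    """Apply authorization, completeness, input and validity controls to one batch.

    `header` is the control record the upstream system sends with the batch
    (expected record count and expected amount total); reconciling against it
    is the input control that detects records lost or altered in transit."""
    result = BatchResult()

    # Authorization: only approved users for this business process may submit.
    if AUTHORIZED_SUBMITTERS.get(submitter) != process:
        result.errors.append("submitter %r is not authorized for %r" % (submitter, process))
        return result  # nothing else is processed for an unauthorized submission

    # Completeness (record count): every record the sender counted must have arrived.
    if len(records) != header["record_count"]:
        result.errors.append("record count %d != expected %d" % (len(records), header["record_count"]))

    # Completeness (control total): sum every readable amount, accepted or not,
    # so a bad record produces a visible mismatch instead of silently disappearing.
    amounts = [parse_amount(r.get("amount")) for r in records]
    total = sum((a for a in amounts if a is not None), Decimal("0"))
    if total != Decimal(str(header["amount_total"])):
        result.errors.append("control total %s != expected %s" % (total, header["amount_total"]))

    # Validity: check each record's fields and reject duplicate ids.
    seen_ids = set()
    for rec in records:
        reason = validate_record(rec)
        if reason is None and rec["id"] in seen_ids:
            reason = "duplicate record id %r" % rec["id"]
        if reason is None:
            seen_ids.add(rec["id"])
            result.accepted.append(rec)
        else:
            result.rejected.append((rec, reason))
    return result


# Constructed sample batches.
GOOD_HEADER = {"record_count": 2, "amount_total": "150.00"}
GOOD_RECORDS = [
    {"id": "P1", "vendor": "ACME", "amount": "100.00", "currency": "USD"},
    {"id": "P2", "vendor": "Globex", "amount": "50.00", "currency": "EUR"},
]
# Sender claims 3 records totalling 250.00, but one record never arrived and one has a bad currency.
BAD_HEADER = {"record_count": 3, "amount_total": "250.00"}
BAD_RECORDS = [
    {"id": "P1", "vendor": "ACME", "amount": "100.00", "currency": "USD"},
    {"id": "P2", "vendor": "Globex", "amount": "50.00", "currency": "XYZ"},
]


if __name__ == "__main__":
    for name, h, r in (("good", GOOD_HEADER, GOOD_RECORDS), ("bad", BAD_HEADER, BAD_RECORDS)):
        res = process_batch(h, r, "ap_clerk_01", "accounts_payable")
        print(name, "ok" if res.ok else "FAILED", res.errors, [reason for _, reason in res.rejected])
```

The point of keeping the batch-level `errors` separate from the record-level `rejected` list is auditability: a count or control-total mismatch is evidence about the interface and the upstream system, while a rejected record is evidence about one input, and a reviewer testing the control wants both recorded rather than a single pass/fail flag.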
COBIT

COBIT consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities.

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring. These need to be in place to achieve financial reporting and disclosure objectives. COBIT provides similar detailed guidance for IT, while the interrelated Val IT concentrates on higher-level IT governance and value-for-money issues.

The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate. The four COBIT major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.
IT controls and the Sarbanes-Oxley Act (SOX)

SOX, part of United States federal law, requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports (Section) and requires public companies to establish adequate internal controls over financial reporting (Section). In addition, Statements on Auditing Standards No.
IT controls that typically fall under the scope of a SOX assessment may include:
- Specific application transaction processing control procedures that directly mitigate identified financial reporting risks. There are typically a few such controls within major applications in each financial process, such as accounts payable, payroll, general ledger, etc. The focus is on "key" controls (those that specifically address risks), not on the entire application.
- IT general controls that support the assertions that programs function as intended and that key financial reports are reliable, primarily change control and security controls.
- IT operations controls, which ensure that problems with processing are identified and corrected.

Activities in a SOX IT control program typically include:
- Identifying the IT systems involved in the initiation, authorization, processing, summarization and reporting of financial data;
- Identifying the key controls that address specific financial risks;
- Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness;
- Documenting and testing IT controls;
- Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting processes; and
- Monitoring IT controls for effective operation over time.
To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process.
For instance, IT application controls that ensure completeness of transactions can be directly related to financial assertions. Access controls, on the other hand, which exist within these applications or within their supporting systems such as databases, networks and operating systems, are equally important but do not directly align to a financial assertion.
Application controls are generally aligned with a business process that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process and mitigate specific material financial risks.
This focus on risk enables management to significantly reduce the scope of IT general control testing relative to prior years.
IT General Controls Audit
Information technology controls