IT General Controls are one of the most important areas to review as part of C-SOX key controls. It makes sense – almost all businesses use some form of ERP system, including automated financial reporting systems. The accuracy and reliability of financial reporting depend to a large extent on the IT controls that an organization has in place. IT controls are usually separated into IT Application Controls and IT General Controls.
IT Application Controls – these are controls that relate to specific software applications and to individual transactions. For example, a company would usually restrict which personnel are authorized to access its general ledger in order to revise the chart of accounts, post or approve journal entries, and so on. To enact this policy and restrict access, the general ledger software package must provide the necessary functionality. Furthermore, assuming the functionality exists, does the company have a policy in place, and is there evidence that the general ledger authorizations align with the policy? Controls around application access are obviously very important and need to be reviewed closely as part of the certification process.
In my experience, IT Application controls are extremely important to monitor. Consider the impact of incorrect pricing on reported revenues. The employees that have access to change pricing within the ERP system should be authorized by the appropriate level of management. A list of employees having access to pricing modifications should be reviewed periodically. Furthermore, the system should be secure so that only authorized employees can have access. This may sound very logical and straightforward, but without ongoing vigilance and monitoring by management, it is very likely that some unauthorized employees may have access. Incorrect pricing leads to incorrect revenues. Remember – revenue recognition has been cited as the number one cause of errors regarding financial reporting.
IT General Controls – similar to Entity Controls, these are also considered to be “pervasive” controls that relate to the overall management of the information systems and processing environments that internal controls depend upon. The CICA Handbook specifically mentions program development, program changes, computer operations, and access to programs and data as being within scope. Some of the key processes/controls that need to be reviewed include:
• Eliminating unauthorized or incompatible user access to IT applications.
• Ensuring the accuracy and completeness of data within applications and transferring between applications (interfaces).
• Changing the functionality or development of IT applications.
• Creating, storing and accessing backup information, physical security and infrastructure management.
• Spreadsheet Controls (EUCA – End User Computer Applications – Excel, Access etc.).
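The periodic access review described above (who may change pricing, who may both post and approve journal entries, and whether one person holds both program-change and computer-operation access) can be run as a reconciliation job. The following is an added example, not code from the original post: it compares a constructed ERP access export against a constructed management-approved authorization list and a small segregation-of-duties matrix; the function codes, field names and function names are assumptions.

```python
# Added example (not from the original post): a periodic user-access review
# that reconciles a constructed ERP access export against a constructed
# management-approved authorization list and a segregation-of-duties matrix.
# Function names, field names and the function codes are assumptions.
import csv
import io

# Constructed sample: ERP access export, one (user, function) row per grant.
ACCESS_EXPORT = """user,function
alice,je_post
alice,je_approve
bob,price_maintain
carol,price_maintain
dave,program_change
dave,computer_operate
erin,je_post
"""

# Constructed sample: grants approved by management; frank has since left.
APPROVED = {("alice", "je_post"), ("bob", "price_maintain"),
            ("dave", "program_change"), ("erin", "je_post"),
            ("frank", "je_approve")}

# Incompatible pairs from the post: posting vs approving journal entries,
# changing programs vs operating the computer on live data.
SOD_CONFLICTS = [frozenset({"je_post", "je_approve"}),
                 frozenset({"program_change", "computer_operate"})]


def load_access(export_text):
    """Parse the CSV export into {user: set(function codes)}."""
    access = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        access.setdefault(row["user"], set()).add(row["function"])
    return access


def review_access(access, approved, conflicts):
    """Return (kind, user, detail) exceptions: unauthorized (provisioned, not
    approved), stale_approval (approved, not provisioned), sod_conflict."""
    provisioned = {(u, f) for u, fs in access.items() for f in fs}
    exceptions = [("unauthorized", u, f) for u, f in sorted(provisioned - approved)]
    exceptions += [("stale_approval", u, f) for u, f in sorted(approved - provisioned)]
    for user, funcs in sorted(access.items()):
        for pair in conflicts:
            if pair <= funcs:  # both incompatible functions held by one user
                exceptions.append(("sod_conflict", user, "+".join(sorted(pair))))
    return exceptions
```

The exception list is what management signs off on each review cycle; a stale approval is worth flagging too, because an approval that no longer matches a live grant is a sign the authorization list itself is not being maintained.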
In essence, the IT function within a company is the source of the majority of data, information and reports – management relies on this to prepare financial statements, and therefore it is critical that strong controls exist in this environment.
The auditing text that I am using as part of the CGA Executive program has some excellent information, and I am including some excerpts from Auditing, an International Approach, Smieliauskas and Bewley, Pages 232-233.
“IT General controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. These controls apply to mainframe, server, and end-user environments. General IT controls commonly include:
• Controls over data centre and network operations
• System software acquisition, change and maintenance
• Access security
• Application system acquisition, development, and maintenance.
Other IT General control activities include physical controls such as:
• Physical security of assets, including adequate safeguards such as secured facilities over access to assets and records,
• Authorization for access to computer programs and data files.
• Periodic counting and comparison with amounts shown on control records, e.g., comparing the results of cash, security, and inventory counts with accounting records.
Separation of the duties performed by analysts, programmers and operators is another important general IT control. The general idea is that anyone who designs a processing system should not do the technical programming work, and anyone who performs either of these tasks should not be the computer operator when “live” data are being processed. Persons performing each function should not have access to the equipment. Computer systems are susceptible to manipulative handling, and the lack of separation of duties along the lines described should be considered a serious weakness in general control. The control group or similar monitoring by the user departments can be an important compensating factor for weaknesses arising from lack of separation of duties in computerized systems”.
In my experience, IT audit professionals are often involved with IT General and IT Application controls review and testing. I would certainly agree that the IT professional should have involvement and oversight during the initial documentation and design of C-SOX tests; however, since internal controls are at the heart of these projects, accounting professionals who have a solid knowledge of financial reporting and internal controls are also very well equipped to manage these projects successfully.