IT General Controls
In a general sense, COSO defines internal controls as, “A process, effected by an entity’s board of directors, management, and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations.” IT general controls (ITGCs) are internal controls applied to all components of the information technology (IT) environment, such as operating systems, IT infrastructure, databases, and supporting IT applications. ITGCs comprise three types of controls: preventive controls, which prevent errors or security breaches from occurring; detective controls, which detect errors or breaches that get past the preventive controls; and corrective controls, which fix errors or breaches once they have been detected. These controls range in nature from governance policies and procedures to the implementation of those policies. The most common areas of ITGCs are:
Logical access controls
Change management controls
IT operation controls
System development life cycle controls
The main objectives of ITGCs are to provide reasonable assurance that the development and use of the available applications align with the organization’s objectives, and to ensure the integrity of data files, IT operations, and applications. The table below provides a brief description of the objectives of the most common areas of ITGCs:
| Controls | Objectives |
|---|---|
| Change Management | Only appropriately authorized, tested and approved changes are made. |
| Logical Access | Only authorized persons have access to the system, and they can only perform specifically authorized functions. |
| System Development Life Cycle Controls | An appropriate development life cycle that fits the organization’s environment and aligns with overall objectives. |
| | Deviations from scheduled processing are identified and resolved in a timely manner. |
| Financial | Completeness, accuracy, validity and authorization of financial reporting. |
| Operational & IT | IT resources and applications continue to function properly as planned over time. |
| | Confidentiality, integrity, availability, effectiveness and efficiency. |
| | Ability to trace actions and transactions. |
IT controls provide assurance to the “business” that IT applications and processes are set up to support and carry out the “business” objectives, and that they control and/or mitigate the identified risks of the organization’s use of technology. These controls have become essential for organizations to achieve their objectives and gain competitive advantage; ineffective ITGCs will result in failure to achieve the business objectives. By identifying and understanding the key ITGCs and the risks associated with them, the CAE (chief audit executive) can create audit plans to test those controls periodically and then report the testing results and findings to the board of directors so that it can take the necessary steps. Testing the ITGCs is the auditor’s way of providing reasonable assurance to the organization’s board of directors.
Risks associated with the systems development IT general control:
There are various phases involved in systems development, and practically each phase has its own risks with respect to the systems development general control. Some of the risks associated with systems development are as follows:
Inadequate budget
Impractical project schedule
Failure to allocate appropriate resources
Changing end user needs
Non-compliance with industry regulations
Lack of communication between project management team and system designers/developers
Inaccurate data conversion
Improper documentation of plan, design and maintenance
Examples of control objectives for system development:
As new system development involves significant financial transactions, controls should provide reasonable assurance that the newly developed system accurately processes and reports these transactions.
An adequate SDLC methodology has been established to serve as a basis for controlling development and maintenance activities, and the SDLC methodology is consistent with the organization’s business and end-user objectives and strategies.
User acceptance testing must be performed for all system development projects. User signoff is required before the system can be migrated into the production environment.
The organization’s SDLC includes security, availability, and processing integrity requirements of the organization.
A plan, including the procedures for transfers from the development to the test environment and from the test to the production environment, is in place, and reviews and approvals of those transfers from business owners, stakeholders and senior management are obtained and documented.
The systems development methodology requires parallel and/or pilot testing plans for all new systems.
Data conversion plans should include requirements for verifying that all critical data elements in existing systems are converted into the new system.
Preventive, detective, and corrective controls for system development
Preventive controls are proactive controls that prevent errors from occurring. Preventive controls for system development are as follows:
Segregation of duties: Development and maintenance activities should be separated. Operations and maintenance duties should also be separated. Developers maintaining the software could lead to defective coding and fraud.
Monitoring: Monitoring should be in place to make sure that development is conducted in a structured manner. The application should have consistent data definitions. The organization should have standards for application development. Code reviews should be done regularly.
Documentation: User requirements should be documented. Scope should be clearly defined. Achievements should be measured. A formal process of system design should be followed to ensure that the requirements and controls are designed into the system.
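The segregation-of-duties and change-authorization points above can be turned into a detective check that runs over a change log. The following is an added example, not code from the original essay or from any of the cited sources: it scans a constructed list of production change records and flags a change with no approval or no test sign-off, a developer who approved or deployed their own change, and a deployer who also holds the developer role. The record fields, the role roster and the sample records are all assumptions made for illustration.

```python
"""Detective check for segregation of duties and change authorization.

Added example, not from the original page. Field names, the role roster and
the sample change log are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    developer: str            # who wrote the change
    approver: Optional[str]   # who approved it; None means no approval on file
    deployer: str             # who moved it into production
    tested: bool              # whether a test / UAT sign-off is recorded


# Constructed role roster (assumption): users holding the developer role.
DEVELOPER_ROLE = {"alice", "bob"}

# Constructed sample change log (assumption).
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1", developer="alice", approver="carol", deployer="dave", tested=True),
    ChangeRecord("CHG-2", developer="bob", approver="bob", deployer="bob", tested=True),
    ChangeRecord("CHG-3", developer="alice", approver=None, deployer="dave", tested=False),
]


def check_change(rec: ChangeRecord, developers=DEVELOPER_ROLE) -> List[str]:
    """Return the list of control failures for one change (empty if clean)."""
    findings = []
    # Authorization and testing: every change needs an approver and a sign-off.
    if rec.approver is None:
        findings.append("no approval on file")
    if not rec.tested:
        findings.append("no test sign-off")
    # Segregation of duties: the author must not be the approver or deployer.
    if rec.approver is not None and rec.approver == rec.developer:
        findings.append("developer approved own change")
    if rec.deployer == rec.developer:
        findings.append("developer deployed own change")
    # Development and operations duties are separated, so a deployer should
    # not hold the developer role at all.
    if rec.deployer in developers:
        findings.append("deployer holds developer role")
    return findings


def audit_changes(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map each failing change id to its findings; clean changes are omitted."""
    report = {}
    for rec in records:
        findings = check_change(rec)
        if findings:
            report[rec.change_id] = findings
    return report


if __name__ == "__main__":
    for change_id, findings in audit_changes(SAMPLE_CHANGES).items():
        print(change_id, "->", "; ".join(findings))
```

On the constructed log, CHG-1 is clean, CHG-2 fails every segregation check because one person wrote, approved and deployed it, and CHG-3 fails on authorization and testing. In practice the change log and the role roster would come from the ticketing system and the directory, and the report would be part of the periodic ITGC test evidence.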
Detective controls are reactive controls that identify a problem after its occurrence; they detect errors missed by the preventive controls. Detective controls for system development are as follows:
Analytics: The organization should have a proper analytic system to help system development in case of any problems. Analysis of problems faced earlier should be carried out.
Reviews: Reviews of the problems faced and the fixes provided should be carried out.
Monitoring: The fixes being provided should be monitored and should be in alignment with the organization’s standards. Incidents reported and the fixes provided should be documented. Proper communication with the customer should be maintained and well documented.
Corrective controls correct errors or incidents after they are detected. Corrective controls for system development are as follows:
Risk mitigation
Change the controls as needed to eliminate errors in the future
Change control management
Tests to be performed to provide reasonable assurance for control objectives:
User acceptance testing:
The purpose of this test is to make sure that the system developed conforms to the user specifications. Some tests to validate user acceptance testing:
Does the system requirement document provide adequate information?
Do all systems, developed as a unit or integrated, satisfy the organization’s standards?
Did each phase of systems development obtain necessary approvals from respective business owners?
Parallel and pilot testing:
Systems and programs developed are to be tested as a single unit and as part of an integrated system to ensure the systems are reliable and efficient. Unit testing involves testing components individually, whereas parallel testing involves multiple systems or programs and checks for compatibility. Below are a few tests to validate the testing of system development:
Does the testing document provide adequate information?
Does unit testing produce the desired output?
Are all system units compatible during integrated testing?
Was every unit tested?
Did testing meet the audit requirements?
Data conversion:
Conversion of data from an existing system is a crucial process for the developed system to function according to business and user requirements. The following are some tests to check whether the data conversion is accurate:
Is data conversion required for the developed system?
What data validation procedures are in place?
What methods are being used to convert data from the existing system?
Is there a backup strategy in place?
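The data conversion control objective earlier in the essay (verify that all critical data elements in the existing system are converted into the new system) and the data conversion tests just listed both come down to a reconciliation between the source extract and the converted data. The following is an added example, not code from the original essay or from any of the cited sources: it compares a constructed legacy extract with a constructed extract from the new system and reports missing records, records with no source, mismatches in critical fields, duplicate keys on either side, and control totals. The record layout, the key and field names and the sample rows are all assumptions made for illustration.

```python
"""Data conversion reconciliation between a legacy and a converted data set.

Added example, not from the original page. The record layout and the sample
rows are constructed for illustration.
"""
from collections import Counter
from decimal import Decimal
from typing import Dict, Iterable, List, Tuple

# Constructed legacy (source) extract.
LEGACY = [
    {"acct": "1001", "name": "Acme Ltd", "balance": "1250.00"},
    {"acct": "1002", "name": "Beta Co", "balance": "80.50"},
    {"acct": "1003", "name": "Gamma Inc", "balance": "0.00"},
]

# Constructed extract from the new system after conversion, with three
# deliberate defects: 1002's name was altered, 1003 was dropped, and 1004
# appeared without a source record.
CONVERTED = [
    {"acct": "1001", "name": "Acme Ltd", "balance": "1250.00"},
    {"acct": "1002", "name": "Beta Co.", "balance": "80.50"},
    {"acct": "1004", "name": "Delta LLC", "balance": "5.00"},
]

CRITICAL_FIELDS = ("name", "balance")


def index_by_key(rows: Iterable[dict], key: str) -> Tuple[Dict[str, dict], List[str]]:
    """Index rows by key and also return keys that occur more than once,
    since a plain dict would silently keep only the last duplicate."""
    rows = list(rows)
    counts = Counter(r[key] for r in rows)
    duplicates = sorted(k for k, n in counts.items() if n > 1)
    return {r[key]: r for r in rows}, duplicates


def reconcile(legacy, converted, key="acct", critical=CRITICAL_FIELDS, amount="balance"):
    """Compare source and target; return findings and control totals."""
    src, src_dups = index_by_key(legacy, key)
    dst, dst_dups = index_by_key(converted, key)

    missing = sorted(set(src) - set(dst))        # completeness: lost records
    unexpected = sorted(set(dst) - set(src))     # validity: records with no source
    mismatched = {}                              # accuracy: critical fields differ
    for k in sorted(set(src) & set(dst)):
        diffs = {f: (src[k].get(f), dst[k].get(f))
                 for f in critical if src[k].get(f) != dst[k].get(f)}
        if diffs:
            mismatched[k] = diffs

    # Control totals let an auditor tie the two extracts together at a glance.
    control_totals = {
        "legacy_count": len(legacy),
        "converted_count": len(converted),
        "legacy_total": sum((Decimal(r[amount]) for r in legacy), Decimal("0")),
        "converted_total": sum((Decimal(r[amount]) for r in converted), Decimal("0")),
    }
    passed = not (missing or unexpected or mismatched or src_dups or dst_dups)
    return {
        "missing": missing,
        "unexpected": unexpected,
        "mismatched": mismatched,
        "duplicates": {"legacy": src_dups, "converted": dst_dups},
        "control_totals": control_totals,
        "passed": passed,
    }


if __name__ == "__main__":
    result = reconcile(LEGACY, CONVERTED)
    print("passed:", result["passed"])
    for section in ("missing", "unexpected", "mismatched", "duplicates", "control_totals"):
        print(section, "->", result[section])
```

The check is keyed on the record identifier rather than on position so that reordering during conversion does not produce false findings, and amounts are compared as decimal strings rather than floats so that a balance of 80.50 is not reported as a mismatch because of rounding. Duplicate keys are reported separately because they are the one defect a keyed comparison would otherwise hide.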
SDLC procedures:
SDLC procedures are in place to make sure each phase is implemented in compliance with the organization’s standards. Some tests to assess the procedures are:
To what extent is the project management team responsible for systems development?
Are the design and maintenance requirements documents compliant with the organization’s standards?
Was the internal audit team involved during the systems development phases?