...Controls for Information Technology (IT) and Reporting and Evaluation Jami L. Valek ACC-544 January 28, 2013 Christine Errico

Controls for Information Technology (IT) and Reporting and Evaluation

Information Technology (IT) controls are activities that are specifically performed to ensure that business objectives are met through the use of people and systems. IT control objectives are related to the business enterprise’s confidentiality, integrity, availability of data, and the overall management of the IT functions. There are two types of IT controls: IT general controls, which are controls over the IT environment, computer operations, access to programs and data, program development and program changes; and IT application controls, which refer to transaction processing controls (“Information Technology Controls”, 2013).

IT General Controls are the foundation of a company’s IT control structure. With IT General Controls, data that is generated can be deemed more reliable and assertion that systems are operating as intended is supported. IT General Controls usually include controls that are designed to:
* Shape the corporate environment through control environment;
* Ensure that changes are authorized and meet business requirements through changes in management procedures;
* Protect the integrity of program controls through source code/document version controls procedures;
* Ensure effective management of IT projects through software development life...
Words: 507 - Pages: 3
... 63–76 Assessing Information Technology General Control Risk: An Instructional Case
Carolyn Strand Norman, Mark D. Payne, and Valaria P. Vendrzyk

ABSTRACT: Information Technology General Controls (ITGCs), a fundamental category of internal controls, provide an overall foundation for reliance on any information produced by a system. Since the relation between ITGCs and the information produced by an organization’s various application programs is indirect, understanding how ITGCs interact and affect an auditor’s risk assessment is often challenging for students. This case helps students assess overall ITGC risk within an organization’s information systems. Students identify specific strengths and weaknesses within five ITGC areas, provide a risk assessment for each area, and then evaluate an organization’s overall level of ITGC risk within the context of an integrated audit.

Keywords: internal controls; general control; ITGC; risk assessment.

INTRODUCTION

The Sarbanes-Oxley Act (SOX 2002) and the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (PCAOB 2007) require that the organization’s chief executive officer (CEO) and chief financial officer (CFO) include an assessment of the operating effectiveness of their internal control structure over financial reporting when issuing the annual report. External auditors must review management’s internal control assessment as part of an annual integrated audit of an organization’s internal controls over financial reporting...
Words: 6299 - Pages: 26
...Internal Controls for Information Technology ACC 544 September 2, 2013 Miriam Shealy Internal Controls for Information Technology Internal controls for Information Technology are important as they help protect the company’s assets. Internal controls are necessary to comply with the security of the company’s information. Internal controls will be reviewed in this document as well as how can the company review its security over their internal controls. The assets of the company need to be protected. In order to do so, the company needs to review for risks. The company needs to develop a plan for what internal control measures they would want to put into place. Internal controls will help guide how we protect our assets against threats and vulnerabilities. Threats to a company’s assets can be known or unknown. A hacker of the system can bring parts of a system down or lose some data. It also can completely take down the system. A company should have a threat agent that would help identify such a task. The IT team will need to correct and fix this quickly. It is necessary to have firewalls in the system that will help protect against vulnerabilities. Vulnerabilities for the system would be not protecting the system. If there is not a firewall or security agent assigned to the system the information can be stolen and damaged by any type of threat. The company should take steps of system control with monitoring, managing, and having back...
Words: 643 - Pages: 3
...Controls for IT and Reporting University of Phoenix Internal Controls ACC 544 August 22, 2011

Controls for IT and Reporting

As more business processes become streamlined and automated, many companies rely heavily on technology and the support from their Information Technology departments. Information technology has the largest responsibility within an organization. Information technology is responsible for the implementation and maintenance of the hardware and software within a company. Information technology is responsible for ensuring that the hardware and software are secure and align with the company’s needs, business operations, goals and objectives. Information technology serves as a mechanism of supporting internal control systems and reporting. Most information, including financial records, that are generated, circulated, and reported within a company are electronic. Therefore, the threat of information technology being compromised is prevalent. Companies must take precautions to protect their systems and choose proper internal controls for information technology and reporting. This includes evaluating the internal controls system’s effectiveness and answering the following questions:
• Is the design and operation of the internal control system up-to-date with technological advancements?
• Is the internal control system and reporting in compliance with Sarbanes-Oxley Act of 2002?
• Does the current system identify existing controls that are inefficient...
Words: 570 - Pages: 3
...here, such as Data Base Detail
Court Type (Category table)
Employee (Object table)
Equipment (Category table)
Member (Object table)
Membership Type (Category table)
Payment (Transaction table)
Rental Record (Intersection table)
Schedule (Transaction table)
Information Technology Controls for XYZ Recreation center
ADD A TITLE, such as overview of Controls
Control Details
Control classification zone
Type
Implementation
Metrics
Compensating Control
Change log
PRJ 1
PRJ 2

Executive summary

Going to the stadium is an enduring activity among Americans, especially among college students. These people are keen to exercise their bodies day by day. It brings our company, XYZ Stadium, a large number of clients and income. What’s more, other organizations are willing to rent our space to hold their activities, such as sports events. However, this good news challenges us in the management process, especially in the check-in process, which we did not think over carefully before. To mitigate these problems, our company pushes and implements a sequence of systems associated with the check-in process to control and prevent existing and potential risks. Our check-in system is mainly constituted by a main process and two sub-processes. The main process is a general and simple process which our clients will face directly. It’s an almost automatic process operated and recorded by the computer system after staffs...
Words: 5460 - Pages: 22
...characteristics of IT systems. Choose the best response.

a. Effective management of information technologies in an organization embraces the viewpoint that
(1) most technologies reduce existing risk conditions.
(2) technologies reduce some types of risks while introducing new types of risks to be managed.
(3) technologies generally increase an organization’s overall net risks.
(4) the objective of technology implementations is to increase profitability on a net basis.

b. Which of the following is generally not considered a category of IT general controls?
(1) Controls that determine whether a vendor number matches the pre-approved vendors in the vendor master file.
(2) Controls that restrict system-wide access to programs and data.
(3) Controls that oversee the acquisition of application software.
(4) Controls that oversee the day-to-day operation of IT applications.

c. As general IT controls weaken, the auditor is most likely to
(1) reduce testing of automated application controls done by the computer.
(2) increase testing of general IT controls to conclude whether they are operating effectively.
(3) expand testing of automated application controls used to reduce control risk to cover greater portions of the fiscal year under audit.
(4) ignore obtaining knowledge about the design of general IT controls and whether they have been implemented.

d. Which of the following is an example of an application control?
(1) The client uses access security software to limit access to each of the accounting...
Words: 1276 - Pages: 6
... The system flow chart of the existing system is as follows:

Answer c: There are many physical internal control weaknesses present in the given system. Some of them are described here.
* Physical count of inventory
* wasteful and inefficient use of resources
* poor management decisions
* unintentional errors recording or processing data
* accidental loss or destruction of records
* loss of assets through employee carelessness
* lack of compliance by employees with management policies

The above are all the some weaknesses which are not present. If management wants to overcome these weaknesses in a short time, then first change the policy and make a new strategy and immediately implement it in the business to get good results in less time. If the organization keeps going on the old policies and with the weaknesses, then it will lead to a failure or maybe a shutdown of operations in future.

Internal control means different things to different people. This causes confusion among businesspeople, legislators, regulators and others. Resulting miscommunication and different expectations cause problems within an enterprise. Problems are compounded when the term, if not clearly defined, is written into law, regulation or rule. This report deals with the needs and expectations of management and others. It defines and describes internal control to:
1. Establish a common definition serving the needs of different parties.
2. Provide a standard against...
Words: 1027 - Pages: 5
...Information System Auditing Assignment Name ACC/542 Date Sanders Moran Information System Auditing Assignment The article selected for this assignment is titled “Implementing the IT-Related Aspects of Risk-Based Auditing Standards”. It is an overview of the importance of performing a Risk-based audit and the necessary steps auditors take in implementing risk assessment within their audit. Two sets of standards drove the need for risk assessment for IT controls. The first; AICPA SAS 104-111 (Risk Assessment Standards Toolkit) which covers the risk assessment standards and the key points auditors need to consider when incorporating them in an audit. Second, PCAOB AS 5; Audit of Internal Control over Financial Reporting that is Integrated with an Audit of inherent risk. My paper will cover the following topics outlined in the article: benefits of risk-based auditing, planning a risk assessment procedure, gaining an understanding of the IT environment, risk assessment, determining whether further audit procedures (FAP) are necessary, designing and performing FAP, and evaluating Audit Findings. Recommended approach and Benefits of Risk-Based Auditing The layout of the article closely resembles the top-down approach that is required by AS 5. This approach is basically how the auditor performs their auditing procedures; not necessarily the order in which they do them. Top-down “begins at the financial statement level and with the auditor’s understanding of the overall risks...
Words: 1103 - Pages: 5
...always evaluate the design and test the operating effectiveness of a company’s internal control. The key procedures of the evaluation of design are fulfilled by inquiries, observations, and inspections. The same procedures can be used to test the operating effectiveness as well. Re-performance of controls is another method to test the operating effectiveness depending on different situations. Some of the key considerations related to the evaluation of design and the testing of operating effectiveness are summarized as follows:

Information technology considerations

Auditors should understand a company’s information technology (IT), including the system-generated data and reports, which are required by PCAOB. When assessing a company’s risk of material misstatement, auditors should pay great attention towards both manual and automated controls equipped by the company. Auditors should identify the control activities from the internal IT system performed by management. Just like the case stated, when testing the risk #1 and #2, auditors use the company’s manual or automated IT controls. This obviously requires auditors to obtain enough understandings over ZOU’s IT system. Auditors use the knowledge to identify the preventive and detective controls, which helps to evaluate the design. Information technology general controls (ITGC) are important aspects of a company’s manual or automated controls. The effectiveness of a...
Words: 1930 - Pages: 8
...Kyle Welch 2/19/2015 Fraud Paper In the movie “Office Space”, three men at an Information Technology company begin to commit computer fraud. They embezzle (steal) a fraction of a penny from each of the company’s financial transactions to a separate account of their own. Because the amount of money seems so small, it seems unlikely that anybody would notice the missing money. The fraud they commit in the movie is referred to as misappropriation of assets, which is the embezzlement of company assets by directors, other fiduciaries or employees. Misappropriation of assets is the most common and widespread fraud reported by companies. Whenever an employee commits fraud it is because of three elements, either combined or individually the reason behind their crimes. The first reason somebody would commit fraud is pressure, their incentive. In the movie “Office Space”, the main character seems to feel emotional pressure to steal from the company. He maybe had strong feelings of resentment to the company or felt they were treating him unfairly. He was constantly called in to work on weekends when he was supposed to be off, and also was not receiving a salary very appealing to him. The second reason somebody would commit fraud is the opportunity, the condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain. In the movie the main character has a friend at the company who says he can put a virus into their...
Words: 759 - Pages: 4
...Summary

With the proliferation of the Internet, information systems have become increasingly essential for the performance of firms, since they can provide conveniences and create a source of competitive advantage. The major objective of the report is to explore some accounting information systems related issues, in order to provide a clear and logical overview of accounting information systems. To be more specific, first of all, the report will attempt to discuss four questions about SOX, sequential, non accounting services and physical control. After that, the report will analyze two case studies, and then discuss the relevant topics related to accounting information systems in detail.

Content

Introduction
The influences of SOX on provision of attest and advisory services
Background Information on SOX
Description of attest and advisory services
Influences of SOX on attest and advisory services
Comparison among sequential, block, group alphabetic and mnemonic codes
The rationality of non accounting services for external auditors
Prohibited non-audit services
Argument on prohibition
Six Classes of Physical Controls
Case of Bern Fly Rod Company
The previous situation
Potential internal control issues and exposures
Preventive measures for Bern Fly Rod Company
Case of Stand-Alone PC-Based Accounting System
Physical internal control weaknesses
IT Controls in PC-Based Accounting System
Conclusion
...
Words: 3055 - Pages: 13
...Guide to Internal Control and Internal Control Services

Members in government, both managers and auditors, must understand the concepts of internal control and independence and the effect they have on the CPA practitioners that the government hires for both its financial statement audits and for other nonaudit engagements related to internal control services. As auditing standards have evolved, the auditors may no longer default to a maximum control risk but now should obtain a sufficient understanding of internal control by performing risk assessment procedures to evaluate the design of controls relevant to an audit of financial statements and to determine whether they have been implemented.1 This may result in the auditor spending additional time. Additionally, internal control deficiencies identified by an auditor that upon evaluation are considered significant deficiencies or material weaknesses should be communicated in writing to management and those charged with governance.2 This standard also has led to a great deal of discussion about what is or is not a control and what role an auditor can play, with respect to the client’s system of internal control. Even if a CPA practitioner does not perform audits but performs reviews and compilations, it is important that he or she understand internal control because of the possible independence ramifications. A CPA practitioner’s independence would be impaired if he or she establishes or maintains internal control for a client.3 This...
Words: 4795 - Pages: 20
...Chapter 12 Take Home Quiz

1. Typical controls developed for manual systems which are still important in IT systems include:
a. proper authorization of transactions.
b. competent and honest personnel.
c. careful and complete preparation of source documents.
d. all of the above.

2. ______ controls prevent and detect errors while transaction data are processed.
a. Software
b. Application
c. Processing
d. Transaction

3. Which of the...
Words: 501 - Pages: 3
...Case 13-9 ZOU’s Fencing Controls ZOU Fencing Inc. (ZOU Fencing or the Company) is a public company in the United States that files quarterly and annual reports with the SEC. ZOU Fencing has five manufacturing facilities located in Missouri and produces and provides chain-link fencing to customers throughout the Midwest (Wisconsin, Indiana, Michigan, Ohio, Illinois, and Iowa) via rail car. ZOU Fencing sells chain-link fencing to customers under free on board (FOB) shipping point terms. Therefore, revenue is recorded when goods are shipped from the respective warehouse. ZOU Fencing currently uses a sophisticated warehouse management system (the Warehouse K-Series System), which allows the Company to (1) record sales upon shipment of goods out of the warehouse, (2) automatically price fence sales on the basis of standard pricing tables, and (3) generate multiple reports for the evaluation of ZOU Fencing’s operations. Engagement Team Note: Materiality was determined to be $5 million. At year-end, the engagement team evaluated the internal controls related to revenue. This evaluation was done through inquiries of appropriate personnel and consideration of the results of other audit procedures including: (1) updating the risk assessment procedures (including the understanding of internal control) and substantive procedures, (2) considering the result of the entity’s monitoring of controls (or our testing of the entity’s monitoring of controls), and (3) obtaining an update...
Words: 2449 - Pages: 10
...IT General Controls Risk Assessment Report Foods Fantastic Company Thomas Woods 12/7/2012

Background:
In accordance with our IT audit plan, the Foods Fantastic Company (FFC) Audit Team has performed an ITGC review of the 5 critical ITGC areas and in-scope applications so as to enable the audit team to follow a controls-based audit approach and be able to rely on the IT controls in place at FFC. FFC is a publicly traded, regional grocery store located in the mid-Atlantic region which relies on many state-of-the-art IT systems and software and which are all managed in-house.

Purpose:
We hope to gain comfort that FFC’s systems, IT practices, and risk management procedures are working properly and are operationally effective within a well-controlled IT environment and to meet the requirements that are outlined in SAS 109 and SOX Section 404 Management Assessment of Internal Controls. Considering that the FFC IT environment has a direct impact on the account balances and financial statements, it is imperative that we provide assurance over IT controls prior to the financial statement audit and assess the risk of material misstatement in the different areas of the IT environment.

Scope:
Our team initially reviewed key provisions included in SAS 109, SOX Section 404, PCAOB Auditing Standard No.5, and FFC policies...
Words: 1551 - Pages: 7