...Assessing Information Technology General Control Risk: An Instructional Case Carolyn Strand Norman, Mark D. Payne, and Valaria P. Vendrzyk ABSTRACT: Information Technology General Controls (ITGCs), a fundamental category of internal controls, provide an overall foundation for reliance on any information produced by a system. Since the relation between ITGCs and the information produced by an organization’s various application programs is indirect, understanding how ITGCs interact and affect an auditor’s risk assessment is often challenging for students. This case helps students assess overall ITGC risk within an organization’s information systems. Students identify specific strengths and weaknesses within five ITGC areas, provide a risk assessment for each area, and then evaluate an organization’s overall level of ITGC risk within the context of an integrated audit. Keywords: internal controls; general control; ITGC; risk assessment. INTRODUCTION he Sarbanes-Oxley Act (SOX 2002) and the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (PCAOB 2007) require that the organization’s chief executive officer (CEO) and chief financial officer (CFO) include an assessment of the operating effectiveness of their internal control structure over financial reporting when issuing the annual report. External auditors must review management’s internal control assessment as part of an annual integrated audit of an organization’s internal controls over financial reporting. In short...
Words: 6299 - Pages: 26
...IT General Controls Risk Assessment Report Foods Fantastic Company Siqi Li Oct 29TH 2013 Foods Fantastic Company is a public company which mainly operating regional grocery store in Maryland. This Company relies on application programs, such as bar-code scanner, to entre sales to the system. The FFC majority depends on the computer system to run their business. Based on this situation, the Information General Controls review is necessary for this company as the reason that ITGC is the foundation of every categories of the internal control. To review the ITGC will help the audit committee to determine the risk assessment of the internal controls in the company’s information system. The ITGC mainly classified by five areas, such as IT Management, Data Security, Change Management, System Development and Business Continuity Planning. The auditor need to review all the internal controls for this five area to define the risk assessment level in order to main and improve the company’s information system. This will help the company keep operating their business by using their information system correctly and continuously. As I am one of the external auditor team for Foods Fantastic Company, we work to auditor the company’s internal controls for the information technology general control respective. Our team first review the company’s internal controls through five areas that I have talked above; and set up the key aspects for review, which we specialized to suit the FFC....
Words: 1057 - Pages: 5
...Program.......................................................................7 2. OVERVIEW OF INTERNAL CONTROLS OVER FINANCIAL REPORTING 2.1 2.2 2.3 2.4 2.5 Introduction ....................................................................................................................8 Definition of Internal Control ........................................................................................8 COBIT..........................................................................................................................11 Responsibility for Internal Control System .................................................................13 Conclusion ...................................................................................................................14 3. TOP-DOWN, RISK-BASED APPROACH 3.1 3.2 3.3 3.4 3.5 Introduction ..................................................................................................................15 Risk Identification........................................................................................................17 Controls Identification .................................................................................................18 Execution and Evaluation ............................................................................................21 Roadmap for Implementation of a Top-Down, Risk Based...
Words: 45404 - Pages: 182
...State of Maryland – Risk Assessment Findings & Recommendations In the course of this Risk Assessment, we reviewed the statements that were made by Aviel. D. Rubin, professor at Johns Hopkins University, in his report dated July 23, 2013. In general, SAIC made many of the same observations, when considering only the source code. While many of the statements made by Mr. Rubin were technically correct. Mr. Rubin did not have a complete understanding of the State of Maryland’s implementation of the AccuVote-TS voting system, and the election process controls or environment. The State of Maryland procedural controls and general voting environment reduce or eliminate many of the vulnerabilities identified in the Rubin report. However, these controls, while sufficient to help mitigate the weaknesses identified in the July 23 report, do not, in many cases meet the standard of best practice or the State of Maryland Security Policy. This Risk Assessment has identified several high-risk vulnerabilities in the implementation of the managerial, operational, and technical controls for AccuVote-TS voting system. If these vulnerabilities are exploited, significant impact could occur on the accuracy, integrity, and availability of election results. In addition, successful exploitation of these vulnerabilities could also damage the reputation and interests of the SBE and the LBEs. This Risk Assessment also identified numerous vulnerabilities with a risk rating of medium...
Words: 887 - Pages: 4
...Proposal for Design Controls of Outflows ACC/544 Proposal for Design Controls of Outflows The appropriate controls of outflows for a successful company are to access effectively risks mechanisms to identify opportunities or potential pitfalls. Risks assessments are necessary at various levels within an organization. Some frequently performed risks assessments include: Strategic risks assessments (relates to the organizations mission and strategic objectives). Operational risks assessments (relates to financial performance and condition). Internal risks assessments (relate to the value drivers of the company covering strategic, financial, operational, and compliance issues). Financial statement risks assessments (relates to a material misstatement of financial statements). Fraud risk assessments (relates to fraud that has the potential to affect the ethics and compliance standards of the company). Market risks assessments (relates to market movements that affect performance or risks exposure). Credit risks assessments (relates to a failure in obligation of the borrower). Customer risks assessments (relates to customers impact on the organizations reputation and financial position). Supply chain risks assessments (relates to the creation of products and services). Products risk assessments (relates to an organization production from inception to birth). Security risks assessments (relates to physical assets and information protection and security)...
Words: 1684 - Pages: 7
...FAO FOOD AND NUTRITION PAPER NUMBER 65 RISK MANAGEMENT AND FOOD SAFETY Report of a Joint FAO/WHO Consultation Rome, Italy, 27 to 31 January 1997 ISSUED BY THE FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS IN COLLABORATION WITH THE WORLD HEALTH ORGANIZATION ROME, 1997 The designation employed and the presentation of material in this publication do not imply the expression of any opinion whatsoever on the part of the Food and Agriculture Organization of the United Nations concerning the legal status of any country, territory, city or area or of its authorities, or concerning the delimitation of its frontiers or boundaries. First issued in March 1997 in PDF format: reissued in April 1997 with corrections. The copyright in this document is vested in the Food and Agriculture Organization of the United Nations. Application for permission to reproduce this book, in whole or in part, by any method or process, should be addressed, with a statement of the purpose and extent of the reproduction desired, to the Director, Publications Division, Food and Agriculture Organization of the United Nations, Via delle Terme di Caracalla, 00100 Rome, Italy. FAO, Rome, 1997 CONTENTS CONTENTS ................................................................................................................................... iii LIST OF ACRONYMS....................................................................................................................v 1...
Words: 12565 - Pages: 51
...of information for decision makers. Attestation services: 鉴证服务 A type of assurance service in which the public accounting firm issues a written communication that expresses a conclusion about the reliability of a written assertion of another party. Audit of historical financial statements: A form of attestation services, the auditor issues a written report expressing an opinion about whether the F/S is in material conformity (一致) with accounting standards. e.g.: listed company must provide shareholders with annual financial statements that are audited by an independent accounting firm. Review of historical cost financial statements: A form of attestation services, a public accounting firm issues a written report that provides less assurance than an audit as to whether the financial statements are in material conformity with accounting standards. Auditing standards: Establish mandatory (强制) requirements and provide explanatory (解释) guidance to auditors in fulfilling their professional responsibilities in the audit of financial reports. Auditing: Is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria. Auditing should be performed by a competent, independent person. Compliance audit: 合规性审计 One of three primary types of audits, a review of an organization’s financial records performed to determine whether the organization is following specific procedure, rules or regulations...
Words: 4162 - Pages: 17
...Chapter 1—Auditing and Internal Control TRUE/FALSE 1. Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting. ANS: F PTS: 1 2. Both the SEC and the PCAOB require management to use the COBIT framework for assessing internal control adequacy. ANS: F PTS: 1 3. Both the SEC and the PCAOB require management to use the COSO framework for assessing internal control adequacy. ANS: F PTS: 1 4. A qualified opinion on management’s assessment of internal controls over the financial reporting system necessitates a qualified opinion on the financial statements? ANS: F PTS: 1 5. The same internal control objectives apply to manual and computer-based information systems. ANS: T PTS: 1 6. The external auditor is responsible for establishing and maintaining the internal control system. ANS: F PTS: 1 7. Segregation of duties is an example of an internal control procedure. ANS: T PTS: 1 8. Preventive controls are passive techniques designed to reduce fraud. ANS: T PTS: 1 9. The Sarbanes-Oxley Act requires only that a firm keep good records. ANS: F PTS: 1 10. A key modifying assumption in internal control is that the internal control system is the responsibility of management. ANS: T PTS: 1 11. While the Sarbanes-Oxley Act prohibits auditors from providing non-accounting services to their audit clients, they are not prohibited from performing such services for non-audit clients...
Words: 5161 - Pages: 21
... Business Impact Analysis and Risk Assessment for Information Resources General Information & Process Description Introduction The IT Security and Policies area within Information Technology Services is responsible for establishing policies to ensure that Iowa State University has a secure information technology environment. This document defines a process for departments to perform a business impact analysis and risk assessment for their information resources. Once an assessment has been done, the resulting documents should be maintained and regularly reviewed by the department. By using the business impact analysis and risk assessment tool defined in this document, departments have the capability to identify and respond to risks for their systems and information resources. Departments are encouraged to contact the Information Technology Security and Policies area at 4-2588 if they have specific questions or if they would like to arrange a meeting to discuss the process on an individual basis. Business Impact Analysis and Risk Assessment Guaranteed absolute security in today’s information technology environments is not realistic. However, it is important to have a process of identifying resources and associated risks, determining their magnitude, and identifying what safeguards are needed. That process is what we are referring to as business impact analysis and risk assessment. It is the department’s responsibility...
Words: 3038 - Pages: 13
...FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL (FISCAM) This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office Washington, DC 20548 February 2009 TO AUDIT OFFICIALS, CIOS, AND OTHERS INTERESTED IN FEDERAL AND OTHER GOVERNMENTAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING This letter transmits the revised Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM). The FISCAM presents a methodology for performing information system (IS) control 1 audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits. This revised FISCAM reflects consideration of public comments received from professional accounting and auditing organizations, independent public accounting firms, state and local audit organizations, and interested individuals on the FISCAM Exposure Draft issued on July 31, 2008 (GAO-08-1029G). GAO would like to thank the Council of the Inspectors General on Integrity and Efficiency...
Words: 174530 - Pages: 699
...Summary of Internal Control Definition Chapter 07 Internal Control A process, effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding, achievement of (the entity’s) objectives on: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved. 7-2 Control Objectives In each area of internal control (financial reporting, operations and compliance) Control objectives and Sub objectives exist Foreign Corrupt Practices Act Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business The Act Requires an effective system of internal control Makes illegal payment of bribes to foreign officials Example: Area of financial reporting Top level objective – prepare and issue reliable financial information Detailed level applied to A/R sub objectives • All goods shipped are accurately billed in the proper period • Invoices are accurately recorded for all authorized shipments and only for such shipments • Authorized and only authorized sales returns and allowances are accurately recorded • The continued completeness and accuracy of A/R is ensured • Accounts receivable records are safeguarded 7-3 7-4 Controls over Financial Reporting Preventive Aimed...
Words: 1559 - Pages: 7
...“HENRI COANDA” AIR FORCE ACADEMY ROMANIA “GENERAL M.R. STEFANIK” ARMED FORCES ACADEMY SLOVAK REPUBLIC INTERNATIONAL CONFERENCE of SCIENTIFIC PAPER AFASES Brasov MANAGEMENT METHODS AND TECHNIQUES USED TO ENSURE THE INTERNAL AUDIT PERFORMANCE Marian SFETCU Phd. Student, Faculty of Economics Sciences and Business Administration of „Babeș - Bolyai” University of Cluj Napoca.E-mail: marian_sfetcu@yahoo.com. Tel: 0720 760 220 Abstract: This approach shows a research on the usage of managemental methods on the internal audit activity through qualitative and quantitative indicators of performance assurance. Balanced Scorecard, the management method and tool, referred to the Dashboard, contributes to the internal audit performance through resource planning, setting objectives and scope of the audit, communication and approval, following the recommendations, deferring to the code of ethics and how to achieve the objectives. The listed indicators, are components of the proposed management methods and tools, and they define efficency, effectiveness, economy and quality, all elements of the internal audit performance. Keywords: methods and techniques, audit, corporate governance, internal control system, performance indicators, Balanced Scorecard, Dashboard. JEL: M 42 1. INTRODUCTION The importance of using the management methods and techniques concerning the internal audit, is given by providing a new approach to this problem, which highlights the need to ensure...
Words: 5439 - Pages: 22
...CHIEF FINANCIAL OFFICERS, CHIEF OPERATION OFFICERS, CHIEF INFORMATION OFFICERS, AND PROGRAM MANAGERS FROM: Linda M. Springer Controller SUBJECT: Revisions to OMB Circular A-123, Management’s Responsibility for Internal Control OMB Circular No. A-123 defines management's responsibility for internal control in Federal agencies. A re-examination of the existing internal control requirements for Federal agencies was initiated in light of the new internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002. Circular A-123 and the statute it implements, the Federal Managers’ Financial Integrity Act of 1982, are at the center of the existing Federal requirements to improve internal control. This circular reflects policy recommendations developed by a joint committee of representatives from the Chief Financial Officer Council (CFOC) and the President’s Council on Integrity and Efficiency (PCIE). The policy changes in this circular are intended to strengthen the requirements for conducting management’s assessment of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities. The revised circular is effective for FY 2006. Agencies should take steps in FY 2005 to prepare for its implementation. OMB plans to continue to work closely with the CFOC and the PCIE to provide further implementation...
Words: 12138 - Pages: 49
...ES/ER/TM-117/R1 Risk Assessment Program Quality Assurance Plan This document has been approved by the East Tennessee Technology Park Technical Information Office for release to the public. Date: 11/20/97 ES/ER/TM-117/R1 Risk Assessment Program Quality Assurance Plan Date Issued—November 1997 Prepared by Environmental Management and Enrichment Facilities Risk Assessment Program Prepared for the U.S. Department of Energy Office of Environmental Management under budget and reporting code EW 20 LOCKHEED MARTIN ENERGY SYSTEMS, INC. managing the Environmental Management Activities at the East Tennessee Technology Park Oak Ridge Y-12 Plant Oak Ridge National Laboratory Paducah Gaseous Diffusion Plant Portsmouth Gaseous Diffusion Plant under contract DE-AC05-84OR21400 for the U.S. DEPARTMENT OF ENERGY APPROVALS Risk Assessment Program Quality Assurance Plan ES/ER/TM-117/R1 November 1997 [name] Sponsor, U.S. Department of Energy Date [name] U.S. Department of Energy Environmental Management Quality Assurance Program Manager Date [name] Environmental Management and Enrichment Facilities Quality Assurance Specialist Date [name] Environmental Management and Enrichment Facilities Risk Assessment Manager Date [name] Environmental Management and Enrichment Facilities Risk Assessment Program Quality Assurance Specialist Date PREFACE This Quality Assurance Plan (QAP) for the Environmental Management and Enrichment Facilities (EMEF) Risk Assessment Program...
Words: 11450 - Pages: 46
...Office of the New York State Comptroller Division of Local Government and School Accountability LOCAL GOVERNMENT M ANAGEMENT GUIDE Management’s Responsibility for Internal Controls Thomas P. DiNapoli State Comptroller For additional copies of this report contact: Division of Local Government and School Accountability 110 State Street, 12th floor Albany, New York 12236 Tel: (518) 474- 4037 Fax: (518) 486- 6479 or email us: localgov@osc.state.ny.us www.osc.state.ny.us October 2010 Table of Contents Who’s Responsible.............................................................................................................. 2 The Origin - Committee of Sponsoring Organizations ......................................................... 4 Integrated Internal Control Framework - The Big Picture ..................................................... 5 The Five Essential Elements of the Internal Control Framework ........................................... 6 Limitations of Internal Controls ..........................................................................................15 The Impact of Information Technology ...............................................................................16 The Role of Internal Auditors and Audit Committees ..........................................................17 Conclusion ....................................................................................................................... 20 Additional Resources...
Words: 8114 - Pages: 33
