Internal Controls & IT General Controls 2(a)

Question 1

What is ITGC and its purpose?

Answer 1

• IT General Controls
• Provide assurance automated controls and programmed accounting procedures performing correctly in period examined (if directly impact RMM)
• ITGCs are pervasive controls that operate w/in IT environment
• Generally does not directly lead to or cause RMM but affect some element of financial reporting systems or process can lead to or causes RMM
• Chain effect from ITGC to RMM

Question 2

What is the ITGC “Control Environment”?

Answer 2

• Refers to mgmt of IT function
• Include controls and activities at org level and certain IT function activities

ITGC equiv to :

• COSO’s “Control Environment”
• COBIT’s Plan and Organize (PO) domain

Question 3

What is one primary goal of effective “Control Environment”?

Answer 3

• Ensure data processing in systems and technologies occurs in controlled environment, supporting data integrity and security

Question 4

What are 4 areas in the ITGC “Control Environment”?

Answer 4

(1) Strategic Planning
(2) Policies and Procedures
(3) Risk Mgmt
(4) HR Mgmt of IT Personnel

Question 5

Under the ITGC “Control Environment”, what is included in “Strategic Planning”?

Answer 5

(1) IT Strategic Plan
- Ensure IT function aligned w/ entity’s strategies, goals, objectives
(2) Strategic approach to budgeting of IT, divided into 2 parts:
(a) Operational budget (employees, op exp)
(b) Capital budget (major IT capital projects, systems, hardware, software)
(3) Controls needed to ensure objectives are being met
- Ex: Report to BoD about IT function related to strategic planning

Question 6

Under the ITGC “Control Environment”, what is included in “Policies and Procedures”?

Answer 6

• Policies on IT function

- Describe how IT will be managed for effectiveness, efficiency and meet mgmt’s expectations

Question 7

Under the ITGC “Control Environment”, what is included in “Risk Mgmt”?

Answer 7

• Part of Control Environment is IT Risk Assessment, outcome s/b documentation of IT Risk Mgmt
• Should have formal process to ID, mitigate and document IT-related risks
• Identical w/ COSO’s “risk assessment” and COBIT’s Planning and Org process of “assess risk”

Question 8

Under the ITGC “Control Environment”, what is included in “HR Mgmt of IT Personnel”?

Answer 8

Involves IT working w/ HR on:

(1) IT Skill Set - ID proper competencies
(2) Hiring and Firing Policies
- Key elements would be to ID and document certifications and education needed for IT jobs
(3) Performance Evaluation
(4) Training and Professional Dev

Question 9

IT Governance Institute (ITGI) defines IT governance as:

Answer 9

… to understand and manage risks w/ implementing new technologies, and addressing enterprise challenges and concerns such as:

(a) aligning IT and business strategy
(b) cascading strategy and goals down the enterprise
(c) providing org structure that facilitates implementation of strategy and goals
(d) insisting IT control framework be adopted and implemented
(e) measuring IT’s performance
- IT governance is responsibility of BODs and Exec Mgmt
- Integral part of enterprise governance and consists of leadership and org structures and processes that ensure org’s IT sustains and extends org’s strategy and objectives