Information technology controls
Information technology controls (or IT controls) are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework (Control Objectives for Information Technology) is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.
IT general controls (ITGC)
ITGC represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC usually include the following types of controls:
- Control environment, or those controls designed to shape the corporate culture or "tone at the top."
- Change management procedures - controls designed to ensure the changes meet business requirements and are authorized.
- Source code/document version control procedures - controls designed to protect the integrity of program code
- Software development life cycle standards - controls designed to ensure IT projects are effectively managed.
- Logical access policies, standards and processes - controls designed to manage access based on business needs.
- Incident management policies and procedures - controls designed to address operational processing errors.
- Problem management policies and procedures - controls designed to identify and address the root cause of incidents.
- Technical support policies and procedures - policies to help users perform more efficiently and report problems.
- Hardware/software configuration, installation, testing, management standards, policies, and procedures.
- Disaster recovery/backup and recovery procedures, to enable continued processing despite adverse conditions.
- Physical security - controls to ensure the physical security of information technology from individuals and from environmental risks.
IT application controls
IT application or program controls are fully automated (i.e., performed automatically by the systems) and designed to ensure the complete and accurate processing of data, from input through output. These controls vary based on the business purpose of the specific application. These controls may also help ensure the privacy and security of data transmitted between applications. Categories of IT application controls may include:
- Completeness checks - controls that ensure all records were processed from initiation to completion.
- Validity checks - controls that ensure only valid data is input or processed.
- Identification - controls that ensure all users are uniquely and irrefutably identified.
- Authentication - controls that provide an authentication mechanism in the application system.
- Authorization - controls that ensure only approved business users have access to the application system.
- Input controls - controls that ensure data integrity fed from upstream sources into the application system.
- Forensic controls - control that ensures data is scientifically correct and mathematically correct based on inputs and outputs
IT controls and the CIO/CISO
An organization's Chief Information Officer or Chief Information Security Officer is typically responsible for the security, accuracy and the reliability of the systems that manage and report the company's data, including financial data.
Internal control frameworks
COBIT (Control Objectives for Information Technology)
COBIT is a widely utilized framework containing best practices for the governance and management of information and technology, aimed at the whole enterprise. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which are enabled by specific IT activities. COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system. COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.<ref>COBIT 2019, Governance and Management objectives, p.9</ref>
COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control: control environment, risk assessment, control activities, information and communication and monitoring, that need to be in place to achieve financial reporting and disclosure objectives; COBIT provides similar detailed guidance for IT, while the interrelated Val IT concentrates on higher-level IT governance and value-for-money issues. The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate. The four COBIT major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.
IT controls and the Sarbanes-Oxley Act (SOX)
SOX (part of United States federal law) requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports (Section 302) and require public companies to establish adequate internal controls over financial reporting (Section 404). Passage of SOX resulted in an increased focus on IT controls, as these support financial processing and therefore fall into the scope of management's assessment of internal control under Section 404 of SOX.
The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope. The 2007 SOX guidance from the PCAOB<ref>PCAOB Auditing Standard No 5</ref> and SEC<ref>SEC Interpretive Guidance</ref> state that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed, which significantly reduces the scope of IT controls required in the assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment. In addition, Statements on Auditing Standards No. 109 (SAS109)<ref>"AICPA Statement on Auditing Standards No. 109" (PDF). Archived from the original (PDF) on 2008-04-07. Retrieved 2007-09-01.</ref> discusses the IT risks and control objectives pertinent to a financial audit and is referenced by the SOX guidance.
IT controls that typically fall under the scope of a SOX 404 assessment may include:
- Specific application (transaction processing) control procedures that directly mitigate identified financial reporting risks. There are typically a few such controls within major applications in each financial process, such as accounts payable, payroll, general ledger, etc. The focus is on "key" controls (those that specifically address risks), not on the entire application.
- IT general controls that support the assertions that programs function as intended and that key financial reports are reliable, primarily change control and security controls;
- IT operations controls, which ensure that problems with the processing are identified and corrected.
Specific activities that may occur to support the assessment of the key controls above include:
- Understanding the organization’s internal control program and its financial reporting processes.
- Identifying the IT systems involved in the initiation, authorization, processing, summarization and reporting of financial data;
- Identifying the key controls that address specific financial risks;
- Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness;
- Documenting and testing IT controls;
- Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting processes; and
- Monitoring IT controls for effective operation over time.
To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. For instance, IT application controls that ensure the completeness of transactions can be directly related to financial assertions. Access controls, on the other hand, exist within these applications or within their supporting systems, such as databases, networks, and operating systems, which are equally important, but do not directly align to a financial assertion. Application controls are generally aligned with a business process that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process and mitigate specific material financial risks. This focus on risk enables management to significantly reduce the scope of IT general control testing in 2007 relative to prior years.
Section
|
Title
|
Description
|
302 | Corporate Responsibility for Financial Reports | Certifies that financial statement accuracy and operational activities have been documented and provided to the CEO and CFO for certification |
404 | Management Assessment of Internal Controls | Operational processes are documented and practiced demonstrating the origins of data within the balance sheet. SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness. |
409 | Real-time Issuer Disclosures | Public companies must disclose changes in their financial condition or operations in real time to protect investors from delayed reporting of material events |
802 | Criminal Penalties for Altering Documents | Requires public companies and their public accounting firms to retain records, including electronic records that impact the company’s assets or performance.
Fines and imprisonment for those who knowingly and willfully violates this section with respect to (1) destruction, alteration, or falsification of records in federal investigations and bankruptcy and (2) destruction of corporate audit records. |
Real-time disclosure
Section 409 requires public companies to disclose information about material changes in their financial condition or operations on a rapid basis. Companies need to determine whether their existing financial systems, such as enterprise resource management applications are capable of providing data in real-time, or if the organization will need to add such capabilities or use special software to access the data. Companies must also account for changes that occur externally, such as changes by customers or business partners that could materially impact their own financial positioning (e.g. key customer/supplier bankruptcy and default).
To comply with Section 409, organizations should assess their technological capabilities in the following categories:
- Availability of internal and external portals - Portals help route and identify reporting issues and requirements to investors and other relevant parties. These capabilities address the need for rapid disclosure.
- Breadth and adequacy of financial triggers and alert - The organization sets the trip wires that will kick off a Section 409 disclosure event.
- Adequacy of document repositories – Repositories play a critical role for event monitoring to assess disclosure needs and provide mechanism to audit disclosure adequacy.
- Capacity to be an early adopter of Extensible Business Reporting Language (XBRL) – XBRL will be a key tool to integrate and interface transactional systems, reporting and analytical tools, portals and repositories.
See also
- Continuous Auditing
- Data governance
- Information technology audit
- IT risk
- IT risk management
- Public Company Accounting Oversight Board
References
<references/>
- Coe, Martin J. "Trust services: a better way to evaluate I.T. controls: fulfilling the requirements of section 404." Journal of Accountancy 199.3 (2005): 69(7).
- Chan, Sally, and Stan Lepeak. "IT and Sarbanes-Oxley." CMA Management 78.4 (2004): 33(4).
- Goodwin, Bill. "IT should lead on Sarbanes-Oxley." Computer Weekly 27 April 2004: p5.
- Gomolski, Barbara. "The top five issues for CIOs." Computerworld January 2004: 42(1).
- Hagerty, John. "Sarbanes-Oxley Is Now a Fact of Business Life-Survey indicates SOX IT-compliance spending to rise through 2005." VARbusiness Nov. 15 2004: 88.
- Altiris.com
- "IT Control Objectives for Sarbanes Oxley: The Importance of IT in the Design, Implementation, and Sustainability of Internal Control over Disclosures and Financial Reporting." itgi.org. April 2004. IT Governance Institute. 12 May 2005
- Johnston, Michelle. "Executing an IT Audit for Sarbanes-Oxley Compliance." informit.com. 17 September 2004
- "Importance of Monitoring IT General Controls and IT Application Controls." [1]. 30 may 2022
- Lurie, Barry N. "Information technology and Sarbanes-Oxley compliance: what the CFO must understand." Bank Accounting and Finance 17.6 (2004): 9 (5).
- McCollum, Tim. "IIA Seminar Explores Sarbanes-Oxley IT Impact." IT Audit 6 (2003).
- McConnell Jr., Donald K, and George Y. Banks. "How Sarbanes-Oxley Will Change the Audit Process." aicpa.org (2003).
- Munter, Paul. "Evaluating Internal Controls and Auditor Independence under Sarbanes-Oxley." Financial Executive 19.7 (2003): 26 (2).
- “Perspectives on Internal Control Reporting: A Resource for Financial Market Participants." Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP, PricewaterhouseCoopers LLP. December 2004.
- Piazza, Peter. "IT security requirements of Sarbanes-Oxley." Security Management June 2004: 40(1).
- "Sarbanes-Oxley Section 404: An overview of PCAOB's requirement." KPMG. April 2004.
- "Sarbanes-Oxley Spending in 2004 More Than Expected: Spending for section 404 compliance averaged $4.4 million in 2004, a survey finds." InformationWeek March 22, 2005.
- "The Impact of Sarbanes-Oxley on IT and Corporate Governance." serena.com 12 May. 2005
- Five Steps to Success for Spreadsheet Compliance. Compliance Week, July 2006.
- Pcaobus.org, PCAOB’s New Audit Standard for Internal Control Over Financial Reporting is Approved by the SEC.