Information Technology General Control

IT general controls (ITGC) represent the foundation of IT control structures and help ensure reliable data output and intended system operation. ITGC include controls over the IT environment, access management, change management, software development, and disaster recovery. IT application controls ensure complete and accurate data processing. Key ITGC and application controls may fall under the scope of Sarbanes-Oxley compliance assessments if they directly mitigate financial reporting risks. Frameworks like COBIT and COSO provide guidance on evaluating and monitoring internal controls, including IT controls.

Uploaded by eie_subir_09
Copyright: © Attribution Non-Commercial (BY-NC)

INFORMATION TECHNOLOGY GENERAL CONTROL
Information technology controls
In business and accounting, information technology controls (or IT controls) are specific
activities performed by persons or systems that are designed to ensure that business objectives
are met. They are a subset of an enterprise's internal control. IT control objectives relate to the
confidentiality, integrity, and availability of data and to the overall management of the IT
function of the business enterprise. IT controls are often described in two categories: IT
general controls (ITGC) and IT application controls. ITGC include controls over the
information technology (IT) environment, computer operations, access to programs and data,
program development and program changes. IT application controls refer to transaction
processing controls, sometimes called "input-processing-output" controls. Information
technology controls have been given increased prominence in corporations listed in the
United States by the Sarbanes-Oxley Act. The COBIT Framework (Control Objectives for
Information Technology) is a widely used framework promulgated by the IT Governance
Institute, which defines a variety of ITGC and application control objectives and
recommended evaluation approaches. IT departments in organizations are often led by a
Chief Information Officer (CIO), who is responsible for ensuring that effective information
technology controls are in use.

IT General Controls (ITGC)

ITGC represent the foundation of the IT control structure. They help ensure the reliability of
data generated by IT systems and support the assertion that systems operate as intended and
that output is reliable. ITGC usually include the following types of controls:

• Control environment - controls designed to shape the corporate culture or "tone at the
  top."
• Change management procedures - controls designed to ensure changes meet business
  requirements and are authorized.
• Source code/document version control procedures - controls designed to protect the
  integrity of program code.
• Software development life cycle standards - controls designed to ensure IT projects are
  effectively managed.
• Logical access policies, standards and processes - controls designed to manage access
  based on business need.
• Incident management policies and procedures - controls designed to address operational
  processing errors.
• Problem management policies and procedures - controls designed to identify and address
  the root cause of incidents.
• Technical support policies and procedures - policies to help users perform more
  efficiently and report problems.
• Hardware/software configuration, installation, testing, management standards, policies
  and procedures.
• Disaster recovery/backup and recovery procedures, to enable continued processing
  despite adverse conditions.
• Physical security - controls to ensure the physical security of information technology
  from individuals and from environmental risks.

IT Application Controls

IT application or program controls are fully automated controls (i.e., performed automatically
by the systems) designed to ensure the complete and accurate processing of data, from input
through output. These controls vary based on the business purpose of the specific application.
They may also help ensure the privacy and security of data transmitted between applications.
Categories of IT application controls may include:

• Completeness checks - controls that ensure all records were processed from initiation to
  completion.
• Validity checks - controls that ensure only valid data is input or processed.
• Identification - controls that ensure all users are uniquely and irrefutably identified.
• Authentication - controls that provide an authentication mechanism in the application
  system.
• Authorization - controls that ensure only approved business users have access to the
  application system.
• Input controls - controls that ensure the integrity of data fed from upstream sources into
  the application system.
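As an added example of the completeness, validity and input control categories above (this is not code from the original document), the following routine applies those controls to a transaction batch received from an upstream system. The comma-separated file layout, the trailer record with record count, amount hash total and payload digest, and the account list are all assumptions constructed for the illustration.

```python
"""Batch-level application controls (added example, not from the original document):
input, completeness and validity checks on a constructed upstream transaction file."""
import hashlib
from decimal import Decimal, InvalidOperation

ALLOWED_CURRENCIES = {"USD", "EUR"}

def run_batch_controls(raw: bytes, trailer: dict, valid_accounts: set) -> list:
    """Return control findings for one batch; an empty list means all controls passed.
    `trailer` is the control record assumed to accompany the batch (upstream record
    count, amount hash total and payload SHA-256)."""
    findings = []
    # Input control: the payload must arrive intact from the upstream source.
    if hashlib.sha256(raw).hexdigest() != trailer["sha256"]:
        findings.append("input: payload digest differs from upstream trailer")
    records = [line.split(",") for line in raw.decode().splitlines() if line.strip()]
    # Completeness: every record initiated upstream must be present.
    if len(records) != trailer["record_count"]:
        findings.append(f"completeness: got {len(records)} records, expected {trailer['record_count']}")
    seen_ids, total = set(), Decimal("0")
    for rec in records:
        if len(rec) != 4:
            findings.append(f"validity: malformed record {rec!r}")
            continue
        txn_id, account, amount, currency = rec
        # Validity: each field must satisfy the application's business rules.
        if txn_id in seen_ids:
            findings.append(f"validity: duplicate transaction id {txn_id}")
        seen_ids.add(txn_id)
        if account not in valid_accounts:
            findings.append(f"validity: unknown account {account} in {txn_id}")
        if currency not in ALLOWED_CURRENCIES:
            findings.append(f"validity: unsupported currency {currency} in {txn_id}")
        try:
            value = Decimal(amount)
        except InvalidOperation:
            findings.append(f"validity: non-numeric amount {amount!r} in {txn_id}")
            continue
        if value == 0:
            findings.append(f"validity: zero amount in {txn_id}")
        total += value
    # Completeness: the amount hash total must reconcile to the upstream control total.
    if total != Decimal(trailer["amount_total"]):
        findings.append(f"completeness: amount total {total} differs from trailer {trailer['amount_total']}")
    return findings

# Constructed batch of three postings; the trailer is computed from the clean copy,
# then one record is altered in transit to show the controls firing.
CLEAN_BATCH = b"T001,1000,150.00,USD\nT002,2000,-25.50,EUR\nT003,1000,400.00,USD\n"
TRAILER = {"record_count": 3, "amount_total": "524.50",
           "sha256": hashlib.sha256(CLEAN_BATCH).hexdigest()}
VALID_ACCOUNTS = {"1000", "2000"}
TAMPERED_BATCH = CLEAN_BATCH.replace(b"T003,1000,400.00", b"T003,9999,40.00")
```

Running `run_batch_controls(TAMPERED_BATCH, TRAILER, VALID_ACCOUNTS)` reports the digest mismatch, the unknown account and the broken control total, while the clean batch yields no findings.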

IT Controls and the Chief Information Officer/Chief Information Security Officer
The organization's chief information officer (CIO) or chief information security officer
(CISO) is typically responsible for the security, accuracy and reliability of the systems that
manage and report the company's data, including financial data. Financial accounting and
Enterprise Resource Planning systems are integrated in the initiating, authorizing, processing,
and reporting of financial data and may be involved in Sarbanes-Oxley compliance, to the
extent that they mitigate specific financial risks.

Internal Control Frameworks - COBIT and COSO

COBIT

COBIT is a widely used framework containing best practices for both ITGC and application
controls. It consists of domains and processes. Its basic structure is that IT processes satisfy
business requirements, and that this is enabled by specific IT control activities. It also
recommends best practices and methods for evaluating an enterprise's IT controls.

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
identifies five components of internal control that need to be in place to achieve financial
reporting and disclosure objectives: control environment, risk assessment, control activities,
information and communication, and monitoring. COBIT provides similarly detailed guidance
for IT, while the interrelated Val IT concentrates on higher-level IT governance and
value-for-money issues. The five components of COSO can be visualized as the horizontal
layers of a three-dimensional cube, with the COBIT objective domains applying to each
individually and in aggregate. The four major COBIT domains are: plan and organize, acquire
and implement, deliver and support, and monitor and evaluate.

IT controls and the Sarbanes-Oxley Act (SOX)

SOX requires the chief executive and chief financial officers of public companies to attest to
the accuracy of financial reports (Section 302) and requires public companies to establish
adequate internal controls over financial reporting (Section 404). Passage of SOX resulted in
an increased focus on IT controls, as these support financial processing and therefore fall
within the scope of management's assessment of internal control under Section 404 of SOX.

The COBIT framework may be used to assist with SOX compliance, although COBIT is
considerably wider in scope. The 2007 SOX guidance from the PCAOB and SEC states that
IT controls should only be part of the SOX 404 assessment to the extent that they address
specific financial risks, which significantly reduces the scope of IT controls required in the
assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment.
In addition, Statement on Auditing Standards No. 109 (SAS 109) discusses the IT risks and
control objectives pertinent to a financial audit and is referenced by the SOX guidance.

IT controls that typically fall under the scope of a SOX 404 assessment may include:

• Specific application (transaction processing) control procedures that directly mitigate
  identified financial reporting risks. There are typically a few such controls within major
  applications in each financial process, such as accounts payable, payroll, general ledger,
  etc. The focus is on "key" controls (those that specifically address risks), not on the
  entire application.
• IT general controls that support the assertions that programs function as intended and
  that key financial reports are reliable, primarily change control and security controls.
• IT operations controls, which ensure that problems with processing are identified and
  corrected.

Specific activities that may occur to support the assessment of the key controls above include:

• Understanding the organization's internal control program and its financial reporting
  processes.
• Identifying the IT systems involved in the initiation, authorization, processing,
  summarization and reporting of financial data.
• Identifying the key controls that address specific financial risks.
• Designing and implementing controls designed to mitigate the identified risks and
  monitoring them for continued effectiveness.
• Documenting and testing IT controls.
• Ensuring that IT controls are updated and changed, as necessary, to correspond with
  changes in internal control or financial reporting processes.
• Monitoring IT controls for effective operation over time.

To comply with Sarbanes-Oxley, organizations must understand how the financial reporting
process works and must be able to identify the areas where technology plays a critical part. In
considering which controls to include in the program, organizations should recognize that IT
controls can have a direct or indirect impact on the financial reporting process. For instance,
IT application controls that ensure completeness of transactions can be directly related to
financial assertions. Access controls, on the other hand, which exist within these applications
or within their supporting systems (databases, networks and operating systems), are equally
important but do not directly align to a financial assertion. Application controls are generally
aligned with a business process that gives rise to financial reports. While there are many IT
systems operating within an organization, Sarbanes-Oxley compliance only focuses on those
that are associated with a significant account or related business process and mitigate specific
material financial risks. This focus on risk enables management to significantly reduce the
scope of IT general control testing in 2007 relative to prior years.

Section - Title: Description

Section 302 - Corporate Responsibility for Financial Reports:
  Certifies that financial statement accuracy and operational activities have been
  documented and provided to the CEO and CFO for certification. Operational processes are
  documented and practiced, demonstrating the origins of data within the balance sheet.

Section 404 - Management Assessment of Internal Controls:
  SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly-traded
  companies must establish internal controls and procedures for financial reporting and
  must document, test and maintain those controls and procedures to ensure their
  effectiveness.

Section 409 - Real-time Issuer Disclosures:
  Public companies must disclose changes in their financial condition or operations in real
  time to protect investors from delayed reporting of material events.

Section 802 - Criminal Penalties for Altering Documents:
  Requires public companies and their public accounting firms to retain records, including
  electronic records that impact the company's assets or performance. Fines and
  imprisonment for those who knowingly and wilfully violate this section with respect to
  (1) destruction, alteration, or falsification of records in federal investigations and
  bankruptcy and (2) destruction of corporate audit records.

Real-time disclosure

Section 409 requires public companies to disclose information about material changes in their
financial condition or operations on a rapid basis. Companies need to determine whether their
existing financial systems, such as enterprise resource management applications, are capable
of providing data in real time, or whether the organization will need to add such capabilities
or use specialty software to access the data. Companies must also account for changes that
occur externally, such as changes by customers or business partners that could materially
impact their own financial position (e.g. key customer/supplier bankruptcy and default).
To comply with Section 409, organizations should assess their technological capabilities in
the following categories:

• Availability of internal and external portals - Portals help route and identify reporting
  issues and requirements to investors and other relevant parties. These capabilities
  address the need for rapid disclosure.
• Breadth and adequacy of financial triggers and alerts - The organization sets the trip
  wires that will kick off a Section 409 disclosure event.
• Adequacy of document repositories - Repositories play a critical role in event monitoring
  to assess disclosure needs and provide a mechanism to audit disclosure adequacy.
• Capacity to be an early adopter of Extensible Business Reporting Language (XBRL) -
  XBRL will be a key tool to integrate and interface transactional systems, reporting and
  analytical tools, portals and repositories.

Section 802 & Records retention

Section 802 of Sarbanes-Oxley requires public companies and their public accounting firms
to maintain all audit or review work papers for a period of five years from the end of the
fiscal period in which the audit or review was concluded. This includes electronic records
which are created, sent, or received in connection with an audit or review. As external
auditors rely to a certain extent on the work of internal audit, this implies that internal audit
records must also comply with Section 802.

In conjunction with document retention, another issue is that of the security of storage media
and how well electronic documents are protected for both current and future use. The
five-year record retention requirement means that current technology must be able to support
what was stored five years ago. Due to rapid changes in technology, some of today's media
might be outdated in the next three or five years. Audit data retained today may not be
retrievable, not because of data degradation, but because of obsolete equipment and storage
media.

Section 802 expects organizations to respond to questions on the management of SOX
content. IT-related issues include policy and standards on record retention, protection and
destruction, online storage, audit trails, integration with an enterprise repository, market
technology, SOX software and more. In addition, organizations should be prepared to defend
the quality of their records management (RM) program: the comprehensiveness of RM (i.e.
paper, electronic and transactional communications, which include emails, instant messages,
and spreadsheets used to analyze financial results), the adequacy of the retention life cycle,
the immutability of RM practices, audit trails, and the accessibility and control of RM content.

End-user application / Spreadsheet controls

PC-based spreadsheets or databases are often used to provide critical data or calculations
related to financial risk areas within the scope of a SOX 404 assessment. Financial
spreadsheets are often categorized as end-user computing (EUC) tools that have historically
lacked traditional IT controls. They can support complex calculations and provide significant
flexibility. However, with flexibility and power comes the risk of errors, an increased
potential for fraud, and misuse in critical spreadsheets that do not follow the software
development life cycle (e.g. design, develop, test, validate, deploy). To remediate and control
spreadsheets, public organizations may implement controls such as:

• Inventory and risk-rank spreadsheets that are related to critical financial risks identified
  as in-scope for the SOX 404 assessment. These typically relate to the key estimates and
  judgments of the enterprise, where sophisticated calculations and assumptions are
  involved. Spreadsheets used merely to download and upload data are less of a concern.
• Perform a risk-based analysis to identify spreadsheet logic errors. Automated tools exist
  for this purpose.
• Ensure the spreadsheet calculations are functioning as intended (i.e., "baseline" them).
• Ensure changes to key calculations are properly approved.

Control over spreadsheets is a responsibility shared between the business users and IT. The IT
organization is typically concerned with providing a secure shared drive for storage of the
spreadsheets and with data backup. The business personnel are responsible for the remainder.
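As an added example (not part of the original document) of the last two spreadsheet controls listed above, baselining key calculations and approving changes to them: a workbook is modelled as a dictionary of cell address to formula text, the key cells are hashed to form the baseline, and a later check flags any key formula that differs from the baseline without a matching approved change record. The cell addresses, formulas and change ticket are constructed; in practice the formulas would be read from the workbook file.

```python
"""Baseline-and-approval control for key spreadsheet calculations (added example,
not from the original document). A workbook is modelled as {cell: formula};
the formulas, cell addresses and change ticket below are constructed."""
import hashlib

def formula_hash(formula: str) -> str:
    # Normalise whitespace and case so cosmetic edits do not trip the control.
    return hashlib.sha256("".join(formula.split()).upper().encode()).hexdigest()

def baseline_key_cells(workbook: dict, key_cells: list) -> dict:
    """Record the approved ('baselined') hash of each key calculation cell."""
    return {cell: formula_hash(workbook[cell]) for cell in key_cells}

def verify_against_baseline(workbook: dict, baseline: dict, approved_changes: dict) -> list:
    """Return findings for key cells whose formula differs from the baseline and
    has no approved change record whose approved hash matches the new formula."""
    findings = []
    for cell, expected in baseline.items():
        current = workbook.get(cell)
        if current is None:
            findings.append(f"{cell}: key calculation missing from workbook")
            continue
        actual = formula_hash(current)
        if actual == expected:
            continue
        approval = approved_changes.get(cell)
        if approval is not None and approval["approved_hash"] == actual:
            continue  # authorised change; re-baseline the cell after sign-off
        findings.append(f"{cell}: formula changed without approval ({current})")
    return findings

# Constructed reserve-calculation workbook at the time it was baselined.
BASELINED = {
    "Reserves!C12": "=SUM(C2:C11)",
    "Reserves!D12": "=C12*Assumptions!B3",
    "Assumptions!B3": "0.035",
}
KEY_CELLS = ["Reserves!C12", "Reserves!D12"]
BASELINE = baseline_key_cells(BASELINED, KEY_CELLS)

# Later version: D12 was changed under an approved ticket, but C12 now omits a
# row of the range (an unapproved logic error).
CURRENT = {
    "Reserves!C12": "=SUM(C2:C10)",
    "Reserves!D12": "=C12 * Assumptions!B4",
    "Assumptions!B3": "0.035",
}
APPROVED_CHANGES = {
    "Reserves!D12": {"ticket": "CHG-0042",
                     "approved_hash": formula_hash("=C12*Assumptions!B4")},
}
```

`verify_against_baseline(CURRENT, BASELINE, APPROVED_CHANGES)` returns a single finding for Reserves!C12; the approved edit to D12 passes.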
