Systems Development IT General Control: Features, Risks and Advantages

IT General Controls


In a general sense, COSO defines internal controls as “A process, effected by an entity’s board of directors, management, and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations.” IT general controls (ITGCs) are internal controls applied to all components of the information technology (IT) environment, such as operating systems, IT infrastructure, databases, and supporting IT applications. ITGCs comprise three types of controls: preventive controls, which prevent errors or security breaches from occurring; detective controls, which detect errors or breaches that trigger preventive controls; and corrective controls, which fix errors or breaches once they have been detected. These controls can range in nature from governance policies and procedures to the implementation of those policies. The most common areas of ITGCs are:

Logical access controls

Change management controls

IT operation controls

System development life cycle controls

The main objective of ITGCs is to provide reasonable assurance that appropriate development and utilization of the available applications align with the organization’s objectives. They also ensure the integrity of data files, IT operations, and applications. The table below provides a brief description of the objectives of the most common areas of ITGCs:

| Controls | Objectives |
| --- | --- |
| Change Management | Only appropriately authorized, tested and approved changes are made. |
| Logical Access | Only authorized persons have access to the system, and they can only perform specifically authorized functions. |
| System Development Life Cycle Controls | An appropriate development life cycle that fits the organization’s environment and aligns with overall objectives. Deviations from scheduled processing are identified and resolved in a timely manner. |
| Financial | Completeness, accuracy, validity, authorization of financial reporting. |
| Operational & IT | IT resources and applications continue to function properly as planned over time. Confidentiality, integrity, availability, effectiveness and efficiency. Ability to trace actions and transactions. |

IT controls provide assurance to the “business” that IT applications and processes are set up to support and carry out the “business” objectives. They also control and/or mitigate the identified risks of the organization’s use of technology. These controls have become essential for organizations to achieve their objectives and gain competitive advantage. Ineffective ITGCs will result in failure to achieve the business objectives. By identifying and understanding the key ITGCs and the risks associated with them, the CAE can create audit plans to test those controls periodically and then report the testing results and findings to the board of directors so that it can take the necessary steps. Testing the ITGCs is the auditor’s way of providing reasonable assurance to the organization’s board of directors.

Risks associated with Systems Development IT General Control:

There are various phases involved in systems development. In practice, each phase will have its own risks with respect to systems development general control. Some of the risks associated with systems development are as follows:

Inadequate budget

Impractical project schedule

Allocation of appropriate resources

Changing end user needs

Non-compliance with industry regulations

Lack of communication between project management team and system designers/developers

Inaccurate data conversion

Improper documentation of plan, design and maintenance 

Examples of control objectives for system development:

As new system development involves significant financial transactions, controls should provide reasonable assurance that the newly developed system accurately processes and reports these transactions.

An adequate SDLC methodology has been established to serve as a basis for controlling development and maintenance activities, and the SDLC methodology is consistent with the organization’s business and end-user objectives and strategies.

User acceptance testing must be performed for all system development projects. User signoff is required before the system can be migrated into the production environment.

The organization’s SDLC includes security, availability, and processing integrity requirements of the organization.

A plan, including the procedures for transfers from the development to the test environment and from the test to the production environment, and the reviews and approvals from business owners, stakeholders, and senior management for the same, are obtained and documented.

The systems development methodology requires parallel and/or pilot testing plans for all new systems.

Data conversion plans should include requirements for verifying that all critical data elements in existing systems are converted into the new system.

Preventive, detective, and corrective controls for system development

Preventive controls are proactive controls which prevent errors from occurring. Preventive controls for system development are as follows:

Segregation of duties: Development and maintenance activities should be separated. Operations and maintenance duties should also be separated. Developers maintaining the software could lead to defective coding and fraud.

Monitoring: Monitoring should be in place to make sure that development is conducted in a structured manner. The application should have a consistent data definition. The organization should have standards for application development. Code reviews should be done regularly.

Documentation: User requirements should be documented. Scope should be clearly defined. The achievements should be measured. A formal process of system design should be followed to ensure that the requirements and controls are designed into the system.

Detective controls are reactive controls which identify a problem after it occurs. These controls detect errors missed by preventive controls. Detective controls for system development are as follows:

Analytics: The organization should have a proper analytic system to help system development in case of any problems faced. Analysis of the problems faced earlier should be carried out.

Reviews: Reviews of problems faced and fixes provided should be carried out.

Monitoring: The fixes being provided should be monitored and should be in alignment with the organization’s standards. Incidents reported and the fixes provided should be documented. Proper communication with the customer should be maintained and well documented.

Corrective controls correct errors or incidents after they are detected. Corrective controls for system development are as follows:

Risk mitigation

Change the controls as needed to eliminate errors in the future

Change control management

Tests to be performed to provide reasonable assurance for control objectives:

User acceptance testing:

The purpose of this test is to make sure that the developed system is in line with the user specifications. Some tests to validate user acceptance testing:

Does the system requirement document provide adequate information?

Do all systems, developed as a unit or integrated, satisfy the organization’s standards?

Did each phase of systems development obtain necessary approvals from respective business owners?

Parallel and pilot testing:

Systems and programs developed are to be tested as a single unit and as part of an integrated system to ensure the systems are reliable and efficient. Unit testing involves testing components individually, whereas parallel testing involves multiple systems or programs and checks for compatibility. Below are a few tests to validate testing of system development:

Does the testing document provide adequate information?

Does unit testing result in the desired output?

Are all systems units compatible during integrated testing?

Was every unit tested?

Did testing meet the audit requirements?

Data conversion:

Conversion of data from an existing system is a crucial process for the developed system to function according to business and user requirements. The following are some tests to check whether the data conversion is accurate:

Is data conversion required for the developed system?

What data validation procedures are in place?

What methods are being used to convert data from the existing system?

Is there a backup strategy in place?

SDLC procedures:

SDLC procedures are in place to make sure each phase is implemented in compliance with the organization’s standards. Some tests to identify the procedures are:

To what extent is the project management team responsible for systems development?

Are the requirements documents for design and maintenance compliant with the organization’s standards?

Was the internal audit team involved during the systems development phases?

 
