Information technology controls
In business and accounting, information technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met. They are a subset of an enterprise's internal control. IT control objectives relate to the confidentiality, integrity, and availability of data and to the overall management of the IT function of the business enterprise. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC include controls over the information technology (IT) environment, computer operations, access to programs and data, program development and program changes. IT application controls refer to transaction processing controls, sometimes called "input-processing-output" controls. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT framework (Control Objectives for Information and Related Technologies), published by ISACA and originally promulgated through its IT Governance Institute, is widely used; it defines a variety of ITGC and application control objectives and recommended evaluation approaches. IT departments in organizations are often led by a chief information officer (CIO), who is responsible for ensuring effective information technology controls are utilized.


IT general controls (ITGC)

ITGC represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC usually include the following types of controls:

* Control environment - controls designed to shape the corporate culture or "tone at the top".
* Change management procedures - controls designed to ensure that changes meet business requirements and are authorized.
* Source code/document version control procedures - controls designed to protect the integrity of program code.
* Software development life cycle standards - controls designed to ensure IT projects are effectively managed.
* Logical access policies, standards and processes - controls designed to manage access based on business needs.
* Incident management policies and procedures - controls designed to address operational processing errors.
* Problem management policies and procedures - controls designed to identify and address the root cause of incidents.
* Technical support policies and procedures - policies to help users perform more efficiently and report problems.
* Hardware/software configuration, installation, testing, management standards, policies, and procedures.
* Disaster recovery/backup and recovery procedures - controls to enable continued processing despite adverse conditions.
* Physical security - controls to protect information technology assets from unauthorized individuals and from environmental risks.


IT application controls

IT application or program controls are fully automated (i.e., performed automatically by the systems) and designed to ensure the complete and accurate processing of data, from input through output. These controls vary based on the business purpose of the specific application. They may also help ensure the privacy and security of data transmitted between applications. Categories of IT application controls may include:

* Completeness checks - controls that ensure all records were processed from initiation to completion (e.g., record counts and control totals reconciled between input and output).
* Validity checks - controls that ensure only valid data is input or processed.
* Identification - controls that ensure all users are uniquely and irrefutably identified.
* Authentication - controls that provide an authentication mechanism in the application system.
* Authorization - controls that ensure only approved business users have access to the application system.
* Input controls - controls that ensure the integrity of data fed from upstream sources into the application system.
* Forensic controls - controls that ensure data is arithmetically correct and traceable, so that outputs can be reconciled back to their inputs.
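As an added example (not code from the original article or from any framework it cites), the following Python batch-posting routine shows what several of the categories above look like when implemented: an authorization gate, completeness checks on record count and control total, per-record validity checks, an input control on the amount field, and a forensic reconciliation of outputs back to inputs. The batch layout, field names, role table and the two sample batches are constructed assumptions for this illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation

# Assumed authorization table: which posting users are approved for which ledgers.
AUTHORIZED_POSTERS = {"ap_clerk_01": {"AP"}, "gl_super_02": {"AP", "GL"}}

# Constructed batches in an assumed upstream format.  The header carries the sending
# system's own record count and control total (sum of amounts) for completeness checks.
CLEAN_BATCH = {
    "header": {"batch_id": "B-0001", "ledger": "AP", "record_count": 2, "control_total": "300.00"},
    "records": [
        {"txn_id": "T1", "vendor": "V100", "amount": "100.00", "date": "2024-03-01"},
        {"txn_id": "T2", "vendor": "V101", "amount": "200.00", "date": "2024-03-02"},
    ],
}
BAD_BATCH = {  # third record corrupted: blank vendor, negative amount, impossible date
    "header": {"batch_id": "B-0002", "ledger": "AP", "record_count": 3, "control_total": "1250.00"},
    "records": [
        {"txn_id": "T3", "vendor": "V100", "amount": "500.00", "date": "2024-03-01"},
        {"txn_id": "T4", "vendor": "V101", "amount": "750.00", "date": "2024-03-02"},
        {"txn_id": "T5", "vendor": "", "amount": "-10.00", "date": "2024-13-40"},
    ],
}


@dataclass
class BatchResult:
    posted: list = field(default_factory=list)        # records accepted for posting
    rejected: list = field(default_factory=list)      # (txn_id, reason) pairs
    batch_errors: list = field(default_factory=list)  # batch-level control failures

    @property
    def accepted(self):
        return not self.batch_errors


def parse_amount(raw):
    """Input control: accept only a decimal with at most two places, else None."""
    try:
        amount = Decimal(str(raw))
    except InvalidOperation:
        return None
    return amount if amount == amount.quantize(Decimal("0.01")) else None


def validate_record(rec):
    """Validity checks on one detail record; returns the list of failure reasons."""
    reasons = []
    if not rec.get("txn_id") or not rec.get("vendor"):
        reasons.append("missing key field")
    amount = parse_amount(rec.get("amount", ""))
    if amount is None:
        reasons.append("amount not a valid decimal")
    elif amount <= 0:
        reasons.append("amount must be positive")
    try:
        date.fromisoformat(rec.get("date", ""))
    except ValueError:
        reasons.append("invalid date")
    return reasons


def post_batch(batch, user):
    hdr, records = batch["header"], batch["records"]
    res = BatchResult()
    # Authorization: the user must be approved for this ledger before any record is read.
    if hdr["ledger"] not in AUTHORIZED_POSTERS.get(user, set()):
        res.batch_errors.append(f"{user} not authorized for ledger {hdr['ledger']}")
        return res
    # Completeness: detail count and control total must agree with the header, so a record
    # dropped or altered in transit is caught even when every surviving field is valid.
    if len(records) != hdr["record_count"]:
        res.batch_errors.append(f"record count {len(records)} != declared {hdr['record_count']}")
    input_total = sum((parse_amount(r.get("amount", "")) or Decimal("0") for r in records), Decimal("0"))
    if input_total != Decimal(hdr["control_total"]):
        res.batch_errors.append(f"control total {input_total} != declared {hdr['control_total']}")
    # Validity: field-level checks, rejecting records individually.
    for rec in records:
        reasons = validate_record(rec)
        if reasons:
            res.rejected.append((rec.get("txn_id"), "; ".join(reasons)))
        else:
            res.posted.append(rec)
    # A batch failing a completeness control is rejected whole rather than posted partially.
    if res.batch_errors:
        res.rejected.extend((r["txn_id"], "batch rejected") for r in res.posted)
        res.posted = []
    return res


def reconcile(batch, res):
    """Forensic control: outputs must reconcile to inputs.  Every input txn_id appears
    exactly once as posted or rejected, and the amounts of the posted and rejected
    records add back to the total of the input amounts."""
    by_id = {r["txn_id"]: r for r in batch["records"]}
    ids_out = [r["txn_id"] for r in res.posted] + [t for t, _ in res.rejected]
    if sorted(by_id, key=str) != sorted(ids_out, key=str):
        return False
    amount = lambda t: parse_amount(by_id[t].get("amount", "")) or Decimal("0")
    return sum(map(amount, by_id), Decimal("0")) == sum(map(amount, ids_out), Decimal("0"))
```

The two completeness checks are deliberately independent of the per-record validity checks: a record count or control total that does not tie back to the header indicates the feed itself is incomplete, and the whole batch is rejected rather than posting the records that happen to pass field validation.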


IT controls and the CIO/CISO

The organization's Chief Information Officer (CIO) or Chief Information Security Officer (CISO) is typically responsible for the security, accuracy and reliability of the systems that manage and report the company's data, including financial data. Financial accounting and enterprise resource planning (ERP) systems are integrated in the initiating, authorizing, processing, and reporting of financial data and may be involved in Sarbanes-Oxley compliance, to the extent they mitigate specific financial risks.


Internal control frameworks


COBIT (Control Objectives for Information and Related Technologies)

COBIT is a widely utilized framework containing best practices for the governance and management of information and technology, aimed at the whole enterprise. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which are enabled by specific IT activities. COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system. COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.


COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring, that need to be in place to achieve financial reporting and disclosure objectives. COBIT provides similar detailed guidance for IT, while the interrelated Val IT concentrates on higher-level IT governance and value-for-money issues. The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate. The four major domains of COBIT 4.1 are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.


IT controls and the Sarbanes-Oxley Act (SOX)

SOX (part of United States federal law) requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports (Section 302) and requires public companies to establish adequate internal controls over financial reporting (Section 404). Passage of SOX resulted in an increased focus on IT controls, as these support financial processing and therefore fall into the scope of management's assessment of internal control under Section 404 of SOX. The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope. The 2007 SOX guidance from the PCAOB and SEC states that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed, which significantly reduces the scope of IT controls required in the assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment. In addition, Statement on Auditing Standards No. 109 (SAS 109) discusses the IT risks and control objectives pertinent to a financial audit and is referenced by the SOX guidance.

IT controls that typically fall under the scope of a SOX 404 assessment may include:

* Specific application (transaction processing) control procedures that directly mitigate identified financial reporting risks. There are typically a few such controls within major applications in each financial process, such as accounts payable, payroll, general ledger, etc. The focus is on "key" controls (those that specifically address risks), not on the entire application.
* IT general controls that support the assertions that programs function as intended and that key financial reports are reliable, primarily change control and security controls.
* IT operations controls, which ensure that problems with the processing are identified and corrected.

Specific activities that may occur to support the assessment of the key controls above include:

* Understanding the organization's internal control program and its financial reporting processes.
* Identifying the IT systems involved in the initiation, authorization, processing, summarization and reporting of financial data.
* Identifying the key controls that address specific financial risks.
* Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness.
* Documenting and testing IT controls.
* Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting processes.
* Monitoring IT controls for effective operation over time.

To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. For instance, IT application controls that ensure the completeness of transactions can be directly related to financial assertions. Access controls, on the other hand, exist within these applications or within their supporting systems, such as databases, networks, and operating systems; they are equally important, but do not directly align to a financial assertion. Application controls are generally aligned with a business process that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process and mitigate specific material financial risks. This focus on risk enabled management to significantly reduce the scope of IT general control testing in 2007 relative to prior years.

Section | Title | Description
302 | Corporate Responsibility for Financial Reports | Certifies that financial statement accuracy and operational activities have been documented and provided to the CEO and CFO for certification.
404 | Management Assessment of Internal Controls | Operational processes are documented and practiced, demonstrating the origins of data within the balance sheet. Section 404 mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness.
409 | Real-time Issuer Disclosures | Public companies must disclose changes in their financial condition or operations in real time to protect investors from delayed reporting of material events.
802 | Criminal Penalties for Altering Documents | Requires public companies and their public accounting firms to retain records, including electronic records that impact the company's assets or performance. Provides fines and imprisonment for those who knowingly and willfully violate this section with respect to (1) destruction, alteration, or falsification of records in federal investigations and bankruptcy and (2) destruction of corporate audit records.


Real-time disclosure

Section 409 requires public companies to disclose information about material changes in their financial condition or operations on a rapid basis. Companies need to determine whether their existing financial systems, such as enterprise resource planning applications, are capable of providing data in real time, or whether the organization will need to add such capabilities or use special software to access the data. Companies must also account for changes that occur externally, such as changes by customers or business partners that could materially impact their own financial position (e.g., a key customer's or supplier's bankruptcy or default). To comply with Section 409, organizations should assess their technological capabilities in the following categories:

* Availability of internal and external portals - portals help route and identify reporting issues and requirements to investors and other relevant parties. These capabilities address the need for rapid disclosure.
* Breadth and adequacy of financial triggers and alerts - the organization sets the trip wires that will kick off a Section 409 disclosure event.
* Adequacy of document repositories - repositories play a critical role in event monitoring to assess disclosure needs and provide a mechanism to audit disclosure adequacy.
* Capacity to be an early adopter of Extensible Business Reporting Language (XBRL) - XBRL will be a key tool to integrate and interface transactional systems, reporting and analytical tools, portals and repositories.


Section 802 & Records retention

Section 802 of Sarbanes-Oxley requires public companies and their public accounting firms to maintain all audit or review work papers for a period of five years from the end of the fiscal period in which the audit or review was concluded. This includes electronic records which are created, sent, or received in connection with an audit or review. As external auditors rely to a certain extent on the work of internal audit, this implies that internal audit records must also comply with Section 802. In conjunction with document retention, another issue is that of the security of storage media and how well electronic documents are protected for both current and future use. The five-year record retention requirement means that current technology must be able to read what was stored five years ago. Due to rapid changes in technology, some of today's media might be outdated in the next three to five years. Audit data retained today may then not be retrievable, not because of data degradation, but because of obsolete equipment and storage media. Section 802 expects organizations to respond to questions on the management of SOX content. IT-related issues include policy and standards on record retention, protection, and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more. In addition, organizations should be prepared to defend the quality of their records management (RM) program; the comprehensiveness of RM (i.e. paper, electronic, and transactional communications, which include emails, instant messages, and spreadsheets that are used to analyze financial results); the adequacy of the retention life cycle; the immutability of RM practices; audit trails; and the accessibility and control of RM content.


End-user application / Spreadsheet controls

PC-based spreadsheets or databases are often used to provide critical data or calculations related to financial risk areas within the scope of a SOX 404 assessment. Financial spreadsheets are often categorized as end-user computing (EUC) tools that have historically been absent from traditional IT controls. They can support complex calculations and provide significant flexibility. However, with flexibility and power comes the risk of errors, an increased potential for fraud, and misuse of critical spreadsheets that do not follow the software development life cycle (e.g. design, develop, test, validate, deploy). To remediate and control spreadsheets, public organizations may implement controls such as:

* Inventory and risk-rank spreadsheets that are related to critical financial risks identified as in-scope for the SOX 404 assessment. These typically relate to the key estimates and judgments of the enterprise, where sophisticated calculations and assumptions are involved. Spreadsheets used merely to download and upload data are less of a concern.
* Perform a risk-based analysis to identify spreadsheet logic errors. Automated tools exist for this purpose.
* Ensure the spreadsheet calculations are functioning as intended (i.e., "baseline" them), so that later changes to the calculation logic can be detected.
* Ensure changes to key calculations are properly approved.

Responsibility for control over spreadsheets is shared between the business users and IT. The IT organization is typically concerned with providing a secure shared drive for storage of the spreadsheets and with data backup. The business personnel are responsible for the remainder.
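The "baseline" and "approved changes" controls above, as an added Python example that is not from the original article: the calculation logic of a sheet is fingerprinted cell by cell when it is validated, and later copies are compared against that fingerprint so that every formula change is either tied to an approval reference or flagged. The cell layout, the two sample sheets and the change log are constructed assumptions for this illustration; a real implementation would read formula text from the workbook with a library such as openpyxl rather than from a dictionary.

```python
import hashlib
import json
import re

# Constructed sheets in an assumed cell -> content layout.  Constants are inputs;
# only cells whose content starts with "=" carry calculation logic.
BASELINE_SHEET = {
    "B2": "1000", "B3": "2500", "B9": "400",
    "B10": "=SUM(B2:B9)",                 # key total
    "C10": "=B10*Assumptions!B1",         # key estimate driven by an assumption cell
    "D2": "=B2-C2",
}
CURRENT_SHEET = {
    "B2": "1000", "B3": "2500", "B9": "400",
    "B10": "=SUM(B2:B8)",                 # logic change: one row silently dropped
    "C10": " =b10 * Assumptions!B1",      # cosmetic edit only: spacing and case
    "D2": "=B2-C2",
    "E2": "=D2/B2",                       # new formula, covered by a change request
}
# Assumed change log: cells whose modification carries an approval reference.
APPROVED_CHANGES = {"E2": "CR-0042"}


def normalize(formula):
    """Canonical form so spacing and case differences are not reported as logic changes."""
    return re.sub(r"\s+", "", formula).upper()


def formula_cells(sheet):
    """Return {cell: normalized formula} for the cells that hold calculation logic."""
    return {cell: normalize(v) for cell, v in sheet.items()
            if isinstance(v, str) and v.lstrip().startswith("=")}


def baseline(sheet):
    """Fingerprint of a sheet's calculation logic: one hash per formula cell plus a digest
    over the whole set, recorded once the spreadsheet is validated as working as intended."""
    cells = {c: hashlib.sha256(f.encode()).hexdigest() for c, f in formula_cells(sheet).items()}
    digest = hashlib.sha256(json.dumps(cells, sort_keys=True).encode()).hexdigest()
    return {"cells": cells, "digest": digest}


def compare(base, sheet, approved):
    """Re-fingerprint the current sheet and split formula changes (added, removed or
    altered cells) into approved and unapproved, so unapproved changes to key
    calculations can be investigated before the sheet's output is relied upon."""
    current = baseline(sheet)
    if current["digest"] == base["digest"]:
        return {"approved": [], "unapproved": []}
    changed = {c for c in base["cells"].keys() | current["cells"].keys()
               if base["cells"].get(c) != current["cells"].get(c)}
    return {"approved": sorted(changed & set(approved)),
            "unapproved": sorted(changed - set(approved))}
```

Only formula cells are fingerprinted, so routine data entry into input cells does not trip the control, while a change to a key formula such as the shortened SUM range in B10 is reported as unapproved unless a matching approval record exists.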


See also

* Chief information officer
* Chief information security officer
* Continuous auditing
* Data governance
* Information technology audit
* IT risk
* IT risk management
* Public Company Accounting Oversight Board
* Risk IT
* Sarbanes-Oxley Act

