The evolution of ITGC: IT General Controls, IT Dependent Controls & IT Specific Controls.

Author: Chiu, George
Position: Information tech

A recent increase in PCAOB scrutiny had SOX practitioners experiencing a steep learning curve in 2014. Among the many focal points highlighted by the PCAOB comment letters are information technology dependencies--such as sensitive access to and interfaces between financial reporting systems, system-enforced segregation of duties, system-generated reports supporting business process controls, and internal controls surrounding end-user computing tools.

IT general controls, while still being evaluated for design and operational effectiveness, no longer provide sufficient support when evaluating the operational effectiveness of internal controls over financial reporting. Efforts spent to identify the linkage between internal controls over financial reporting and the supporting IT infrastructure should not go to waste. Instead, SOX practitioners should leverage the knowledge gained to drive higher audit efficiency.

Control

Companies traditionally rely on generic user provisioning and de-provisioning controls, and high-level, periodic user reviews to mitigate risks surrounding unauthorized access to sensitive financial data. Best practices have suggested SOX practitioners instead identify key master data, identify data owners and develop controls surrounding granting, removing, and periodic recertification of access to these data.

An example of a control: User access to maintain Vendor Master Data is periodically recertified to prevent unauthorized access to Vendor Master. Ownership of such controls generally resides with the business process owners, while supporting organizations--such as IT and HR--provide information to support the performance of the control. In this example, that information would be a listing of users with access to maintain Vendor Master Data and each user's associated employee title.

Too Many Systems?

System-enforced segregation of duties is not new to seasoned SOX practitioners. However, increased focus has been placed on cross-system segregation of duties. With the recent increase in mergers and acquisitions, acquirers are often left with multiple complex enterprise resource planning systems that support their financial reporting process.

As CFOs continue to push for doing more with less, many finance resources are asked to perform their routine activities using multiple system platforms. This has led to reduced transparency in how key functions are segregated physically and systematically to reduce and prevent manual errors and fraud. A segregation of...
