Assessing Information Technology General Control Risk: An Instructional Case

Carolyn Strand Norman, Mark D. Payne, and Valaria P. Vendrzyk

ABSTRACT: Information Technology General Controls (ITGCs), a fundamental category of internal controls, provide the overall foundation for reliance on any information produced by a system. Because the relation between ITGCs and the information produced by an organization's various application programs is indirect, understanding how ITGCs interact with and affect an auditor's risk assessment is often challenging for students. This case helps students assess overall ITGC risk within an organization's information systems. Students identify specific strengths and weaknesses within five ITGC areas, provide a risk assessment for each area, and then evaluate an organization's overall level of ITGC risk within the context of an integrated audit.

Keywords: internal controls; general control; ITGC; risk assessment.
Carolyn Strand Norman is an Associate Professor at Virginia Commonwealth University, Mark D. Payne is an Executive Director at Ernst & Young, and Valaria P. Vendrzyk is an Associate Professor at the University of Richmond. The authors thank Nancy Bagranoff, Faye Borthick, Jason Emmons, Tony Hubbard, Tanya Lee, John McLain, Richard Newmark, Brad Tuttle, Ralph Viator, Marcia Weidenmier-Watson, Chris Wolfe, participants at the 2007 American Accounting Association Annual Meeting, and our anonymous reviewers for their helpful suggestions on earlier versions of this case. We gratefully acknowledge William Sanders, Information Systems Department, Virginia Tech, for the matrix prioritization materials.

INTRODUCTION

The Sarbanes-Oxley Act (SOX 2002) and Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (PCAOB 2007) require that the organization's chief executive officer (CEO) and chief financial officer (CFO) include an assessment of the operating effectiveness of the organization's internal control structure over financial reporting when issuing the annual report. External auditors must review management's internal control assessment as part of an annual integrated audit of the organization's internal controls over financial reporting. In short, accountants (external auditors, internal auditors, and management accountants at all levels) are actively involved in helping their respective organizations comply with SOX-related internal control requirements.

Because IT is pervasive in organizations, the information systems themselves contain many internal controls. As a result, both internal and external auditors must develop an understanding of the IT environment and its related processes and controls, including the IT general controls (ITGCs), by performing risk assessment procedures. Although deficiencies in ITGCs do not directly result in misstated financial statements or material control weaknesses, they can indirectly cause or contribute to application control deficiencies (Center for Public Company Audit Firms 2004). Because the relation between ITGCs and the information produced by an organization's various application programs is indirect, understanding how ITGCs interact with and affect an auditor's risk assessment is often challenging for students. Accordingly, our case offers accounting faculty an assignment or project that is a "real world," comprehensive supplement to textbook materials on risk and ITGCs.

THE CASE

Several months ago, you started working at a large public accounting firm as an IT staff auditor. You are currently working on your first assignment, an ITGC review of the Foods Fantastic Company (FFC). FFC is a publicly traded, regional grocery store chain headquartered in Mason, Maryland, with 50 stores located in the mid-Atlantic area. The centralized data center is in Mason. FFC relies on an integrated suite of application...