IT General Controls
CPA Auditing and Attestation (AUD)

An issuer is audited under PCAOB standards. The company’s IT governance assigns responsibility for cybersecurity and financial systems to separate leaders, and there is no formal process for escalating cybersecurity incidents to the audit committee. A recent ransomware event affected a file server used to store accounting support schedules, though systems were restored from backups. Which factor would most likely affect the auditor's assessment of IT controls?
A. Whether incident response and escalation procedures include timely communication of events affecting financial reporting information to those charged with governance
B. Whether the company’s public relations team issued a statement within 24 hours of the ransomware event
C. Whether the company maintains cyber insurance coverage with a low deductible
D. Whether the company’s backups were stored offsite, regardless of the lack of governance escalation
Explanation
PCAOB AS 2201 treats IT governance, including escalation of incidents affecting financial data, as part of ICFR. The key facts include separate leaders without formal escalation to the audit committee, and a ransomware event impacting accounting files. Option A most affects the assessment because escalation ensures governance oversight, aligning with COSO monitoring. Option B is irrelevant to ICFR, and Option C is incorrect because insurance does not replace controls, per AS 2201. Option D is partial because it does not address the governance gap. A transferable framework is to assess incident procedures by tracing escalations to governance roles. Professional judgment should evaluate monitoring's role in risk mitigation.

A nonissuer distribution company is undergoing a financial statement audit under AICPA standards. The company’s IT governance policy requires approval of system changes by a change advisory board, but the board did not meet for three months during the busiest season and changes were implemented directly by IT operations. The auditor is assessing the reliability of automated controls over inventory valuation that depend on system configuration. Which factor would most likely affect the auditor's assessment of IT controls?
A. Whether changes affecting inventory costing parameters were implemented without documented testing and approval during the period the board did not meet
B. Whether the company’s inventory turnover ratio improved compared to the prior year
C. Whether the company plans to hire additional IT staff next year
D. Whether the company uses an enterprise risk management framework for non-IT risks
Explanation
AICPA AU-C 315 requires assessing IT controls' reliability, including governance over changes affecting automated controls. The key facts involve a change advisory board not meeting for three months, allowing direct implementations impacting inventory valuation configurations. Option A most affects the assessment because unapproved changes undermine control reliability, aligning with COSO's control activities. Option B is irrelevant to IT controls, and Option C is incorrect because future hiring does not remediate past deficiencies, per AU-C 330. Option D is wrong because non-IT frameworks do not address system configuration risks. A transferable judgment framework is to evaluate governance lapses by tracing changes to approval evidence against automated control risks. Auditors should consider the period of exposure when assessing control effectiveness.

An issuer is audited under PCAOB standards, including an audit of ICFR. The company uses a shared service center where IT developers have emergency access to production to resolve outages, and the company asserts that compensating controls exist. The auditor is assessing segregation of duties within IT as it relates to financial reporting systems. Which control should the auditor evaluate to address the risk of unauthorized changes to programs and data?
A. A control requiring all emergency production access to be time-bound, approved by management independent of development, logged, and reviewed after the fact for appropriateness
B. A control requiring developers to document their coding standards in a personal notebook
C. A control where accounting reviews financial statements at quarter-end for reasonableness without considering IT access logs
D. A control requiring the organization to obtain a general ISO certification as a substitute for testing access controls
Explanation
PCAOB AS 2201 emphasizes testing segregation of duties in IT, including controls over emergency access to production environments. The key facts include developers' emergency access at a shared service center, with asserted compensating controls for financial systems. Option A aligns with COBIT by requiring time-bound, approved, logged, and reviewed access to mitigate unauthorized change risks. Option B is incorrect because personal documentation lacks oversight, and Option C represents financial review without IT specificity, per AS 2201. Option D is flawed because ISO certification does not replace specific access testing, per audit evidence standards. A transferable framework involves assessing compensating controls for segregation risks by verifying independence and monitoring effectiveness. Auditors should consider the precision of such controls in preventing or detecting errors timely.

A nonissuer manufacturing company is undergoing a financial statement audit under AICPA standards. During the year, management implemented a new enterprise resource planning (ERP) system that automatically posts sales invoices from the order-entry module to the general ledger, and the legacy system is now read-only for reference. The auditor identifies a risk that unauthorized users could create or modify customer master data and sales prices, resulting in misstated revenue. Which control should the auditor evaluate to address the risk of unauthorized access?
A. Management’s quarterly analytical review of revenue trends by product line, with follow-up on unusual fluctuations
B. Role-based access provisioning with documented approvals, periodic user access recertifications, and timely removal of terminated users from the ERP
C. A post-implementation review that occurs only after the first annual financial statements are issued
D. Adoption of a general cybersecurity maturity model not incorporated into audit evidence for access control testing
Explanation
The COSO framework emphasizes the importance of control activities, including information technology general controls (ITGCs) such as logical access controls to mitigate risks in financial reporting systems. In this scenario, the key facts involve the implementation of a new ERP system with automated posting of sales invoices and the identified risk of unauthorized modifications to customer master data and sales prices, which could lead to revenue misstatements. Option B aligns with authoritative guidance from COBIT, which recommends role-based access controls, approvals, recertifications, and timely user terminations to prevent unauthorized access and ensure data integrity. Option A is incorrect because it represents a monitoring control rather than a preventive access control, and Option C is flawed because post-implementation reviews should occur timely, not delayed until after annual statements, per audit standards such as AU-C 315. Option D is inappropriate because a general cybersecurity model without integration into audit evidence does not directly address access control testing, per PCAOB AS 2201. A transferable professional judgment framework involves assessing the design and operation of access controls by evaluating provisioning processes against the principle of least privilege. Auditors should also consider the precision of controls in mitigating specific risks, balancing preventive and detective measures for effective risk response.

A nonissuer construction company is undergoing a financial statement audit under AICPA standards. The company implemented a new job-costing system that allocates overhead to projects using standard rates maintained in a configuration table. The auditor identifies a risk that unauthorized changes to standard rates could materially affect cost of revenues. Which control should the auditor evaluate to address the risk of unauthorized access?
A. Role-based access restricting who can change standard rates, with documented approvals for rate changes and periodic review of users with configuration access
B. A control requiring project managers to approve timecards, without addressing who can change overhead rates
C. A control requiring the IT department to perform an annual inventory count observation
D. A control requiring adoption of a general enterprise architecture framework as a substitute for access controls
Explanation
AICPA AU-C 315 requires access controls to prevent unauthorized changes in systems affecting financial statements. The key facts involve a new job-costing system with configurable overhead rates, which creates a risk of misstated cost of revenues. Option A aligns with COBIT by restricting and reviewing access to configurations. Option B addresses timecard approval but not who can change overhead rates, and Option C, an inventory count observation, is not an IT control, per AU-C 330. Option D substitutes a general framework for access controls without providing evidence that access is restricted. A transferable decision rule is to evaluate access by verifying restrictions against modification risks. Auditors should balance preventive controls with periodic reviews.

An issuer is audited under PCAOB standards. The auditor identifies that the company lacks a formal process to review and approve changes to key reports used in controls over financial reporting, including a cash reconciliation report generated from the ERP. Management asserts the report is unchanged from prior years. Which audit response is most appropriate to address the risk related to IT general controls over report changes?
A. Test report logic and parameters, and evaluate change management controls over report modifications to support reliance on the report used in the control
B. Rely on management’s assertion that the report is unchanged because it has been used historically
C. Limit testing to inquiry of the report owner because inspection of report configuration is outside the scope of an ICFR audit
D. Obtain a SOC 2 report from the ERP vendor as a substitute for testing report change controls at the company
Explanation
PCAOB AS 2201 requires testing ITGCs over changes to reports used in ICFR controls. The key facts include the lack of a formal process for report changes, with management asserting that the cash reconciliation report is unchanged. Option A aligns with AS 2201 by testing logic, parameters, and change controls to support reliance. Option B is incorrect because management assertions require corroboration, and Option C does not meet the evidence requirements of AS 2301, since inquiry alone is insufficient. Option D is wrong because a SOC 2 report covers the vendor's controls, not the company's own controls over report changes. A transferable framework is to validate report integrity by inspecting configurations against change risks. Professional judgment should assess the impact on dependent manual controls.

An issuer is audited under PCAOB standards. Management identified a deficiency where terminated employees’ access to the financial reporting system was not removed timely, but management argues it is not a material weakness because no unauthorized activity was detected. The auditor is evaluating the severity of the deficiency in ICFR. Which factor would most likely affect the auditor's assessment of IT controls?
A. The likelihood and magnitude of potential misstatement given the level of access retained by terminated users and the period of continued access
B. Whether the deficiency was discovered by internal audit rather than by external audit
C. Whether management intends to purchase a new identity management tool next year
D. Whether the company’s HR department has a documented employee handbook
Explanation
PCAOB AS 2201 evaluates ICFR deficiencies by the likelihood and magnitude of misstatement, not merely by whether a misstatement was detected. The key facts include untimely access removal for terminated employees, which management argues is not a material weakness because no unauthorized activity was detected. Option A most affects the assessment because continued access heightens risk, aligning with COSO. Option B is irrelevant, and Option C is future-oriented and does not remediate the deficiency, per AS 2201. Option D does not affect severity. A transferable framework is to classify deficiencies by potential impact, considering exposure periods. Professional judgment should not rely on the absence of detected errors when the risk persists.

A nonissuer technology company is undergoing a financial statement audit under AICPA standards. The company uses a source code repository and automated deployment tools to push changes to its billing application, which feeds revenue transactions into the general ledger. The auditor notes that developers can approve their own pull requests and deployments. Which control should the auditor evaluate to address the risk of unauthorized changes to programs affecting financial reporting?
A. Segregation of duties in the deployment process, including independent code review/approval, restricted production deployment rights, and audit logs of deployments
B. A control requiring developers to document new features in release notes without independent approval
C. A control requiring finance to perform a high-level monthly revenue trend analysis only
D. A control requiring adoption of a general quality management standard that does not provide evidence over specific deployments
Explanation
AICPA AU-C 330 requires controls over program changes to mitigate unauthorized modifications affecting financial reporting. The key facts involve developers approving their own deployments to the billing application feeding the GL. Option A aligns with COBIT by enforcing segregation, reviews, and logs to prevent unauthorized changes. Option B lacks independence, and Option C is incorrect because trend analysis is a monitoring control, not a preventive one, per AU-C 315. Option D is inadequate without specific evidence. A transferable decision rule is to evaluate deployment controls by verifying segregation against change risks. Auditors should consider logging for detective effectiveness.

Which of the following is an example of an IT general control, rather than an application control?
A. An automated edit check that prevents a user from entering a non-numeric character in a sales amount field.
B. A policy requiring all changes to the payroll system software to be formally authorized and tested before implementation.
C. A programmed three-way match procedure for vendor invoices, purchase orders, and receiving reports.
D. A system-generated report of all credit sales that exceed a customer's authorized credit limit for management review.
Explanation
Program change management controls (B) are a classic example of an IT general control because they apply broadly to all systems and applications to ensure the integrity of the production environment. Choices A, C, and D are all examples of application controls because they are embedded within a specific business process (data entry, accounts payable, credit sales) to ensure transactions are processed correctly.

This situation represents a significant weakness primarily in which area of IT general controls?
A. Program development and acquisition.
B. Business continuity planning.
C. Segregation of duties and access controls.
D. Computer operations.
Explanation
The scenario describes a classic violation of segregation of duties. The network administrator has conflicting responsibilities: programming (authorization and development) and unrestricted access to production data (custody/operations). This combination creates a significant risk that unauthorized and potentially fraudulent changes could be made to systems and data without detection. This falls squarely under segregation of duties and access controls.