Question
Case Study Overview
Information Technology General Controls (ITGCs) are a classification of internal controls that can be applied to a variety of information technology (IT) environments. Although IT controls are not as well understood as business process controls, breaks in these internal controls can wreak havoc for companies. In this case study, you will uncover challenges faced by four different companies and try to identify IT controls that could have been used by each company. Each situation is focused on one of the four main categories of IT controls.
ITGC Basics
Before you get started, let's discuss some ITGC basics that will help you understand the context of each scenario. ITGCs are typically broken down into four main domains: Security, Computer Operations, Program Changes, and System Development. Each section of the case will be focused on one of these topics. Security (or access) controls ensure that only authorized individuals have access to company programs and data. Computer Operations controls ensure that the company IT systems, programs, data, and supporting infrastructure are available and processing as intended. Computer Operations controls typically include activities such as data backups, batch processes, and disaster recovery. Program Change controls (also known as Change Management or Change Control) are in place to ensure that changes to existing systems work as intended, and do not have any adverse impact. System Development controls are similar to Program Change, but are much more robust and extensive as these controls relate to the implementation of a new system or a massive change in an existing system. Program Change and Systems Development controls ensure that minor and major system changes are appropriate and effective through testing, approval, and documentation.
Based on your strong understanding of ITGCs, each of the following companies would like you to evaluate their situation. They would like you to provide insight on their issues and provide examples of information technology controls that could help them prevent another IT control crisis in the future. These discussion points are listed at the end of the case study.
Security
Costco Wholesale Corporation (Costco) is a large multinational retailer headquartered in Washington. The company operates by selling memberships that allow consumers to shop at their retail warehouses. On October 4, 2018, Costco executives shared the company's fourth quarter operating results. Although the company had strong financial results, significant control issues were identified. Despite the positive earnings, the company's shares of stock dropped approximately 4% after the announcement of major internal control issues.
The company reported a material weakness over information technology general controls. One of the major control deficiencies involved user access issues. The company noted that authorized users had excessive system access that was beyond what was required. In addition, both internal users and contractors had unnecessary access to systems that supported the company's financials. The company believes that access was needed at one point in time, but was not removed in a timely manner.
Computer Operations
The Oregon state's public pension agency, Public Employee Retirement System (PERS), manages the pension of over 365,000 Oregonians. Each month, the system pays out over $300 million to retirees. An auditor uncovered that the agency's information technology systems are at risk during a natural disaster. This could result in retirees not getting their critical payments. Although the pension agency has a disaster recovery plan in place, the plan has never been tested to determine its effectiveness. In addition, the organization creates data backups on a regular basis and stores these tapes offsite. Although this is typically a good practice, the location of these tapes is less than two miles from the office. In the event of a natural disaster, such as a flood or an earthquake, both the PERS office and the backup location would be negatively impacted by the event. As a result, the organization may not be able to restore the system since the backup tapes would have encountered the same disaster. This scenario could leave retirees dependent on their pension payments in a serious situation.
Program Change
Southwest Airlines (SWA) is a major air carrier that is known for its low fares and excellent customer service. The seating arrangement on SWA is different than most commercial airlines. On SWA, the customers do not have assigned seats. Rather, seating is based on a first-come, first-serve basis by issuing customers a boarding pass with a boarding group (A, B, and C) and boarding number (1-60). The first customers on the plane get their choice of seats, while the customers in boarding group C may be stuck in a middle seat towards the back of the plane. Typically, A-List and A-List Preferred status customers have priority boarding on the airline. Customers with this status have an added benefit that they are guaranteed positions in the A boarding group, assuring that they will have a choice of desirable seats to select.
From August 11th-15th, 2017, SWA's A-List and A-List Preferred status customers were in an uproar. There was a change in the way boarding passes were issued. These frequent flyers reviewed their boarding passes to discover that they were not prioritized. These individuals were getting boarding groups based on their check-in time and the system was not automatically giving them their coveted A-group boarding spot. Southwest Airlines apologized to their A-List and A-List Preferred status customers and gave each customer on an affected flight an extra 1,500 points in their rewards system. Five days after these problems began, the company still did not know the cause and was still working to resolve the issue.
Systems Development
Maine Medical Center (MMC) is Maine's largest state-of-the-art healthcare center. It is a part of the MaineHealth network. In December 2012, MMC implemented the EPIC Electronic Health Record (EHS) system. The new information technology system was estimated to cost $160 million. Within four months of the implementation, trouble was brewing. The company's chief information officer (CIO) was no longer employed with the health system. In April 2013, the chief executive officer (CEO) sent a letter to employees informing them of both a hiring and traveling freeze. The bad news did not stop there. The CEO also mentioned that the roll out of EPIC to the other MaineHealth affiliates was halted until some of the issues could be remediated. The EPIC system was not effectively capturing revenue information and was undercharging patients for procedures performed. In addition, the nurses and doctors did not know how to charge for services in the new system. The financial repercussions of the EPIC implementation contributed to a $13.4 million operating loss for the organization.
Discussion Questions
Security
1. What were the access control issues that Costco was facing?
2. What can happen when users have this type of access?
3. What internal controls could the company put in place to detect this user access issue?
Computer Operations
4. What were the control issues the Public Employee Retirement System (PERS) was facing?
5. What could happen if there was a natural disaster and these controls were not working properly?
6. What internal controls could PERS put in place to prevent these computer operations issues?
Program Changes
7. Southwest Airlines' systems were working as intended until August 11, 2017. What type of program change issue could have occurred that could have caused the change in boarding priority?
8. What Program Change internal controls could have prevented this type of issue?