Question

For each risk, use the list on the following page to identify the ITGCs (by letter) that would address the ITGC process risk, using the example underlying cause provided.

ITGC process risk

ITGCs

1. Reliance on systems or programs that are inaccurately processing data, processing inaccurate data or both. (Example underlying cause: new IT application programs, or changes to existing programs, do not function as described or requested because they were not adequately tested.)

2. Unauthorized access to data that may result in destruction of data, or improper changes to data, including the recording of unauthorized or nonexistent transactions, or inaccurate recording of transactions. (Example underlying cause: users of the IT environment are not authorized because requests for the removal of unneeded access, e.g., employee job changes of IT personnel within an entity, are not made timely, or access action requests are fulfilled inaccurately or untimely.)

3. The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down the segregation of duties. (Example underlying cause: the access of IT users to the IT environment creates segregation-of-duties conflicts.)

4. Unauthorized changes to data in master files. (Example underlying cause: direct changes to data are made by IT personnel without authorization.)

5. Unauthorized changes to systems or programs. (Example underlying cause: unauthorized changes to systems or programs, including interfaces, configurations and report logic, are controlled by IT personnel.)

6. Inappropriate manual intervention. (Example underlying cause: issues with programs that cannot process through to completion are not addressed, or are not appropriately addressed.)

7. Potential loss of data, or inability to access data as required. (Example underlying cause: hardware or software issues result in loss of data or the loss of the ability to access data as needed.)

ITGCs

A. There is a defined process to change the access rights within the roles that includes approval by appropriate business management personnel. (Applicable to IT application when access rights are aggregated into roles.)

B. IT personnel monitor the execution of the job schedule and take actions appropriate for the issues that arise. (Applicable to IT environments when processing relies on job schedules and those job schedules are controlled by IT personnel.)

C. New or additional access rights are approved by an appropriate management person in advance of access being granted. (Applicable in all IT environments.)

D. Changes to the IT application are tested by business and (or) IT users, as appropriate, prior to the move into production. (Applies to most IT environments.)

E. Changes to the data made by users other than the IT application or IT application users are logged and compared with the requests and approvals for those changes by people without the access to make such changes. (Applicable to IT environments when there is routine use of direct data changes in the processing of transactions relevant to the financial statements.)

F. The production environment (including tools to move the programs into the test environment) is accessible only by a limited number of authorized, appropriate people who do not have development responsibilities. (Applies to most environments of more than minimal size that have developers.)

G. Programs and data are written to backup media at least weekly and stored in a physical location separate from the production equipment. (Applicable to environments whose backup function uses backup software.)

H. The programs in the test environment (including tools to move the programs into the test environment) are accessible only by a limited number of authorized, appropriate people who do not have development responsibilities. (Applicable in IT environments when there are many developers and the programs are moved from the development environment into the test environment and into the production environment by a more limited number of authorized personnel.)

I. Access rights no longer needed by users who are leaving the entity's employ or who have changed job responsibilities are ended timely based on notification from HR or the user's supervisor or manager. (Generally applicable to all environments, though testing may not be necessary if the periodic validation control operates effectively.)
