IT General Controls
CPA Auditing and Attestation (AUD): IT General Controls help questions
An issuer is audited under PCAOB standards. The company’s IT governance assigns responsibility for cybersecurity and financial systems to separate leaders, and there is no formal process for escalating cybersecurity incidents to the audit committee. A recent ransomware event affected a file server used to store accounting support schedules, though systems were restored from backups. Which factor would most likely affect the auditor's assessment of IT controls?
A. Whether the company’s public relations team issued a statement within 24 hours of the ransomware event
B. Whether incident response and escalation procedures include timely communication of events affecting financial reporting information to those charged with governance
C. Whether the company maintains cyber insurance coverage with a low deductible
D. Whether the company’s backups were stored offsite, regardless of the lack of governance escalation
Explanation
In an integrated audit under PCAOB AS 2201, the auditor evaluates entity-level controls, including the control environment and monitoring activities over IT, because they affect the reliability of the ITGCs and application controls that support ICFR. The key facts are that cybersecurity and financial systems report to separate leaders, no formal process escalates cybersecurity incidents to the audit committee, and a ransomware event affected a file server holding accounting support schedules. Option B most affects the assessment: whether incident response and escalation procedures require timely communication of events affecting financial reporting information to those charged with governance determines whether the audit committee can oversee management's response, which maps to the COSO monitoring and control environment components. Option A is irrelevant to ICFR; the timing of a press statement is a communications matter. Option C is incorrect because insurance transfers financial loss after the fact and neither prevents nor detects a misstatement, so it is not a substitute for controls. Option D is only partial: offsite backups address the availability of the schedules, but the governance gap remains, and the completeness and integrity of the restored schedules would still need to be established. A transferable approach is to take each incident that touched financial data and trace it along the escalation path to the governance role that should have received it, noting whether and when it arrived. Professional judgment should weigh how the absence of an escalation path weakens monitoring's ability to detect and respond to control failures.
A nonissuer distribution company is undergoing a financial statement audit under AICPA standards. The company’s IT governance policy requires approval of system changes by a change advisory board, but the board did not meet for three months during the busiest season and changes were implemented directly by IT operations. The auditor is assessing the reliability of automated controls over inventory valuation that depend on system configuration. Which factor would most likely affect the auditor's assessment of IT controls?
A. Whether the company uses an enterprise risk management framework for non-IT risks
B. Whether the company’s inventory turnover ratio improved compared to the prior year
C. Whether the company plans to hire additional IT staff next year
D. Whether changes affecting inventory costing parameters were implemented without documented testing and approval during the period the board did not meet
Explanation
AU-C 315 requires the auditor to understand the entity's IT general controls, including controls over program and configuration changes, when automated controls are relevant to the audit, and AU-C 330 requires that any reliance on automated controls be supported by evidence of their operating effectiveness throughout the period of reliance. The key facts are that the change advisory board did not meet for three months during the busiest season, IT operations implemented changes directly, and the automated inventory valuation controls depend on system configuration. Option D most affects the assessment: if changes affecting inventory costing parameters went into production without documented testing and approval, the automated controls cannot be presumed to have operated as designed during that window, which is a breakdown in COSO control activities. Option A is wrong because a risk management framework for non-IT risks says nothing about how system configuration was controlled. Option B is a financial ratio that may inform analytical procedures but provides no evidence about the design or operation of IT controls. Option C is incorrect because future hiring does not remediate a lapse that has already occurred. A transferable approach is to obtain the population of changes made during the lapse from system logs as well as change tickets, since changes that bypassed the board may have no tickets, trace each to testing and approval evidence, and identify which touched configurations the automated controls depend on. The period of exposure matters: the controls may have operated effectively outside the three months, but reliance for that window needs separate evidence or a substantive response.
An issuer is audited under PCAOB standards, including an audit of ICFR. The company uses a shared service center where IT developers have emergency access to production to resolve outages, and the company asserts that compensating controls exist. The auditor is assessing segregation of duties within IT as it relates to financial reporting systems. Which control should the auditor evaluate to address the risk of unauthorized changes to programs and data?
A. A control requiring all emergency production access to be time-bound, approved by management independent of development, logged, and reviewed after the fact for appropriateness
B. A control requiring developers to document their coding standards in a personal notebook
C. A control requiring the organization to obtain a general ISO certification as a substitute for testing access controls
D. A control where accounting reviews financial statements at quarter-end for reasonableness without considering IT access logs
Explanation
PCAOB AS 2201 directs the auditor to evaluate ITGCs, including segregation of duties and controls over access to programs and data, to the extent they support the application controls and data on which ICFR relies. The key facts are that developers at a shared service center hold emergency access to production and that management asserts compensating controls exist. Option A is the control to evaluate: requiring emergency access to be time-bound, approved by management independent of development, logged, and reviewed after the fact directly addresses the risk that a developer uses the access to make an unauthorized change to programs or data, and it reflects COBIT guidance on managing privileged and emergency access. Option B is incorrect because a personal notebook is neither independent nor verifiable and provides no oversight of what was done in production. Option C is flawed because an ISO certification is not a substitute for testing the specific access controls of this entity; the auditor needs evidence about these systems. Option D is not precise enough: a quarter-end reasonableness review is unlikely to detect an individual unauthorized program or data change, and ignoring access logs severs the link between financial effects and the access that caused them. A transferable approach to compensating controls for segregation risks is to verify the approver's and reviewer's independence from development, confirm that logging captures the actions taken and not merely that access was granted, and confirm the review was performed timely against those logs. Auditors should consider whether the control is precise enough to prevent or detect a misstatement of a magnitude relevant to the audit.
A nonissuer manufacturing company is undergoing a financial statement audit under AICPA standards. During the year, management implemented a new enterprise resource planning (ERP) system that automatically posts sales invoices from the order-entry module to the general ledger, and the legacy system is now read-only for reference. The auditor identifies a risk that unauthorized users could create or modify customer master data and sales prices, resulting in misstated revenue. Which control should the auditor evaluate to address the risk of unauthorized access?
A. A post-implementation review that occurs only after the first annual financial statements are issued
B. Role-based access provisioning with documented approvals, periodic user access recertifications, and timely removal of terminated users from the ERP
C. Adoption of a general cybersecurity maturity model not incorporated into audit evidence for access control testing
D. Management’s quarterly analytical review of revenue trends by product line, with follow-up on unusual fluctuations
Explanation
The COSO framework treats logical access controls as ITGCs within the control activities component, and under AU-C 315 the auditor must understand the ITGCs on which the entity's automated controls depend. The key facts are a new ERP that posts sales invoices automatically to the general ledger, a legacy system now read-only, and an identified risk that unauthorized users could create or modify customer master data and sales prices. Option B is the control to evaluate: role-based provisioning with documented approvals, periodic recertification of user access, and timely removal of terminated users are the preventive access controls that address this risk and are consistent with COBIT guidance on managing identities and access. Option A is incorrect because a post-implementation review that occurs only after the annual financial statements are issued cannot prevent or detect misstatements in the period under audit; such a review should be timely. Option C is inappropriate because a maturity model that is not incorporated into audit evidence gives the auditor nothing to test about who can change master data and prices. Option D is a detective monitoring control operating at too high a level of precision to catch manipulation of individual prices or customer records; it may complement the access controls but does not address the access risk itself. A transferable approach is to evaluate provisioning against the principle of least privilege: obtain the population of users who can maintain customer master data and pricing, trace each to an approved access request, and confirm that terminated users were removed timely. In a conversion year the auditor should also confirm that the legacy system is in fact read-only and that access in the new ERP was assigned to the new roles rather than carried over from the old system.
A nonissuer construction company is undergoing a financial statement audit under AICPA standards. The company implemented a new job-costing system that allocates overhead to projects using standard rates maintained in a configuration table. The auditor identifies a risk that unauthorized changes to standard rates could materially affect cost of revenues. Which control should the auditor evaluate to address the risk of unauthorized access?
A. A control requiring adoption of a general enterprise architecture framework as a substitute for access controls
B. A control requiring project managers to approve timecards, without addressing who can change overhead rates
C. A control requiring the IT department to perform an annual inventory count observation
D. Role-based access restricting who can change standard rates, with documented approvals for rate changes and periodic review of users with configuration access
Explanation
AU-C 315 requires the auditor to understand the ITGCs, including logical access controls, over systems whose configuration affects the financial statements. The key facts are a new job-costing system that allocates overhead using standard rates held in a configuration table, and a risk that unauthorized rate changes could materially misstate cost of revenues. Option D is the control to evaluate: role-based access restricting who can change standard rates, documented approvals for rate changes, and periodic review of users with configuration access address the risk directly and reflect COBIT guidance on access management. Option B addresses timecards, a different input, and says nothing about who can change overhead rates. Option C is a physical inventory procedure unrelated to configuration access, and it is not an IT department function in any case. Option A is wrong because adopting an architecture framework is not evidence that access is restricted; a framework cannot substitute for a control. A transferable approach is to identify who holds configuration access, obtain the period's rate changes from the system's audit trail, and trace each to an approval. Auditors should balance the preventive access restriction with the periodic review that detects access that should not have been granted or retained.
An issuer is audited under PCAOB standards. The auditor identifies that the company lacks a formal process to review and approve changes to key reports used in controls over financial reporting, including a cash reconciliation report generated from the ERP. Management asserts the report is unchanged from prior years. Which audit response is most appropriate to address the risk related to IT general controls over report changes?
A. Test report logic and parameters, and evaluate change management controls over report modifications to support reliance on the report used in the control
B. Limit testing to inquiry of the report owner because inspection of report configuration is outside the scope of an ICFR audit
C. Rely on management’s assertion that the report is unchanged because it has been used historically
D. Obtain a SOC 2 report from the ERP vendor as a substitute for testing report change controls at the company
Explanation
When a control in ICFR depends on a system-generated report, PCAOB AS 2201 requires the auditor to obtain evidence about the report's completeness and accuracy, either by testing the ITGCs over the report's configuration and changes or by testing the report directly. The key facts are the absence of a formal process to review and approve changes to key reports, including a cash reconciliation report generated from the ERP, and management's assertion that the report is unchanged from prior years. Option A is most appropriate: testing the report's logic and parameters and evaluating change management over report modifications supports reliance on the report used in the control. Option B is incorrect because inquiry alone does not provide sufficient evidence to conclude that a control is effective, and inspecting report configuration is squarely within the scope of an ICFR audit. Option C is incorrect because a management assertion is not audit evidence, and without a change management process the company's own records cannot corroborate that the report is unchanged; the auditor should instead test the report directly, for example by re-performing its logic against source data. Option D is wrong because a SOC 2 report addresses the vendor's controls against the trust services criteria, not this company's report configuration, which remains the user entity's responsibility; where vendor controls are relevant to ICFR, a SOC 1 report would be the pertinent one. A transferable approach is to validate each key report's integrity by inspecting its configuration and change history or by re-performing it. Professional judgment should assess the impact on dependent manual controls: if the report is unreliable, the reconciliation performed from it is unreliable as well.
An issuer is audited under PCAOB standards. Management identified a deficiency where terminated employees’ access to the financial reporting system was not removed timely, but management argues it is not a material weakness because no unauthorized activity was detected. The auditor is evaluating the severity of the deficiency in ICFR. Which factor would most likely affect the auditor's assessment of IT controls?
A. Whether management intends to purchase a new identity management tool next year
B. Whether the company’s HR department has a documented employee handbook
C. The likelihood and magnitude of potential misstatement given the level of access retained by terminated users and the period of continued access
D. Whether the deficiency was discovered by internal audit rather than by external audit
Explanation
Under PCAOB AS 2201, the severity of a deficiency depends on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement and on the magnitude of the potential misstatement; it does not depend on whether a misstatement actually occurred. The key facts are that terminated employees' access to the financial reporting system was not removed timely and that management argues the deficiency is not a material weakness because no unauthorized activity was detected. Option C most affects the assessment: the level of access the terminated users retained (for example, the ability to post journal entries or change master data) drives magnitude, and the length of time the access remained open drives likelihood. Option A is future-oriented and does not change the severity of the deficiency that existed during the period. Option B is irrelevant to access removal in the financial reporting system. Option D does not bear on severity; who found the deficiency changes neither the likelihood nor the magnitude of potential misstatement. A transferable approach is to reconcile the HR termination list to the system's user list, quantify the days each account remained enabled beyond the removal standard, classify each by the capabilities its roles conferred, and consider whether compensating detective controls would have caught misuse. Professional judgment should not treat the absence of detected activity as evidence of absence, particularly where review of access logs is itself weak.
A nonissuer technology company is undergoing a financial statement audit under AICPA standards. The company uses a source code repository and automated deployment tools to push changes to its billing application, which feeds revenue transactions into the general ledger. The auditor notes that developers can approve their own pull requests and deployments. Which control should the auditor evaluate to address the risk of unauthorized changes to programs affecting financial reporting?
A. A control requiring adoption of a general quality management standard that does not provide evidence over specific deployments
B. A control requiring finance to perform a high-level monthly revenue trend analysis only
C. Segregation of duties in the deployment process, including independent code review/approval, restricted production deployment rights, and audit logs of deployments
D. A control requiring developers to document new features in release notes without independent approval
Explanation
AU-C 315 requires the auditor to understand the ITGCs over program changes for applications relevant to financial reporting, and AU-C 330 requires tests of operating effectiveness before relying on those controls. The key facts are that the billing application feeds revenue transactions into the general ledger, that changes flow through a source code repository and automated deployment tools, and that developers can approve their own pull requests and deployments. Option C is the control to evaluate: independent code review and approval, production deployment rights restricted to identities other than the change's author, and audit logs of deployments enforce segregation of duties over program changes, consistent with COBIT guidance on managing changes. Option D lacks independence; release notes written by the developer are documentation, not approval. Option B is a detective monitoring control at too high a level of precision to detect a misstatement introduced by a single code change. Option A is inadequate because a certification provides no evidence about specific deployments to this application. A transferable approach is to obtain the population of production deployments, link each to its pull request, and verify that the approver is not the author and that the deployer is within the restricted group; the repository's branch protection and deployment permission settings are the preventive controls and should be inspected directly, including whether administrators can bypass them. Auditors should consider whether the deployment logs are complete and protected from alteration, since they are the basis of the detective evidence.
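As an added example, not part of the original question set, the following Python script runs the segregation-of-duties test described in the explanation over a constructed set of pull request and deployment records: every production deployment must trace to a pull request, the pull request must have an approver other than its author and no branch-protection bypass, the deployer must be within the restricted production group, and the author must not be the one who deployed. The record layouts imitate what a Git hosting platform and a deployment tool export but are constructed here, and the set of identities permitted to deploy to production is an assumption.

```python
"""Segregation-of-duties test over pull requests and production deployments.

Added example, not from the original page. The record layouts imitate exports
from a Git hosting platform and a deployment tool but are constructed here, and
the set of identities permitted to deploy to production is an assumption.
"""

PROD_DEPLOYERS = {"release-bot", "ops.dana"}   # assumed restricted production deploy rights


def check_pull_request(pr):
    """Independent review: at least one approver other than the author, and no bypass."""
    issues = []
    independent_approvers = [a for a in pr["approvals"] if a != pr["author"]]
    if not pr["approvals"]:
        issues.append("NO_REVIEW")
    elif not independent_approvers:
        issues.append("SELF_APPROVED")
    if pr.get("bypassed_protection"):
        issues.append("PROTECTION_BYPASSED")   # administrator override of branch protection
    return issues


def check_deployment(deployment, prs_by_sha):
    """Restricted deploy rights, traceability to a reviewed PR, and author != deployer."""
    issues = []
    if deployment["env"] != "prod":
        return issues   # test scope is production only
    if deployment["deployed_by"] not in PROD_DEPLOYERS:
        issues.append("UNAUTHORIZED_DEPLOYER")
    pr = prs_by_sha.get(deployment["sha"])
    if pr is None:
        issues.append("NO_LINKED_PR")   # code reached production without a reviewed change
        return issues
    issues.extend(check_pull_request(pr))
    if deployment["deployed_by"] == pr["author"]:
        issues.append("AUTHOR_DEPLOYED_OWN_CHANGE")
    return issues


def audit_deployments(pull_requests, deployments):
    """Map each deployment id to its issues (empty list means no exception)."""
    prs_by_sha = {pr["merge_sha"]: pr for pr in pull_requests}
    return {d["id"]: check_deployment(d, prs_by_sha) for d in deployments}


# Constructed sample records (not real repositories or people).
PULL_REQUESTS = [
    {"number": 41, "author": "dev.alice", "approvals": ["dev.bob"], "merge_sha": "aaa111"},
    {"number": 42, "author": "dev.bob", "approvals": ["dev.bob"], "merge_sha": "bbb222"},
    {"number": 43, "author": "dev.carol", "approvals": [], "merge_sha": "ccc333",
     "bypassed_protection": True},
    {"number": 44, "author": "ops.dana", "approvals": ["dev.alice"], "merge_sha": "ddd444"},
]
DEPLOYMENTS = [
    {"id": "D-1", "env": "prod", "sha": "aaa111", "deployed_by": "release-bot"},
    {"id": "D-2", "env": "prod", "sha": "bbb222", "deployed_by": "dev.bob"},
    {"id": "D-3", "env": "prod", "sha": "ccc333", "deployed_by": "release-bot"},
    {"id": "D-4", "env": "prod", "sha": "eee555", "deployed_by": "release-bot"},   # hotfix, no PR
    {"id": "D-5", "env": "staging", "sha": "ddd444", "deployed_by": "dev.alice"},
    {"id": "D-6", "env": "prod", "sha": "ddd444", "deployed_by": "ops.dana"},
]

if __name__ == "__main__":
    for dep_id, issues in audit_deployments(PULL_REQUESTS, DEPLOYMENTS).items():
        print(dep_id, "ok" if not issues else ", ".join(issues))
```

The logs give detective evidence; the preventive control is the repository's branch protection and the deployment tool's permission settings, which the auditor should inspect alongside this test. A deployment with no linked pull request (D-4) is the case that a review of pull requests alone would never surface, which is why the population is taken from the deployment log rather than from the repository.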
An issuer is undergoing an audit under PCAOB standards. During the year, the company experienced a cybersecurity incident involving compromised credentials for a privileged IT administrator account; management states that no financial data were altered. The auditor has identified deficiencies in privileged access management and is evaluating the impact on ICFR. Which factor would most likely affect the auditor's assessment of IT controls?
A. Whether the company’s marketing website experienced any downtime during the incident
B. Whether management plans to adopt a new cybersecurity framework in the next fiscal year
C. Whether the incident was disclosed in a press release, regardless of its relevance to financial reporting systems
D. Whether the incident involved a privileged account with access to applications and databases supporting financial reporting
Explanation
PCAOB AS 2201 guides the evaluation of IT control deficiencies in ICFR by the likelihood and magnitude of a resulting misstatement, which for a cybersecurity incident turns on what the compromised access could reach. The key facts are compromised credentials for a privileged IT administrator account, identified deficiencies in privileged access management, and management's statement that no financial data were altered. Option D most affects the assessment: if the privileged account could reach the applications and databases supporting financial reporting, the deficiency creates a reasonable possibility of an undetected misstatement, consistent with COSO's risk assessment principles. Option A is irrelevant because marketing website downtime does not affect ICFR. Option B is incorrect because plans to adopt a framework next year do not remediate the deficiency that existed during the period. Option C is wrong because a press release is disclosure, not evidence about controls. A transferable approach is to assess severity by determining the scope of the compromised account's access, the period between compromise and containment, and whether logging would have revealed changes to financial data, rather than accepting management's statement that none occurred. Auditors should apply professional skepticism to that statement and consider compensating controls, such as independent review of journal entries, when evaluating overall ICFR effectiveness.
An issuer is being audited under PCAOB standards, including internal control over financial reporting (ICFR). The company uses a third-party cloud platform to host its financial reporting applications, and the IT governance structure includes an IT steering committee that approves system changes and prioritizes IT projects affecting financial reporting. The auditor plans to test IT governance as part of understanding and testing entity-level controls that support ICFR. What is the most appropriate audit procedure for testing IT governance?
A. Inspect steering committee charters, meeting minutes, and evidence of oversight of financial reporting systems, and corroborate through inquiry of members and follow-up on escalated issues
B. Obtain a penetration test report and treat it as sufficient evidence that IT governance controls are operating effectively
C. Test only year-end journal entries because IT governance does not affect ICFR when a cloud provider is used
D. Rely exclusively on management’s representation letter that IT governance operated effectively throughout the year
Explanation
PCAOB AS 2201 requires the auditor to test entity-level controls, including IT governance, because their effectiveness affects the nature, timing, and extent of other ICFR testing. The key facts are a third-party cloud platform hosting the financial reporting applications and an IT steering committee that approves system changes and prioritizes IT projects affecting financial reporting. Option A is most appropriate: inspecting charters and meeting minutes, corroborating through inquiry of members, and following up on escalated issues provides evidence that the committee actually exercises oversight of the financial reporting systems. Option B is inadequate because a penetration test addresses technical vulnerabilities at a point in time, not whether governance operated throughout the period; COBIT treats governance as distinct from such assurance activities. Option C is wrong because, under AS 2601, using a service organization does not relieve the user entity of responsibility for controls over its financial reporting, and the committee's oversight of changes is one of those controls. Option D is incorrect because management representations alone are not sufficient appropriate evidence under AS 2805; they complement other procedures rather than replace them. A transferable decision rule is to trace governance activities to risk mitigation, for example following a change approved by the committee through to its implementation, within COSO's control environment component. Professional judgment should weigh the pervasiveness of governance controls in deciding how far other ICFR testing can be reduced.