Evaluate IT General Controls (ITGCs)


Questions 1 - 10
1

An auditor determines that an organization's program change controls are ineffective - developers can directly modify production code without authorization. What is the most significant implication for the financial statement audit?

The auditor must test all input controls manually.

Automated application controls in the affected systems cannot be relied upon, requiring the auditor to perform additional substantive procedures.

The organization must restate its financial statements for the prior year.

The auditor must issue an adverse opinion on the financial statements.

Explanation

Ineffective change controls mean automated controls could have been altered without authorization - the auditor cannot rely on them and must compensate with increased substantive testing. Answer C is correct. Input control testing (A) does not fully compensate. Prior year restatement (B) is not automatic. An adverse opinion (D) is not required solely due to ITGC weaknesses.

2

Which of the following is an example of a computer operations control?

Restricting database access to authorized personnel only.

Monitoring job scheduling to ensure batch processes run at their scheduled times and investigating failures promptly.

Reviewing the design specifications for a new financial application before development begins.

Requiring manager approval before deploying code changes to production.

Explanation

Computer operations controls govern the day-to-day operation of IT systems - job scheduling, batch monitoring, operations logs, and incident response. Answer D is correct. Deployment approval (A) is a change control. Database access restriction (B) is a logical access control. Design review (C) is a program development control.

3

When evaluating the design of ITGCs, an auditor finds that the organization has no formal segregation of duties between developers and production system administrators. The most significant risk is:

Production administrators may not understand the business requirements for system changes.

The development team may not have adequate technical skills.

Developers could make unauthorized changes directly to production systems without detection, undermining both change management and automated application controls.

The organization may not comply with IT governance best practices.

Explanation

Without segregation between development and production, developers can implement unauthorized code directly in production - a fundamental ITGC control failure that compromises all downstream application controls. Answer C is correct. Technical skills (A), business requirements (B), and best practice compliance (D) are secondary concerns compared to the unauthorized change risk.

4

An auditor is evaluating ITGCs for a company subject to SOX Section 404. The auditor selects a sample of user account provisioning and termination events. For each sampled event, the auditor verifies that access was granted only to appropriate roles and terminated promptly. This procedure tests which ITGC?

Program change controls - confirming that account changes were authorized through the change management process.

Logical access controls - specifically the provisioning and deprovisioning process for user accounts.

Computer operations controls - confirming that system administrators managed user accounts correctly.

Program development controls - confirming that the user provisioning system was properly developed.

Explanation

Testing the provisioning and deprovisioning of user accounts is directly testing logical access controls - the ITGC category governing who has access to systems and how access rights are managed. Answer A is correct. Account management is access control (A), not change management (B), operations (C), or development (D).

5

During an ITGC assessment, an auditor finds that the organization's production database has 47 active user accounts belonging to former employees. The most appropriate audit finding is:

A computer operations control deficiency - former employee accounts affect system performance.

A program change control deficiency - account deactivation was not implemented as a change.

A program development control deficiency - the user provisioning system was not properly developed.

A logical access control deficiency - terminated employee accounts were not promptly deactivated, creating risk of unauthorized access by former employees.

Explanation

Active accounts belonging to terminated employees constitute a logical access control deficiency - the offboarding process failed to revoke access, creating unauthorized access risk. Answer D is correct. This is not an operations (A), development (B), or change control (C) issue.

6

Which of the following best describes the relationship between ITGCs and automated application controls?

Strong automated application controls can fully compensate for weak ITGCs.

Automated application controls are more important than ITGCs for financial reporting purposes.

ITGCs provide the foundation for automated application controls - if ITGCs are effective, auditors can place greater reliance on automated controls without additional testing.

ITGCs and automated application controls are independent - the effectiveness of one does not affect the other.

Explanation

Effective ITGCs (especially change controls and access controls) provide assurance that automated application controls have not been tampered with, enabling greater reliance. Weak ITGCs undermine automated control reliability. Answer B is correct. They are interdependent (A). ITGCs underpin application controls (C). Weak ITGCs cannot be fully compensated by strong automated controls (D).

7

When evaluating ITGCs for a cloud-hosted financial system, which of the following additional considerations is unique to the cloud environment?

Whether the organization has an IT steering committee that reviews IT investments.

Whether the cloud provider's own ITGCs are adequate, typically assessed through a SOC 1 Type II report covering the provider's relevant controls.

Whether the organization's disaster recovery plan covers the financial system.

Whether the system's automated application controls are properly designed.

Explanation

Cloud environments introduce a shared responsibility model - the organization must assess whether the cloud provider's ITGCs (infrastructure access, change management, operations) are effective, typically through a SOC 1 Type II report. Answer C is correct. IT steering committees (A) and DR plans (B) apply to all environments. Application control design (D) is not cloud-specific.

8

An auditor tests ITGC operating effectiveness by selecting a sample of change tickets from throughout the year and testing each for evidence of authorization, testing, and deployment segregation. The sample includes changes from all four quarters. Why is a sample covering the full year important?

It reduces the time required to complete ITGC testing.

It allows the auditor to calculate a statistically precise error rate.

It ensures the sample includes both major and minor changes.

It provides evidence that controls operated consistently throughout the financial reporting period, not just at the time of testing.

Explanation

For ITGCs supporting financial reporting, controls must have operated throughout the period under audit - a sample covering all quarters provides evidence of consistent operation, not just point-in-time compliance. Answer D is correct. Statistical precision (A), change size coverage (B), and time reduction (C) are not the primary reason for full-year sampling.

9

Which of the following represents a program development control?

Reviewing and approving user access requests based on job function.

Documenting system design specifications, conducting code reviews, and requiring user acceptance testing before any new application goes live.

Monitoring batch job logs for failures and investigating them promptly.

Requiring two approvers for all production deployments.

Explanation

Program development controls govern the lifecycle of new system development - design documentation, code reviews, and UAT ensure new systems are built correctly and work as intended before production deployment. Answer B is correct. Deployment approvals (A) are change controls. Batch monitoring (C) is operations. Access approval (D) is logical access.

10

An organization relies on a single IT administrator who has full administrative rights to all production systems, performs all deployments, manages user access, and responds to all incidents. From an ITGC perspective, the primary concern is:

A complete lack of segregation of duties - one person controls all aspects of the IT environment, creating unlimited opportunity for unauthorized changes or fraud without detection.

The administrator may lack the technical expertise to manage all these functions.

The organization is non-compliant with IT infrastructure best practices.

The administrator may become overwhelmed and cause performance issues.

Explanation

One person controlling all IT functions - access, changes, deployments, and operations - eliminates all segregation of duties and any possibility of independent check, representing a critical ITGC deficiency. Answer A is correct. Technical skills (B), best practices (C), and workload (D) are secondary concerns.
