Professional Documents
Culture Documents
11v5 IT General and Application Controls PDF
11v5 IT General and Application Controls PDF
“
the structural changes, the process change that concerns that the communication
the data, and the information (and, therefore, the business inside the organization is
process) during the period. For example, just checking the The internalization efficient and effective. Thus,
number and significance of program changes performed it is possible for an auditor
during the period is helpful. Therefore, outsourcing these
of ITGC/ITAC is an
to have a full understanding
control tests can create a gap of knowledge that is not always important path to of a company (as COBIT
immediately or easily remedied. the integration of recommends) only when an
enterprise has applied the
The IT Department—A Company Within the Company fundamental IT specific strategic alignment
”
From the issuance of a client order, accounts payable (AP) governance knowledge between IT and business.
and wire transfers to suppliers and payroll, all company It is the risk of failure
within corporate assets.
processes move through the structure and substance of the in strategically aligning
information data. IT and business that is
An IT department can be defined as a company within the actually under scope within ITGC/ITAC, and it is through
company. The IT department usually has its own portfolio the operational infrastructure that one can actually “feel” the
of suppliers and customers (generally subsidiaries, branches company beat and seize its tone and culture. The veracity of
or even single departments of the holding company itself), strategic alignment is, therefore, established according to a
which, of course, rarely coincide with the suppliers and clients top-down approach. If the understanding of the company
of the holding company as a whole. For example, the finance passes through the information infrastructure (that is, the box
department can become a “customer” of the IT department that conceptually contains the company), an enterprise can be
Financial Statement
Financial Assertions:
1. Accuracy—A
2. Completeness—C
P=Process 3. Cut-off—CO
4. Existence—E/O
P n= Cycle 5. Occurence—E/O
6. Classification—P/D
7. Understandability—P/D
8. Rights and obligations—RO
P1 X X X
X
X
9. Valuation and allocation—V
P2 X X X As indicated in ISA500.15.
Source: Guess Europe, “ITGC & ITAC at Guess Europe Group: FY2010, July 2010,” Switzerland, 2010
fairly assured that the business processes that go through the with immediately visible benefits in the form of an annual
corporate network have a chance to be concretely realized. If audit plan that is strategically built on a fully integrated
the understanding of the company does not pass through the understanding of risk.
information infrastructure, it is probable that the entire business During an audit plan, the auditor needs to verify that
processes and relative risks cannot be understood completely. internal controls are effective to assure stakeholders of
ITGC/ITAC provide value immediately in terms of the true and fair representation of the financial statement.
IT governance knowledge and the maturity model of the Figure 1 depicts that, although the financial statement has its
processes that the auditor has to test. Furthermore, testing financial measurements and evaluations as financial assertions
ITGC/ITAC gives the enterprise the chance to assimilate externally, within the company all data come out of the
fundamental requirements on controls and related risk, process cycles of the company. The company is a group of
creating added value and knowledge on IT governance. business units crossed by processes; summaries of processes
It can be said that the internalization of ITGC/ITAC can create process cycles. With ITGC, the auditor tests the
is an important path to the integration of fundamental processes related to the MIS department, which is a business
IT governance knowledge within corporate assets. The unit that supports all business units and processes. For this
development of synergies between corporate governance reason, ITGC are reliable for other processes and audits.
and IT governance creates the opportunity to discover an ITAC concern processes and, with US Sarbanes-Oxley Act
interesting map of risks, and obviously, these synergies are test controls, give evaluations of the validity of the controls on
applicable only within the company. This is an incredible process cycles. The controls are implemented by management
opportunity for the auditor to use rigorously during the to cover the risks identified by the company. To have a good
audit cycle. This renewed awareness will provide companies knowledge and evaluation of all the risks, it is necessary to
ISACA JOURNAL VOLUME 5, 2011 3
test IT governance through ITGC/ITAC and, then, through
the business processes. The most in-depth audit concerns IT
controls; performing this audit correctly enables enterprises
to see more easily the interconnections of business processes
and the related risks. The sequence of ITGC/ITAC and other
audits is qualified and improves the audit quality when a
systemic and methodological approach is followed when Sam is an avid runner.
performing audits.
Sam is an IT professional.
Conclusion
Implementing in-house ITGC/ITAC is a great opportunity Sam is overwhelmed.
for auditors to improve their knowledge of the company,
and for the company, it is a chance to build IT governance Sam wants flexibility.
that strengthens corporate governance. The internalization
of ITGC/ITAC is an important path to the integration of
fundamental IT governance knowledge within corporate
Sam wants more.
assets, and it allows the auditor to become a proficient
catalyst of knowledge. This is especially true when the auditor
follows the entire audit process, including the basic and
important evaluation of IT controls. There are no particular
reasons to outsource IT controls except for the lack of
knowledge or expertise. However, every cloud has a silver
lining, and internalization of knowledge, in this case, could be
an investment in increased professionalism rather than in not-
so-proficient outsourcing.
References
Sam discovered
ISACA, CISA® Review Manual 2010, USA, 2010 ISACA’s eLearning
ISACA, IT Governance Implementation Guide: Using
COBIT® and Val IT, 2nd Edition, USA, 2007
IT Governance Institute (ITGI), COBIT ® Control Practices,
2nd Edition, USA, 2007
ITGI, IT Assurance Guide: Using COBIT ®, USA, 2007 www.isaca.org/elearning-journal
ITGI, IT Control Objectives for Sarbanes-Oxley, 2 Edition,
nd
USA, 2006
Flexibility . . . Knowledge . . . Growth
KPMG; Geneva & Universität Zürich Institut für
Rechnungswesen und Controlling “Objectifs de Contrôle Pour
l’Information et les Technologies Associées (COBIT),” 2005
Laudon, Ken; Jane Laudon; Management of Information
Systems, Prentice Hall, USA, 2006
Leleu, Eric; “Le COBIT: L’état de l’Art, Socle de la
Gouvernance des SI,” January 2009,
http://home.nordnet.fr/~ericleleu/cours/cobit/cobit.pdf