The IT Governance Institute on IT Controls
“The PCAOB standard includes specific requirements for auditors to understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed and reported. Such transactions’ flows commonly involve the use of application systems for automating processes and supporting high volume and complex transaction processing. The reliability of these application systems is in turn reliant upon various IT support systems, including networks, databases, operating systems and more. Collectively, they define the IT systems that are involved in the financial reporting process and, as a result, should be considered in the design and evaluation of internal control.
The PCAOB suggests that these IT controls have a pervasive effect on the achievement of many control objectives. They also provide guidance on the controls that should be considered in evaluating an organization’s internal control, including program development, program changes, computer operations, and access to programs and data. While general in nature, these PCAOB principles provide direction on where SEC registrants likely should focus their efforts to determine whether specific IT controls over transactions are properly designed and operating effectively.
This document discusses the IT control objectives that might be considered for assessing internal controls, as required by the Act. The appendices of this document provide control examples that link PCAOB principles, including their relationship to internal control over financial reporting. To support implementation and assessment activities, illustrative control activities and tests of controls are provided in the appendices.”
Thoughts, Comments, and Official Opinions
- Excerpt on control frameworks from Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports.
- SEC Chairman Comments on Compliance
- Why you need both an Accounting and an IT framework
- ITGI’s “IT Control Objectives for Sarbanes-Oxley” (updated)