The Sarbanes-Oxley (SOX) Act of 2002 makes the evaluation of internal controls mandatory for SEC registrants. As part of the process for assessing the effectiveness of internal controls over financial reporting, management needs to consider controls related to the information systems that support relevant financial processes. These controls are known, collectively, as information technology general controls (ITGCs). ITGCs are IT processes and activities that are performed within the IT environment and relate to how the applications and systems are developed, maintained, managed, secured, accessed, and operated.
The objectives of ITGCs are to provide the proper development and maintenance of applications, as well as the integrity of the supporting IT infrastructure, data files and computer operations. ITGCs provide a basis for relying on the reports and data from these applications as well as a basis for concluding that other configurable and non-configurable system behavior (also known as business process automated controls) continues to function over time.
SOX authorizes the Public Company Accounting Oversight Board (PCAOB) to perform inspections of public accounting firms to assess compliance with certain laws, rules, and professional standards. The PCAOB identifies deficiencies in public accounting firms’ procedures and quality and then publishes certain of these issues in inspection reports, which are available to the public. These issues stem from the lack of understanding in ITGCs and how to evaluate IT components of the internal control structure, as well as the impact of ITGCs on the overall internal control structure.
This publication provides an overview of the importance of IT in the internal control structure as well as the what to consider when evaluating ITGCs.
Click here to download this document.