(IT Audit class) In general, this assignment will help you identify how general IT controls might relate to a specific financial statement item. Consider a control “monthly review of budget vs. actual for overhead expenditures” as you answer this question. See the second page for a bit more information to help you think this through.
How would a monthly review of budget vs. actual for overhead expenditures work?
Once a month, a manager runs an overhead report, budget vs. actual. On this report you would expect to find:
Various expenditure categories listed such as Payroll, Utilities, Routine Maintenance, and other costs that would be considered overhead rather than costs related to sales, production, or delivery of services
For each category it would report:
A list of the expenditures during the month in each category
A total for expenditures for the month and the corresponding budget amount
YTD budget and actual amounts
Annual budget amounts
The manager would review the report:
Are there budget variances? (spending significantly above or below budget)
Do the payments look reasonable? (reasonable amounts to appropriate vendors)
The manager is supposed to:
Be sufficiently knowledgeable to know if the payments are reasonable
Take due care in reviewing the report
Take action as appropriate
How might this control activity be verified?
Running of the report can be verified (is it emailed? run by request? Are report requests logged?)
Items deserving of action can be identified (over-budget items, new vendors, out-of-pattern amounts)
Follow-up action can be verified (Initials? Memos? Emails?)
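The verification steps above can be re-performed independently of the manager's review. The following is an added example, not part of the original assignment: the sample data, the 10% variance threshold, and the "more than twice the vendor's median prior payment" rule are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the assignment).
BUDGET = {"Payroll": 50000.0, "Utilities": 4000.0, "Routine Maintenance": 3000.0}
# Prior-month payments per vendor, used as the "pattern" baseline.
HISTORY = {
    "PayCo": [49800.0, 50100.0, 50050.0],
    "City Power": [1900.0, 2100.0, 2000.0],
    "City Water": [1500.0, 1450.0, 1550.0],
    "FixIt Ltd": [2800.0, 3100.0, 2900.0],
}
# This month's payments: (category, vendor, amount).
MONTH = [
    ("Payroll", "PayCo", 50200.0),
    ("Utilities", "City Power", 5200.0),
    ("Utilities", "City Water", 1500.0),
    ("Routine Maintenance", "FixIt Ltd", 1200.0),
    ("Routine Maintenance", "QuickRepair LLC", 900.0),
]

def flag_items(month, budget, history, variance_pct=0.10, pattern_factor=2.0):
    """Return the items a reviewer would be expected to follow up on."""
    actual = defaultdict(float)
    for category, _vendor, amount in month:
        actual[category] += amount
    # Budget variance: spending significantly above OR below budget.
    variances = {}
    for category, planned in budget.items():
        pct = (actual[category] - planned) / planned
        if abs(pct) > variance_pct:  # assumed threshold
            variances[category] = round(pct, 3)
    # New vendors: paid this month, never paid in the baseline.
    new_vendors = sorted({v for _c, v, _a in month if v not in history})
    # Out-of-pattern: payment far above the vendor's median prior payment.
    out_of_pattern = [
        (v, a) for _c, v, a in month
        if v in history and a > pattern_factor * median(history[v])
    ]
    return {"variances": variances, "new_vendors": new_vendors,
            "out_of_pattern": out_of_pattern}

def unreviewed(flags, follow_ups):
    """Flagged names with no recorded follow-up (initials, memo, email)."""
    names = set(flags["variances"]) | set(flags["new_vendors"])
    names |= {v for v, _a in flags["out_of_pattern"]}
    return sorted(names - set(follow_ups))
```

Comparing the output of `unreviewed` with the follow-up evidence on file shows which flagged items have no documented action.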
Identity and Access Management:
Report logging and email are tracked based on the user ID of the logged-in user.
User IDs are issued by the card center.
Rights to change the amounts to budget accounts and rights to change budgets are authorized based on user ID
Policies and computerized rules require strong passwords and annual password resets
Database Management Controls:
The AP system accesses the underlying database using a service account; the service account password is stored in a password management system and automatically and regularly changed
Direct access to the MS-SQL database and database server used by the AP system is limited to a few Database Administrators
Any updates to data made by privileged users (database administrators) are separately logged
The servers that run the database software are regularly patched with security updates
Changes to the software are controlled:
New versions and configuration changes are, by policy, tested before updates are applied to the production system
Configuration changes are logged and the change logs are reviewed
Only select individuals, who are not the ones who make the changes, are allowed to ‘migrate’ changes from the test environment into the production environment; migrations are logged
Differences between the production and test environment are noted in a nightly report
1. Budget vs. Actual reporting is important to help an organization meet its objectives as per the definition of Internal Control even apart from any potential impact on financial reporting. Profitability goals matter for internal control. Does this mean that an auditor is interested in this control apart from its financial reporting implications? Briefly discuss.
2. Explain (a couple of sentences at most) how database management controls could impact the effectiveness of this control.