
Information Technology General Controls

1. Logical and Physical Security
a. Is the computer network/computer system in a secure location? Are keys or pass codes necessary to enter IT areas?
b. Are passwords required for each user of the accounting software?
c. Has the client given consideration to whether user capabilities within the computer software are appropriately segregated (for example, an inventory clerk should not have access to the payroll pay rate master file)? If yes, how is that consideration documented?

Document observations made (physical layout and security of IT system, passwords used to enter systems):

2. Firewalls
a. Does the business use firewalls?
b. If yes, what types of firewalls are used (software and/or hardware)? Provide names of firewall devices.
c. Is the business aware of any penetrations of client data files in the last year? Is the client aware of any losses of data due to penetrations?

Document observations or inspections (physical firewall, firewall penetration reports):

3. Backups
a. How does the business back up its computer files?
b. Where are backups maintained?
c. If backups are maintained on site (in the location where the business operates), is the backup stored in a fireproof location?
d. How often are files backed up?

Document observations made (backup tapes, location of backups):

Created by Charles B. Hall, CPA, CFE, MAcc

4. Access to Code
a. Are the accounting software applications canned (off-the-shelf) programs or tailored programs (written for the business)?
b. Does anyone at the client's business have access to the written software code? If yes, can they change the code?

5. Testing Changes to Software (questions mainly for tailored software systems)
a. Does the client test software changes prior to loading them for active use?
b. Does the client maintain a log of all changes made to the software library?

Document observations or inspections made (log of changes made to software library, if any):

6. Maintenance of Computer System
a. Who is responsible for maintenance of the computer systems?
b. Does the client have backup computer system maintenance (should the primary person or company not be available)?

7. Accounting Software Programs

Application    Name of Program
1.
2.
3.
4.
5.

8. Outsourced Systems
If the client outsources components of its accounting system, describe the outsourcing and consider whether an SSAE 16 (service organization report) is needed:


Deficiencies Noted

Does it appear that there are any control deficiencies (see definitions below)? ___Yes ____No

If yes, then note control weaknesses on the Control Deficiency Comment and Management Point Development form (at 0153).

Control Deficiency. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. The communication of control deficiencies that are not considered significant deficiencies or material weaknesses can be either written or oral.

Significant Deficiency. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Material Weakness. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis. [As used in the SAS, a reasonable possibility exists when the likelihood of the event is either reasonably possible or probable as those terms are used in Statement of Financial Accounting Standards No. 5, Accounting for Contingencies (FASB ASC 450).]

If there are significant deficiencies in controls, then consider the weakness in developing your audit program for this area.

Disclaimer: This document has not been peer reviewed; user assumes all risks related to its use.

