Building an IT General Control evaluation model for certified public accountants (CPAs) under enterprise risk management

Article code | Year of publication | Length of the English article
---|---|---
745 | 2011 | 10 pages (PDF)

Publisher : Elsevier - Science Direct
Journal : Decision Support Systems, Volume 50, Issue 4, March 2011, Pages 692–701

English abstract
The purpose of this study is to build the evaluation model of the Information Technology General Control (ITGC) for the certified public accountants (CPAs) under an Enterprise Risk Management (ERM) — Integrated Framework. First, this study investigates and sorts out the control objectives of ITGC over financial reporting under ERM. The control objectives were prioritized by Analytic Hierarchy Process (AHP) and then, the ITGC evaluation model was constructed accordingly. Finally, the study utilizes the case study approach to verify the CPAs' acceptance for the evaluation model of ITGC. According to case study and post hoc confirmations conducted with two experts, the evaluation model can be accepted by CPAs and employed to enhance the efficiency of ITGC assessment for CPAs to meet the challenges in a dynamic information technology environment.
English introduction
Recently, the essential tasks in the financial reporting process are mainly performed and supported by information technology (IT). In order to ensure reliable financial reporting, more and more companies emphasize the use and development of effective IT control in this dynamic environment. If a firm employs weak internal control, managers can easily override the imposed controls to manipulate or bias accrual estimates at the expense of stakeholders [5]. This situation has created a unique challenge for auditors. Sarbanes–Oxley Act Section 404 (SOX 404 hereafter) requires independent auditors to attest whether appropriate and effective IT control over financial reporting is in place in the company. Consequently, foreign private issuers who want to be listed in the US are required to establish corresponding accounting policies and control procedures to comply with SOX 404 [44]. In addition, after SOX emerged, other countries such as Australia, Germany and Japan also developed their own regulations for corporate reporting and related disclosure laws [8], [12] and [39]. The Statement on Auditing Standards (SAS) No. 94 [6] declared that auditors must take into account the importance of IT processes and relevant controls in preparing the financial statements. In summary, auditors have the responsibility to provide assurance on the effectiveness of the IT control established by the company. In general, audit risk is composed of three parts: inherent risk, control risk and detection risk. If the auditor has evidence demonstrating that internal control is well designed and operating effectively in the entity, the risk of material misstatement may be mitigated. To reduce audit risk in the IT environment, the auditor should have a clear and thorough understanding of IT control.
Since IT General Control (ITGC) supports application processing, it is important that ITGC works well in the context of IT control. Even if ITGC may not directly influence a financial statement, it has an impact on the consistency and effectiveness of financial applications in all systems. Auditing Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) [41] noted that the adoption of IT automated applications may help increase audit efficiency when ITGC is effective. To fulfill SOX 404 compliance, it is important for auditors to select and implement a suitable internal control framework to assess IT control. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a report entitled “Internal Control — Integrated Framework” [10] which has been highly recommended for companies, auditors, regulatory agencies and educational institutions. After extending and refining the original concept of risk analysis, COSO released “Enterprise Risk Management (ERM) — Integrated Framework” in 2004. ERM, a comprehensive and systematic framework for internal control, can help firms and organizations evaluate and respond to the risks that may influence their strategies and targets [11]. However, COSO does not provide supplemental criteria defining the requirements for such IT control objectives and related activities [36]. On the other hand, when auditors perform the assessment of ITGC, they usually use qualitative levels such as “High”, “Moderate”, and “Low” to assess IT control risk based on their professional judgment and experience. Inexperienced auditors, however, may fail to measure the degree of risk precisely [23]. Hence, how to build a quantitative evaluation model that helps auditors assess ITGC objectively is critical, and it is the main research question of this study. There are three research objectives in this study.
Firstly, this study sorts out the objectives of ITGC based on an ERM framework. Secondly, this study employs the Analytic Hierarchy Process (AHP) technique to analyze and rank the priority of the control objectives and to construct a quantitative ITGC evaluation model. Finally, based on available data, the acceptance of the evaluation model by CPAs is verified by conducting a case study and post hoc confirmation. The rest of this article is divided into four sections. Section 2 describes the background of IT security, IT control, COSO-ERM, and auditors' responsibility in internal control. Section 3 discusses the AHP methodology. Section 4 introduces the research procedures and then covers the development and verification of the evaluation model through both the quantitative AHP analysis and the qualitative case-study support. Finally, the last section concludes the paper.
English conclusion
Nowadays, IT control assessment is increasingly emphasized by CPAs since more and more companies use IT to generate financial reports. ITGC is relatively important because it supports application processing, and it may even influence financial statements and/or specific accounts. However, SOX 404 does not require any specific framework when auditors assess and report annually on the effectiveness of internal control over financial reporting. This study developed a four-level hierarchy of ITGC objectives under ERM for independent auditors to report on the effectiveness of internal control over financial reporting, and constructed the quantitative ITGC evaluation model by employing AHP. After analyzing the priority of the ITGC objectives, this study finds that the item “Activity-level IT Control” is more important than the item “Entity-level IT Control” in the ITGC. This result means that auditors would pay more attention to activity-level control. Within Activity-level IT Control, “Deliver and Support” is the most important objective, which indicates that auditors put more emphasis on whether the entity is able to use its information systems effectively and safely. Within Entity-level IT Control, “Monitoring” is the most important objective, which shows that internal control through continuous and point-in-time assessment processes performed by management is becoming increasingly important for implementing IT governance. By ranking the overall objectives of ITGC, the top five objectives for auditors evaluating ITGC are “End-User Computing”, “Manage Data”, “Enable Operations and Use”, “Define IT Process, Organization and Relationships”, and “Manage Quality”, respectively. End-User Computing is by far the most crucial objective, since users are not easy to control and can more easily move outside the boundary of managerial influence; hence, users may pose the greatest risk in these circumstances.
This item contains two aspects for checking (spreadsheets and other user-developed programs), which are documented and regularly reviewed so that results are reported precisely. Moreover, user-developed systems and data are regularly backed up and stored in a secure manner. User-developed systems need to be protected from unauthorized access. Hence, while auditors evaluate a firm's end-user computing, they need to perform evaluation activities such as obtaining the End-User Computing policies and procedures; confirming that security and processing integrity controls are performed; selecting users and inquiring whether they understand the policy and comply with it; reviewing user-developed systems; testing their ability to sort, summarize and report appropriately; inquiring how end-user systems are backed up and where they are stored; selecting a sample of user-developed systems; and determining whether or not unauthorized users can gain access. Apart from prioritizing, the model has several applications. The first is that the ITGC evaluation model provides objectives under ERM and incorporates the concept of risk management. Thus, auditors can follow this framework to mitigate audit risk when they assess ITGC and plan the level of substantive tests (including the nature, timing, extent, and staffing of tests) required in performing the audit. The framework, on the other hand, can also help management verify the effectiveness of their compliance with SOX 404 and other government/state regulations for IT governance. The other application comes from the fact that it is a quantitative ITGC evaluation model. Thus, the model helps auditors assess IT control risk more precisely than traditional qualitative assessment. Furthermore, the result of the top five weighted ITGC objectives provides junior or inexperienced auditors with an important and useful reference for performing their jobs.
5.1. Managerial implications
After SOX 404 was enacted, the responsibility of CPAs for attesting the effectiveness of internal control for their clients has been clearly regulated. Within the changing information technology environment, auditors must have a good understanding of internal control and information security. If the auditor does not have a clear understanding, the audit work may be full of uncertainty and risk. This study constructs an assessment model based on ERM and COBIT which can help auditors evaluate the effectiveness of ITGC. Moreover, the results provide substantial help for auditors in deciding their audit strategy and audit program in order to detect weaknesses in internal control. Overall, the assessment model can enhance the efficiency of evaluating ITGC and mitigate audit risk for auditors. In practice, auditors traditionally use qualitative levels to assess IT control risk based on their professional judgment and experience when performing the assessment of ITGC. When junior or inexperienced auditors have insufficient experience to perform such work, they may fail to measure the risk of ITGC precisely. Through the use of the model provided by this study, senior auditors are able to assess an organization quantitatively and leave the results as a reference for junior auditors, who can then assess the ITGC more efficiently.
5.2. Limitations and future research
This study can have two limitations. First, these ITGC objectives under the ERM framework may not be suitable for some industries and certain types of information systems utilization, so auditors may amend or delete some control objectives to fit specific circumstances. ITGI [25] also indicates that each organization must carefully take into account the adequate IT control objectives as necessary according to its own specific circumstances. One organization may decide not to include all the control objectives mentioned in COBIT.
Meanwhile, it may consider others which are not discussed in COBIT. Similarly, the descriptions of control objectives, illustrative controls, and illustrative tests of controls listed in COBIT may need to be modified to reflect the specific characteristics of a certain industry or entity. In the proposed framework of this study, for instance, service industry and virtual-team project-based companies may emphasize the control objective “manage project”, which is not included in this evaluation model. Because of additional government regulation, the financial sector needs to add more control items to the framework. Furthermore, for Internet-based companies such as Google, “manage performance and capacity” may be considered a crucial control item. Secondly, although this study used a representative case to construct an innovative and effective ITGC evaluation model, our detailed assessment results should be cited carefully for the purpose of comparison. Thirdly, this evaluation model can be used to judge the degree of ITGC as high, moderate, or low based on the total score calculated. Even when total scores lie close to a level boundary, auditors can professionally use the result produced by our model to judge a client's ITGC. For instance, two companies assessed with scores of 35 and 65 are both identified as having moderate reliability by this evaluation model; however, auditors can differentiate the ITGC degree of these two companies by their professional judgment. In addition, even when a high total ITGC score catches the eye, the auditor must also check whether control items with extremely low or zero scores pose a serious risk to the company. There are some directions for future research.
First, since the ITGC evaluation model is based on the higher level of risk evaluation under ERM, future research can verify the current detailed objectives or even add more specific detailed objectives to tailor the assessment to different industries and information systems (e.g. SAP, Oracle, and JDE). Secondly, future research can develop more interactive and more user-friendly application programs for the ITGC evaluation model. Finally, it may be possible for CPAs to conduct more case studies in other industries, and then use the results to construct a norm database for the evaluation model that establishes industry best-practice examples.