COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives.
The following points of focus highlight important characteristics relating to the principle:
- Determines Dependency between the Use of Technology in Business Processes and Technology General Controls—Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
- Establishes Relevant Technology Infrastructure Control Activities—Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
- Establishes Relevant Security Management Process Control Activities—Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity's assets from external threats.
- Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities—Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives.
Points of focus illustrated: Determines Dependency between the Use of Technology in Business Processes and Technology General Controls.
Management documents the underlying technology that supports control activities in risk and control matrices, flow charts, or narratives. Using this information, management can document the linkage between control activities and technology. Management should understand which aspects of technology (infrastructure, security, technology acquisition, development, and maintenance processes) are important to the continued, proper operation of the technology and any associated automated controls. Management also develops an understanding of how various applications and technologies interface with each other.
A global publicly traded information services organization, Signal Corp., recently acquired a privately held newspaper chain. During the due diligence process, Signal Corp. determined that the management of the newspaper chain did not have a good understanding of which applications were critical to the integrity and reliability of its financial information. To assess this linkage, the internal audit department of Signal Corp. performed a walkthrough of each of the newspaper chain's significant financial processes and documented in a process flow diagram all the applications that supported these processes. These included the automated controls and any controls that depended on system-generated reports.
The walkthrough covered each major class of transactions. The internal audit team asked the relevant personnel of the newspaper chain about all significant aspects of the process.
Points of focus illustrated: Determines Dependency between the Use of Technology in Business Processes and Technology General Controls; Establishes Relevant Technology Infrastructure Control Activities; Establishes Relevant Security Management Process Control Activities; Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities.
Management understands the use of end-user computing, which includes spreadsheets, that supports its financially significant processes and associated control activities. Management assesses the risks of a misstatement resulting from an error in one of these end-user computing applications. Based on the level of risk, management selects and develops general control activities over the technology covering the relevant processes over:
- Technology infrastructure
- Security management
- End-user computing development and maintenance
- Completeness and accuracy controls between the end-user computing system and other systems
For high-risk end-user computing applications, management considers converting to an IT-supported application.
Smythe & Smythe International recently evaluated the use of spreadsheets in its financial close process. In doing so, it identified that the spreadsheets supporting the calculation of LIFO (last-in, first-out) adjustment and the fair values of goodwill, intangible assets, and debt were of high risk, based on their susceptibility to error and significance to the financial statements.
Smythe & Smythe also classified the spreadsheets as high in complexity because they included the use of macros and multiple supporting spreadsheets to which cells and values were interlinked. The spreadsheets were used either as the basis for journal entries into the general ledger (LIFO reserve) or as financial statement disclosures (fair value of goodwill, intangible assets, and debt).
The company considered the security, maintenance, and update risks of the spreadsheets and then selected and developed the following control activities: fn 19
- Input Control—Input data is reconciled to source documentation to cover its completeness and accuracy.
- Access Control—File-level access to the spreadsheets on a central server is limited to approved users, and a password is required to access the LIFO reserve spreadsheet.
- Version Control—Standard naming conventions and directory structures are in place so only current and approved versions of the spreadsheets are used.
- Calculation Testing—When changes to formulas are made, they are tested against a manual calculation for accuracy. All spreadsheet formulas are checked for accuracy at least once a year.
- Overall Analytics—Analytical business process reviews using pre-established thresholds based on operating income and working capital function as a detective control to find errors in any of the spreadsheets.
Points of focus illustrated: Determines Dependency between the Use of Technology in Business Processes and Technology General Controls; Establishes Relevant Technology Infrastructure Control Activities; Establishes Relevant Security Management Process Control Activities; Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities.
Management outsources certain aspects of its IT infrastructure to an outside service provider, which may or may not have a "report on controls at a service organization" following an appropriate local or international standard. If a report is available, management uses it to determine what financially significant IT processes are covered, whether appropriate controls are in place at the service organization, and what controls are required in its own organization to mitigate risks to external financial reporting to an acceptable level.
If an appropriate report does not exist, management uses internal resources (e.g., internal audit) to review the controls at the third party, verifying that the combination of the company's controls and those at the service organization mitigate risks to external financial reporting to an acceptable level.
E-Book Frontier, a retailer of electronic books, has outsourced its enterprise resource planning (ERP) application to a cloud-based service provider (CSP). To prepare for its initial public offering, the company began to develop and implement a system of internal control in support of its anticipated external financial reporting objectives. E-Book Frontier uses the ERP application to support its revenue, inventory, purchasing, and payables processes, so it supports a number of financial statement line items and their associated assertions.
To that end, the management of E-Book Frontier assessed the risks associated with the business processes outsourced to the ERP cloud service provider and determined a number of control activities and information requirements that needed to be addressed. E-Book Frontier management obtained a Statement on Standards for Attestation Engagements (SSAE) No. 16 (SOC 1) report on internal controls prepared by a third-party service auditor. As part of developing and deploying internal controls across the end-to-end business processes managed in part by the CSP, E-Book Frontier incorporated the review of the audit report as a control activity. In performing its review, management noted the following:
- The scope of the report included certain application controls and technology general controls that were evaluated for both design and operating effectiveness. The controls relating to the customized configuration for the organization were not addressed in the service auditor's report. Management evaluated the impacted business process and related financial reporting risks and selected and developed additional actions and control activities to address these risks.
- The tests of controls covered a time period that correlated with ten months of the company's fiscal year, resulting in a gap of the last two months. Based on management's analysis of the relevance and risk of the related controls, E-Book Frontier determined that corroborative inquiry with the CSP would be adequate for the gap period. To evaluate the continued operation of the CSP controls, management interviewed key CSP personnel to assess whether any changes in the controls or known failures had occurred since the date of the report.
Management reviewed the results of the tests of controls and the service auditor's opinion on the operating effectiveness of the controls to determine whether each control objective was achieved. Two exceptions were noted in the report, and management reviewed the additional information related to these that was provided by the CSP in the unaudited portion of the report. They concluded that one exception was not relevant to their organization. For the second exception, additional procedures were needed.
The second exception related to evidence of customer approval of program changes; management evaluated the sufficiency of E-Book Frontier's controls over approval of changes requested to be performed by the CSP. In addition, it requested a report of all changes for the past six months from the CSP and verified that the report of all changes was complete and accurate. It then compared the list of changes and noted no variances from its internal records.
Based on these additional procedures, management concluded that the exceptions did not result in a deficiency of their system of internal control.
Points of focus illustrated: Establishes Relevant Security Management Process Control Activities.
The applications, databases, operating systems, and networks that support financially significant processes are configured to support restricted access to financial applications and data consistent with the organization's policies and procedures. The configuration includes a means to authenticate users or systems and enforce restricted access, as well as key parameters, such as minimum password length and the aging of passwords.
Woodlawn Wireless Telecommunications, which has a number of applications critical to its financial reporting process, was recently cited for poor infrastructure security controls by its internal audit group. Specifically, the setup of key security parameters, such as password length and complexity, was not consistently applied across these applications, and in many cases they were below industry standards for good practices. To correct the situation, Woodlawn developed a four-step approach:
- Create a three-tier risk rating of the importance of an application and its data to the reliability of the financial-reporting process.
- Develop policies for the settings of key security parameters for all financially relevant technology in use at the company for each risk rating level.
- Assess the importance of each application and its associated infrastructure to the reliability of financial reporting and assign it a risk rating.
- Implement procedures to put in place and monitor compliance with the policies for each application consistent with its associated rating.
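The fourth step of the Woodlawn approach, monitoring each application's security parameters against the policy for its risk rating, is the one that lends itself to automation. The following is an added example written for this page; it is not COSO's material or Woodlawn's procedure. The three tiers, the parameter thresholds, and the three applications in the inventory are all constructed for illustration, as is the rule that a parameter that was never configured counts as a finding rather than as silent compliance.

```python
"""Added example: checking configured security parameters against a
three-tier, risk-rated policy. Tiers, thresholds and applications are
constructed for illustration and are not from the COSO text."""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class ParameterPolicy:
    """Minimum settings required for one risk rating (hypothetical values)."""
    min_password_length: int
    max_password_age_days: int   # passwords must expire at least this often
    require_complexity: bool
    max_failed_logins: int       # lockout threshold must be this or lower


# Tier 1 = most important to financial reporting. Thresholds are illustrative.
POLICY_BY_TIER: Dict[int, ParameterPolicy] = {
    1: ParameterPolicy(min_password_length=14, max_password_age_days=60,
                       require_complexity=True, max_failed_logins=5),
    2: ParameterPolicy(min_password_length=12, max_password_age_days=90,
                       require_complexity=True, max_failed_logins=10),
    3: ParameterPolicy(min_password_length=8, max_password_age_days=180,
                       require_complexity=False, max_failed_logins=10),
}


@dataclass(frozen=True)
class Finding:
    application: str
    parameter: str
    expected: Any
    actual: Any   # None means the parameter is not configured at all


def assess_application(name: str, tier: int, settings: Dict[str, Any]) -> List[Finding]:
    """Compare one application's configured parameters with its tier's policy."""
    policy = POLICY_BY_TIER[tier]
    # (parameter, required value, predicate "actual satisfies required")
    rules = [
        ("min_password_length", policy.min_password_length, lambda a, r: a >= r),
        ("max_password_age_days", policy.max_password_age_days, lambda a, r: a <= r),
        ("require_complexity", policy.require_complexity, lambda a, r: a or not r),
        ("max_failed_logins", policy.max_failed_logins, lambda a, r: a <= r),
    ]
    findings: List[Finding] = []
    for parameter, required, satisfied in rules:
        actual = settings.get(parameter)
        # An unset parameter is reported: "not configured" is not compliance.
        if actual is None or not satisfied(actual, required):
            findings.append(Finding(name, parameter, required, actual))
    return findings


def assess_estate(inventory: List[Dict[str, Any]]) -> List[Finding]:
    """Run the policy check over every application in the rated inventory."""
    findings: List[Finding] = []
    for app in inventory:
        findings.extend(assess_application(app["name"], app["tier"], app["settings"]))
    return findings


# Constructed inventory: hypothetical applications with assigned risk ratings.
SAMPLE_INVENTORY = [
    {"name": "general-ledger", "tier": 1,
     "settings": {"min_password_length": 12, "max_password_age_days": 60,
                  "require_complexity": True, "max_failed_logins": 5}},
    {"name": "billing", "tier": 2,
     "settings": {"min_password_length": 12, "max_password_age_days": 90,
                  "require_complexity": False}},   # lockout threshold never set
    {"name": "intranet-wiki", "tier": 3,
     "settings": {"min_password_length": 8, "max_password_age_days": 365,
                  "require_complexity": False, "max_failed_logins": 10}},
]

if __name__ == "__main__":
    for f in assess_estate(SAMPLE_INVENTORY):
        print(f"{f.application}: {f.parameter} expected {f.expected}, found {f.actual}")
```

Running the script lists four findings: the general ledger's password length is below its tier 1 minimum, the billing system lacks complexity enforcement and has no lockout threshold configured, and the wiki's password aging exceeds the tier 3 ceiling. In practice the inventory and settings would be pulled from the applications' own configuration exports, which is where the "monitor compliance" procedure of the fourth step would plug in.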
Points of focus illustrated: Establishes Relevant Technology Infrastructure Control Activities.
Management selects and develops control activities so that transaction processing, whether batch or real-time, is complete, accurate, and valid. Processing is actively checked for problems, either through a manual review of system status and logs or by automated programs with alarms. Timely corrective action is taken when problems are identified. Critical financial data and programs are regularly backed up and procedures are in place to completely and accurately do a restore. The restoration process is regularly tested to help ensure the backup and restoration processes work properly.
In the data center of Sullivan Financial Services, the IT operations staff monitors the batch and real-time processing of applications (including all financially significant applications) for errors using automated software. The scheduling software on the mainframe application checks for various problems with batch jobs, including data errors and programs that don't complete properly or that run out of order. The operators are alerted to any of these issues and alert the appropriate business process owner based on standard documented procedures.
For applications that process in real time, software is also used to automatically monitor for errors, such as incomplete, inaccurate, or invalid record transfers between systems. When a possible error is detected, the software attempts to resend the record without error. If the error persists, an email alert is sent to an operator who corrects the error following standard documented procedures. Financial management is notified of any errors in a weekly report. The weekly report is reviewed to determine if any accounting record adjustments are required due to the system problems. The controller reviews and approves any changes. (Note: this could be considered a process-level control.)
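The real-time monitoring described for Sullivan Financial Services follows a fixed pattern: check each transferred record for completeness, accuracy, and validity; resend automatically when a problem is found; escalate to an operator when the problem persists; and summarize the outcomes for financial management. The following is an added example of that pattern, not Sullivan's software or anything from the COSO text. The record format, the checksum used as the accuracy check, the chart of known accounts, and the constructed feed with one corrupted and one truncated record are all assumptions for illustration.

```python
"""Added example: completeness/accuracy/validity checks on transferred
records with automatic resend and operator escalation. Record layout,
checksum scheme and sample data are constructed, not from the COSO text."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

REQUIRED_FIELDS = ("record_id", "account", "amount", "checksum")
KNOWN_ACCOUNTS = {"1000-cash", "4000-revenue", "2000-payables"}   # hypothetical


def expected_checksum(record: dict) -> str:
    """Accuracy check: checksum over the business fields (hypothetical scheme)."""
    body = {k: record[k] for k in ("record_id", "account", "amount")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()[:16]


def validate_record(record: dict) -> Optional[str]:
    """Return None if the record is complete, accurate and valid, else the reason."""
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        return "incomplete: missing " + ",".join(missing)
    if record["checksum"] != expected_checksum(record):
        return "inaccurate: checksum mismatch"
    if record["account"] not in KNOWN_ACCOUNTS:
        return "invalid: unknown account"
    if not isinstance(record["amount"], (int, float)):
        return "invalid: non-numeric amount"
    return None


@dataclass
class MonitorReport:
    """What the weekly report to financial management would be built from."""
    accepted: List[str] = field(default_factory=list)
    recovered: List[str] = field(default_factory=list)        # fixed by automatic resend
    escalated: Dict[str, str] = field(default_factory=dict)   # record_id -> reason for operator


def monitor_transfers(records: List[dict], resend: Callable[[dict], dict],
                      max_resends: int = 1) -> MonitorReport:
    """Validate each record, resend on error, escalate if the error persists."""
    report = MonitorReport()
    for record in records:
        rid = record.get("record_id", "<no id>")
        reason = validate_record(record)
        attempts = 0
        while reason is not None and attempts < max_resends:
            record = resend(record)            # ask the source system for the record again
            reason = validate_record(record)
            attempts += 1
        if reason is None:
            (report.recovered if attempts else report.accepted).append(rid)
        else:
            report.escalated[rid] = reason     # operator follows documented procedure
    return report


def make_record(record_id: str, account: str, amount: float) -> dict:
    r = {"record_id": record_id, "account": account, "amount": amount}
    r["checksum"] = expected_checksum(r)
    return r


# Constructed "source system" and a feed in which two records arrived damaged.
SOURCE_SYSTEM = {
    "r1": make_record("r1", "1000-cash", 250.0),
    "r2": make_record("r2", "4000-revenue", 1200.0),
    "r3": make_record("r3", "9999-unknown", 10.0),
}
CONSTRUCTED_FEED = [
    SOURCE_SYSTEM["r1"],
    {**SOURCE_SYSTEM["r2"], "checksum": "deadbeef00000000"},             # corrupted in transit
    {k: v for k, v in SOURCE_SYSTEM["r3"].items() if k != "amount"},     # truncated in transit
]


def resend_from_source(record: dict) -> dict:
    """Stand-in for re-requesting a record from the sending system."""
    return SOURCE_SYSTEM[record["record_id"]]


if __name__ == "__main__":
    print(monitor_transfers(CONSTRUCTED_FEED, resend_from_source))
```

The corrupted revenue record is recovered by a single resend and would appear in the weekly report only as a recovered error; the third record is re-fetched intact but still fails the validity check because its account is unknown, so it is escalated to an operator instead of being silently dropped or posted. The split between recovered and escalated outcomes is what lets the controller judge whether any accounting adjustments are needed.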
Points of focus illustrated: Establishes Relevant Security Management Process Control Activities.
Financial management establishes policies that define appropriate access rights to be consistent with job functions, including segregation of duties, for financially significant applications and processes. New access requests or changes to access are reviewed against the policy by the functional owner of the IT resource (i.e., application, database, operating system, or network). The owner of the IT resource periodically recertifies access to ensure it is commensurate with policy. Problem reports, such as excessive improper logins, are regularly reviewed, and follow-up actions are taken when issues are identified.
The management team of a compensation and benefits consultancy reviews logical security controls to prevent unauthorized access to its financial reporting systems as follows:
- User Accounts—Formal user account setup and maintenance procedures are in place to request, establish, issue, suspend, change, and delete user accounts.
- Authentication Controls—Authentication standards establish minimum requirements for password length and a finite number of login attempts. Only unique user IDs are used to promote accountability and auditability.
- Privileged Accounts—The use of privileged ("super-user") accounts is limited to two system and application administrators who are responsible for IT security management and therefore deemed appropriate. These accounts are monitored by management for improper use.
- Application Reviews—The configuration settings for who has access to data related to critical applications and systems are periodically reviewed. Any violations detected are reported to management and corrective action is taken.
- Security Reviews—Applications and systems generate security logs, enabling user activity to be monitored and security violations to be reported to management.
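Two of the reviews above, the regular review of problem reports such as excessive improper logins and the monitoring of privileged accounts for use outside the approved administrator group, can be run directly over the security logs the last bullet refers to. The following is an added example written for this page, not the consultancy's tooling or part of the COSO text. The log line format, the event names, the ten-minute window and five-failure threshold, and the approved administrator list are all constructed assumptions.

```python
"""Added example: reviewing a security log for excessive failed logins and
for privileged-account use by anyone outside the approved administrator
group. Log format, thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed log lines: "<ISO timestamp> <user> <event>" (hypothetical format).
SAMPLE_LOG = """\
2024-03-04T08:00:01 jdoe LOGIN_FAILED
2024-03-04T08:00:07 jdoe LOGIN_FAILED
2024-03-04T08:00:12 jdoe LOGIN_FAILED
2024-03-04T08:00:20 jdoe LOGIN_FAILED
2024-03-04T08:00:31 jdoe LOGIN_FAILED
2024-03-04T08:00:45 jdoe LOGIN_FAILED
2024-03-04T08:15:00 asmith LOGIN_OK
2024-03-04T08:16:10 asmith LOGIN_FAILED
2024-03-04T09:00:00 admin1 PRIV_ESCALATION
2024-03-04T09:30:00 bjones PRIV_ESCALATION
this line is malformed and is skipped by the parser
2024-03-04T17:00:00 jdoe LOGIN_FAILED
"""

APPROVED_ADMINS: Set[str] = {"admin1", "admin2"}   # the "two administrators", hypothetical names

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
Event = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse well-formed lines; malformed lines are skipped rather than failing the review."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, kind = m.groups()
        events.append((datetime.fromisoformat(ts), user, kind))
    return events


def excessive_failed_logins(events: List[Event], threshold: int = 5,
                            window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Users whose failed logins reach the threshold inside any sliding window.

    Returns the peak count per flagged user; failures spread over hours do not count.
    """
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for ts, user, kind in events:
        if kind == "LOGIN_FAILED":
            failures[user].append(ts)
    flagged: Dict[str, int] = {}
    for user, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def unapproved_privileged_use(events: List[Event], approved: Set[str]) -> List[Tuple[str, str]]:
    """Privileged-account use by anyone not on the approved administrator list."""
    return [(ts.isoformat(), user) for ts, user, kind in events
            if kind == "PRIV_ESCALATION" and user not in approved]


def review_security_log(text: str, approved: Set[str]) -> Dict[str, object]:
    """The two review results a manager would see in the problem report."""
    events = parse_log(text)
    return {
        "excessive_failed_logins": excessive_failed_logins(events),
        "unapproved_privileged_use": unapproved_privileged_use(events, approved),
    }


if __name__ == "__main__":
    print(review_security_log(SAMPLE_LOG, APPROVED_ADMINS))
```

On the constructed log, jdoe is flagged with six failures inside a single ten-minute window while the later isolated failure at 17:00 does not add to the count, asmith's single failure is below the threshold, and bjones's privileged-account use is reported because that account is not on the approved list. The sliding window matters: a simple per-day count would flag slow, spread-out failures that a review of "excessive" logins is not looking for.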
Points of focus illustrated: Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities.
Management considers many factors when selecting new packaged software, including functionality, application controls, security features, and data conversion requirements. Management utilizes competent internal resources or hires a third-party vendor to implement the software, following the organization's requirements.
Management follows a defined change-control process to implement system upgrades or patches. This includes assessing the nature of the upgrade or patch and whether it is appropriate to implement. If deemed appropriate, the patch or upgrade is system and user tested in an environment that mirrors production before being implemented. Key stakeholders, such as the functional users, finance, and IT, sign off on the change before it is implemented. Appropriate documentation is maintained to provide evidence that the changes have been made.
FabFun Toys is a manufacturer of plastic toys. For several years it has been using packaged general ledger software, and it has developed a set procedure for managing vendor announcements of software upgrades, which is as follows:
- Obtain a description of the change, the rationale for it, the impact on the company's security environment, and implications for user interfaces.
- Outline steps for a back-out plan should the upgrade not perform as expected.
- Develop a plan to test that the edit and validation rules work properly, desired system functions operate as expected and produce the desired results, undesired processing results are prevented, and existing technical capabilities, including control activities critical to external financial reporting, continue to work properly.
- Execute the tests and document the results.
- Maintain a change control log.
- Obtain approval from financial and operational management and end users of the test results prior to releasing the upgrade into production.
Points of focus illustrated: Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities.
Management follows a full system development life cycle (SDLC) covering problem fixes to major implementations. The SDLC covers a number of process steps and control activities, including the following:
- Initiation, Authorization, Tracking, and Analysis—Changes are captured in a change control or development specification. The change's progress is tracked and authorization to proceed is made by the appropriate stakeholders. The possible impact to internal controls over financial reporting is assessed, and changes are approved by relevant financial stakeholders.
- Design and Construction—Programming standards are followed during the design phase and procedures are put in place to provide version control.
- Testing and Quality Assurance—Testing is performed before going live to check if the change meets the specification and has not caused any unintended changes to the existing software. The amount and type of testing varies based on the nature of the change (size, complexity, etc.) and includes unit, system, integration, and user acceptance testing, as appropriate.
- Data Conversion—When applicable, data is converted completely, accurately, and validly from the previous technology.
- Program Implementation and Go-Live Authorization—The change is approved by the relevant stakeholders before going live, and only the approved version of the software is implemented.
- Documentation and Training—End-user and IT support documentation and training are created and updated as needed.
Summer Run Co. provides material-based solutions for electronic, acoustical, thermal, and coated metal applications. IT has recently decided to significantly modify inventory management software, which is considered a financially significant application. To do so, the company must rely on the only two developers on staff to develop, test, and migrate the software to production.
Because Summer Run does not have an automated code promotion utility to control versions and migrations to the production environment, the IT manager, James Robb, takes the following steps:
- Identifies and analyzes risk resulting from the required changes
- Assigns changes to developers so that each works on specific tasks only
- Assigns to the developer not working on a particular change the responsibility for testing the change and migration to production
- Reviews any significant changes
- Locks versions following user acceptance testing to prohibit further change prior to release
Mr. Robb also relies on these manual controls to manage the code version and migration:
- Creating a manual log listing the version of the code copied to the development environment, along with date and time, and manually tracking the migration to test and then to production.
- Separating the review of all version control procedures prior to moving the code to production from those performed by the individual responsible for the IT functions.
The multi-billion-dollar telecommunications organization, Brassen Systems, uses an SDLC to update and maintain more than 200 applications. The changes vary from large and complex development initiatives to simple report changes. Brassen seeks to match the degree and rigor of control activities to the range of risks of these changes.
The organization assigns the level of risk to one of four categories based on several factors, including the length, level of effort, possible risks to financial processing and control activities, and complexity of the change. Level 1 changes (the most risky) are required to go through twenty quality gates, or control points, before implementation, while Level 4 changes (the least risky) are required to go through only ten gates. All changes that may affect financial processing and control activities are required to be reviewed by someone in the finance department before being implemented.
fn 19 Note that not all these control activities are technology general controls only. The first and last bullets could be considered business process–level controls; however, the entire list is included to illustrate a more complete consideration of spreadsheets.
Copyright © 2013 – 2016 Committee of Sponsoring Organizations of the Treadway Commission and the American Accounting Association. All Rights Reserved. Use of materials is subject to COSO's Policy of Acceptable Use.