Study Case - Assessing Information Technology General Control Risk

This case involves assessing the information technology general controls (ITGCs) at Foods Fantastic Company (FFC), a regional grocery store chain. The auditor must evaluate FFC's ITGC risks across five areas: IT management, systems development, data security, change management, and business continuity planning. For each area, the summary identifies key risks and concerns that the auditor should address, such as whether FFC has an IT strategic plan, controls access to its data center, and follows formal change management procedures. The auditor must understand how ITGCs in each area could indirectly impact FFC's financial reporting systems and affect the overall financial statement audit.

ISSUES IN ACCOUNTING EDUCATION
Vol. 24, No. 1
February 2009
pp. 63–76

Assessing Information Technology General Control Risk: An Instructional Case
Carolyn Strand Norman, Mark D. Payne, and Valaria P. Vendrzyk
ABSTRACT: Information Technology General Controls (ITGCs), a fundamental category of internal controls, provide an overall foundation for reliance on any information produced by a system. Since the relation between ITGCs and the information produced by an organization’s various application programs is indirect, understanding how ITGCs interact and affect an auditor’s risk assessment is often challenging for students. This case helps students assess overall ITGC risk within an organization’s information systems. Students identify specific strengths and weaknesses within five ITGC areas, provide a risk assessment for each area, and then evaluate an organization’s overall level of ITGC risk within the context of an integrated audit.

Keywords: internal controls; general control; ITGC; risk assessment.

INTRODUCTION

The Sarbanes-Oxley Act (SOX 2002) and the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (PCAOB 2007) require that the organization’s chief executive officer (CEO) and chief financial officer (CFO) include an assessment of the operating effectiveness of their internal control structure over financial reporting when issuing the annual report. External auditors must review management’s internal control assessment as part of an annual integrated audit of an organization’s internal controls over financial reporting. In short, accountants—external auditors, internal auditors, and management accountants at all levels—are actively involved in helping their respective organizations comply with SOX-related internal control requirements.
Because of the pervasiveness of IT in organizations, the information systems themselves contain many internal controls. As a result, both internal and external auditors must develop an understanding of the IT environment and its related processes and controls, including the IT general controls (ITGCs), by performing risk assessment procedures. Although deficiencies in ITGCs do not directly result in misstated financial statements or material control weaknesses, they can indirectly cause or contribute to application control deficiencies (Center for Public Company Audit Firms 2004). Since the relation between ITGCs and the information produced by an organization’s various application programs is indirect, understanding how ITGCs interact and affect an auditor’s risk assessment is often challenging for students. Accordingly, our case offers accounting faculty an assignment or project that is a ‘‘real world,’’ comprehensive supplement to textbook materials on the topic of risk and ITGCs.

Carolyn Strand Norman is an Associate Professor at Virginia Commonwealth University, Mark D. Payne is an Executive Director at Ernst & Young, and Valaria P. Vendrzyk is an Associate Professor at the University of Richmond.

The authors thank Nancy Bagranoff, Faye Borthick, Jason Emmons, Tony Hubbard, Tanya Lee, John McLain, Richard Newmark, Brad Tuttle, Ralph Viator, Marcia Weidenmier-Watson, Chris Wolfe, participants at the 2007 American Accounting Association Annual Meeting, and our anonymous reviewers for their helpful suggestions on earlier versions of this case. We gratefully acknowledge William Sanders, Information Systems Department, Virginia Tech, for the matrix prioritization materials.

64 Norman, Payne, and Vendrzyk

THE CASE
Several months ago, you started working at a large public accounting firm as an IT
staff auditor. You are currently working on your first assignment, an ITGC review of the
Foods Fantastic Company (FFC). FFC is a publicly traded, regional grocery store chain,
headquartered in Mason, Maryland, and includes 50 stores located in the mid-Atlantic area.
The centralized data center is in Mason. FFC relies on an integrated suite of application
programs that include state-of-the-art software to manage merchandise replenishment, store-
level sales forecasting, and point-of-sale data. For example, FFC relies on bar code scanners
and credit/debit card readers. To maintain its competitive edge in its market area, FFC
recently implemented a fingerprint bio-coding payment system in all of its stores. This new
systems implementation required that FFC change several of its general-ledger application
programs; in particular, those related to its cash receipts processing. FFC does not use any
outside service organizations to provide its IT services.
Sophie Ewing, the audit senior who heads up your team, decided that because of FFC’s complex and sophisticated IT processing, an IT General Control (ITGC) review is mandatory to meet SAS 109’s risk assessment procedures and SOX Section 404 Management Assessment of Internal Controls requirements. You know that an ITGC review is very important because ITGCs provide the foundation for reliance on any financial information FFC’s systems produce. Your evaluation will affect the financial auditor in assessing the risk of material misstatement in FFC’s financials, and consequently, the audit plan. At your first team meeting, Sophie announced that your firm’s network security specialists would review the technical issues related to FFC’s internal controls. They will evaluate FFC’s operating systems, its telecommunications software, and its network configuration and firewalls.
In preparation for the meeting, Sophie encouraged you to review the key provisions
included in SAS 109, SOX Section 404, applicable sections of PCAOB Auditing Standard
No. 5, and your firm’s internal guidance, which groups ITGCs into the following five areas:
IT management, systems development, data security, change management, and business
continuity planning (BCP).

IT Management
IT management’s key concepts include IT’s position within the organization, whether IT goals are aligned with the organization’s strategic goals, the use of an IT steering committee, and whether the IT department’s structure promotes proper segregation of duties to protect the organization’s assets. Your primary concerns are:
● Does FFC have an IT strategic plan?
● To whom does the Chief Information Officer (CIO) report?
● What key responsibility areas report to the CIO?
● Does FFC have an IT steering committee? If so, who are the members?

Issues in Accounting Education, February 2009


Assessing Information Technology General Control Risk: An Instructional Case 65

Systems Development
The key concepts within systems development include the existence of a new systems implementation methodology, project management, pre- and post-implementation reviews, quality control, adequate testing, and demonstrated compliance with the selected implementation methodology. Based on this understanding, your team’s primary concerns are:
● Does FFC design, develop, and implement systems in a logical fashion?
● Does the organization consider internal controls as an integral part of systems design
or does it retrofit them after implementation?
● To what extent is FFC’s Internal Audit department involved in systems development
activities? Is it part of the project review team? Is it a voting member of the team?
● In particular, how well did FFC manage the development and implementation of its
new fingerprint bio-coding payment system?
Data Security
The critical concepts within data security include adherence to an established information security policy, access approval on a need-to-know basis, periodic rotation or change of access controls, monitoring, exception reporting, and incident response. Data security has both physical and logical aspects. On the physical side, data security includes physical access and environmental controls over the data center computer room. On the logical side, data security includes policies related to password configuration, change, and history restrictions. Logical security also includes prompt review, modification, or removal of access due to personnel transfers, promotions, and terminations. Your team’s primary concerns are:
● How well does FFC control physical access to its data center computer room?
● Is FFC’s computer room adequately protected against environmental dangers, such as
fire?
● Does FFC control logical access to its information systems? In particular, how does it
control the logical access of terminated or transferred employees?
● Does FFC have a current IT security policy?
● Does FFC produce access violation reports?
● Do FFC IT personnel adhere to IT policy and follow IT procedures? For example, do
appropriate personnel review any access violation reports and take the prescribed
action?
Change Management
Change Management’s key concepts include documented change procedures, user authorization and approval, separation of duties in implementing changes, management review, quality control, and adequate testing. Your audit team’s primary concerns are:
● Does FFC have (and follow) formal change management procedures?
● In particular, did FFC follow these procedures when making any necessary changes to its current application programs because of the new bio-coding payment system? For example: Were the changes approved? Did the programmers adequately test the changes before putting them into production? Did the application programmer(s) that made the code changes also test the changes and/or put them into production?
Business Continuity Planning
Key concepts of BCP are management’s expectations regarding a timely recovery of processing capabilities, the existence of a written plan, the currency of the plan, offsite storage of both the plan and data files, and testing of the plan. Your audit team’s main concerns are:
● Does FFC have a written BCP plan? Is it current?
● When is the last time FFC tested its plan?
● Does FFC back up its software and data? How often? Where do they store the backups?
● Did FFC need to recover its systems using its backups during the past fiscal year?

Information Collected During the ITGC Review


Under Sophie Ewing’s direction, you and other members of the audit team worked very diligently reviewing FFC’s policies and procedures, interviewing FFC client personnel, and observing FFC’s various operations and procedures related to its ITGCs. First, your team created an organization chart to document FFC’s management structure (see Exhibit 1). Exhibit 2 reflects the information your team collected from interviews, observations, and reviews of corroborating documentation related to FFC’s ITGCs.

EXHIBIT 1
Foods Fantastic Company Organization Chart

Executive Vice President and Chief Financial Officer (CFO)
    Senior Vice President, Internal Audit
    Senior Vice President and Controller
    Senior Vice President and Treasurer
    Senior Vice President and Chief Information Officer (CIO)
        Vice President, Applications
        Vice President, Operations
        Vice President, Information Security
        Vice President, Database Administration (Currently Vacant)


EXHIBIT 2
Foods Fantastic Company
IT General Control (ITGC) Review Notes
Notes from meetings with the Chief Financial Officer (CFO):
● Foods Fantastic Company (FFC) implemented a new bio-coding payment system in all of its
stores this past fiscal year.
● FFC’s IT Executive Steering Committee develops IT policies and reviews the overall operations
of the IT department. The voting members of the committee are:
1. the Senior Vice President (SrVP) and Chief Information Officer (CIO)
2. the VP, Applications
3. the VP, Data Base Administration (DBA)
4. the VP, Operations
5. the VP, Information Security (IS)
6. the Executive Vice President and Chief Financial Officer (CFO)
7. the SrVP, Internal Audit
● The IT Executive Steering Committee revised FFC’s security policy in 2005. The policy addresses
all organizational security issues including IT.
● FFC has no documented business continuity or disaster recovery plan. Management believes such
a plan is cost-prohibitive for an organization of its size and FFC has never experienced any major
business disruption. In case of disaster, the data center manager would retrieve the most recent
backup tapes that are stored offsite. FFC would use these files to recover its systems.

Notes from meetings with the SrVP, Internal Audit:


● FFC’s Internal Audit Department is involved as a voting member of the project teams responsible
for design, development, and implementation of new projects. Internal audit performs post-
implementation reviews on all projects over $2 million.
● The new bio-coding payment system was 25 percent over its initial time budget and 40 percent
over its initial dollar budget.

Notes from meetings with the CIO:


● The VP, Applications is currently responsible for the DBA function. However, the CIO reviews
the logs that show the actions of the Application VP’s user ID.
● FFC has an IT strategic plan, which is consistent with its corporate strategic plan. The IT strategic
plan outlines the objectives and strategies that the information systems group will implement to
assist FFC in meeting its overall business objectives.
● FFC adopted Structured Systems Analysis and Design Methodology (SSADM), an industry-
recognized standard for systems development and project management. All projects (buy or build)
follow the applicable SSADM phases. The CIO periodically reviews each project’s required
budget-to-actual reconciliation.
● FFC’s security policy states that the VP, IS is to conduct a user audit on a quarterly basis. The appropriate department manager reviews electronically submitted reports that list each user’s profile, notes changes on the reports, and returns the reports to the VP, IS. The VP then makes the appropriate modifications based on the returned reports. The VP maintains the reports, and initials and dates the report after completing all modifications.

Notes from meetings with the VP, Human Resources:


● FFC is currently interviewing individuals to assume the DBA’s responsibilities and hopes to hire
someone within the next six to eight months.
● Aside from the security policy, management does not provide any formalized security awareness
programs related to data security.
● Each month, the Human Resources department forwards a Transfers and Terminations report to
the VP, IS.
Notes from meetings with the VP, Applications:
● The VP, Applications assigns a project manager and develops an initial time and dollar budget
for each new development project.
● IT personnel adequately tested the new bio-coding payment system prior to its implementation. This testing included integration testing, stress testing, and user acceptance testing. User departments corroborated their testing and acceptance of the new system.
● Application programmers do not have access to the computer room unless escorted by data center
personnel (e.g., an operator).
● FFC instituted formal procedures for change management. The VP, Applications is responsible for change management and maintains all documentation in a fireproof vault in his office. A Change Request form initiates all application software changes, including required software upgrades. A user completes the form, which the user’s department manager approves. The user forwards the request form to the VP, Applications, who logs each request in a Change Request Log. The VP performs an initial analysis and feasibility study and estimates the required development hours. The Change Request log is a listing of all requested changes and the status of the change request. The VP, Applications uses this log to track open items and follow up on changes not completed within the original time estimate.
● The VP, Applications assigns the change request to an applications programmer and issues the current system’s documentation to the programmer. The applications programmer copies the source code from the system’s production region to its development region and makes the change. The programmer works in the systems development region using test data. The programmer tests the change first within the affected module and then within the entire application. Changes are never tested against production data. The programmer updates the necessary system’s documentation.
● The applications programmer migrates the code to the system’s test region. A second programmer
performs systems integration testing, volume testing, and user acceptance testing, again using test
files. The second programmer then performs a quality review of the change, including a source-
compare analysis, and reviews the updated systems documentation.
● Upon completion of testing, the user who requested the change and the appropriate department manager review the test results and accept the change by signing the original request form. The VP, Applications reviews the user-approved request form on which the department manager has indicated that s/he is satisfied that the program is ready for implementation. The VP, Applications also reviews the documentation prior to implementing any new or changed program to ensure that the documentation is adequate.
● The VP, Applications approves the change, initials the change request form, and transfers the
change to the VP, Operations, who officially accepts the change. The VP, Applications then
updates the Change Request log and returns the revised systems documentation to the fireproof
vault.
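The change procedure in the notes above, modeled as an added example (not FFC’s or the authors’ code) so that the segregation-of-duties questions in the audit team’s Change Management concerns can be checked mechanically: each step records who performed it, steps must occur in the order the notes describe, and the programmer who made a change is refused the second programmer’s testing and review role and the production migration. The step and role names, the person names and request ids, and the decision to enforce these checks in code rather than through the signatures on the request form are this example’s assumptions.

```python
"""Model of the application change procedure in the VP, Applications notes.

Constructed example, not FFC's or the authors' code.  Each step of the
procedure records who performed it, steps must occur in the stated order, and
the programmer who made the change is refused the second programmer's role and
the production migration, which is the segregation-of-duties question the audit
team's Change Management concerns raise.  Role and person names are constructed.
"""


class SegregationError(Exception):
    """One person would hold two roles the procedure keeps separate."""


class SequenceError(Exception):
    """A step was attempted out of the order the procedure prescribes."""


# (step, role that performs it), in the order the notes describe.
STEPS = [
    ("request_approved", "department_manager"),      # manager approves the Change Request form
    ("change_developed", "developer"),               # source copied to development region, change made
    ("developer_tested", "developer"),               # module and whole-application tests on test data
    ("integration_tested", "second_programmer"),     # integration, volume and user acceptance testing
    ("quality_reviewed", "second_programmer"),       # source-compare analysis, documentation review
    ("user_accepted", "requester"),                  # requester and manager sign the original form
    ("vp_applications_approved", "vp_applications"),
    ("vp_operations_accepted", "vp_operations"),
    ("in_production", "operations"),                 # operations personnel place it into production
]

# Role pairs one person may not combine on the same change.  The case asks whether
# the programmer who made the change also tested it or put it into production; the
# choice to enforce that in code rather than by form signatures is this example's.
INCOMPATIBLE = {
    frozenset(("developer", "second_programmer")),
    frozenset(("developer", "operations")),
}


class ChangeRequest:
    """One entry in the Change Request Log: completed steps and who filled each role."""

    def __init__(self, request_id: str) -> None:
        self.request_id = request_id
        self.done = []      # step names completed, in order
        self.actors = {}    # role -> person who performed it on this change

    def complete(self, step: str, role: str, person: str) -> None:
        """Record `step` as performed by `person` acting as `role`, or refuse it."""
        if len(self.done) >= len(STEPS):
            raise SequenceError(f"{self.request_id}: already in production")
        expected_step, expected_role = STEPS[len(self.done)]
        if (step, role) != (expected_step, expected_role):
            raise SequenceError(
                f"{self.request_id}: expected {expected_step} by {expected_role}, got {step} by {role}")
        if self.actors.get(role, person) != person:
            raise SegregationError(f"{role} on {self.request_id} is {self.actors[role]}, not {person}")
        for held_role, holder in self.actors.items():
            if holder == person and frozenset((held_role, role)) in INCOMPATIBLE:
                raise SegregationError(
                    f"{person} acted as {held_role} on {self.request_id} and may not also act as {role}")
        self.actors[role] = person
        self.done.append(step)

    @property
    def in_production(self) -> bool:
        return bool(self.done) and self.done[-1] == "in_production"


COMPLIANT_ASSIGNMENTS = {   # constructed role -> person map with every role held by a different person
    "department_manager": "ap_manager", "requester": "ap_clerk",
    "developer": "programmer_a", "second_programmer": "programmer_b",
    "vp_applications": "vp_apps", "vp_operations": "vp_ops", "operations": "operator_1",
}


def first_violation(assignments, order=STEPS):
    """Run the procedure with `assignments` (role -> person) in `order`; return the
    name of the first error raised, or None if the change reaches production."""
    cr = ChangeRequest("CR-0001")
    try:
        for step, role in order:
            cr.complete(step, role, assignments[role])
    except (SegregationError, SequenceError) as err:
        return type(err).__name__
    return None


def run_compliant_flow() -> ChangeRequest:
    """Walk a constructed request through every step with the compliant assignments."""
    cr = ChangeRequest("CR-0002")
    for step, role in STEPS:
        cr.complete(step, role, COMPLIANT_ASSIGNMENTS[role])
    return cr
```

Calling first_violation with the compliant map returns None; re-running it with the developing programmer substituted as second programmer or as the operations staff member returns "SegregationError" at the step where the conflict first appears, which is the evidence the audit team would want for the question of whether the programmer who made the code changes also tested them or put them into production.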

Notes from meetings with the VP, Operations:


● FFC’s computer room, within its data center, is locked at all times. All outside contractors or
visitors must first contact the data center manager for entry into the computer room. Each must
bring an official picture ID, sign a visitors’ log, and be escorted at all times by data center
personnel during the visit.
● In 2002, FFC installed video cameras on all doors entering the computer room to record activity 24/7. Building management staff, who report to the facilities manager, are responsible for maintaining these tapes. The VP, Operations has not needed to review these tapes for at least six months since no unauthorized access attempts have been reported.
● Environmental controls are in place in the computer room (i.e., temperature controls, uninterrupted power supply, a backup generator, fire-extinguishing equipment, and raised floor). Appropriate maintenance staff test these controls semi-annually.
● FFC backs up all of its data each day. It stores its most recent daily backup once a week at a
company-owned offsite location, along with the most recent version of its software. FFC did not
test backup tapes during the past year and has no plan to test these tapes in the future.
● The VP, Operations assigns IT operations personnel the task of placing new or changed applications programs into production after the VP, Applications has approved the work.
Notes from meetings with the VP, Information Security:
● The VP, IS grants keycard access to the computer room. The VP, IS receives a keycard access
report for the computer room on a monthly basis. The VP, IS determines if an unauthorized
access attempt into the computer room has occurred.
● Passwords are not displayed on terminals or reports. Password standards are enforced by security software. FFC requires a minimum password length of six alphanumeric or special characters and a maximum length of nine alphanumeric or special characters. The software prevents the same character from being used more than once in a password and prevents numbers from being used next to each other in a password. The security software forces users to change their passwords twice each year. The security software maintains a history of two previous passwords and does not permit employees to reuse their two most recent passwords. The security software does not display statistics regarding employees’ sign-on information. For example, there is no information regarding a user’s sign-on attempts (such as date and time of last sign-on), number of invalid sign-on attempts since last successful sign-on, or number of days prior to password expiration.
● The system allows three access attempts. If the third attempt is unsuccessful, the user ID is automatically disabled. The user must contact the VP, IS to reset the user ID. The system generates a logical access violation report on a daily basis.
● User access is limited to workstations within the corresponding responsibility area. For example,
users with access to the Accounts Payable module can only log in from workstations located in
the Accounts Payable area. A workstation can stand idle for up to 60 minutes before the user is
logged off.
● The VP, IS is responsible for maintaining user profiles and authorization lists.
● The VP grants access to the system to new hires. The appropriate department manager completes
a computerized form that specifies the proper level of access. The VP reviews the request form
for proper approvals and then either approves or denies the request. If approved, the VP issues
the necessary ID and initial password with the requested access via encrypted email.
● Normal users may have multiple IDs. Each user ID can log on to one sign-on session at a time.
The VP, IS, who has unlimited access, can log in from any workstation and have multiple sign-
on sessions.
● The VP, IS is responsible for modifying and/or disabling user IDs for personnel whose job duties change because of promotions, transfers, and/or terminations based on the Transfers and Terminations report. The VP, IS maintains the report, and initials and dates the report when the VP, IS has made all of the modifications.
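The password standard in the notes above, as an added example that is not FFC’s or the authors’ code: a checker that applies the stated rules (length six to nine, no repeated character, no adjacent digits, no reuse of the two most recent passwords), and a count of how many passwords those rules actually permit, which is what an auditor weighs when judging whether a composition rule strengthens or weakens a standard. The character set is an assumption, since the notes say only ‘‘alphanumeric or special characters’’: printable ASCII without the space, i.e. 10 digits and 84 other characters. The password from the exhibit is used as-is; every other sample password is constructed.

```python
"""Model of the password standard described in FFC's ITGC review notes.

Constructed example, not FFC's or the authors' code.  The notes say only
"alphanumeric or special characters", so the character set is an assumption:
printable ASCII without space, i.e. 10 digits and 84 other characters.
"""
from math import comb, perm
import string

DIGITS = string.digits
OTHERS = string.ascii_letters + string.punctuation   # 52 letters + 32 punctuation marks (assumed)
ALPHABET = DIGITS + OTHERS
MIN_LEN, MAX_LEN = 6, 9                              # stated minimum and maximum length
HISTORY_DEPTH = 2                                    # the two most recent passwords may not be reused


def policy_violations(password, history=()):
    """Return every rule of the stated standard that `password` breaks (empty list = compliant)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    if any(c not in ALPHABET for c in password):
        problems.append("only alphanumeric or special characters are allowed")
    if len(set(password)) != len(password):
        problems.append("a character may not be used more than once")
    if any(a in DIGITS and b in DIGITS for a, b in zip(password, password[1:])):
        problems.append("two digits may not be adjacent")
    if password in tuple(history)[-HISTORY_DEPTH:]:   # history is oldest first
        problems.append(f"matches one of the {HISTORY_DEPTH} most recent passwords")
    return problems


def count_compliant(length, n_digits=len(DIGITS), n_others=len(OTHERS)):
    """Count length-`length` strings with no repeated character and no adjacent digits.

    For k digits: comb(length-k+1, k) ways to pick non-adjacent positions,
    perm(n_digits, k) orderings of distinct digits in them, and
    perm(n_others, length-k) orderings of distinct non-digits in the rest.
    """
    return sum(
        comb(length - k + 1, k) * perm(n_digits, k) * perm(n_others, length - k)
        for k in range(0, length + 1)
        if k <= n_digits and length - k <= n_others
    )


def keyspace_fraction(length):
    """Share of the unconstrained keyspace |ALPHABET|**length that the two rules leave usable."""
    return count_compliant(length) / len(ALPHABET) ** length


def total_policy_keyspace():
    """All passwords the stated standard accepts, summed over the permitted lengths."""
    return sum(count_compliant(n) for n in range(MIN_LEN, MAX_LEN + 1))


if __name__ == "__main__":
    for n in range(MIN_LEN, MAX_LEN + 1):
        print(f"length {n}: {keyspace_fraction(n):.3f} of the unconstrained keyspace remains")
    # the VP, Applications password recorded in the exhibit; "ab12cdef" is constructed
    print("7LiAcOf#:", policy_violations("7LiAcOf#") or "compliant")
    print("ab12cdef:", policy_violations("ab12cdef"))
```

Run as a script it prints, for each permitted length, the fraction of the unconstrained keyspace that the no-repeat and no-adjacent-digit rules leave available; count_compliant is the closed-form count, and it can be checked by hand on a tiny alphabet (two digits and two letters at length three give 16 compliant strings).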

Notes from meeting with the facilities manager, who reports to the VP, Human Resources:
● According to the facilities manager, no one asked to view the computer room video tapes during
the past six months.

Observations of the audit team:


● Documentation of the systems development process for the new bio-coding payment system
confirms that the VP, Applications complied with SSADM requirements when implementing this
new system.
● The data center is on the first floor of FFC’s building. The data center manager reports to the
VP, Operations.
● Company policy requires the VP, IS to review the keycard access report at least once per quarter.
During the past six months, the VP has not reviewed the report for any unauthorized access
attempts.
● The team observed no instances in which application programmers were in the computer room
without a proper escort.
● The team observed no instances in which visitors or outside contractors were in the computer
room without a proper escort.
● Documentation of the computer room environment controls test results for the last 18 months
shows no irregularities. These files are in the CIO’s office.
● If someone attempts to enter the computer room without authorization, company policy requires
that the VP, Operations review the video tapes from the computer room cameras within 24 hours.
● The FFC security policy requires each employee to sign an acknowledgment that s/he read the current policy. A review of the personnel files of a sample of employees found no exceptions.
● A review of the selected user profiles and passwords revealed the following:

User                                      Password
Vice President, Applications              7LiAcOf#
Vice President, Information Systems       QSECOFR1

Note: The acronym QSECOFR looks familiar. Remember to review A Beginner’s Guide to Auditing the AS/400 Operating System (Bines 2002).

● During the past six months, the dates of the modifications were about three weeks after the VP, IS received HR’s Transfers and Terminations report.
● The VP, IS performed the most recent user audit eight months ago.
● Company policy requires the VP, IS to review the unauthorized system access report on a monthly
basis to check for unusual activity (e.g., multiple violations, changes to the authorization lists,
etc.). During the past six months, the VP, IS has not reviewed the report for any unauthorized
access attempts.
● The audit team verified that FFC followed its approved change management procedures when
making the bio-code payment-related changes to its cash receipts processing and other financial
reporting application programs.
● In the past fiscal year, no incidents occurred that required FFC to recover its systems using its
backup tapes.

Case Requirements
Sophie Ewing assigned your team the following tasks:
1. For each ITGC area, identify the control issues and classify them as strengths or weaknesses, using Exhibit 3 to document your work. Exhibit 3 will be part of the audit team’s work papers.
2. Determine the level of risk (High, Medium, or Low) that you believe is present in each particular ITGC area.
3. Assess the overall risk of the organization’s ITGCs, taking into consideration the five separate risk assessments that you just made (task #2 above), and their relative importance to internal controls over FFC’s financial reporting.
4. Prepare a report that documents and appropriately supports your overall IT risk assessment (task #3), using the guidance Sophie provided in Exhibit 4. You must include a statement explicitly stating your overall risk assessment in the report’s concluding section and attach your completed ITGCs matrix.


EXHIBIT 3
Foods Fantastic Company IT General Controls Matrix

Part A: Strengths and Weaknesses

ITGC Area        Summary of Issue                Strength or Weakness
IT Management    FFC has an IT strategic plan    Strength

Part B: Risk Assessment for each ITGC area (Indicate Low, Medium or High)

ITGC Area                        Risk Assessment
IT Management
Systems Development
Data Security
Change Management
Business Continuity Planning


EXHIBIT 4
Report Guidance
IT General Controls Risk Assessment Report
Foods Fantastic Company
Student’s Name
Date

Background: Write a short description of Foods Fantastic Company (FFC) and why the ITGC review
is necessary (2–3 sentences).
Purpose: Briefly describe the purpose of an ITGC review and why it is important (2–3 sentences).
Scope: Provide a short description of the work your team performed at Foods Fantastic to develop
your risk assessment (3–4 sentences).
Findings: Elaborate on the key finding(s) that influenced your overall risk assessment. Discuss the key control strengths and weaknesses you identified within each of the five ITGC areas and its corresponding risk assessment. Provide enough detail to support your assessment. Include specific examples from the information your team collected (interviews, observations, and reviews of corroborating documentation). Your arguments need to be consistent with your risk assessment for the five different areas, as well as your overall risk assessment (4–5 paragraphs).
Conclusion: Provide a statement of your overall risk assessment. For example, I set FFC’s assessed level of ITGC risk as (Low, Medium, or High) because of ______. Summarize the primary reasons that contributed to your assessment. Keep in mind the relative importance of each of the five ITGC areas in controlling FFC’s financial reporting (3–4 sentences).

REFERENCES
Bines, J. 2002. A beginner’s guide to auditing the AS/400 operating system. Information Systems Control Journal, Volume 2. Available at: http://www.isaca.org.
Center for Public Company Audit Firms. 2004. A Framework for Evaluating Control Exceptions and Deficiencies, Version No. 3. Available at: http://cpcaf.aicpa.org.
Public Company Accounting Oversight Board (PCAOB). 2007. An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Auditing Standard No. 5. Washington, D.C.: PCAOB.
U.S. House of Representatives. 2002. The Sarbanes-Oxley Act of 2002. Public Law 107-204 [H. R. 3763]. Washington, D.C.: Government Printing Office. See also: http://www.sarbanes-oxley.com.


CASE LEARNING OBJECTIVES AND IMPLEMENTATION GUIDANCE


Learning Objectives
The primary objectives of this case are to: (1) provide students with hands-on experience in assessing risk in an IT context, (2) improve students’ understanding of how ITGCs affect an auditor’s risk assessment, and (3) facilitate students’ comprehension of how ITGCs can enhance the operating effectiveness of an organization’s internal control structure. Our case illustrates the ITGC evaluation process within the context of an integrated audit. We challenge students to reflect upon many of the factors that external auditors must consider when trying to assess the overall risk related to an organization’s information systems. The case materials include the notes from an ITGC review for a grocery store chain with highly complex information processing systems. Based on these materials, students group the review findings into five ITGC areas and develop an integrated risk assessment—a challenging task that helps students develop their critical thinking skills.
This case offers a number of important benefits with respect to these issues and augments previously published cases. First, this case offers students an opportunity to practice assessing risk as it relates to ITGCs. Second, it provides a broad understanding of ITGCs so that students are better prepared to tackle cases that examine one or two specific general control areas; for example, Bagranoff and Brewer’s (2003) enterprise system software acquisition case. Third, our case serves as an introduction to more complex cases that include both ITGCs and application controls, such as Janvrin’s (2003) case on general and application controls in the payroll process.
Although we changed some aspects of the case, such as the company’s name, to protect client confidentiality, we base the case on an actual ITGC review conducted by a large public accounting firm. In addition to the authenticity of the interview notes and actual observations, students have the opportunity to use and become more familiar with significant professional guidance that accountants use to evaluate ITGCs, such as the COSO internal control frameworks and Sarbanes-Oxley (SOX) Section 404 requirements.
These learning objectives respond to the needs of the profession. According to O’Donnell and Moore (2005, 64), “the pervasive use of systems in organizations and the increased emphasis on assurance of information technology (IT) processes has [sic] increased the need for accounting professionals with IT control knowledge and skills.” This case also helps students focus on their writing and critical thinking skills, as well as their ability to solve unstructured problems as they evaluate notes compiled during an ITGC evaluation of a client. A number of studies over the past decade point out the need for these abilities and skills in entry-level accountants (e.g., Reinstein and Houston 2004; Ashbaugh et al. 2002; Coppage and French 2002; Rothenburg 2002; Messmer 2001; Riordan et al. 2000).
74 Norman, Payne, and Vendrzyk

Implementation Guidance
This case is appropriate for IT auditing, financial auditing, and internal auditing courses, as well as graduate and undergraduate AIS courses. When using the case in a graduate AIS or IT auditing course, we spend a considerable amount of time studying each of the ITGC areas and require a formal written report. When using the case in an undergraduate AIS course, we often introduce the case during one 75-minute class period, require the students to complete the matrix prior to the next class session, and omit the requirement for a written report. We usually provide undergraduate AIS students with a simpler version of the case. This version, which is included with the case’s ancillary materials, assumes that students have not yet taken an auditing class. The alternate version presents the case in the context of an internal SOX 404-related review (of ITGCs), rather than part of an integrated audit. It also presents the control issues in a straightforward manner, requiring only that students classify the issue as a strength or a weakness.

Prerequisite Knowledge
To complete the case in an undergraduate AIS class, students need a working knowledge of, or at least exposure to, the following professional guidance:
● The Committee of Sponsoring Organizations (COSO) Report, Internal Control—Integrated Framework (COSO 1992)
● The follow-up COSO report, Enterprise Risk Management (COSO 2004)
● The requirements of SOX Sections 302 and 404 (SOX 2002)
To complete the case in an auditing or graduate AIS class, students should also be familiar with:
● The primary provisions of SAS 109 (American Institute of Certified Public Accountants [AICPA] 2006)
● Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (PCAOB 2007)
In addition to this professional guidance, the Teaching Notes include supplemental textbook cites, other cases, and professional articles to assist students in understanding the ITGC-related concepts. Students should already be familiar with the case setting, which is a grocery store that uses automated checkout systems.
Students can complete the case individually, in teams, or a combination of both. A team setting is probably more representative of the types of meetings accounting professionals encounter in practice. In addition, a team setting facilitates student discussions of the various ITGC control strengths and weaknesses and the relative importance of the five ITGC areas to the integrated audit.

Ranking of IT General Control Areas


Students struggle most when integrating the five ITGC areas to develop an overall risk assessment. When students have a method of ranking the relative importance of the ITGC areas to financial statement reporting, they tend to assimilate the widely assorted information more quickly and to evaluate the overall risk assessment more accurately. To help students reach a consensus on the rank ordering of the ITGC areas, we suggest first using a matrix prioritization technique and then comparing the students’ rankings to those provided by a partner from each of the Big 4 accounting firms. The Teaching Notes include detailed instructions for completing the matrix prioritization exercise, including a worksheet (available as a Microsoft Excel file in the case’s ancillary materials) that instructors can use to help students complete this task and a summary of the partners’ rankings.

Grading the Case


As noted above, instructors may use the case at either the undergraduate or graduate level. In an undergraduate setting, one instructor has assigned the case as an activity worth 50 (of 600 available) points. At the graduate level, one instructor has assigned the case as a weekly assignment worth 50 (out of 550) points; another has assigned the case as a take-home exam worth 100 (out of 500) points.
We estimate that each case requires approximately 15 to 30 minutes to grade, depending on the quality of the student’s submission. To facilitate grading, we developed a grading rubric (included in the Teaching Notes and as a Microsoft Excel file in the case’s ancillary materials) that assigns points to various criteria, such as classification of strengths and weaknesses, accuracy of risk assessments, and writing quality. We believe that use of the grading rubric has reduced students’ grading-related ambiguity and improved our grading consistency and efficiency. Since the grading rubric is in Excel format, it allows the instructor to easily vary the grading criteria, their weightings, and the total points allotted to the assignment.
Efficacy of the Case
This case is a more robust version of one currently used by a large public accounting firm in its entry-level IT auditor staff training. Over the past ten years, an executive-level IT professional has used various versions of this case (as a guest speaker) in both AIS and IT auditing classes. In response to student and faculty feedback, as well as to incorporate IT-related changes, he has frequently updated and augmented the details included in the case. In addition, two instructors have used versions of this case in both undergraduate and graduate-level AIS and IT auditing courses. In summary, more than 500 students from four large state universities and one small private university have worked on versions of this case. During the fall 2006 semester, we collected formal feedback from 24 students enrolled in graduate AIS courses at two different universities using the same version of the case. In general, the majority of the students thought it was important that accounting majors have a comprehensive understanding of ITGCs, and that the case covers a topic (internal controls) that is important to managers, internal auditors, and external auditors. Students believed that the case helped them learn about ITGCs and control risk. On average, they reported that it took them about eight hours to complete the case.

SUMMARY OF TEACHING NOTES


The Teaching Notes for this case include the following:
1. A suggested solution to the ITGC Matrix and the ITGC risk assessment report.
2. Suggestions for adapting the case, including additional readings and other teaching
cases to help students better understand and complete this case on ITGCs.
3. Discussion notes to introduce the ITGCs.
4. Additional information to clarify the case requirements.
5. Discussion notes to help students rank the relative importance of the ITGC areas,
including a matrix priority worksheet with instructions.
6. A grading rubric.
7. A URL for a zip-file that includes the following ancillary materials to facilitate case
implementation:
a. The case materials in Microsoft Word format
b. The matrix priority worksheet in Microsoft Excel format
c. The grading rubric in Microsoft Excel format
d. A Microsoft PowerPoint presentation on General Controls
e. A simpler version of the case, possibly more suited for use in an undergraduate
AIS class, in Microsoft Word format.

TEACHING NOTES
Teaching Notes are available only to full-member subscribers to Issues in Accounting Education through the American Accounting Association’s electronic publications system at http://aaapubs.aip.org/tnae/. Full-member subscribers should use their usernames and passwords for entry into the system where the Teaching Notes can be reviewed and printed. If you are a full member of AAA with a subscription to Issues in Accounting Education and have any trouble accessing this material, then please contact the AAA headquarters office at [email protected] or (941) 921-7747.

REFERENCES
American Institute of Certified Public Accountants (AICPA). 2006. Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. Statement on Auditing Standards (SAS) No. 109. New York, NY: AICPA.
Ashbaugh, H., K. Johnstone, and T. Warfield. 2002. Outcome assessment of a writing-skill improvement initiative: Results and methodological implications. Issues in Accounting Education 17 (2): 123–148.
Bagranoff, N., and P. Brewer. 2003. PMB investments: An enterprise system implementation. Journal of Information Systems 17 (Spring): 85–106.
Committee of Sponsoring Organizations (COSO). 1992. Internal Control—Integrated Framework. New York, NY: AICPA.
———. 2004. Enterprise Risk Management—Integrated Framework. New York, NY: AICPA.
Coppage, R., and G. French. 2002. Restructuring management accounting education. Cost Management 16 (2): 40–49.
Janvrin, D. 2003. St. Patrick Company: Using role-play to examine internal control and fraud detection concepts. Journal of Information Systems 17 (Fall): 17–39.
Messmer, M. 2001. Enhancing your writing skills. Strategic Finance 82 (7): 8–10.
O’Donnell, E., and J. Moore. 2005. Are accounting programs providing fundamental IT control knowledge? The CPA Journal 75 (5): 64–66.
Public Company Accounting Oversight Board (PCAOB). 2007. An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Auditing Standard No. 5. Washington, D.C.: PCAOB.
Reinstein, A., and M. Houston. 2004. Using the Securities and Exchange Commission’s “plain English” guidelines to improve accounting students’ writing skills. Journal of Accounting Education 22 (1): 53–67.
Riordan, D., M. Riordan, and M. Sullivan. 2000. Writing across the accounting curriculum: An experiment. Business Communications Quarterly 63 (3): 49–59.
Rothenburg, E. 2002. How writing across the curriculum can be incorporated into accounting programs. The CPA Journal 72 (4): 14.
