
Implemented information technology general control audit performed by EY Vietnam audit firm in the audit of financial statements of ABC company


DOCUMENT INFORMATION

Basic information

Title: Implemented information technology general control audit performed by EY Vietnam audit firm in the audit of financial statements for ABC company
Author: Nguyen Hoang Bao Tram
Supervisor: Ph.D. Tran Thi Thu Thuy
University: Ho Chi Minh City University of Banking
Major: Accounting - Auditing
Type: Graduation thesis
Year of publication: 2023
City: Ho Chi Minh City
Pages: 95
Size: 3.28 MB


HO CHI MINH CITY UNIVERSITY OF BANKING

GRADUATION THESIS

IMPLEMENTED INFORMATION TECHNOLOGY GENERAL CONTROL AUDIT PERFORMED BY EY VIETNAM AUDIT FIRM IN THE AUDIT OF FINANCIAL STATEMENTS FOR ABC COMPANY

NGUYEN HOANG BAO TRAM

HO CHI MINH CITY – 2023


ABSTRACT

Due to the rapid growth of business, many companies require a wide range of software, from small-scale to enterprise-class, to match their specific business objectives. ITGC (Information Technology General Control) is commonly referred to as a part of the internal control system of the business, which defines the reliability of the information within the business. Therefore, it has significant importance to the financial statement audit. This study seeks to evaluate the current state of the ITGC audit process in EY's financial statement audit process, thereby showing the impact of the ITGC audit results on the financial statement audit and giving recommendations to improve the ITGC audit process for the EY audit firm in particular and other auditing firms in general.

Keywords: ITGC auditing, IT auditing, Financial Audit


DECLARATION OF AUTHENTICITY

This thesis is the author's own research work. Therefore, the research results are truthful, and they contain no previously published content except for quotes fully cited in the thesis.

I declare that all information contained herein is true, correct, and accurate to the best of my knowledge and belief.

Ho Chi Minh City, 19th July 2023 Nguyen Hoang Bao Tram


ACKNOWLEDGEMENTS

Firstly, I would like to express my sincerest and most profound thankfulness to Mrs. Tran Thi Thu Thuy for her guidance and patience in giving me valuable recommendations during my study period. I am happy and fortunate to carry out this study under her supervision.

Secondly, I would like to thank the teachers of the Faculty of Accounting and Auditing Department for always accompanying me and caring to give me helpful knowledge and work experience, so that I have better luggage for the next steps in the future.

Thirdly, I would also like to express my sincerest thanks to all the brothers and sisters in the Technology Information Risk Assessment (ITRA) team, who have supported, guided, and provided me with professional knowledge, created opportunities for me to participate in real projects so that I could experience more, and directly guided me in the working process to achieve the best results.

Finally, I would like to express my gratitude to my family for their support during my study and life. Without their encouragement and sacrifice, I would not have finished this thesis.

Warmest regards,
Nguyen Hoang Bao Tram


TABLE OF CONTENTS

ABSTRACT
DECLARATION OF AUTHENTICITY
ACKNOWLEDGEMENTS
LIST OF ACRONYMS
NOMENCLATURE OF IMAGES

CHAPTER 1: INTRODUCTION
1.1 The significance of research
1.2 The object of research
1.2.1 General objective
1.2.2 Detailed objective
1.3 Research questions
1.4 Subject and scope of research
1.4.1 Subject of research
1.4.2 Scopes of research
1.5 Research methodology
1.6 Content of research
1.7 Topic contributions

CHAPTER 2: LITERATURE REVIEW
2.1 Literature Review
2.2 Background knowledge of IT Environment and Auditing
2.2.1 Components of the Information Technology Environment
2.2.2 Relationship between IT and Financial Statements audit
2.2.3 Definition of ITGC audit
2.2.4 IT Audit Process
2.2.5 ITGC audit process in EY

CHAPTER 3: IMPLEMENTED ITGC AUDIT PROGRESS AT EY IN ABC COMPANY AND RECOMMENDATION
3.1 General Introduction of EY
3.1.1 Introduction of EY Global
3.1.2 Introduction of Ernst & Young Vietnam (EY Vietnam)
3.2 Implemented ABC company’s ITGC Audit Progress at EY
3.2.1 Planning
3.2.2 Execution
3.2.3 Reporting
3.2.4 Summing up the survey of Auditors on ITGC Audit
3.3 Discussion and Recommendation
3.3.1 Discussion on ITGC audit process
3.3.2 Some recommendations to improve the ITGC audit at EY

CHAPTER 4: CONCLUSION
4.1 Conclusion
4.2 Limitations of the research
4.2.1 Limitation
4.2.2 Suggest for future study

REFERENCES

APPENDIX 1: IT AUDIT PROGRESS AT EY
APPENDIX 2: ITRA REQUEST FORM (INCLUDING BUDGET)
APPENDIX 3: DETAIL TESTING PHASE (BUG CHANGE – MC)
APPENDIX 4: DETAIL TESTING PHASE (ENHANCEMENT CHANGE – MC)
APPENDIX 5: DETAIL TESTING PHASE (NUS – MA)
APPENDIX 6: DETAIL TESTING PHASE (MOD – MA)
APPENDIX 7: DETAIL TESTING PHASE (MO)
APPENDIX 8: RESEARCH SURVEY QUESTIONS


MOD Modify Or Disable Access Right

ISACA Information Systems Audit and Control Association

NOMENCLATURE OF TABLE

Table 1: Describe the controls of the change management process
Table 2: Describe the controls of the change access process
Table 3: Describe the controls of the other IT operation process
Table 4: Total population at ABC company
Table 5: Evaluate the controls of the change management process at ABC enterprise
Table 6: Evaluate the controls of the access management process at ABC enterprise
Table 7: Evaluate the controls of the access management process at ABC enterprise
Table 8: ITGC process assessment summary results
Table 9: Final conclusion on ITGC process

NOMENCLATURE OF IMAGES

Image 1: ITGCs process categories
Image 2: Organization structure at EY
Image 3: Understanding IT environment components in ABC company
Image 4: Manage Change Workflow of ABC Company
Image 5: UAT of change in ABC company
Image 6: Promote request form into real environment in ABC company
Image 7: Manage Access Workflow of ABC Company
Image 8: General security access settings
Image 9: IT request form for new user account in ABC company
Image 10: Image showing permissions on the DMS system (Resigned)
Image 11: Last login date export from the DMS system - Walkthrough
Image 12: Request form of user's remove access sample in ABC company
Image 13: Image showing permissions on the DMS system (Transfer)
Image 14: Topology in ABC company
Image 15: IT audit process
Image 16: Request for IT audit involvement
Image 17: Detail testing phases - MC - Bug testing results
Image 18: Detail testing phases - MC - Enhancement testing results
Image 19: Detail testing phases - MA - NUS testing results (part 1)
Image 20: Detail testing phases - MA - NUS testing results (part 2)
Image 21: Detail testing phases - MA - NUS testing results (part 3)
Image 22: Detail testing phases - MA - NUS controls
Image 23: Detail testing phases - MA - Resign user testing results
Image 24: Detail testing phases - MA - Transfer user testing results (part 1)
Image 25: Detail testing phases - MA - Transfer user testing results (part 2)
Image 26: Detail testing phases - MA - Transfer user testing results (part 3)
Image 27: Detail testing phases - MO - Back up testing results
Image 28: Detail testing phases - MO - Restore testing results
Image 29: Survey questions

CHAPTER 1: INTRODUCTION

1.1 The significance of research

In today's modern world, new terminology and products such as Blockchain, Smart Contract, ChatGPT, and others are evidence of the rapid and outstanding development of information technology (IT) in most fields. No one can deny the benefits that IT brings to the community.

Seeing such practical benefits, businesses are gradually applying technology to their operational systems, which has brought many significant advantages such as smoother operation, efficiency, increased profits, and cost savings, thereby contributing significantly to the development of the business. As a result, IT has become an integral part of businesses’ operations, including financial reporting. However, as the use of IT increases, the associated risks have also increased; cyber threats, data breaches, and system failures are some of the risks that businesses face. Additionally, as technology continues to play an increasingly important role in the operations of organizations, it has become critical to have effective ITGC in place to ensure the integrity and accuracy of financial data. In audit, ITGC is an extremely important part of the internal control system of most companies in many fields. Therefore, an effective ITGC audit will reduce the amount of work that the auditors need to do, as well as ensure the quality of the audit and save the cost of the audit.

The author's choice of research topic for the graduate thesis was influenced by the practical problems above. After careful consideration, the author decided to focus on the "Implemented Information Technology General Control Audit Performed by EY Vietnam Audit Firm in The Audit of Financial Statements for ABC Company".

1.2 The object of research

1.2.1 General objective:

This study aims to evaluate the ITGC audit process of the EY auditing company through the ABC company case. From there, some recommendations are proposed to improve the ITGC audit process in the audit of financial statements at the company.

1.2.2 Detailed objective:

- Explore the concept of ITGC processes and their importance in the audit of financial statements.

- Illustrate the actual application of the ITGC audit process.

- Propose recommendations to improve the ITGC audit process in auditing financial statements at EY.

In conclusion, this research will provide recommendations for improving the effectiveness of the ITGC audit at EY. The recommendations will be based on best practices and industry standards and will take into account the specific context of ABC company. This research hopes to contribute to understanding ITGC processes, ITGC audit processes, their importance in mitigating IT-related risks in businesses, and their effect on the financial statement audit process.

1.3 Research questions

- How is the ITGC audit conducted in auditing financial statements at the EY auditing firm?

- What recommendations contribute to improving the ITGC audit process in auditing financial statements at the EY auditing firm?

1.4 Subject and scope of research

1.4.1 Subject of research

The subject of the research is the ITGC audit process at EY.

▪ In terms of time: Data is collected from 01st January 2022 to 28th February 2023

▪ Tools used for testing: Microsoft Excel

1.5 Research methodology

Because the author is a direct participant in the implementation of the IT audit at ABC enterprise, this thesis uses a qualitative approach to the collected data and documents. These are compared, analyzed, and evaluated to find errors or fraud, if any, so that solutions can be given. The author will collect data through the following methods:

- Observation of the IT audit and ITGC audit process at EY

- Records and documents related to the ITGC audit process at EY Vietnam

- Textbooks and documents related to the ITGC audit process, and the VACPA sample audit program

- Communication with auditors participating in ITGC audits

- A survey of the opinions of 14 auditors, including both financial auditors and IT auditors, for ABC Company at year end 2022. It will be used as one of the bases for giving recommendations.

1.6 Content of research

Chapter 1: Introduction

Chapter 2: Literature Review

Chapter 3: Implemented ITGC Audit Progress at EY In ABC Company and Recommendation

In terms of practice:

▪ Understand the importance of ITGC in business operations and its impact on financial reporting and the financial statements audit

▪ Understand how the ITGC audit process is used to support the audit of financial statements at EY

CHAPTER 2: LITERATURE REVIEW

2.1 Literature Review

The world is rapidly embracing the 4.0 technology era, and businesses are paying more attention to how their operations are connected, especially when it comes to developing information technology standards for financial statement audits. Consequently, the role of IT applications in traditional auditing is becoming increasingly vital.

According to a 2001 article by GH Tucker in the Journal of Accountancy, IT has made audits more efficient and effective by automating many tasks that were once done manually, such as data entry and analysis (Tucker, 2001). This has allowed auditors to focus more on analyzing and interpreting financial information rather than spending time on routine tasks. Additionally, IT has made it easier for auditors to access and analyze large amounts of data, which is particularly important in today's complex business environment (Tucker, 2001). However, as Tucker notes, IT has also created new challenges for auditors. One of the biggest challenges is the need for auditors to have a strong understanding of IT systems and controls to effectively assess their associated risks (Tucker, 2001). Auditors must also stay up-to-date with new technologies and their potential impact on the audit process. Another challenge is the potential for fraud and other issues related to IT security. As Tucker notes, auditors must be aware of the risks associated with IT systems and controls and be able to identify potential security breaches or other issues that could impact the accuracy of financial statements (Tucker, 2001). This requires a strong understanding of IT security protocols and the ability to identify potential vulnerabilities in IT systems.

The Sarbanes-Oxley (SOX) Act was enacted in 2002 as a response to several scandals in the United States. The Act was designed to protect investors by improving the accuracy and reliability of corporate disclosures. In addition, the Act requires companies to establish and maintain adequate internal controls over their financial reporting processes. According to S. Chan (2004), information technology can play a key role in auditors' assessment of financial reporting controls.

One of the major provisions of SOX is Section 404, which requires companies to assess and report on the effectiveness of their internal controls over financial reporting. This includes controls related to IT systems and processes that are used to generate financial statements. As Chan points out, auditors need to be able to assess the effectiveness of these controls to provide an opinion on the accuracy of the financial statements. IT systems and processes are often critical to the financial reporting process, and auditors must be able to evaluate the controls in place to ensure their effectiveness.

Another key aspect of SOX is the requirement for companies to maintain accurate and complete records of their financial transactions. This includes electronic records, which are often managed by IT systems. As Chan notes, auditors need to be able to evaluate the accuracy and completeness of these records to provide an opinion on the financial statements. IT systems play a critical role in managing these records, and auditors must be able to evaluate the controls in place to ensure the accuracy and completeness of the records.

Next, the study by Ronald J Daigle, Tim Kizirian, ChicoL Dwight Sneathen Jr (2011) used qualitative methods and produced four key results:

Firstly, the strength of IT control assessments performed by auditors is directly linked to the control risk assessment made by financial statement auditors. This means that the better the IT controls, the lower the risk of errors or fraud in financial statements.

Secondly, the control risk assessment is directly tied to the amount of time and money invested in the audit. Essentially, the higher the perceived risk, the more time and resources are allocated to ensure accuracy.

Thirdly, stronger IT control assessments are inversely related to audit hours and fees. This highlights the importance of investing in effective IT controls to save on audit costs.

Finally, comparing the second and third results, the study found that IT control strength assessments by IT auditors are just as important as the control risk assessment made by financial statement auditors in terms of actual hours and fees. The study showed that a one-point increase (or decrease) in IT control strength led to a 46% decrease (or 52% increase) in audit effort and fees, respectively.

The research of Gergő Barta (2018) with the topic “The increasing role of IT auditors in financial audit: risks and intelligent answers” is oriented to the presentation of the role of IT auditors in financial audit, using qualitative research. Having analyzed 7 challenges, the research concluded that in today's digital world, financial auditors cannot perform their duties effectively without the help of IT auditors. With the rise of technology, IT experts have become an integral part of the auditing process. Their role is crucial to ensuring that financial data is secure and free from internal fraud, which can be committed through the exploitation of vulnerabilities. Therefore, the need for IT experts to test IT environments has become increasingly important to obtain assurance and guarantee financial data protection.

The research of Shaikh, Humaiz; Uzair Jokhio, Mohammad; Ahmed Maher, Zulfikar; Chandio, Shahmurad; Manirajah, Mirza; Abdullah, Bin; Raza, Ali; Salam, Shah and Shah, Asadullah (2018), using qualitative methods, produced the result that the need for auditors to stay up-to-date with their IT skills is more critical than ever before. Auditors must be well-equipped and aware of the latest emerging methods to stay ahead of the competition and make significant progress in the market. Before carrying out extensive audit procedures, it is essential to have a thorough understanding of the technology installed in the control environment.

The research of Santy Setiawan, Barnabas Tridig S, Yuliana Gunawan, and Deta Sekar Sari (2020) with the topic “The Effect of Information Technology Audit on the Audit Quality in Detecting Fraud Using the Competence of the Auditor as a Moderation Variable” used qualitative research. Its findings suggest that IT auditing plays a crucial role in maintaining the quality of auditing and detecting fraudulent activities. It also notes that the competence of the auditor acts as a moderation variable in the process.

By reviewing many articles and studies centered around the use of IT in auditing, the author has discovered a new trend that is leading the world, and Vietnam is no exception. Researchers worldwide are flocking to this topic, and for a good reason. These previous studies have explored every aspect of the subject, from the influencing factors to the impact of IT audits, the role of auditors in IT audits, and the use of IT in auditing financial statements, and all conclude that IT and IT audits have an important impact on the quality of financial statements. These studies delve into various research directions and highlight the significance of incorporating modern technological advances into the auditing process. However, there seems to be a lack of sufficient research highlighting the tangible advancements in IT audits, particularly ITGC audits, and their consequential influence on financial audit scenarios.

Moreover, the year 2020 brought unprecedented challenges to businesses worldwide with the outbreak of the Covid-19 pandemic. As a result, earlier studies on the application of IT in business operations did not account for this complex and rapidly changing environment. Fast forward to 2023, the author's research takes into consideration the impact of the pandemic on the use of IT in business operations. This means that the findings show a stark contrast in the effectiveness of IT before and after the pandemic.

With those differences, the author decided to implement the empirical research method to study the ITGC audit process and its impact on the financial statements of ABC company by choosing the topic “Implemented Information Technology General Control Audit Performed by EY Vietnam Audit Firm in The Audit of Financial Statements for ABC Company”.

2.2 Background knowledge of IT Environment and Auditing

2.2.1 Components of the Information Technology Environment

According to Marshall B Romney and Paul J Steinbart (2015), the IT environment consists of 4 main components:

Computer network: a collection of computers connected by a transmission line in a certain structure. Computers in the network can exchange information with each other. Usually, access to the network is limited to users such as the Network Administrator, so there is less risk for the audit process.

Operating system: a collection of programs organized into a system with the task of ensuring interaction between users and computers, providing facilities and services to coordinate the execution of programs, and managing the machine's resources and organizing them so that they can be used conveniently and optimally. The operating system has no direct influence on the correctness of operational processes because its primary function is to manage the communication between hardware and software in the IT environment. Normally, access to the operating system is limited to authorized users such as system administrators. However, when the IT application integrates with the operating system, the operating system is related to the accuracy of the operations.

Database: an organized collection of data, stored in a computer. Databases are designed and built to allow users to store data, retrieve information, or update data. The risk of the database creating a material misstatement in the financial statements is lower than that of the IT processes because most data is less affected by IT staff.

Information technology application: a program or group of programs designed for end users. Because IT applications include procedures for receiving process information, executing the process, and presenting information in a report, the use of IT applications carries the highest risk of creating material misstatement in the financial statements.

2.2.2 Relationship between IT and Financial Statements audit

In the “Guideline for Audit of IT Environment” of the European Court of Auditors (ECA), it is concluded that financial transactions and statements are primarily processed using IT systems. As a result, financial and administrative controls are becoming increasingly computerized in form in order to assure data correctness and integrity.

IT systems, which are one of the five components of the internal control framework, should have the needed IT controls in place to reduce IT-related risks, ensure the confidentiality, availability, and integrity of data, and maintain the efficiency and effectiveness of business operations.

Moreover, section 404 of the Sarbanes-Oxley (SOX) 2002 Act is one of the sections that has an impact on the IT department and the auditor. This section includes the requirements for the monitoring and maintenance of ITGC related to the business's accounting and financials. It mandates that a yearly assessment be done by an independent party (auditor), and that it be separate from other audits (i.e. financial statements) to prevent conflicts of interest. ITGC in section 404 is separated into four groupings: access control, data backup and recovery, application change and management control, and systems development life cycle (SDLC). ITGC are also an integral part of many different operational and regulatory (federal and state) audits, including: Health Insurance Portability and Accountability Act of 1996 (HIPAA), Statement on Standards for Attestation Engagements no. 16 (SSAE16).

To summarize, IT auditing is a part of financial statement auditing because the auditor must ensure that the internal controls of computerized accounting or other information systems are functioning properly to guarantee the integrity, reliability, and completeness of the data. The IT auditor evaluates the audited entity's IT environment, assesses its control risks, and advises the financial auditor on the results.

2.2.3 Definition of ITGC audit

2.2.3.1 Definition of IT audit and ITGC

IT audit

According to Harvard University’s definition, “An Information Technology audit is the examination and evaluation of an organization's information technology infrastructure, applications, data use and management, policies, procedures and operational processes against recognized standards or established policies. Audits evaluate if the controls to protect information technology assets ensure integrity and are aligned with organizational goals and objectives.”

ITGC

According to ACCA UK’s internal audit network, ITGC are controls associated with the environment that supports IT applications. As a result, the suitability and effectiveness of ITGCs has an impact on all of the organization's IT applications.

ITGC audit

From the above two definitions, the author identifies the ITGC audit as the examination and evaluation of controls associated with the environment that supports IT applications.

2.2.3.2 The objects of ITGC auditing

During the planning stage of an engagement, audit goals are defined and closely aligned with the business process objectives under review. The majority of engagements are focused on ensuring that controls are in place to effectively reduce risks that might prevent the process from meeting its business objectives. Auditors additionally check that engagement goals are aligned with the organization's goals in terms of:

1. Achievement of operational targets

2. Information reliability and integrity

3. Asset protection

4. Resource utilization that is both effective and efficient

5. Compliance with major policies, processes, laws, and regulations

2.2.4 IT Audit Process

Understanding the IT audit process helps in understanding the importance of IT integration. The audit process is the activity performed by an auditor to obtain evidence that supports the formation of a reasonable opinion on a company's financial statements. An IT audit occurs only when, in the planning stage, the financial auditor assesses that the client's IT system materially affects the items on the financial statements.

There are various ways to divide the audit process into different phases. However, just as with the financial statement audit, the ECA divides the IT audit into three stages: Planning, Execution and Reporting.

2.2.4.1 Planning

In this phase, four main tasks need to be completed, in order:

First, it is critical for the auditor to get an understanding of the auditee's IT systems during the planning stage of an ITGC audit, such as their IT policies, their employees, as well as their IT organization, software, and hardware. Furthermore, the auditor should analyze any issues raised during previous internal or external audits of the auditee's IT systems.

Following that, the auditor must identify which IT applications are important in the context of financial reporting and corporate management, as well as obtain relevant data and understanding for risk assessment and IT audit work planning.

Third, the auditors need to assess the complexity of the IT systems in order to identify risks and decide whether there is a need for the support of the IT audit team.

Finally, the auditors use all the information from the above steps to make a preliminary risk assessment to identify the risk of material misstatement consequent upon the use of IT and decide whether there is a need for an application controls audit.

2.2.4.2 Execution

In this stage, the auditors first need to review the general controls of the auditee’s IT environment. If they are effective, the auditors move on to review the application controls (if requested in the planning stage).

Standards Guidelines Tools and Techniques by the Information Systems Audit and Control Association (ISACA) points out that ITGC act as a foundation on which specific application controls are built, so ineffective ITGC will lead to ineffective application controls. Therefore, the highlight of this stage is that the performance of the ITGC audit is the most important part, because the IT auditor must ensure the integrity (reliability) of the information that is collected in the financial statement audit.

2.2.4.3 Reporting

Based on the audit process model by VACPA 2019, in this stage the audit team summarizes the audit results and evaluates the appropriateness of the audit evidence to build the audit opinion. However, in the IT audit process, the auditors in this phase will make an overall assessment of IT controls, which can lead to three possible conclusions in the context of the financial audit:

- IT controls are effective;

- Some weaknesses are noted in the effectiveness of IT controls; however, the system overall is considered reliable;

- IT controls are ineffective.

2.2.5 ITGC audit process in EY

Because each organization has unique features in terms of operational procedures and technological infrastructure, the method and scope of auditing will change depending on them. First, the financial auditors and the ITRA team will collaborate to identify the scope of the audit and find out the relevance of the information systems to the accounts in the financial statements. To help guarantee the reasonableness and truthfulness of the financial statements, the ITRA department will control the system components based on the requirements of the financial auditors. However, the critical control contents of the ITRA department consist of three categories: ITGC, application controls, and journal entry testing (please refer to Appendix 1 for a summary of the IT audit process at EY).

In the IT audit stage, ITGCs are a mandatory category for any IT audit; in many cases the IT audit includes only the ITGC audit because the other parts are performed manually and are taken over by the financial statement audit. ITGCs are implemented to ensure that application systems and related IT infrastructure layers are incorporated into business processes.

For the scope of ITGCs, the IT auditor team at EY will conduct 3 main processes, which are: Manage Change (MC), Manage Access (MA) and Manage other IT Operation (MO).


Image 1: ITGCs process categories

Source: EY internal policies

After understanding the enterprise's IT process through a detailed understanding of the control process in the IT environment, the IT auditor determines the characteristics of the internal control system and its associated risks. From that, they can plan and come up with specific testing strategies and methods for each of the above processes.

Potential risks

Each business's processes will have unique characteristics; therefore, in this chapter, a general description of each process's contents will be presented. The material provided will still clarify the common factors to be taken into account in the processes mentioned above, as well as the risks that arise during operation and the controls that are put in place to minimize those risks.

2.2.5.1 Manage Change (MC)

Changes in the systems and applications used by businesses are unavoidable due to the need to advance and improve science, technology, and business operations. Before modifications are made to the current system, changes that have an impact on financial aspects should be studied, debated, and accepted in order to guarantee the reliability and correctness of the data within the system.

The controls implemented to minimize the risks that may result from these changes are shown in Table 1 below.

Table 1: Description of the controls of the change management process

Potential Risk | Control Implemented | Control Description

Potential Risk: Inappropriate change
Control Implemented: Changes are reviewed and approved by an authorized person
Control Description: A requested change should be reviewed against the requirements, system state, business and necessity, and approved by individuals with authority.

Potential Risk: The change did not meet the requirements because it was not tested by the business department/end-user
Control Implemented: Changes are tested and approved by the requestor/end-user/business department
Control Description: The user checks and validates the testing that is carried out during programming. Test results are recorded and checked by an authorized individual. Before being implemented in the real environment, changes must have a successful test and then be accepted by an authorized

Potential Risk: There is abuse of power in the process of making changes
Control Implemented: Separation of tasks
Control Description: There should be a separation of duties between the personnel conducting the change:
1. The requestor/programmer and the approver cannot be the same person.
2. The programmer and the person who migrates the change into the production environment are not allowed to be the same person.
3. The person who migrates the change into the production environment and the person who monitors it after the change are not the same person.
The third party should be supervised when accessing and making changes to the operating environment.

Source: EY internal IT audit guide
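
The controls in Table 1 can be tested mechanically over a population of change tickets: approval by an authorized person, end-user test sign-off, and the three separation-of-duties rules. The Python code below is an added example, not part of the thesis or of EY's audit guide; the ticket fields, user names and approver list are constructed assumptions.

```python
from typing import NamedTuple, Optional

class Change(NamedTuple):
    """One change ticket; the field names are a hypothetical evidence schema."""
    ticket: str
    requestor: str
    programmer: str
    approver: Optional[str]       # None means no approval was recorded
    uat_signed_by: Optional[str]  # end-user/business sign-off on the test results
    migrator: str                 # person who moved the change into production
    monitor: str                  # person who monitored the change after go-live

# Constructed list of individuals with authority to approve changes.
AUTHORIZED_APPROVERS = {"it_manager", "cfo"}

def check_change(c):
    """Return the Table 1 control exceptions found for one change ticket."""
    findings = []
    if c.approver not in AUTHORIZED_APPROVERS:
        findings.append("not approved by an authorized person")
    if c.uat_signed_by is None:
        findings.append("no end-user test sign-off before production")
    if c.approver in (c.requestor, c.programmer):
        findings.append("SoD 1: requestor/programmer is also the approver")
    if c.programmer == c.migrator:
        findings.append("SoD 2: programmer migrated own change to production")
    if c.migrator == c.monitor:
        findings.append("SoD 3: migrator also monitored the change")
    return findings

def audit(changes):
    """Map ticket id -> list of exceptions, omitting tickets with none."""
    results = {c.ticket: check_change(c) for c in changes}
    return {ticket: f for ticket, f in results.items() if f}

# Constructed sample population of three change tickets.
CHANGES = [
    Change("CHG-001", "ap_clerk", "dev_an", "it_manager", "ap_lead", "ops_binh", "ops_chi"),
    Change("CHG-002", "dev_an", "dev_an", "dev_an", None, "dev_an", "dev_an"),
    Change("CHG-003", "gl_lead", "dev_dung", "cfo", "gl_lead", "dev_dung", "ops_chi"),
]

if __name__ == "__main__":
    for ticket, findings in audit(CHANGES).items():
        for finding in findings:
            print(f"{ticket}: {finding}")
```
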

2.2.5.2 Manage Access (MA)

MA comprises the controls that prevent inappropriate and unauthorized use of the system across all layers of systems: operating system, database and application.

As with MC, the controls implemented to minimize the risks that may result are shown in Table 2 below.

Table 2: Description of the controls of the manage access process

Potential Risk | Control Implemented | Control Description

There should be IT policies and settings on the system so that only authorized users can log into the enterprise's data system. In addition, there should be strict control of administrative accounts, such as always leaving these accounts disabled when they are not in use, and only authorized people can log in.
1. General security settings are configured appropriately to authenticate users.
2. Password settings in the environment (application, operating system and database level) are appropriate.
3. Passwords and other key security settings are verified periodically against the appropriate settings defined by policy.
4. Default passwords to delivered system IDs that affect system security have been changed or the related accounts have been disabled.

Access to privileged IT functions, system resources, and utilities should be restricted to appropriate personnel and should have a log recorded, as well as management personnel to check it regularly.
personnel
2. Access to system resources & utilities is restricted to appropriate personnel.

Potential Risk: Access requests for IT and business users of components of the IT environment are inappropriate
Control Implemented: New or additional access rights are approved by an appropriate management person in advance of the access being granted
Control Description: Access requests should be approved by the department head before access is granted.

Potential Risk: Access granted to components of the IT environment does not match the access approved
Control Implemented: The user access right is created/updated appropriately based on the request from the business user
Control Description: After permission is granted, a user access review is needed during the year to see whether the user's rights match the request form.

The access rights of users who are leaving the entity's employ or who have changed job responsibilities are revoked in a timely manner, based on notification from HR or the user's supervisor or manager.

Potential Risk: The manage access process is not adequately monitored at management level
High-level managers take responsibility for monitoring access rights frequently.
1. The appropriateness of access rights is verified periodically by appropriate management personnel.
2. The IT Supervisor reviews administrative users' access activities daily in the System Daily Checklist. The checklist is reviewed by the Senior Manager of the IT department.

Potential Risk: Inconsistency/non-compliance in applying IT controls
Consistency checks are performed when applying IT controls in the business.
Internal IT audit is performed periodically.
Physical access is limited to authorized personnel, and only these people hold the key to the server room.

Potential Risk: Access to functions within the IT application is combined into roles. The access rights within the roles contain segregation of duties issues that could cause a material
Separation of tasks
Different individuals approve user access, set up user access, and monitor access violations/violation attempts. The individuals with privileged user access do not perform privileged user access
1. There is a defined process to change the access rights within the roles that includes approval by appropriate business management.
2. The composition of roles is reviewed for appropriateness at least annually.

Source: EY internal IT audit guide
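
Several of the Table 2 controls reduce to reconciling three pieces of evidence: the approved access request forms, the access actually granted in the system, and HR's leaver notifications. The Python code below is an added example, not part of the thesis or of EY's audit guide; all users, roles, dates and the data layout are constructed assumptions.

```python
from datetime import date

# Constructed sample evidence; every user, role and date below is hypothetical.
# Approved access request forms: user -> roles signed off by the department head.
APPROVED = {"lan": {"AP_CLERK"}, "minh": {"GL_VIEW", "GL_POST"}, "quan": {"AP_CLERK"}}
# Accounts and roles extracted from the application.
GRANTED = {
    "lan":   {"roles": {"AP_CLERK"}, "enabled": True},
    "minh":  {"roles": {"GL_VIEW", "GL_POST", "SYS_ADMIN"}, "enabled": True},
    "quan":  {"roles": {"AP_CLERK"}, "enabled": True},
    "tuan":  {"roles": {"GL_POST"}, "enabled": True},    # no request form on file
    "admin": {"roles": {"SYS_ADMIN"}, "enabled": True},  # delivered system ID
}
LEAVERS = {"quan": date(2023, 3, 31)}  # HR notification: user -> last working day
DEFAULT_IDS = {"admin"}                # delivered IDs expected to be disabled
AS_OF = date(2023, 6, 30)              # date of the access listing

def review_access(approved, granted, leavers, default_ids, as_of):
    """Return sorted (user, finding) exceptions for a periodic user access review."""
    findings = []
    for user, account in granted.items():
        if not account["enabled"]:
            continue  # a disabled account cannot log in, so nothing to report
        if user in default_ids:
            findings.append((user, "delivered system ID still enabled"))
            continue
        if user not in approved:
            findings.append((user, "access granted without an approved request"))
        else:
            extra = account["roles"] - approved[user]
            if extra:
                findings.append((user, "roles exceed approval: " + ", ".join(sorted(extra))))
        if user in leavers and as_of > leavers[user]:
            days = (as_of - leavers[user]).days
            findings.append((user, f"leaver still active {days} days after last working day"))
    return sorted(findings)

def sample_review():
    """Run the review over the constructed sample above."""
    return review_access(APPROVED, GRANTED, LEAVERS, DEFAULT_IDS, AS_OF)

if __name__ == "__main__":
    for user, finding in sample_review():
        print(f"{user}: {finding}")
```
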

2.2.5.3 Manage other IT operation (MO)

The system could encounter issues with its hardware or software, which would disrupt operations. Controls are therefore required to enable the system to function flexibly and respond to emergencies and accidents.

Table 3: Description of the controls of the other IT operation process

Potential Risk | Control Implemented | Control Description

Potential Risk: Data is lost when the system fails
Control Implemented:
- Data backup
- Checking data recovery periodically
Control Description: A routine must be followed for frequently backing up data. Tape, disk, and other backup device data must be archived. Maintain a record of periodically reviewing and approving the findings of data recovery.

Potential Risk: Handling untimely or unrecognized incidents
Control Implemented: Record and handle incidents in a timely manner according to the policy
Control Description: Users are required to report incidents as they happen. Next, the department responsible for troubleshooting needs to solve them right away, within a reasonable amount of time. Also, they should record a list of problems so that the system can be maintained and improved.

Potential Risk: When a disaster occurs, the system is unable to be
Control Implemented:
- Develop a plan to ensure business continuity, respond to potential threats
- Make periodic assumptions

Source: EY internal IT audit guide

CHAPTER 3: IMPLEMENTED ITGC AUDIT PROGRESS AT EY IN ABC COMPANY AND RECOMMENDATION

3.1 General Introduction of EY

3.1.1 Introduction of EY Global

3.1.1.1 History of the formation and development

According to EY's official website, the company was founded in 1989 as a result of the merger of two auditing firms, A.C Ernst and Arthur Young.

In 2000, EY became the first of the "Big Four" firms to formally and fully separate its consulting services.

In 2006, EY became the only member of the Big Four to have two member firms in the United States, with the inclusion of Mitchell & Titus, LLP, the largest minority-owned accounting firm in the United States.

In 2013, EY changed its brand name from Ernst & Young to EY and its tagline to "Building a better working world." As of 2023, EY functions as a network of member firms, each of which is an independent legal entity in its own country. It employs 270,000 people in over 700 offices spread over 150 countries. The Regions span three geographic Areas: Americas; Asia-Pacific; and Europe, Middle East, India and Africa. All of its people work in one of its service lines – Assurance, Advisory, Tax, Transaction Advisory Service (TAS) – or in Core Business Services (CBS), which provides internal operational support such as Human Resources (HR) and EY Technology.

EY was placed 52nd on Fortune magazine's list of the 100 Best Companies to Work For in 2018. In 2017, EY was the ninth biggest privately held company in the United States.

3.1.1.2 Value and business culture

EY Global is one of the leading professional services firms in the world, with a strong focus on delivering value to clients and building a better working world. The company's mission is to help clients solve their toughest challenges and realize their greatest ambitions. EY Global places a strong emphasis on innovation, collaboration, and integrity, and strives to create a culture that values diversity and inclusion.

According to EY's official website, the company's values are: Integrity, Respect, Teamwork, Excellence, Stewardship.

EY Global has been recognized as one of the best companies to work for, and places a strong emphasis on employee development and career growth. The company offers a range of training and development programs, including mentoring, coaching, and leadership development.

o Fraud investigation and dispute settlement services: Fraud investigation, Dispute resolution, Anti-fraud solutions,

▪ Tax consulting services:

o Tax service and consulting in business activities

o Tax consulting service and Indirect tax

o International tax consulting service

o Tax consulting services for corporate restructuring, mergers and acquisitions transactions

▪ Business consulting services:

o Improve operational efficiency: Finance, Supply Chain,

o Risk consulting: Internal audit, Consulting on corporate governance, Risk management and compliance,

o Risk and security consulting in Information Technology: Supporting independent audits related to Information Technology, Internal audit consulting for Information Technology,

4.1.1.1 Auditing organization structure

Image 2: Organization structure at EY

[Organization chart: Partners (EY Global); Partner (Vietnam and Cambodia); Administration Departments (Accounting, IT, Back-office, HR); Professional Department (Auditing, Consulting, Tax)]

(Source: EY internal)

There are two groups of departments in EY: the administration group and the professional group. The company's administration group includes an accounting department, an IT department, a back-office department and an HR department. However, in EY Vietnam, the most important part, which brings revenue and profit to the company, is the professional group. This group currently consists of 3 main departments: Auditing department, Consulting department and Tax department.

Audit team model

Like other auditing firms, the audit organization model at EY is divided into two main parts: the group that performs the audit and the group that evaluates it and gives the audit results.

- Auditing team:

o Members: Audit team leader and Audit assistant

o Scope of work: Planning the implementation, directly participating in the audit activities, assigning work directly to the audit assistant, monitoring the work situation and reporting to the audit manager.

- The review team, which gives the audit results:

o Members: Audit manager, senior audit manager and audit director

o Scope of work: The audit leader regularly monitors the work and reviews the progress that the team has made. The senior audit manager will review the work and make preliminary audit conclusions in complex cases. The audit director is the person who directly participates in the risk assessment, signs contracts and reports, reviews the audit work and makes the final audit conclusions.

3.1.2 Introduction of Ernst & Young Vietnam (EY Vietnam)

3.1.2.1 History of the formation and development of EY Vietnam

Ernst and Young Vietnam (EY Vietnam) was established in 1992 as one of the first foreign-invested professional services firms in Vietnam. It is a member firm of Ernst and Young Global, which is one of the world's largest professional services firms. Since its inception, EY Vietnam has grown rapidly and has become one of the most respected and trusted professional services firms in Vietnam. The company provides a wide range of services, including audit, tax, advisory, and transaction advisory services, to clients in a variety of industries.

EY Vietnam has offices in the two biggest cities in Vietnam, Hanoi and Ho Chi Minh City. It employs over 1000 local and expatriate professionals with vast expertise in servicing multinational customers domestically and internationally.

Furthermore, EY Vietnam is committed to providing the same quality of professional service that its clients worldwide have come to expect.

Locally, EY Vietnam is committed to doing its share to create a better working environment for its people, clients, and communities.

In 2015, Accounting Today reported that EY Vietnam had overtaken the remaining competitors in the Big Four (Deloitte, PwC and KPMG) in the number of audits of public companies.

In 2016, EY Vietnam ranked 85th in the top 100 best places to work in Vietnam, as voted by HR Asia magazine. This is the first year EY Vietnam has received this award.

In 2017, EY Vietnam won the "Best Financial Services" award at the Asia Pacific Enterprise Awards (APEA).

In 2018, EY Vietnam was honored as one of the 100 best places to work in Vietnam, as voted by HR Asia magazine. This is the third consecutive year EY Vietnam has received this award.

In 2019, EY Vietnam won the "Best Financial Services" award at the Asia Pacific Enterprise Awards (APEA).

In 2020, EY Vietnam was honored as one of the 100 best places to work in Vietnam, as voted by HR Asia magazine. This is the fourth consecutive year EY Vietnam has received this award.

3.1.2.2 Introduction of Technology Information Risk Assessment Department (ITRA)

The ITRA team currently has dozens of employees, up to 50, working at 2 main offices located in Ho Chi Minh City and Hanoi. This department provides 2 main services: IT audit for the purpose of supporting the audit of financial statements and

Date posted: 13/09/2023, 15:19
