MINISTRY OF EDUCATION AND TRAINING HO CHI MINH CITY UNIVERSITY OF BANKING GRADUATION THESIS IMPLEMENTED INFORMATION TECHNOLOGY GENERAL CONTROL AUDIT PERFORMED BY EY VIETNAM AUDIT FIRM IN THE AUDIT OF FINANCIAL STATEMENTS FOR ABC COMPANY NGUYEN HOANG BAO TRAM HO CHI MINH CITY –2023 MINISTRY OF EDUCATION AND TRAINING HO CHI MINH CITY UNIVERSITY OF BANKING GRADUATION THESIS IMPLEMENTED INFORMATION TECHNOLOGY GENERAL CONTROL AUDIT PERFORMED BY EY VIETNAM AUDIT FIRM IN THE AUDIT OF FINANCIAL STATEMENTS FOR ABC COMPANY Major: Accounting - Auditing Major code: 7340301 Student name: Nguyen Hoang Bao Tram Student code: 050607190562 Class: HQ7-GE01 Supervisor: Ph.D Tran Thi Thu Thuy HO CHI MINH CITY –2023 i ABSTRACT Due to business’s rapid growth, many companies require a wide range of software, from small-scale to enterprise-class, to match their characteristic business objects ITGC (Information Technology General Control) is commonly referred to as a part of the internal control system of the business, which defines the reliability of the information within the business Therefore, it has a significant importance to financial statement audit This study seeks to evaluate the current state of the ITGC audit process in EY’s financial statement audit process, thereby providing the impact of the ITGC audit results on the financial statement audit and giving recommendations to improve the ITGC audit process for EY audit firm in particular and other auditing firms in general Keywords: ITGC auditing, IT auditing, Financial Audit ii DECLARATION OF AUTHENTICITY This thesis course is the author's research work Therefore, the research results are truthful, in which there is no previously published content except for quotes fully cited in the thesis course I declare that all information contained herein is true, correct, and accurate to the best of my knowledge and belief Ho Chi Minh City, 19th July 2023 Nguyen Hoang Bao Tram iii ACKNOWLEDGEMENTS Firstly, I would like to express my sincerest and most profound thankfulness to Mrs Tran Thi Thu Thuy for her guidance and patience in giving me valuable recommendations during my study period I am happy and fortunate to carry out this study under her supervisor Secondly, I would like to thank the teachers of the Faculty of Accounting and Auditing Department for always accompanying and carrying to give me helpful knowledge and work experiences to have better luggage for the next steps in the future Thirdly, I would also like to express my sincerest thanks to all the brothers and sisters in the Technology Information Risk Assessment (ITRA) team has supported, guided, and provided me with professional knowledge, created opportunities for me to participate in real projects so that I can experience more and directly guided me in the working process to achieve the best results Finally, I would like to express my gratitude to my family for their support during my study and life Without their encouragement and sacrifice, I would not have finished this thesis Warmest regards Nguyen Hoang Bao Tram iv TABLE OF CONTENTS ABSTRACT i DECLARATION OF AUTHENTICITY ii ACKNOWLEDGEMENTS iii LIST OF ACRONYMS vi NOMENCLATURE OF IMAGES ix CHAPTER 1: INTRODUCTION .1 1.1 The significance of research 1.2 The object of research 1.2.1 General objective: 1.2.2 Detailed objective: 1.3 Research questions 1.4 Subject and scope of research 1.4.1 Subject of research 1.4.2 Scopes of research 1.5 Research methodology 1.6 Content of research 1.7 Topic contributions CHAPTER 2: LITERATURE REVIEW 2.1 Literature Review 2.2 Background knowledge of IT Environment and Auditing 10 2.2.1 Components of the Information Technology Environment 10 2.2.2 Relationship between IT and Financial Statements audit 11 2.2.3 Definition of ITGC audit 12 2.2.4 IT Audit Process 13 2.2.5 ITGC audit process in EY 14 CHAPTER 3: IMPLEMENTED ITGC AUDIT PROGRESS AT EY IN ABC COMPANY AND RECOMMENDATION 24 3.1 General Introduction of EY 24 3.1.1 Introduction of EY Global 24 3.1.2 Introduction of Ernst & Young Vietnam (EY Vietnam) 27 v 3.2 Implemented ABC company’s ITGC Audit Progress at EY 29 3.2.1 Planning 29 3.2.2 Execution 31 3.2.3 Reporting 55 3.2.4 Summing up the survey of Auditors on ITGC Audit 56 3.3 Discussion and Recommendation 57 3.3.1 Discussion on ITGC audit process 57 3.3.2 Some recommendations to improve the ITGC audit at EY 58 CHAPTER 4: CONCLUSION 60 4.1 Conclusion 60 4.2 Limitations of the research .60 4.2.1 Limitation 60 4.2.2 Suggest for future study 61 REFERENCES 62 APPENDIX 1: IT AUDIT PROGRESS AT EY 65 APPENDIX 2: ITRA REQUEST FORM (INCLUDING BUDGET) 66 APPENDIX 3: DETAIL TESTING PHASE (BUG CHANGE – MC) 67 APPENDIX 4: DETAIL TESTING PHASE (ENHANCEMENT CHANGE – MC) 68 APPENDIX 5: DETAIL TESTING PHASE (NUS – MA) 69 APPENDIX 6: DETAIL TESTING PHASE (MOD – MA) 73 APPENDIX 7: DETAIL TESTING PHASE (MO) 78 APPENDIX 8: RESEARCH SURVEY QUESTIONS .80 vi LIST OF ACRONYMS Acronym Denotation IT Information Technology ITRA Technology Information Risk Assessment ITGC Information Technology General Control SOX Sarbanes-Oxley Act SDLC Systems Development Life Cycle OS Operating System DB Database TAS Transaction Advisory Service CBS Core Business Services HR Human Resources Department EY Ernst and Young APEA Asia Pacific Enterprise Awards MC Manage Change MA Manage Access MO Manage other IT Operations UAT User Acceptance Testing BA Business Analysis NUS New User Setting Access vii MOD Modify Or Disable Access Right BCP Business Continuity Plan DRP Disaster Recovery Plan BA Business Analyst ECA European Court of Auditors ISACA Information Systems Audit and Control Association UAT User Acceptance Testing viii NOMENCLATURE OF TABLE Table 1: Describe the controls of the change management process 17 Table 2: Describe the controls of the change access process 19 Table 3: Describe the controls of the other IT operation process 22 Table 4: Total population at ABC company 31 Table 5: Evaluate the controls of the change management process at ABC enterprise 39 Table 6: Evaluate the controls of the access management process at ABC enterprise 48 Table 7: Evaluate the controls of the access management process at ABC enterprise 54 Table 8: ITGC process assessment summary results 56 Table 9: Final conclusion on ITGC process 56