1) | Information technology general controls (ITGCs) around financially significant information technology (IT) systems were not effective. Specifically, the ITGCs around system access were not operating consistently to ensure that access to applications and data was adequately restricted to appropriate personnel. Because of the deficiency in ITGCs for these systems, the business process controls (automated and manual) that are dependent on these systems were also deemed ineffective because they could have been adversely impacted. These control deficiencies were a result of an inadequate assessment of IT risks, which in turn contributed to inappropriate reliance on manual business process controls rather than ITGCs. |
2) | Internal controls around the payroll process were ineffective due to an aggregation of deficiencies relating to the IT deficiencies described above, ineffectively designed controls over payroll changes, and ineffective review and monitoring controls. These control deficiencies were a result of an inadequate assessment of risk related to outsourcing payroll processing to a third-party provider, which contributed to the ineffective design of controls intended to validate that manual changes to payroll inputs were appropriate. |