Jack Herron is an IT auditor with McGee LLP, a large national public accounting firm. His manager, Amanda McDermott, has assigned him to the Linz Company audit. The McGee financial auditors have requested that the IT auditors complete several auditing steps so that they may make a decision about the scope of their audit work. The IT auditors also need to evaluate IT controls to provide the financial auditors with information in order to garner an opinion on internal controls as part of Sarbanes-Oxley compliance. The Linz Company manufactures automotive parts and supplies them to the largest auto-makers. The company has approximately 600 employees and has manufacturing operations and offices in three locations. Linz uses a mid-sized ERP software program for manufacturers that they acquired and implemented two years ago. Amanda has asked Jack to develop an audit program to examine logical access to the ERP system. According to the Security Administrator at Linz, each employee is assigned a unique User ID and password when they join the company. The company is very concerned about security, so there is no remote access to the ERP system. The ERP system requires that users change their passwords every six months. System and group settings assigned to each User ID determine what parts of the ERP systems are available to each user.

Requirements:
1. Explain how a deficiency in controls over User IDs and passwords might impact Linz’s financial statements.
2. Explain why auditing User IDs and passwords should be part of the overall IT audit program for Linz.
3. Describe at least four control procedures that Linz could have in place to ensure that only authorized users access the system and that user access is limited according to their responsibilities.