Why do auditors need to understand information processing controls and general IT controls?
Control activities are one of the components of the company’s system of internal control.
Control activities include information processing controls and general IT controls, both of which may be manual or automated in nature. The auditor needs to identify the IT applications and the supporting IT infrastructure in order to understand how information relating to significant classes of transactions, account balances and disclosures flows into, through and out of the company’s information system.
The greater the extent of automated controls that management uses and relies on in relation to its financial reporting, the more important it may become for the company to implement general IT controls that address the functioning of the automated aspects of information processing controls.
The auditor obtains an understanding of the information processing controls and general IT controls by performing risk assessment procedures, specifically by:
1. Identifying the IT applications that are subject to risks arising from the use of IT.
2. Identifying the risks arising from the use of IT and the related general IT controls.
3. Identifying the company’s general IT controls that address such risks.
The identification of IT applications on which
the company relies may affect the auditor’s decision to test the automated
controls within such IT applications, assuming that such automated controls
address identified risks of material misstatement. In considering whether the
IT applications for which the auditor has identified automated controls are
subject to risks arising from the use of IT, the auditor is likely to consider
whether, and the extent to which, the company may have access to source code
that enables management to make program changes to such controls or the IT
applications. The auditor is also likely to consider the risk of inappropriate
access or changes to data.
Example characteristics of an IT application that is likely to be subject to risks arising from the use of IT:
- The application is interfaced with other applications.
- The volume of data (transactions) processed is significant.
- The application’s functionality is complex: it automatically initiates transactions, and a variety of complex calculations underlie the automated entries.
- Management relies on the application to process or maintain a significant volume of data, and relies on it to perform certain automated controls that the auditor has also identified.
Examples of risks arising from the use of IT include risks related to inappropriate reliance on IT applications that are inaccurately processing data, processing inaccurate data, or both, such as:
● Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
● The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
● Unauthorized changes to data in master files.
● Unauthorized changes to IT applications or other aspects of the IT environment.
● Failure to make necessary changes to IT applications or other aspects of the IT environment.
● Inappropriate manual intervention.
● Potential loss of data or inability to access data as required.
3. Identifying the company’s
general IT controls that address such risks
General IT controls are implemented to address
risks arising from the use of IT.
General IT controls are policies and procedures
that relate to many applications and support the effective functioning of
application controls by helping to ensure the continued proper operation of
information systems. General IT controls usually include controls over data
center and network operations; system software acquisition, change and
maintenance; access security; and application system acquisition, development,
and maintenance.
Examples of general IT controls, grouped by the IT process that establishes them, include:
Process to manage access: authentication, authorization, provisioning, deprovisioning, privileged access, user access reviews, security configuration controls, physical access.
Process to manage program or other changes to the IT environment:
i) Controls over the process to design, program, test and migrate changes to a production (i.e., end user) environment.
ii) Controls that segregate access to make and migrate changes to a production environment.
iii) Controls over initial IT application development or implementation (or in relation to other aspects of the IT environment).
iv) Controls over the conversion of data during development, implementation or upgrades to the IT environment.
Process to manage IT operations: job scheduling, job monitoring, backup and recovery, intrusion detection.
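As an added illustration (not part of the original page) of what a user access review under the access-management process looks like in practice, and of the "access privileges beyond assigned duties" and "make and migrate changes" risks listed above, the script below runs three checks over a constructed entitlement export and HR extract: toxic combinations of rights (segregation-of-duties conflicts), accounts that survived a leaver's deprovisioning, and rights that exceed the baseline for the user's job. The user names, right names, rules and role baselines are all constructed for the example.

```python
"""Added example, not taken from the page: a simple user access review.

All data below is constructed. Real reviews would pull the entitlement
export from the application or identity provider and the HR extract from
the HR system, then reconcile the two as done here.
"""

# Constructed HR extract: job title and whether the person is still employed.
HR_RECORDS = {
    "alice": {"job": "developer", "active": True},
    "bob":   {"job": "release_manager", "active": True},
    "carol": {"job": "developer", "active": False},   # left the company
    "dave":  {"job": "accounts_payable", "active": True},
    "erin":  {"job": "dba", "active": True},
}

# Constructed entitlement export: (user, right) pairs as a system would list them.
ENTITLEMENTS = [
    ("alice", "GIT_PUSH_APP"),        # can change application code...
    ("alice", "DEPLOY_PROD"),         # ...and can migrate it to production
    ("bob", "DEPLOY_PROD"),
    ("carol", "GIT_PUSH_APP"),        # account not removed after she left
    ("dave", "AP_ENTER_INVOICE"),
    ("dave", "AP_APPROVE_PAYMENT"),   # enters and approves the same payments
    ("erin", "DB_ADMIN_PROD"),
    ("erin", "AP_APPROVE_PAYMENT"),   # IT staff holding a business privilege
]

# Toxic combinations: holding both rights in a pair defeats a control.
SOD_RULES = {
    ("GIT_PUSH_APP", "DEPLOY_PROD"): "make and migrate program changes",
    ("AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"): "initiate and approve payments",
}

# Rights each job needs; anything beyond this is "beyond assigned duties".
ROLE_BASELINE = {
    "developer": {"GIT_PUSH_APP"},
    "release_manager": {"DEPLOY_PROD"},
    "accounts_payable": {"AP_ENTER_INVOICE"},
    "dba": {"DB_ADMIN_PROD"},
}


def rights_by_user(entitlements):
    """Group the flat (user, right) export into {user: set_of_rights}."""
    out = {}
    for user, right in entitlements:
        out.setdefault(user, set()).add(right)
    return out


def sod_conflicts(entitlements, rules=SOD_RULES):
    """Users holding both halves of a toxic combination."""
    found = []
    for user, rights in sorted(rights_by_user(entitlements).items()):
        for (a, b), what in rules.items():
            if a in rights and b in rights:
                found.append((user, what))
    return found


def orphaned_accounts(entitlements, hr=HR_RECORDS):
    """Users with live rights who are not active employees (deprovisioning gap)."""
    users = rights_by_user(entitlements)
    return sorted(u for u in users if not hr.get(u, {}).get("active", False))


def excess_rights(entitlements, hr=HR_RECORDS, baseline=ROLE_BASELINE):
    """Rights an active user holds beyond the baseline for their job."""
    found = []
    for user, rights in sorted(rights_by_user(entitlements).items()):
        rec = hr.get(user)
        if not rec or not rec["active"]:
            continue  # already reported by orphaned_accounts
        extra = rights - baseline.get(rec["job"], set())
        if extra:
            found.append((user, tuple(sorted(extra))))
    return found


def access_review(entitlements=ENTITLEMENTS):
    """Run all three checks and return the findings for the reviewer."""
    return {
        "sod_conflicts": sod_conflicts(entitlements),
        "orphaned_accounts": orphaned_accounts(entitlements),
        "excess_rights": excess_rights(entitlements),
    }


if __name__ == "__main__":
    for section, items in access_review().items():
        print(section)
        for item in items:
            print("  ", item)
```

On the constructed data the review flags alice (can both make and migrate changes), dave (initiates and approves payments), carol (a leaver whose account was never deprovisioned) and erin (a DBA holding a payment-approval right). In a real environment the rule set and role baselines are the part that needs care: a review that only lists who has what, without a definition of what each role should have, cannot distinguish excess access from normal access.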