Identifying and evaluating general IT controls
As we complete our examination of the impacts of SAS 145 for tax and accounting professionals, we’ll build on our previous posts on risk assessment, documentation and analysis, and balancing scope and complexity in auditing. In this last post, we’ll look at risks that can arise from the use of IT in accounting and auditing.
General IT controls
Keeping in line with advancements in technology and the widespread use of automation tools and techniques, SAS 145 acknowledges the use of IT by both auditors and clients and expressly defines the risks arising from the use of IT.
No, this doesn’t mean that auditors need to become IT experts. It does mean they should think of IT use in terms of assertions. They also need to evaluate the complexity of a system, even an off-the-shelf software package, and everything it includes.
SAS 145 provides definitions for the terms “general IT controls” and “risks arising from the use of IT.” Under the new standard, auditors are required to identify general IT controls that address the risks arising from the use of IT and, when they relate to identified controls, as discussed earlier, evaluate their design and determine their implementation.
What is the definition of general IT controls?
SAS 145 defines “general IT controls” as: “Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.”
Examples of general IT controls that may exist include:
- Authentication
- Privileged access
- Backup and recovery
Under SAS 145, “risks arising from the use of IT” is defined as: “Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.”
Thinking in terms of assertions, firms may still be wondering which IT controls they should consider. The answer: those IT controls that impact the risk of material misstatement at the assertion level.
What are the risks of using IT?
To assist auditors, SAS 145 outlines several considerations to help determine whether IT applications are subject to risks arising from the use of IT.
For example, characteristics of higher risk IT applications may include:
- The volume of data (transactions) is significant.
- Applications are interfaced.
- The application’s functionality is complex because it automatically initiates transactions, and there are a variety of complex calculations underlying automated entries.
- An IT application is likely subject to risks arising from the use of IT because management relies on an application system to process or maintain data, and management relies upon the application system to perform certain automated controls that the auditor has also identified.
Characteristics of a lower risk IT application include:
- The volume of data (transactions) is not significant.
- Applications are stand-alone.
- Each transaction is supported by original hard copy documentation.
- The application’s functionality is not complex.
Conclusion
For all the advantages that technology provides for firms, it is important to understand the possible implications general IT controls can have. This is especially true with regard to risk assessment and the potential for material misstatement.
Take action now to ensure that your firm is fully prepared for SAS 145. To learn more, view our webinar offering early guidance on SAS No. 145.
This is the final post in a four-blog series about SAS 145 and its impact on tax and accounting professionals.