The Effect of IT General Controls on Financial Statement Audits
Information technology general controls (ITGC) must operate effectively to support your financial statement audit. Therefore, a team member skilled and experienced in ITGC should be integrated into the team responsible for the financial statement audit.
First, you need to understand issues of design and operating effectiveness.
Design effectiveness is when an IT audit specialist tests the design of a client’s IT environment. In general, this type of review is performed when the financial audit team does not rely on controls surrounding the IT operations. Substantive testing is performed under these circumstances. Only one transaction of a procedure is tested in the IT operations to determine whether the process design is effective.
Operating effectiveness is when the IT audit specialist performs a sample transaction relative to the processes in the IT operations. Based on the size of the transaction population, a sample is tested and finds no exceptions to the rule. Under this approach, the financial audit team will rely on controls based on the results of the ITGC.
Secondly, here are the areas of the ITGC review:
Entity-level controls – Under this category, the integrated strategy between IT and business objectives is inspected. This strategy can encompass a separate document detailing the strategy of the IT operations and how this strategy influences business processes. This strategy includes IT budgets and minutes of meetings involving top executives, including the chief information officer (CIO).
Typical entity-level controls include:
- Documentation to support monthly meetings between the CFO, CIO, application development manager and technical services manager
- IT personnel performing functions only allocated to them regarding systems operations with no access to business functions, e.g., check writing or cash receipts
Program change controls – Changes to software programs must be properly controlled to reduce the risk of implementing erroneous programs into operations.
Typical program change controls include the following:
- The organization’s policies and procedures consider the development and acquisition of new systems and major changes to existing systems.
- The organization acquires or develops application system software in accordance with its acquisition, development and planning process.
- A testing strategy is developed and followed for all significant changes in applications and infrastructure technology; the strategy addresses unit, system, integration and user acceptance-level testing so deployed systems operate as intended.
- Requests for program changes, system changes and maintenance are standardized, logged, approved, documented and subject to formal change management procedures.
- Emergency change requests are documented and subject to formal change management procedures.
- Controls are in place to restrict migration of programs to production only by authorized individuals.
Logical security (including physical security) – Logical security is the process of ensuring that unauthorized access to systems is not obtained.
Typical logical security controls include the following:
- An information security policy exists and has been approved by an appropriate level of executive management.
- Procedures exist and are followed to authenticate both internal and external system users to support the existence of transactions.
- Procedures exist and are followed to maintain the effectiveness of authentication and access mechanisms, e.g., regular password changes.
- A control process exists and is followed to periodically review and confirm access rights.
- Appropriate controls—including firewalls, intrusion detection and vulnerability assessments—exist and are used to prevent unauthorized access via public networks.
- System infrastructure—including firewalls, routers, switches, network operating systems, servers and other related devices—is properly configured to prevent unauthorized access.
- Procedures related to timely action for requesting, establishing, issuing, suspending and closing user accounts exist and are followed.
- Controls related to appropriate segregation of duties over requesting and granting access to systems and data exist and are followed.
- Access to facilities is restricted to authorized personnel and requires appropriate identification and authentication.
Operations – This area is primarily concerned with controls surrounding backup and recovery, third-party security and problem and incident management. Controls directly affect the continuity of operations and breaches.
Typical operational controls include the following:
- Management has implemented a strategy for cyclical data and program backup.
- Information restoration is periodically tested.
- A disaster recovery plan covering all aspects of the organization has been documented and implemented.
- Service levels are defined and managed to support financial reporting system requirements.
- Third-party service contracts address the risks, security controls and procedures for information systems and networks in the contract between the parties.
- IT management has defined and implemented an incident and problem management system so data integrity and access control incidents are recorded, analyzed, resolved in a timely manner and reported to management.
- The problem management system provides adequate audit trail facilities, which allow tracing from problem or incident to underlying cause.
- A security incident response process exists to support timely response and investigation of unauthorized activities.
- Management has established and follows documented standard procedures for IT operations, including job scheduling and monitoring and responding to security and processing integrity events.
You also should review how well you know the IT environment; only technical areas that affect the different areas of the ITGC should be considered from a financial statement impact perspective. These may include:
- Network layers
- Database management systems
- Operating systems
Depending on the size and complexity of the client’s IT environment, only selected technical areas may be applicable.
IT procedures and controls play an important role in how we look at financial statement auditing. It’s imperative to look at these controls and their impact on the way we audit.
For more information on this or other topics, please contact us.