Wiley Practitioner's Guide to GAAS 2020. Joanne M. Flood

Page 64

An entity’s mix of controls varies with the nature and complexity of its use of IT. IT enables an entity to:

      1. Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.

      2. Enhance the timeliness, availability, and accuracy of information.

      3. Facilitate the additional analysis of information.

      4. Enhance the ability to monitor the performance of activities and the policies and procedures.

      5. Reduce the risk that controls will be circumvented.

      6. Enhance the ability to achieve effective segregation of duties by implementing security controls.

      IT also poses specific risks to an entity’s internal control, including:

      1. Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both

      2. Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions

      3. Unauthorized changes to data in master files

      4. Unauthorized changes to systems or programs

      5. Failure to make necessary changes to systems or programs

      6. Inappropriate manual intervention

      7. Potential loss of data

      IT General Controls

      IT general controls are entity-wide controls that apply to many if not all application systems and help ensure their continued proper operation. For example, the effectiveness of an entity’s controls relating to the access of its database will determine whether it will be successful in maintaining the integrity of those data, which may be used in a number of different applications.

      If there are inadequate general controls, controls at the application level may not function properly, and the information produced by the system may be largely unreliable. For that reason, IT general controls are typically included within the evaluation of internal control effectiveness.

      But which IT general controls are used?

      To answer this question, it is helpful to think of IT general controls as operating within three different domains, or stacks:

      1. Database

      2. Operating system

      3. Network

      There are three control objectives within each of these domains:

      1. Systems are appropriately tested and validated prior to being placed into production.

      2. Data are protected from unauthorized change.

      3. Any problems or incidents in operations are properly responded to, recorded, investigated, and resolved.

      IT General Controls That Are Unlikely to Affect the Financial Statements

      Some IT control frameworks include controls that have only an indirect effect on IT systems. For example, the IT strategic plan and the overall IT organization and infrastructure may contribute indirectly to the effective functioning of IT systems and could be an area of interest for an IT auditor. However, these controls are so far removed from the financial reporting process that, in most situations, they will have only a negligible effect on the financial statements. The risk that a failure in one of these controls could result in a financial statement misstatement likewise is negligible. Thus, typically, these controls would not be included in an evaluation of controls over financial reporting.

      IT General Controls That May Affect the Financial Reporting Process

      Some IT systems process information that is not reflected in the financial statements. For example, an organization may have a sales and marketing system that tracks lead generation, customer contact information, and purchase history. IT general controls that affect the functioning of this system may or may not be included within the scope of an evaluation of financial reporting controls, depending on how management uses the information generated by the system.

      For example, management and the sales team may use the information only to manage the sales process, in which case the sales system is not important to the financial reporting process. Or management may use the information generated from the sales system to monitor financial results, generate financial information, or perform some other control procedure.

      For example, information in the sales system could be used to:

      - Calculate bonuses to salespeople, an amount that is reported in the financial statements.

      - Generate a key performance indicator, which management uses to identify anomalies in the accounting records or financial statements.

      - Generate nonfinancial information, which management uses in its monitoring process.

      General controls related to nonfinancial systems may be included in management’s evaluation if the risk of failure of the control is significant. If the risk is small, then the system can be excluded from the scope of the evaluation.

      General Controls Directly Related to Financial Information

      Other IT systems at an organization are directly related to the processing of financial information, such as the accounting system, the sales system, or the inventory management system. To the extent that these systems process significant financial information where a material misstatement could occur, they will be included within the scope of the auditor’s evaluation.

      IT systems that have a more direct effect on the financial reporting process typically are included within the scope of management’s evaluation. Relevant IT general control objectives usually relate to:

      - Logical access to programs and data

      - Physical access to computer hardware and the physical environment within which the hardware operates

      - System development and change

      - Effect on the internal audit function

      The following questionnaire will help the auditor assess risk. The existence of a condition covered by the questionnaire does not mean errors or fraud have occurred; it is a warning sign indicating increased risk in the audit areas affected. The questionnaire should be modified in accordance with the size and complexity of the entity.
