IT Controls

​

IT Controls Case Example: ABC Manufacturing Company

Context

With ABC Manufacturing Company’s significant use of IT systems for financial processing, including ERP systems, databases, and reporting tools, ensuring the integrity, security, and reliability of these systems is paramount. The audit must, therefore, include an assessment of IT controls that support the accuracy and completeness of financial reporting.

Audit Objective

To evaluate the design and operating effectiveness of IT controls that affect the financial reporting process of ABC Manufacturing Company, ensuring that financial data is accurately processed and reported.

Types of Audit Evidence and Documentation for IT Controls

1. Understanding the IT Environment and Systems

• Case: Obtain an understanding of the IT environment, including the IT governance framework, the structure of IT systems relevant to financial reporting, and the data flow between these systems.

• Documentation: Document the overview of the IT environment and systems, focusing on components relevant to financial processing and reporting. This includes network diagrams, system descriptions, and data flowcharts.

2. Evaluation of General IT Controls

• Case: Assess general IT controls, including IT governance, system and network access controls, change management processes, and IT operations controls.

• Documentation: Document the evaluation of general IT controls, noting the control environment, access security measures, procedures for system changes, and operations controls such as data backup and recovery processes.

3. Assessment of Application Controls

• Case: Examine application controls for systems critical to financial reporting, focusing on input, processing, and output controls. This includes controls over manual and automated financial transactions, data integrity checks, and authorization controls.

• Documentation: Detail the assessment of application controls, including specific controls tested, the nature, timing, and extent of testing, and the effectiveness of the controls in ensuring accurate and complete financial reporting.

4. Testing IT Controls

• Case: Perform tests of IT controls to determine their operating effectiveness. This may involve observing control procedures, reperforming control activities, and inspecting documents and logs that evidence control operation.

• Documentation: Summarize the tests performed on IT controls, including test procedures, dates, and results. Note any deficiencies identified and implications for financial reporting.

5. Identifying IT Control Deficiencies

• Case: Identify and assess any deficiencies in IT controls, considering their impact on the reliability of financial reporting and the risk of material misstatement.

• Documentation: Document identified IT control deficiencies, assessing their severity and the risk they pose to the accuracy and completeness of financial reporting. Include management’s responses and planned remediation actions.

6. Consideration of IT Controls in the Audit Plan

• Case: Incorporate the understanding and assessment of IT controls into the overall audit plan, adjusting the nature, timing, and extent of audit procedures based on the effectiveness of IT controls.

• Documentation: Document how the evaluation of IT controls has influenced the audit strategy and plan, including any additional audit procedures determined necessary to address risks associated with IT control deficiencies.

7. Communication with Management and Those Charged with Governance

• Case: Communicate significant findings related to IT controls, including deficiencies and their impact on financial reporting, to management and those charged with governance.

• Documentation: Summarize communications with management and those charged with governance regarding IT controls, including discussions about deficiencies, their implications, and agreed-upon actions for remediation.

Conclusion

Evaluating IT controls is a vital component of the audit process for ABC Manufacturing Company, given the integral role of IT in financial reporting. Documenting the assessment of IT controls provides evidence of the auditor’s consideration of the reliability of IT systems and processes that support financial statement assertions. This thorough documentation supports the overall audit opinion and helps ensure that stakeholders can have confidence in the company’s financial reporting integrity.