
Day 3 (19 Oct 2022)

  • Writer: Foo Yoong Hou
  • Jan 17, 2023
  • 4 min read

Today, I continue yesterday's online-based course session. Yesterday's course focused on the introduction of the components of an information system, while today's course focuses on information technology general controls (ITGC). The objectives of today's course are to explain what ITGCs are and their purpose, and to understand the IT risk assessment process. The bullets below are the points that I learnt from the course:

  • As part of the identify and assess risk phase of the audit, obtain an understanding of each of the following components of internal control: the control environment, the entity's risk assessment process, control activities, information and communication processes, and monitoring.

  • Understanding the entity's IT environment is a component of the system of internal control which engagement teams are required to evaluate during risk assessment procedures in accordance with ISA 315 (Revised 2019). The objective of understanding the IT environment is to identify potential risks arising from the use of IT, by identifying the key IT applications and processes relevant to the audit. This information then assists in identifying the IT general controls (ITGCs) that address those risks and in designing specific audit responses to them, as applicable.

  • In BDO, the ITGC audit procedure follows the steps below:

  1. Identifying IT applications relevant to the audit. Engagement teams identify the IT applications relevant to the audit, which normally include all IT applications from which automated or IT-dependent CARAs use information, or on whose processing they depend, and all IT applications that produce IPE (information produced by the entity) that we do not plan to test substantively.

  2. Identifying incidents and cyber-attacks. When a cyber-attack, system disruption or other security event has occurred during the year that may have damaged the integrity of data and/or IT applications affecting financial reporting, or may have required data affecting financial reporting to be recovered from backup systems, there is an inherent risk related to those events. An IS Audit Specialist should be involved in determining the nature and extent of the audit work necessary to address that inherent risk.

  3. Identifying system characteristics for relevant IT applications. Once the relevant IT applications are identified, engagement teams evaluate the characteristics of each IT application to determine whether the IT risks related to those characteristics need to be assessed. At a minimum, access controls are evaluated for every relevant IT application; the following sections apply depending on the characteristics identified: Program Change Risks and Controls, Data Processing Risks and Controls, and Data Conversion Risks and Controls.

  4. Identifying IT risks and performing the ITGC D&I evaluation. The engagement team is presented with typical IT risks related to accessing the IT application and, if relevant, typical IT risks related to program changes, data processing and data conversion. For each IT risk, the engagement team determines whether the entity has a relevant ITGC that addresses it. Once the relevant ITGCs have been identified and documented in the ITGC Risk Assessment Questionnaire, the engagement team performs procedures to evaluate their design and implementation (D&I). Implementation testing involves at least some of the following procedures: walkthroughs, inspection or examination of evidence, observation, reperformance of the control, and inquiry (although inquiry alone is typically not sufficient evidence).

     The engagement team then performs the ITGC OE (operating effectiveness) test of controls if it is testing controls of an automated or IT-dependent CARA, or testing IPE using a controls approach. The purpose is to address the risks arising from the use of IT and to provide a basis for the auditor's expectation that the automated or IT-dependent control operated effectively throughout the period.

     Where there are ITGC deficiencies related to an IT application, record the impact of the unsatisfactory ITGCs on the testing of the CARA or IPE. For example, one impact may be that the automated controls cannot be relied on and the IPE must be tested substantively, because the ITGCs it depends on are deficient. Evaluate whether the ITGC deficiency is already considered as part of a documented inherent RMM (risk of material misstatement); where it is not, consider adding an RMM in APT so that any impacts are integrated into the audit work. Also report the control deficiency to management or those charged with governance.

  5. Analysis of IT risks for the IT environment, including relevant ITGC assessment.

  6. Documenting ITGC deficiencies and reporting to TCWG. For each IT risk where the ITGC design, implementation and/or operating effectiveness conclusion is evaluated as Unsatisfactory, document what the ITGC deficiencies are and how they impact the audit.

  7. Reporting to TCWG and management. Once we have performed the ITGC risk assessment and planned appropriate audit responses to any ITGC-related risks, engagement teams determine whether the ITGC deficiencies require reporting to those charged with governance (TCWG) and management. If so, a TCWG or Management Letter point is raised in APT NG. Considerations that may support the decision to report and to add a management letter point include: the deficiency relates to applications relevant to financial reporting, the business cycles or IPE; the affected business cycle relies on automated or IT-dependent controls rather than manual controls; the risk occurred during the audited period; and no compensating controls that mitigate the ITGC risk have been identified.


Below are common ITGC deficiencies and their impact on the audit (IT risk reference, ITGC deficiency, impact on the audit):

IT Risk Ref: AAR6
ITGC deficiency: Password parameters for the ERP application do not meet company or industry standards: the minimum password length is 4 characters, no complexity mechanism is applied, passwords never expire, and account lockout occurs only after 20 incorrect attempts.
Impact on the audit: To compensate for the lack of proper user authentication controls, engagement teams identify whether compensating authentication controls exist (e.g. the IT application is installed only on the computers of authorized users, or proper authentication controls exist for computer login) or whether other manual controls are designed and implemented to validate business transactions.

IT Risk Ref: AAR4
ITGC deficiency: The existing access rights of privileged-level users (system administrators) may allow these users to add or change journal entries or initiate transactions.
Impact on the audit: Determine whether the super-user access rights permit the user to initiate transactions.

IT Risk Ref: PCR2
ITGC deficiency: Programmers have unrestricted access to the production environment and are able to make and implement program/configuration changes in the production environment where financial applications and data are maintained.
Impact on the audit: Engagement teams should obtain a system-generated list of program changes implemented in the production environment and determine whether changes were made to key financial applications. This is only feasible if the system reliably tracks all program changes, or there is some other means of identifying changes made to IT applications. If changes were made, assess the impact of those changes and whether they were properly tested and authorized for production implementation.
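The audit responses in the table above can be run as a CAAT over system exports. The Python below is an added example, not code from the course or from BDO's audit tooling, and it goes slightly beyond the table: besides comparing the ERP password parameters against a baseline (AAR6), listing journal entries actually posted by privileged users as evidence for AAR4, and reconciling production changes to change tickets (PCR2), it also flags a change deployed by its own developer, which is the segregation-of-duties angle of PCR2. The baseline values, the field names and every sample record are constructed assumptions, not real client data.

```python
"""ITGC deficiency follow-up checks over constructed sample data.

Added example, not code from the course or from any audit firm's tooling.
All records below are constructed; field names (posted_by, app, ticket, ...)
are assumptions about what an ERP or change-management export might contain.
"""
from collections import namedtuple

# --- AAR6: password parameters versus a baseline ---------------------------
# Baseline values are assumptions standing in for "company or industry standards".
PASSWORD_BASELINE = {
    "min_length": 8,          # at least this many characters
    "complexity": True,       # a complexity mechanism must be enabled
    "max_age_days": 90,       # 0 means "never expires"
    "lockout_threshold": 10,  # lock after at most this many failed attempts
}

def check_password_policy(policy, baseline=PASSWORD_BASELINE):
    """Return the names of the parameters that fall short of the baseline."""
    findings = []
    if policy["min_length"] < baseline["min_length"]:
        findings.append("min_length")
    if baseline["complexity"] and not policy["complexity"]:
        findings.append("complexity")
    # 0 means passwords never expire, which is worse than any finite maximum age
    if policy["max_age_days"] == 0 or policy["max_age_days"] > baseline["max_age_days"]:
        findings.append("max_age_days")
    # 0 means lockout is disabled
    if policy["lockout_threshold"] == 0 or policy["lockout_threshold"] > baseline["lockout_threshold"]:
        findings.append("lockout_threshold")
    return findings

# Constructed ERP policy export mirroring the AAR6 deficiency in the table.
ERP_POLICY = {"min_length": 4, "complexity": False, "max_age_days": 0, "lockout_threshold": 20}

# --- AAR4: did privileged users actually post journal entries? ------------
JournalEntry = namedtuple("JournalEntry", "doc_no posted_by amount")
PRIVILEGED_USERS = {"sysadmin01", "basis_admin"}   # constructed admin list
JOURNAL_ENTRIES = [                                 # constructed JE export
    JournalEntry("JE1001", "acct_clerk", 1200.00),
    JournalEntry("JE1002", "sysadmin01", 54000.00),
    JournalEntry("JE1003", "fin_manager", 800.00),
]

def privileged_postings(entries, privileged):
    """Journal entries posted by privileged-level (system administrator) users."""
    return [e for e in entries if e.posted_by in privileged]

# --- PCR2: reconcile production changes to change tickets -----------------
Change = namedtuple("Change", "change_id app developer deployed_by ticket")
Ticket = namedtuple("Ticket", "ticket tested approved")
KEY_FINANCIAL_APPS = {"GL", "AP"}                  # constructed scope
PROD_CHANGES = [                                    # constructed system-generated change list
    Change("C-01", "GL", "dev_alice", "ops_bob", "CHG-100"),
    Change("C-02", "AP", "dev_carol", "dev_carol", "CHG-101"),  # developer deployed own change
    Change("C-03", "GL", "dev_alice", "ops_bob", None),        # no ticket at all
    Change("C-04", "HR", "dev_dave", "ops_bob", "CHG-102"),     # not a key financial app
]
TICKETS = {                                          # constructed change-management records
    "CHG-100": Ticket("CHG-100", tested=True, approved=True),
    "CHG-101": Ticket("CHG-101", tested=False, approved=True),
    "CHG-102": Ticket("CHG-102", tested=True, approved=True),
}

def reconcile_changes(changes, tickets, key_apps):
    """Return {change_id: [issues]} for changes to key financial applications."""
    findings = {}
    for c in changes:
        if c.app not in key_apps:
            continue  # outside the applications relevant to the audit
        issues = []
        t = tickets.get(c.ticket) if c.ticket else None
        if t is None:
            issues.append("no change ticket")
        else:
            if not t.tested:
                issues.append("not tested")
            if not t.approved:
                issues.append("not approved")
        if c.developer == c.deployed_by:
            issues.append("developer deployed own change")
        if issues:
            findings[c.change_id] = issues
    return findings

if __name__ == "__main__":
    print("AAR6 deficient parameters:", check_password_policy(ERP_POLICY))
    print("AAR4 privileged postings:", [e.doc_no for e in privileged_postings(JOURNAL_ENTRIES, PRIVILEGED_USERS)])
    print("PCR2 findings:", reconcile_changes(PROD_CHANGES, TICKETS, KEY_FINANCIAL_APPS))
```

On the constructed data the AAR6 check reports all four parameters, the AAR4 check returns JE1002 (posted by sysadmin01), and the PCR2 reconciliation flags C-02 (untested ticket, developer deployed own change) and C-03 (no ticket), while ignoring the HR change. In practice the PCR2 step only works if the change list is genuinely system-generated and complete, which is the caveat the table itself makes.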



Main things that I have learnt


  • Learn the definition of ITGC and how it relates to the financial audit.

  • Learn about the areas I should focus on when I am doing the ITGC audit.

  • Learn about the audit procedure to audit the respective ITGC areas.


Comment/idea/opinion


After attending the online course, I know that ITGCs are controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information (i.e., the completeness, accuracy, and validity of information) in the entity’s information system. The purpose of ITGCs is to prevent or detect risks of material misstatement arising from the use of IT relevant to the audit. Therefore, it is critical for me to obtain an understanding of how the entity is using their IT systems and what ITGCs are in place to appropriately identify and address these potential risks as part of our audit.
