Internal Controls Over Information Technology at Your Firm
Organizations have historically relied on manual controls to identify unusual transactions; however, enhancements in technology have significantly changed the outlook of evaluating controls from an auditor’s perspective.
The integrated audit technique is the new buzzword: it involves reviewing management’s financial and operational controls as they relate to technology.
Controls over technology have a direct impact on the overall reliability of financial statements regardless of the size of the organization. Financial auditors are therefore required to obtain a general understanding of information technology (IT) controls as part of their audits.
Auditors also evaluate whether controls currently in place are able to prevent and detect misstatements that could cause financial statements to be materially misstated. These controls are primarily split between general controls and application controls.
General controls involve review of overall infrastructure, which would include IT governance, employee access, network configuration, disaster recovery plans, physical and logical controls, policies, etc.
Application controls, on the other hand, include review of automated controls built into the application. Reviewing these types of controls includes obtaining an understanding of how transactions are being processed.
Various input and output controls over accounts payable, inventory, payroll, reporting, and general ledger entries are some examples of areas that are reviewed. Potential areas of concern would be unauthorized access, duplicate posting, and mathematical inaccuracies, to name a few.
Certain regulated industries and public companies are required to have an independent assessment of their IT controls. Internal audit departments within certain organizations have also been given the responsibility of performing technology reviews. The responsibility of managing internal controls in small to midsize firms is usually handled by individuals who are wearing multiple hats and who are provided limited resources.
In addition, there are several aspects of technology that change on a constant basis. Therefore, it is critical that management ensures controls relating to technology are evaluated on a frequent basis. Here are a few critical questions that management should take into consideration:
- Is current access provided to employees in line with their job descriptions?
- Does the organization have a documented disaster recovery plan in place for critical functions?
- For outsourced applications, is there a vendor management program to adequately evaluate controls at the vendor site?
- For in-house applications, is there a reliable change management policy to prevent unauthorized changes?
- Are written IT policies in place to address various IT functions?
- Are employees trained to recognize social engineering techniques?
- For companies accepting credit card transactions, are they PCI compliant?
- Are adequate logs available for keeping track of employee activity?
- Is critical company information adequately protected?
- Does management have a business continuity plan in place?
IT is part of almost every business function, which has created a need for management to provide detailed oversight of this multifaceted function. The overall health of an organization is dependent on the operation of its IT department.
That’s why investing in IT controls is essential to financial operations and to ensuring greater operational efficiency.
However, it is important to probe the needs of a company and tailor IT operations to fit those specific needs. Consider the questions above as you get ready to incorporate the latest information technologies into your organization.