When it comes to internal controls, much of the focus and discussion is typically around business process controls such as those within the revenue cycle and expenditures cycle. But information technology plays an equally important role because of the reliance upon systems and software applications.
This article provides a brief overview of Information Technology (IT) internal controls, and how management can align those controls with both business operations and regulatory requirements such as Bill 198 in Canada and the Sarbanes-Oxley Act (SOX) in the USA.
Internal controls within information technology are among the most important internal controls because of the pervasive reliance upon automated data processing and information systems throughout all organizations. As a result, it is important for companies to ensure that IT controls are both designed properly and operating effectively.
As you might expect, there is a tremendous amount of literature regarding IT controls that has been developed and refined over the years by several different stakeholder organizations. Two control “frameworks” have been devised to assist both management and auditors in designing and assessing controls in computerized environments. One is the Information Technology Control Guidelines (IT Guidelines), first published by the Canadian Institute of Chartered Accountants (CICA) in 1970 (in its 3rd edition in 2011). The other is the Control Objectives for Information and related Technology (COBiT) developed by the Information Systems Audit and Control Association (ISACA). Further details on both of these IT frameworks can be accessed via the web-links below.
Both the IT Guidelines and COBiT are very detailed and used primarily by large organizations and external auditors. However, the general concepts essentially boil down to IT General controls, and IT Application controls, and are relevant to organizations of any size.
Let’s cut to the chase – which IT controls does management in any organization need to be aware of, and, from a publicly listed entity’s point of view, which controls need to be reviewed and tested on an ongoing basis?
IT General Controls – policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. These controls apply to mainframe, server, and end-user environments. General IT controls commonly include:
• Controls over data centre and network operations
• System software acquisition, change and maintenance
• Access security
• Application system acquisition, development, and maintenance
• Physical security of assets, including secured facilities that restrict access to assets and records
• Authorization for access to computer programs and data files.
Separation of the duties performed by analysts, programmers and operators is another important IT general control. The general idea is that anyone who designs a processing system should not do the technical programming work, and anyone who performs either of these tasks should not be the computer operator when “live” data are being processed. Analysts and programmers should likewise not have hands-on access to the production equipment. Computer systems are susceptible to manipulative handling, and the lack of separation of duties along the lines described should be considered a serious weakness in general control. A control group, or similar monitoring by the user departments, can be an important compensating factor for weaknesses arising from a lack of separation of duties in computerized systems.
IT General Controls are one of the most important areas to review, especially as part of the CEO / CFO Certification at publicly listed entities in Canada. It makes sense – almost all businesses use some form of ERP system, including automated financial reporting systems. The accuracy and reliability of financial reporting depend to a large extent on the IT controls that an organization has in place.
IT Application Controls – controls that relate to specific computer software applications and to individual transactions. For example, a company would usually restrict which personnel are authorized to access its general ledger in order to revise the chart of accounts, post journal entries, approve journal entries, and so on. To enact this policy and restrict access, the general ledger software package must provide the necessary functionality. Furthermore, assuming the functionality exists, does the company have a policy in place, and is there evidence that the general ledger authorizations actually configured in the system align with that policy? Controls around application access are obviously very important and need to be reviewed closely as part of the certification process.
The literature and regulations pertaining to the review and testing of IT application controls by auditors and management address three types of application controls: Input Controls (transactions are captured, accurately recorded, and properly authorized), Processing Controls (transaction processing has been performed as intended), and Output Controls (the accuracy of the processing result). These control tests are typically performed when a new system has been implemented. Afterwards, once the controls have been confirmed to be operating effectively, for purposes of expediency the focus tends to shift to the “key” controls, such as who has system access to make changes to the various applications, and whether the policies are being followed.
In my experience, IT application controls are extremely important to monitor. Consider the impact of incorrect pricing on reported revenues. The employees that have access to change pricing within the ERP system should be authorized by the appropriate level of management. A list of employees having access to pricing modifications should be reviewed periodically, and that list should come from the system itself rather than from what the business believes to be true. Furthermore, the system should be secured so that only authorized employees can have access. This may sound very logical and straightforward, but without ongoing vigilance and monitoring by management, it is very likely that some unauthorized employees will have access. Incorrect pricing leads to incorrect revenues. Remember – revenue recognition has been cited as the number one cause of errors in financial reporting.
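The periodic access review described above, together with the separation-of-duties principle from the IT general controls section, can be reduced to a repeatable reconciliation: export the role assignments actually configured in the ERP, compare them with the list management has approved, and flag anything that is unauthorized, lingering after termination, stale on the approved list, or in a toxic combination. The script below is an added example (not code from the original post, and not tied to any particular ERP product); the user names, role names, CSV layout and the conflict matrix are hypothetical, and the two exports are constructed inline so it runs offline.

```python
"""Periodic access review with segregation-of-duties (SoD) checks.

Added example, not from the original article. Both inputs are constructed
CSV exports with hypothetical users and role names; a real review would
export them from the ERP's security tables, not from a self-reported list.
"""
import csv
import io

# Constructed ERP export: one row per user/role assignment (hypothetical).
ERP_EXPORT = """user,role,status
alice,GL_POST_JE,active
alice,GL_APPROVE_JE,active
bob,PRICE_MAINTAIN,active
carol,PRICE_MAINTAIN,active
dave,SYS_DEVELOPER,active
dave,PROD_OPERATOR,active
erin,PRICE_MAINTAIN,terminated
"""

# Constructed list of access approved by management per policy (hypothetical).
AUTHORIZED = """user,role,approved_by
alice,GL_POST_JE,controller
bob,PRICE_MAINTAIN,vp_sales
dave,SYS_DEVELOPER,it_manager
frank,PRICE_MAINTAIN,vp_sales
"""

# Toxic combinations one person must not hold at the same time (hypothetical
# matrix; the analyst/programmer/operator split mirrors the article's rule).
SOD_CONFLICTS = {
    frozenset({"GL_POST_JE", "GL_APPROVE_JE"}),     # post and approve own entries
    frozenset({"SYS_DEVELOPER", "PROD_OPERATOR"}),  # change code and run live data
    frozenset({"SYS_ANALYST", "SYS_DEVELOPER"}),    # design and program the same system
}


def parse_roles(text, active_only=False):
    """Return {user: {role, ...}} from a user,role,... export.

    With active_only=True, rows whose status column is not 'active' are skipped.
    """
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        if active_only and row.get("status") != "active":
            continue
        roles.setdefault(row["user"], set()).add(row["role"])
    return roles


def unauthorized_access(actual, authorized):
    """Grants live in the system that management never approved."""
    return sorted(
        (user, role)
        for user, roles in actual.items()
        for role in roles - authorized.get(user, set())
    )


def stale_authorizations(actual, authorized):
    """Approved grants with no matching live assignment (policy list needs cleanup)."""
    return sorted(
        (user, role)
        for user, roles in authorized.items()
        for role in roles - actual.get(user, set())
    )


def lingering_access(text):
    """Role assignments that survived a user's termination (status != active)."""
    return sorted(
        (row["user"], row["role"])
        for row in csv.DictReader(io.StringIO(text))
        if row.get("status") != "active"
    )


def sod_violations(actual):
    """Users holding every role of at least one toxic combination."""
    return sorted(
        (user, tuple(sorted(pair)))
        for user, roles in actual.items()
        for pair in SOD_CONFLICTS
        if pair <= roles
    )


def run_review(erp_export=ERP_EXPORT, authorized_list=AUTHORIZED):
    """Run all four checks and return the findings keyed by check name."""
    actual = parse_roles(erp_export, active_only=True)
    authorized = parse_roles(authorized_list)
    return {
        "unauthorized": unauthorized_access(actual, authorized),
        "stale_authorizations": stale_authorizations(actual, authorized),
        "lingering": lingering_access(erp_export),
        "sod": sod_violations(actual),
    }


if __name__ == "__main__":
    for check, findings in run_review().items():
        print(f"{check}: {findings or 'none'}")
```

Each non-empty list is a finding to be dispositioned and signed off (removed, or approved and added to the authorized list) so that the dated output serves as the evidence a certification review asks for. On the constructed data, carol’s and dave’s extra roles and alice’s ability to both post and approve journal entries are exactly the conditions the article warns about, and erin’s lingering pricing access would never surface from a policy list alone.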
I hope this helps to bridge the gap between the theory behind IT general and IT application controls and the practical realities and basic requirements that businesses should be aware of.
If you require further information or assistance in this area, or wish to comment on this, please don’t hesitate to contact Edelkoort Smethurst Schein CPAs LLP at email@example.com or 905-630-1607.
Edelkoort | Smethurst | Schein CPAs LLP is located in Burlington Ontario servicing the Golden Horseshoe and Greater Toronto Area and beyond. The firm is fully licensed with CPA Ontario to provide assurance, tax and accounting services as well as registered as tax preparers with the Canada Revenue Agency (CRA) & Internal Revenue Service (IRS). The firm is also registered as an IRS Certified Acceptance Agent.
All blog posts published on this site are for informational purposes only and do not constitute professional advice. Readers should contact a professional to discuss their individual situation. Neither the author nor the accounting firm shall accept any liability for any reliance placed on the information posted.