Page 245 - COSO Guidance

Control activities and technology

            The framework addresses two ways that control activities and technology are interrelated.

            First, technology supports business processes, and controls should be implemented to lessen the risk
            that the technology stops operating properly and the entity’s objectives are not achieved as a
            result. For example, a community bank that uses packaged software will test major software updates
            before implementing them in a live operating environment.

            Second, technology is used to automate control activities. An example of an automated control in an
            accounts-payable system would be that a purchase order must be matched with a vendor’s invoice and a
            receiving report before a payment can be made. Sometimes the control is wholly automated, such as the
            automatic resending of an email message that failed to transmit the first time. There could also be a
            combination of manual and automated controls. For example, the automated control notifies the
            appropriate user that the email failed to send. The system could then prompt the user to select an option
            to send the email later when system problems have been resolved or cancel the transmission.




            Control activities principle 11: Selects and develops general controls over technology

            The organization selects and develops general control activities over technology to support the
            achievement of objectives.

            The following four points of focus emphasize important characteristics relating to this principle:

              Point of focus — Determines dependency between the use of technology in business processes and
               technology general controls
               Management understands and determines the dependency and linkage among business processes,
               automated control activities, and technology general controls.

               The framework states that reliability within business processes, including automated controls, is
               dependent on the selection, development, and distribution of general control activities over
               technology (technology general controls). Technology general controls over the acquisition of
               technology are employed to provide assurance that automated controls work as they should when
               first developed and implemented. Technology general controls should also provide assurance that
               information systems continue to operate correctly after they are implemented.

               Furthermore, the framework notes that technology general controls include control activities over the
               technology infrastructure, security management, technology acquisition, development, and
               maintenance. Technology general controls apply to all types of technology, from applications on a
               mainframe computer or server to desktop, end-user computing (such as spreadsheets), portable
               computer, and mobile device environments. These controls are also applicable to operational
               technology, such as a computer-aided manufacturing environment. The scope and rigidity of general
               technology control activities will differ for each of these technologies due to numerous issues, such
               as the complexity of the technology and the risk of the underlying business process being supported.



            © 2020 Association of International Certified Professional Accountants. All rights reserved.