Page 70 - Internal Auditing Standards
P. 70

Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts





                   internal controls are expected to work effectively, the necessary audit evidence could be obtained

                   through a test of the operating effectiveness of those controls.
        5.7    Understanding IT Risks and Controls

        Most entities today use information technology (IT) to manage, control, and report on at least some of their
        activities. IT operations are often managed by a central support team that ensures the day-to-day users (staff )
        have appropriate access to the hardware, software, and applications required to perform their responsibilities. In
        smaller entities, IT management may be the responsibility of just one, or even a part-time or outsourced, person.
        Regardless of the entity’s size, there are a number of risk factors relating to IT management and applications
        that, if not mitigated, could result in a material misstatement in the fi nancial statements.

        There are two types of IT controls that need to work together to ensure complete and accurate information
        processing:

        •     General IT controls
              These controls operate across all applications and usually consist of a mixture of automated controls
              (embedded in computer programs) and manual controls (such as the IT budget and contracts with
              service providers); and

        •     IT application controls

              These controls are automated controls that relate specifically to applications (such as sales processing or payroll).
        There is also a third kind of control, which has a manual and an IT element. These controls can be called IT-

        dependent controls. The control is performed manually, but its effectiveness relies on information produced
        by an IT application. For example, the financial manager may review the monthly/quarterly fi nancial statement

        (generated by the accounting system) and investigate variances.
        The following exhibit outlines the scope of general IT controls.


        Exhibit 5.7-1

         General IT Controls
         Standards,            The IT governance structure.
         Planning,
                               How IT risks are identified, mitigated, and managed.

         Policies, etc.
                               The required information system, strategic plan (if any), and budget.
         (The IT Control
         Environment)          IT policies, procedures, and standards.
                               The organizational structure and segregation of duties.

                               Contingency planning.
         Security over         Acquisitions, installations, configurations, integration, and maintenance of the IT

         Data, the IT          infrastructure.
         Infrastructure, and   Delivery of information services to users.
         Daily Operations
                               Management of third-party providers.
                               Use of system software, security software, database-management systems, and utility
                               programs.
                               Incident tracking, system logging, and monitoring functions.




     68
   65   66   67   68   69   70   71   72   73   74   75