Page 315 - COSO Guidance Book
Information technology
Many smaller companies do not have the technical or financial resources to develop software in-house;
they rely principally on third parties. Many risks associated with in-house development are thereby
diminished. Some of these risks include developing systems that are not delivered on time, that are over
budget, or that contain errors. The framework notes that program changes made exclusively by software
developers could reduce these risks. It also notes that purchased software might have access-control
functions that permit the company to employ functions providing segregation of duties enforced by the
software. The software might also contain embedded application controls, such as a general ledger
package that will not allow posting of a journal entry unless the total of the debit amount equals the total
of the credit amount.
Still, there are risks with purchased software. The software might not meet users’ needs and may contain
many options that are never used. Additionally, many software updates are automatically downloaded.
Another concern is the extent and integrity of access and other controls employed by third-party service
providers that process significant transactions for the company.
Monitoring activities
Management often routinely performs monitoring activities as part of running the business.
Management’s performance of the monitoring function, such as review of reports, is often difficult to
classify as either a control activity or a monitoring function. A control activity relates to a specific risk; a
monitoring activity assesses whether controls are operating as intended.
© 2020 Association of International Certified Professional Accountants. All rights reserved. 10-7