Page 100 - CITP Review

IT risks, process, and controls



            Effective IT governance relies on an understanding of the primary IT risks. The following sections cover
            how to identify and properly assess these risks, as well as the controls available for risk mitigation.
            Understanding common frameworks for these controls, as well as the types of controls themselves and
            how to assess them, is also essential.




            IT risk identification and assessment

            Tracking the entire process in a flowchart is often critical to the CITP's ability to identify
            IT-related risks: both risks to the data that will end up in the financial statements and risks
            associated with automated business processes and IT-embedded controls.


            Process — Applications
            Documenting the key systems and applications allows the CITP to identify the IT-related risks
            associated with each of them. In particular, three sources of application software are distinguished:
            custom software developed by the entity itself is generally seen as riskier than software customized by
            a software vendor, which in turn is seen as riskier than commercial off-the-shelf software (COTS).

            In a financial audit, the external CITP will need to focus on those financial systems, identified in the
            preceding documentation process, that are material to the financial statements, in order to scope the
            audit properly.

            Of the three, the one with the highest inherent risk (IR) is customized software developed by the entity;
            that is, applications developed in-house carry a relatively high IR.


            There are controls that can mitigate that IR, and the CITP will want to examine, observe, review, and
            otherwise gather assurance that the IR of customized applications has been adequately mitigated.

            The reason for the high level of IR is the nature of programming. It is very difficult to develop an
            application and put it into operation without any bugs or glitches, even after testing. The probability
            that something is not quite right once an application is developed and implemented is almost 100%; this
            phenomenon could be referred to as “Murphy’s IT law.”

            Sometimes a vendor customizes a software application for a customer. This situation is less risky, but it
            still carries the risk of bugs or fraud like any other application development project.

            The application with the least risk is a COTS package from a reliable vendor. The assumption is that a
            vendor with a large customer base, whose application has been in existence for some years, has had its
            software exercised and corrected more thoroughly than any customized application. That lower rating rests
            on the vendor's track record rather than on the absence of defects, so it is an assumption the CITP
            should confirm rather than take for granted.

            Suppose an entity has identified a risk associated with a new application the entity has purchased from a
            software vendor where the version is 1.0, the vendor is new to software manufacturing, and the project





            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-16