Page 101 - CITP Review
manager for the entity is a salesperson from the vendor. The reasons this risk may be high, even though
it is a COTS package, include the following:
- The vendor’s reliability is unknown, and a vendor that is new to software manufacturing presents the same kind of risk as customized software.
- Version 1.0 is particularly risky (see the following discussion).
- IT projects are relatively risky regardless of how well they are handled, and having the project managed by the vendor presents more risk than having it managed by a project manager from the entity.
Version numbers provide information useful for risk assessment. They use a format of MM.nn, where MM
represents a major change in the application, beginning with version number 1. Version 8.01 would
indicate an application that has been through seven major changes since its inception and has likely
been used by customers for years. If the vendor is reliable (for example, Microsoft, Sage, IBM, or some
other well-known vendor with a substantial customer base), then 8.01 would generally be fairly reliable:
there would be some assurance that the application and its controls could be relied upon, and the
risk the application poses to the financial statement system would generally be fairly low.
The number to the right of the decimal (nn) represents minor fixes, changes, or modifications within a
major version. Thus 8.01 would mean 1 minor change had been made since version 8 (that is, 8.00) had
been released; 8.11 would mean 11 minor changes had been made.
One general risk-avoidance measure is to avoid version 1.00 and, more generally, to wait for M.01 rather than
implementing M.00, because a major change in the application follows Murphy’s IT law; the R5 scenario
represents an IT-related risk where the magnitude (level) is at the peak of IR.
Another general risk is whether the entity is relatively current with the version of the application it is using
compared to the most recent version. That is, if the current version is 8.12 and the entity is using 6.9,
there is likely some risk associated with the entity being so far behind the current version. One
concrete risk is that software vendors generally do not support older versions of their software.
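The version-number heuristics above, as an added example that is not part of the CITP Review materials: a small Python checker that parses MM.nn strings (so 8.01 reads as major 8 with 1 minor change) and flags the conditions the text names (a 1.x release, an M.00 release, an unknown vendor, vendor-managed implementation, and an entity that is several major releases behind). The point values, the low/moderate/high cut-offs, the `vendor_established` and `vendor_managed` inputs, and the sample inventory at the bottom are assumptions chosen for illustration.

```python
# Added example (not from the CITP Review): applies the version-number
# heuristics from the text to a COTS inventory. Point values and the
# low/moderate/high cut-offs are assumptions for illustration only.
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# MM.nn: major release number, then the count of minor changes within it
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Tuple[int, int]:
    """Return (major, minor) for an MM.nn string, e.g. '8.01' -> (8, 1)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not an MM.nn version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class VersionRisk:
    in_use: str
    major: int
    minor: int              # minor changes since MM.00 was released
    majors_behind: int      # major releases between in-use and latest
    flags: List[str] = field(default_factory=list)
    level: str = "low"      # 'low', 'moderate' or 'high' (assumed scale)


def assess_version(in_use: str, latest: str,
                   vendor_established: bool = False,
                   vendor_managed: bool = False) -> VersionRisk:
    """Flag the risk conditions the text describes for one COTS package."""
    major, minor = parse_version(in_use)
    latest_major, _ = parse_version(latest)
    r = VersionRisk(in_use, major, minor, latest_major - major)
    score = 0

    if major == 1:                      # first major release is the riskiest
        r.flags.append("version 1.x: first major release")
        score += 2
    if minor == 0:                      # M.00: no fixes yet; wait for M.01
        r.flags.append(f"{major}.00 in use: wait for {major}.01")
        score += 2
    if not vendor_established:          # unknown vendor ~ customized-software risk
        r.flags.append("vendor reliability unknown")
        score += 2
    if vendor_managed:                  # vendor, not the entity, runs the project
        r.flags.append("project managed by the vendor, not the entity")
        score += 1
    if r.majors_behind >= 2:            # e.g. 6.9 in use while 8.12 is current
        r.flags.append(f"{r.majors_behind} major releases behind; "
                       "older versions are generally unsupported")
        score += 2
    elif r.majors_behind == 1:
        r.flags.append("one major release behind")
        score += 1

    r.level = "high" if score >= 4 else "moderate" if score >= 2 else "low"
    return r


if __name__ == "__main__":
    # Constructed inventory: (version in use, latest, established vendor, vendor-managed)
    inventory = [("8.01", "8.12", True, False),
                 ("1.00", "1.00", False, True),
                 ("6.9", "8.12", True, False)]
    for in_use, latest, established, managed in inventory:
        risk = assess_version(in_use, latest, established, managed)
        print(f"{in_use:>5} -> {risk.level:8} {risk.flags}")
```

The checker is only a screening aid: a "low" result for an 8.01 release from an established vendor still leaves the CITP to evaluate the application's controls, and a "high" result for a 1.00 release from an unknown vendor is the signal to treat the package with the same scrutiny as customized software.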
The preceding ignores one factor that is rather common, especially in medium- to large-sized entities.
Sometimes applications used in the financial reporting “trail” include some COTS and some customized,
even if it is just one or two middleware applications.[13] These applications need to be evaluated
independently, and the CITP will need to respond to whatever risks emerge.
Process — Data storage (integrity, security, and reliability)
One fairly common IT-related risk is the database. The nature of the modern database is to be enterprise-
wide in scope, which means that a single database holds an enormous portion of the data the enterprise
has captured. So, if an unauthorized party gains access to the entity’s database, that person has access
to a large portion of its data. Because of this, data storage has a relatively high IR. The CITP will want to
examine the degree of that risk and what controls are in place to mitigate the risk.
[13] Middleware is software written to coordinate communications of some kind between two systems. In this
document, middleware is software used to transfer data between two systems, platforms, or databases. It is
customized for the two different systems by a vendor, consultant, or in-house IT. It usually is a relatively small
program, and only one program, so it is somewhat limited in scope compared to payables, payroll, and so on.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-17