Page 104 - CITP Review

Thus, the data is at the hub of almost all IT risks in a financial audit. The CITP can use this fact in reaching conclusions about the IT risk assessment and tracing IT-related risks (RMM).


Process — Communications
Sometimes relevant data is communicated across networked lines or systems. This situation usually carries a relatively high IR because of the nature of communications — or, more specifically, the susceptibility to intrusion or unauthorized interception. Most of these cases require a subject matter expert (SME) to properly assess risks.


Process — Data transfers
A special type of communications is data transfers. Any time data is transferred from one system to another, that process is generally considered to be a relatively high IR. The transfer can be made in several ways, classified as follows:

  Manual
  Semiautomated
  Automated

The manual process involves converting data in the originating system to a hard copy printout; one or more keypunch personnel enter the data into the receiving (downstream) system (for example, an electronic spreadsheet). This type of transfer would be considered the highest transfer risk because of the high-risk manual rekeying of all that data.

Part of the risk is associated with the fact that the receiving system is an electronic spreadsheet, rather than a computerized system or application. This situation, referred to as end-user computing (EUC), means that

  the employee is using a tool that is customizable,
  the employee makes raw data entries,
  the employee builds calculations or processes, or
  some combination of all of these.

EUC is generally considered to be relatively high in IR because of these employee-dependent circumstances. Usually, EUC involves employees who have insufficient knowledge, ability, and expertise related to IT and controls, and who lack proper SoD, which means that the user

  develops a unique processing tool (such as formulas in Excel),
  runs the tool, and
  has virtual sole custody of the tool.

The transfer could also be semiautomated, where data is exported into some kind of file — for example, text or ASCII (American Standard Code for Information Interchange), Excel, or CSV (comma-separated values) — and then is manually imported into Excel or a similar tool.
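One control a practitioner would pair with the semiautomated transfer just described is a reconciliation of control totals: the originating system records a record count, an amount total and a hash at export time, and the receiving side recomputes them over whatever was actually loaded. The example below is added here and is not from the CITP Review; the CSV layout, column names and sample rows are constructed for illustration.

```python
# Added example (not from the CITP Review): reconciliation check for a
# semiautomated transfer. The originating system exports rows to CSV and, in
# the same run, records control totals (record count, sum of the amount column,
# and a SHA-256 over the normalized rows). The receiving side recomputes the
# same totals over what it actually loaded and compares. Rekeying, truncation
# or silent alteration between export and import shows up as a mismatch.
import csv
import hashlib
import io
from decimal import Decimal

def control_totals(rows):
    """Record count, sum of 'amount', and SHA-256 over normalized rows."""
    count = 0
    total = Decimal("0")
    h = hashlib.sha256()
    for r in rows:
        count += 1
        amt = Decimal(r["amount"])
        total += amt
        # Normalize so formatting differences ("100" vs "100.00") do not matter.
        h.update(f'{r["id"]}|{r["account"]}|{amt:.2f}\n'.encode())
    return {"count": count, "total": total, "sha256": h.hexdigest()}

def read_csv(text):
    """Parse CSV text (constructed sample layout: id, account, amount)."""
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(expected, received_rows):
    """Return a list of discrepancies; an empty list means the transfer reconciles."""
    got = control_totals(received_rows)
    return [f"{k}: expected {expected[k]}, got {got[k]}"
            for k in ("count", "total", "sha256") if expected[k] != got[k]]

# Constructed sample export, and a re-entered copy with one digit transposed.
SOURCE_EXPORT = """id,account,amount
1001,4000,1250.00
1002,4010,99.95
1003,4000,310.50
"""
REKEYED_COPY = """id,account,amount
1001,4000,1250.00
1002,4010,99.59
1003,4000,310.50
"""

if __name__ == "__main__":
    expected = control_totals(read_csv(SOURCE_EXPORT))
    print(reconcile(expected, read_csv(SOURCE_EXPORT)))  # []
    print(reconcile(expected, read_csv(REKEYED_COPY)))   # total and sha256 differ
```

The record count alone would not catch the transposed digit; the amount total and the row hash do, which is why all three are kept together as the transfer's control totals.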

This type of transfer has a little less IR regarding the transfer because it does not involve the manual rekeying of data, but it still has a receiving system with a relatively high IR because it is an electronic



            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-20