Page 111 - CITP Review

IT general controls

            It is important to adequately identify and address the specific risks that IT introduces into financial
            reporting processes and data. Part of that risk emanates indirectly from IT general controls (ITGC). IT
            general controls are one of the two main types of IT controls (the other being application controls).

            With regard to the role of the CITP, the purpose of ITGC is to provide assurance that the underlying
            automated controls and programmed accounting procedures are performing correctly and consistently
            throughout the period being examined (i.e., the things that directly affect RMM).

            ITGC are pervasive controls that operate within the IT environment. They generally do not directly lead to
            or cause the RMM, but rather they affect some element of the financial reporting systems or process in
            such a way that the element affected leads to or causes the RMM. That is, there is a chain effect from
            ITGC to RMM.

            For instance, the effectiveness of automated controls depends on the effectiveness of the ITGCs; weak
            or unreliable ITGC necessarily implies the underlying automated controls are unreliable, which could
            cause or lead to the RMM.

            Because there are a large number of IT general controls, an appropriate framework is useful in evaluating
            them. One such framework is ISACA’s ITAF. As part of the ITAF mentioned previously, section 3000 (IT
            Assurance Guidelines) provides guidance on enterprise topics, IT management processes, IT audit and
            assurance processes, and IT audit and assurance management.

            The IT audit and assurance processes section (3600) provides valuable information on internal controls,
            especially ITGC found in segment 3630 entitled “Auditing ITGCs.” In that segment, there is a list of 16
            ITGCs, with resources for auditors (such as mapping to COBIT) as well as guidance content.




            Application controls

            Application controls are important not only for assessing assurance over critical financial reporting
            applications and data for external auditors and CITPs, but also for internal auditors and CITPs to gain
            assurance that business processes are following management’s policies and procedures, which can
            have implications about operational efficiency, effectiveness, customer satisfaction, effective decision-
            making, and a variety of other relevant issues.

            An application control occurs automatically, usually through computer systems, based on predefined criteria,
            circumstances, times, dates, or events. Application controls are embedded and specific to accounting
            applications. They are intended to provide controls for authorization, approval, delivery of product or service,
            transactional recording, integrity of data, and audit trail. Usually, these controls are described as
            preventive, detective, or corrective controls.








            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-27