Page 123 - CITP Review
Parallel conversion is seldom used. Small and mid-sized companies tend to favor keeping the legacy system
running with data as of a certain cutover date, and migrating only limited amounts of data to the new
system, such as GL balances as of month end.
Risks associated with financial system management
There are different risks associated with the approach to systems acquisition, depending on whether the
entity develops the system internally or buys the system from a vendor.
Customization of financial and accounting information systems
Anytime an entity writes its own code, the IR of that process is generally assessed as high. There are,
however, principles that can reduce the residual risk to an acceptable level when they are implemented as
effective mitigating controls; the SDLC principles discussed earlier are an example, because following a
disciplined SDLC is itself a mitigating control for this particular risk. Control activities such as
effective QC, independent testing, use of a staging area separate from production, and thorough
documentation are generally effective in mitigating this risk.
Purchase of commercial financial and accounting information systems
The purchase of commercial systems has less inherent risk if the vendor is reliable. A reliable vendor
would be one that holds a respectable share of the market, has been in the software business for a
relatively long time (for that type of software), regularly updates its software, and has a good
reputation for supporting its products. The more entities that use a COTS package, and the longer the
software has been around, the more likely it is that defects have already been found and corrected by the
installed base, that sufficient controls are built in, and that the risks associated with processing are
reduced.
The version in use should be a fairly recent release. For version 1.0 from a new software manufacturer,
the IR should be assessed at the highest level, because bugs, errors, and other problems in a first
release are close to certain.
Sound vendor management should be in place as well, because the purchase of a commercial package can
still lead to major control problems, errors, and other negative impacts on the processing of financial
and accounting information and transactions if the vendor, its releases, and its support are not monitored.
Generally speaking, purchasing COTS is less expensive than developing in-house, customized solutions.
Both approaches can have IR mitigated, with the right controls or circumstances, to an acceptable level
of residual risk.
Assessment of IT controls
The assessment of controls is an important part of audits of ICFR (for example, SOX audits). In an IT
review, assessment of controls may be the purpose of the engagement itself. Either way, the CITP or IT
auditor evaluates whether a weakness in a control impairs data integrity or effective business processes.
If a control problem exists, there is a standard manner of rating its severity, in increasing order: a
deficiency in internal control, a significant deficiency, and a material weakness. If a deficiency exists,
an auditor should communicate it to management before the completion of the audit, even if the auditor is
not part of the
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-39