General IT Controls (GITC) Risk and Impact November 2018 Risk Advisory General IT Controls (GITC) Table of Contents Introduction 02 IT scoping for evaluation of internal controls 04 Importance of GITC 06 Implications of GITC deficiencies 07 Stepping towards a controlled IT environment 08 Conclusive remarks 13 Impact of GITC failure on the overall ICFR framework 15 Contact 16 01 General IT Controls (GITC) Introduction The importance of information technology (IT) controls has recently caught the attention of organisations using advanced IT products and services. This thought paper has been developed for the management of companies that are required to establish framework on internal controls and to ensure its effective operation throughout the year. This document draws attention on how applications should be scoped-in for monitoring internal controls and how control gaps need to be assessed and concluded. Increasing complexity of the IT setup has resulted in a greater focus around controls in the IT environment. With mandates emanating from various regulations, internal controls have gained more momentum in India during recent years. There is a trend of automation in processes and controls by adoption of advanced IT products and services for enabling greater efficiency in operations, compliance and reporting activities. This requires an increased focus on effective operation of controls around IT assets and services. Internal Financial Controls over Financial Reporting “Internal controls” refers to those activities within a company that are placed by the management to mitigate the risks that could hinder the company from achieving its objectives. Under the Committee on Sponsoring Organizations (COSO) framework revised in May 2013, there are three types of objectives which internal controls need to meet, as depicted below: Compliance Operations Reporting 02 General IT Controls (GITC) In many cases, a control may address more than one of COSO Cube (2013) these objectives. Under the COSO framework, there are five interrelated “components” of an effective internal control system; these are derived from the way the company is managed on a day-to-day basis: Operations Reporting Compliance The company’s control environment at the top- management level with respect to controls. This includes elements such as “tone at the top,” and Contro Environment the effectiveness of the board’s audit committee in its high-level oversight of financial reporting. Risk Assessment This component is known as the Control Environment. Division Entity Risk assessment of various processes and factors Control Activities that might hinder the company from achieving its Function objectives. For example, a process that is highly Information & Communication susceptible to fraud would be considered a high- Operating Unit risk area. The way in which controls are designed and Monitorng Activities implemented within the company, so as to address identified risks. This component is known as Control Activities. Purpose of Internal Control Internal control is designed, implemented, and monitored The way in which information within the company to address identified business risks that threaten the is gathered and shared, both to people within the achievement of any of the entity’s objectives that concern company responsible for operations and financial reporting, and to external users of financial • The reliability of the entity’s financial reporting; reports. This component is known as Information • The effectiveness and efficiency of its operations; and and Communication. • Its compliance with applicable laws and regulations. The way in which the effectiveness of these controls are monitored by the company management who take corrective actions wherever necessary. 03 General IT Controls (GITC) IT scoping for evaluation of internal controls Multiple application systems, data warehouses, report writers, and layers of supporting IT infrastructure (database, operating system, and network) may be involved in the business process, right from initiation of a transaction to its recording in the general ledger. Such transactions ultimately lead to reporting in the financial statements, and therefore, any or all of these systems and IT infrastructure may be relevant to the audit. Scoping considerations for IT applications relevant to audit The management needs to maintain documentation for understanding the system landscape mapped to key business processes that are relevant to financial reporting, including: • The classes of transactions in the company's operations that are significant to the financial statements; • The procedures, within both automated and manual systems, by which those transactions are initiated, authorised, processed, recorded, and reported; • Significant account balances that are material with respect to financial reporting; • Ways in which the information system captures transaction, events and conditions that are significant to the financial statements; and • The period-end financial reporting process. The determination as to which application system, data warehouses, or report writers are relevant to the audit requires general IT controls to address their integrity and reliability. 04 General IT Controls (GITC) Data Automated Controls System-Generated Reports The management relies on The management relies upon the The management relies on an an application system or data application system to perform application, data warehouse query, warehouse to process or maintain certain automated functions that or report writer to generate a data (e.g. transactions or other are relevant to the audit. report that is used in the operation relevant data) related to significant of relevant controls. accounts or disclosures or reports used in the operation of relevant control. For Example Assume that an entity’s SAP application runs on a UNIX server (operating system) and uses an Oracle database. User authentication is dependent upon Windows Active Directory (operating system) and the entity is using Cisco network management software. In this example, the UNIX and Windows Active Directory operating systems, Oracle database, and Cisco network management software are the technology elements supporting the SAP application system, and all of these technology elements are relevant to the audit. 05 General IT Controls (GITC) Importance of GITC Sustaining reliable financial information is dependent upon effective internal control and General IT Controls (GITCs) are a key part of entities’ internal control framework. GITCs are a critical component of business operations and financial information controls. They provide the foundation for reliance on data, reports, automated controls, and other system functionality underlying business processes. The security, integrity, and reliability of financial information relies on proper access controls, change management, and operational controls. The importance and relevance of General IT Controls to key stakeholders—owners, investors, regulators, audit committees, management, and auditors— continues to increase. Effective controls The processes, While financial Regulators Cyber security Automation in operations, controls, information is expect enhanced is a broad is becoming compliance and financial not new, the reliability business risk, increasingly with laws and data relevant complexity of financial which extends important given regulations, to financial of financial information, and to financial the reliance and financial information are reporting, stakeholders information. on automated reporting are often also relied business are looking for controls such fundamental to upon by the models, and the more specific as calculations, well-managed management technology used information and access controls, entities. Entities to manage the to support them transparency. segregation of recognise the business and key continues to Entities and duties and input, importance of decision-making. evolve. auditors need to processing, and internal control address these output controls. to the reliability concerns to These automated of the business meet evolving controls rely on processes that owner, investor, GITCs to ensure they use to run and regulator they function the entity. expectations. properly. 06 General IT Controls (GITC) Implications of GITC deficiencies Deficiencies in GITCs may hinder Deficiencies in GITCs may increase of technical skill necessary to exploit the the management’s ability to prepare audit effort and cost due to additional deficiency, among other factors, could accurate financial information. If these audit procedures needed to respond to affect the severity of a deficiency. deficiencies are not identified and unaddressed IT risks. addressed in a timely manner, they As such, when considering the nature may impact the overall functioning Certain GITC deficiencies present and cause of the deficiency, it is of internal controls, thereby resulting "a greater risk" of resulting in a important to consider whether the in delayed financial closing process, misstatement that could be pervasive GITC deficiency presents a "lesser risk" impact on internal decisions and/or in nature and could have far-reaching of misstatement or a "greater risk" of public disclosure. This could ultimately implications. The proximity of the GITC misstatement. These considerations affect the reputation and brand of the deficiency to financial reporting (e.g., a are relevant to determine the nature, company. deficiency at the application layer versus
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages20 Page
-
File Size-