Information Technology Controls and Risk Assessment

By Charles Hall | Risk Assessment

May 04

Information technology controls (IT controls) are getting increased attention with the implementation of SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements.

IT Controls Video

In the following video, I provide an overview of what you need to do regarding IT controls including general and information processing controls. 

YouTube player

 

Consider general controls and transaction processing controls as you plan your financial statement audits. 

General Controls

Examples of general controls include:

  • Passwords
  • Intrusion detection
  • Backup and recovery
  • Logical access to software 
  • Change control
  • Physical protection of IT systems

Transaction Processing Controls

An example of a transaction processing control is a software requirement that information in purchase orders, invoices, and shipping documents agree (known as a three-way match) before processing the payment. 

IT controls

Design and Implementation 

Review the design and implementation of these IT controls, and do so in the planning phase of your audit. Weak IT controls may require you to perform additional audit procedures to lower detection risk. Why? Because weak general controls or transaction processing controls might allow material misstatements to occur without detection. 

Follow

About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty-five years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention, The Why and How of Auditing, Audit Risk Assessment Made Easy, and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles consults with other CPA firms, assisting them with auditing and accounting issues.

>
Tweet
Share
Share
Email
Pocket