Audits are designed to evaluate the effectiveness of an operation’s controls by first gathering information about how a unit operates, identifying points at which errors or inefficiencies are possible, and identifying system controls designed to prevent or detect such occurrences.
Internal auditing is defined as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. The role of internal audit is changing because of increasing business complexity and challenges.
Role of IT in mitigating the audit risks
As per a study, “Effectively harnessing technology to support risk management is the greatest weakness or opportunity for most organizations”. These days almost all organizations would critically depend on IT as enabler of their continued success.
IT enabled audit provide reasonable assurance that business processes and their supporting technology are secure and comply with enterprise policies, standards, and applicable statutory and regulatory mandates. The lack of IT audit plans and the absence of appropriate technical resources can cause deficiencies in safeguards and conformance with external mandates.
Role of Auditor
The auditor must continually develop and adapt to a landscape where technology and risk are always evolving. Adopting a risk-based approach to audits involves determining and applying the enterprise’s risk appetite, tolerance, and expectation for compliance.
The impact of IT must be considered carefully during an evaluation of internal control over financial reporting. There are unique risks to be considered. The controls that mitigate these risks are important because of their pervasive effect on the reliability, integrity, and availability of processing and relevant data.
IT risks and controls must be evaluated from the top down. There are general controls and there are application controls.
General controls typically impact multiple applications in the technology environment and prevent certain events from impacting the integrity of processing or data. Computer operations, physical and logical security, program changes, systems development and business continuity are examples of processes where general IT controls reside. These IT controls are “pervasive” because they can have an impact on the organization’s achievement of financial reporting objectives germane to many of its processes.
Application controls are more specific to individual business processes. These controls include policies and procedures designed and implemented in the business areas by the respective owners of the applications and data. They also include “programmed controls” within the applications that perform specific control-related activities, such as computerized edit checks of input data, numerical sequence checks, validation of key fields, and exception reporting and related follow up on exceptions.
Importance of Control over IT
IT plays a key role in the financial reporting process. Many economic events are captured in application systems. These transactions are summarized and reported by applications to form the basis for preparing financial statements.
Ignoring IT controls is not possible. Almost without exception, every company utilizes IT to record, summarize and report transactions. Even some manual controls are dependent on technology, e.g., comparing a computer-generated report to manual records, making sure the general ledger and sub-ledgers are reflecting the same information, using performance metrics to monitor certain activities, etc.
For details, please refer the attached pdf:
The information contained herein is in summary form and is based on information available in the public domain. While the information is believed to be accurate to the best of our knowledge, we do not make any representations or warranties, express or implied, as to the accuracy or completeness of such information. This document is not an offer, invitation, advice, or solicitation of any kind. We accept no responsibility for any errors it may contain or for any loss, howsoever caused or sustained, by the person who relies on it.