Joanne M. Flood - Wiley Practitioner's Guide to GAAS 2020

In a typical control system there are many, many activity-level controls. There are two reasons for this relative abundance of preventive activity-level controls:

1 Activity-level controls address very specific risks and have a very narrow (but direct) effect on financial reporting risks. Entities enter into many different types of transactions. In our example, paying suppliers is just one of dozens of different types of financial activities, and an organization will have activity-level controls for each of these activities. Additionally, for each transaction type, the company may face many different kinds of risk, each requiring a different kind of activity-level control. For example, not only will companies want to make sure that they pay only approved suppliers, but they also will want to make sure they pay the correct amount.

2 Many internal control systems include redundant controls—multiple controls that achieve the same objective. For example, the company may use a purchase order system to make sure that its buyers are approved to enter into transactions. In addition, a manager may periodically compare actual purchases to the budget to make sure that company buyers are staying within their approved limits.

Between the entity-level controls and preventive activity-level controls are the broad-based activity-level controls. A bank reconciliation is a good example of such a control. A bank reconciliation does not prevent the bookkeeper from entering an incorrect amount as a cash disbursement, but if such an error were made, a properly performed bank reconciliation should detect and correct it. Many broad-based activity-level controls are detective in nature and usually performed periodically, rather than on every transaction.

A top-down approach to internal control evaluation means that the auditor starts with entity- level controls, which have the broadest span but the most indirect effect on reducing financial statement misstatements. Once the auditor has evaluated entity-level controls, he or she then proceeds “down” to the more specific activity-level controls. At the activity level, the auditor again begins at the “top,” with those controls that are furthest along in the information processing stream. Usually, these are detective controls.

After evaluating detective controls, the auditor may then proceed back down the information processing stream, back to the inception of the transaction, evaluating controls along the way.

The key to applying the top-down approach is to ask—at each step of the evaluation—“Are the controls I have evaluated so far capable of appropriately addressing the related risk of material misstatement?” If the answer is “yes,” then there is no need to evaluate more controls. If the answer is “no,” then the auditor should continue to evaluate more controls further down in the structure until reaching a point where he or she has evaluated enough controls to evaluate the risk.

Information technology (IT) affects the way in which transactions are initiated, recorded, processed, and reported. IT controls consist of automated controls (e.g., controls embedded in computer programs) and manual controls. Manual controls may be independent of IT, may use information produced by IT, or may be limited to (1) monitoring the effective function of IT and of automated controls and (2) handling exceptions. An entity’s mix of controls varies with the nature and complexity of its use of IT. IT enables an entity to:

1 Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.

2 Enhance the timeliness, availability, and accuracy of information.

3 Facilitate the additional analysis of information.

4 Enhance the ability to monitor the performance of activities and the policies and procedures.

5 Reduce the risk that controls will be circumvented.

6 Enhance the ability to achieve effective segregation of duties by implementing security controls.

IT also poses specific risks to an entity’s internal control, including:

1 Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both

2 Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions

3 Unauthorized changes to data in master files

4 Unauthorized changes to systems or programs

5 Failure to make necessary changes to systems or programs

6 Inappropriate manual intervention

7 Potential loss of data

IT general controls are entity-wide controls that apply to many if not all application systems and help ensure their continued proper operation. For example, the effectiveness of an entity’s controls relating to the access of its database will determine whether it will be successful in maintaining the integrity of those data, which may be used in a number of different applications.

If there are inadequate general controls, controls at the application level may not function properly, and the information produced by the system may be largely unreliable. For that reason, IT general controls are typically included within the evaluation of internal control effectiveness.

But which IT general controls are used?

To answer this question, it is helpful to think of IT general controls as operating within three different domains, or stacks:

1 Database

2 Operating system

3 Network

There are three control objectives within each of these domains:

1 Systems are appropriately tested and validated prior to being placed into production.

2 Data are protected from unauthorized change.

3 Any problems or incidents in operations are properly responded to, recorded, investigated, and resolved.

To determine which IT general controls should be used for the evaluation, apply the risk- based, top-down approach. IT general controls will vary in how directly they affect the financial reporting process and therefore in the risk that their failure could result in a material misstatement of the financial statements.

Some IT control frameworks include controls that have only an indirect effect on IT systems. For example, the IT strategic plan and the overall IT organization and infrastructure may contribute indirectly to the effective functioning of IT systems and could be an area of interest for an IT auditor. However, these controls are so far removed from the financial reporting process that, in most situations, they will have only a negligible effect on the financial statements. The risk that a failure in one of these controls could result in a financial statement misstatement likewise is negligible. Thus, typically, these controls would not be included in an evaluation of controls over financial reporting.

Some IT systems process information that is not reflected in the financial statements. For example, an organization may have a sales and marketing system that tracks lead generation, customer contact information, and purchase history. IT general controls that affect the functioning of this system may or may not be included within the scope of an evaluation of financial reporting controls, depending on how management uses the information generated by the system.

For example, management and the sales team may use the information only to manage the sales process, in which case the sales system is not important to the financial reporting process. Or management may use the information generated from the sales system to monitor financial results, generate financial information, or perform some other control procedure.