As the pace of technology advancement increases, the information systems we rely on to record and store accounting information are growing in complexity and sophistication. Financial data can be dispersed over multiple systems or “sources of truth,” leading to inconsistencies or inaccuracies that may impact business decisions.
With this greater dispersion of information, personnel may end up with too much access, leading to an increased potential of manual error in data entry or even fraud. The completeness, accuracy, and integrity of financial information is, and should be, of great concern to organizational leaders with decision making responsibilities. As such, there is greater need than ever to assess the control environment around the IT systems that produce financial data.
What are IT General Controls (ITGCs)?
ITGCs are a suite of control objectives to ensure financial data is processed, stored, and shared completely and accurately. These control objectives also serve as foundational objectives that contribute to the optimal operations of IT and security, hence the term “general.”
There are three control objectives:
Change management ensures that changes made to systems are appropriate (e.g., tested). When thinking about “system change,” many think about complex source code changes or new systems development. While this is true, it also applies to generating key accounting reports. Inappropriate queries may pull data from the wrong source or multiple sources that don’t reconcile, impacting business decisions or audit procedures.
Logical access ensures that end-users have appropriate access to financial data (and enables segregation of duties). Users generally accumulate a series of access permissions to a variety of systems over time without even knowing it. These users may have access to authorize transactions, have custody of assets, and modify accounting records. For example, an organization’s controller may unintentionally have logical access granting the ability to create, approve, and post journal entries; cut checks; and modify vendors (recipient of that check). Proper logical access controls can contribute to enhanced segregation of duties.
IT operations ensures that transmission and storage of data is complete and accurate. Data can manually or automatically flow from one system to another. This flow can be controlled by custom code (addressed by change management), overnight batch jobs, or vendor-provided interfaces, such as APIs. There can be many ways in which these processes fail. For example, an organization’s daily sales report from the prior day may actually contain figures from last month. Improper data flow can negatively impact business decisions.
Example of Controls Matrix
The following represents a matrix a company could create to illustrate the example controls it could install and the benefits to doing so:
|ITGC Objective||Control (Example)||Benefit (Example)|
|Change Management||All changes (e.g., query, data source) to key financial reports are authorized and tested.||Ensures that the daily sales report is populated from the correct source with the correct amounts.|
|Segregation of duties exist between those who develop source code and those who implement source code.||Ensures that malicious code is not introduced to custom production code.|
|Logical Access||Users’ access to financial systems are approved and reviewed.||Ensures that end users cannot perform incompatible duties, such as recording and approving journal entries, authorizing payments, and updating vendor records.|
|Users’ access to financial systems are de-provisioned upon transfer.||Ensures that end user rights are not retained over time, leading to a breach in segregation of duties, such as the ability to approve and send payments.|
|Passwords are appropriate with multi-factor authentication enabled.||Ensures that end user accounts are not subject to brute-force attacks that could lead to financial data leakage or modification.|
|IT Operations||Backups are conducted regularly and can be restored.||Ensures that lost financial data is recoverable.|
|Data processing is complete and accurate.||Ensures that data pulled from systems is complete and accurate.|
While testing ITGCs is not required, consider a discussion with your auditor to maximize the value of your external audits. The benefits can include:
- Identification of inefficient or ineffective processes
- IT solutions to address repeating deficiencies
- Recommendations based on leading practices
- Identification of key areas of financial risk due to incomplete or inaccurate data
- Identification of key fraud risk due to inappropriate access
Data Analytics: Embracing Change for the Future
The future of financial compliance work will likely look very different than an audit does today. The industry is in the process of experimenting with data analytics and artificial intelligence, and revisiting standards surrounding how an auditor does their job in a digital work. Audit requirements are constantly evolving to provide better guidance to organizations and auditors. While there are differing approaches to how soon and to the degree of standards that will be implemented via new technologies, the focal point will always remain on improving audit quality and financial transparency for the users of financial statements.
Financial transparency depends on data integrity. Organizations have a patchwork of various systems, including legacy systems, new systems, and even third-party software. Data can live everywhere and anywhere, ranging from a single “source of truth” to multiple versions of these truths. Given that, reliability of data will vary, and this reliability can only be improved if they come from systems for which IT internal controls are operating effectively.
Data analytics will allow for better, more efficient audits, and will provide deep insights. It should also be an expectation to consider the internal controls environment, system deficiencies, and IT risk as a critical and required component of analytics.
Interested in Incorporating IT into Your Audits?
Please reach out to your respective audit team (or Steve Vasconcellos) for best practices or any key risk areas that exist within your organization. This dialogue helps design more efficient (and effective) audit procedures.
©2021 Clark Nuber PS. All rights reserved.