If your company has any form of financial reporting requirements, then you have likely been inundated with auditors. While your auditors will ask a number of questions, there is one area of focus that can sometimes surprise management and staff: questions about information technology. In the audit world, this is most accurately described as IT General Controls and Application Controls.
IT General Controls (ITGC) are standards and processes that, when applied to a company’s information systems, allow auditors to obtain a level of comfort regarding the accuracy, integrity, and availability of the data and information as it pertains to financial reporting. For example, if you provide your auditor with a reconciliation and supporting evidence for an inventory account, the auditor will need to consider ITGC to rely upon the accuracy and integrity of the report.
Questions they may ask are:
- Has the inventory report from the system accounted for all inventory types?
- Has the data within the report been changed?
- Were any scripts or filters used to generate the report?
In each case, IT General Controls can assist in ensuring the data is reliable.
The areas of focus for the understanding and testing of IT General Controls are somewhat similar to those controls that would be tested during an IT audit. These areas include IT Governance, Logical Security, Physical Security, Change Management, and Data Availability.
Let’s consider each in turn, and how you can ensure you are meeting the control requirements to satisfy the audit requirements.
- IT Governance – Auditors will look to see that standards have been set for the configuration and maintenance of the IT systems, mitigation of third-party vendor activity, and end users’ use of the bank’s systems. It is also important to remember that one of the most vital controls in mitigating risks associated with critical or high-risk vendors is the review of the annual SOC report, as well as the mapping of all relevant complementary user entity controls. These controls grant your organization the ability to rely on those individual vendor ITGCs and application controls.
- Logical Security – While a broad category at first glance, we can narrow down the focus by remembering that the scope of the audit is about financial reporting. The ultimate focus will be driven by user access to key systems and applications. This includes management’s periodic review of access levels for all users and generic accounts and the adequacy of the change process for hires, terminations, and employees changing roles. Additional considerations will be given to the establishment of password requirements, as well as understanding network perimeter controls.
- Physical Security – This is often the forgotten or overlooked control. The strongest firewalls and monitoring devices are left helpless if a threat actor can directly access a company’s network or storage devices. The main focus of physical security for financial reporting is the protection of the data center.
- Change Management – Most people automatically assume change management simply amounts to the patching process. While patching is significant, we must stress the importance of financial reporting. Your auditors will be happy to know that you quickly test and apply Windows patches, but they would be far more concerned if an employee were able to make changes to underlying code or system reports at will. The key requirement here is a clearly defined development, approval, and deployment process. And, as any auditor will tell you, documentation, particularly of the approval, is paramount.
- Data Availability – The idea of data availability directly relates to the ability of an organization to limit downtime and data loss. A company that faces significant downtime or data loss can suffer short-term financial losses, and may even represent a ‘Going Concern’ risk in the long run. This makes standardized data backup procedures, and the overall physical location of those backups, vital.
Now that you have the basics of what your auditor may be looking for when they say IT General Controls, you can move on to assessing the risks in your own organizational environment and ensuring that appropriate controls have been developed. In the long run, you, your auditor, and most importantly your customers will appreciate it.
About the Author
Brad graduated from Indiana University of Pennsylvania in 2014 with Bachelor’s Degrees in Accounting and Management Information Systems. He joined YHB that same year and has since split his time between both the Bank team and the Risk Advisory Services team completing external and internal financial audits, SOX consulting services, and IT related audit and consulting services. Brad became a Certified Information Systems Auditor in early 2019.