Revised ISA 315 – General IT Controls
Why do we need to understand an entity’s IT environment and its GITCs?
Increasingly, audited entities rely on their IT systems to process and maintain their data, including data which feeds into the financial reporting process. Management may also rely on automated controls and/or system-generated reports to perform functions which are directly relevant to the audit or to the operation of controls over financial reporting processes.
Whilst a GITC alone is typically not sufficient to address a risk of material misstatement, GITCs support the continued effective functioning of information processing controls, upon which the entity and the auditor may be able to place some reliance.
What are the new requirements?
The revised ISA includes prescriptive requirements for auditors to gain an understanding of information processing activities. Based on this understanding, auditors are required to identify the IT applications and other aspects of the entity’s IT environment (such as the databases, operating system and network) that are subject to risks arising from the use of IT.
For such applications and other aspects of the entity’s IT environment, auditors must identify the related risks arising from the use of IT and the entity’s GITCs that address such risks.
The auditor must then evaluate the design of each such GITC and determine whether it has been implemented.
These requirements are therefore far more extensive than those of the extant standard, and, for firms which have traditionally taken a fully substantive approach to audit, will introduce a significant new aspect to the risk assessment process.
What are the risks arising from the use of IT?
Appendix 5 to the revised ISA offers a range of examples. These include:
- Unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorised or non-existent transactions, or inaccurate recording of transactions.
- Inappropriate manual intervention.
- The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties thereby breaking down segregation of duties.
- Unauthorised changes to IT applications or other aspects of the IT environment.
To give a more specific example, if an employee has access to approve a purchase order, create a GRN (goods received note) and process a supplier invoice, there is a possibility of a false supplier payment being processed without any second person being involved.
If generic administrator usernames and passwords are used (e.g. “admin” and “password”), unauthorised users may be able to make inappropriate changes to data, and because the account is shared, audit trails would be unlikely to identify who made those changes.
What are GITCs?
GITCs are implemented to address risks arising from the use of IT. They are typically grouped into three areas:
- Processes to manage access – those that ensure a user accessing the system is appropriately authorised to do so, has been given a level of access appropriate to their role, and has that access regularly reviewed and revoked when the individual no longer needs it for their role.
- Processes to manage program or other changes to the IT environment – those that implement a change management process to ensure that changes to the design and implementation of the system are suitably tested, appropriately authorised and that data is correctly converted.
- Processes to manage IT operations – those that control access to schedule and initiate jobs or programs that may affect financial reporting, job monitoring to check successful execution of jobs, backup and recovery and intrusion detection. IT operations may well be outsourced to third-party providers.
Common examples of GITCs include:
- Access to programs is restricted to authorised personnel who each have their own credentials and whose access is limited to that which is required for their specific role. A list of users and their access levels is reviewed by management on a monthly basis.
- Passwords must meet minimum standards with regard to complexity including being more than 12 characters long, including both upper and lowercase, including at least one number and at least one special character.
- Changes to programs are tested and approved before being moved into a production environment.
- The system will not permit the same person to set up and approve a payment.
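The access-related controls above (the segregation-of-duties example of purchase order, GRN and invoice rights, the payment set-up/approval rule, generic administrator accounts and the stated password standard) can be checked mechanically against a user access listing. The following is an added example, not part of the original article or of any audit methodology; the user names, right names and toxic combinations are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of a user access listing: (user, right) pairs.
ENTITLEMENTS = [
    ("jsmith", "approve_purchase_order"),
    ("jsmith", "create_grn"),
    ("jsmith", "process_supplier_invoice"),
    ("admin", "setup_payment"),
    ("admin", "approve_payment"),
    ("akhan", "setup_payment"),
    ("lwong", "approve_payment"),
    ("lwong", "create_grn"),
]

# Toxic combinations: one user holding every right in a set can push a
# transaction through with no second person involved (hypothetical names).
SOD_CONFLICTS = {
    "false_supplier_payment": {"approve_purchase_order", "create_grn",
                               "process_supplier_invoice"},
    "unchecked_payment": {"setup_payment", "approve_payment"},
}

# Shared/generic accounts that cannot be attributed to an individual.
GENERIC_ACCOUNTS = {"admin", "administrator", "root", "sa"}


def find_sod_conflicts(entitlements, conflicts=SOD_CONFLICTS):
    """Return (user, conflict_name) for each user holding a toxic set."""
    rights = defaultdict(set)
    for user, right in entitlements:
        rights[user].add(right)
    findings = []
    for user in sorted(rights):
        for name, toxic in conflicts.items():
            if toxic <= rights[user]:  # user holds every right in the set
                findings.append((user, name))
    return findings


def find_generic_accounts(entitlements, generic=GENERIC_ACCOUNTS):
    """Return generic account names present in the listing."""
    return sorted({u for u, _ in entitlements if u.lower() in generic})


def password_meets_policy(pw):
    """Minimum standard as stated in the article: more than 12 characters,
    upper and lower case, at least one digit and one special character."""
    return (len(pw) > 12
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))
```

Run against a real access listing, the output of `find_sod_conflicts` and `find_generic_accounts` is the list of exceptions an auditor would expect management's monthly access review to have already raised.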
Appendix 6 to the revised ISA also offers a range of examples.
What should auditors be doing now?
Due to the much more prescriptive requirements, for many auditors, the entity’s IT environment and GITCs will be an area over which more work will be required than has previously been the case. Even where the revised standard is not early adopted, auditors may still find that gathering additional information on the entity’s IT environment and GITCs in current year audits could save time in future years.
It may also be beneficial for auditors to bring themselves up to speed on these areas, perhaps considering relevant training to assist. Where firms have in the past made use of IT-trained auditors or champions to assist on selected audits, they may wish to train more such staff in these areas so that they are ready to hit the ground running when the new requirements come in.
How Mercia can help
Mercia’s methodology will be updated in due course to reflect the revised requirements of the standard. If you would like to learn more, please book onto one of our update courses. We also have a number of other news and blog posts considering the changes.