In the ever-evolving landscape of information technology, auditors must adapt to the complexities introduced by IT systems within the entities they audit. SAS 145 marks a significant step in this direction by enhancing the auditor’s understanding of general IT controls and the associated risks.
This shift not only underscores the importance of understanding the nuances of general IT controls but also their role in safeguarding the integrity of financial information. Understanding these IT applications and risks can help auditors conduct more effective and current risk assessments.
In this blog, we’ll dive into the intricacies of SAS 145, shedding light on the updated definitions of general IT controls and the risks arising from the use of IT, while also examining how to assess these factors in relation to assertions and material misstatements.
General IT controls
Keeping in line with advancements in technology and the widespread use of automation tools and techniques, SAS 145 acknowledges the use of IT by both auditors and clients and expressly defines the risks arising from the use of IT.
No, this doesn’t mean that auditors need to become IT experts. It does mean they need to think of IT use in terms of assertions. They also need to evaluate the complexity of a system, even off-the-shelf software packages, and all that is included.
SAS 145 provides enhanced and new definitions for the terms “general IT controls” and “risks arising from the use of IT,” respectively. Under the new standard, auditors are required to identify general IT controls that address the risks arising from the use of IT and, when they relate to certain identified controls, as discussed in a previous post, and to evaluate their design and determine their implementation.
What is the definition of general IT controls?
SAS 145 defines “general IT controls” as: “Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.”
Examples of general IT controls include:
- Authentication
- Privileged access
- Change management policies and procedures
- Backup and recovery
- Intrusion detection
Under SAS 145, “risks arising from the use of IT” is defined as: “Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.”
Thinking in terms of assertion, firms may still be wondering what IT controls to consider. The answer: those IT controls that impact the risk of material misstatement at the assertion level.
Special reportRisk assessment changes are here. Are you ready? Read our special report on understanding the entity and its environment in SAS 145. |
What are the risks of using IT?
To assist auditors, SAS 145 outlines several considerations to help determine whether IT applications are subject to risks arising from the use of IT.
For example, characteristics of higher risk IT applications may include:
- The volume of data or transactions is significant.
- Applications are interfaced.
- The application’s functionality is complex (e.g. it automatically initiates transactions, and there are a variety of complex calculations underlying automated entries).
- Management relies on an application system to process or maintain data, and management relies upon the application system to perform certain automated controls that the auditor has also identified.
Characteristics of a lower risk IT application include:
- The volume of data (transactions) is not significant.
- Applications stand-alone.
- Each transaction is supported by original hard copy documentation.
- The application’s functionality is not complex.
Conclusion
For all the advantages that technology provides for firms, it is important to understand the possible implications general IT controls can have. This is especially true with regard to risk assessment and the potential for material misstatement.
Take action now to ensure that your firm is fully prepared to manage the impact of SAS 145. To learn more, view our webinar offering early guidance on SAS No. 145.
More SAS 145 insightsDive deeper into SAS 145. Browse our collection of blogs, infographics, and more to stay up to date on everything SAS 145. |